Use of org.keycloak.authorization.model.Policy in project keycloak (by keycloak): class UserManagedPermissionUtil, method updatePolicy.
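/**
 * Keeps the user-managed {@link Policy} behind a permission ticket in step with the
 * ticket's granted state.
 *
 * <p>If the ticket carries no policy yet, the method looks for another ticket with the
 * same owner, requester and resource that already has one, so that all scopes granted
 * to the same requester accumulate on a single policy. A granted ticket then gets the
 * (possibly newly created) policy with the ticket's scope added; a revoked ticket has
 * its scope removed from the shared policy and is detached from it.
 *
 * @param ticket       the permission ticket being granted or revoked
 * @param storeFactory gives access to the permission-ticket store used for the lookup and
 *                     to the stores needed to create the policy
 */
public static void updatePolicy(PermissionTicket ticket, StoreFactory storeFactory) {
    Scope scope = ticket.getScope();
    Policy policy = ticket.getPolicy();

    if (policy == null) {
        // Reuse the policy of a sibling ticket: same owner, same requester, same resource.
        // The REQUESTER filter is what keeps one requester's grants from leaking into another's.
        Map<PermissionTicket.FilterOption, String> filter = new EnumMap<>(PermissionTicket.FilterOption.class);
        filter.put(PermissionTicket.FilterOption.OWNER, ticket.getOwner());
        filter.put(PermissionTicket.FilterOption.REQUESTER, ticket.getRequester());
        filter.put(PermissionTicket.FilterOption.RESOURCE_ID, ticket.getResource().getId());
        filter.put(PermissionTicket.FilterOption.POLICY_IS_NOT_NULL, Boolean.TRUE.toString());

        List<PermissionTicket> siblings = storeFactory.getPermissionTicketStore()
                .find(filter, ticket.getResourceServer().getId(), -1, 1);

        if (!siblings.isEmpty()) {
            policy = siblings.get(0).getPolicy();
        }
    }

    if (ticket.isGranted()) {
        if (policy == null) {
            policy = createUserManagedPermission(ticket, storeFactory);
        }
        if (scope != null && !policy.getScopes().contains(scope)) {
            policy.addScope(scope);
        }
        ticket.setPolicy(policy);
        return;
    }

    // Not granted: detach the ticket's scope. `policy` may legitimately still be null here
    // (nothing was ever granted for this owner/requester/resource), in which case there is
    // nothing to remove — the original code dereferenced it unconditionally.
    if (scope != null) {
        if (policy != null) {
            policy.removeScope(scope);
        }
        ticket.setPolicy(null);
    }
}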
Use of org.keycloak.authorization.model.Policy in project keycloak (by keycloak): class ClientApplicationSynchronizer, method removeFromClientPolicies.
/**
 * Cleans up authorization state that references a client being removed.
 *
 * <p>Deletes the resource server registered for the client (if any), then visits every
 * "client"-type policy whose config lists the client and drops the client from it. A policy
 * left with no clients at all is removed; otherwise it is updated with the reduced client set.
 *
 * @param event                 the removal event carrying the client being deleted
 * @param authorizationProvider provides the store factory and the per-type policy provider factories
 */
private void removeFromClientPolicies(ClientRemovedEvent event, AuthorizationProvider authorizationProvider) {
    String removedClientId = event.getClient().getId();
    StoreFactory storeFactory = authorizationProvider.getStoreFactory();
    ResourceServerStore resourceServerStore = storeFactory.getResourceServerStore();

    if (resourceServerStore.findByClient(event.getClient()) != null) {
        resourceServerStore.delete(event.getClient());
    }

    // Match client-based policies whose "clients" config entry names the removed client,
    // regardless of who owns the policy.
    Map<Policy.FilterOption, String[]> criteria = new EnumMap<>(Policy.FilterOption.class);
    criteria.put(Policy.FilterOption.TYPE, new String[] { "client" });
    criteria.put(Policy.FilterOption.CONFIG, new String[] { "clients", removedClientId });
    criteria.put(Policy.FilterOption.ANY_OWNER, Policy.FilterOption.EMPTY_FILTER);

    for (Policy clientPolicy : storeFactory.getPolicyStore().findByResourceServer(criteria, null, -1, -1)) {
        PolicyProviderFactory providerFactory = authorizationProvider.getProviderFactory(clientPolicy.getType());
        ClientPolicyRepresentation rep =
                (ClientPolicyRepresentation) providerFactory.toRepresentation(clientPolicy, authorizationProvider);

        Set<String> remainingClients = rep.getClients();
        remainingClients.remove(removedClientId);

        if (!remainingClients.isEmpty()) {
            providerFactory.onUpdate(clientPolicy, rep, authorizationProvider);
            continue;
        }

        // Nothing left to authorize against: the policy itself goes away.
        providerFactory.onRemove(clientPolicy, authorizationProvider);
        storeFactory.getPolicyStore().delete(clientPolicy.getId());
    }
}
Use of org.keycloak.authorization.model.Policy in project keycloak (by keycloak): class AbstractDecisionCollector, method isGranted.
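/**
 * Combines the effects of a policy's associated policies according to the policy's
 * decision strategy.
 *
 * <ul>
 *   <li>AFFIRMATIVE: at least one PERMIT grants.</li>
 *   <li>CONSENSUS: grants when the number of PERMITs exceeds the number of non-PERMITs.</li>
 *   <li>anything else (UNANIMOUS): a single DENY refuses; otherwise grants.</li>
 * </ul>
 *
 * @param policyResult the evaluated policy together with the results of its associated policies
 * @return {@code true} when the associated results satisfy the policy's decision strategy
 */
protected boolean isGranted(Result.PolicyResult policyResult) {
    Policy policy = policyResult.getPolicy();
    DecisionStrategy decisionStrategy = policy.getDecisionStrategy();

    switch (decisionStrategy) {
        case AFFIRMATIVE:
            for (Result.PolicyResult decision : policyResult.getAssociatedPolicies()) {
                if (Effect.PERMIT.equals(decision.getEffect())) {
                    return true;
                }
            }
            return false;

        case CONSENSUS: {
            // NOTE(review): the deny count starts from the *model's* associated-policy count,
            // while permits are counted over the results actually present in policyResult.
            // Any associated policy without a result is therefore counted as a deny — confirm
            // that this fail-closed reading is intended.
            int grantCount = 0;
            int denyCount = policy.getAssociatedPolicies().size();
            for (Result.PolicyResult decision : policyResult.getAssociatedPolicies()) {
                // Null-safe comparison, consistent with the other branches; the original
                // called decision.getEffect().equals(...) and would throw on a missing effect.
                if (Effect.PERMIT.equals(decision.getEffect())) {
                    grantCount++;
                    denyCount--;
                }
            }
            return grantCount > denyCount;
        }

        default:
            // Defaults to UNANIMOUS: any DENY vetoes the grant.
            for (Result.PolicyResult decision : policyResult.getAssociatedPolicies()) {
                if (Effect.DENY.equals(decision.getEffect())) {
                    return false;
                }
            }
            return true;
    }
}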
Use of org.keycloak.authorization.model.Policy in project keycloak (by keycloak): class DefaultPolicyEvaluator, method evaluate.
/**
 * Runs every policy that applies to {@code permission} through the policy evaluator
 * and reports the outcome to {@code decision}.
 *
 * <p>Enforcement mode DISABLED and permissions already marked granted are completed as
 * granted without any lookup. Otherwise policies are looked up by resource, by resource
 * type (plus, for resources not owned by the server, the server's own resources of that
 * type) and by the requested scope ids, in that order. If at least one policy was
 * verified the decision is completed; if none was and the mode is PERMISSIVE, the
 * permission is granted.
 *
 * @param permission            the resource/scopes being requested
 * @param authorizationProvider gives access to the policy and resource stores
 * @param executionContext      the evaluation context handed to the policy evaluator
 * @param decision              receives the completion / grant callbacks
 * @param decisionCache         per-policy cache forwarded to the policy evaluator
 */
@Override
public void evaluate(ResourcePermission permission, AuthorizationProvider authorizationProvider, EvaluationContext executionContext, Decision decision, Map<Policy, Map<Object, Decision.Effect>> decisionCache) {
    ResourceServer resourceServer = permission.getResourceServer();
    PolicyEnforcementMode enforcementMode = resourceServer.getPolicyEnforcementMode();

    // Nothing to evaluate when enforcement is off or the permission is already granted.
    if (PolicyEnforcementMode.DISABLED.equals(enforcementMode) || permission.isGranted()) {
        grantAndComplete(permission, authorizationProvider, executionContext, decision);
        return;
    }

    StoreFactory storeFactory = authorizationProvider.getStoreFactory();
    PolicyStore policyStore = storeFactory.getPolicyStore();
    ResourceStore resourceStore = storeFactory.getResourceStore();

    AtomicBoolean anyPolicyVerified = new AtomicBoolean();
    Consumer<Policy> policyEvaluator = createPolicyEvaluator(permission, authorizationProvider, executionContext, decision, anyPolicyVerified, decisionCache);

    Resource resource = permission.getResource();
    if (resource != null) {
        // Policies bound directly to this resource.
        policyStore.findByResource(resource.getId(), resourceServer.getId(), policyEvaluator);

        if (resource.getType() != null) {
            // Policies bound to the resource's type ...
            policyStore.findByResourceType(resource.getType(), resourceServer.getId(), policyEvaluator);

            // ... and, when the resource is not owned by the server itself, policies bound to
            // the server-owned resources of the same type.
            boolean ownedByServer = resource.getOwner().equals(resourceServer.getId());
            if (!ownedByServer) {
                for (Resource serverResource : resourceStore.findByType(resource.getType(), resourceServer.getId())) {
                    policyStore.findByResource(serverResource.getId(), resourceServer.getId(), policyEvaluator);
                }
            }
        }
    }

    Collection<Scope> requestedScopes = permission.getScopes();
    if (!requestedScopes.isEmpty()) {
        policyStore.findByScopeIds(requestedScopes.stream().map(Scope::getId).collect(Collectors.toList()), null, resourceServer.getId(), policyEvaluator);
    }

    if (anyPolicyVerified.get()) {
        decision.onComplete(permission);
        return;
    }

    // No policy produced a verdict: PERMISSIVE grants by default; otherwise nothing further
    // is done here.
    if (PolicyEnforcementMode.PERMISSIVE.equals(enforcementMode)) {
        grantAndComplete(permission, authorizationProvider, executionContext, decision);
    }
}
Use of org.keycloak.authorization.model.Policy in project keycloak (by keycloak): class ExportUtils, method exportAuthorizationSettings.
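/**
 * Builds an exportable representation of a client's authorization settings.
 *
 * <p>Server, resource and scope identifiers are blanked so the export can be imported
 * elsewhere. Resources whose owner is the resource server itself are exported without an
 * owner; otherwise only the owner id is cleared. Policies are collected in two passes:
 * first the non-permission policies (type neither "resource" nor "scope") that have no
 * owner, then the "resource"/"scope" permissions.
 *
 * @param session the current session, used to obtain the authorization provider
 * @param client  the client whose resource server is exported
 * @return the representation, or {@code null} when the client has no resource server
 */
public static ResourceServerRepresentation exportAuthorizationSettings(KeycloakSession session, ClientModel client) {
    AuthorizationProviderFactory providerFactory = (AuthorizationProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(AuthorizationProvider.class);
    AuthorizationProvider authorization = providerFactory.create(session, client.getRealm());
    StoreFactory storeFactory = authorization.getStoreFactory();
    ResourceServer settingsModel = storeFactory.getResourceServerStore().findByClient(client);

    if (settingsModel == null) {
        return null;
    }

    ResourceServerRepresentation representation = toRepresentation(settingsModel, client);
    // Identity fields are dropped so the export is not tied to this server/client.
    representation.setId(null);
    representation.setName(null);
    representation.setClientId(null);

    List<ResourceRepresentation> resources = storeFactory.getResourceStore().findByResourceServer(settingsModel.getId()).stream().map(resource -> {
        ResourceRepresentation rep = toRepresentation(resource, settingsModel.getId(), authorization);
        if (rep.getOwner().getId().equals(settingsModel.getId())) {
            // Owned by the server itself: no owner is exported at all.
            rep.setOwner((ResourceOwnerRepresentation) null);
        } else {
            rep.getOwner().setId(null);
        }
        rep.getScopes().forEach(scopeRepresentation -> {
            scopeRepresentation.setId(null);
            scopeRepresentation.setIconUri(null);
        });
        return rep;
    }).collect(Collectors.toList());
    representation.setResources(resources);

    // Fetched once instead of once per pass; both passes filter the same list.
    PolicyStore policyStore = storeFactory.getPolicyStore();
    List<Policy> allPolicies = policyStore.findByResourceServer(settingsModel.getId());

    List<PolicyRepresentation> policies = new ArrayList<>();
    // Pass 1: policies that are not permissions and have no owner (user-owned policies are skipped).
    policies.addAll(allPolicies.stream()
            .filter(policy -> !"resource".equals(policy.getType()) && !"scope".equals(policy.getType()) && policy.getOwner() == null)
            .map(policy -> createPolicyRepresentation(authorization, policy))
            .collect(Collectors.toList()));
    // Pass 2: permissions. The parentheses make the original operator precedence explicit:
    // every "resource" permission is exported, but "scope" permissions only when they have
    // no owner. NOTE(review): confirm the owner check was not meant to apply to both types.
    policies.addAll(allPolicies.stream()
            .filter(policy -> "resource".equals(policy.getType()) || ("scope".equals(policy.getType()) && policy.getOwner() == null))
            .map(policy -> createPolicyRepresentation(authorization, policy))
            .collect(Collectors.toList()));
    representation.setPolicies(policies);

    List<ScopeRepresentation> scopes = storeFactory.getScopeStore().findByResourceServer(settingsModel.getId()).stream().map(scope -> {
        ScopeRepresentation rep = toRepresentation(scope);
        // Back-references are not part of the export.
        rep.setPolicies(null);
        rep.setResources(null);
        return rep;
    }).collect(Collectors.toList());
    representation.setScopes(scopes);

    return representation;
}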