use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.
the class RolePermissions method rolePolicy.
@Override
public Policy rolePolicy(ResourceServer server, RoleModel role) {
String policyName = Helper.getRolePolicyName(role);
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(policyName, server.getId());
if (policy != null)
return policy;
return Helper.createRolePolicy(authz, server, role, policyName);
}
use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.
the class ClientTokenExchangeSAML2Test method addDirectExchanger.
private static void addDirectExchanger(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
RoleModel exampleRole = realm.addRole("example");
AdminPermissionManagement management = AdminPermissions.management(session, realm);
ClientModel directExchanger = realm.addClient("direct-exchanger");
directExchanger.setName("direct-exchanger");
directExchanger.setClientId("direct-exchanger");
directExchanger.setPublicClient(false);
directExchanger.setDirectAccessGrantsEnabled(true);
directExchanger.setEnabled(true);
directExchanger.setSecret("secret");
directExchanger.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
directExchanger.setFullScopeAllowed(false);
// permission for client to client exchange to "target" client
management.clients().setPermissionsEnabled(realm.getClientByClientId(SAML_SIGNED_TARGET), true);
management.clients().setPermissionsEnabled(realm.getClientByClientId(SAML_ENCRYPTED_TARGET), true);
management.clients().setPermissionsEnabled(realm.getClientByClientId(SAML_SIGNED_AND_ENCRYPTED_TARGET), true);
management.clients().setPermissionsEnabled(realm.getClientByClientId(SAML_UNSIGNED_AND_UNENCRYPTED_TARGET), true);
ClientPolicyRepresentation clientImpersonateRep = new ClientPolicyRepresentation();
clientImpersonateRep.setName("clientImpersonatorsDirect");
clientImpersonateRep.addClient(directExchanger.getId());
ResourceServer server = management.realmResourceServer();
Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(clientImpersonateRep, server);
management.users().setPermissionsEnabled(true);
management.users().adminImpersonatingPermission().addAssociatedPolicy(clientImpersonatePolicy);
management.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
UserModel impersonatedUser = session.users().addUser(realm, "impersonated-user");
impersonatedUser.setEnabled(true);
session.userCredentialManager().updateCredential(realm, impersonatedUser, UserCredentialModel.password("password"));
impersonatedUser.grantRole(exampleRole);
}
use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.
the class IterablePermissionEvaluator method evaluate.
@Override
public Decision evaluate(Decision decision) {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
try {
Map<Policy, Map<Object, Decision.Effect>> decisionCache = new HashMap<>();
storeFactory.setReadOnly(true);
Iterator<ResourcePermission> permissions = getPermissions();
while (permissions.hasNext()) {
this.policyEvaluator.evaluate(permissions.next(), authorizationProvider, executionContext, decision, decisionCache);
}
decision.onComplete();
} catch (Throwable cause) {
decision.onError(cause);
} finally {
storeFactory.setReadOnly(false);
}
return decision;
}
use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.
the class UnboundedPermissionEvaluator method evaluate.
@Override
public Decision evaluate(Decision decision) {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
try {
Map<Policy, Map<Object, Decision.Effect>> decisionCache = new HashMap<>();
storeFactory.setReadOnly(true);
Permissions.all(resourceServer, executionContext.getIdentity(), authorizationProvider, request, permission -> policyEvaluator.evaluate(permission, authorizationProvider, executionContext, decision, decisionCache));
decision.onComplete();
} catch (Throwable cause) {
decision.onError(cause);
} finally {
storeFactory.setReadOnly(false);
}
return decision;
}
use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.
the class AuthorizationProvider method createResourceStoreWrapper.
private ResourceStore createResourceStoreWrapper(StoreFactory storeFactory) {
return new ResourceStore() {
ResourceStore delegate = storeFactory.getResourceStore();
@Override
public Resource create(String name, ResourceServer resourceServer, String owner) {
return delegate.create(name, resourceServer, owner);
}
@Override
public Resource create(String id, String name, ResourceServer resourceServer, String owner) {
return delegate.create(id, name, resourceServer, owner);
}
@Override
public void delete(String id) {
Resource resource = findById(id, null);
StoreFactory storeFactory = AuthorizationProvider.this.getStoreFactory();
PermissionTicketStore ticketStore = storeFactory.getPermissionTicketStore();
List<PermissionTicket> permissions = ticketStore.findByResource(id, resource.getResourceServer());
for (PermissionTicket permission : permissions) {
ticketStore.delete(permission.getId());
}
PolicyStore policyStore = storeFactory.getPolicyStore();
List<Policy> policies = policyStore.findByResource(id, resource.getResourceServer());
for (Policy policyModel : policies) {
if (policyModel.getResources().size() == 1) {
policyStore.delete(policyModel.getId());
} else {
policyModel.removeResource(resource);
}
}
delegate.delete(id);
}
@Override
public Resource findById(String id, String resourceServerId) {
return delegate.findById(id, resourceServerId);
}
@Override
public List<Resource> findByOwner(String ownerId, String resourceServerId) {
return delegate.findByOwner(ownerId, resourceServerId);
}
@Override
public void findByOwner(String ownerId, String resourceServerId, Consumer<Resource> consumer) {
delegate.findByOwner(ownerId, resourceServerId, consumer);
}
@Override
public List<Resource> findByOwner(String ownerId, String resourceServerId, int first, int max) {
return delegate.findByOwner(ownerId, resourceServerId, first, max);
}
@Override
public List<Resource> findByUri(String uri, String resourceServerId) {
return delegate.findByUri(uri, resourceServerId);
}
@Override
public List<Resource> findByResourceServer(String resourceServerId) {
return delegate.findByResourceServer(resourceServerId);
}
@Override
public List<Resource> findByResourceServer(Map<Resource.FilterOption, String[]> attributes, String resourceServerId, int firstResult, int maxResult) {
return delegate.findByResourceServer(attributes, resourceServerId, firstResult, maxResult);
}
@Override
public List<Resource> findByScope(List<String> id, String resourceServerId) {
return delegate.findByScope(id, resourceServerId);
}
@Override
public void findByScope(List<String> scopes, String resourceServerId, Consumer<Resource> consumer) {
delegate.findByScope(scopes, resourceServerId, consumer);
}
@Override
public Resource findByName(String name, String resourceServerId) {
return delegate.findByName(name, resourceServerId);
}
@Override
public Resource findByName(String name, String ownerId, String resourceServerId) {
return delegate.findByName(name, ownerId, resourceServerId);
}
@Override
public List<Resource> findByType(String type, String resourceServerId) {
return delegate.findByType(type, resourceServerId);
}
@Override
public void findByType(String type, String resourceServerId, Consumer<Resource> consumer) {
delegate.findByType(type, resourceServerId, consumer);
}
@Override
public void findByType(String type, String owner, String resourceServerId, Consumer<Resource> consumer) {
delegate.findByType(type, owner, resourceServerId, consumer);
}
@Override
public List<Resource> findByType(String type, String owner, String resourceServerId) {
return delegate.findByType(type, resourceServerId);
}
@Override
public List<Resource> findByTypeInstance(String type, String resourceServerId) {
return delegate.findByTypeInstance(type, resourceServerId);
}
@Override
public void findByTypeInstance(String type, String resourceServerId, Consumer<Resource> consumer) {
delegate.findByTypeInstance(type, resourceServerId, consumer);
}
};
}
Aggregations