
Example 26 with Policy

use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.

the class AbstractDecisionCollector method onDecision.

@Override
public void onDecision(DefaultEvaluation evaluation) {
    // Records one policy evaluation into `results` (a field of the enclosing class, keyed by
    // ResourcePermission). Three shapes of evaluation arrive here:
    //   1. no parent policy           -> the effect becomes the Result's status directly;
    //   2. parent == evaluated policy -> the parent itself is being registered on the Result;
    //   3. parent != evaluated policy -> a child policy's effect is attached under its parent.
    Policy parentPolicy = evaluation.getParentPolicy();
    ResourcePermission permission = evaluation.getPermission();
    if (parentPolicy != null) {
        if (parentPolicy.equals(evaluation.getPolicy())) {
            results.computeIfAbsent(permission, permission1 -> {
                // First time this permission is seen: if another permission already has a
                // PolicyResult for the same parent, seed the new Result from it so the parent's
                // associated-policy effects are not evaluated from scratch.
                for (Result result : results.values()) {
                    Result.PolicyResult policyResult = result.getPolicy(parentPolicy);
                    if (policyResult != null) {
                        Result newResult = new Result(permission1, evaluation);
                        Result.PolicyResult newPolicyResult = newResult.policy(parentPolicy);
                        for (Result.PolicyResult associatePolicy : policyResult.getAssociatedPolicies()) {
                            newPolicyResult.policy(associatePolicy.getPolicy(), associatePolicy.getEffect());
                        }
                        // Side effect: claims gathered for the other permission are merged into the
                        // permission that is being inserted as this map's key.
                        Map<String, Set<String>> claims = result.getPermission().getClaims();
                        if (!claims.isEmpty()) {
                            permission1.addClaims(claims);
                        }
                        return newResult;
                    }
                }
                // No earlier result knows this parent: start with an empty Result.
                return new Result(permission1, evaluation);
            }).policy(parentPolicy);
        } else {
            // Child policy: register the parent (if not yet present) and the child's effect under it.
            results.computeIfAbsent(permission, p -> new Result(p, evaluation)).policy(parentPolicy).policy(evaluation.getPolicy(), evaluation.getEffect());
        }
    } else {
        // Top-level policy: its effect is the overall status for this permission.
        results.computeIfAbsent(permission, p -> new Result(p, evaluation)).setStatus(evaluation.getEffect());
    }
}
Also used : Policy(org.keycloak.authorization.model.Policy) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission) LinkedHashMap(java.util.LinkedHashMap) Policy(org.keycloak.authorization.model.Policy) Collection(java.util.Collection) Map(java.util.Map) Set(java.util.Set) Decision(org.keycloak.authorization.Decision) DecisionStrategy(org.keycloak.representations.idm.authorization.DecisionStrategy) LinkedHashMap(java.util.LinkedHashMap) Map(java.util.Map) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)

Example 27 with Policy

use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.

the class ExportUtils method createPolicyRepresentation.

/**
 * Builds the exportable representation of a policy.
 * <p>
 * The scopes, resources and associated policies the policy points to are written into the
 * representation's config map as JSON arrays of <em>names</em> (keys {@code scopes},
 * {@code resources} and {@code applyPolicies}); each key is only written when the
 * corresponding collection is non-empty.
 *
 * @param authorizationProvider provider handed to {@code toRepresentation}
 * @param policy                the policy to export
 * @return the representation with a fresh, mutable config map
 * @throws RuntimeException wrapping any failure (including JSON serialization errors), with the policy name in the message
 */
private static PolicyRepresentation createPolicyRepresentation(AuthorizationProvider authorizationProvider, Policy policy) {
    try {
        PolicyRepresentation representation = toRepresentation(policy, authorizationProvider, true, true);
        // Copy the config so the export-only entries below do not touch the original map.
        Map<String, String> exportedConfig = new HashMap<>(representation.getConfig());
        representation.setConfig(exportedConfig);

        Set<Scope> scopes = policy.getScopes();
        if (!scopes.isEmpty()) {
            List<String> scopeNames = scopes.stream()
                    .map(Scope::getName)
                    .collect(Collectors.toList());
            exportedConfig.put("scopes", JsonSerialization.writeValueAsString(scopeNames));
        }

        Set<Resource> resources = policy.getResources();
        if (!resources.isEmpty()) {
            List<String> resourceNames = resources.stream()
                    .map(Resource::getName)
                    .collect(Collectors.toList());
            exportedConfig.put("resources", JsonSerialization.writeValueAsString(resourceNames));
        }

        Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
        if (!associatedPolicies.isEmpty()) {
            List<String> associatedNames = associatedPolicies.stream()
                    .map(Policy::getName)
                    .collect(Collectors.toList());
            exportedConfig.put("applyPolicies", JsonSerialization.writeValueAsString(associatedNames));
        }

        return representation;
    } catch (Exception e) {
        throw new RuntimeException("Error while exporting policy [" + policy.getName() + "].", e);
    }
}
Also used : Policy(org.keycloak.authorization.model.Policy) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Version(org.keycloak.common.Version) RoleContainerModel(org.keycloak.models.RoleContainerModel) Map(java.util.Map) ModelToRepresentation.toRepresentation(org.keycloak.models.utils.ModelToRepresentation.toRepresentation) CredentialRepresentation(org.keycloak.representations.idm.CredentialRepresentation) UserConsentRepresentation(org.keycloak.representations.idm.UserConsentRepresentation) ResourceOwnerRepresentation(org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) ClientScopeModel(org.keycloak.models.ClientScopeModel) RealmModel(org.keycloak.models.RealmModel) FederatedIdentityRepresentation(org.keycloak.representations.idm.FederatedIdentityRepresentation) Collection(java.util.Collection) AuthorizationProviderFactory(org.keycloak.authorization.AuthorizationProviderFactory) Set(java.util.Set) RoleModel(org.keycloak.models.RoleModel) PolicyStore(org.keycloak.authorization.store.PolicyStore) Collectors(java.util.stream.Collectors) RealmRepresentation(org.keycloak.representations.idm.RealmRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ModelToRepresentation(org.keycloak.models.utils.ModelToRepresentation) ResourceServerRepresentation(org.keycloak.representations.idm.authorization.ResourceServerRepresentation) List(java.util.List) Stream(java.util.stream.Stream) ClientModel(org.keycloak.models.ClientModel) Scope(org.keycloak.authorization.model.Scope) Profile(org.keycloak.common.Profile) JsonGenerator(com.fasterxml.jackson.core.JsonGenerator) ScopeMappingRepresentation(org.keycloak.representations.idm.ScopeMappingRepresentation) StoreFactory(org.keycloak.authorization.store.StoreFactory) HashMap(java.util.HashMap) 
PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) ArrayList(java.util.ArrayList) HashSet(java.util.HashSet) UserModel(org.keycloak.models.UserModel) ComponentExportRepresentation(org.keycloak.representations.idm.ComponentExportRepresentation) JsonEncoding(com.fasterxml.jackson.core.JsonEncoding) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) LinkedList(java.util.LinkedList) RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) ResourceServer(org.keycloak.authorization.model.ResourceServer) FederatedIdentityModel(org.keycloak.models.FederatedIdentityModel) OutputStream(java.io.OutputStream) RolesRepresentation(org.keycloak.representations.idm.RolesRepresentation) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) CredentialModel(org.keycloak.credential.CredentialModel) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) KeycloakSession(org.keycloak.models.KeycloakSession) IOException(java.io.IOException) JsonSerialization(org.keycloak.util.JsonSerialization) Policy(org.keycloak.authorization.model.Policy) JsonFactory(com.fasterxml.jackson.core.JsonFactory) SerializationFeature(com.fasterxml.jackson.databind.SerializationFeature) MultivaluedHashMap(org.keycloak.common.util.MultivaluedHashMap) Resource(org.keycloak.authorization.model.Resource) HashMap(java.util.HashMap) MultivaluedHashMap(org.keycloak.common.util.MultivaluedHashMap) Resource(org.keycloak.authorization.model.Resource) IOException(java.io.IOException) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) Scope(org.keycloak.authorization.model.Scope)

Example 28 with Policy

use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.

the class TimePolicyProvider method evaluate.

/**
 * Grants or denies based on the time at which the evaluation takes place.
 * <p>
 * The instant compared against the policy config is the {@code CONTEXT_TIME_ENTRY} context
 * attribute when one is present and non-empty; otherwise the server clock ({@code new Date()}).
 * Because the context value replaces the server clock entirely, the decision is only as
 * trustworthy as the source of that attribute — confirm callers cannot populate it from
 * untrusted input.
 * <p>
 * Checks, in order, each denying on its own: {@code nbf} (deny if strictly before),
 * {@code noa} (deny if strictly after — an instant exactly equal to {@code noa} passes this
 * check; confirm that matches the intended "not on or after" semantics), then the
 * {@code dayMonth}/{@code month}/{@code year}/{@code hour}/{@code minute} ranges via
 * {@code isInvalid}. Empty config values are treated as unset.
 *
 * @param evaluation the evaluation to decide; exactly one of {@code grant()}/{@code deny()} is called on success
 * @throws RuntimeException wrapping any failure (e.g. an unparsable date), with the policy name in the message
 */
@Override
public void evaluate(Evaluation evaluation) {
    Policy policy = evaluation.getPolicy();
    SimpleDateFormat dateFormat = new SimpleDateFormat(DEFAULT_DATE_PATTERN);
    try {
        // Instant under evaluation: context-supplied time when present, otherwise the server clock.
        EvaluationContext context = evaluation.getContext();
        String suppliedTime = null;
        if (context.getAttributes() != null && context.getAttributes().exists(CONTEXT_TIME_ENTRY)) {
            Attributes.Entry timeEntry = context.getAttributes().getValue(CONTEXT_TIME_ENTRY);
            if (!timeEntry.isEmpty()) {
                suppliedTime = timeEntry.asString(0);
            }
        }
        Date actualDate;
        if (suppliedTime == null) {
            actualDate = new Date();
        } else {
            actualDate = dateFormat.parse(suppliedTime);
        }

        boolean denied = false;

        String notBefore = policy.getConfig().get("nbf");
        if (notBefore != null && !notBefore.isEmpty()) {
            denied = actualDate.before(dateFormat.parse(format(notBefore)));
        }

        if (!denied) {
            String notOnOrAfter = policy.getConfig().get("noa");
            if (notOnOrAfter != null && !notOnOrAfter.isEmpty()) {
                // Strict "after": an instant equal to "noa" is not denied here.
                denied = actualDate.after(dateFormat.parse(format(notOnOrAfter)));
            }
        }

        if (!denied) {
            // Same field order as the original short-circuit chain; stop at the first invalid one.
            int[] calendarFields = {Calendar.DAY_OF_MONTH, Calendar.MONTH, Calendar.YEAR, Calendar.HOUR_OF_DAY, Calendar.MINUTE};
            String[] configKeys = {"dayMonth", "month", "year", "hour", "minute"};
            for (int i = 0; i < calendarFields.length && !denied; i++) {
                denied = isInvalid(actualDate, calendarFields[i], configKeys[i], policy);
            }
        }

        if (denied) {
            evaluation.deny();
        } else {
            evaluation.grant();
        }
    } catch (Exception e) {
        throw new RuntimeException("Could not evaluate time-based policy [" + policy.getName() + "].", e);
    }
}
Also used : Policy(org.keycloak.authorization.model.Policy) Attributes(org.keycloak.authorization.attribute.Attributes) EvaluationContext(org.keycloak.authorization.policy.evaluation.EvaluationContext) SimpleDateFormat(java.text.SimpleDateFormat) Date(java.util.Date)

Example 29 with Policy

use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.

the class RepresentationToModel method updateAssociatedPolicies.

/**
 * Reconciles a policy's associated policies with the set of references from its representation.
 * <p>
 * Each reference may be a policy id or a policy name. Lookups go through the policy store
 * scoped to {@code policy}'s own resource server, so a reference cannot resolve to a policy
 * belonging to a different resource server. {@code null} means "leave associations untouched";
 * an empty set removes every association. In all cases the {@code applyPolicies} config entry
 * is removed at the end, since the associations now live on the model.
 *
 * @param policyIds    ids or names of the policies that should be associated, or {@code null}
 * @param policy       the policy whose associations are updated
 * @param storeFactory source of the policy store used to resolve references
 * @throws RuntimeException if a reference matches neither an id nor a name in this resource server
 */
private static void updateAssociatedPolicies(Set<String> policyIds, Policy policy, StoreFactory storeFactory) {
    ResourceServer resourceServer = policy.getResourceServer();
    if (policyIds != null) {
        if (policyIds.isEmpty()) {
            // Explicitly empty: drop every association (iterate over a copy while removing).
            for (Policy current : new HashSet<Policy>(policy.getAssociatedPolicies())) {
                policy.removeAssociatedPolicy(current);
            }
            return;
        }
        PolicyStore policyStore = storeFactory.getPolicyStore();

        // Pass 1: add every referenced policy that is not already associated (by id or name).
        for (String reference : policyIds) {
            boolean alreadyAssociated = new HashSet<Policy>(policy.getAssociatedPolicies()).stream()
                    .anyMatch(associated -> associated.getId().equals(reference) || associated.getName().equals(reference));
            if (alreadyAssociated) {
                continue;
            }
            // Resolve by id first, then by name — both scoped to this policy's resource server.
            Policy resolved = policyStore.findById(reference, resourceServer.getId());
            if (resolved == null) {
                resolved = policyStore.findByName(reference, resourceServer.getId());
            }
            if (resolved == null) {
                throw new RuntimeException("Policy with id or name [" + reference + "] does not exist");
            }
            policy.addAssociatedPolicy(resolved);
        }

        // Pass 2: remove associations that no reference (id or name) points at any more.
        for (Policy associated : new HashSet<Policy>(policy.getAssociatedPolicies())) {
            boolean stillReferenced = policyIds.stream()
                    .anyMatch(reference -> associated.getId().equals(reference) || associated.getName().equals(reference));
            if (!stillReferenced) {
                policy.removeAssociatedPolicy(associated);
            }
        }
    }
    policy.removeConfig("applyPolicies");
}
Also used : WebAuthnPolicy(org.keycloak.models.WebAuthnPolicy) OTPPolicy(org.keycloak.models.OTPPolicy) Policy(org.keycloak.authorization.model.Policy) PasswordPolicy(org.keycloak.models.PasswordPolicy) PolicyStore(org.keycloak.authorization.store.PolicyStore) ArtifactBindingUtils.computeArtifactBindingIdentifierString(org.keycloak.protocol.saml.util.ArtifactBindingUtils.computeArtifactBindingIdentifierString) ResourceServer(org.keycloak.authorization.model.ResourceServer) HashSet(java.util.HashSet)

Example 30 with Policy

use of org.keycloak.authorization.model.Policy in project keycloak by keycloak.

the class FineGrainAdminUnitTest method setupUsers.

/**
 * Creates the users, roles grants and fine-grained admin permissions the test scenarios rely on.
 * <p>
 * All users created with a credential share the literal test password {@code "password"}.
 * Users fall into a few groups: realm admins (granted {@code REALM_ADMIN} of the
 * {@code realm-management} client), users holding the realm roles {@code mapper} /
 * {@code manager} / {@code composite-role}, users with no grants at all, and users that are
 * authorized only through user policies attached to group or client permissions.
 *
 * @param session the session used to look up the realm named {@code TEST} and to create users and policies
 */
public static void setupUsers(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName(TEST);
    ClientModel client = realm.getClientByClientId(CLIENT_NAME);
    // Realm- and client-level roles the fixture grants below.
    RoleModel realmRole = realm.getRole("realm-role");
    RoleModel realmRole2 = realm.getRole("realm-role2");
    RoleModel clientRole = client.getRole("client-role");
    RoleModel mapperRole = realm.getRole("mapper");
    RoleModel managerRole = realm.getRole("manager");
    RoleModel compositeRole = realm.getRole("composite-role");
    // Built-in admin roles from the realm-management client.
    ClientModel realmManagementClient = realm.getClientByClientId("realm-management");
    RoleModel adminRole = realmManagementClient.getRole(AdminRoles.REALM_ADMIN);
    RoleModel queryGroupsRole = realmManagementClient.getRole(AdminRoles.QUERY_GROUPS);
    RoleModel queryUsersRole = realmManagementClient.getRole(AdminRoles.QUERY_USERS);
    RoleModel queryClientsRole = realmManagementClient.getRole(AdminRoles.QUERY_CLIENTS);
    // Two full realm admins.
    UserModel nomapAdmin = session.users().addUser(realm, "nomap-admin");
    nomapAdmin.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, nomapAdmin, UserCredentialModel.password("password"));
    nomapAdmin.grantRole(adminRole);
    UserModel anotherAdmin = session.users().addUser(realm, "anotherAdmin");
    anotherAdmin.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, anotherAdmin, UserCredentialModel.password("password"));
    anotherAdmin.grantRole(adminRole);
    // "authorized" holds both mapper and manager; "authorizedComposite" gets them via composite-role.
    UserModel authorizedUser = session.users().addUser(realm, "authorized");
    authorizedUser.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, authorizedUser, UserCredentialModel.password("password"));
    authorizedUser.grantRole(mapperRole);
    authorizedUser.grantRole(managerRole);
    UserModel authorizedComposite = session.users().addUser(realm, "authorizedComposite");
    authorizedComposite.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, authorizedComposite, UserCredentialModel.password("password"));
    authorizedComposite.grantRole(compositeRole);
    // Negative cases: no roles at all, and manager without mapper.
    UserModel unauthorizedUser = session.users().addUser(realm, "unauthorized");
    unauthorizedUser.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, unauthorizedUser, UserCredentialModel.password("password"));
    UserModel unauthorizedMapper = session.users().addUser(realm, "unauthorizedMapper");
    unauthorizedMapper.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, unauthorizedMapper, UserCredentialModel.password("password"));
    unauthorizedMapper.grantRole(managerRole);
    // Plain enabled user with no credential and no roles.
    UserModel user1 = session.users().addUser(realm, "user1");
    user1.setEnabled(true);
    // group management
    AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
    GroupModel group = KeycloakModelUtils.findGroupByPath(realm, "top");
    UserModel groupMember = session.users().addUser(realm, "groupMember");
    groupMember.joinGroup(group);
    groupMember.setEnabled(true);
    // Group managers: query-groups + query-users, one with mapper and one without.
    UserModel groupManager = session.users().addUser(realm, "groupManager");
    groupManager.grantRole(queryGroupsRole);
    groupManager.grantRole(queryUsersRole);
    groupManager.setEnabled(true);
    groupManager.grantRole(mapperRole);
    session.userCredentialManager().updateCredential(realm, groupManager, UserCredentialModel.password("password"));
    UserModel groupManagerNoMapper = session.users().addUser(realm, "noMapperGroupManager");
    groupManagerNoMapper.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, groupManagerNoMapper, UserCredentialModel.password("password"));
    groupManagerNoMapper.grantRole(queryGroupsRole);
    groupManagerNoMapper.grantRole(queryUsersRole);
    // User policy "groupManagers" attached to the manage-members, manage-membership and view
    // permissions of group "top" on the realm's resource server.
    UserPolicyRepresentation groupManagerRep = new UserPolicyRepresentation();
    groupManagerRep.setName("groupManagers");
    groupManagerRep.addUser("groupManager");
    groupManagerRep.addUser("noMapperGroupManager");
    ResourceServer server = permissions.realmResourceServer();
    Policy groupManagerPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(groupManagerRep, server);
    permissions.groups().manageMembersPermission(group).addAssociatedPolicy(groupManagerPolicy);
    permissions.groups().manageMembershipPermission(group).addAssociatedPolicy(groupManagerPolicy);
    permissions.groups().viewPermission(group).addAssociatedPolicy(groupManagerPolicy);
    // Client-scoped permissions: each of the three users below is authorized through a
    // user policy created on the client's own resource server.
    UserModel clientMapper = session.users().addUser(realm, "clientMapper");
    clientMapper.setEnabled(true);
    clientMapper.grantRole(managerRole);
    clientMapper.grantRole(queryUsersRole);
    session.userCredentialManager().updateCredential(realm, clientMapper, UserCredentialModel.password("password"));
    Policy clientMapperPolicy = permissions.clients().mapRolesPermission(client);
    UserPolicyRepresentation userRep = new UserPolicyRepresentation();
    userRep.setName("userClientMapper");
    userRep.addUser("clientMapper");
    Policy userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client));
    clientMapperPolicy.addAssociatedPolicy(userPolicy);
    UserModel clientManager = session.users().addUser(realm, "clientManager");
    clientManager.setEnabled(true);
    clientManager.grantRole(queryClientsRole);
    session.userCredentialManager().updateCredential(realm, clientManager, UserCredentialModel.password("password"));
    Policy clientManagerPolicy = permissions.clients().managePermission(client);
    // userRep / userPolicy are reused for each client permission below.
    userRep = new UserPolicyRepresentation();
    userRep.setName("clientManager");
    userRep.addUser("clientManager");
    userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client));
    clientManagerPolicy.addAssociatedPolicy(userPolicy);
    UserModel clientConfigurer = session.users().addUser(realm, "clientConfigurer");
    clientConfigurer.setEnabled(true);
    clientConfigurer.grantRole(queryClientsRole);
    session.userCredentialManager().updateCredential(realm, clientConfigurer, UserCredentialModel.password("password"));
    Policy clientConfigurePolicy = permissions.clients().configurePermission(client);
    userRep = new UserPolicyRepresentation();
    userRep.setName("clientConfigure");
    userRep.addUser("clientConfigurer");
    userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client));
    clientConfigurePolicy.addAssociatedPolicy(userPolicy);
    // Group viewer: may view members of "top" through the "groupMemberViewers" user policy.
    UserModel groupViewer = session.users().addUser(realm, "groupViewer");
    groupViewer.grantRole(queryGroupsRole);
    groupViewer.grantRole(queryUsersRole);
    groupViewer.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, groupViewer, UserCredentialModel.password("password"));
    UserPolicyRepresentation groupViewMembersRep = new UserPolicyRepresentation();
    groupViewMembersRep.setName("groupMemberViewers");
    groupViewMembersRep.addUser("groupViewer");
    Policy groupViewMembersPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(groupViewMembersRep, server);
    Policy groupViewMembersPermission = permissions.groups().viewMembersPermission(group);
    groupViewMembersPermission.addAssociatedPolicy(groupViewMembersPolicy);
}
Also used : RealmModel(org.keycloak.models.RealmModel) UserModel(org.keycloak.models.UserModel) Policy(org.keycloak.authorization.model.Policy) ClientModel(org.keycloak.models.ClientModel) UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation) GroupModel(org.keycloak.models.GroupModel) RoleModel(org.keycloak.models.RoleModel) ResourceServer(org.keycloak.authorization.model.ResourceServer) AdminPermissionManagement(org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)

Aggregations

Policy (org.keycloak.authorization.model.Policy)106 ResourceServer (org.keycloak.authorization.model.ResourceServer)57 Resource (org.keycloak.authorization.model.Resource)38 AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)37 ClientModel (org.keycloak.models.ClientModel)37 Scope (org.keycloak.authorization.model.Scope)33 StoreFactory (org.keycloak.authorization.store.StoreFactory)29 RealmModel (org.keycloak.models.RealmModel)27 PolicyStore (org.keycloak.authorization.store.PolicyStore)23 Map (java.util.Map)22 UserModel (org.keycloak.models.UserModel)20 HashMap (java.util.HashMap)19 HashSet (java.util.HashSet)17 ArrayList (java.util.ArrayList)15 PolicyProvider (org.keycloak.authorization.policy.provider.PolicyProvider)15 List (java.util.List)14 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)13 ClientPolicyRepresentation (org.keycloak.representations.idm.authorization.ClientPolicyRepresentation)12 AdminPermissionManagement (org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)12 Set (java.util.Set)11