Examples with Resource org.keycloak.authorization.model.Resource used on opensource projects

Example 56 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class ResourceSetService method create.

public ResourceRepresentation create(ResourceRepresentation resource) {
    requireManage();
    StoreFactory storeFactory = this.authorization.getStoreFactory();
    ResourceOwnerRepresentation owner = resource.getOwner();
    if (owner == null) {
        owner = new ResourceOwnerRepresentation();
        owner.setId(resourceServer.getId());
        resource.setOwner(owner);
    }
    String ownerId = owner.getId();
    if (ownerId == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "You must specify the resource owner.", Status.BAD_REQUEST);
    }
    Resource existingResource = storeFactory.getResourceStore().findByName(resource.getName(), ownerId, this.resourceServer.getId());
    if (existingResource != null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Resource with name [" + resource.getName() + "] already exists.", Status.CONFLICT);
    }
    return toRepresentation(toModel(resource, this.resourceServer, authorization), resourceServer.getId(), authorization);
}

Example 57 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class ResourceSetService method getAttributes.

@Path("{id}/attributes")
@GET
@NoCache
@Produces("application/json")
public Response getAttributes(@PathParam("id") String id) {
    requireView();
    StoreFactory storeFactory = authorization.getStoreFactory();
    Resource model = storeFactory.getResourceStore().findById(id, resourceServer.getId());
    if (model == null) {
        return Response.status(Status.NOT_FOUND).build();
    }
    return Response.ok(model.getAttributes()).build();
}

Example 58 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class AuthorizationTokenService method resolveResourcePermission.

private void resolveResourcePermission(KeycloakAuthorizationRequest request, ResourceServer resourceServer, KeycloakIdentity identity, AuthorizationProvider authorization, StoreFactory storeFactory, Map<String, ResourcePermission> permissionsToEvaluate, ResourceStore resourceStore, AtomicInteger limit, Permission permission, Set<Scope> requestedScopesModel, String resourceId) {
    Resource resource;
    if (resourceId.indexOf('-') != -1) {
        resource = resourceStore.findById(resourceId, resourceServer.getId());
    } else {
        resource = null;
    }
    if (resource != null) {
        addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource);
    } else if (resourceId.startsWith("resource-type:")) {
        // only resource types, no resource instances. resource types are owned by the resource server
        String resourceType = resourceId.substring("resource-type:".length());
        resourceStore.findByType(resourceType, resourceServer.getId(), resourceServer.getId(), resource1 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource1));
    } else if (resourceId.startsWith("resource-type-any:")) {
        // any resource with a given type
        String resourceType = resourceId.substring("resource-type-any:".length());
        resourceStore.findByType(resourceType, null, resourceServer.getId(), resource12 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource12));
    } else if (resourceId.startsWith("resource-type-instance:")) {
        // only resource instances with a given type
        String resourceType = resourceId.substring("resource-type-instance:".length());
        resourceStore.findByTypeInstance(resourceType, resourceServer.getId(), resource13 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource13));
    } else if (resourceId.startsWith("resource-type-owner:")) {
        // only resources where the current identity is the owner
        String resourceType = resourceId.substring("resource-type-owner:".length());
        resourceStore.findByType(resourceType, identity.getId(), resourceServer.getId(), resource14 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource14));
    } else {
        Resource ownerResource = resourceStore.findByName(resourceId, identity.getId(), resourceServer.getId());
        if (ownerResource != null) {
            permission.setResourceId(ownerResource.getId());
            addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, ownerResource);
        }
        if (!identity.isResourceServer() || !identity.getId().equals(resourceServer.getId())) {
            List<PermissionTicket> tickets = storeFactory.getPermissionTicketStore().findGranted(resourceId, identity.getId(), resourceServer.getId());
            if (!tickets.isEmpty()) {
                List<Scope> scopes = new ArrayList<>();
                Resource grantedResource = null;
                for (PermissionTicket permissionTicket : tickets) {
                    if (grantedResource == null) {
                        grantedResource = permissionTicket.getResource();
                    }
                    scopes.add(permissionTicket.getScope());
                }
                requestedScopesModel.retainAll(scopes);
                ResourcePermission resourcePermission = addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, grantedResource);
                // the permission is explicitly granted by the owner, mark this permission as granted so that we don't run the evaluation engine on it
                resourcePermission.setGranted(true);
            }
            Resource serverResource = resourceStore.findByName(resourceId, resourceServer.getId());
            if (serverResource != null) {
                permission.setResourceId(serverResource.getId());
                addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, serverResource);
            }
        }
    }
    if (permissionsToEvaluate.isEmpty()) {
        CorsErrorResponseException invalidResourceException = new CorsErrorResponseException(request.getCors(), "invalid_resource", "Resource with id [" + resourceId + "] does not exist.", Status.BAD_REQUEST);
        fireErrorEvent(request.getEvent(), Errors.INVALID_REQUEST, invalidResourceException);
        throw invalidResourceException;
    }
}

Example 59 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class AbstractPermissionService method verifyRequestedResource.

private List<Permission> verifyRequestedResource(List<PermissionRequest> request) {
    ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
    List<Permission> requestedResources = new ArrayList<>();
    for (PermissionRequest permissionRequest : request) {
        String resourceSetId = permissionRequest.getResourceId();
        List<Resource> resources = new ArrayList<>();
        if (resourceSetId == null) {
            if (permissionRequest.getScopes() == null || permissionRequest.getScopes().isEmpty()) {
                throw new ErrorResponseException("invalid_resource_id", "Resource id or name not provided.", Response.Status.BAD_REQUEST);
            }
        } else {
            Resource resource = resourceStore.findById(resourceSetId, resourceServer.getId());
            if (resource != null) {
                resources.add(resource);
            } else {
                Resource userResource = resourceStore.findByName(resourceSetId, identity.getId(), this.resourceServer.getId());
                if (userResource != null) {
                    resources.add(userResource);
                }
                if (!identity.isResourceServer()) {
                    Resource serverResource = resourceStore.findByName(resourceSetId, this.resourceServer.getId());
                    if (serverResource != null) {
                        resources.add(serverResource);
                    }
                }
            }
            if (resources.isEmpty()) {
                throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + resourceSetId + "] does not exists in this server.", Response.Status.BAD_REQUEST);
            }
        }
        if (resources.isEmpty()) {
            requestedResources.add(new Permission(null, verifyRequestedScopes(permissionRequest, null)));
        } else {
            for (Resource resource : resources) {
                requestedResources.add(new Permission(resource.getId(), verifyRequestedScopes(permissionRequest, resource)));
            }
        }
    }
    return requestedResources;
}

Example 60 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class PermissionTicketService method create.

@POST
@Consumes("application/json")
@Produces("application/json")
public Response create(PermissionTicketRepresentation representation) {
    PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
    if (representation == null)
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_permission", Response.Status.BAD_REQUEST);
    if (representation.getId() != null)
        throw new ErrorResponseException("invalid_permission", "created permissions should not have id", Response.Status.BAD_REQUEST);
    if (representation.getResource() == null)
        throw new ErrorResponseException("invalid_permission", "created permissions should have resource", Response.Status.BAD_REQUEST);
    if (representation.getScope() == null && representation.getScopeName() == null)
        throw new ErrorResponseException("invalid_permission", "created permissions should have scope or scopeName", Response.Status.BAD_REQUEST);
    if (representation.getRequester() == null && representation.getRequesterName() == null)
        throw new ErrorResponseException("invalid_permission", "created permissions should have requester or requesterName", Response.Status.BAD_REQUEST);
    ResourceStore rstore = this.authorization.getStoreFactory().getResourceStore();
    Resource resource = rstore.findById(representation.getResource(), resourceServer.getId());
    if (resource == null)
        throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not exists in this server.", Response.Status.BAD_REQUEST);
    if (!resource.getOwner().equals(this.identity.getId()))
        throw new ErrorResponseException("not_authorised", "permissions for [" + representation.getResource() + "] can be only created by the owner", Response.Status.FORBIDDEN);
    UserModel user = null;
    if (representation.getRequester() != null)
        user = this.authorization.getKeycloakSession().userStorageManager().getUserById(this.authorization.getRealm(), representation.getRequester());
    else
        user = this.authorization.getKeycloakSession().userStorageManager().getUserByUsername(this.authorization.getRealm(), representation.getRequesterName());
    if (user == null)
        throw new ErrorResponseException("invalid_permission", "Requester does not exists in this server as user.", Response.Status.BAD_REQUEST);
    Scope scope = null;
    ScopeStore sstore = this.authorization.getStoreFactory().getScopeStore();
    if (representation.getScopeName() != null)
        scope = sstore.findByName(representation.getScopeName(), resourceServer.getId());
    else
        scope = sstore.findById(representation.getScope(), resourceServer.getId());
    if (scope == null && representation.getScope() != null)
        throw new ErrorResponseException("invalid_scope", "Scope [" + representation.getScope() + "] is invalid", Response.Status.BAD_REQUEST);
    if (scope == null && representation.getScopeName() != null)
        throw new ErrorResponseException("invalid_scope", "Scope [" + representation.getScopeName() + "] is invalid", Response.Status.BAD_REQUEST);
    boolean match = resource.getScopes().contains(scope);
    if (!match)
        throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not have Scope [" + scope.getName() + "]", Response.Status.BAD_REQUEST);
    Map<PermissionTicket.FilterOption, String> attributes = new EnumMap<>(PermissionTicket.FilterOption.class);
    attributes.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
    attributes.put(PermissionTicket.FilterOption.SCOPE_ID, scope.getId());
    attributes.put(PermissionTicket.FilterOption.REQUESTER, user.getId());
    if (!ticketStore.find(attributes, resourceServer.getId(), -1, -1).isEmpty())
        throw new ErrorResponseException("invalid_permission", "Permission already exists", Response.Status.BAD_REQUEST);
    PermissionTicket ticket = ticketStore.create(resource.getId(), scope.getId(), user.getId(), resourceServer);
    if (representation.isGranted())
        ticket.setGrantedTimestamp(java.lang.System.currentTimeMillis());
    representation = ModelToRepresentation.toRepresentation(ticket, authorization);
    return Response.ok(representation).build();
}