Search in sources :

Example 6 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class UserPermissions method isImpersonatable.

@Override
public boolean isImpersonatable(UserModel user) {
    ResourceServer server = root.realmResourceServer();
    if (server == null) {
        return true;
    }
    Resource resource = resourceStore.findByName(USERS_RESOURCE, server.getId());
    if (resource == null) {
        return true;
    }
    Policy policy = authz.getStoreFactory().getPolicyStore().findByName(USER_IMPERSONATED_PERMISSION, server.getId());
    if (policy == null) {
        return true;
    }
    Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
    // if no policies attached to permission then just do default behavior
    if (associatedPolicies == null || associatedPolicies.isEmpty()) {
        return true;
    }
    return hasPermission(new DefaultEvaluationContext(new UserModelIdentity(root.realm, user), session), USER_IMPERSONATED_SCOPE);
}
Also used : Policy(org.keycloak.authorization.model.Policy) DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer) UserModelIdentity(org.keycloak.authorization.common.UserModelIdentity)

Example 7 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class UserPermissions method deletePermissionSetup.

private void deletePermissionSetup() {
    ResourceServer server = root.realmResourceServer();
    if (server == null)
        return;
    Policy policy = managePermission();
    if (policy != null) {
        policyStore.delete(policy.getId());
    }
    policy = viewPermission();
    if (policy != null) {
        policyStore.delete(policy.getId());
    }
    policy = mapRolesPermission();
    if (policy != null) {
        policyStore.delete(policy.getId());
    }
    policy = manageGroupMembershipPermission();
    if (policy != null) {
        policyStore.delete(policy.getId());
    }
    policy = adminImpersonatingPermission();
    if (policy != null) {
        policyStore.delete(policy.getId());
    }
    policy = userImpersonatedPermission();
    if (policy != null) {
        policyStore.delete(policy.getId());
    }
    Resource usersResource = resourceStore.findByName(USERS_RESOURCE, server.getId());
    if (usersResource != null) {
        resourceStore.delete(usersResource.getId());
    }
}
Also used : Policy(org.keycloak.authorization.model.Policy) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 8 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class ClientPermissions method canExchangeTo.

@Override
public boolean canExchangeTo(ClientModel authorizedClient, ClientModel to) {
    if (!authorizedClient.equals(to)) {
        ResourceServer server = resourceServer(to);
        if (server == null) {
            logger.debug("No resource server set up for target client");
            return false;
        }
        Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(to), server.getId());
        if (resource == null) {
            logger.debug("No resource object set up for target client");
            return false;
        }
        Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getExchangeToPermissionName(to), server.getId());
        if (policy == null) {
            logger.debug("No permission object set up for target client");
            return false;
        }
        Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
        // if no policies attached to permission then just do default behavior
        if (associatedPolicies == null || associatedPolicies.isEmpty()) {
            logger.debug("No policies set up for permission on target client");
            return false;
        }
        Scope scope = exchangeToScope(server);
        if (scope == null) {
            logger.debug(TOKEN_EXCHANGE + " not initialized");
            return false;
        }
        ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient);
        EvaluationContext context = new DefaultEvaluationContext(identity, session) {

            @Override
            public Map<String, Collection<String>> getBaseAttributes() {
                Map<String, Collection<String>> attributes = super.getBaseAttributes();
                attributes.put("kc.client.id", Arrays.asList(authorizedClient.getClientId()));
                return attributes;
            }
        };
        return root.evaluatePermission(resource, server, context, scope);
    }
    return true;
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext) Resource(org.keycloak.authorization.model.Resource) Collection(java.util.Collection) EvaluationContext(org.keycloak.authorization.policy.evaluation.EvaluationContext) DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext) ResourceServer(org.keycloak.authorization.model.ResourceServer) ClientModelIdentity(org.keycloak.authorization.common.ClientModelIdentity)

Example 9 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class ClientPermissions method canConfigure.

@Override
public boolean canConfigure(ClientModel client) {
    if (canManage(client))
        return true;
    if (!root.isAdminSameRealm()) {
        return false;
    }
    ResourceServer server = resourceServer(client);
    if (server == null)
        return false;
    Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());
    if (resource == null)
        return false;
    Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getConfigurePermissionName(client), server.getId());
    if (policy == null) {
        return false;
    }
    Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
    // if no policies attached to permission then just do default behavior
    if (associatedPolicies == null || associatedPolicies.isEmpty()) {
        return false;
    }
    Scope scope = configureScope(server);
    return root.evaluatePermission(resource, server, scope);
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 10 with Resource

use of org.keycloak.authorization.model.Resource in project keycloak by keycloak.

the class ClientPermissions method canMapClientScopeRoles.

@Override
public boolean canMapClientScopeRoles(ClientModel client) {
    ResourceServer server = resourceServer(client);
    if (server == null)
        return false;
    Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());
    if (resource == null)
        return false;
    Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapRolesClientScopePermissionName(client), server.getId());
    if (policy == null) {
        return false;
    }
    Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
    // if no policies attached to permission then just do default behavior
    if (associatedPolicies == null || associatedPolicies.isEmpty()) {
        return false;
    }
    Scope scope = authz.getStoreFactory().getScopeStore().findByName(MAP_ROLES_CLIENT_SCOPE, server.getId());
    return root.evaluatePermission(resource, server, scope);
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Aggregations

Resource (org.keycloak.authorization.model.Resource)87 ResourceServer (org.keycloak.authorization.model.ResourceServer)51 Policy (org.keycloak.authorization.model.Policy)45 Scope (org.keycloak.authorization.model.Scope)44 AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)27 ResourceStore (org.keycloak.authorization.store.ResourceStore)27 StoreFactory (org.keycloak.authorization.store.StoreFactory)26 ArrayList (java.util.ArrayList)22 ClientModel (org.keycloak.models.ClientModel)22 List (java.util.List)20 HashSet (java.util.HashSet)19 Map (java.util.Map)19 UserModel (org.keycloak.models.UserModel)18 RealmModel (org.keycloak.models.RealmModel)16 HashMap (java.util.HashMap)15 Set (java.util.Set)15 EnumMap (java.util.EnumMap)14 Collectors (java.util.stream.Collectors)14 Path (javax.ws.rs.Path)13 PolicyStore (org.keycloak.authorization.store.PolicyStore)13