Use of org.keycloak.authorization.model.Resource in the keycloak project by keycloak.
Class ClientPermissions, method hasView.
/**
 * Decides whether the current admin may view {@code client}.
 * <p>
 * The global view permission short-circuits to {@code true}; an admin from a
 * different realm is always denied. Otherwise the decision is delegated to the
 * fine-grained "view" permission on the client's resource, and any missing piece
 * of that setup (resource server, resource, permission, attached policies) is
 * answered with a deny.
 *
 * @param client the client being inspected
 * @return {@code true} if viewing is permitted
 */
private boolean hasView(ClientModel client) {
    if (canView()) {
        return true;
    }
    if (!root.isAdminSameRealm()) {
        return false;
    }
    ResourceServer clientServer = resourceServer(client);
    if (clientServer == null) {
        return false;
    }
    String serverId = clientServer.getId();
    Resource clientResource = authz.getStoreFactory().getResourceStore()
            .findByName(getResourceName(client), serverId);
    if (clientResource == null) {
        return false;
    }
    Policy viewPermission = authz.getStoreFactory().getPolicyStore()
            .findByName(getViewPermissionName(client), serverId);
    if (viewPermission == null) {
        return false;
    }
    Set<Policy> attached = viewPermission.getAssociatedPolicies();
    // A permission with nothing attached is treated as "not configured": deny
    // outright instead of handing it to the evaluator.
    if (attached == null || attached.isEmpty()) {
        return false;
    }
    return root.evaluatePermission(clientResource, clientServer, viewScope(clientServer));
}
Use of org.keycloak.authorization.model.Resource in the keycloak project by keycloak.
Class IdentityProviderPermissions, method canExchangeTo.
/**
 * Decides whether {@code authorizedClient} may exchange a token for one targeting
 * the identity provider {@code to}.
 * <p>
 * The realm resource server, the provider's resource, its "exchange-to" permission,
 * at least one attached policy and the token-exchange scope must all exist; any of
 * them being absent is logged at debug level and answered with a deny. The actual
 * decision is then made by the policy evaluator, with the requesting client's id
 * exposed to policies as the {@code kc.client.id} attribute.
 *
 * @param authorizedClient the client requesting the exchange
 * @param to the identity provider the exchanged token is meant for
 * @return {@code true} if the exchange is permitted
 */
@Override
public boolean canExchangeTo(ClientModel authorizedClient, IdentityProviderModel to) {
    ResourceServer realmServer = root.initializeRealmResourceServer();
    if (realmServer == null) {
        logger.debug("No resource server set up for target idp");
        return false;
    }
    String serverId = realmServer.getId();
    Resource idpResource = authz.getStoreFactory().getResourceStore()
            .findByName(getResourceName(to), serverId);
    if (idpResource == null) {
        logger.debug("No resource object set up for target idp");
        return false;
    }
    Policy exchangePermission = authz.getStoreFactory().getPolicyStore()
            .findByName(getExchangeToPermissionName(to), serverId);
    if (exchangePermission == null) {
        logger.debug("No permission object set up for target idp");
        return false;
    }
    Set<Policy> attached = exchangePermission.getAssociatedPolicies();
    // A permission with nothing attached counts as "not configured" and is denied
    // outright instead of being handed to the evaluator.
    if (attached == null || attached.isEmpty()) {
        logger.debug("No policies set up for permission on target idp");
        return false;
    }
    Scope exchangeScope = exchangeToScope(realmServer);
    if (exchangeScope == null) {
        logger.debug(TOKEN_EXCHANGE + " not initialized");
        return false;
    }
    ClientModelIdentity clientIdentity = new ClientModelIdentity(session, authorizedClient);
    EvaluationContext evalContext = new DefaultEvaluationContext(clientIdentity, session) {
        @Override
        public Map<String, Collection<String>> getBaseAttributes() {
            // Make the requesting client visible to policies under a well-known key.
            Map<String, Collection<String>> baseAttributes = super.getBaseAttributes();
            baseAttributes.put("kc.client.id", Arrays.asList(authorizedClient.getClientId()));
            return baseAttributes;
        }
    };
    return root.evaluatePermission(idpResource, realmServer, evalContext, exchangeScope);
}
Use of org.keycloak.authorization.model.Resource in the keycloak project by keycloak.
Class IdentityProviderPermissions, method deletePermissions.
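/**
 * Removes the fine-grained authorization objects created for {@code idp}: its
 * "exchange-to" permission and the resource representing the provider.
 * <p>
 * Nothing is done when no realm resource server is available, and a missing
 * resource is not an error (permissions may never have been set up for this
 * provider). The permission is removed before the resource it refers to.
 *
 * @param idp the identity provider being cleaned up
 */
private void deletePermissions(IdentityProviderModel idp) {
    ResourceServer server = root.initializeRealmResourceServer();
    if (server == null) {
        return;
    }
    deletePolicy(getExchangeToPermissionName(idp), server);
    Resource resource = authz.getStoreFactory().getResourceStore()
            .findByName(getResourceName(idp), server.getId());
    if (resource != null) {
        authz.getStoreFactory().getResourceStore().delete(resource.getId());
    }
}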
Use of org.keycloak.authorization.model.Resource in the keycloak project by keycloak.
Class RolePermissions, method canMapRole.
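/**
 * Is the current admin allowed to map {@code role}?
 * <p>
 * The checks run in a fixed order: an admin with the default manage-users
 * permission only has to pass the admin-role check; a cross-realm admin is always
 * denied; an admin who may map any role of the owning client is allowed; otherwise
 * the decision comes from the fine-grained "map-role" permission, and every missing
 * piece of that setup (permissions disabled for the role, no resource server, no
 * permission, no attached policies) results in a deny. Passing the fine-grained
 * check is necessary but not sufficient: the admin-role check still applies.
 *
 * @param role the role the admin wants to map
 * @return {@code true} if mapping is permitted
 */
@Override
public boolean canMapRole(RoleModel role) {
    if (root.users().canManageDefault()) {
        return checkAdminRoles(role);
    }
    if (!root.isAdminSameRealm()) {
        return false;
    }
    if (role.getContainer() instanceof ClientModel
            && root.clients().canMapRoles((ClientModel) role.getContainer())) {
        return true;
    }
    if (!isPermissionsEnabled(role)) {
        return false;
    }
    ResourceServer resourceServer = resourceServer(role);
    if (resourceServer == null) {
        return false;
    }
    Policy policy = authz.getStoreFactory().getPolicyStore()
            .findByName(getMapRolePermissionName(role), resourceServer.getId());
    if (policy == null) {
        return false;
    }
    // Treat a null collection like an empty one, as the other permission checks in
    // this module do, instead of failing with an NPE on a half-configured permission.
    if (policy.getAssociatedPolicies() == null || policy.getAssociatedPolicies().isEmpty()) {
        return false;
    }
    Resource roleResource = resource(role);
    Scope mapRoleScope = mapRoleScope(resourceServer);
    return root.evaluatePermission(roleResource, resourceServer, mapRoleScope)
            && checkAdminRoles(role);
}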
Use of org.keycloak.authorization.model.Resource in the keycloak project by keycloak.
Class PolicyAdapter, method getResources.
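/**
 * Returns the resources this policy applies to.
 * <p>
 * If the underlying policy has been modified in this session the live model is
 * consulted; otherwise the resources are loaded once from the cached ids, put into
 * the session cache, and memoized as an unmodifiable set for later calls.
 *
 * @return the policy's resources; the memoized set is unmodifiable
 */
@Override
public Set<Resource> getResources() {
    if (isUpdated()) {
        return updated.getResources();
    }
    if (resources != null) {
        return resources;
    }
    // Build into a local so a half-populated set is never visible through the field.
    Set<Resource> loaded = new HashSet<>();
    ResourceStore resourceStore = cacheSession.getResourceStore();
    // The server id is the same for every resource of this policy; read it once.
    String resourceServerId = cached.getResourceServerId();
    for (String resourceId : cached.getResourcesIds(modelSupplier)) {
        Resource resource = resourceStore.findById(resourceId, resourceServerId);
        // NOTE(review): assumes findById returns non-null for a cached id — a null
        // here would be cached and added to the set as-is; confirm against the store.
        cacheSession.cacheResource(resource);
        loaded.add(resource);
    }
    resources = Collections.unmodifiableSet(loaded);
    return resources;
}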