Search in sources :

Example 1 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class GroupPermissions method getGroupsWithViewPermission.

@Override
public Set<String> getGroupsWithViewPermission() {
    if (root.users().canView() || root.users().canManage())
        return Collections.emptySet();
    if (!root.isAdminSameRealm()) {
        return Collections.emptySet();
    }
    ResourceServer server = root.realmResourceServer();
    if (server == null) {
        return Collections.emptySet();
    }
    Set<String> granted = new HashSet<>();
    resourceStore.findByType("Group", server.getId(), resource -> {
        if (hasPermission(resource, null, VIEW_MEMBERS_SCOPE, MANAGE_MEMBERS_SCOPE)) {
            granted.add(resource.getName().substring(RESOURCE_NAME_PREFIX.length()));
        }
    });
    return granted;
}
Also used : ResourceServer(org.keycloak.authorization.model.ResourceServer) HashSet(java.util.HashSet)

Example 2 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class GroupPermissions method hasPermission.

private boolean hasPermission(GroupModel group, EvaluationContext context, String... scopes) {
    ResourceServer server = root.realmResourceServer();
    if (server == null) {
        return false;
    }
    Resource resource = resourceStore.findByName(getGroupResourceName(group), server.getId());
    if (resource == null) {
        return false;
    }
    return hasPermission(resource, context, scopes);
}
Also used : Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 3 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class GroupPermissions method groupResource.

private Resource groupResource(GroupModel group) {
    ResourceServer server = root.realmResourceServer();
    if (server == null)
        return null;
    String groupResourceName = getGroupResourceName(group);
    return resourceStore.findByName(groupResourceName, server.getId());
}
Also used : ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 4 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class MgmtPermissions method initializeRealmDefaultScopes.

public void initializeRealmDefaultScopes() {
    ResourceServer server = initializeRealmResourceServer();
    manageScope = initializeRealmScope(MgmtPermissions.MANAGE_SCOPE);
    viewScope = initializeRealmScope(MgmtPermissions.VIEW_SCOPE);
}
Also used : ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 5 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class UserPermissions method initialize.

private void initialize() {
    root.initializeRealmResourceServer();
    root.initializeRealmDefaultScopes();
    ResourceServer server = root.realmResourceServer();
    Scope manageScope = root.realmManageScope();
    Scope viewScope = root.realmViewScope();
    Scope mapRolesScope = root.initializeRealmScope(MAP_ROLES_SCOPE);
    Scope impersonateScope = root.initializeRealmScope(IMPERSONATE_SCOPE);
    Scope userImpersonatedScope = root.initializeRealmScope(USER_IMPERSONATED_SCOPE);
    Scope manageGroupMembershipScope = root.initializeRealmScope(MANAGE_GROUP_MEMBERSHIP_SCOPE);
    Resource usersResource = resourceStore.findByName(USERS_RESOURCE, server.getId());
    if (usersResource == null) {
        usersResource = resourceStore.create(USERS_RESOURCE, server, server.getId());
        Set<Scope> scopeset = new HashSet<>();
        scopeset.add(manageScope);
        scopeset.add(viewScope);
        scopeset.add(mapRolesScope);
        scopeset.add(impersonateScope);
        scopeset.add(manageGroupMembershipScope);
        scopeset.add(userImpersonatedScope);
        usersResource.updateScopes(scopeset);
    }
    Policy managePermission = policyStore.findByName(MANAGE_PERMISSION_USERS, server.getId());
    if (managePermission == null) {
        Helper.addEmptyScopePermission(authz, server, MANAGE_PERMISSION_USERS, usersResource, manageScope);
    }
    Policy viewPermission = policyStore.findByName(VIEW_PERMISSION_USERS, server.getId());
    if (viewPermission == null) {
        Helper.addEmptyScopePermission(authz, server, VIEW_PERMISSION_USERS, usersResource, viewScope);
    }
    Policy mapRolesPermission = policyStore.findByName(MAP_ROLES_PERMISSION_USERS, server.getId());
    if (mapRolesPermission == null) {
        Helper.addEmptyScopePermission(authz, server, MAP_ROLES_PERMISSION_USERS, usersResource, mapRolesScope);
    }
    Policy membershipPermission = policyStore.findByName(MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS, server.getId());
    if (membershipPermission == null) {
        Helper.addEmptyScopePermission(authz, server, MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS, usersResource, manageGroupMembershipScope);
    }
    Policy impersonatePermission = policyStore.findByName(ADMIN_IMPERSONATING_PERMISSION, server.getId());
    if (impersonatePermission == null) {
        Helper.addEmptyScopePermission(authz, server, ADMIN_IMPERSONATING_PERMISSION, usersResource, impersonateScope);
    }
    impersonatePermission = policyStore.findByName(USER_IMPERSONATED_PERMISSION, server.getId());
    if (impersonatePermission == null) {
        Helper.addEmptyScopePermission(authz, server, USER_IMPERSONATED_PERMISSION, usersResource, userImpersonatedScope);
    }
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer) HashSet(java.util.HashSet)

Aggregations

ResourceServer (org.keycloak.authorization.model.ResourceServer)81 Policy (org.keycloak.authorization.model.Policy)50 Resource (org.keycloak.authorization.model.Resource)40 ClientModel (org.keycloak.models.ClientModel)37 Scope (org.keycloak.authorization.model.Scope)30 AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)26 StoreFactory (org.keycloak.authorization.store.StoreFactory)21 RealmModel (org.keycloak.models.RealmModel)20 UserModel (org.keycloak.models.UserModel)13 HashSet (java.util.HashSet)12 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)11 Map (java.util.Map)10 DefaultEvaluation (org.keycloak.authorization.policy.evaluation.DefaultEvaluation)10 PolicyProvider (org.keycloak.authorization.policy.provider.PolicyProvider)10 List (java.util.List)9 AdminPermissionManagement (org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)9 ArrayList (java.util.ArrayList)8 Collection (java.util.Collection)8 HashMap (java.util.HashMap)8 ResourcePermission (org.keycloak.authorization.permission.ResourcePermission)8