use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.
the class GroupPermissions method getGroupsWithViewPermission.
/**
 * Collects the names of the groups whose members this admin may view.
 *
 * <p>An admin with realm-wide user view/manage rights, an admin from another
 * realm, or a realm without a resource server all yield an empty set; the
 * original treats these cases identically, so callers presumably distinguish
 * "unrestricted" from "nothing granted" by the earlier checks — confirm against
 * callers. Otherwise every resource of type {@code "Group"} is checked for the
 * view-members or manage-members scope.
 *
 * @return the granted group names with {@code RESOURCE_NAME_PREFIX} stripped
 *         (the remainder is presumably the group identifier), never {@code null}
 */
@Override
public Set<String> getGroupsWithViewPermission() {
    // Same short-circuit order as before: realm-wide user rights first, then realm match.
    boolean realmWideUserAccess = root.users().canView() || root.users().canManage();
    if (realmWideUserAccess || !root.isAdminSameRealm()) {
        return Collections.emptySet();
    }
    ResourceServer server = root.realmResourceServer();
    if (server == null) {
        return Collections.emptySet();
    }
    Set<String> viewable = new HashSet<>();
    resourceStore.findByType("Group", server.getId(), res -> {
        boolean permitted = hasPermission(res, null, VIEW_MEMBERS_SCOPE, MANAGE_MEMBERS_SCOPE);
        if (permitted) {
            // Drop the fixed prefix from the resource name.
            String resourceName = res.getName();
            viewable.add(resourceName.substring(RESOURCE_NAME_PREFIX.length()));
        }
    });
    return viewable;
}
use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.
the class GroupPermissions method hasPermission.
/**
 * Resolves the authorization resource registered for {@code group} and delegates
 * the scope check to the {@link Resource}-based overload.
 *
 * @param group   the group whose resource is looked up
 * @param context evaluation context passed through to the overload (may be {@code null})
 * @param scopes  scope names to check
 * @return {@code false} when the realm has no resource server or no resource is
 *         registered for the group; otherwise the result of the resource-level check
 */
private boolean hasPermission(GroupModel group, EvaluationContext context, String... scopes) {
    ResourceServer server = root.realmResourceServer();
    if (server != null) {
        Resource groupRes = resourceStore.findByName(getGroupResourceName(group), server.getId());
        if (groupRes != null) {
            return hasPermission(groupRes, context, scopes);
        }
    }
    // Nothing to evaluate against means nothing could have granted access: deny.
    return false;
}
use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.
the class GroupPermissions method groupResource.
/**
 * Looks up the {@link Resource} registered for {@code group}.
 *
 * @return the resource, or {@code null} when the realm has no resource server or
 *         no resource with the group's resource name exists
 */
private Resource groupResource(GroupModel group) {
    ResourceServer server = root.realmResourceServer();
    return server == null
            ? null
            : resourceStore.findByName(getGroupResourceName(group), server.getId());
}
use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.
the class MgmtPermissions method initializeRealmDefaultScopes.
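/**
 * Initializes the realm resource server and caches the realm-level manage and
 * view scopes in {@code manageScope} / {@code viewScope}.
 */
public void initializeRealmDefaultScopes() {
    // Called for its side effect only (presumably creating the server when absent —
    // confirm in initializeRealmResourceServer); the returned server was an unused local.
    initializeRealmResourceServer();
    manageScope = initializeRealmScope(MgmtPermissions.MANAGE_SCOPE);
    viewScope = initializeRealmScope(MgmtPermissions.VIEW_SCOPE);
}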
use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.
the class UserPermissions method initialize.
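/**
 * Creates the users resource, its scopes and the default user-management
 * permission policies for this realm when they are missing.
 *
 * <p>Creation is triggered only by a {@code null} lookup, so policies that already
 * exist (possibly customised by an admin) are left exactly as they are; this
 * method never resets them.
 *
 * @throws IllegalStateException if no realm resource server is available after
 *         {@code root.initializeRealmResourceServer()} ran
 */
private void initialize() {
    root.initializeRealmResourceServer();
    root.initializeRealmDefaultScopes();
    ResourceServer server = root.realmResourceServer();
    if (server == null) {
        // Fail fast with a clear message rather than an NPE on server.getId() below.
        throw new IllegalStateException("realm resource server is not initialized");
    }
    Scope manageScope = root.realmManageScope();
    Scope viewScope = root.realmViewScope();
    Scope mapRolesScope = root.initializeRealmScope(MAP_ROLES_SCOPE);
    Scope impersonateScope = root.initializeRealmScope(IMPERSONATE_SCOPE);
    Scope userImpersonatedScope = root.initializeRealmScope(USER_IMPERSONATED_SCOPE);
    Scope manageGroupMembershipScope = root.initializeRealmScope(MANAGE_GROUP_MEMBERSHIP_SCOPE);

    Resource usersResource = resourceStore.findByName(USERS_RESOURCE, server.getId());
    if (usersResource == null) {
        usersResource = resourceStore.create(USERS_RESOURCE, server, server.getId());
        // HashSet kept (not Set.of) to preserve the original's tolerance of null elements.
        Set<Scope> scopes = new HashSet<>();
        scopes.add(manageScope);
        scopes.add(viewScope);
        scopes.add(mapRolesScope);
        scopes.add(impersonateScope);
        scopes.add(manageGroupMembershipScope);
        scopes.add(userImpersonatedScope);
        usersResource.updateScopes(scopes);
    }

    // Same policy order as before; each is created only when absent.
    createPermissionIfMissing(server, MANAGE_PERMISSION_USERS, usersResource, manageScope);
    createPermissionIfMissing(server, VIEW_PERMISSION_USERS, usersResource, viewScope);
    createPermissionIfMissing(server, MAP_ROLES_PERMISSION_USERS, usersResource, mapRolesScope);
    createPermissionIfMissing(server, MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS, usersResource, manageGroupMembershipScope);
    createPermissionIfMissing(server, ADMIN_IMPERSONATING_PERMISSION, usersResource, impersonateScope);
    createPermissionIfMissing(server, USER_IMPERSONATED_PERMISSION, usersResource, userImpersonatedScope);
}

/**
 * Adds an empty scope permission named {@code name} on {@code resource} for
 * {@code scope}, unless a policy with that name already exists on {@code server}.
 */
private void createPermissionIfMissing(ResourceServer server, String name, Resource resource, Scope scope) {
    Policy existing = policyStore.findByName(name, server.getId());
    if (existing == null) {
        Helper.addEmptyScopePermission(authz, server, name, resource, scope);
    }
}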