
Example 46 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class DecisionPermissionCollector method grantPermission.

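/**
 * Records the granted scopes of one evaluated permission into {@code permissions}.
 *
 * <p>When the permission targets a concrete resource, a single {@link Permission} is added for
 * it. When it is scope-only (no resource) and at least one scope was granted, every resource of
 * the server that carries one of those scopes gets its own entry, followed by a resource-less
 * entry holding just the scope names.
 *
 * @param authorizationProvider provider used to reach the resource store
 * @param permissions target collection the created permissions are added to
 * @param permission the evaluated permission (supplies the resource and the claims)
 * @param grantedScopes scopes granted by the decision; may be empty
 * @param resourceServer resource server whose resources are searched by scope
 * @param request original authorization request, forwarded to {@code createPermission}
 * @param result evaluation result; not consulted here (kept for subclass overrides)
 */
protected void grantPermission(AuthorizationProvider authorizationProvider, Set<Permission> permissions, ResourcePermission permission, Collection<Scope> grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result) {
    Set<String> scopeNames = grantedScopes.stream().map(Scope::getName).collect(Collectors.toSet());
    Resource resource = permission.getResource();
    if (resource != null) {
        permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request));
        return;
    }
    if (grantedScopes.isEmpty()) {
        return;
    }
    ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore();
    List<String> scopeIds = grantedScopes.stream().map(Scope::getId).collect(Collectors.toList());
    // Use the resource handed to the callback. On this path the local `resource` is null, so
    // passing it (as the previous version did) produced a resource-less entry for every match
    // instead of one entry per matching resource.
    resourceStore.findByScope(scopeIds, resourceServer.getId(), matched -> permissions.add(createPermission(matched, scopeNames, permission.getClaims(), request)));
    permissions.add(createPermission(null, scopeNames, permission.getClaims(), request));
}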
Also used : ResourceServer(org.keycloak.authorization.model.ResourceServer) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission) Scope(org.keycloak.authorization.model.Scope) Permission(org.keycloak.representations.idm.authorization.Permission) Collection(java.util.Collection) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) Set(java.util.Set) DecisionStrategy(org.keycloak.representations.idm.authorization.DecisionStrategy) ResourceStore(org.keycloak.authorization.store.ResourceStore) Collectors(java.util.stream.Collectors) ArrayList(java.util.ArrayList) HashSet(java.util.HashSet) Policy(org.keycloak.authorization.model.Policy) List(java.util.List) Map(java.util.Map) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) LinkedHashSet(java.util.LinkedHashSet) Resource(org.keycloak.authorization.model.Resource) Resource(org.keycloak.authorization.model.Resource) ResourceStore(org.keycloak.authorization.store.ResourceStore)

Example 47 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class AuthorizationProvider method createPolicyWrapper.

/**
 * Wraps the policy store so that creation resolves resource, scope and policy references
 * (given by id or by name) to ids before persisting, and deletion cascades to the associated
 * policies this policy owns and to dependent policies that would otherwise be left with no
 * associations. All other operations are forwarded to the underlying store unchanged.
 *
 * @param storeFactory factory the underlying {@link PolicyStore} is taken from
 * @return a {@link PolicyStore} delegating to {@code storeFactory.getPolicyStore()}
 */
private PolicyStore createPolicyWrapper(StoreFactory storeFactory) {
    return new PolicyStore() {

        PolicyStore policyStore = storeFactory.getPolicyStore();

        /**
         * Normalizes the representation's resource, scope and policy references to ids (each
         * may be given as an id or a name, looked up within {@code resourceServer}), creates the
         * policy in the underlying store and maps the representation onto the new model.
         *
         * @throws RuntimeException if a referenced resource, scope or policy is found neither
         *         by id nor by name within {@code resourceServer}
         */
        @Override
        public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) {
            Set<String> resources = representation.getResources();
            if (resources != null) {
                representation.setResources(resources.stream().map(id -> {
                    // Try the value as an id first, then as a name; both lookups are scoped to
                    // this resource server, so a resource of another server is rejected.
                    Resource resource = storeFactory.getResourceStore().findById(id, resourceServer.getId());
                    if (resource == null) {
                        resource = storeFactory.getResourceStore().findByName(id, resourceServer.getId());
                    }
                    if (resource == null) {
                        throw new RuntimeException("Resource [" + id + "] does not exist or is not owned by the resource server.");
                    }
                    return resource.getId();
                }).collect(Collectors.toSet()));
            }
            Set<String> scopes = representation.getScopes();
            if (scopes != null) {
                representation.setScopes(scopes.stream().map(id -> {
                    // Same id-then-name resolution as for resources.
                    Scope scope = storeFactory.getScopeStore().findById(id, resourceServer.getId());
                    if (scope == null) {
                        scope = storeFactory.getScopeStore().findByName(id, resourceServer.getId());
                    }
                    if (scope == null) {
                        throw new RuntimeException("Scope [" + id + "] does not exist");
                    }
                    return scope.getId();
                }).collect(Collectors.toSet()));
            }
            Set<String> policies = representation.getPolicies();
            if (policies != null) {
                representation.setPolicies(policies.stream().map(id -> {
                    // Same id-then-name resolution for the policies this one will reference.
                    Policy policy = storeFactory.getPolicyStore().findById(id, resourceServer.getId());
                    if (policy == null) {
                        policy = storeFactory.getPolicyStore().findByName(id, resourceServer.getId());
                    }
                    if (policy == null) {
                        throw new RuntimeException("Policy [" + id + "] does not exist");
                    }
                    return policy.getId();
                }).collect(Collectors.toSet()));
            }
            // The representation now holds ids only; the underlying store persists it and the
            // remaining fields are applied to the model afterwards.
            return RepresentationToModel.toModel(representation, AuthorizationProvider.this, policyStore.create(representation, resourceServer));
        }

        /**
         * Deletes the policy with the given id and cleans up what refers to it. An id that does
         * not resolve to a policy is ignored.
         */
        @Override
        public void delete(String id) {
            // NOTE(review): the lookup passes a null resource-server id, i.e. it is not scoped to
            // a server — confirm that callers always pass a globally unique policy id.
            Policy policy = findById(id, null);
            if (policy != null) {
                ResourceServer resourceServer = policy.getResourceServer();
                // If this is a UMA policy (owned by a user), also remove the associated policies
                // that were created for it.
                if (policy.getOwner() != null) {
                    // NOTE(review): associations are removed while the association collection is
                    // being iterated; this assumes getAssociatedPolicies() hands out a copy — confirm.
                    for (Policy associatedPolicy : policy.getAssociatedPolicies()) {
                        // Only remove associated policies that are themselves owned (created from
                        // the policy being deleted), never shared ones.
                        if (associatedPolicy.getOwner() != null) {
                            policy.removeAssociatedPolicy(associatedPolicy);
                            policyStore.delete(associatedPolicy.getId());
                        }
                    }
                }
                // Detach this policy from every policy that references it; a dependent left with
                // no associations is deleted through this wrapper, so the cascade recurses.
                findDependentPolicies(policy.getId(), resourceServer.getId()).forEach(dependentPolicy -> {
                    dependentPolicy.removeAssociatedPolicy(policy);
                    if (dependentPolicy.getAssociatedPolicies().isEmpty()) {
                        delete(dependentPolicy.getId());
                    }
                });
                policyStore.delete(id);
            }
        }

        @Override
        public Policy findById(String id, String resourceServerId) {
            return policyStore.findById(id, resourceServerId);
        }

        @Override
        public Policy findByName(String name, String resourceServerId) {
            return policyStore.findByName(name, resourceServerId);
        }

        @Override
        public List<Policy> findByResourceServer(String resourceServerId) {
            return policyStore.findByResourceServer(resourceServerId);
        }

        @Override
        public List<Policy> findByResourceServer(Map<Policy.FilterOption, String[]> attributes, String resourceServerId, int firstResult, int maxResult) {
            return policyStore.findByResourceServer(attributes, resourceServerId, firstResult, maxResult);
        }

        @Override
        public List<Policy> findByResource(String resourceId, String resourceServerId) {
            return policyStore.findByResource(resourceId, resourceServerId);
        }

        @Override
        public void findByResource(String resourceId, String resourceServerId, Consumer<Policy> consumer) {
            policyStore.findByResource(resourceId, resourceServerId, consumer);
        }

        @Override
        public List<Policy> findByResourceType(String resourceType, String resourceServerId) {
            return policyStore.findByResourceType(resourceType, resourceServerId);
        }

        @Override
        public List<Policy> findByScopeIds(List<String> scopeIds, String resourceServerId) {
            return policyStore.findByScopeIds(scopeIds, resourceServerId);
        }

        @Override
        public List<Policy> findByScopeIds(List<String> scopeIds, String resourceId, String resourceServerId) {
            return policyStore.findByScopeIds(scopeIds, resourceId, resourceServerId);
        }

        @Override
        public void findByScopeIds(List<String> scopeIds, String resourceId, String resourceServerId, Consumer<Policy> consumer) {
            policyStore.findByScopeIds(scopeIds, resourceId, resourceServerId, consumer);
        }

        @Override
        public List<Policy> findByType(String type, String resourceServerId) {
            return policyStore.findByType(type, resourceServerId);
        }

        @Override
        public List<Policy> findDependentPolicies(String id, String resourceServerId) {
            return policyStore.findDependentPolicies(id, resourceServerId);
        }

        // The second argument is forwarded as-is; by analogy with the other finders it is
        // presumably the resource-server id — confirm against the PolicyStore interface.
        @Override
        public void findByResourceType(String type, String id, Consumer<Policy> policyConsumer) {
            policyStore.findByResourceType(type, id, policyConsumer);
        }
    };
}
Also used : AbstractPolicyRepresentation(org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation) Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) Consumer(java.util.function.Consumer) Resource(org.keycloak.authorization.model.Resource) PolicyStore(org.keycloak.authorization.store.PolicyStore) List(java.util.List) ResourceServer(org.keycloak.authorization.model.ResourceServer) Map(java.util.Map)

Example 48 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class AuthorizationProvider method createScopeWrapper.

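/**
 * Wraps the scope store so that deleting a scope also removes the permission tickets that refer
 * to it; every other operation is forwarded to the underlying store unchanged.
 *
 * @param storeFactory factory the underlying {@link ScopeStore} is taken from
 * @return a {@link ScopeStore} delegating to {@code storeFactory.getScopeStore()}
 */
private ScopeStore createScopeWrapper(StoreFactory storeFactory) {
    return new ScopeStore() {

        ScopeStore delegate = storeFactory.getScopeStore();

        @Override
        public Scope create(String name, ResourceServer resourceServer) {
            return delegate.create(name, resourceServer);
        }

        @Override
        public Scope create(String id, String name, ResourceServer resourceServer) {
            return delegate.create(id, name, resourceServer);
        }

        /**
         * Deletes the scope with the given id together with the permission tickets bound to it.
         *
         * <p>An id that does not resolve to a scope is a no-op, matching the policy-store
         * wrapper's {@code delete}; previously the missing scope was dereferenced and the call
         * failed with a {@link NullPointerException}.
         */
        @Override
        public void delete(String id) {
            Scope scope = findById(id, null);
            if (scope == null) {
                return;
            }
            PermissionTicketStore ticketStore = AuthorizationProvider.this.getStoreFactory().getPermissionTicketStore();
            // Tickets reference the scope, so they are removed before the scope itself.
            for (PermissionTicket ticket : ticketStore.findByScope(id, scope.getResourceServer().getId())) {
                ticketStore.delete(ticket.getId());
            }
            delegate.delete(id);
        }

        @Override
        public Scope findById(String id, String resourceServerId) {
            return delegate.findById(id, resourceServerId);
        }

        @Override
        public Scope findByName(String name, String resourceServerId) {
            return delegate.findByName(name, resourceServerId);
        }

        @Override
        public List<Scope> findByResourceServer(String id) {
            return delegate.findByResourceServer(id);
        }

        @Override
        public List<Scope> findByResourceServer(Map<Scope.FilterOption, String[]> attributes, String resourceServerId, int firstResult, int maxResult) {
            return delegate.findByResourceServer(attributes, resourceServerId, firstResult, maxResult);
        }
    };
}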
Also used : PermissionTicket(org.keycloak.authorization.model.PermissionTicket) Scope(org.keycloak.authorization.model.Scope) PermissionTicketStore(org.keycloak.authorization.store.PermissionTicketStore) ScopeStore(org.keycloak.authorization.store.ScopeStore) ResourceServer(org.keycloak.authorization.model.ResourceServer) Map(java.util.Map)

Example 49 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class ClientApplicationSynchronizer method removeFromClientPolicies.

/**
 * Cleans up authorization data that references a client being removed: drops the resource
 * server registered for the client (if any) and takes the client out of every client-type
 * policy, deleting policies whose client list becomes empty and updating the rest.
 *
 * @param event removal event carrying the client
 * @param authorizationProvider provider giving access to the stores and policy factories
 */
private void removeFromClientPolicies(ClientRemovedEvent event, AuthorizationProvider authorizationProvider) {
    StoreFactory storeFactory = authorizationProvider.getStoreFactory();
    ResourceServerStore resourceServerStore = storeFactory.getResourceServerStore();
    // A client may have a resource server of its own; that goes first.
    if (resourceServerStore.findByClient(event.getClient()) != null) {
        storeFactory.getResourceServerStore().delete(event.getClient());
    }
    String clientId = event.getClient().getId();
    // Policies of type "client" whose config names this client, searched with a null
    // resource-server id and the ANY_OWNER filter and without paging (-1, -1).
    Map<Policy.FilterOption, String[]> filter = new EnumMap<>(Policy.FilterOption.class);
    filter.put(Policy.FilterOption.TYPE, new String[] { "client" });
    filter.put(Policy.FilterOption.CONFIG, new String[] { "clients", clientId });
    filter.put(Policy.FilterOption.ANY_OWNER, Policy.FilterOption.EMPTY_FILTER);
    for (Policy policy : storeFactory.getPolicyStore().findByResourceServer(filter, null, -1, -1)) {
        PolicyProviderFactory factory = authorizationProvider.getProviderFactory(policy.getType());
        ClientPolicyRepresentation representation = ClientPolicyRepresentation.class.cast(factory.toRepresentation(policy, authorizationProvider));
        // NOTE(review): assumes getClients() never returns null for a client-type policy — confirm.
        Set<String> remainingClients = representation.getClients();
        remainingClients.remove(clientId);
        if (remainingClients.isEmpty()) {
            // The policy no longer names any client, so it is removed rather than updated.
            factory.onRemove(policy, authorizationProvider);
            authorizationProvider.getStoreFactory().getPolicyStore().delete(policy.getId());
        } else {
            factory.onUpdate(policy, representation, authorizationProvider);
        }
    }
}
Also used : Policy(org.keycloak.authorization.model.Policy) ClientPolicyRepresentation(org.keycloak.representations.idm.authorization.ClientPolicyRepresentation) ResourceServerStore(org.keycloak.authorization.store.ResourceServerStore) PolicyProviderFactory(org.keycloak.authorization.policy.provider.PolicyProviderFactory) StoreFactory(org.keycloak.authorization.store.StoreFactory) ResourceServer(org.keycloak.authorization.model.ResourceServer) EnumMap(java.util.EnumMap)

Example 50 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class DefaultPolicyEvaluator method evaluate.

/**
 * Evaluates every policy that applies to {@code permission} and reports the outcome through
 * {@code decision}.
 *
 * <p>A resource server in {@code DISABLED} enforcement mode, or a permission already marked as
 * granted, is granted without consulting any policy. Otherwise policies are collected by
 * resource, by resource type (and, when the resource is not owned by the server itself, from
 * every resource of that type) and by scope. When no policy was evaluated, the permission is
 * granted only in {@code PERMISSIVE} mode.
 *
 * @param permission the resource/scope combination being evaluated
 * @param authorizationProvider provider giving access to the policy and resource stores
 * @param executionContext evaluation context forwarded to the policy evaluator
 * @param decision callback receiving the evaluation outcome
 * @param decisionCache per-policy cache forwarded to the policy evaluator
 */
@Override
public void evaluate(ResourcePermission permission, AuthorizationProvider authorizationProvider, EvaluationContext executionContext, Decision decision, Map<Policy, Map<Object, Decision.Effect>> decisionCache) {
    StoreFactory stores = authorizationProvider.getStoreFactory();
    PolicyStore policies = stores.getPolicyStore();
    ResourceStore resources = stores.getResourceStore();
    ResourceServer server = permission.getResourceServer();
    PolicyEnforcementMode mode = server.getPolicyEnforcementMode();
    // DISABLED enforcement and pre-granted permissions short-circuit the whole evaluation.
    if (PolicyEnforcementMode.DISABLED.equals(mode) || permission.isGranted()) {
        grantAndComplete(permission, authorizationProvider, executionContext, decision);
        return;
    }
    AtomicBoolean anyPolicyEvaluated = new AtomicBoolean();
    Consumer<Policy> evaluator = createPolicyEvaluator(permission, authorizationProvider, executionContext, decision, anyPolicyEvaluated, decisionCache);
    String serverId = server.getId();
    Resource resource = permission.getResource();
    if (resource != null) {
        policies.findByResource(resource.getId(), serverId, evaluator);
        String type = resource.getType();
        if (type != null) {
            policies.findByResourceType(type, serverId, evaluator);
            // A resource not owned by the server itself also picks up the policies attached to
            // every resource of the same type.
            if (!resource.getOwner().equals(serverId)) {
                resources.findByType(type, serverId).forEach(typed -> policies.findByResource(typed.getId(), serverId, evaluator));
            }
        }
    }
    Collection<Scope> requestedScopes = permission.getScopes();
    if (!requestedScopes.isEmpty()) {
        policies.findByScopeIds(requestedScopes.stream().map(Scope::getId).collect(Collectors.toList()), null, serverId, evaluator);
    }
    if (anyPolicyEvaluated.get()) {
        decision.onComplete(permission);
    } else if (PolicyEnforcementMode.PERMISSIVE.equals(mode)) {
        // No policy applied: PERMISSIVE grants; in any other mode nothing further is reported here.
        grantAndComplete(permission, authorizationProvider, executionContext, decision);
    }
}
Also used : Policy(org.keycloak.authorization.model.Policy) AtomicBoolean(java.util.concurrent.atomic.AtomicBoolean) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) PolicyStore(org.keycloak.authorization.store.PolicyStore) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) ResourceServer(org.keycloak.authorization.model.ResourceServer) PolicyEnforcementMode(org.keycloak.representations.idm.authorization.PolicyEnforcementMode)
