Search in sources :

Example 66 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class ClientPermissions method deletePermissions.

private void deletePermissions(ClientModel client) {
    ResourceServer server = resourceServer(client);
    if (server == null)
        return;
    deletePolicy(getManagePermissionName(client), server);
    deletePolicy(getViewPermissionName(client), server);
    deletePolicy(getMapRolesPermissionName(client), server);
    deletePolicy(getMapRolesClientScopePermissionName(client), server);
    deletePolicy(getMapRolesCompositePermissionName(client), server);
    deletePolicy(getConfigurePermissionName(client), server);
    deletePolicy(getExchangeToPermissionName(client), server);
    Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());
    ;
    if (resource != null)
        authz.getStoreFactory().getResourceStore().delete(resource.getId());
}
Also used : Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 67 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class ClientPermissions method canMapRoles.

@Override
public boolean canMapRoles(ClientModel client) {
    ResourceServer server = resourceServer(client);
    if (server == null)
        return false;
    Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());
    if (resource == null)
        return false;
    Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapRolesPermissionName(client), server.getId());
    if (policy == null) {
        return false;
    }
    Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
    // if no policies attached to permission then just do default behavior
    if (associatedPolicies == null || associatedPolicies.isEmpty()) {
        return false;
    }
    Scope scope = mapRolesScope(server);
    return root.evaluatePermission(resource, server, scope);
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 68 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class ClientPermissions method resource.

@Override
public Resource resource(ClientModel client) {
    ResourceServer server = resourceServer(client);
    if (server == null)
        return null;
    Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());
    if (resource == null)
        return null;
    return resource;
}
Also used : Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 69 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class ClientPermissions method initialize.

private void initialize(ClientModel client) {
    ResourceServer server = root.findOrCreateResourceServer(client);
    Scope manageScope = manageScope(server);
    if (manageScope == null) {
        manageScope = authz.getStoreFactory().getScopeStore().create(AdminPermissionManagement.MANAGE_SCOPE, server);
    }
    Scope viewScope = viewScope(server);
    if (viewScope == null) {
        viewScope = authz.getStoreFactory().getScopeStore().create(AdminPermissionManagement.VIEW_SCOPE, server);
    }
    Scope mapRoleScope = mapRolesScope(server);
    if (mapRoleScope == null) {
        mapRoleScope = authz.getStoreFactory().getScopeStore().create(MAP_ROLES_SCOPE, server);
    }
    Scope mapRoleClientScope = root.initializeScope(MAP_ROLES_CLIENT_SCOPE, server);
    Scope mapRoleCompositeScope = root.initializeScope(MAP_ROLES_COMPOSITE_SCOPE, server);
    Scope configureScope = root.initializeScope(CONFIGURE_SCOPE, server);
    Scope exchangeToScope = root.initializeScope(TOKEN_EXCHANGE, server);
    String resourceName = getResourceName(client);
    Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId());
    if (resource == null) {
        resource = authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getId());
        resource.setType("Client");
        Set<Scope> scopeset = new HashSet<>();
        scopeset.add(configureScope);
        scopeset.add(manageScope);
        scopeset.add(viewScope);
        scopeset.add(mapRoleScope);
        scopeset.add(mapRoleClientScope);
        scopeset.add(mapRoleCompositeScope);
        scopeset.add(exchangeToScope);
        resource.updateScopes(scopeset);
    }
    String managePermissionName = getManagePermissionName(client);
    Policy managePermission = authz.getStoreFactory().getPolicyStore().findByName(managePermissionName, server.getId());
    if (managePermission == null) {
        Helper.addEmptyScopePermission(authz, server, managePermissionName, resource, manageScope);
    }
    String configurePermissionName = getConfigurePermissionName(client);
    Policy configurePermission = authz.getStoreFactory().getPolicyStore().findByName(configurePermissionName, server.getId());
    if (configurePermission == null) {
        Helper.addEmptyScopePermission(authz, server, configurePermissionName, resource, configureScope);
    }
    String viewPermissionName = getViewPermissionName(client);
    Policy viewPermission = authz.getStoreFactory().getPolicyStore().findByName(viewPermissionName, server.getId());
    if (viewPermission == null) {
        Helper.addEmptyScopePermission(authz, server, viewPermissionName, resource, viewScope);
    }
    String mapRolePermissionName = getMapRolesPermissionName(client);
    Policy mapRolePermission = authz.getStoreFactory().getPolicyStore().findByName(mapRolePermissionName, server.getId());
    if (mapRolePermission == null) {
        Helper.addEmptyScopePermission(authz, server, mapRolePermissionName, resource, mapRoleScope);
    }
    String mapRoleClientScopePermissionName = getMapRolesClientScopePermissionName(client);
    Policy mapRoleClientScopePermission = authz.getStoreFactory().getPolicyStore().findByName(mapRoleClientScopePermissionName, server.getId());
    if (mapRoleClientScopePermission == null) {
        Helper.addEmptyScopePermission(authz, server, mapRoleClientScopePermissionName, resource, mapRoleClientScope);
    }
    String mapRoleCompositePermissionName = getMapRolesCompositePermissionName(client);
    Policy mapRoleCompositePermission = authz.getStoreFactory().getPolicyStore().findByName(mapRoleCompositePermissionName, server.getId());
    if (mapRoleCompositePermission == null) {
        Helper.addEmptyScopePermission(authz, server, mapRoleCompositePermissionName, resource, mapRoleCompositeScope);
    }
    String exchangeToPermissionName = getExchangeToPermissionName(client);
    Policy exchangeToPermission = authz.getStoreFactory().getPolicyStore().findByName(exchangeToPermissionName, server.getId());
    if (exchangeToPermission == null) {
        Helper.addEmptyScopePermission(authz, server, exchangeToPermissionName, resource, exchangeToScope);
    }
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer) HashSet(java.util.HashSet)

Example 70 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class ClientPermissions method canManage.

@Override
public boolean canManage(ClientModel client) {
    if (canManageClientsDefault())
        return true;
    if (!root.isAdminSameRealm()) {
        return false;
    }
    ResourceServer server = resourceServer(client);
    if (server == null)
        return false;
    Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());
    if (resource == null)
        return false;
    Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getManagePermissionName(client), server.getId());
    if (policy == null) {
        return false;
    }
    Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
    // if no policies attached to permission then just do default behavior
    if (associatedPolicies == null || associatedPolicies.isEmpty()) {
        return false;
    }
    Scope scope = manageScope(server);
    return root.evaluatePermission(resource, server, scope);
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Aggregations

ResourceServer (org.keycloak.authorization.model.ResourceServer)81 Policy (org.keycloak.authorization.model.Policy)50 Resource (org.keycloak.authorization.model.Resource)40 ClientModel (org.keycloak.models.ClientModel)37 Scope (org.keycloak.authorization.model.Scope)30 AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)26 StoreFactory (org.keycloak.authorization.store.StoreFactory)21 RealmModel (org.keycloak.models.RealmModel)20 UserModel (org.keycloak.models.UserModel)13 HashSet (java.util.HashSet)12 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)11 Map (java.util.Map)10 DefaultEvaluation (org.keycloak.authorization.policy.evaluation.DefaultEvaluation)10 PolicyProvider (org.keycloak.authorization.policy.provider.PolicyProvider)10 List (java.util.List)9 AdminPermissionManagement (org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)9 ArrayList (java.util.ArrayList)8 Collection (java.util.Collection)8 HashMap (java.util.HashMap)8 ResourcePermission (org.keycloak.authorization.permission.ResourcePermission)8