Search in sources :

Example 11 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class ClientPermissions method canConfigure.

@Override
public boolean canConfigure(ClientModel client) {
    if (canManage(client))
        return true;
    if (!root.isAdminSameRealm()) {
        return false;
    }
    ResourceServer server = resourceServer(client);
    if (server == null)
        return false;
    Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());
    if (resource == null)
        return false;
    Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getConfigurePermissionName(client), server.getId());
    if (policy == null) {
        return false;
    }
    Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
    // if no policies attached to permission then just do default behavior
    if (associatedPolicies == null || associatedPolicies.isEmpty()) {
        return false;
    }
    Scope scope = configureScope(server);
    return root.evaluatePermission(resource, server, scope);
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 12 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class ClientPermissions method canMapClientScopeRoles.

@Override
public boolean canMapClientScopeRoles(ClientModel client) {
    ResourceServer server = resourceServer(client);
    if (server == null)
        return false;
    Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());
    if (resource == null)
        return false;
    Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapRolesClientScopePermissionName(client), server.getId());
    if (policy == null) {
        return false;
    }
    Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
    // if no policies attached to permission then just do default behavior
    if (associatedPolicies == null || associatedPolicies.isEmpty()) {
        return false;
    }
    Scope scope = authz.getStoreFactory().getScopeStore().findByName(MAP_ROLES_CLIENT_SCOPE, server.getId());
    return root.evaluatePermission(resource, server, scope);
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 13 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class ClientPermissions method hasView.

private boolean hasView(ClientModel client) {
    if (canView())
        return true;
    if (!root.isAdminSameRealm()) {
        return false;
    }
    ResourceServer server = resourceServer(client);
    if (server == null)
        return false;
    Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());
    if (resource == null)
        return false;
    Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getViewPermissionName(client), server.getId());
    if (policy == null) {
        return false;
    }
    Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
    // if no policies attached to permission then just do default behavior
    if (associatedPolicies == null || associatedPolicies.isEmpty()) {
        return false;
    }
    Scope scope = viewScope(server);
    return root.evaluatePermission(resource, server, scope);
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 14 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class IdentityProviderPermissions method canExchangeTo.

@Override
public boolean canExchangeTo(ClientModel authorizedClient, IdentityProviderModel to) {
    ResourceServer server = root.initializeRealmResourceServer();
    if (server == null) {
        logger.debug("No resource server set up for target idp");
        return false;
    }
    Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(to), server.getId());
    if (resource == null) {
        logger.debug("No resource object set up for target idp");
        return false;
    }
    Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getExchangeToPermissionName(to), server.getId());
    if (policy == null) {
        logger.debug("No permission object set up for target idp");
        return false;
    }
    Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
    // if no policies attached to permission then just do default behavior
    if (associatedPolicies == null || associatedPolicies.isEmpty()) {
        logger.debug("No policies set up for permission on target idp");
        return false;
    }
    Scope scope = exchangeToScope(server);
    if (scope == null) {
        logger.debug(TOKEN_EXCHANGE + " not initialized");
        return false;
    }
    ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient);
    EvaluationContext context = new DefaultEvaluationContext(identity, session) {

        @Override
        public Map<String, Collection<String>> getBaseAttributes() {
            Map<String, Collection<String>> attributes = super.getBaseAttributes();
            attributes.put("kc.client.id", Arrays.asList(authorizedClient.getClientId()));
            return attributes;
        }
    };
    return root.evaluatePermission(resource, server, context, scope);
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext) Resource(org.keycloak.authorization.model.Resource) Collection(java.util.Collection) EvaluationContext(org.keycloak.authorization.policy.evaluation.EvaluationContext) DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext) ResourceServer(org.keycloak.authorization.model.ResourceServer) ClientModelIdentity(org.keycloak.authorization.common.ClientModelIdentity)

Example 15 with ResourceServer

use of org.keycloak.authorization.model.ResourceServer in project keycloak by keycloak.

the class IdentityProviderPermissions method deletePermissions.

private void deletePermissions(IdentityProviderModel idp) {
    ResourceServer server = root.initializeRealmResourceServer();
    if (server == null)
        return;
    deletePolicy(getExchangeToPermissionName(idp), server);
    Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(idp), server.getId());
    ;
    if (resource != null)
        authz.getStoreFactory().getResourceStore().delete(resource.getId());
}
Also used : Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Aggregations

ResourceServer (org.keycloak.authorization.model.ResourceServer)81 Policy (org.keycloak.authorization.model.Policy)50 Resource (org.keycloak.authorization.model.Resource)40 ClientModel (org.keycloak.models.ClientModel)37 Scope (org.keycloak.authorization.model.Scope)30 AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)26 StoreFactory (org.keycloak.authorization.store.StoreFactory)21 RealmModel (org.keycloak.models.RealmModel)20 UserModel (org.keycloak.models.UserModel)13 HashSet (java.util.HashSet)12 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)11 Map (java.util.Map)10 DefaultEvaluation (org.keycloak.authorization.policy.evaluation.DefaultEvaluation)10 PolicyProvider (org.keycloak.authorization.policy.provider.PolicyProvider)10 List (java.util.List)9 AdminPermissionManagement (org.keycloak.services.resources.admin.permissions.AdminPermissionManagement)9 ArrayList (java.util.ArrayList)8 Collection (java.util.Collection)8 HashMap (java.util.HashMap)8 ResourcePermission (org.keycloak.authorization.permission.ResourcePermission)8