
Example 51 with Scope

use of org.keycloak.authorization.model.Scope in project keycloak by keycloak.

the class PolicyService method findAll.

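@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public Response findAll(@QueryParam("policyId") String id, @QueryParam("name") String name, @QueryParam("type") String type, @QueryParam("resource") String resource, @QueryParam("scope") String scope, @QueryParam("permission") Boolean permission, @QueryParam("owner") String owner, @QueryParam("fields") String fields, @QueryParam("first") Integer firstResult, @QueryParam("max") Integer maxResult) {
    // Lists the policies of this resource server, optionally filtered by id, name, type,
    // owner, resource, scope and the permission flag. Blank query parameters are ignored.
    //
    // NOTE(review): the admin "view authorization" check is skipped whenever `auth` is
    // null. Presumably a null evaluator is only injected on a path where the caller has
    // already been authorised for this resource server — confirm against every place
    // that constructs this service before relying on it; a null `auth` here must never
    // mean "unauthenticated".
    if (auth != null) {
        this.auth.realm().requireViewAuthorization();
    }
    Map<Policy.FilterOption, String[]> search = new EnumMap<>(Policy.FilterOption.class);
    putIfPresent(search, Policy.FilterOption.ID, id);
    putIfPresent(search, Policy.FilterOption.NAME, name);
    putIfPresent(search, Policy.FilterOption.TYPE, type);
    putIfPresent(search, Policy.FilterOption.OWNER, owner);
    StoreFactory storeFactory = authorization.getStoreFactory();
    if (hasText(resource)) {
        String[] resourceIds = resolveResourceIds(storeFactory.getResourceStore(), resource, owner);
        if (resourceIds.length == 0) {
            // A resource filter that matches nothing cannot match any policy either.
            return Response.noContent().build();
        }
        search.put(Policy.FilterOption.RESOURCE_ID, resourceIds);
    }
    if (hasText(scope)) {
        String[] scopeIds = resolveScopeIds(storeFactory.getScopeStore(), scope);
        if (scopeIds.length == 0) {
            return Response.noContent().build();
        }
        search.put(Policy.FilterOption.SCOPE_ID, scopeIds);
    }
    if (permission != null) {
        search.put(Policy.FilterOption.PERMISSION, new String[] { permission.toString() });
    }
    // NOTE(review): firstResult/maxResult are passed through unchecked; whether an
    // absent or very large `max` is capped is decided in doSearch (not visible here).
    return Response.ok(doSearch(firstResult, maxResult, fields, search)).build();
}

// True when the query parameter was supplied and is not blank after trimming.
private static boolean hasText(String value) {
    return value != null && !"".equals(value.trim());
}

// Adds a single-valued filter only when the parameter carries text.
private static void putIfPresent(Map<Policy.FilterOption, String[]> search, Policy.FilterOption option, String value) {
    if (hasText(value)) {
        search.put(option, new String[] { value });
    }
}

// Resolves the `resource` query parameter to resource ids within this resource server.
// The value is first treated as an id; if no such resource exists it is looked up by
// name (and by owner when one was supplied). Only the first name match is considered
// (first = -1, max = 1), as in the original implementation.
// Returns an empty array when nothing matches.
private String[] resolveResourceIds(ResourceStore resourceStore, String resource, String owner) {
    Resource byId = resourceStore.findById(resource, resourceServer.getId());
    if (byId != null) {
        return new String[] { byId.getId() };
    }
    Map<Resource.FilterOption, String[]> resourceFilters = new EnumMap<>(Resource.FilterOption.class);
    resourceFilters.put(Resource.FilterOption.NAME, new String[] { resource });
    // Fix: use the same blank-check as the policy OWNER filter so a whitespace-only
    // owner does not silently turn into a filter that matches nothing.
    if (hasText(owner)) {
        resourceFilters.put(Resource.FilterOption.OWNER, new String[] { owner });
    }
    Set<String> ids = resourceStore.findByResourceServer(resourceFilters, resourceServer.getId(), -1, 1).stream().map(Resource::getId).collect(Collectors.toSet());
    return ids.toArray(new String[ids.size()]);
}

// Resolves the `scope` query parameter to scope ids within this resource server,
// by id first and then by name (first match only). Returns an empty array when
// nothing matches.
private String[] resolveScopeIds(ScopeStore scopeStore, String scope) {
    Scope byId = scopeStore.findById(scope, resourceServer.getId());
    if (byId != null) {
        return new String[] { byId.getId() };
    }
    Map<Scope.FilterOption, String[]> scopeFilters = new EnumMap<>(Scope.FilterOption.class);
    scopeFilters.put(Scope.FilterOption.NAME, new String[] { scope });
    Set<String> ids = scopeStore.findByResourceServer(scopeFilters, resourceServer.getId(), -1, 1).stream().map(Scope::getId).collect(Collectors.toSet());
    return ids.toArray(new String[ids.size()]);
}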
Also used : Policy(org.keycloak.authorization.model.Policy) Resource(org.keycloak.authorization.model.Resource) ScopeStore(org.keycloak.authorization.store.ScopeStore) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) Scope(org.keycloak.authorization.model.Scope) EnumMap(java.util.EnumMap) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) NoCache(org.jboss.resteasy.annotations.cache.NoCache)

Example 52 with Scope

use of org.keycloak.authorization.model.Scope in project keycloak by keycloak.

the class PolicyEvaluationTest method testCachedDecisionsWithNegativePolicies.

/**
 * Checks that a NEGATIVE-logic policy whose script calls {@code $evaluation.grant()}
 * results in a deny for every scope permission that references it: both the "read"
 * and the "write" permission share the single negated policy, and evaluating a
 * request for both scopes on one resource must yield no granted permission at all.
 * The method name suggests the second evaluation exercises a cached decision for the
 * shared policy; that caching is not visible in this method.
 */
public static void testCachedDecisionsWithNegativePolicies(KeycloakSession session) {
    session.getContext().setRealm(session.realms().getRealmByName("authz-test"));
    AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
    ClientModel clientModel = session.clients().getClientByClientId(session.getContext().getRealm(), "resource-server-test");
    StoreFactory storeFactory = authorization.getStoreFactory();
    ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(clientModel);
    Scope readScope = storeFactory.getScopeStore().create("read", resourceServer);
    Scope writeScope = storeFactory.getScopeStore().create("write", resourceServer);

    // The only policy: its script always grants, but NEGATIVE logic flips that to deny.
    JSPolicyRepresentation negatedGrant = new JSPolicyRepresentation();
    negatedGrant.setName(KeycloakModelUtils.generateId());
    negatedGrant.setCode("$evaluation.grant()");
    negatedGrant.setLogic(Logic.NEGATIVE);
    storeFactory.getPolicyStore().create(negatedGrant, resourceServer);

    createScopePermission(storeFactory, resourceServer, readScope, negatedGrant.getName());
    createScopePermission(storeFactory, resourceServer, writeScope, negatedGrant.getName());

    Resource resource = storeFactory.getResourceStore().create(KeycloakModelUtils.generateId(), resourceServer, resourceServer.getId());
    ResourcePermission requested = new ResourcePermission(resource, Arrays.asList(readScope, writeScope), resourceServer);
    PermissionEvaluator evaluator = authorization.evaluators().from(Arrays.asList(requested), createEvaluationContext(session, Collections.emptyMap()));
    Collection<Permission> granted = evaluator.evaluate(resourceServer, null);
    // Every requested scope is governed by the negated policy, so nothing may be granted.
    Assert.assertEquals(0, granted.size());
}

/** Creates a scope-based permission, with a generated name, for one scope and one policy. */
private static void createScopePermission(StoreFactory storeFactory, ResourceServer resourceServer, Scope scope, String policyName) {
    ScopePermissionRepresentation permission = new ScopePermissionRepresentation();
    permission.setName(KeycloakModelUtils.generateId());
    permission.addScope(scope.getId());
    permission.addPolicy(policyName);
    storeFactory.getPolicyStore().create(permission, resourceServer);
}
Also used : ClientModel(org.keycloak.models.ClientModel) PermissionEvaluator(org.keycloak.authorization.permission.evaluator.PermissionEvaluator) Scope(org.keycloak.authorization.model.Scope) JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) Resource(org.keycloak.authorization.model.Resource) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission) Permission(org.keycloak.representations.idm.authorization.Permission) StoreFactory(org.keycloak.authorization.store.StoreFactory) ResourceServer(org.keycloak.authorization.model.ResourceServer) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission) ScopePermissionRepresentation(org.keycloak.representations.idm.authorization.ScopePermissionRepresentation)

Example 53 with Scope

use of org.keycloak.authorization.model.Scope in project keycloak by keycloak.

the class GroupPermissions method initialize.

/**
 * Makes sure the fine-grained admin-permission objects for {@code group} exist in the
 * realm's resource server: the group's resource (carrying the manage, view,
 * view-members, manage-membership and manage-members scopes) and one scope permission
 * per scope. Existing objects are left untouched, so this is safe to call repeatedly.
 * <p>
 * The permissions are created via {@code Helper.addEmptyScopePermission}; judging by
 * the name they start without any attached policy. What an empty permission means at
 * evaluation time is decided elsewhere (see the {@code canMap*} checks, which treat
 * "no policies attached" as "fall back to default behavior").
 */
private void initialize(GroupModel group) {
    root.initializeRealmResourceServer();
    root.initializeRealmDefaultScopes();
    ResourceServer server = root.realmResourceServer();
    Scope manageScope = root.realmManageScope();
    Scope viewScope = root.realmViewScope();
    Scope manageMembersScope = root.initializeRealmScope(MANAGE_MEMBERS_SCOPE);
    Scope viewMembersScope = root.initializeRealmScope(VIEW_MEMBERS_SCOPE);
    Scope manageMembershipScope = root.initializeRealmScope(MANAGE_MEMBERSHIP_SCOPE);

    String groupResourceName = getGroupResourceName(group);
    Resource groupResource = resourceStore.findByName(groupResourceName, server.getId());
    if (groupResource == null) {
        groupResource = resourceStore.create(groupResourceName, server, server.getId());
        Set<Scope> groupScopes = new HashSet<>();
        groupScopes.add(manageScope);
        groupScopes.add(viewScope);
        groupScopes.add(viewMembersScope);
        groupScopes.add(manageMembershipScope);
        groupScopes.add(manageMembersScope);
        groupResource.updateScopes(groupScopes);
        groupResource.setType("Group");
    }

    // One permission per scope, created only when missing; order matches the original.
    ensureScopePermission(server, getManagePermissionGroup(group), groupResource, manageScope);
    ensureScopePermission(server, getViewPermissionGroup(group), groupResource, viewScope);
    ensureScopePermission(server, getManageMembersPermissionGroup(group), groupResource, manageMembersScope);
    ensureScopePermission(server, getViewMembersPermissionGroup(group), groupResource, viewMembersScope);
    ensureScopePermission(server, getManageMembershipPermissionGroup(group), groupResource, manageMembershipScope);
}

/** Creates the named empty scope permission for {@code resource}/{@code scope} unless it already exists. */
private void ensureScopePermission(ResourceServer server, String permissionName, Resource resource, Scope scope) {
    Policy existing = policyStore.findByName(permissionName, server.getId());
    if (existing == null) {
        Helper.addEmptyScopePermission(authz, server, permissionName, resource, scope);
    }
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer) HashSet(java.util.HashSet)

Example 54 with Scope

use of org.keycloak.authorization.model.Scope in project keycloak by keycloak.

the class ClientPermissions method canMapCompositeRoles.

/**
 * Decides, via fine-grained admin permissions, whether the current admin may add
 * composite roles to {@code client}'s roles.
 * <p>
 * Returns {@code false} — meaning "not granted by a fine-grained permission" — when the
 * client has no resource server, no client resource, no map-roles-composite permission,
 * or a permission with no policies attached. Only when a policy is attached is the
 * permission actually evaluated. How a {@code false} here combines with the
 * role-based admin checks is decided by the caller, not visible in this method.
 * <p>
 * NOTE(review): the scope is looked up by name just before evaluation and is not
 * null-checked; how {@code evaluatePermission} treats a missing scope is not visible here.
 */
@Override
public boolean canMapCompositeRoles(ClientModel client) {
    ResourceServer server = resourceServer(client);
    if (server == null) {
        return false;
    }
    Resource clientResource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());
    if (clientResource == null) {
        return false;
    }
    Policy mapCompositePermission = authz.getStoreFactory().getPolicyStore().findByName(getMapRolesCompositePermissionName(client), server.getId());
    if (mapCompositePermission == null) {
        return false;
    }
    Set<Policy> attached = mapCompositePermission.getAssociatedPolicies();
    boolean hasPolicies = attached != null && !attached.isEmpty();
    // No attached policies: nothing to evaluate, leave it to the default behavior.
    // Otherwise the scope lookup and the evaluation only happen when needed.
    return hasPolicies
            && root.evaluatePermission(clientResource, server,
                    authz.getStoreFactory().getScopeStore().findByName(MAP_ROLES_COMPOSITE_SCOPE, server.getId()));
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 55 with Scope

use of org.keycloak.authorization.model.Scope in project keycloak by keycloak.

the class ClientPermissions method canMapRoles.

/**
 * Decides, via fine-grained admin permissions, whether the current admin may map
 * {@code client}'s roles.
 * <p>
 * Returns {@code false} — meaning "not granted by a fine-grained permission" — when the
 * client has no resource server, no client resource, no map-roles permission, or a
 * permission with no policies attached. Only when at least one policy is attached is
 * the permission evaluated against the map-roles scope. The caller decides how this
 * result combines with the regular role-based admin checks.
 */
@Override
public boolean canMapRoles(ClientModel client) {
    ResourceServer server = resourceServer(client);
    if (server == null) {
        return false;
    }
    Resource clientResource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());
    if (clientResource == null) {
        return false;
    }
    Policy mapRolesPermission = authz.getStoreFactory().getPolicyStore().findByName(getMapRolesPermissionName(client), server.getId());
    if (mapRolesPermission == null) {
        return false;
    }
    Set<Policy> attached = mapRolesPermission.getAssociatedPolicies();
    boolean hasPolicies = attached != null && !attached.isEmpty();
    // No attached policies: nothing to evaluate, leave it to the default behavior.
    // The scope is resolved only when an evaluation will actually take place.
    return hasPolicies && root.evaluatePermission(clientResource, server, mapRolesScope(server));
}
Also used : Policy(org.keycloak.authorization.model.Policy) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) ResourceServer(org.keycloak.authorization.model.ResourceServer)
