Example 6 with ResourcePermission

Use of org.keycloak.authorization.permission.ResourcePermission in project keycloak by keycloak.

Class UserPermissions, method hasPermission.

private boolean hasPermission(EvaluationContext context, String... scopes) {
    ResourceServer server = root.realmResourceServer();
    if (server == null) {
        // No resource server exists for the realm-management client, so nothing can be granted
        return false;
    }
    Resource resource = resourceStore.findByName(USERS_RESOURCE, server.getId());
    List<String> expectedScopes = Arrays.asList(scopes);
    if (resource == null) {
        // The "Users" resource has not been registered yet: fall back to the realm-level grant,
        // but only when the caller asked for both the manage and the view scope
        return grantIfNoPermission && expectedScopes.contains(MgmtPermissions.MANAGE_SCOPE) && expectedScopes.contains(MgmtPermissions.VIEW_SCOPE);
    }
    // Evaluate every scope of the resource, with or without a caller-supplied evaluation context
    Collection<Permission> permissions;
    if (context == null) {
        permissions = root.evaluatePermission(new ResourcePermission(resource, resource.getScopes(), server), server);
    } else {
        permissions = root.evaluatePermission(new ResourcePermission(resource, resource.getScopes(), server), server, context);
    }
    // Grant as soon as any scope the policies granted is one of the expected scopes
    for (Permission permission : permissions) {
        for (String scope : permission.getScopes()) {
            if (expectedScopes.contains(scope)) {
                return true;
            }
        }
    }
    return false;
}
Also used: Resource(org.keycloak.authorization.model.Resource), ResourcePermission(org.keycloak.authorization.permission.ResourcePermission), Permission(org.keycloak.representations.idm.authorization.Permission), ResourceServer(org.keycloak.authorization.model.ResourceServer)

Example 7 with ResourcePermission

Use of org.keycloak.authorization.permission.ResourcePermission in project keycloak by keycloak.

Class IterablePermissionEvaluator, method evaluate.

@Override
public Decision evaluate(Decision decision) {
    StoreFactory storeFactory = authorizationProvider.getStoreFactory();
    try {
        // Per-policy decision cache shared across all permissions of this evaluation
        Map<Policy, Map<Object, Decision.Effect>> decisionCache = new HashMap<>();
        // The store is read-only while policies are evaluated
        storeFactory.setReadOnly(true);
        Iterator<ResourcePermission> permissions = getPermissions();
        while (permissions.hasNext()) {
            this.policyEvaluator.evaluate(permissions.next(), authorizationProvider, executionContext, decision, decisionCache);
        }
        decision.onComplete();
    } catch (Throwable cause) {
        decision.onError(cause);
    } finally {
        // Always restore the store to read-write, even when evaluation failed
        storeFactory.setReadOnly(false);
    }
    return decision;
}
Also used: Policy(org.keycloak.authorization.model.Policy), HashMap(java.util.HashMap), StoreFactory(org.keycloak.authorization.store.StoreFactory), Map(java.util.Map), Decision(org.keycloak.authorization.Decision), ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)

Example 8 with ResourcePermission

Use of org.keycloak.authorization.permission.ResourcePermission in project keycloak by keycloak.

Class AbstractDecisionCollector, method onDecision.

@Override
public void onDecision(DefaultEvaluation evaluation) {
    Policy parentPolicy = evaluation.getParentPolicy();
    ResourcePermission permission = evaluation.getPermission();
    if (parentPolicy != null) {
        if (parentPolicy.equals(evaluation.getPolicy())) {
            // Decision for a top-level (permission) policy: create the Result for this permission,
            // reusing the associated-policy effects and claims already collected for the same
            // parent policy under another permission, if there are any
            results.computeIfAbsent(permission, permission1 -> {
                for (Result result : results.values()) {
                    Result.PolicyResult policyResult = result.getPolicy(parentPolicy);
                    if (policyResult != null) {
                        Result newResult = new Result(permission1, evaluation);
                        Result.PolicyResult newPolicyResult = newResult.policy(parentPolicy);
                        for (Result.PolicyResult associatePolicy : policyResult.getAssociatedPolicies()) {
                            newPolicyResult.policy(associatePolicy.getPolicy(), associatePolicy.getEffect());
                        }
                        Map<String, Set<String>> claims = result.getPermission().getClaims();
                        if (!claims.isEmpty()) {
                            permission1.addClaims(claims);
                        }
                        return newResult;
                    }
                }
                return new Result(permission1, evaluation);
            }).policy(parentPolicy);
        } else {
            // Decision for a policy associated with the parent policy: record its effect under the parent
            results.computeIfAbsent(permission, p -> new Result(p, evaluation)).policy(parentPolicy).policy(evaluation.getPolicy(), evaluation.getEffect());
        }
    } else {
        // No parent policy: the effect applies directly to the permission
        results.computeIfAbsent(permission, p -> new Result(p, evaluation)).setStatus(evaluation.getEffect());
    }
}
Also used: Policy(org.keycloak.authorization.model.Policy), ResourcePermission(org.keycloak.authorization.permission.ResourcePermission), LinkedHashMap(java.util.LinkedHashMap), Collection(java.util.Collection), Map(java.util.Map), Set(java.util.Set), Decision(org.keycloak.authorization.Decision), DecisionStrategy(org.keycloak.representations.idm.authorization.DecisionStrategy)

Example 9 with ResourcePermission

Use of org.keycloak.authorization.permission.ResourcePermission in project keycloak by keycloak.

Class PolicyEvaluationService, method createPermissions.

private List<ResourcePermission> createPermissions(PolicyEvaluationRequest representation, EvaluationContext evaluationContext, AuthorizationProvider authorization, AuthorizationRequest request) {
    return representation.getResources().stream().flatMap((Function<ResourceRepresentation, Stream<ResourcePermission>>) resource -> {
        StoreFactory storeFactory = authorization.getStoreFactory();
        if (resource == null) {
            resource = new ResourceRepresentation();
        }
        Set<ScopeRepresentation> givenScopes = resource.getScopes();
        if (givenScopes == null) {
            givenScopes = new HashSet<>();
        }
        // Resolve the requested scope names to Scope models of this resource server
        ScopeStore scopeStore = storeFactory.getScopeStore();
        Set<Scope> scopes = givenScopes.stream().map(scopeRepresentation -> scopeStore.findByName(scopeRepresentation.getName(), resourceServer.getId())).collect(Collectors.toSet());
        if (resource.getId() != null) {
            // A specific resource was requested
            Resource resourceModel = storeFactory.getResourceStore().findById(resource.getId(), resourceServer.getId());
            return new ArrayList<>(Arrays.asList(Permissions.createResourcePermissions(resourceModel, resourceServer, scopes, authorization, request))).stream();
        } else if (resource.getType() != null) {
            // A resource type was requested: one permission per resource of that type
            return storeFactory.getResourceStore().findByType(resource.getType(), resourceServer.getId()).stream().map(resource1 -> Permissions.createResourcePermissions(resource1, resourceServer, scopes, authorization, request));
        } else {
            // Neither id nor type: select resources by scope, or build scope-only permissions
            if (scopes.isEmpty()) {
                return Stream.empty();
            }
            List<Resource> resources = storeFactory.getResourceStore().findByScope(scopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId());
            if (resources.isEmpty()) {
                return scopes.stream().map(scope -> new ResourcePermission(null, new ArrayList<>(Arrays.asList(scope)), resourceServer));
            }
            return resources.stream().map(resource12 -> Permissions.createResourcePermissions(resource12, resourceServer, scopes, authorization, request));
        }
    }).collect(Collectors.toList());
}
Also used: ResourcePermission(org.keycloak.authorization.permission.ResourcePermission), Arrays(java.util.Arrays), ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation), Produces(javax.ws.rs.Produces), Permissions(org.keycloak.authorization.permission.Permissions), OAuthErrorException(org.keycloak.OAuthErrorException), Consumes(javax.ws.rs.Consumes), AuthenticationManager(org.keycloak.services.managers.AuthenticationManager), AccessToken(org.keycloak.representations.AccessToken), DecisionPermissionCollector(org.keycloak.authorization.policy.evaluation.DecisionPermissionCollector), ErrorResponseException(org.keycloak.services.ErrorResponseException), Map(java.util.Map), AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider), AuthenticationSessionModel(org.keycloak.sessions.AuthenticationSessionModel), RealmModel(org.keycloak.models.RealmModel), PolicyEvaluationResponseBuilder(org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder), Collection(java.util.Collection), AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest), Set(java.util.Set), Collectors(java.util.stream.Collectors), KeycloakIdentity(org.keycloak.authorization.common.KeycloakIdentity), List(java.util.List), ScopeStore(org.keycloak.authorization.store.ScopeStore), Stream(java.util.stream.Stream), Response(javax.ws.rs.core.Response), DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext), OIDCLoginProtocol(org.keycloak.protocol.oidc.OIDCLoginProtocol), ClientModel(org.keycloak.models.ClientModel), Scope(org.keycloak.authorization.model.Scope), Attributes(org.keycloak.authorization.attribute.Attributes), Permission(org.keycloak.representations.idm.authorization.Permission), Logger(org.jboss.logging.Logger), StoreFactory(org.keycloak.authorization.store.StoreFactory), HashMap(java.util.HashMap), TokenManager(org.keycloak.protocol.oidc.TokenManager), Function(java.util.function.Function), ArrayList(java.util.ArrayList), HashSet(java.util.HashSet), PolicyEvaluationRequest(org.keycloak.representations.idm.authorization.PolicyEvaluationRequest), UserModel(org.keycloak.models.UserModel), ClientSessionContext(org.keycloak.models.ClientSessionContext), ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation), Status(javax.ws.rs.core.Response.Status), ResourceServer(org.keycloak.authorization.model.ResourceServer), POST(javax.ws.rs.POST), AdminPermissionEvaluator(org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator), KeycloakSession(org.keycloak.models.KeycloakSession), UserSessionModel(org.keycloak.models.UserSessionModel), EvaluationContext(org.keycloak.authorization.policy.evaluation.EvaluationContext), Result(org.keycloak.authorization.policy.evaluation.Result), Urls(org.keycloak.services.Urls), Collections(java.util.Collections), Resource(org.keycloak.authorization.model.Resource)

Example 10 with ResourcePermission

Use of org.keycloak.authorization.permission.ResourcePermission in project keycloak by keycloak.

Class AuthorizationTokenService, method addPermission.

private ResourcePermission addPermission(KeycloakAuthorizationRequest request, ResourceServer resourceServer, AuthorizationProvider authorization, Map<String, ResourcePermission> permissionsToEvaluate, AtomicInteger limit, Set<Scope> requestedScopesModel, Resource resource) {
    // One permission per resource id; an existing entry is reused rather than evaluated twice
    ResourcePermission permission = permissionsToEvaluate.get(resource.getId());
    if (permission == null) {
        // Resolve the requested scopes against the resource and its resource server
        permission = new ResourcePermission(resource, Permissions.resolveScopes(resource, resourceServer, requestedScopesModel, authorization), resourceServer, request.getClaims());
        // if it is not the case, then the requested scope is invalid and we don't need to evaluate
        if (!requestedScopesModel.isEmpty() && permission.getScopes().isEmpty()) {
            return null;
        }
        permissionsToEvaluate.put(resource.getId(), permission);
        // Consume one slot of the caller's result limit, when a limit was given
        if (limit != null) {
            limit.decrementAndGet();
        }
    }
    return permission;
}
Also used: ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)

Aggregations

Usage counts across the indexed examples:

ResourcePermission (org.keycloak.authorization.permission.ResourcePermission): 19
Map (java.util.Map): 9
Policy (org.keycloak.authorization.model.Policy): 9
Resource (org.keycloak.authorization.model.Resource): 9
Scope (org.keycloak.authorization.model.Scope): 9
Permission (org.keycloak.representations.idm.authorization.Permission): 8
HashMap (java.util.HashMap): 7
AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider): 7
ResourceServer (org.keycloak.authorization.model.ResourceServer): 7
ArrayList (java.util.ArrayList): 6
Decision (org.keycloak.authorization.Decision): 6
StoreFactory (org.keycloak.authorization.store.StoreFactory): 6
HashSet (java.util.HashSet): 5
Set (java.util.Set): 5
Collection (java.util.Collection): 4
DefaultEvaluation (org.keycloak.authorization.policy.evaluation.DefaultEvaluation): 4
ClientModel (org.keycloak.models.ClientModel): 4
LinkedHashMap (java.util.LinkedHashMap): 3
List (java.util.List): 3
Collectors (java.util.stream.Collectors): 3