Use of org.keycloak.authorization.permission.ResourcePermission in project keycloak by keycloak.
Class UserPermissions, method hasPermission.
/**
 * Checks whether the caller holds at least one of the given scopes on the realm-level
 * "users" management resource.
 *
 * <p>The semantics are "any of": the check succeeds as soon as a single granted scope is
 * among {@code scopes}, so a caller asking for manage and view is satisfied by view alone.
 * When the realm has no resource server at all the check fails closed. When the resource
 * server exists but the users resource has not been created, the result is the configured
 * {@code grantIfNoPermission} default, and only for requests that name both the manage
 * and the view scope; any other scope combination is denied in that state.
 *
 * @param context evaluation context to evaluate under, or {@code null} to evaluate without one
 * @param scopes  scope names to look for; any single match grants access
 * @return {@code true} if one of the requested scopes is granted
 */
private boolean hasPermission(EvaluationContext context, String... scopes) {
    ResourceServer resourceServer = root.realmResourceServer();
    if (resourceServer == null) {
        // No permission model for this realm: deny rather than guess.
        return false;
    }

    List<String> requested = Arrays.asList(scopes);
    Resource usersResource = resourceStore.findByName(USERS_RESOURCE, resourceServer.getId());
    if (usersResource == null) {
        // Users resource not provisioned: fall back to the default, restricted to manage+view.
        boolean asksManageAndView = requested.contains(MgmtPermissions.MANAGE_SCOPE)
                && requested.contains(MgmtPermissions.VIEW_SCOPE);
        return grantIfNoPermission && asksManageAndView;
    }

    // Evaluate against every scope defined on the resource, then intersect with the request.
    ResourcePermission toEvaluate = new ResourcePermission(usersResource, usersResource.getScopes(), resourceServer);
    Collection<Permission> granted = context == null
            ? root.evaluatePermission(toEvaluate, resourceServer)
            : root.evaluatePermission(toEvaluate, resourceServer, context);

    return granted.stream()
            .flatMap(permission -> permission.getScopes().stream())
            .anyMatch(requested::contains);
}
Use of org.keycloak.authorization.permission.ResourcePermission in project keycloak by keycloak.
Class IterablePermissionEvaluator, method evaluate.
/**
 * Evaluates every permission produced by {@code getPermissions()} with the policy evaluator
 * and reports the outcome through {@code decision}.
 *
 * <p>The store factory is switched to read-only for the duration of the evaluation and
 * switched back in {@code finally}. Any failure, including {@link Error}s, is routed to
 * {@link Decision#onError(Throwable)} instead of propagating; {@code onComplete()} is only
 * reached when every permission was evaluated without throwing.
 *
 * <p>NOTE(review): the {@code finally} clause sets read-only back to {@code false}
 * unconditionally rather than restoring the previous value — confirm no caller runs this
 * evaluator while the store is already read-only.
 *
 * @param decision the collector receiving per-permission results
 * @return the same {@code decision} instance, for chaining
 */
@Override
public Decision evaluate(Decision decision) {
    StoreFactory stores = authorizationProvider.getStoreFactory();
    try {
        // Per-run memo shared across all permissions: policy -> (key -> effect).
        Map<Policy, Map<Object, Decision.Effect>> memo = new HashMap<>();
        stores.setReadOnly(true);
        for (Iterator<ResourcePermission> it = getPermissions(); it.hasNext(); ) {
            policyEvaluator.evaluate(it.next(), authorizationProvider, executionContext, decision, memo);
        }
        decision.onComplete();
    } catch (Throwable cause) {
        decision.onError(cause);
    } finally {
        stores.setReadOnly(false);
    }
    return decision;
}
Use of org.keycloak.authorization.permission.ResourcePermission in project keycloak by keycloak.
Class AbstractDecisionCollector, method onDecision.
/**
 * Records the outcome of one policy evaluation against the permission it concerns.
 *
 * <p>Three cases, mirroring how the evaluator reports results:
 * <ul>
 *   <li>No parent policy: a top-level decision; its effect becomes the status of the
 *       permission's {@link Result}.</li>
 *   <li>Parent policy equals the evaluated policy: the parent itself is being reported. If
 *       this permission has no result yet, it is seeded from another permission that already
 *       carries a result for the same parent (associated policies and claims are copied),
 *       then the parent is registered on the result.</li>
 *   <li>Parent policy differs from the evaluated policy: an associated policy of the parent;
 *       it is attached under the parent together with its effect.</li>
 * </ul>
 *
 * <p>NOTE(review): in the second case, claims collected on a sibling permission are merged
 * into this permission via {@code addClaims}. Presumably intended so that permissions
 * sharing a parent policy see the same claim set — verify this cannot carry claims between
 * unrelated permissions evaluated in the same run.
 *
 * @param evaluation the finished evaluation to record
 */
@Override
public void onDecision(DefaultEvaluation evaluation) {
    ResourcePermission permission = evaluation.getPermission();
    Policy parent = evaluation.getParentPolicy();

    if (parent == null) {
        results.computeIfAbsent(permission, key -> new Result(key, evaluation))
                .setStatus(evaluation.getEffect());
        return;
    }

    if (parent.equals(evaluation.getPolicy())) {
        results.computeIfAbsent(permission, key -> seedFromSibling(key, evaluation, parent))
                .policy(parent);
        return;
    }

    results.computeIfAbsent(permission, key -> new Result(key, evaluation))
            .policy(parent)
            .policy(evaluation.getPolicy(), evaluation.getEffect());
}

/**
 * Builds the initial {@link Result} for {@code permission} when its parent policy is being
 * reported. The first existing result that already holds a {@link Result.PolicyResult} for
 * {@code parent} serves as a template: its associated policies are replayed onto the new
 * result and its permission's claims (if any) are merged into {@code permission}. If no such
 * result exists, a bare result is returned.
 */
private Result seedFromSibling(ResourcePermission permission, DefaultEvaluation evaluation, Policy parent) {
    for (Result existing : results.values()) {
        Result.PolicyResult template = existing.getPolicy(parent);
        if (template == null) {
            continue;
        }
        Result seeded = new Result(permission, evaluation);
        Result.PolicyResult seededParent = seeded.policy(parent);
        for (Result.PolicyResult associated : template.getAssociatedPolicies()) {
            seededParent.policy(associated.getPolicy(), associated.getEffect());
        }
        Map<String, Set<String>> claims = existing.getPermission().getClaims();
        if (!claims.isEmpty()) {
            permission.addClaims(claims);
        }
        return seeded;
    }
    return new Result(permission, evaluation);
}
Use of org.keycloak.authorization.permission.ResourcePermission in project keycloak by keycloak.
Class PolicyEvaluationService, method createPermissions.
/**
 * Translates the resources named in a policy-evaluation request into the
 * {@link ResourcePermission}s to evaluate.
 *
 * <p>For each requested resource the requested scope names are first resolved against the
 * scope store of this resource server. Then, in order of precedence:
 * <ol>
 *   <li>a resource id selects exactly that resource;</li>
 *   <li>otherwise a resource type selects every resource of that type;</li>
 *   <li>otherwise the scopes alone select every resource carrying one of them, and when
 *       no resource matches, one scope-only permission (no resource) per scope is produced.
 *       With neither id, type nor scopes, nothing is produced for that entry.</li>
 * </ol>
 *
 * <p>NOTE(review): unknown names are not rejected here. If the scope store returns
 * {@code null} for a name that does not exist, that {@code null} is collected into the scope
 * set and reaches {@code Scope::getId} / {@code createResourcePermissions}; likewise an
 * unknown resource id is handed on as a {@code null} resource. Confirm the stores'
 * not-found behaviour, or validate the representation up front.
 *
 * @param representation    the evaluation request whose resources are iterated
 * @param evaluationContext not referenced in this method
 * @param authorization     provider giving access to the stores
 * @param request           authorization request forwarded to the permission factory
 * @return the permissions to evaluate, in request order
 */
private List<ResourcePermission> createPermissions(PolicyEvaluationRequest representation, EvaluationContext evaluationContext, AuthorizationProvider authorization, AuthorizationRequest request) {
    return representation.getResources().stream()
            .flatMap((Function<ResourceRepresentation, Stream<ResourcePermission>>) requested -> {
                StoreFactory storeFactory = authorization.getStoreFactory();
                ResourceRepresentation spec = requested == null ? new ResourceRepresentation() : requested;
                String serverId = resourceServer.getId();

                // Resolve requested scope names to scope models (unknown names are not filtered).
                Set<ScopeRepresentation> requestedScopes = spec.getScopes();
                if (requestedScopes == null) {
                    requestedScopes = new HashSet<>();
                }
                ScopeStore scopeStore = storeFactory.getScopeStore();
                Set<Scope> scopes = requestedScopes.stream()
                        .map(scopeRep -> scopeStore.findByName(scopeRep.getName(), serverId))
                        .collect(Collectors.toSet());

                // 1. explicit resource id
                if (spec.getId() != null) {
                    Resource model = storeFactory.getResourceStore().findById(spec.getId(), serverId);
                    return Stream.of(Permissions.createResourcePermissions(model, resourceServer, scopes, authorization, request));
                }

                // 2. every resource of the given type
                if (spec.getType() != null) {
                    return storeFactory.getResourceStore().findByType(spec.getType(), serverId).stream()
                            .map(model -> Permissions.createResourcePermissions(model, resourceServer, scopes, authorization, request));
                }

                // 3. scopes only
                if (scopes.isEmpty()) {
                    return Stream.empty();
                }
                List<String> scopeIds = scopes.stream().map(Scope::getId).collect(Collectors.toList());
                List<Resource> matching = storeFactory.getResourceStore().findByScope(scopeIds, serverId);
                if (matching.isEmpty()) {
                    // No resource carries these scopes: evaluate each scope without a resource.
                    return scopes.stream().map(scope -> {
                        List<Scope> single = new ArrayList<>();
                        single.add(scope);
                        return new ResourcePermission(null, single, resourceServer);
                    });
                }
                return matching.stream()
                        .map(model -> Permissions.createResourcePermissions(model, resourceServer, scopes, authorization, request));
            })
            .collect(Collectors.toList());
}
Use of org.keycloak.authorization.permission.ResourcePermission in project keycloak by keycloak.
Class AuthorizationTokenService, method addPermission.
/**
 * Returns the {@link ResourcePermission} to evaluate for {@code resource}, creating and
 * caching it in {@code permissionsToEvaluate} on first sight.
 *
 * <p>On creation the requested scopes are narrowed through
 * {@code Permissions.resolveScopes}. If the caller asked for scopes but none survive that
 * resolution, the request names scopes that do not apply to this resource: nothing is cached,
 * {@code limit} is not consumed, and {@code null} is returned so the resource is skipped
 * rather than evaluated with an empty scope set. Each newly cached permission consumes one
 * unit of {@code limit} when a limit is set; whether the limit is enforced is up to the caller.
 *
 * @param request               incoming authorization request; its claims are attached to new permissions
 * @param resourceServer        resource server owning {@code resource}
 * @param authorization         provider used for scope resolution
 * @param permissionsToEvaluate cache keyed by resource id, updated in place
 * @param limit                 remaining-permission counter to decrement, or {@code null} for none
 * @param requestedScopesModel  scopes the caller asked for; may be empty
 * @param resource              the resource being requested
 * @return the cached or newly created permission, or {@code null} if the requested scopes do not apply
 */
private ResourcePermission addPermission(KeycloakAuthorizationRequest request, ResourceServer resourceServer, AuthorizationProvider authorization, Map<String, ResourcePermission> permissionsToEvaluate, AtomicInteger limit, Set<Scope> requestedScopesModel, Resource resource) {
    String resourceId = resource.getId();
    ResourcePermission cached = permissionsToEvaluate.get(resourceId);
    if (cached != null) {
        return cached;
    }

    ResourcePermission created = new ResourcePermission(
            resource,
            Permissions.resolveScopes(resource, resourceServer, requestedScopesModel, authorization),
            resourceServer,
            request.getClaims());

    // Scopes were requested but none apply to this resource: fail closed for it.
    boolean scopesRequested = !requestedScopesModel.isEmpty();
    if (scopesRequested && created.getScopes().isEmpty()) {
        return null;
    }

    permissionsToEvaluate.put(resourceId, created);
    if (limit != null) {
        limit.decrementAndGet();
    }
    return created;
}