
Example 1 with EvaluationContext

use of org.keycloak.authorization.policy.evaluation.EvaluationContext in project keycloak by keycloak.

Class UserPermissions, method canClientImpersonate.

/**
 * Decides whether {@code client} may impersonate {@code user}.
 *
 * <p>The check is evaluated as the <em>client</em> (a {@link ClientModelIdentity}), not as the
 * currently authenticated user. The evaluation context is enriched with a {@code kc.client.id}
 * attribute so that policies can key on the requesting client. Both the client-side permission
 * ({@code canImpersonate}) and the user-side check ({@code isImpersonatable}) must pass; the
 * user-side check is only consulted when the client-side permission succeeds.
 *
 * @param client the client requesting impersonation
 * @param user   the user that would be impersonated
 * @return {@code true} only if the client is permitted to impersonate and the user is impersonatable
 */
@Override
public boolean canClientImpersonate(ClientModel client, UserModel user) {
    final ClientModelIdentity clientIdentity = new ClientModelIdentity(session, client);
    EvaluationContext clientContext = new DefaultEvaluationContext(clientIdentity, session) {

        @Override
        public Map<String, Collection<String>> getBaseAttributes() {
            Map<String, Collection<String>> base = super.getBaseAttributes();
            // Expose the acting client's id to policies evaluated under this context.
            base.put("kc.client.id", Arrays.asList(client.getClientId()));
            return base;
        }
    };
    // Short-circuit exactly like the original conjunction: the user check runs only after
    // the client-side permission has been granted.
    if (!canImpersonate(clientContext)) {
        return false;
    }
    return isImpersonatable(user);
}

Example 2 with EvaluationContext

use of org.keycloak.authorization.policy.evaluation.EvaluationContext in project keycloak by keycloak.

Class ClientPermissions, method canExchangeTo.

/**
 * Decides whether {@code authorizedClient} may exchange a token for one scoped to client {@code to}.
 *
 * <p>A client is always allowed to exchange to itself. For any other target, the decision is
 * delegated to the fine-grained permission set up on the target client's resource server:
 * the resource named by {@code getResourceName(to)}, the permission named by
 * {@code getExchangeToPermissionName(to)} and the token-exchange scope. If any of these is
 * missing, or if the permission has no policies attached, the answer is a deny (with a debug
 * log line naming the missing piece) rather than a fall-through to a default grant.
 *
 * <p>The permission is evaluated with a {@link ClientModelIdentity} for the requesting client;
 * the context additionally carries a {@code kc.client.id} attribute so policies can key on it.
 *
 * @param authorizedClient the client that holds the token being exchanged
 * @param to               the client the new token should be issued for
 * @return {@code true} if the exchange is permitted
 */
@Override
public boolean canExchangeTo(ClientModel authorizedClient, ClientModel to) {
    // Exchanging to oneself needs no permission lookup.
    if (authorizedClient.equals(to)) {
        return true;
    }
    ResourceServer targetServer = resourceServer(to);
    if (targetServer == null) {
        logger.debug("No resource server set up for target client");
        return false;
    }
    String targetServerId = targetServer.getId();
    Resource targetResource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(to), targetServerId);
    if (targetResource == null) {
        logger.debug("No resource object set up for target client");
        return false;
    }
    Policy exchangePermission = authz.getStoreFactory().getPolicyStore().findByName(getExchangeToPermissionName(to), targetServerId);
    if (exchangePermission == null) {
        logger.debug("No permission object set up for target client");
        return false;
    }
    // A permission with no policies attached cannot grant anything: deny instead of evaluating it.
    Set<Policy> attachedPolicies = exchangePermission.getAssociatedPolicies();
    if (attachedPolicies == null || attachedPolicies.isEmpty()) {
        logger.debug("No policies set up for permission on target client");
        return false;
    }
    Scope exchangeScope = exchangeToScope(targetServer);
    if (exchangeScope == null) {
        logger.debug(TOKEN_EXCHANGE + " not initialized");
        return false;
    }
    final ClientModelIdentity requesterIdentity = new ClientModelIdentity(session, authorizedClient);
    EvaluationContext requesterContext = new DefaultEvaluationContext(requesterIdentity, session) {

        @Override
        public Map<String, Collection<String>> getBaseAttributes() {
            Map<String, Collection<String>> base = super.getBaseAttributes();
            // Make the requesting client's id visible to the policies being evaluated.
            base.put("kc.client.id", Arrays.asList(authorizedClient.getClientId()));
            return base;
        }
    };
    return root.evaluatePermission(targetResource, targetServer, requesterContext, exchangeScope);
}

Example 3 with EvaluationContext

use of org.keycloak.authorization.policy.evaluation.EvaluationContext in project keycloak by keycloak.

Class IdentityProviderPermissions, method canExchangeTo.

/**
 * Decides whether {@code authorizedClient} may exchange a token for one issued by the external
 * identity provider {@code to}.
 *
 * <p>Unlike the client variant, identity-provider permissions live on the realm's resource
 * server ({@code root.initializeRealmResourceServer()}). The lookup chain is: resource named by
 * {@code getResourceName(to)}, permission named by {@code getExchangeToPermissionName(to)}, its
 * attached policies, and the token-exchange scope. Any missing piece yields a deny with a debug
 * log line; there is no default grant.
 *
 * <p>The permission is evaluated as the requesting client ({@link ClientModelIdentity}), with a
 * {@code kc.client.id} attribute added to the evaluation context for policies to inspect.
 *
 * @param authorizedClient the client that holds the token being exchanged
 * @param to               the identity provider the exchange targets
 * @return {@code true} if the exchange is permitted
 */
@Override
public boolean canExchangeTo(ClientModel authorizedClient, IdentityProviderModel to) {
    ResourceServer realmServer = root.initializeRealmResourceServer();
    if (realmServer == null) {
        logger.debug("No resource server set up for target idp");
        return false;
    }
    String realmServerId = realmServer.getId();
    Resource idpResource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(to), realmServerId);
    if (idpResource == null) {
        logger.debug("No resource object set up for target idp");
        return false;
    }
    Policy exchangePermission = authz.getStoreFactory().getPolicyStore().findByName(getExchangeToPermissionName(to), realmServerId);
    if (exchangePermission == null) {
        logger.debug("No permission object set up for target idp");
        return false;
    }
    // A permission without attached policies cannot grant: deny rather than evaluate it.
    Set<Policy> attachedPolicies = exchangePermission.getAssociatedPolicies();
    if (attachedPolicies == null || attachedPolicies.isEmpty()) {
        logger.debug("No policies set up for permission on target idp");
        return false;
    }
    Scope exchangeScope = exchangeToScope(realmServer);
    if (exchangeScope == null) {
        logger.debug(TOKEN_EXCHANGE + " not initialized");
        return false;
    }
    final ClientModelIdentity requesterIdentity = new ClientModelIdentity(session, authorizedClient);
    EvaluationContext requesterContext = new DefaultEvaluationContext(requesterIdentity, session) {

        @Override
        public Map<String, Collection<String>> getBaseAttributes() {
            Map<String, Collection<String>> base = super.getBaseAttributes();
            // Make the requesting client's id visible to the policies being evaluated.
            base.put("kc.client.id", Arrays.asList(authorizedClient.getClientId()));
            return base;
        }
    };
    return root.evaluatePermission(idpResource, realmServer, requesterContext, exchangeScope);
}

Example 4 with EvaluationContext

use of org.keycloak.authorization.policy.evaluation.EvaluationContext in project keycloak by keycloak.

Class TimePolicyProvider, method evaluate.

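/**
 * Evaluates a time-based policy: grants when the evaluation instant lies inside every
 * configured window, denies otherwise.
 *
 * <p>The evaluation instant is the current clock time unless the evaluation context carries a
 * {@code CONTEXT_TIME_ENTRY} attribute, in which case the first value of that attribute is parsed
 * with {@code DEFAULT_DATE_PATTERN} and used instead. The policy config is read for:
 * <ul>
 *   <li>{@code nbf} ("not before") — deny while the instant is strictly before it;</li>
 *   <li>{@code noa} ("not on or after") — deny when the instant is equal to or later than it;</li>
 *   <li>{@code dayMonth}, {@code month}, {@code year}, {@code hour}, {@code minute} — delegated
 *       to the sibling {@code isInvalid} helper, one calendar field at a time.</li>
 * </ul>
 * A policy with none of these set grants unconditionally.
 *
 * @param evaluation the evaluation to decide; exactly one of {@code grant()}/{@code deny()} is called
 * @throws RuntimeException if a date cannot be parsed or a helper fails; the policy name is
 *         included in the message, the config values are not
 */
@Override
public void evaluate(Evaluation evaluation) {
    Policy policy = evaluation.getPolicy();
    // SimpleDateFormat is not thread-safe; a fresh instance per call keeps this method reentrant.
    SimpleDateFormat dateFormat = new SimpleDateFormat(DEFAULT_DATE_PATTERN);
    try {
        // Allow the caller to pin the evaluation instant through the context (e.g. an evaluation
        // preview); fall back to the wall clock when the attribute is absent or empty.
        String contextTime = null;
        EvaluationContext context = evaluation.getContext();
        Attributes attributes = context.getAttributes();
        if (attributes != null && attributes.exists(CONTEXT_TIME_ENTRY)) {
            Attributes.Entry contextTimeEntry = attributes.getValue(CONTEXT_TIME_ENTRY);
            if (!contextTimeEntry.isEmpty()) {
                contextTime = contextTimeEntry.asString(0);
            }
        }
        Date actualDate = contextTime == null ? new Date() : dateFormat.parse(contextTime);

        // "nbf": the window opens at the configured instant, so only strictly-earlier is denied.
        // format(...) is a sibling helper (not shown here) that normalises the stored value
        // before parsing — presumably to the DEFAULT_DATE_PATTERN shape; confirm against the class.
        String notBefore = policy.getConfig().get("nbf");
        if (notBefore != null && !notBefore.isEmpty()) {
            if (actualDate.before(dateFormat.parse(format(notBefore)))) {
                evaluation.deny();
                return;
            }
        }

        // "noa" means NOT ON OR AFTER: the boundary instant itself is already outside the window.
        // The previous `actualDate.after(...)` check granted access at exactly the boundary
        // second; `!before` closes that gap.
        String notOnOrAfter = policy.getConfig().get("noa");
        if (notOnOrAfter != null && !notOnOrAfter.isEmpty()) {
            if (!actualDate.before(dateFormat.parse(format(notOnOrAfter)))) {
                evaluation.deny();
                return;
            }
        }

        // Per-field constraints; isInvalid is a sibling helper that reads the named config keys.
        if (isInvalid(actualDate, Calendar.DAY_OF_MONTH, "dayMonth", policy)
                || isInvalid(actualDate, Calendar.MONTH, "month", policy)
                || isInvalid(actualDate, Calendar.YEAR, "year", policy)
                || isInvalid(actualDate, Calendar.HOUR_OF_DAY, "hour", policy)
                || isInvalid(actualDate, Calendar.MINUTE, "minute", policy)) {
            evaluation.deny();
            return;
        }
        evaluation.grant();
    } catch (Exception e) {
        // parse() throws the checked ParseException and the helpers may throw unchecked ones for
        // malformed config; wrap any of them with the policy name only (no config values echoed).
        throw new RuntimeException("Could not evaluate time-based policy [" + policy.getName() + "].", e);
    }
}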

Example 5 with EvaluationContext

use of org.keycloak.authorization.policy.evaluation.EvaluationContext in project keycloak by keycloak.

Class UserPolicyProvider, method evaluate.

/**
 * Evaluates a user-based policy: grants when the identity in the evaluation context is one of
 * the users listed in the policy representation.
 *
 * <p>The policy representation is resolved through {@code representationFunction} from the
 * policy and its authorization provider. The first matching user id triggers a grant and ends
 * the scan; if no id matches, the evaluation is left untouched (neither granted nor denied here).
 * Comparison is {@code identityId.equals(userId)}, i.e. a null identity id would fail fast rather
 * than match.
 *
 * @param evaluation the evaluation to decide
 */
@Override
public void evaluate(Evaluation evaluation) {
    EvaluationContext context = evaluation.getContext();
    UserPolicyRepresentation userPolicy = representationFunction.apply(evaluation.getPolicy(), evaluation.getAuthorizationProvider());
    for (String allowedUserId : userPolicy.getUsers()) {
        if (!context.getIdentity().getId().equals(allowedUserId)) {
            continue;
        }
        evaluation.grant();
        return;
    }
}
