Use of org.keycloak.authorization.policy.evaluation.EvaluationContext in the keycloak project (by keycloak).
Class UserPermissions, method canClientImpersonate.
/**
 * Decides whether {@code client} may impersonate {@code user}.
 *
 * <p>The fine-grained impersonation permission is evaluated under the identity of the
 * requesting client, with that client's id exposed to policies as the
 * {@code kc.client.id} context attribute. Both the client-side permission and the
 * per-user check must pass; the user check is skipped when the client check fails.
 *
 * @param client the client requesting impersonation
 * @param user   the user that would be impersonated
 * @return {@code true} only if the client permission grants and the user is impersonatable
 */
@Override
public boolean canClientImpersonate(ClientModel client, UserModel user) {
    ClientModelIdentity requestingClient = new ClientModelIdentity(session, client);
    EvaluationContext evaluationContext = new DefaultEvaluationContext(requestingClient, session) {
        @Override
        public Map<String, Collection<String>> getBaseAttributes() {
            Map<String, Collection<String>> baseAttributes = super.getBaseAttributes();
            // Make the requesting client's id available to policies evaluated against this context.
            // NOTE(review): this overwrites any kc.client.id the base context may already set — confirm intended.
            baseAttributes.put("kc.client.id", Arrays.asList(client.getClientId()));
            return baseAttributes;
        }
    };
    if (!canImpersonate(evaluationContext)) {
        return false;
    }
    return isImpersonatable(user);
}
Use of org.keycloak.authorization.policy.evaluation.EvaluationContext in the keycloak project (by keycloak).
Class ClientPermissions, method canExchangeTo.
/**
 * Decides whether {@code authorizedClient} may exchange a token for one targeting client {@code to}.
 *
 * <p>A client may always exchange to itself. For any other target the decision is delegated to
 * the target client's "exchange-to" permission, evaluated under the identity of the authorized
 * client (its id is exposed to policies as {@code kc.client.id}). The check is fail-closed: if any
 * part of the fine-grained permission setup is missing — resource server, resource, permission,
 * attached policies, or the token-exchange scope — the answer is {@code false}.
 *
 * @param authorizedClient the client holding the token being exchanged
 * @param to               the client the new token should be issued for
 * @return {@code true} if the exchange is permitted
 */
@Override
public boolean canExchangeTo(ClientModel authorizedClient, ClientModel to) {
    if (authorizedClient.equals(to)) {
        // Exchanging to oneself needs no permission.
        return true;
    }
    ResourceServer targetServer = resourceServer(to);
    if (targetServer == null) {
        logger.debug("No resource server set up for target client");
        return false;
    }
    Resource targetResource = authz.getStoreFactory().getResourceStore()
            .findByName(getResourceName(to), targetServer.getId());
    if (targetResource == null) {
        logger.debug("No resource object set up for target client");
        return false;
    }
    Policy exchangePermission = authz.getStoreFactory().getPolicyStore()
            .findByName(getExchangeToPermissionName(to), targetServer.getId());
    if (exchangePermission == null) {
        logger.debug("No permission object set up for target client");
        return false;
    }
    // A permission with nothing attached cannot grant anything: refuse rather than fall through.
    Set<Policy> attachedPolicies = exchangePermission.getAssociatedPolicies();
    if (attachedPolicies == null || attachedPolicies.isEmpty()) {
        logger.debug("No policies set up for permission on target client");
        return false;
    }
    Scope exchangeScope = exchangeToScope(targetServer);
    if (exchangeScope == null) {
        logger.debug(TOKEN_EXCHANGE + " not initialized");
        return false;
    }
    ClientModelIdentity requester = new ClientModelIdentity(session, authorizedClient);
    EvaluationContext evaluationContext = new DefaultEvaluationContext(requester, session) {
        @Override
        public Map<String, Collection<String>> getBaseAttributes() {
            Map<String, Collection<String>> baseAttributes = super.getBaseAttributes();
            // Expose the requesting client's id so policies can key on it.
            baseAttributes.put("kc.client.id", Arrays.asList(authorizedClient.getClientId()));
            return baseAttributes;
        }
    };
    return root.evaluatePermission(targetResource, targetServer, evaluationContext, exchangeScope);
}
Use of org.keycloak.authorization.policy.evaluation.EvaluationContext in the keycloak project (by keycloak).
Class IdentityProviderPermissions, method canExchangeTo.
/**
 * Decides whether {@code authorizedClient} may exchange a token for one issued by identity
 * provider {@code to}.
 *
 * <p>The decision is delegated to the identity provider's "exchange-to" permission on the realm
 * resource server, evaluated under the identity of the authorized client (its id is exposed to
 * policies as {@code kc.client.id}). The check is fail-closed: a missing realm resource server,
 * resource, permission, attached policies, or token-exchange scope yields {@code false}.
 *
 * @param authorizedClient the client holding the token being exchanged
 * @param to               the identity provider the exchange targets
 * @return {@code true} if the exchange is permitted
 */
@Override
public boolean canExchangeTo(ClientModel authorizedClient, IdentityProviderModel to) {
    ResourceServer realmServer = root.initializeRealmResourceServer();
    if (realmServer == null) {
        logger.debug("No resource server set up for target idp");
        return false;
    }
    Resource idpResource = authz.getStoreFactory().getResourceStore()
            .findByName(getResourceName(to), realmServer.getId());
    if (idpResource == null) {
        logger.debug("No resource object set up for target idp");
        return false;
    }
    Policy exchangePermission = authz.getStoreFactory().getPolicyStore()
            .findByName(getExchangeToPermissionName(to), realmServer.getId());
    if (exchangePermission == null) {
        logger.debug("No permission object set up for target idp");
        return false;
    }
    // A permission with nothing attached cannot grant anything: refuse rather than fall through.
    Set<Policy> attachedPolicies = exchangePermission.getAssociatedPolicies();
    if (attachedPolicies == null || attachedPolicies.isEmpty()) {
        logger.debug("No policies set up for permission on target idp");
        return false;
    }
    Scope exchangeScope = exchangeToScope(realmServer);
    if (exchangeScope == null) {
        logger.debug(TOKEN_EXCHANGE + " not initialized");
        return false;
    }
    ClientModelIdentity requester = new ClientModelIdentity(session, authorizedClient);
    EvaluationContext evaluationContext = new DefaultEvaluationContext(requester, session) {
        @Override
        public Map<String, Collection<String>> getBaseAttributes() {
            Map<String, Collection<String>> baseAttributes = super.getBaseAttributes();
            // Expose the requesting client's id so policies can key on it.
            baseAttributes.put("kc.client.id", Arrays.asList(authorizedClient.getClientId()));
            return baseAttributes;
        }
    };
    return root.evaluatePermission(idpResource, realmServer, evaluationContext, exchangeScope);
}
Use of org.keycloak.authorization.policy.evaluation.EvaluationContext in the keycloak project (by keycloak).
Class TimePolicyProvider, method evaluate.
/**
 * Grants or denies the evaluation depending on whether the effective time falls inside the
 * window configured on the policy.
 *
 * <p>The effective time is the first value of the {@code CONTEXT_TIME_ENTRY} context attribute
 * when present, otherwise the current wall-clock time. The policy is denied if the effective
 * time is before {@code nbf}, after {@code noa}, or rejected by any of the day-of-month, month,
 * year, hour or minute range checks; otherwise it is granted.
 *
 * @param evaluation the evaluation to decide; its policy config supplies the window
 * @throws RuntimeException wrapping any failure (e.g. an unparsable date) so the policy never
 *         silently grants on malformed input
 */
@Override
public void evaluate(Evaluation evaluation) {
    Policy timePolicy = evaluation.getPolicy();
    // SimpleDateFormat is not thread-safe, so a fresh instance is created per evaluation.
    SimpleDateFormat parser = new SimpleDateFormat(DEFAULT_DATE_PATTERN);
    try {
        EvaluationContext ctx = evaluation.getContext();
        // NOTE(review): a context-supplied time replaces the wall clock, so this attribute must only be
        // set by trusted callers; a caller-controlled value would steer the time check — confirm.
        String suppliedTime = null;
        if (ctx.getAttributes() != null && ctx.getAttributes().exists(CONTEXT_TIME_ENTRY)) {
            Attributes.Entry timeEntry = ctx.getAttributes().getValue(CONTEXT_TIME_ENTRY);
            if (!timeEntry.isEmpty()) {
                suppliedTime = timeEntry.asString(0);
            }
        }
        Date effectiveTime;
        if (suppliedTime == null) {
            effectiveTime = new Date();
        } else {
            // NOTE(review): SimpleDateFormat parses leniently by default (out-of-range fields roll over) — confirm acceptable.
            effectiveTime = parser.parse(suppliedTime);
        }
        String notBefore = timePolicy.getConfig().get("nbf");
        if (notBefore != null && !notBefore.isEmpty()
                && effectiveTime.before(parser.parse(format(notBefore)))) {
            evaluation.deny();
            return;
        }
        String notOnOrAfter = timePolicy.getConfig().get("noa");
        // NOTE(review): after() is strict, so a time exactly equal to noa is not denied here — confirm
        // that matches the intended "not on or after" semantics.
        if (notOnOrAfter != null && !notOnOrAfter.isEmpty()
                && effectiveTime.after(parser.parse(format(notOnOrAfter)))) {
            evaluation.deny();
            return;
        }
        boolean outsideConfiguredRanges =
                isInvalid(effectiveTime, Calendar.DAY_OF_MONTH, "dayMonth", timePolicy)
                || isInvalid(effectiveTime, Calendar.MONTH, "month", timePolicy)
                || isInvalid(effectiveTime, Calendar.YEAR, "year", timePolicy)
                || isInvalid(effectiveTime, Calendar.HOUR_OF_DAY, "hour", timePolicy)
                || isInvalid(effectiveTime, Calendar.MINUTE, "minute", timePolicy);
        if (outsideConfiguredRanges) {
            evaluation.deny();
            return;
        }
        evaluation.grant();
    } catch (Exception e) {
        throw new RuntimeException("Could not evaluate time-based policy [" + timePolicy.getName() + "].", e);
    }
}
Use of org.keycloak.authorization.policy.evaluation.EvaluationContext in the keycloak project (by keycloak).
Class UserPolicyProvider, method evaluate.
/**
 * Grants the evaluation if the identity in the evaluation context is one of the users listed
 * in the policy.
 *
 * <p>Only a positive match changes the outcome: when no listed user id equals the identity's id,
 * the evaluation is left untouched (no explicit deny is issued here).
 *
 * @param evaluation the evaluation whose policy lists the permitted user ids
 */
@Override
public void evaluate(Evaluation evaluation) {
    EvaluationContext ctx = evaluation.getContext();
    UserPolicyRepresentation userPolicy =
            representationFunction.apply(evaluation.getPolicy(), evaluation.getAuthorizationProvider());
    for (String allowedUserId : userPolicy.getUsers()) {
        boolean matches = ctx.getIdentity().getId().equals(allowedUserId);
        if (!matches) {
            continue;
        }
        // First match wins; nothing further to decide.
        evaluation.grant();
        return;
    }
}