
Example 1 with Result

use of org.keycloak.authorization.policy.evaluation.Result in project keycloak by keycloak.

Class AggregatePolicyProvider, method evaluate:

/**
 * Evaluates an aggregate policy by running every associated policy against the
 * current permission and handing the collected results to a
 * {@link DecisionResultCollector}, which issues the final grant or deny.
 *
 * <p>Effects of the associated policies are memoized in the shared decision cache
 * (keyed by associated policy, then by permission); a policy already evaluated for
 * this permission is not re-run, its cached effect is replayed instead.
 *
 * @param evaluation the evaluation context of the aggregate policy; it must be a
 *                   {@link DefaultEvaluation}, otherwise a ClassCastException is thrown
 */
@Override
public void evaluate(Evaluation evaluation) {
    // Turns the aggregated per-policy results into a single grant/deny on the outer evaluation.
    DecisionResultCollector collector = new DecisionResultCollector() {

        @Override
        protected void onComplete(Result result) {
            // Only the first collected result decides the outcome.
            if (!isGranted(result.getResults().iterator().next())) {
                evaluation.deny();
                return;
            }
            evaluation.grant();
        }
    };
    AuthorizationProvider authorization = evaluation.getAuthorizationProvider();
    Policy aggregate = evaluation.getPolicy();
    DefaultEvaluation parent = (DefaultEvaluation) evaluation;
    Map<Policy, Map<Object, Decision.Effect>> decisionCache = parent.getDecisionCache();
    ResourcePermission permission = evaluation.getPermission();
    for (Policy child : aggregate.getAssociatedPolicies()) {
        Map<Object, Decision.Effect> cachedForChild = decisionCache.computeIfAbsent(child, ignored -> new HashMap<>());
        Decision.Effect cached = cachedForChild.get(permission);
        // The child evaluation reports into the collector, which is shared by all children.
        DefaultEvaluation childEvaluation = new DefaultEvaluation(evaluation.getPermission(), evaluation.getContext(), aggregate, child, collector, authorization, decisionCache);
        if (cached != null) {
            // Replay the memoized effect instead of re-running the provider.
            childEvaluation.setEffect(cached);
            continue;
        }
        PolicyProvider provider = authorization.getProvider(child.getType());
        provider.evaluate(childEvaluation);
        // A provider that set no effect counts as a deny before the effect is cached.
        childEvaluation.denyIfNoEffect();
        cachedForChild.put(permission, childEvaluation.getEffect());
    }
    collector.onComplete(permission);
}

Example 2 with Result

use of org.keycloak.authorization.policy.evaluation.Result in project keycloak by keycloak.

Class PolicyEvaluationResponseBuilder, method build:

/**
 * Builds the policy-evaluation response from the collected decision results.
 *
 * <p>The identity's access token is turned into the RPT of the response: the
 * permissions from {@code decision.results()} become its authorization claim and
 * the resource server's client id is added to its audience if missing. Each
 * {@link Result} is then rendered as an {@code EvaluationResultRepresentation};
 * the per-resource representations are afterwards merged by resource id, where a
 * single PERMIT makes the merged entry PERMIT.
 *
 * @param decision       the collector holding the evaluation results and the granted permissions
 * @param resourceServer the resource server the evaluation ran against
 * @param authorization  the authorization provider used to resolve realm and clients
 * @param identity       the identity whose access token becomes the RPT of the response
 * @return the response holding the RPT, the overall status and the merged per-resource results
 */
public static PolicyEvaluationResponse build(PolicyEvaluationService.EvaluationDecisionCollector decision, ResourceServer resourceServer, AuthorizationProvider authorization, KeycloakIdentity identity) {
    PolicyEvaluationResponse response = new PolicyEvaluationResponse();
    List<PolicyEvaluationResponse.EvaluationResultRepresentation> resultsRep = new ArrayList<>();
    AccessToken accessToken = identity.getAccessToken();
    // The granted permissions are embedded into the caller's token, which is returned as the RPT.
    AccessToken.Authorization authorizationData = new AccessToken.Authorization();
    authorizationData.setPermissions(decision.results());
    accessToken.setAuthorization(authorizationData);
    // NOTE(review): clientModel is dereferenced without a null check; a resource server
    // whose client cannot be resolved would fail here with a NullPointerException — confirm.
    ClientModel clientModel = authorization.getRealm().getClientById(resourceServer.getId());
    if (!accessToken.hasAudience(clientModel.getClientId())) {
        accessToken.audience(clientModel.getClientId());
    }
    response.setRpt(accessToken);
    Collection<Result> results = decision.getResults();
    // Overall status: a single DENY among the results denies the whole evaluation.
    if (results.stream().anyMatch(evaluationResult -> evaluationResult.getEffect().equals(Decision.Effect.DENY))) {
        response.setStatus(DecisionEffect.DENY);
    } else {
        response.setStatus(DecisionEffect.PERMIT);
    }
    for (Result result : results) {
        PolicyEvaluationResponse.EvaluationResultRepresentation rep = new PolicyEvaluationResponse.EvaluationResultRepresentation();
        if (result.getEffect() == Decision.Effect.DENY) {
            rep.setStatus(DecisionEffect.DENY);
        } else {
            rep.setStatus(DecisionEffect.PERMIT);
        }
        resultsRep.add(rep);
        if (result.getPermission().getResource() != null) {
            ResourceRepresentation resource = new ResourceRepresentation();
            resource.setId(result.getPermission().getResource().getId());
            resource.setName(result.getPermission().getResource().getName());
            rep.setResource(resource);
        } else {
            // Scope-only permission: a synthetic resource with no id, named after the scopes.
            ResourceRepresentation resource = new ResourceRepresentation();
            resource.setName("Any Resource with Scopes " + result.getPermission().getScopes().stream().map(Scope::getName).collect(Collectors.toList()));
            rep.setResource(resource);
        }
        rep.setScopes(result.getPermission().getScopes().stream().map(scope -> {
            ScopeRepresentation representation = new ScopeRepresentation();
            representation.setId(scope.getId());
            representation.setName(scope.getName());
            return representation;
        }).collect(Collectors.toList()));
        List<PolicyEvaluationResponse.PolicyResultRepresentation> policies = new ArrayList<>();
        for (Result.PolicyResult policy : result.getResults()) {
            PolicyResultRepresentation policyRep = toRepresentation(policy, authorization);
            // A "resource" policy is reported with the full scope set of the resource it protects.
            // NOTE(review): getResource() is dereferenced here without the null check applied
            // above; a "resource" policy on a scope-only permission would NPE — confirm this
            // combination cannot occur.
            if ("resource".equals(policy.getPolicy().getType())) {
                policyRep.getPolicy().setScopes(result.getPermission().getResource().getScopes().stream().map(Scope::getName).collect(Collectors.toSet()));
            }
            policies.add(policyRep);
        }
        rep.setPolicies(policies);
    }
    resultsRep.sort(Comparator.comparing(o -> o.getResource().getName()));
    // Merge entries by resource id. Scope-only entries carry no id here, so they all share
    // the null key (HashMap permits it) and collapse into a single "Any Resource" entry.
    Map<String, PolicyEvaluationResponse.EvaluationResultRepresentation> groupedResults = new HashMap<>();
    resultsRep.forEach(evaluationResultRepresentation -> {
        PolicyEvaluationResponse.EvaluationResultRepresentation result = groupedResults.get(evaluationResultRepresentation.getResource().getId());
        ResourceRepresentation resource = evaluationResultRepresentation.getResource();
        if (result == null) {
            groupedResults.put(resource.getId(), evaluationResultRepresentation);
            result = evaluationResultRepresentation;
        }
        // Since a status is only ever PERMIT or DENY here, this reads as: if either the merged
        // entry or the incoming entry is PERMIT, the merged entry becomes PERMIT.
        if (result.getStatus().equals(DecisionEffect.PERMIT) || (evaluationResultRepresentation.getStatus().equals(DecisionEffect.PERMIT) && result.getStatus().equals(DecisionEffect.DENY))) {
            result.setStatus(DecisionEffect.PERMIT);
        }
        // The scopes come from the merged (first-seen) entry, not from the incoming one.
        // NOTE(review): allowedScopes therefore reflects the first entry's scopes even when the
        // PERMIT was contributed by a later entry with different scopes — confirm this is intended.
        List<ScopeRepresentation> scopes = result.getScopes();
        if (DecisionEffect.PERMIT.equals(result.getStatus())) {
            result.setAllowedScopes(scopes);
        }
        // Re-label the merged resource with the incoming entry's name plus the merged scopes.
        if (resource.getId() != null) {
            if (!scopes.isEmpty()) {
                result.getResource().setName(evaluationResultRepresentation.getResource().getName() + " with scopes " + scopes.stream().flatMap((Function<ScopeRepresentation, Stream<?>>) scopeRepresentation -> Arrays.asList(scopeRepresentation.getName()).stream()).collect(Collectors.toList()));
            } else {
                result.getResource().setName(evaluationResultRepresentation.getResource().getName());
            }
        } else {
            result.getResource().setName("Any Resource with Scopes " + scopes.stream().flatMap((Function<ScopeRepresentation, Stream<?>>) scopeRepresentation -> Arrays.asList(scopeRepresentation.getName()).stream()).collect(Collectors.toList()));
        }
        // Append the incoming entry's policies that the merged entry does not already hold (equals-based).
        List<PolicyEvaluationResponse.PolicyResultRepresentation> policies = result.getPolicies();
        for (PolicyEvaluationResponse.PolicyResultRepresentation policy : new ArrayList<>(evaluationResultRepresentation.getPolicies())) {
            if (!policies.contains(policy)) {
                policies.add(policy);
            }
        }
    });
    response.setResults(groupedResults.values().stream().collect(Collectors.toList()));
    return response;
}

Example 3 with Result

use of org.keycloak.authorization.policy.evaluation.Result in project keycloak by keycloak.

Class PolicyEvaluationResponseBuilder, method toRepresentation:

/**
 * Converts a single per-policy evaluation result into its response representation.
 *
 * <p>The policy's id, name, type, decision strategy, description, resource names
 * and scope names are copied over. For a {@code "uma"} policy the description is
 * rewritten: if a permission ticket exists for the policy, it names the resource
 * owner and the requester; otherwise the description is suffixed with
 * "(User-Managed Policy)". A denied result also reports the policy's scopes as the
 * denied scopes. Associated policies are converted recursively.
 *
 * @param result        the per-policy result to convert
 * @param authorization the provider used to look up permission tickets, users and clients
 * @return the representation of the policy and its effect
 */
private static PolicyEvaluationResponse.PolicyResultRepresentation toRepresentation(Result.PolicyResult result, AuthorizationProvider authorization) {
    Policy policy = result.getPolicy();
    PolicyRepresentation policyRep = new PolicyRepresentation();
    policyRep.setId(policy.getId());
    policyRep.setName(policy.getName());
    policyRep.setType(policy.getType());
    policyRep.setDecisionStrategy(policy.getDecisionStrategy());
    policyRep.setDescription(policy.getDescription());
    if ("uma".equals(policyRep.getType())) {
        Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
        filters.put(PermissionTicket.FilterOption.POLICY_ID, policy.getId());
        // Only the first matching ticket is consulted.
        List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, policy.getResourceServer().getId(), -1, 1);
        if (tickets.isEmpty()) {
            String current = policyRep.getDescription();
            policyRep.setDescription(current == null ? "User-Managed Policy" : current + " (User-Managed Policy)");
        } else {
            KeycloakSession session = authorization.getKeycloakSession();
            RealmModel realm = authorization.getRealm();
            PermissionTicket ticket = tickets.get(0);
            UserModel ownerUser = session.users().getUserById(realm, ticket.getOwner());
            UserModel requester = session.users().getUserById(realm, ticket.getRequester());
            // The owner is either a user or, failing that, a client of the realm.
            String ownerLabel = ownerUser != null
                    ? getUserEmailOrUserName(ownerUser)
                    : realm.getClientById(ticket.getOwner()).getClientId();
            policyRep.setDescription("Resource owner (" + ownerLabel + ") grants access to " + getUserEmailOrUserName(requester));
        }
    }
    policyRep.setResources(policy.getResources().stream().map(r -> r.getName()).collect(Collectors.toSet()));
    policyRep.setScopes(policy.getScopes().stream().map(s -> s.getName()).collect(Collectors.toSet()));
    PolicyEvaluationResponse.PolicyResultRepresentation resultRep = new PolicyEvaluationResponse.PolicyResultRepresentation();
    resultRep.setPolicy(policyRep);
    boolean denied = result.getEffect() == Decision.Effect.DENY;
    resultRep.setStatus(denied ? DecisionEffect.DENY : DecisionEffect.PERMIT);
    if (denied) {
        // A denied policy reports its scopes as the scopes it denied.
        resultRep.setScopes(policyRep.getScopes());
    }
    resultRep.setAssociatedPolicies(result.getAssociatedPolicies().stream()
            .map(associated -> toRepresentation(associated, authorization))
            .collect(Collectors.toList()));
    return resultRep;
}
