
Example 6 with ResourceStore

use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.

From the class UserSynchronizer, method removeUserResources (cleanup of a removed user's authorization resources).

/**
 * Tears down the authorization resources owned by a user that is being removed.
 * <p>
 * Every resource whose owner is the removed user is deleted. Before a resource goes
 * away, each policy that references it is either deleted outright (when that resource
 * was the policy's only target) or merely detached from the resource (when the policy
 * still targets others), so the policy store is left without dangling references.
 *
 * @param event                 the removal event carrying the user being deleted
 * @param authorizationProvider provider giving access to the policy and resource stores
 */
private void removeUserResources(UserRemovedEvent event, AuthorizationProvider authorizationProvider) {
    StoreFactory stores = authorizationProvider.getStoreFactory();
    PolicyStore policies = stores.getPolicyStore();
    ResourceStore resources = stores.getResourceStore();
    String ownerId = event.getUser().getId();

    resources.findByOwner(ownerId, null, owned -> {
        String ownedId = owned.getId();
        // Detach the resource from every policy that targets it before deleting it,
        // so no policy is left pointing at a resource that no longer exists.
        policies.findByResource(ownedId, owned.getResourceServer()).forEach(policy -> {
            boolean onlyTarget = policy.getResources().size() == 1;
            if (!onlyTarget) {
                policy.removeResource(owned);
            } else {
                // A policy whose sole target is this resource has nothing left to protect.
                policies.delete(policy.getId());
            }
        });
        resources.delete(ownedId);
    });
}
Also used : UserModel(org.keycloak.models.UserModel) PolicyStore(org.keycloak.authorization.store.PolicyStore) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory)

Example 7 with ResourceStore

use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.

From the class ResourceSetService, method getScopes (admin endpoint listing a resource's scopes).

/**
 * Lists the scopes attached to a single resource of this resource server.
 * <p>
 * The caller must hold view permission ({@code requireView()} is evaluated first). The
 * lookup is bound to the current resource server's id, so an id that belongs to a
 * different resource server resolves to nothing and yields {@code 404} instead of
 * exposing another server's data.
 * <p>
 * For a typed resource that is not owned by the resource server itself, the scopes of
 * the server-owned resources sharing that type are merged in as well; representations
 * already collected are skipped.
 *
 * @param id the resource id taken from the path
 * @return {@code 200} with the JSON list of scope representations, or {@code 404}
 *         when the resource does not exist under this resource server
 */
@Path("{id}/scopes")
@GET
@NoCache
@Produces("application/json")
public Response getScopes(@PathParam("id") String id) {
    requireView();
    String serverId = resourceServer.getId();
    ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
    Resource resource = resourceStore.findById(id, serverId);
    if (resource == null) {
        return Response.status(Status.NOT_FOUND).build();
    }

    List<ScopeRepresentation> result = new ArrayList<>();
    for (Scope scope : resource.getScopes()) {
        ScopeRepresentation rep = new ScopeRepresentation();
        rep.setId(scope.getId());
        rep.setName(scope.getName());
        result.add(rep);
    }

    boolean inheritsTypeScopes = resource.getType() != null && !resource.getOwner().equals(serverId);
    if (inheritsTypeScopes) {
        for (Resource typed : resourceStore.findByType(resource.getType(), serverId)) {
            boolean serverOwned = typed.getOwner().equals(serverId);
            if (!serverOwned || typed.getId().equals(resource.getId())) {
                continue;
            }
            // Collect first, then append: duplicates are checked only against what was
            // already present before this typed resource was processed.
            List<ScopeRepresentation> inherited = new ArrayList<>();
            for (Scope scope : typed.getScopes()) {
                ScopeRepresentation rep = new ScopeRepresentation();
                rep.setId(scope.getId());
                rep.setName(scope.getName());
                String iconUri = scope.getIconUri();
                if (iconUri != null) {
                    rep.setIconUri(iconUri);
                }
                if (!result.contains(rep)) {
                    inherited.add(rep);
                }
            }
            result.addAll(inherited);
        }
    }
    return Response.ok(result).build();
}
Also used : ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) ResourceType(org.keycloak.events.admin.ResourceType) Produces(javax.ws.rs.Produces) BiFunction(java.util.function.BiFunction) Path(javax.ws.rs.Path) OAuthErrorException(org.keycloak.OAuthErrorException) QueryParam(javax.ws.rs.QueryParam) Consumes(javax.ws.rs.Consumes) ErrorResponseException(org.keycloak.services.ErrorResponseException) ModelToRepresentation.toRepresentation(org.keycloak.models.utils.ModelToRepresentation.toRepresentation) Map(java.util.Map) ResourceOwnerRepresentation(org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) DELETE(javax.ws.rs.DELETE) RealmModel(org.keycloak.models.RealmModel) EnumMap(java.util.EnumMap) Collection(java.util.Collection) Set(java.util.Set) PolicyStore(org.keycloak.authorization.store.PolicyStore) ResourceStore(org.keycloak.authorization.store.ResourceStore) Collectors(java.util.stream.Collectors) List(java.util.List) Response(javax.ws.rs.core.Response) RepresentationToModel.toModel(org.keycloak.models.utils.RepresentationToModel.toModel) ClientModel(org.keycloak.models.ClientModel) OperationType(org.keycloak.events.admin.OperationType) PathParam(javax.ws.rs.PathParam) Scope(org.keycloak.authorization.model.Scope) GET(javax.ws.rs.GET) StoreFactory(org.keycloak.authorization.store.StoreFactory) Constants(org.keycloak.models.Constants) HashMap(java.util.HashMap) Function(java.util.function.Function) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) ArrayList(java.util.ArrayList) HashSet(java.util.HashSet) UserModel(org.keycloak.models.UserModel) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) Status(javax.ws.rs.core.Response.Status) PathMatcher(org.keycloak.common.util.PathMatcher) ResourceServer(org.keycloak.authorization.model.ResourceServer) 
POST(javax.ws.rs.POST) AdminPermissionEvaluator(org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator) KeycloakSession(org.keycloak.models.KeycloakSession) Policy(org.keycloak.authorization.model.Policy) NoCache(org.jboss.resteasy.annotations.cache.NoCache) PUT(javax.ws.rs.PUT) Collections(java.util.Collections) Resource(org.keycloak.authorization.model.Resource) AdminEventBuilder(org.keycloak.services.resources.admin.AdminEventBuilder) Resource(org.keycloak.authorization.model.Resource) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) NoCache(org.jboss.resteasy.annotations.cache.NoCache)

Example 8 with ResourceStore

use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.

From the class ResourceSetService, method update (admin endpoint updating a resource by id).

/**
 * Updates an existing resource of this resource server from its JSON representation.
 * <p>
 * Requires manage permission. The id is always taken from the path and written over
 * whatever id the request body carried, so a client cannot redirect the update to a
 * different resource by supplying another id in the payload. The lookup is bound to
 * the current resource server, so ids from other servers produce {@code 404}.
 *
 * @param id       id of the resource to update, from the path
 * @param resource the new representation of the resource
 * @return {@code 204} on success, {@code 404} if no such resource exists on this server
 */
@Path("{id}")
@PUT
@Consumes("application/json")
@Produces("application/json")
public Response update(@PathParam("id") String id, ResourceRepresentation resource) {
    requireManage();
    // The path wins over the body: only the addressed resource is ever touched.
    resource.setId(id);
    ResourceStore resourceStore = this.authorization.getStoreFactory().getResourceStore();
    Resource existing = resourceStore.findById(id, resourceServer.getId());
    if (existing == null) {
        return Response.status(Status.NOT_FOUND).build();
    }
    toModel(resource, resourceServer, authorization);
    audit(resource, OperationType.UPDATE);
    return Response.noContent().build();
}
Also used : Resource(org.keycloak.authorization.model.Resource) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) Path(javax.ws.rs.Path) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces) PUT(javax.ws.rs.PUT)

Example 9 with ResourceStore

use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.

From the class UserManagedPermissionService, method checkRequest (precondition checks for UMA user-managed permissions).

/**
 * Validates that the caller may manage UMA permissions for the given resource and, when
 * a permission representation is supplied, that it is well formed for that resource.
 * <p>
 * The checks run in this order: the resource exists under this resource server; the
 * current identity is its owner; the resource was created with owner-managed access; and
 * the resource server allows remote resource management. Then, if a representation is
 * present, its scopes default to the resource's own scopes when absent, must otherwise be
 * a subset of them, and a condition is rejected unless the UPLOAD_SCRIPTS feature is
 * enabled (the error text treats a condition as an uploaded script).
 *
 * @param resourceId     id of the resource the permission applies to
 * @param representation the permission to validate, or {@code null} to check only the
 *                       resource/owner/server preconditions
 * @throws ErrorResponseException {@code invalid_request}/400 for a failed precondition or a
 *                                malformed permission; {@code request_not_supported}/403 when
 *                                remote resource management is disabled on the server
 */
private void checkRequest(String resourceId, UmaPermissionRepresentation representation) {
    ResourceStore resourceStore = this.authorization.getStoreFactory().getResourceStore();
    Resource resource = resourceStore.findById(resourceId, resourceServer.getId());

    if (resource == null) {
        throw badUmaRequest("Resource [" + resourceId + "] cannot be found");
    }
    // Ownership is the authorization check for this endpoint: the token's subject must be
    // the owner of the resource whose permissions are being managed.
    if (!resource.getOwner().equals(identity.getId())) {
        throw badUmaRequest("Only resource owner can access policies for resource [" + resourceId + "]");
    }
    if (!resource.isOwnerManagedAccess()) {
        throw badUmaRequest("Only resources with owner managed accessed can have policies");
    }
    if (!resourceServer.isAllowRemoteResourceManagement()) {
        throw new ErrorResponseException(OAuthErrorException.REQUEST_NOT_SUPPORTED,
                "Remote Resource Management not enabled on resource server [" + resourceServer.getId() + "]",
                Status.FORBIDDEN);
    }
    if (representation == null) {
        return;
    }

    Set<String> allowedScopes = resource.getScopes().stream()
            .map(scope -> scope.getName())
            .collect(Collectors.toSet());
    Set<String> requested = representation.getScopes();
    if (requested == null || requested.isEmpty()) {
        // No explicit scopes means "every scope of the resource".
        requested = allowedScopes;
        representation.setScopes(requested);
    }
    if (!allowedScopes.containsAll(requested)) {
        throw badUmaRequest("Some of the scopes [" + requested + "] are not valid for resource [" + resourceId + "]");
    }
    // A client-supplied condition is only accepted when the deployment has explicitly
    // opted into script uploads.
    if (representation.getCondition() != null && !Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
        throw badUmaRequest("Script upload not supported");
    }
}

/** Builds the {@code invalid_request}/400 error used for every failed UMA permission check. */
private ErrorResponseException badUmaRequest(String description) {
    return new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, description, Status.BAD_REQUEST);
}
Also used : PathParam(javax.ws.rs.PathParam) Produces(javax.ws.rs.Produces) Profile(org.keycloak.common.Profile) GET(javax.ws.rs.GET) Path(javax.ws.rs.Path) ResteasyProviderFactory(org.jboss.resteasy.spi.ResteasyProviderFactory) OAuthErrorException(org.keycloak.OAuthErrorException) QueryParam(javax.ws.rs.QueryParam) Consumes(javax.ws.rs.Consumes) ErrorResponseException(org.keycloak.services.ErrorResponseException) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) Status(javax.ws.rs.core.Response.Status) Identity(org.keycloak.authorization.identity.Identity) DELETE(javax.ws.rs.DELETE) PolicyTypeResourceService(org.keycloak.authorization.admin.PolicyTypeResourceService) ResourceServer(org.keycloak.authorization.model.ResourceServer) POST(javax.ws.rs.POST) Set(java.util.Set) IOException(java.io.IOException) ResourceStore(org.keycloak.authorization.store.ResourceStore) Collectors(java.util.stream.Collectors) KeycloakIdentity(org.keycloak.authorization.common.KeycloakIdentity) PermissionService(org.keycloak.authorization.admin.PermissionService) JsonSerialization(org.keycloak.util.JsonSerialization) Policy(org.keycloak.authorization.model.Policy) Response(javax.ws.rs.core.Response) NoCache(org.jboss.resteasy.annotations.cache.NoCache) UmaPermissionRepresentation(org.keycloak.representations.idm.authorization.UmaPermissionRepresentation) PUT(javax.ws.rs.PUT) Resource(org.keycloak.authorization.model.Resource) AdminEventBuilder(org.keycloak.services.resources.admin.AdminEventBuilder) Resource(org.keycloak.authorization.model.Resource) ResourceStore(org.keycloak.authorization.store.ResourceStore) ErrorResponseException(org.keycloak.services.ErrorResponseException)

Example 10 with ResourceStore

use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.

From the class AbstractPermissionService, method verifyRequestedScopes (validation of scope names in a permission request).

/**
 * Validates the scope names of a permission request and returns them as a set.
 * <p>
 * With a resource, a name must match one of the resource's own scopes or, for a typed
 * resource, a scope of a resource of the same type owned by the resource server. Without
 * a resource, the name is looked up in this resource server's scope store. Any name that
 * resolves to nothing aborts the request with {@code invalid_scope}.
 *
 * @param request  the permission request whose scopes are checked
 * @param resource the resource the request targets, or {@code null}
 * @return the names of the resolved scopes; empty when the request lists no scopes
 * @throws ErrorResponseException {@code invalid_scope}/400 when a requested scope is unknown
 */
private Set<String> verifyRequestedScopes(PermissionRequest request, Resource resource) {
    Set<String> requested = request.getScopes();
    if (requested == null) {
        return Collections.emptySet();
    }
    ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
    return requested.stream()
            .map(name -> resolveRequestedScope(name, resource, resourceStore).getName())
            .collect(Collectors.toSet());
}

/**
 * Resolves a single requested scope name against the resource (or the scope store when
 * there is none), failing with {@code invalid_scope} if nothing matches.
 */
private Scope resolveRequestedScope(String scopeName, Resource resource, ResourceStore resourceStore) {
    Scope match = null;
    if (resource == null) {
        // No resource: the name is validated against the resource server's scopes.
        match = authorization.getStoreFactory().getScopeStore().findByName(scopeName, resourceServer.getId());
    } else {
        for (Scope candidate : resource.getScopes()) {
            if (candidate.getName().equals(scopeName)) {
                match = candidate;
                break;
            }
        }
        if (match == null && resource.getType() != null) {
            // Typed resources fall back to the scopes of the server-owned resources of that type.
            match = resourceStore.findByType(resource.getType(), resourceServer.getId()).stream()
                    .filter(base -> base.getOwner().equals(resource.getResourceServer()))
                    .flatMap(base -> base.getScopes().stream())
                    .filter(baseScope -> baseScope.getName().equals(scopeName))
                    .findFirst()
                    .orElse(null);
        }
    }
    if (match == null) {
        throw new ErrorResponseException("invalid_scope", "Scope [" + scopeName + "] is invalid", Response.Status.BAD_REQUEST);
    }
    return match;
}
Also used : ResourceServer(org.keycloak.authorization.model.ResourceServer) Scope(org.keycloak.authorization.model.Scope) Permission(org.keycloak.representations.idm.authorization.Permission) Set(java.util.Set) HashMap(java.util.HashMap) ResourceStore(org.keycloak.authorization.store.ResourceStore) Collectors(java.util.stream.Collectors) KeycloakIdentity(org.keycloak.authorization.common.KeycloakIdentity) PermissionRequest(org.keycloak.representations.idm.authorization.PermissionRequest) ArrayList(java.util.ArrayList) List(java.util.List) Response(javax.ws.rs.core.Response) ErrorResponseException(org.keycloak.services.ErrorResponseException) Map(java.util.Map) Urls(org.keycloak.services.Urls) PermissionTicketToken(org.keycloak.representations.idm.authorization.PermissionTicketToken) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) Collections(java.util.Collections) Resource(org.keycloak.authorization.model.Resource) PermissionResponse(org.keycloak.representations.idm.authorization.PermissionResponse) Scope(org.keycloak.authorization.model.Scope) ResourceStore(org.keycloak.authorization.store.ResourceStore) ErrorResponseException(org.keycloak.services.ErrorResponseException)

Aggregations

ResourceStore (org.keycloak.authorization.store.ResourceStore)29 Resource (org.keycloak.authorization.model.Resource)22 StoreFactory (org.keycloak.authorization.store.StoreFactory)12 Scope (org.keycloak.authorization.model.Scope)11 ResourceServer (org.keycloak.authorization.model.ResourceServer)9 ArrayList (java.util.ArrayList)8 EnumMap (java.util.EnumMap)7 List (java.util.List)7 Map (java.util.Map)7 Set (java.util.Set)7 Policy (org.keycloak.authorization.model.Policy)7 UserModel (org.keycloak.models.UserModel)7 ErrorResponseException (org.keycloak.services.ErrorResponseException)7 HashMap (java.util.HashMap)6 LinkedList (java.util.LinkedList)6 Collectors (java.util.stream.Collectors)6 Produces (javax.ws.rs.Produces)6 AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)6 PermissionTicket (org.keycloak.authorization.model.PermissionTicket)6 PolicyStore (org.keycloak.authorization.store.PolicyStore)6