Use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak: class UserSynchronizer, method removeUserResources.
/**
 * Purges every authorization resource owned by the user that is being removed, and tidies up
 * the policies that referenced those resources.
 * <p>
 * A policy that references other resources besides the deleted one simply drops it; a policy
 * whose sole resource is the deleted one is deleted as well, since nothing would be left for
 * it to protect.
 *
 * @param event                 the user-removed event carrying the user whose resources are purged
 * @param authorizationProvider provider giving access to the policy and resource stores
 */
private void removeUserResources(UserRemovedEvent event, AuthorizationProvider authorizationProvider) {
    StoreFactory stores = authorizationProvider.getStoreFactory();
    PolicyStore policies = stores.getPolicyStore();
    ResourceStore resources = stores.getResourceStore();
    String ownerId = event.getUser().getId();

    resources.findByOwner(ownerId, null, owned -> {
        String ownedId = owned.getId();
        policies.findByResource(ownedId, owned.getResourceServer()).forEach(policy -> {
            boolean referencesOtherResources = policy.getResources().size() != 1;
            if (referencesOtherResources) {
                policy.removeResource(owned);
            } else {
                // This resource is the only one the policy protects; remove the policy itself.
                policies.delete(policy.getId());
            }
        });
        resources.delete(ownedId);
    });
}
Use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak: class ResourceSetService, method getScopes.
/**
 * Lists the scopes of the resource identified by {@code id} as JSON.
 * <p>
 * If the resource declares a type and is not owned by the resource server itself, the scopes
 * of the server-owned resources sharing that type are appended as well; entries already
 * present (by {@link ScopeRepresentation} equality) are skipped.
 *
 * @param id the resource identifier taken from the request path
 * @return 200 with the scope representations, or 404 when the resource does not exist for
 *         this resource server
 */
@Path("{id}/scopes")
@GET
@NoCache
@Produces("application/json")
public Response getScopes(@PathParam("id") String id) {
    requireView();
    StoreFactory storeFactory = authorization.getStoreFactory();
    ResourceStore resourceStore = storeFactory.getResourceStore();
    String serverId = resourceServer.getId();

    Resource model = resourceStore.findById(id, serverId);
    if (model == null) {
        return Response.status(Status.NOT_FOUND).build();
    }

    // NOTE(review): the resource's own scopes are returned without iconUri, while inherited
    // typed scopes below carry it — confirm this asymmetry is intended.
    List<ScopeRepresentation> scopes = model.getScopes().stream()
            .map(ownScope -> {
                ScopeRepresentation rep = new ScopeRepresentation();
                rep.setId(ownScope.getId());
                rep.setName(ownScope.getName());
                return rep;
            })
            .collect(Collectors.toList());

    boolean inheritsFromType = model.getType() != null && !model.getOwner().equals(serverId);
    if (inheritsFromType) {
        for (Resource typed : resourceStore.findByType(model.getType(), serverId)) {
            boolean serverOwned = typed.getOwner().equals(serverId);
            boolean isSelf = typed.getId().equals(model.getId());
            if (!serverOwned || isSelf) {
                continue;
            }
            List<ScopeRepresentation> inherited = typed.getScopes().stream()
                    .map(typedScope -> {
                        ScopeRepresentation rep = new ScopeRepresentation();
                        rep.setId(typedScope.getId());
                        rep.setName(typedScope.getName());
                        String iconUri = typedScope.getIconUri();
                        if (iconUri != null) {
                            rep.setIconUri(iconUri);
                        }
                        return rep;
                    })
                    .filter(rep -> !scopes.contains(rep))
                    .collect(Collectors.toList());
            scopes.addAll(inherited);
        }
    }
    return Response.ok(scopes).build();
}
Use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak: class ResourceSetService, method update.
/**
 * Replaces the state of the resource identified by {@code id} with the supplied representation.
 * <p>
 * The identifier from the request path is written into the representation before anything
 * else, so an {@code id} carried in the request body can never redirect the update to a
 * resource other than the one addressed by the URL.
 *
 * @param id       the resource identifier taken from the request path
 * @param resource the representation holding the new resource state
 * @return 204 on success, or 404 when no such resource exists for this resource server
 */
@Path("{id}")
@PUT
@Consumes("application/json")
@Produces("application/json")
public Response update(@PathParam("id") String id, ResourceRepresentation resource) {
    requireManage();
    resource.setId(id);

    ResourceStore resourceStore = this.authorization.getStoreFactory().getResourceStore();
    Resource existing = resourceStore.findById(resource.getId(), resourceServer.getId());
    if (existing == null) {
        return Response.status(Status.NOT_FOUND).build();
    }

    toModel(resource, resourceServer, authorization);
    audit(resource, OperationType.UPDATE);
    return Response.noContent().build();
}
Use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak: class UserManagedPermissionService, method checkRequest.
/**
 * Validates that the current identity may manage UMA permissions for {@code resourceId} and,
 * when a representation is given, that its scopes are a subset of the resource's scopes.
 * <p>
 * An absent or empty scope set in the representation is replaced by the full set of the
 * resource's scope names (the representation is mutated).
 *
 * @param resourceId     identifier of the resource the permission targets
 * @param representation the requested permission, or {@code null} to validate only the resource
 * @throws ErrorResponseException 400 {@code invalid_request} when the resource is unknown, is not
 *         owned by the caller, does not allow owner-managed access, names scopes the resource does
 *         not have, or carries a condition while script upload is disabled; 403
 *         {@code request_not_supported} when the resource server disallows remote resource management
 */
private void checkRequest(String resourceId, UmaPermissionRepresentation representation) {
    Resource resource = this.authorization.getStoreFactory().getResourceStore()
            .findById(resourceId, resourceServer.getId());
    if (resource == null) {
        throw invalidRequest("Resource [" + resourceId + "] cannot be found");
    }
    // Only the resource owner may manage its user-managed permissions.
    if (!resource.getOwner().equals(identity.getId())) {
        throw invalidRequest("Only resource owner can access policies for resource [" + resourceId + "]");
    }
    if (!resource.isOwnerManagedAccess()) {
        throw invalidRequest("Only resources with owner managed accessed can have policies");
    }
    if (!resourceServer.isAllowRemoteResourceManagement()) {
        throw new ErrorResponseException(OAuthErrorException.REQUEST_NOT_SUPPORTED,
                "Remote Resource Management not enabled on resource server [" + resourceServer.getId() + "]",
                Status.FORBIDDEN);
    }
    if (representation == null) {
        return;
    }

    Set<String> resourceScopes = resource.getScopes().stream()
            .map(scope -> scope.getName())
            .collect(Collectors.toSet());
    Set<String> requested = representation.getScopes();
    if (requested == null || requested.isEmpty()) {
        // No explicit scopes: default to every scope the resource has.
        requested = resourceScopes;
        representation.setScopes(requested);
    }
    if (!resourceScopes.containsAll(requested)) {
        throw invalidRequest("Some of the scopes [" + requested + "] are not valid for resource [" + resourceId + "]");
    }
    if (representation.getCondition() != null && !Profile.isFeatureEnabled(Profile.Feature.UPLOAD_SCRIPTS)) {
        throw invalidRequest("Script upload not supported");
    }
}

/**
 * Builds the 400 {@code invalid_request} error used for every validation failure in
 * {@link #checkRequest(String, UmaPermissionRepresentation)}.
 *
 * @param message human-readable description of the failed check
 * @return the exception to throw
 */
private static ErrorResponseException invalidRequest(String message) {
    return new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, message, Status.BAD_REQUEST);
}
Use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak: class AbstractPermissionService, method verifyRequestedScopes.
/**
 * Resolves every scope name in the permission request to an existing scope and returns the
 * verified names.
 * <p>
 * With a resource, a name must match one of the resource's own scopes or, failing that, a
 * scope of a same-typed resource owned by the resource's resource server. Without a resource
 * the name is looked up in the resource server's scope store.
 *
 * @param request  the permission request; a {@code null} scope set yields an empty result
 * @param resource the targeted resource, or {@code null} for a resource-less request
 * @return the names of the scopes that resolved successfully
 * @throws ErrorResponseException 400 {@code invalid_scope} for the first name that cannot be resolved
 */
private Set<String> verifyRequestedScopes(PermissionRequest request, Resource resource) {
    Set<String> requestScopes = request.getScopes();
    if (requestScopes == null) {
        return Collections.emptySet();
    }
    ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
    String serverId = resourceServer.getId();
    return requestScopes.stream()
            .map(scopeName -> resolveScope(scopeName, resource, resourceStore, serverId))
            .map(Scope::getName)
            .collect(Collectors.toSet());
}

/**
 * Finds the scope named {@code scopeName} for the given resource (or in the scope store when
 * {@code resource} is {@code null}).
 *
 * @param scopeName     requested scope name
 * @param resource      targeted resource, may be {@code null}
 * @param resourceStore store used for the typed-resource fallback
 * @param serverId      identifier of the current resource server
 * @return the resolved scope, never {@code null}
 * @throws ErrorResponseException 400 {@code invalid_scope} when nothing matches
 */
private Scope resolveScope(String scopeName, Resource resource, ResourceStore resourceStore, String serverId) {
    Scope match;
    if (resource == null) {
        match = authorization.getStoreFactory().getScopeStore().findByName(scopeName, serverId);
    } else {
        match = resource.getScopes().stream()
                .filter(own -> own.getName().equals(scopeName))
                .findFirst()
                .orElse(null);
        if (match == null && resource.getType() != null) {
            // Fall back to the scopes of same-typed resources owned by the resource server.
            match = resourceStore.findByType(resource.getType(), serverId).stream()
                    .filter(typed -> typed.getOwner().equals(resource.getResourceServer()))
                    .flatMap(typed -> typed.getScopes().stream())
                    .filter(typedScope -> typedScope.getName().equals(scopeName))
                    .findFirst()
                    .orElse(null);
        }
    }
    if (match == null) {
        throw new ErrorResponseException("invalid_scope", "Scope [" + scopeName + "] is invalid", Response.Status.BAD_REQUEST);
    }
    return match;
}