
Example 11 with ResourceStore

use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.

The class JPAResourceStore, method findByUri.

@Override
public List<Resource> findByUri(String uri, String resourceServerId) {
    // Named (pre-parsed) JPQL query; both filters are bound as parameters, nothing is
    // concatenated into the query text.
    TypedQuery<String> idQuery = entityManager.createNamedQuery("findResourceIdByUri", String.class);
    idQuery.setFlushMode(FlushModeType.COMMIT);
    idQuery.setParameter("uri", uri);
    idQuery.setParameter("serverId", resourceServerId);
    List<String> resourceIds = idQuery.getResultList();

    List<Resource> resources = new LinkedList<>();
    ResourceStore store = provider.getStoreFactory().getResourceStore();
    // Resolve every id through the store, keeping the resource-server scope on the lookup;
    // ids that no longer resolve to a resource are silently skipped.
    resourceIds.forEach(resourceId -> {
        Resource resolved = store.findById(resourceId, resourceServerId);
        if (resolved != null) {
            resources.add(resolved);
        }
    });
    return resources;
}
Also used : Resource(org.keycloak.authorization.model.Resource) ResourceStore(org.keycloak.authorization.store.ResourceStore) LinkedList(java.util.LinkedList)

Example 12 with ResourceStore

use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.

The class JPAResourceStore, method findByResourceServer.

@Override
public List<Resource> findByResourceServer(String resourceServerId) {
    // Named query with the server id bound as a parameter (no string-built JPQL).
    TypedQuery<String> idQuery = entityManager.createNamedQuery("findResourceIdByServerId", String.class);
    idQuery.setParameter("serverId", resourceServerId);
    List<String> resourceIds = idQuery.getResultList();

    List<Resource> resources = new LinkedList<>();
    ResourceStore store = provider.getStoreFactory().getResourceStore();
    for (String resourceId : resourceIds) {
        // The lookup stays scoped to the same resource server; unresolvable ids are skipped.
        Resource resolved = store.findById(resourceId, resourceServerId);
        if (resolved == null) {
            continue;
        }
        resources.add(resolved);
    }
    return resources;
}
Also used : Resource(org.keycloak.authorization.model.Resource) ResourceStore(org.keycloak.authorization.store.ResourceStore) LinkedList(java.util.LinkedList)

Example 13 with ResourceStore

use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.

The class DecisionPermissionCollector, method grantPermission.

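/**
 * Adds the {@link Permission} entries that represent a granted {@code permission} to {@code permissions}.
 *
 * <p>If the evaluated permission is bound to a resource, a single entry for that resource and the
 * granted scopes is added. Otherwise (scope-only permission) one entry is added for each resource of
 * the resource server that carries any of the granted scopes, plus one entry with no resource that
 * carries the granted scopes alone.
 *
 * @param authorizationProvider provider used to reach the resource store
 * @param permissions           set the resulting entries are added to
 * @param permission            the evaluated permission (resource may be {@code null})
 * @param grantedScopes         scopes that were granted for {@code permission}
 * @param resourceServer        resource server the lookup by scope is restricted to
 * @param request               the originating authorization request, forwarded to {@code createPermission}
 * @param result                evaluation result; not used by this implementation
 */
protected void grantPermission(AuthorizationProvider authorizationProvider, Set<Permission> permissions, ResourcePermission permission, Collection<Scope> grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result) {
    Set<String> scopeNames = grantedScopes.stream().map(Scope::getName).collect(Collectors.toSet());
    Resource resource = permission.getResource();

    if (resource != null) {
        // Resource-bound permission: exactly one entry for that resource.
        permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request));
    } else if (!grantedScopes.isEmpty()) {
        ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore();
        List<String> grantedScopeIds = grantedScopes.stream().map(Scope::getId).collect(Collectors.toList());

        // Each resource of this server that carries a granted scope gets its own entry. The callback
        // must use its own argument here: in this branch `resource` is null, so referring to it would
        // only produce copies of the scope-only entry added below instead of per-resource entries.
        resourceStore.findByScope(grantedScopeIds, resourceServer.getId(),
                matchingResource -> permissions.add(createPermission(matchingResource, scopeNames, permission.getClaims(), request)));

        // Scope-only entry (no resource) for the granted scopes themselves.
        permissions.add(createPermission(null, scopeNames, permission.getClaims(), request));
    }
}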
Also used : ResourceServer(org.keycloak.authorization.model.ResourceServer) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission) Scope(org.keycloak.authorization.model.Scope) Permission(org.keycloak.representations.idm.authorization.Permission) Collection(java.util.Collection) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) Set(java.util.Set) DecisionStrategy(org.keycloak.representations.idm.authorization.DecisionStrategy) ResourceStore(org.keycloak.authorization.store.ResourceStore) Collectors(java.util.stream.Collectors) ArrayList(java.util.ArrayList) HashSet(java.util.HashSet) Policy(org.keycloak.authorization.model.Policy) List(java.util.List) Map(java.util.Map) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) LinkedHashSet(java.util.LinkedHashSet) Resource(org.keycloak.authorization.model.Resource) Resource(org.keycloak.authorization.model.Resource) ResourceStore(org.keycloak.authorization.store.ResourceStore)

Example 14 with ResourceStore

use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.

The class DefaultPolicyEvaluator, method evaluate.

/**
 * Evaluates the policies that apply to {@code permission} and reports the outcome through {@code decision}.
 *
 * <p>Short-circuits to a grant when the resource server's enforcement mode is {@code DISABLED} or when the
 * permission is already marked as granted. Otherwise every policy attached to the permission's resource,
 * to its resource type, and to its scopes is fed to the policy evaluator created by
 * {@code createPolicyEvaluator}. If at least one policy was evaluated ({@code verified}), the decision is
 * completed; if none was and the mode is {@code PERMISSIVE}, the permission is granted; in any other mode
 * nothing is granted and the decision is not completed here (deny by default).
 *
 * @param permission            the permission (resource and/or scopes) being evaluated
 * @param authorizationProvider provider giving access to the policy and resource stores
 * @param executionContext      evaluation context forwarded to the policy evaluator
 * @param decision              callback that receives the outcome
 * @param decisionCache         per-evaluation cache of policy decisions, forwarded to the policy evaluator
 */
@Override
public void evaluate(ResourcePermission permission, AuthorizationProvider authorizationProvider, EvaluationContext executionContext, Decision decision, Map<Policy, Map<Object, Decision.Effect>> decisionCache) {
    StoreFactory storeFactory = authorizationProvider.getStoreFactory();
    PolicyStore policyStore = storeFactory.getPolicyStore();
    ResourceStore resourceStore = storeFactory.getResourceStore();
    ResourceServer resourceServer = permission.getResourceServer();
    PolicyEnforcementMode enforcementMode = resourceServer.getPolicyEnforcementMode();
    // Enforcement switched off for this resource server: every permission is granted without consulting policies.
    if (PolicyEnforcementMode.DISABLED.equals(enforcementMode)) {
        grantAndComplete(permission, authorizationProvider, executionContext, decision);
        return;
    }
    // if marked as granted we just complete the evaluation
    if (permission.isGranted()) {
        grantAndComplete(permission, authorizationProvider, executionContext, decision);
        return;
    }
    // `verified` is handed to the policy evaluator; presumably it is set once at least one policy
    // has actually been evaluated (the evaluator itself is created outside this method) — TODO confirm.
    AtomicBoolean verified = new AtomicBoolean();
    Consumer<Policy> policyConsumer = createPolicyEvaluator(permission, authorizationProvider, executionContext, decision, verified, decisionCache);
    Resource resource = permission.getResource();
    if (resource != null) {
        // Policies bound directly to the requested resource.
        policyStore.findByResource(resource.getId(), resourceServer.getId(), policyConsumer);
        if (resource.getType() != null) {
            // Policies bound to the resource's type.
            policyStore.findByResourceType(resource.getType(), resourceServer.getId(), policyConsumer);
            // For resources not owned by the resource server itself, policies attached to the other
            // resources of the same type are evaluated as well.
            if (!resource.getOwner().equals(resourceServer.getId())) {
                for (Resource typedResource : resourceStore.findByType(resource.getType(), resourceServer.getId())) {
                    policyStore.findByResource(typedResource.getId(), resourceServer.getId(), policyConsumer);
                }
            }
        }
    }
    // Policies bound to the requested scopes (server-wide, no resource filter).
    Collection<Scope> scopes = permission.getScopes();
    if (!scopes.isEmpty()) {
        policyStore.findByScopeIds(scopes.stream().map(Scope::getId).collect(Collectors.toList()), null, resourceServer.getId(), policyConsumer);
    }
    // At least one policy was evaluated: the decision callback already saw the individual effects, just complete.
    if (verified.get()) {
        decision.onComplete(permission);
        return;
    }
    // No policy applied: PERMISSIVE mode grants; any other mode leaves the permission ungranted and uncompleted.
    if (PolicyEnforcementMode.PERMISSIVE.equals(enforcementMode)) {
        grantAndComplete(permission, authorizationProvider, executionContext, decision);
    }
}
Also used : Policy(org.keycloak.authorization.model.Policy) AtomicBoolean(java.util.concurrent.atomic.AtomicBoolean) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) PolicyStore(org.keycloak.authorization.store.PolicyStore) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) ResourceServer(org.keycloak.authorization.model.ResourceServer) PolicyEnforcementMode(org.keycloak.representations.idm.authorization.PolicyEnforcementMode)

Example 15 with ResourceStore

use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.

The class Permissions, method populateTypedScopes.

/**
 * Builds the effective scope set of {@code resource}: the given default scopes, extended with the scopes
 * of every resource of the same type registered with the resource server when the resource has a type
 * and is not owned by the resource server itself.
 *
 * @param resource       resource whose scopes are being collected
 * @param resourceServer resource server the typed lookup is restricted to
 * @param defaultScopes  scopes always included, in order
 * @param authorization  provider used to reach the resource store
 * @return an insertion-ordered set of scopes, never {@code null}
 */
private static Set<Scope> populateTypedScopes(Resource resource, ResourceServer resourceServer, List<Scope> defaultScopes, AuthorizationProvider authorization) {
    Set<Scope> effectiveScopes = new LinkedHashSet<>(defaultScopes);
    String resourceType = resource.getType();

    // Untyped resources, and resources owned by the resource server itself, inherit nothing.
    if (resourceType == null || resource.getOwner().equals(resourceServer.getId())) {
        return effectiveScopes;
    }

    // Typed resources inherit the scopes of the same-typed resources of this resource server
    // (assumed to be the server-owned "parent" resources). The set ignores duplicates, so a
    // plain addAll keeps the first occurrence and its position.
    ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
    resourceStore.findByType(resourceType, resourceServer.getId(),
            typedResource -> effectiveScopes.addAll(typedResource.getScopes()));
    return effectiveScopes;
}
Also used : LinkedHashSet(java.util.LinkedHashSet) Scope(org.keycloak.authorization.model.Scope) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory)
