use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.
the class JPAResourceStore method findByUri.
@Override
public List<Resource> findByUri(String uri, String resourceServerId) {
TypedQuery<String> query = entityManager.createNamedQuery("findResourceIdByUri", String.class);
query.setFlushMode(FlushModeType.COMMIT);
query.setParameter("uri", uri);
query.setParameter("serverId", resourceServerId);
List<String> result = query.getResultList();
List<Resource> list = new LinkedList<>();
ResourceStore resourceStore = provider.getStoreFactory().getResourceStore();
for (String id : result) {
Resource resource = resourceStore.findById(id, resourceServerId);
if (resource != null) {
list.add(resource);
}
}
return list;
}
use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.
the class JPAResourceStore method findByResourceServer.
@Override
public List<Resource> findByResourceServer(String resourceServerId) {
TypedQuery<String> query = entityManager.createNamedQuery("findResourceIdByServerId", String.class);
query.setParameter("serverId", resourceServerId);
List<String> result = query.getResultList();
List<Resource> list = new LinkedList<>();
ResourceStore resourceStore = provider.getStoreFactory().getResourceStore();
for (String id : result) {
Resource resource = resourceStore.findById(id, resourceServerId);
if (resource != null) {
list.add(resource);
}
}
return list;
}
use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.
the class DecisionPermissionCollector method grantPermission.
protected void grantPermission(AuthorizationProvider authorizationProvider, Set<Permission> permissions, ResourcePermission permission, Collection<Scope> grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result) {
Set<String> scopeNames = grantedScopes.stream().map(Scope::getName).collect(Collectors.toSet());
Resource resource = permission.getResource();
if (resource != null) {
permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request));
} else if (!grantedScopes.isEmpty()) {
ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore();
resourceStore.findByScope(grantedScopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId(), resource1 -> permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request)));
permissions.add(createPermission(null, scopeNames, permission.getClaims(), request));
}
}
use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.
the class DefaultPolicyEvaluator method evaluate.
@Override
public void evaluate(ResourcePermission permission, AuthorizationProvider authorizationProvider, EvaluationContext executionContext, Decision decision, Map<Policy, Map<Object, Decision.Effect>> decisionCache) {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
ResourceStore resourceStore = storeFactory.getResourceStore();
ResourceServer resourceServer = permission.getResourceServer();
PolicyEnforcementMode enforcementMode = resourceServer.getPolicyEnforcementMode();
if (PolicyEnforcementMode.DISABLED.equals(enforcementMode)) {
grantAndComplete(permission, authorizationProvider, executionContext, decision);
return;
}
// if marked as granted we just complete the evaluation
if (permission.isGranted()) {
grantAndComplete(permission, authorizationProvider, executionContext, decision);
return;
}
AtomicBoolean verified = new AtomicBoolean();
Consumer<Policy> policyConsumer = createPolicyEvaluator(permission, authorizationProvider, executionContext, decision, verified, decisionCache);
Resource resource = permission.getResource();
if (resource != null) {
policyStore.findByResource(resource.getId(), resourceServer.getId(), policyConsumer);
if (resource.getType() != null) {
policyStore.findByResourceType(resource.getType(), resourceServer.getId(), policyConsumer);
if (!resource.getOwner().equals(resourceServer.getId())) {
for (Resource typedResource : resourceStore.findByType(resource.getType(), resourceServer.getId())) {
policyStore.findByResource(typedResource.getId(), resourceServer.getId(), policyConsumer);
}
}
}
}
Collection<Scope> scopes = permission.getScopes();
if (!scopes.isEmpty()) {
policyStore.findByScopeIds(scopes.stream().map(Scope::getId).collect(Collectors.toList()), null, resourceServer.getId(), policyConsumer);
}
if (verified.get()) {
decision.onComplete(permission);
return;
}
if (PolicyEnforcementMode.PERMISSIVE.equals(enforcementMode)) {
grantAndComplete(permission, authorizationProvider, executionContext, decision);
}
}
use of org.keycloak.authorization.store.ResourceStore in project keycloak by keycloak.
the class Permissions method populateTypedScopes.
private static Set<Scope> populateTypedScopes(Resource resource, ResourceServer resourceServer, List<Scope> defaultScopes, AuthorizationProvider authorization) {
String type = resource.getType();
if (type == null || resource.getOwner().equals(resourceServer.getId())) {
return new LinkedHashSet<>(defaultScopes);
}
Set<Scope> scopes = new LinkedHashSet<>(defaultScopes);
// check if there is a typed resource whose scopes are inherited by the resource being requested. In this case, we assume that parent resource
// is owned by the resource server itself
StoreFactory storeFactory = authorization.getStoreFactory();
ResourceStore resourceStore = storeFactory.getResourceStore();
resourceStore.findByType(type, resourceServer.getId(), resource1 -> {
for (Scope typeScope : resource1.getScopes()) {
if (!scopes.contains(typeScope)) {
scopes.add(typeScope);
}
}
});
return scopes;
}
Aggregations