
Example 1 with ScopeStore

use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.

In class PolicyAdapter, method getScopes:

/**
 * Returns the scopes attached to this policy.
 * <p>
 * A pending update (see {@code isUpdated()}) takes precedence over the cached view.
 * Otherwise the scopes are resolved lazily from the cached scope ids, each one is
 * pushed into the cache session, and the result is memoized in {@code scopes} as an
 * unmodifiable set so later calls return it directly.
 *
 * @return the policy's scopes, never re-resolved once memoized
 */
@Override
public Set<Scope> getScopes() {
    if (isUpdated()) {
        return updated.getScopes();
    }
    if (scopes != null) {
        return scopes;
    }
    // The mutable set is assigned to the field before it is filled and replaced by the
    // unmodifiable view only once resolution has finished.
    Set<Scope> resolved = new HashSet<>();
    scopes = resolved;
    ScopeStore store = cacheSession.getScopeStore();
    String serverId = cached.getResourceServerId();
    for (String id : cached.getScopesIds(modelSupplier)) {
        Scope scope = store.findById(id, serverId);
        // NOTE(review): if findById yields null for a stale id, that null is cached and
        // added to the set here — confirm the store's contract.
        cacheSession.cacheScope(scope);
        resolved.add(scope);
    }
    scopes = Collections.unmodifiableSet(resolved);
    return scopes;
}
Also used : Scope(org.keycloak.authorization.model.Scope) ScopeStore(org.keycloak.authorization.store.ScopeStore)

Example 2 with ScopeStore

use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.

In class PermissionTicketAwareDecisionResultCollector, method onComplete:

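/**
 * Finishes the evaluation and, for submit requests, records a permission ticket for each
 * requested resource/scope pair that the requester does not own and that has no ticket yet.
 * <p>
 * Only resources flagged as owner-managed are considered; resources owned by the requester
 * or by the resource server itself never need a ticket. A permission with no scopes falls
 * back to the resource's own scopes, and if there are none a single scope-less ticket is
 * created. Ticket creation is idempotent: an existing matching ticket is never duplicated.
 */
@Override
public void onComplete() {
    super.onComplete();
    if (!request.isSubmitRequest()) {
        return;
    }
    List<Permission> permissions = ticket.getPermissions();
    if (permissions == null) {
        return;
    }
    StoreFactory storeFactory = authorization.getStoreFactory();
    ResourceStore resourceStore = storeFactory.getResourceStore();
    ScopeStore scopeStore = storeFactory.getScopeStore();
    for (Permission permission : permissions) {
        Resource resource = resourceStore.findById(permission.getResourceId(), resourceServer.getId());
        if (resource == null) {
            // The permission may reference the resource by name rather than by id; the name
            // lookup is restricted to resources owned by the requester's identity.
            resource = resourceStore.findByName(permission.getResourceId(), identity.getId(), resourceServer.getId());
        }
        if (!needsTicket(resource)) {
            continue;
        }
        Set<String> scopes = permission.getScopes();
        if (scopes.isEmpty()) {
            scopes = resource.getScopes().stream().map(Scope::getName).collect(Collectors.toSet());
        }
        if (scopes.isEmpty()) {
            createTicketIfAbsent(resource, null);
            continue;
        }
        for (String scopeRef : scopes) {
            // Requested scopes may be given by name or by id; the name is tried first.
            Scope scope = scopeStore.findByName(scopeRef, resourceServer.getId());
            if (scope == null) {
                scope = scopeStore.findById(scopeRef, resourceServer.getId());
            }
            if (scope == null) {
                // Unknown scope on this resource server: nothing can be granted for it, so
                // no ticket is recorded (previously this dereferenced null).
                continue;
            }
            // NOTE(review): the requested scope is not checked against resource.getScopes()
            // here — confirm the approval path enforces that before a ticket is granted.
            createTicketIfAbsent(resource, scope.getId());
        }
    }
}

/**
 * Tells whether a permission ticket must be recorded for {@code resource}: it must exist,
 * be owner-managed, and be owned by neither the requester nor the resource server.
 *
 * @param resource the resolved resource, possibly null
 * @return true when a ticket is required
 */
private boolean needsTicket(Resource resource) {
    if (resource == null || !resource.isOwnerManagedAccess()) {
        return false;
    }
    String owner = resource.getOwner();
    return !owner.equals(identity.getId()) && !owner.equals(resourceServer.getId());
}

/**
 * Creates a ticket for the requester on {@code resource} unless an identical one exists.
 *
 * @param resource the resource the ticket is for
 * @param scopeId the scope id the ticket is for, or null for a scope-less ticket
 */
private void createTicketIfAbsent(Resource resource, String scopeId) {
    Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
    filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
    filters.put(PermissionTicket.FilterOption.REQUESTER, identity.getId());
    if (scopeId == null) {
        filters.put(PermissionTicket.FilterOption.SCOPE_IS_NULL, Boolean.TRUE.toString());
    } else {
        filters.put(PermissionTicket.FilterOption.SCOPE_ID, scopeId);
    }
    List<PermissionTicket> existing = authorization.getStoreFactory().getPermissionTicketStore()
            .find(filters, resource.getResourceServer(), -1, -1);
    if (existing.isEmpty()) {
        // Re-submitting the same request must not pile up duplicate tickets.
        authorization.getStoreFactory().getPermissionTicketStore()
                .create(resource.getId(), scopeId, identity.getId(), resourceServer);
    }
}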
Also used : PermissionTicket(org.keycloak.authorization.model.PermissionTicket) Resource(org.keycloak.authorization.model.Resource) ScopeStore(org.keycloak.authorization.store.ScopeStore) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) Scope(org.keycloak.authorization.model.Scope) Permission(org.keycloak.representations.idm.authorization.Permission) EnumMap(java.util.EnumMap)

Example 3 with ScopeStore

use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.

In class PolicyEvaluationService, method createPermissions:

/**
 * Builds the {@link ResourcePermission}s to evaluate for every resource in the request.
 * <p>
 * For each requested resource the given scope names are resolved through the scope store.
 * A resource referenced by id is evaluated directly; one referenced by type expands to every
 * resource of that type; with neither, the resources matching the requested scopes are used
 * and, if there are none, one scope-only permission per scope is produced.
 *
 * @param representation the evaluation request carrying the resources and scopes
 * @param evaluationContext the evaluation context (not read here)
 * @param authorization provider giving access to the stores
 * @param request the authorization request handed to the permission factory
 * @return the permissions to evaluate, possibly empty
 */
private List<ResourcePermission> createPermissions(PolicyEvaluationRequest representation, EvaluationContext evaluationContext, AuthorizationProvider authorization, AuthorizationRequest request) {
    Function<ResourceRepresentation, Stream<ResourcePermission>> toPermissions = requested -> {
        StoreFactory storeFactory = authorization.getStoreFactory();
        ResourceRepresentation resource = requested == null ? new ResourceRepresentation() : requested;
        Set<ScopeRepresentation> givenScopes = resource.getScopes();
        Set<ScopeRepresentation> requestedScopes = givenScopes == null ? new HashSet<>() : givenScopes;
        ScopeStore scopeStore = storeFactory.getScopeStore();
        // NOTE(review): findByName presumably yields null for an unknown scope name, and that
        // null would then travel along in this set — confirm how the callees treat it.
        Set<Scope> scopes = requestedScopes.stream()
                .map(given -> scopeStore.findByName(given.getName(), resourceServer.getId()))
                .collect(Collectors.toSet());
        if (resource.getId() != null) {
            Resource model = storeFactory.getResourceStore().findById(resource.getId(), resourceServer.getId());
            return Stream.of(Permissions.createResourcePermissions(model, resourceServer, scopes, authorization, request));
        }
        if (resource.getType() != null) {
            return storeFactory.getResourceStore().findByType(resource.getType(), resourceServer.getId()).stream()
                    .map(found -> Permissions.createResourcePermissions(found, resourceServer, scopes, authorization, request));
        }
        if (scopes.isEmpty()) {
            return Stream.empty();
        }
        List<String> scopeIds = scopes.stream().map(Scope::getId).collect(Collectors.toList());
        List<Resource> matching = storeFactory.getResourceStore().findByScope(scopeIds, resourceServer.getId());
        if (matching.isEmpty()) {
            // No resource carries these scopes: evaluate each scope on its own.
            return scopes.stream().map(scope -> new ResourcePermission(null, new ArrayList<>(Collections.singletonList(scope)), resourceServer));
        }
        return matching.stream().map(found -> Permissions.createResourcePermissions(found, resourceServer, scopes, authorization, request));
    };
    return representation.getResources().stream().flatMap(toPermissions).collect(Collectors.toList());
}
Also used : ResourcePermission(org.keycloak.authorization.permission.ResourcePermission) Arrays(java.util.Arrays) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Produces(javax.ws.rs.Produces) Permissions(org.keycloak.authorization.permission.Permissions) OAuthErrorException(org.keycloak.OAuthErrorException) Consumes(javax.ws.rs.Consumes) AuthenticationManager(org.keycloak.services.managers.AuthenticationManager) AccessToken(org.keycloak.representations.AccessToken) DecisionPermissionCollector(org.keycloak.authorization.policy.evaluation.DecisionPermissionCollector) ErrorResponseException(org.keycloak.services.ErrorResponseException) Map(java.util.Map) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) AuthenticationSessionModel(org.keycloak.sessions.AuthenticationSessionModel) RealmModel(org.keycloak.models.RealmModel) PolicyEvaluationResponseBuilder(org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder) Collection(java.util.Collection) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) Set(java.util.Set) Collectors(java.util.stream.Collectors) KeycloakIdentity(org.keycloak.authorization.common.KeycloakIdentity) List(java.util.List) ScopeStore(org.keycloak.authorization.store.ScopeStore) Stream(java.util.stream.Stream) Response(javax.ws.rs.core.Response) DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext) OIDCLoginProtocol(org.keycloak.protocol.oidc.OIDCLoginProtocol) ClientModel(org.keycloak.models.ClientModel) Scope(org.keycloak.authorization.model.Scope) Attributes(org.keycloak.authorization.attribute.Attributes) Permission(org.keycloak.representations.idm.authorization.Permission) Logger(org.jboss.logging.Logger) StoreFactory(org.keycloak.authorization.store.StoreFactory) HashMap(java.util.HashMap) TokenManager(org.keycloak.protocol.oidc.TokenManager) Function(java.util.function.Function) 
ArrayList(java.util.ArrayList) HashSet(java.util.HashSet) PolicyEvaluationRequest(org.keycloak.representations.idm.authorization.PolicyEvaluationRequest) UserModel(org.keycloak.models.UserModel) ClientSessionContext(org.keycloak.models.ClientSessionContext) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) Status(javax.ws.rs.core.Response.Status) ResourceServer(org.keycloak.authorization.model.ResourceServer) POST(javax.ws.rs.POST) AdminPermissionEvaluator(org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator) KeycloakSession(org.keycloak.models.KeycloakSession) UserSessionModel(org.keycloak.models.UserSessionModel) EvaluationContext(org.keycloak.authorization.policy.evaluation.EvaluationContext) Result(org.keycloak.authorization.policy.evaluation.Result) Urls(org.keycloak.services.Urls) Collections(java.util.Collections) Resource(org.keycloak.authorization.model.Resource) Resource(org.keycloak.authorization.model.Resource) ScopeStore(org.keycloak.authorization.store.ScopeStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Function(java.util.function.Function) Scope(org.keycloak.authorization.model.Scope) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) List(java.util.List) ArrayList(java.util.ArrayList) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)

Example 4 with ScopeStore

use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.

In class AuthorizationProvider, method createScopeWrapper:

/**
 * Wraps the factory's {@link ScopeStore} so that deleting a scope first removes every
 * permission ticket still referencing it; every other operation is forwarded unchanged.
 *
 * @param storeFactory factory providing the underlying scope store
 * @return a delegating scope store with ticket cleanup on {@code delete}
 */
private ScopeStore createScopeWrapper(StoreFactory storeFactory) {
    final ScopeStore backing = storeFactory.getScopeStore();
    return new ScopeStore() {

        @Override
        public Scope create(String name, ResourceServer resourceServer) {
            return backing.create(name, resourceServer);
        }

        @Override
        public Scope create(String id, String name, ResourceServer resourceServer) {
            return backing.create(id, name, resourceServer);
        }

        /**
         * Deletes the scope and, before that, every permission ticket that points at it, so
         * no ticket is left granting access through a scope that no longer exists.
         */
        @Override
        public void delete(String id) {
            Scope scope = findById(id, null);
            // NOTE(review): if findById yields null for an unknown id this throws before
            // anything is deleted — confirm that fail-closed outcome is intended.
            PermissionTicketStore ticketStore = AuthorizationProvider.this.getStoreFactory().getPermissionTicketStore();
            List<PermissionTicket> tickets = ticketStore.findByScope(id, scope.getResourceServer().getId());
            for (PermissionTicket ticket : tickets) {
                ticketStore.delete(ticket.getId());
            }
            backing.delete(id);
        }

        @Override
        public Scope findById(String id, String resourceServerId) {
            return backing.findById(id, resourceServerId);
        }

        @Override
        public Scope findByName(String name, String resourceServerId) {
            return backing.findByName(name, resourceServerId);
        }

        @Override
        public List<Scope> findByResourceServer(String id) {
            return backing.findByResourceServer(id);
        }

        @Override
        public List<Scope> findByResourceServer(Map<Scope.FilterOption, String[]> attributes, String resourceServerId, int firstResult, int maxResult) {
            return backing.findByResourceServer(attributes, resourceServerId, firstResult, maxResult);
        }
    };
}
Also used : PermissionTicket(org.keycloak.authorization.model.PermissionTicket) Scope(org.keycloak.authorization.model.Scope) PermissionTicketStore(org.keycloak.authorization.store.PermissionTicketStore) ScopeStore(org.keycloak.authorization.store.ScopeStore) ResourceServer(org.keycloak.authorization.model.ResourceServer) Map(java.util.Map)

Example 5 with ScopeStore

use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.

In class AuthorizationTokenService, method createPermissions:

/**
 * Collects the permissions to evaluate for a permission ticket.
 * <p>
 * Each permission in the ticket is resolved either by resource (when it names one) or by
 * scope only, and previously granted permissions are merged in at the end. When the request
 * metadata carries a limit, resolution stops as soon as the remaining count reaches zero;
 * the counter is shared with the resolve helpers, which presumably decrement it.
 *
 * @param ticket the permission ticket listing the requested permissions
 * @param request the authorization request, source of the optional limit
 * @param resourceServer the resource server the permissions belong to
 * @param authorization provider giving access to the stores
 * @param context evaluation context whose identity must be a {@link KeycloakIdentity}
 * @return the permissions to evaluate, in insertion order
 */
private Collection<ResourcePermission> createPermissions(PermissionTicketToken ticket, KeycloakAuthorizationRequest request, ResourceServer resourceServer, AuthorizationProvider authorization, EvaluationContext context) {
    KeycloakIdentity identity = (KeycloakIdentity) context.getIdentity();
    StoreFactory storeFactory = authorization.getStoreFactory();
    ResourceStore resourceStore = storeFactory.getResourceStore();
    ScopeStore scopeStore = storeFactory.getScopeStore();
    // LinkedHashMap keeps insertion order, so values() comes back in the order added.
    Map<String, ResourcePermission> toEvaluate = new LinkedHashMap<>();
    Metadata metadata = request.getMetadata();
    final AtomicInteger remaining;
    if (metadata != null && metadata.getLimit() != null) {
        remaining = new AtomicInteger(metadata.getLimit());
    } else {
        remaining = null;
    }
    for (Permission permission : ticket.getPermissions()) {
        if (remaining != null && remaining.get() <= 0) {
            break;
        }
        Set<Scope> requestedScopes = resolveRequestedScopes(request, resourceServer, scopeStore, permission);
        String resourceId = permission.getResourceId();
        if (resourceId == null) {
            resolveScopePermissions(request, resourceServer, authorization, toEvaluate, resourceStore, remaining, requestedScopes);
        } else {
            resolveResourcePermission(request, resourceServer, identity, authorization, storeFactory, toEvaluate, resourceStore, remaining, permission, requestedScopes, resourceId);
        }
    }
    resolvePreviousGrantedPermissions(ticket, request, resourceServer, toEvaluate, resourceStore, scopeStore, remaining);
    return toEvaluate.values();
}
Also used : Metadata(org.keycloak.representations.idm.authorization.AuthorizationRequest.Metadata) ScopeStore(org.keycloak.authorization.store.ScopeStore) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) LinkedHashMap(java.util.LinkedHashMap) Scope(org.keycloak.authorization.model.Scope) AtomicInteger(java.util.concurrent.atomic.AtomicInteger) KeycloakIdentity(org.keycloak.authorization.common.KeycloakIdentity) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission) Permission(org.keycloak.representations.idm.authorization.Permission) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)
