use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.
the class PolicyAdapter method getScopes.
@Override
public Set<Scope> getScopes() {
if (isUpdated())
return updated.getScopes();
if (scopes != null)
return scopes;
scopes = new HashSet<>();
ScopeStore scopeStore = cacheSession.getScopeStore();
String resourceServerId = cached.getResourceServerId();
for (String scopeId : cached.getScopesIds(modelSupplier)) {
Scope scope = scopeStore.findById(scopeId, resourceServerId);
cacheSession.cacheScope(scope);
scopes.add(scope);
}
return scopes = Collections.unmodifiableSet(scopes);
}
use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.
the class PermissionTicketAwareDecisionResultCollector method onComplete.
@Override
public void onComplete() {
super.onComplete();
if (request.isSubmitRequest()) {
StoreFactory storeFactory = authorization.getStoreFactory();
ResourceStore resourceStore = storeFactory.getResourceStore();
List<Permission> permissions = ticket.getPermissions();
if (permissions != null) {
for (Permission permission : permissions) {
Resource resource = resourceStore.findById(permission.getResourceId(), resourceServer.getId());
if (resource == null) {
resource = resourceStore.findByName(permission.getResourceId(), identity.getId(), resourceServer.getId());
}
if (resource == null || !resource.isOwnerManagedAccess() || resource.getOwner().equals(identity.getId()) || resource.getOwner().equals(resourceServer.getId())) {
continue;
}
Set<String> scopes = permission.getScopes();
if (scopes.isEmpty()) {
scopes = resource.getScopes().stream().map(Scope::getName).collect(Collectors.toSet());
}
if (scopes.isEmpty()) {
Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
filters.put(PermissionTicket.FilterOption.REQUESTER, identity.getId());
filters.put(PermissionTicket.FilterOption.SCOPE_IS_NULL, Boolean.TRUE.toString());
List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, resource.getResourceServer(), -1, -1);
if (tickets.isEmpty()) {
authorization.getStoreFactory().getPermissionTicketStore().create(resource.getId(), null, identity.getId(), resourceServer);
}
} else {
ScopeStore scopeStore = authorization.getStoreFactory().getScopeStore();
for (String scopeId : scopes) {
Scope scope = scopeStore.findByName(scopeId, resourceServer.getId());
if (scope == null) {
scope = scopeStore.findById(scopeId, resourceServer.getId());
}
Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
filters.put(PermissionTicket.FilterOption.REQUESTER, identity.getId());
filters.put(PermissionTicket.FilterOption.SCOPE_ID, scope.getId());
List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, resource.getResourceServer(), -1, -1);
if (tickets.isEmpty()) {
authorization.getStoreFactory().getPermissionTicketStore().create(resource.getId(), scope.getId(), identity.getId(), resourceServer);
}
}
}
}
}
}
}
use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.
the class PolicyEvaluationService method createPermissions.
private List<ResourcePermission> createPermissions(PolicyEvaluationRequest representation, EvaluationContext evaluationContext, AuthorizationProvider authorization, AuthorizationRequest request) {
return representation.getResources().stream().flatMap((Function<ResourceRepresentation, Stream<ResourcePermission>>) resource -> {
StoreFactory storeFactory = authorization.getStoreFactory();
if (resource == null) {
resource = new ResourceRepresentation();
}
Set<ScopeRepresentation> givenScopes = resource.getScopes();
if (givenScopes == null) {
givenScopes = new HashSet<>();
}
ScopeStore scopeStore = storeFactory.getScopeStore();
Set<Scope> scopes = givenScopes.stream().map(scopeRepresentation -> scopeStore.findByName(scopeRepresentation.getName(), resourceServer.getId())).collect(Collectors.toSet());
if (resource.getId() != null) {
Resource resourceModel = storeFactory.getResourceStore().findById(resource.getId(), resourceServer.getId());
return new ArrayList<>(Arrays.asList(Permissions.createResourcePermissions(resourceModel, resourceServer, scopes, authorization, request))).stream();
} else if (resource.getType() != null) {
return storeFactory.getResourceStore().findByType(resource.getType(), resourceServer.getId()).stream().map(resource1 -> Permissions.createResourcePermissions(resource1, resourceServer, scopes, authorization, request));
} else {
if (scopes.isEmpty()) {
return Stream.empty();
}
List<Resource> resources = storeFactory.getResourceStore().findByScope(scopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId());
if (resources.isEmpty()) {
return scopes.stream().map(scope -> new ResourcePermission(null, new ArrayList<>(Arrays.asList(scope)), resourceServer));
}
return resources.stream().map(resource12 -> Permissions.createResourcePermissions(resource12, resourceServer, scopes, authorization, request));
}
}).collect(Collectors.toList());
}
use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.
the class AuthorizationProvider method createScopeWrapper.
private ScopeStore createScopeWrapper(StoreFactory storeFactory) {
return new ScopeStore() {
ScopeStore delegate = storeFactory.getScopeStore();
@Override
public Scope create(String name, ResourceServer resourceServer) {
return delegate.create(name, resourceServer);
}
@Override
public Scope create(String id, String name, ResourceServer resourceServer) {
return delegate.create(id, name, resourceServer);
}
@Override
public void delete(String id) {
Scope scope = findById(id, null);
PermissionTicketStore ticketStore = AuthorizationProvider.this.getStoreFactory().getPermissionTicketStore();
List<PermissionTicket> permissions = ticketStore.findByScope(id, scope.getResourceServer().getId());
for (PermissionTicket permission : permissions) {
ticketStore.delete(permission.getId());
}
delegate.delete(id);
}
@Override
public Scope findById(String id, String resourceServerId) {
return delegate.findById(id, resourceServerId);
}
@Override
public Scope findByName(String name, String resourceServerId) {
return delegate.findByName(name, resourceServerId);
}
@Override
public List<Scope> findByResourceServer(String id) {
return delegate.findByResourceServer(id);
}
@Override
public List<Scope> findByResourceServer(Map<Scope.FilterOption, String[]> attributes, String resourceServerId, int firstResult, int maxResult) {
return delegate.findByResourceServer(attributes, resourceServerId, firstResult, maxResult);
}
};
}
use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.
the class AuthorizationTokenService method createPermissions.
private Collection<ResourcePermission> createPermissions(PermissionTicketToken ticket, KeycloakAuthorizationRequest request, ResourceServer resourceServer, AuthorizationProvider authorization, EvaluationContext context) {
KeycloakIdentity identity = (KeycloakIdentity) context.getIdentity();
StoreFactory storeFactory = authorization.getStoreFactory();
Map<String, ResourcePermission> permissionsToEvaluate = new LinkedHashMap<>();
ResourceStore resourceStore = storeFactory.getResourceStore();
ScopeStore scopeStore = storeFactory.getScopeStore();
Metadata metadata = request.getMetadata();
final AtomicInteger limit = metadata != null && metadata.getLimit() != null ? new AtomicInteger(metadata.getLimit()) : null;
for (Permission permission : ticket.getPermissions()) {
if (limit != null && limit.get() <= 0) {
break;
}
Set<Scope> requestedScopesModel = resolveRequestedScopes(request, resourceServer, scopeStore, permission);
String resourceId = permission.getResourceId();
if (resourceId != null) {
resolveResourcePermission(request, resourceServer, identity, authorization, storeFactory, permissionsToEvaluate, resourceStore, limit, permission, requestedScopesModel, resourceId);
} else {
resolveScopePermissions(request, resourceServer, authorization, permissionsToEvaluate, resourceStore, limit, requestedScopesModel);
}
}
resolvePreviousGrantedPermissions(ticket, request, resourceServer, permissionsToEvaluate, resourceStore, scopeStore, limit);
return permissionsToEvaluate.values();
}
Aggregations