
Example 6 with ScopeStore

use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.

The class PermissionTicketService, method create.

@POST
@Consumes("application/json")
@Produces("application/json")
/**
 * Creates a permission ticket for one (resource, scope, requester) triple on
 * behalf of the resource owner.
 *
 * <p>The caller must be the owner of the referenced resource; the requester may
 * be given by user id or by username, the scope by id or by name. Every failed
 * validation is reported as an {@link ErrorResponseException} carrying an
 * OAuth-style error code, so no partial ticket is ever persisted.
 *
 * @param representation the ticket to create; must not carry an id
 * @return 200 with the representation of the newly created ticket
 * @throws ErrorResponseException 400 on a malformed or duplicate request,
 *         403 when the caller does not own the resource
 */
public Response create(PermissionTicketRepresentation representation) {
    PermissionTicketStore tickets = authorization.getStoreFactory().getPermissionTicketStore();

    // --- shape of the incoming representation --------------------------------
    if (representation == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_permission", Response.Status.BAD_REQUEST);
    }
    if (representation.getId() != null) {
        throw new ErrorResponseException("invalid_permission", "created permissions should not have id", Response.Status.BAD_REQUEST);
    }
    if (representation.getResource() == null) {
        throw new ErrorResponseException("invalid_permission", "created permissions should have resource", Response.Status.BAD_REQUEST);
    }
    boolean hasScopeReference = representation.getScope() != null || representation.getScopeName() != null;
    if (!hasScopeReference) {
        throw new ErrorResponseException("invalid_permission", "created permissions should have scope or scopeName", Response.Status.BAD_REQUEST);
    }
    boolean hasRequesterReference = representation.getRequester() != null || representation.getRequesterName() != null;
    if (!hasRequesterReference) {
        throw new ErrorResponseException("invalid_permission", "created permissions should have requester or requesterName", Response.Status.BAD_REQUEST);
    }

    // --- the resource must exist on this server and belong to the caller -----
    ResourceStore resources = this.authorization.getStoreFactory().getResourceStore();
    Resource resource = resources.findById(representation.getResource(), resourceServer.getId());
    if (resource == null) {
        throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not exists in this server.", Response.Status.BAD_REQUEST);
    }
    // Ownership check: only the resource owner may hand out tickets for it.
    if (!resource.getOwner().equals(this.identity.getId())) {
        throw new ErrorResponseException("not_authorised", "permissions for [" + representation.getResource() + "] can be only created by the owner", Response.Status.FORBIDDEN);
    }

    // --- the requester must resolve to a known user (id first, else username)
    UserModel requester = representation.getRequester() != null
            ? this.authorization.getKeycloakSession().userStorageManager().getUserById(this.authorization.getRealm(), representation.getRequester())
            : this.authorization.getKeycloakSession().userStorageManager().getUserByUsername(this.authorization.getRealm(), representation.getRequesterName());
    if (requester == null) {
        throw new ErrorResponseException("invalid_permission", "Requester does not exists in this server as user.", Response.Status.BAD_REQUEST);
    }

    // --- the scope must exist (name wins over id) and be attached to the resource
    ScopeStore scopes = this.authorization.getStoreFactory().getScopeStore();
    Scope scope = representation.getScopeName() != null
            ? scopes.findByName(representation.getScopeName(), resourceServer.getId())
            : scopes.findById(representation.getScope(), resourceServer.getId());
    if (scope == null) {
        if (representation.getScope() != null) {
            throw new ErrorResponseException("invalid_scope", "Scope [" + representation.getScope() + "] is invalid", Response.Status.BAD_REQUEST);
        }
        if (representation.getScopeName() != null) {
            throw new ErrorResponseException("invalid_scope", "Scope [" + representation.getScopeName() + "] is invalid", Response.Status.BAD_REQUEST);
        }
    }
    boolean resourceHasScope = resource.getScopes().contains(scope);
    if (!resourceHasScope) {
        throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not have Scope [" + scope.getName() + "]", Response.Status.BAD_REQUEST);
    }

    // --- refuse to create a second ticket for the same triple ----------------
    Map<PermissionTicket.FilterOption, String> duplicateLookup = new EnumMap<>(PermissionTicket.FilterOption.class);
    duplicateLookup.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
    duplicateLookup.put(PermissionTicket.FilterOption.SCOPE_ID, scope.getId());
    duplicateLookup.put(PermissionTicket.FilterOption.REQUESTER, requester.getId());
    if (!tickets.find(duplicateLookup, resourceServer.getId(), -1, -1).isEmpty()) {
        throw new ErrorResponseException("invalid_permission", "Permission already exists", Response.Status.BAD_REQUEST);
    }

    PermissionTicket ticket = tickets.create(resource.getId(), scope.getId(), requester.getId(), resourceServer);
    if (representation.isGranted()) {
        // A pre-granted ticket records the grant time immediately.
        ticket.setGrantedTimestamp(System.currentTimeMillis());
    }
    PermissionTicketRepresentation created = ModelToRepresentation.toRepresentation(ticket, authorization);
    return Response.ok(created).build();
}

Example 7 with ScopeStore

use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.

The class PermissionTicketService, method getFilters.

/**
 * Builds the permission-ticket filter map from optional query values.
 *
 * <p>A {@code null} argument contributes no filter entry. The scope value may be
 * either a scope id or a scope name; it is resolved to the stored id when
 * possible and otherwise passed through unchanged. Owner and requester are
 * resolved to user ids via {@code getUserId}.
 *
 * @param storeFactory store factory used to resolve the scope
 * @param resourceId   resource id filter, or {@code null}
 * @param scopeId      scope id or name filter, or {@code null}
 * @param owner        owner filter, or {@code null}
 * @param requester    requester filter, or {@code null}
 * @param granted      granted-state filter, or {@code null}
 * @return the filter map, possibly empty
 */
private Map<PermissionTicket.FilterOption, String> getFilters(StoreFactory storeFactory, String resourceId, String scopeId, String owner, String requester, Boolean granted) {
    Map<PermissionTicket.FilterOption, String> criteria = new EnumMap<>(PermissionTicket.FilterOption.class);
    if (resourceId != null) {
        criteria.put(PermissionTicket.FilterOption.RESOURCE_ID, resourceId);
    }
    if (scopeId != null) {
        // Try the value as an id first, then as a name; fall back to the raw value.
        ScopeStore store = storeFactory.getScopeStore();
        Scope byId = store.findById(scopeId, resourceServer.getId());
        Scope resolved = byId != null ? byId : store.findByName(scopeId, resourceServer.getId());
        String scopeFilter = resolved == null ? scopeId : resolved.getId();
        criteria.put(PermissionTicket.FilterOption.SCOPE_ID, scopeFilter);
    }
    if (owner != null) {
        criteria.put(PermissionTicket.FilterOption.OWNER, getUserId(owner));
    }
    if (requester != null) {
        criteria.put(PermissionTicket.FilterOption.REQUESTER, getUserId(requester));
    }
    if (granted != null) {
        criteria.put(PermissionTicket.FilterOption.GRANTED, granted.toString());
    }
    return criteria;
}

Example 8 with ScopeStore

use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.

The class PolicyService, method findAll.

@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
/**
 * Lists the policies of this resource server matching the given query parameters.
 *
 * <p>Blank parameters are ignored. {@code resource} and {@code scope} may be
 * given as an id or as a name; a name that matches nothing yields
 * {@code 204 No Content} instead of an empty list.
 *
 * <p>NOTE(review): the view-authorization check is only performed when
 * {@code auth} is non-null; confirm that every code path that constructs this
 * service without an {@code auth} is protected by other means.
 *
 * @return 200 with the search result, or 204 when a named resource/scope is unknown
 */
public Response findAll(@QueryParam("policyId") String id, @QueryParam("name") String name, @QueryParam("type") String type, @QueryParam("resource") String resource, @QueryParam("scope") String scope, @QueryParam("permission") Boolean permission, @QueryParam("owner") String owner, @QueryParam("fields") String fields, @QueryParam("first") Integer firstResult, @QueryParam("max") Integer maxResult) {
    if (auth != null) {
        this.auth.realm().requireViewAuthorization();
    }

    Map<Policy.FilterOption, String[]> criteria = new EnumMap<>(Policy.FilterOption.class);
    if (id != null && !id.trim().isEmpty()) {
        criteria.put(Policy.FilterOption.ID, new String[] { id });
    }
    if (name != null && !name.trim().isEmpty()) {
        criteria.put(Policy.FilterOption.NAME, new String[] { name });
    }
    if (type != null && !type.trim().isEmpty()) {
        criteria.put(Policy.FilterOption.TYPE, new String[] { type });
    }
    if (owner != null && !owner.trim().isEmpty()) {
        criteria.put(Policy.FilterOption.OWNER, new String[] { owner });
    }

    StoreFactory stores = authorization.getStoreFactory();

    if (resource != null && !resource.trim().isEmpty()) {
        ResourceStore resourceStore = stores.getResourceStore();
        Resource byId = resourceStore.findById(resource, resourceServer.getId());
        if (byId != null) {
            criteria.put(Policy.FilterOption.RESOURCE_ID, new String[] { byId.getId() });
        } else {
            // Not an id: treat the value as a resource name (scoped to the owner when given).
            Map<Resource.FilterOption, String[]> byName = new EnumMap<>(Resource.FilterOption.class);
            byName.put(Resource.FilterOption.NAME, new String[] { resource });
            if (owner != null) {
                byName.put(Resource.FilterOption.OWNER, new String[] { owner });
            }
            String[] matchingResourceIds = resourceStore.findByResourceServer(byName, resourceServer.getId(), -1, 1)
                    .stream()
                    .map(Resource::getId)
                    .collect(Collectors.toSet())
                    .toArray(new String[0]);
            if (matchingResourceIds.length == 0) {
                return Response.noContent().build();
            }
            criteria.put(Policy.FilterOption.RESOURCE_ID, matchingResourceIds);
        }
    }

    if (scope != null && !scope.trim().isEmpty()) {
        ScopeStore scopeStore = stores.getScopeStore();
        Scope byId = scopeStore.findById(scope, resourceServer.getId());
        if (byId != null) {
            criteria.put(Policy.FilterOption.SCOPE_ID, new String[] { byId.getId() });
        } else {
            // Not an id: treat the value as a scope name.
            Map<Scope.FilterOption, String[]> byName = new EnumMap<>(Scope.FilterOption.class);
            byName.put(Scope.FilterOption.NAME, new String[] { scope });
            String[] matchingScopeIds = scopeStore.findByResourceServer(byName, resourceServer.getId(), -1, 1)
                    .stream()
                    .map(Scope::getId)
                    .collect(Collectors.toSet())
                    .toArray(new String[0]);
            if (matchingScopeIds.length == 0) {
                return Response.noContent().build();
            }
            criteria.put(Policy.FilterOption.SCOPE_ID, matchingScopeIds);
        }
    }

    if (permission != null) {
        criteria.put(Policy.FilterOption.PERMISSION, new String[] { permission.toString() });
    }

    return Response.ok(doSearch(firstResult, maxResult, fields, criteria)).build();
}

Example 9 with ScopeStore

use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.

The class MapResourceServerStore, method delete.

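@Override
/**
 * Deletes the resource server backing the given client together with everything
 * that references it: policies, permission tickets, resources and scopes are
 * removed in that order before the server record itself is dropped. A client
 * without an id has no resource server and is ignored.
 *
 * @param client the client whose resource server is to be deleted
 */
public void delete(ClientModel client) {
    String id = client.getId();
    // The format previously declared three %s placeholders ("delete(%s, %s)%s")
    // but only two arguments were supplied, so the trace line could not be
    // rendered as intended; it now has one placeholder per argument.
    LOG.tracef("delete(%s)%s", id, getShortStackTrace());
    if (id == null) {
        return;
    }
    // TODO: Simplify the following, ideally by leveraging triggers, stored procedures or ref integrity
    PolicyStore policyStore = authorizationProvider.getStoreFactory().getPolicyStore();
    policyStore.findByResourceServer(id).stream().map(Policy::getId).forEach(policyStore::delete);
    PermissionTicketStore permissionTicketStore = authorizationProvider.getStoreFactory().getPermissionTicketStore();
    permissionTicketStore.findByResourceServer(id).stream().map(PermissionTicket::getId).forEach(permissionTicketStore::delete);
    ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore();
    resourceStore.findByResourceServer(id).stream().map(Resource::getId).forEach(resourceStore::delete);
    ScopeStore scopeStore = authorizationProvider.getStoreFactory().getScopeStore();
    scopeStore.findByResourceServer(id).stream().map(Scope::getId).forEach(scopeStore::delete);
    // Dependents are gone; now remove the resource server entry itself.
    tx.delete(id);
}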

Example 10 with ScopeStore

use of org.keycloak.authorization.store.ScopeStore in project keycloak by keycloak.

The class RepresentationToModel, method toModel.

/**
 * Resolves a scope representation to a stored {@link Scope}.
 *
 * <p>The scope is looked up by id when the representation carries one, otherwise
 * by name. An existing scope is returned as-is, or with its name, display name
 * and icon URI refreshed from the representation when {@code updateIfExists} is
 * set. When nothing matches, a new scope is created and its id is written back
 * into the representation.
 *
 * @param scope          the representation to resolve
 * @param resourceServer the resource server owning the scope
 * @param authorization  provider giving access to the scope store
 * @param updateIfExists whether an already existing scope is updated in place
 * @return the existing or newly created scope
 */
public static Scope toModel(ScopeRepresentation scope, ResourceServer resourceServer, AuthorizationProvider authorization, boolean updateIfExists) {
    ScopeStore scopeStore = authorization.getStoreFactory().getScopeStore();
    Scope found = scope.getId() != null
            ? scopeStore.findById(scope.getId(), resourceServer.getId())
            : scopeStore.findByName(scope.getName(), resourceServer.getId());

    if (found == null) {
        // Nothing stored yet: create it, propagating the (possibly null) requested id.
        Scope created = scopeStore.create(scope.getId(), scope.getName(), resourceServer);
        created.setDisplayName(scope.getDisplayName());
        created.setIconUri(scope.getIconUri());
        scope.setId(created.getId());
        return created;
    }

    if (updateIfExists) {
        found.setName(scope.getName());
        found.setDisplayName(scope.getDisplayName());
        found.setIconUri(scope.getIconUri());
    }
    return found;
}
