Search in sources :

Example 1 with StoreFactory

use of org.keycloak.authorization.store.StoreFactory in project keycloak by keycloak.

the class RolePolicyProviderFactory method postInit.

@Override
public void postInit(KeycloakSessionFactory factory) {
    factory.register(event -> {
        if (event instanceof RoleRemovedEvent) {
            KeycloakSession keycloakSession = ((RoleRemovedEvent) event).getKeycloakSession();
            AuthorizationProvider provider = keycloakSession.getProvider(AuthorizationProvider.class);
            StoreFactory storeFactory = provider.getStoreFactory();
            PolicyStore policyStore = storeFactory.getPolicyStore();
            RoleModel removedRole = ((RoleRemovedEvent) event).getRole();
            RoleContainerModel container = removedRole.getContainer();
            ResourceServerStore resourceServerStore = storeFactory.getResourceServerStore();
            if (container instanceof RealmModel) {
                RealmModel realm = (RealmModel) container;
                realm.getClientsStream().forEach(clientModel -> updateResourceServer(clientModel, removedRole, resourceServerStore, policyStore));
            } else {
                ClientModel clientModel = (ClientModel) container;
                updateResourceServer(clientModel, removedRole, resourceServerStore, policyStore);
            }
        }
    });
}
Also used : RealmModel(org.keycloak.models.RealmModel) ClientModel(org.keycloak.models.ClientModel) ResourceServerStore(org.keycloak.authorization.store.ResourceServerStore) KeycloakSession(org.keycloak.models.KeycloakSession) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) RoleRemovedEvent(org.keycloak.models.RoleContainerModel.RoleRemovedEvent) PolicyStore(org.keycloak.authorization.store.PolicyStore) RoleModel(org.keycloak.models.RoleModel) StoreFactory(org.keycloak.authorization.store.StoreFactory) RoleContainerModel(org.keycloak.models.RoleContainerModel)

Example 2 with StoreFactory

use of org.keycloak.authorization.store.StoreFactory in project keycloak by keycloak.

the class IterablePermissionEvaluator method evaluate.

@Override
public Decision evaluate(Decision decision) {
    StoreFactory storeFactory = authorizationProvider.getStoreFactory();
    try {
        Map<Policy, Map<Object, Decision.Effect>> decisionCache = new HashMap<>();
        storeFactory.setReadOnly(true);
        Iterator<ResourcePermission> permissions = getPermissions();
        while (permissions.hasNext()) {
            this.policyEvaluator.evaluate(permissions.next(), authorizationProvider, executionContext, decision, decisionCache);
        }
        decision.onComplete();
    } catch (Throwable cause) {
        decision.onError(cause);
    } finally {
        storeFactory.setReadOnly(false);
    }
    return decision;
}
Also used : Policy(org.keycloak.authorization.model.Policy) HashMap(java.util.HashMap) StoreFactory(org.keycloak.authorization.store.StoreFactory) HashMap(java.util.HashMap) Map(java.util.Map) Decision(org.keycloak.authorization.Decision) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)

Example 3 with StoreFactory

use of org.keycloak.authorization.store.StoreFactory in project keycloak by keycloak.

the class UnboundedPermissionEvaluator method evaluate.

@Override
public Decision evaluate(Decision decision) {
    StoreFactory storeFactory = authorizationProvider.getStoreFactory();
    try {
        Map<Policy, Map<Object, Decision.Effect>> decisionCache = new HashMap<>();
        storeFactory.setReadOnly(true);
        Permissions.all(resourceServer, executionContext.getIdentity(), authorizationProvider, request, permission -> policyEvaluator.evaluate(permission, authorizationProvider, executionContext, decision, decisionCache));
        decision.onComplete();
    } catch (Throwable cause) {
        decision.onError(cause);
    } finally {
        storeFactory.setReadOnly(false);
    }
    return decision;
}
Also used : Policy(org.keycloak.authorization.model.Policy) HashMap(java.util.HashMap) StoreFactory(org.keycloak.authorization.store.StoreFactory) HashMap(java.util.HashMap) Map(java.util.Map) Decision(org.keycloak.authorization.Decision)

Example 4 with StoreFactory

use of org.keycloak.authorization.store.StoreFactory in project keycloak by keycloak.

the class PermissionTicketAwareDecisionResultCollector method onComplete.

@Override
public void onComplete() {
    super.onComplete();
    if (request.isSubmitRequest()) {
        StoreFactory storeFactory = authorization.getStoreFactory();
        ResourceStore resourceStore = storeFactory.getResourceStore();
        List<Permission> permissions = ticket.getPermissions();
        if (permissions != null) {
            for (Permission permission : permissions) {
                Resource resource = resourceStore.findById(permission.getResourceId(), resourceServer.getId());
                if (resource == null) {
                    resource = resourceStore.findByName(permission.getResourceId(), identity.getId(), resourceServer.getId());
                }
                if (resource == null || !resource.isOwnerManagedAccess() || resource.getOwner().equals(identity.getId()) || resource.getOwner().equals(resourceServer.getId())) {
                    continue;
                }
                Set<String> scopes = permission.getScopes();
                if (scopes.isEmpty()) {
                    scopes = resource.getScopes().stream().map(Scope::getName).collect(Collectors.toSet());
                }
                if (scopes.isEmpty()) {
                    Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
                    filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
                    filters.put(PermissionTicket.FilterOption.REQUESTER, identity.getId());
                    filters.put(PermissionTicket.FilterOption.SCOPE_IS_NULL, Boolean.TRUE.toString());
                    List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, resource.getResourceServer(), -1, -1);
                    if (tickets.isEmpty()) {
                        authorization.getStoreFactory().getPermissionTicketStore().create(resource.getId(), null, identity.getId(), resourceServer);
                    }
                } else {
                    ScopeStore scopeStore = authorization.getStoreFactory().getScopeStore();
                    for (String scopeId : scopes) {
                        Scope scope = scopeStore.findByName(scopeId, resourceServer.getId());
                        if (scope == null) {
                            scope = scopeStore.findById(scopeId, resourceServer.getId());
                        }
                        Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
                        filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
                        filters.put(PermissionTicket.FilterOption.REQUESTER, identity.getId());
                        filters.put(PermissionTicket.FilterOption.SCOPE_ID, scope.getId());
                        List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, resource.getResourceServer(), -1, -1);
                        if (tickets.isEmpty()) {
                            authorization.getStoreFactory().getPermissionTicketStore().create(resource.getId(), scope.getId(), identity.getId(), resourceServer);
                        }
                    }
                }
            }
        }
    }
}
Also used : PermissionTicket(org.keycloak.authorization.model.PermissionTicket) Resource(org.keycloak.authorization.model.Resource) ScopeStore(org.keycloak.authorization.store.ScopeStore) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) Scope(org.keycloak.authorization.model.Scope) Permission(org.keycloak.representations.idm.authorization.Permission) EnumMap(java.util.EnumMap)

Example 5 with StoreFactory

use of org.keycloak.authorization.store.StoreFactory in project keycloak by keycloak.

the class AuthorizationProvider method createResourceStoreWrapper.

private ResourceStore createResourceStoreWrapper(StoreFactory storeFactory) {
    return new ResourceStore() {

        ResourceStore delegate = storeFactory.getResourceStore();

        @Override
        public Resource create(String name, ResourceServer resourceServer, String owner) {
            return delegate.create(name, resourceServer, owner);
        }

        @Override
        public Resource create(String id, String name, ResourceServer resourceServer, String owner) {
            return delegate.create(id, name, resourceServer, owner);
        }

        @Override
        public void delete(String id) {
            Resource resource = findById(id, null);
            StoreFactory storeFactory = AuthorizationProvider.this.getStoreFactory();
            PermissionTicketStore ticketStore = storeFactory.getPermissionTicketStore();
            List<PermissionTicket> permissions = ticketStore.findByResource(id, resource.getResourceServer());
            for (PermissionTicket permission : permissions) {
                ticketStore.delete(permission.getId());
            }
            PolicyStore policyStore = storeFactory.getPolicyStore();
            List<Policy> policies = policyStore.findByResource(id, resource.getResourceServer());
            for (Policy policyModel : policies) {
                if (policyModel.getResources().size() == 1) {
                    policyStore.delete(policyModel.getId());
                } else {
                    policyModel.removeResource(resource);
                }
            }
            delegate.delete(id);
        }

        @Override
        public Resource findById(String id, String resourceServerId) {
            return delegate.findById(id, resourceServerId);
        }

        @Override
        public List<Resource> findByOwner(String ownerId, String resourceServerId) {
            return delegate.findByOwner(ownerId, resourceServerId);
        }

        @Override
        public void findByOwner(String ownerId, String resourceServerId, Consumer<Resource> consumer) {
            delegate.findByOwner(ownerId, resourceServerId, consumer);
        }

        @Override
        public List<Resource> findByOwner(String ownerId, String resourceServerId, int first, int max) {
            return delegate.findByOwner(ownerId, resourceServerId, first, max);
        }

        @Override
        public List<Resource> findByUri(String uri, String resourceServerId) {
            return delegate.findByUri(uri, resourceServerId);
        }

        @Override
        public List<Resource> findByResourceServer(String resourceServerId) {
            return delegate.findByResourceServer(resourceServerId);
        }

        @Override
        public List<Resource> findByResourceServer(Map<Resource.FilterOption, String[]> attributes, String resourceServerId, int firstResult, int maxResult) {
            return delegate.findByResourceServer(attributes, resourceServerId, firstResult, maxResult);
        }

        @Override
        public List<Resource> findByScope(List<String> id, String resourceServerId) {
            return delegate.findByScope(id, resourceServerId);
        }

        @Override
        public void findByScope(List<String> scopes, String resourceServerId, Consumer<Resource> consumer) {
            delegate.findByScope(scopes, resourceServerId, consumer);
        }

        @Override
        public Resource findByName(String name, String resourceServerId) {
            return delegate.findByName(name, resourceServerId);
        }

        @Override
        public Resource findByName(String name, String ownerId, String resourceServerId) {
            return delegate.findByName(name, ownerId, resourceServerId);
        }

        @Override
        public List<Resource> findByType(String type, String resourceServerId) {
            return delegate.findByType(type, resourceServerId);
        }

        @Override
        public void findByType(String type, String resourceServerId, Consumer<Resource> consumer) {
            delegate.findByType(type, resourceServerId, consumer);
        }

        @Override
        public void findByType(String type, String owner, String resourceServerId, Consumer<Resource> consumer) {
            delegate.findByType(type, owner, resourceServerId, consumer);
        }

        @Override
        public List<Resource> findByType(String type, String owner, String resourceServerId) {
            return delegate.findByType(type, resourceServerId);
        }

        @Override
        public List<Resource> findByTypeInstance(String type, String resourceServerId) {
            return delegate.findByTypeInstance(type, resourceServerId);
        }

        @Override
        public void findByTypeInstance(String type, String resourceServerId, Consumer<Resource> consumer) {
            delegate.findByTypeInstance(type, resourceServerId, consumer);
        }
    };
}
Also used : Policy(org.keycloak.authorization.model.Policy) PermissionTicket(org.keycloak.authorization.model.PermissionTicket) Resource(org.keycloak.authorization.model.Resource) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) Consumer(java.util.function.Consumer) PermissionTicketStore(org.keycloak.authorization.store.PermissionTicketStore) PolicyStore(org.keycloak.authorization.store.PolicyStore) List(java.util.List) ResourceServer(org.keycloak.authorization.model.ResourceServer) Map(java.util.Map)

Aggregations

StoreFactory (org.keycloak.authorization.store.StoreFactory)61 AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)33 ResourceServer (org.keycloak.authorization.model.ResourceServer)32 Policy (org.keycloak.authorization.model.Policy)31 Resource (org.keycloak.authorization.model.Resource)26 ClientModel (org.keycloak.models.ClientModel)21 Scope (org.keycloak.authorization.model.Scope)20 PolicyStore (org.keycloak.authorization.store.PolicyStore)20 Map (java.util.Map)19 List (java.util.List)17 ResourceStore (org.keycloak.authorization.store.ResourceStore)17 Path (javax.ws.rs.Path)15 Produces (javax.ws.rs.Produces)15 ArrayList (java.util.ArrayList)14 EnumMap (java.util.EnumMap)12 HashMap (java.util.HashMap)12 GET (javax.ws.rs.GET)12 KeycloakSession (org.keycloak.models.KeycloakSession)11 UserModel (org.keycloak.models.UserModel)11 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)11