

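/**
 * Emits a {@link ResourcePermission} for every resource the given {@code identity} can reach within the given
 * {@code resourceServer}: resources owned by the resource server itself, resources owned by the identity, and
 * resources granted to the identity through permission tickets (UMA). The number of permissions handed to
 * {@code evaluator} is capped by {@code request.getMetadata().getLimit()} when a limit is set.
 *
 * TODO: review once we support caches
 *
 * @param resourceServer the resource server whose resources are being evaluated
 * @param identity the identity requesting permissions
 * @param authorization the authorization provider, used to reach the stores
 * @param request the authorization request; its metadata may carry a result limit and its claims are attached to
 *                ticket-based permissions
 * @param evaluator callback receiving each permission to evaluate
 */
public static void all(ResourceServer resourceServer, Identity identity, AuthorizationProvider authorization, AuthorizationRequest request, Consumer<ResourcePermission> evaluator) {
    StoreFactory storeFactory = authorization.getStoreFactory();
    ResourceStore resourceStore = storeFactory.getResourceStore();
    Metadata metadata = request.getMetadata();
    // remaining number of permissions we may still emit; AtomicLong because it is updated from lambdas
    final AtomicLong limit;
    if (metadata != null && metadata.getLimit() != null) {
        limit = new AtomicLong(metadata.getLimit());
    } else {
        limit = new AtomicLong(Long.MAX_VALUE);
    }
    String resourceServerId = resourceServer.getId();
    String identityId = identity.getId();
    // obtain all resources where owner is the resource server
    resourceStore.findByOwner(resourceServerId, resourceServerId, resource -> {
        if (limit.decrementAndGet() >= 0) {
            evaluator.accept(createResourcePermissions(resource, resourceServer, resource.getScopes(), authorization, request));
        }
    });
    // resource server isn't current user; ids are strings, so compare by value rather than by reference
    if (!java.util.Objects.equals(resourceServerId, identityId)) {
        // obtain all resources where owner is the current user
        resourceStore.findByOwner(identityId, resourceServerId, resource -> {
            if (limit.decrementAndGet() >= 0) {
                evaluator.accept(createResourcePermissions(resource, resourceServer, resource.getScopes(), authorization, request));
            }
        });
    }
    // obtain all resources granted to the user via permission tickets (uma)
    List<PermissionTicket> tickets = storeFactory.getPermissionTicketStore().findGranted(identityId, resourceServerId);
    if (!tickets.isEmpty()) {
        // one permission per resource, collecting the scopes of every ticket granted on it
        Map<String, ResourcePermission> userManagedPermissions = new HashMap<>();
        for (PermissionTicket ticket : tickets) {
            String resourceId = ticket.getResource().getId();
            ResourcePermission permission = userManagedPermissions.get(resourceId);
            if (permission == null) {
                // a new resource consumes one slot of the limit; once the limit is exhausted, new resources are
                // skipped but scopes of resources already admitted are still collected so those permissions are complete
                if (limit.get() <= 0) {
                    continue;
                }
                limit.decrementAndGet();
                permission = new ResourcePermission(ticket.getResource(), new ArrayList<>(), resourceServer, request.getClaims());
                permission.setGranted(true);
                userManagedPermissions.put(resourceId, permission);
            }
            permission.addScope(ticket.getScope());
        }
        for (ResourcePermission permission : userManagedPermissions.values()) {
            evaluator.accept(permission);
        }
    }
}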


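// KEYCLOAK-3338: Changes to how role policy config is stored
/**
 * Rewrites the {@code roles} config entry of every role policy in the realm from the legacy JSON list of role ids
 * ({@code ["id1","id2"]}) to a list of objects ({@code [{"id":"id1"},{"id":"id2"}]}). Policies whose list is empty
 * or whose first element is not a plain string are left untouched.
 *
 * @param realm the realm being migrated
 * @param session the session used to look up the authorization provider
 * @throws RuntimeException if a policy's roles config cannot be parsed or the migrated value cannot be serialized
 */
private void migrateRolePolicies(RealmModel realm, KeycloakSession session) {
    AuthorizationProvider authorizationProvider = session.getProvider(AuthorizationProvider.class);
    StoreFactory storeFactory = authorizationProvider.getStoreFactory();
    PolicyStore policyStore = storeFactory.getPolicyStore();
    realm.getClientsStream().forEach(clientModel -> {
        ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(clientModel);
        if (resourceServer == null) {
            // client is not a resource server: nothing to migrate
            return;
        }
        policyStore.findByType("role", resourceServer.getId()).forEach(policy -> {
            Map<String, String> config = new HashMap<>(policy.getConfig());
            String roles = config.get("roles");
            List<?> roleConfig;
            try {
                roleConfig = JsonSerialization.readValue(roles, List.class);
            } catch (Exception e) {
                throw new RuntimeException("Malformed configuration for role policy [" + policy.getName() + "].", e);
            }
            // legacy format is detected by the first element being a bare role id
            if (!roleConfig.isEmpty() && roleConfig.get(0) instanceof String) {
                try {
                    List<Map<String, Object>> migratedRoles = roleConfig.stream().map(roleId -> {
                        Map<String, Object> updated = new HashMap<>();
                        updated.put("id", roleId);
                        return updated;
                    }).collect(Collectors.toList());
                    config.put("roles", JsonSerialization.writeValueAsString(migratedRoles));
                    policy.setConfig(config);
                } catch (Exception e) {
                    throw new RuntimeException("Failed to migrate role policy [" + policy.getName() + "].", e);
                }
            }
        });
    });
}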


/**
 * Deletes every resource owned by the removed user. A policy that references such a resource is deleted when the
 * resource was its only one; otherwise the resource is merely detached from the policy.
 *
 * @param event the user removal event carrying the removed user
 * @param authorizationProvider the provider used to reach the policy and resource stores
 */
private void removeUserResources(UserRemovedEvent event, AuthorizationProvider authorizationProvider) {
    StoreFactory stores = authorizationProvider.getStoreFactory();
    PolicyStore policies = stores.getPolicyStore();
    ResourceStore resources = stores.getResourceStore();
    String ownerId = event.getUser().getId();
    // NOTE(review): the null second argument presumably means "any resource server" — confirm against ResourceStore
    resources.findByOwner(ownerId, null, ownedResource -> {
        String ownedResourceId = ownedResource.getId();
        policies.findByResource(ownedResourceId, ownedResource.getResourceServer()).forEach(policy -> {
            boolean onlyResource = policy.getResources().size() == 1;
            if (onlyResource) {
                policies.delete(policy.getId());
            } else {
                policy.removeResource(ownedResource);
            }
        });
        resources.delete(ownedResourceId);
    });
}


/**
 * Removes the deleted user from every user policy that lists it. A policy left with no users is removed entirely
 * (its provider factory is notified first); otherwise the factory is asked to persist the reduced user set.
 *
 * @param event the user removal event carrying the removed user
 * @param authorizationProvider the provider used to reach the policy store and the policy provider factories
 */
private void removeFromUserPolicies(UserRemovedEvent event, AuthorizationProvider authorizationProvider) {
    PolicyStore policyStore = authorizationProvider.getStoreFactory().getPolicyStore();
    String userId = event.getUser().getId();
    Map<Policy.FilterOption, String[]> filter = new EnumMap<>(Policy.FilterOption.class);
    filter.put(Policy.FilterOption.TYPE, new String[] { "user" });
    filter.put(Policy.FilterOption.CONFIG, new String[] { "users", userId });
    // NOTE(review): null / -1 / -1 presumably mean no resource server filter and no paging — confirm against PolicyStore
    for (Policy policy : policyStore.findByResourceServer(filter, null, -1, -1)) {
        PolicyProviderFactory factory = authorizationProvider.getProviderFactory(policy.getType());
        UserPolicyRepresentation representation = (UserPolicyRepresentation) factory.toRepresentation(policy, authorizationProvider);
        Set<String> remainingUsers = representation.getUsers();
        remainingUsers.remove(userId);
        if (!remainingUsers.isEmpty()) {
            factory.onUpdate(policy, representation, authorizationProvider);
            continue;
        }
        factory.onRemove(policy, authorizationProvider);
        policyStore.delete(policy.getId());
    }
}


/**
 * Deletes every permission ticket the removed user is involved in: first those it owns, then those it requested.
 *
 * @param event the user removal event carrying the removed user
 * @param authorizationProvider the provider used to reach the permission ticket store
 */
private void removeFromUserPermissionTickets(UserRemovedEvent event, AuthorizationProvider authorizationProvider) {
    PermissionTicketStore tickets = authorizationProvider.getStoreFactory().getPermissionTicketStore();
    String userId = event.getUser().getId();
    deleteTicketsWhere(tickets, PermissionTicket.FilterOption.OWNER, userId);
    deleteTicketsWhere(tickets, PermissionTicket.FilterOption.REQUESTER, userId);
}

/**
 * Deletes all tickets whose {@code option} attribute equals {@code value}.
 * NOTE(review): the null / -1 / -1 arguments to {@code find} presumably mean no resource server filter and no
 * paging — confirm against PermissionTicketStore.
 */
private static void deleteTicketsWhere(PermissionTicketStore tickets, PermissionTicket.FilterOption option, String value) {
    Map<PermissionTicket.FilterOption, String> filter = new EnumMap<>(PermissionTicket.FilterOption.class);
    filter.put(option, value);
    for (PermissionTicket ticket : tickets.find(filter, null, -1, -1)) {
        tickets.delete(ticket.getId());
    }
}
