
Class GroupSynchronizer, method synchronize:

/**
 * Reacts to a group being removed by pruning it from every group-based policy.
 * <p>
 * Policies of type {@code group} whose {@code groups} config names the removed group are
 * looked up with the {@code ANY_OWNER} filter, i.e. without restricting the policy owner (the
 * {@code null} resource-server argument presumably widens the lookup to all servers — not
 * verifiable here). The group's definition is dropped from each hit; a policy left with no
 * groups is removed entirely through the provider's {@code onRemove} and the store rather than
 * being kept as an empty policy, otherwise the trimmed representation is written back through
 * {@code onUpdate}.
 *
 * @param event   the removal event; supplies the session and the removed group
 * @param factory used to obtain the {@link AuthorizationProvider} for that session
 */
@Override
public void synchronize(GroupModel.GroupRemovedEvent event, KeycloakSessionFactory factory) {
    ProviderFactory<AuthorizationProvider> providerFactory = factory.getProviderFactory(AuthorizationProvider.class);
    AuthorizationProvider authorization = providerFactory.create(event.getKeycloakSession());
    PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
    String removedGroupId = event.getGroup().getId();

    Map<Policy.FilterOption, String[]> filter = new EnumMap<>(Policy.FilterOption.class);
    filter.put(Policy.FilterOption.TYPE, new String[] { "group" });
    filter.put(Policy.FilterOption.CONFIG, new String[] { "groups", removedGroupId });
    // no owner restriction: any policy referencing the group has to be cleaned up
    filter.put(Policy.FilterOption.ANY_OWNER, Policy.FilterOption.EMPTY_FILTER);

    List<Policy> affected = policyStore.findByResourceServer(filter, null, -1, -1);
    for (Policy policy : affected) {
        PolicyProviderFactory policyFactory = authorization.getProviderFactory(policy.getType());
        GroupPolicyRepresentation representation =
                (GroupPolicyRepresentation) policyFactory.toRepresentation(policy, authorization);
        Set<GroupPolicyRepresentation.GroupDefinition> remaining = representation.getGroups();
        remaining.removeIf(definition -> definition.getId().equals(removedGroupId));
        if (remaining.isEmpty()) {
            // last group gone: the policy is deleted instead of surviving with no groups
            policyFactory.onRemove(policy, authorization);
            policyStore.delete(policy.getId());
        } else {
            policyFactory.onUpdate(policy, representation, authorization);
        }
    }
}

Class ResourceSetService, method delete:

/**
 * Deletes one resource of this resource server.
 * <p>
 * The lookup is scoped to {@code resourceServer.getId()}, so an id that belongs to a different
 * resource server is answered with 404 instead of being deleted. The model instance fetched
 * before the deletion is what the audit event is built from.
 *
 * @param id path parameter identifying the resource
 * @return 204 on success, 404 when this server has no such resource
 */
@Path("{id}")
@DELETE
public Response delete(@PathParam("id") String id) {
    requireManage();
    ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
    String serverId = resourceServer.getId();
    Resource existing = resourceStore.findById(id, serverId);
    if (existing == null) {
        return Response.status(Status.NOT_FOUND).build();
    }
    resourceStore.delete(id);
    // audited from the instance loaded above; the store no longer holds it at this point
    audit(toRepresentation(existing, serverId, authorization), OperationType.DELETE);
    return Response.noContent().build();
}

Class ResourceSetService, method find:

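/**
 * Searches the resources of this resource server.
 * <p>
 * Every non-blank query parameter becomes one filter. {@code owner} accepts a client id or a
 * username and is translated to the matching internal id when one resolves; otherwise the raw
 * value is used as the filter. When {@code scope} names no known scope the search is
 * short-circuited with an empty list. When {@code matchingUri} is set and the filtered search
 * finds nothing, the server's resources that declare a URI are loaded and matched against
 * {@code uri} with a {@link PathMatcher}; a single match, if any, is returned instead.
 * <p>
 * {@link #requireView()} is the access check; every store lookup is scoped to
 * {@code resourceServer.getId()}.
 *
 * @param id               exact resource id filter
 * @param name             name filter; an exact-name filter when {@code exactName} is true
 * @param uri              URI filter, also the input of the matching-URI fallback
 * @param owner            client id or username of the owner
 * @param type             resource type filter
 * @param scope            scope name; resolved to scope ids before filtering
 * @param matchingUri      enables the {@link PathMatcher} fallback when the filtered search is empty
 * @param exactName        selects {@code EXACT_NAME} instead of {@code NAME} for the name filter
 * @param deep             passed to {@code toRepresentation}; {@code null} means {@code true}
 * @param firstResult      pagination offset, passed as {@code -1} when absent
 * @param maxResult        page size; defaults to {@link Constants#DEFAULT_MAX_RESULTS} for the
 *                         filtered search but is passed as {@code -1} to the fallback query
 * @param toRepresentation converts each found resource (with the {@code deep} flag) into the
 *                         representation placed in the response body
 * @return 200 with the list of representations (possibly empty)
 */
public Response find(@QueryParam("_id") String id, @QueryParam("name") String name, @QueryParam("uri") String uri, @QueryParam("owner") String owner, @QueryParam("type") String type, @QueryParam("scope") String scope, @QueryParam("matchingUri") Boolean matchingUri, @QueryParam("exactName") Boolean exactName, @QueryParam("deep") Boolean deep, @QueryParam("first") Integer firstResult, @QueryParam("max") Integer maxResult, BiFunction<Resource, Boolean, ?> toRepresentation) {
    requireView();
    StoreFactory storeFactory = authorization.getStoreFactory();
    if (deep == null) {
        deep = true;
    }
    Map<Resource.FilterOption, String[]> search = new EnumMap<>(Resource.FilterOption.class);
    if (hasFilterValue(id)) {
        search.put(Resource.FilterOption.ID, new String[] { id });
    }
    if (hasFilterValue(name)) {
        Resource.FilterOption nameOption = exactName != null && exactName ? Resource.FilterOption.EXACT_NAME : Resource.FilterOption.NAME;
        search.put(nameOption, new String[] { name });
    }
    if (hasFilterValue(uri)) {
        search.put(Resource.FilterOption.URI, new String[] { uri });
    }
    if (hasFilterValue(owner)) {
        search.put(Resource.FilterOption.OWNER, new String[] { resolveOwnerFilter(owner) });
    }
    if (hasFilterValue(type)) {
        search.put(Resource.FilterOption.TYPE, new String[] { type });
    }
    if (hasFilterValue(scope)) {
        Map<Scope.FilterOption, String[]> scopeFilter = new EnumMap<>(Scope.FilterOption.class);
        scopeFilter.put(Scope.FilterOption.NAME, new String[] { scope });
        List<Scope> scopes = authorization.getStoreFactory().getScopeStore().findByResourceServer(scopeFilter, resourceServer.getId(), -1, -1);
        if (scopes.isEmpty()) {
            // an unknown scope name can match no resource; answer without querying resources
            return Response.ok(Collections.emptyList()).build();
        }
        search.put(Resource.FilterOption.SCOPE_ID, scopes.stream().map(Scope::getId).toArray(String[]::new));
    }
    List<Resource> resources = storeFactory.getResourceStore().findByResourceServer(search, this.resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS);
    if (matchingUri != null && matchingUri && resources.isEmpty()) {
        Resource match = findResourceByMatchingUri(storeFactory, uri, firstResult, maxResult);
        if (match != null) {
            resources = Collections.singletonList(match);
        }
    }
    // the lambda below needs an effectively-final copy of the (possibly reassigned) deep flag
    Boolean finalDeep = deep;
    return Response.ok(resources.stream().map(resource -> toRepresentation.apply(resource, finalDeep)).collect(Collectors.toList())).build();
}

/** True when a query parameter was supplied with something other than whitespace. */
private static boolean hasFilterValue(String value) {
    return value != null && !"".equals(value.trim());
}

/**
 * Translates the {@code owner} query parameter to an internal id: a client id resolves to that
 * client's id, else a username resolves to that user's id; anything else is returned unchanged.
 *
 * @param owner the raw query-parameter value (non-blank)
 * @return the id to use for the {@code OWNER} filter
 */
private String resolveOwnerFilter(String owner) {
    RealmModel realm = authorization.getKeycloakSession().getContext().getRealm();
    ClientModel client = realm.getClientByClientId(owner);
    if (client != null) {
        return client.getId();
    }
    UserModel user = authorization.getKeycloakSession().users().getUserByUsername(realm, owner);
    return user != null ? user.getId() : owner;
}

/**
 * Fallback for {@code matchingUri}: loads this server's resources that declare a URI (owned by
 * the server itself) and returns the one whose declared URI matches {@code uri} according to
 * {@link PathMatcher}, or {@code null} when nothing matches.
 *
 * @param storeFactory store access
 * @param uri          the requested URI; may be {@code null} when the caller omitted it
 * @param firstResult  pagination offset, passed as {@code -1} when absent
 * @param maxResult    page size, passed as {@code -1} when absent
 * @return the matching resource or {@code null}
 */
private Resource findResourceByMatchingUri(StoreFactory storeFactory, String uri, Integer firstResult, Integer maxResult) {
    Map<Resource.FilterOption, String[]> attributes = new EnumMap<>(Resource.FilterOption.class);
    attributes.put(Resource.FilterOption.URI_NOT_NULL, new String[] { "true" });
    attributes.put(Resource.FilterOption.OWNER, new String[] { resourceServer.getId() });
    // unlike the primary search, a missing maxResult is passed through as -1 here
    List<Resource> serverResources = storeFactory.getResourceStore().findByResourceServer(attributes, this.resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : -1);
    PathMatcher<Map.Entry<String, Resource>> pathMatcher = new PathMatcher<Map.Entry<String, Resource>>() {

        @Override
        protected String getPath(Map.Entry<String, Resource> entry) {
            return entry.getKey();
        }

        @Override
        protected Collection<Map.Entry<String, Resource>> getPaths() {
            // one entry per declared URI; a URI declared by several resources keeps the last one seen
            Map<String, Resource> byUri = new HashMap<>();
            serverResources.forEach(resource -> resource.getUris().forEach(declared -> byUri.put(declared, resource)));
            return byUri.entrySet();
        }
    };
    // NOTE(review): uri can be null here (matchingUri set without uri); how
    // PathMatcher.matches treats a null input is not visible in this file — confirm
    Map.Entry<String, Resource> match = pathMatcher.matches(uri);
    return match != null ? match.getValue() : null;
}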

Class PolicyEvaluationService, method createPermissions:

/**
 * Expands the resources named in an evaluation request into the permissions to evaluate.
 * <p>
 * Each requested resource contributes permissions according to what it specifies: an id is
 * looked up directly, a type expands to every resource of that type, and a resource with
 * neither is interpreted through its scopes alone (resources carrying those scopes, or — when
 * none exist — one resource-less permission per scope). Scopes are resolved by name against
 * this resource server; {@code evaluationContext} is not referenced here.
 *
 * @param representation    the evaluation request; its resources are expanded one by one
 * @param evaluationContext unused in this method
 * @param authorization     store access and permission building
 * @param request           forwarded to {@code Permissions.createResourcePermissions}
 * @return the permissions, in request order
 */
private List<ResourcePermission> createPermissions(PolicyEvaluationRequest representation, EvaluationContext evaluationContext, AuthorizationProvider authorization, AuthorizationRequest request) {
    List<ResourcePermission> permissions = new ArrayList<>();
    for (ResourceRepresentation requested : representation.getResources()) {
        permissionsFor(requested, authorization, request).forEach(permissions::add);
    }
    return permissions;
}

/**
 * Builds the permissions for a single requested resource; a {@code null} entry is treated as
 * an empty representation.
 */
private Stream<ResourcePermission> permissionsFor(ResourceRepresentation requested, AuthorizationProvider authorization, AuthorizationRequest request) {
    StoreFactory storeFactory = authorization.getStoreFactory();
    ResourceRepresentation resource = requested == null ? new ResourceRepresentation() : requested;
    Set<ScopeRepresentation> givenScopes = resource.getScopes();
    if (givenScopes == null) {
        givenScopes = new HashSet<>();
    }
    ScopeStore scopeStore = storeStore(storeFactory);
    // NOTE(review): findByName's result is added as-is; an unknown scope name would leave a
    // null in this set — whether that can happen is not visible here
    Set<Scope> scopes = new HashSet<>();
    for (ScopeRepresentation scopeRepresentation : givenScopes) {
        scopes.add(scopeStore.findByName(scopeRepresentation.getName(), resourceServer.getId()));
    }
    if (resource.getId() != null) {
        // a single resource by id (findById may yield null for an unknown id; passed through as-is)
        Resource resourceModel = storeFactory.getResourceStore().findById(resource.getId(), resourceServer.getId());
        return Stream.of(Permissions.createResourcePermissions(resourceModel, resourceServer, scopes, authorization, request));
    }
    if (resource.getType() != null) {
        // every resource of the given type
        return storeFactory.getResourceStore().findByType(resource.getType(), resourceServer.getId()).stream()
                .map(typed -> Permissions.createResourcePermissions(typed, resourceServer, scopes, authorization, request));
    }
    if (scopes.isEmpty()) {
        return Stream.empty();
    }
    // neither id nor type: go by scopes alone
    List<String> scopeIds = new ArrayList<>();
    for (Scope scope : scopes) {
        scopeIds.add(scope.getId());
    }
    List<Resource> resources = storeFactory.getResourceStore().findByScope(scopeIds, resourceServer.getId());
    if (resources.isEmpty()) {
        // no resource carries these scopes: one resource-less permission per scope
        return scopes.stream().map(scope -> new ResourcePermission(null, new ArrayList<>(Arrays.asList(scope)), resourceServer));
    }
    return resources.stream().map(found -> Permissions.createResourcePermissions(found, resourceServer, scopes, authorization, request));
}

/** Small indirection kept next to its only caller so the helper above reads top-down. */
private static ScopeStore storeStore(StoreFactory storeFactory) {
    return storeFactory.getScopeStore();
}

Class PolicyService, method findByName:

/**
 * Looks up a single policy of this resource server by its exact name.
 *
 * @param name   the policy name; required
 * @param fields optional field selection forwarded to {@code toRepresentation}
 * @return 200 with the representation, 204 when no policy has that name,
 *         400 when {@code name} is missing
 */
@Path("/search")
@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public Response findByName(@QueryParam("name") String name, @QueryParam("fields") String fields) {
    // NOTE(review): the view-authorization check only runs when auth is set; a caller that
    // builds this service with a null auth skips it — confirm that is the intended contract
    if (this.auth != null) {
        this.auth.realm().requireViewAuthorization();
    }
    StoreFactory storeFactory = authorization.getStoreFactory();
    if (name == null) {
        return Response.status(Status.BAD_REQUEST).build();
    }
    Policy found = storeFactory.getPolicyStore().findByName(name, this.resourceServer.getId());
    return found == null
            ? Response.noContent().build()
            : Response.ok(toRepresentation(found, fields, authorization)).build();
}