Search in sources :

Example 41 with StoreFactory

use of org.keycloak.authorization.store.StoreFactory in project keycloak by keycloak.

the class JPAResourceStore method findByType.

@Override
public void findByType(String type, String owner, String resourceServerId, Consumer<Resource> consumer) {
    TypedQuery<ResourceEntity> query;
    if (owner != null) {
        query = entityManager.createNamedQuery("findResourceIdByType", ResourceEntity.class);
    } else {
        query = entityManager.createNamedQuery("findResourceIdByTypeNoOwner", ResourceEntity.class);
    }
    query.setFlushMode(FlushModeType.COMMIT);
    query.setParameter("type", type);
    if (owner != null) {
        query.setParameter("ownerId", owner);
    }
    query.setParameter("serverId", resourceServerId);
    StoreFactory storeFactory = provider.getStoreFactory();
    query.getResultList().stream().map(entity -> new ResourceAdapter(entity, entityManager, storeFactory)).forEach(consumer);
}
Also used : ResourceServer(org.keycloak.authorization.model.ResourceServer) CriteriaQuery(javax.persistence.criteria.CriteriaQuery) KeycloakModelUtils(org.keycloak.models.utils.KeycloakModelUtils) StreamsUtil.closing(org.keycloak.utils.StreamsUtil.closing) StoreFactory(org.keycloak.authorization.store.StoreFactory) NoResultException(javax.persistence.NoResultException) FlushModeType(javax.persistence.FlushModeType) EntityManager(javax.persistence.EntityManager) ResourceStore(org.keycloak.authorization.store.ResourceStore) TypedQuery(javax.persistence.TypedQuery) ArrayList(java.util.ArrayList) Consumer(java.util.function.Consumer) PaginationUtils.paginateQuery(org.keycloak.models.jpa.PaginationUtils.paginateQuery) List(java.util.List) Predicate(javax.persistence.criteria.Predicate) ResourceEntity(org.keycloak.authorization.jpa.entities.ResourceEntity) Map(java.util.Map) CriteriaBuilder(javax.persistence.criteria.CriteriaBuilder) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) Expression(javax.persistence.criteria.Expression) LinkedList(java.util.LinkedList) Root(javax.persistence.criteria.Root) Resource(org.keycloak.authorization.model.Resource) ResourceEntity(org.keycloak.authorization.jpa.entities.ResourceEntity) StoreFactory(org.keycloak.authorization.store.StoreFactory)

Example 42 with StoreFactory

use of org.keycloak.authorization.store.StoreFactory in project keycloak by keycloak.

the class ResourceSetService method getPermissions.

@Path("{id}/permissions")
@GET
@NoCache
@Produces("application/json")
public Response getPermissions(@PathParam("id") String id) {
    requireView();
    StoreFactory storeFactory = authorization.getStoreFactory();
    ResourceStore resourceStore = storeFactory.getResourceStore();
    Resource model = resourceStore.findById(id, resourceServer.getId());
    if (model == null) {
        return Response.status(Status.NOT_FOUND).build();
    }
    PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
    Set<Policy> policies = new HashSet<>();
    policies.addAll(policyStore.findByResource(model.getId(), resourceServer.getId()));
    if (model.getType() != null) {
        policies.addAll(policyStore.findByResourceType(model.getType(), resourceServer.getId()));
        Map<Resource.FilterOption, String[]> resourceFilter = new EnumMap<>(Resource.FilterOption.class);
        resourceFilter.put(Resource.FilterOption.OWNER, new String[] { resourceServer.getId() });
        resourceFilter.put(Resource.FilterOption.TYPE, new String[] { model.getType() });
        for (Resource resourceType : resourceStore.findByResourceServer(resourceFilter, resourceServer.getId(), -1, -1)) {
            policies.addAll(policyStore.findByResource(resourceType.getId(), resourceServer.getId()));
        }
    }
    policies.addAll(policyStore.findByScopeIds(model.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toList()), id, resourceServer.getId()));
    policies.addAll(policyStore.findByScopeIds(model.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toList()), null, resourceServer.getId()));
    List<PolicyRepresentation> representation = new ArrayList<>();
    for (Policy policyModel : policies) {
        if (!"uma".equalsIgnoreCase(policyModel.getType())) {
            PolicyRepresentation policy = new PolicyRepresentation();
            policy.setId(policyModel.getId());
            policy.setName(policyModel.getName());
            policy.setType(policyModel.getType());
            if (!representation.contains(policy)) {
                representation.add(policy);
            }
        }
    }
    return Response.ok(representation).build();
}
Also used : Policy(org.keycloak.authorization.model.Policy) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) ResourceType(org.keycloak.events.admin.ResourceType) Produces(javax.ws.rs.Produces) BiFunction(java.util.function.BiFunction) Path(javax.ws.rs.Path) OAuthErrorException(org.keycloak.OAuthErrorException) QueryParam(javax.ws.rs.QueryParam) Consumes(javax.ws.rs.Consumes) ErrorResponseException(org.keycloak.services.ErrorResponseException) ModelToRepresentation.toRepresentation(org.keycloak.models.utils.ModelToRepresentation.toRepresentation) Map(java.util.Map) ResourceOwnerRepresentation(org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) DELETE(javax.ws.rs.DELETE) RealmModel(org.keycloak.models.RealmModel) EnumMap(java.util.EnumMap) Collection(java.util.Collection) Set(java.util.Set) PolicyStore(org.keycloak.authorization.store.PolicyStore) ResourceStore(org.keycloak.authorization.store.ResourceStore) Collectors(java.util.stream.Collectors) List(java.util.List) Response(javax.ws.rs.core.Response) RepresentationToModel.toModel(org.keycloak.models.utils.RepresentationToModel.toModel) ClientModel(org.keycloak.models.ClientModel) OperationType(org.keycloak.events.admin.OperationType) PathParam(javax.ws.rs.PathParam) Scope(org.keycloak.authorization.model.Scope) GET(javax.ws.rs.GET) StoreFactory(org.keycloak.authorization.store.StoreFactory) Constants(org.keycloak.models.Constants) HashMap(java.util.HashMap) Function(java.util.function.Function) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) ArrayList(java.util.ArrayList) HashSet(java.util.HashSet) UserModel(org.keycloak.models.UserModel) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) Status(javax.ws.rs.core.Response.Status) PathMatcher(org.keycloak.common.util.PathMatcher) ResourceServer(org.keycloak.authorization.model.ResourceServer) POST(javax.ws.rs.POST) AdminPermissionEvaluator(org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator) KeycloakSession(org.keycloak.models.KeycloakSession) Policy(org.keycloak.authorization.model.Policy) NoCache(org.jboss.resteasy.annotations.cache.NoCache) PUT(javax.ws.rs.PUT) Collections(java.util.Collections) Resource(org.keycloak.authorization.model.Resource) AdminEventBuilder(org.keycloak.services.resources.admin.AdminEventBuilder) Resource(org.keycloak.authorization.model.Resource) ArrayList(java.util.ArrayList) ResourceStore(org.keycloak.authorization.store.ResourceStore) StoreFactory(org.keycloak.authorization.store.StoreFactory) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) PolicyStore(org.keycloak.authorization.store.PolicyStore) EnumMap(java.util.EnumMap) HashSet(java.util.HashSet) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) NoCache(org.jboss.resteasy.annotations.cache.NoCache)

Example 43 with StoreFactory

use of org.keycloak.authorization.store.StoreFactory in project keycloak by keycloak.

the class ResourceSetService method create.

public ResourceRepresentation create(ResourceRepresentation resource) {
    requireManage();
    StoreFactory storeFactory = this.authorization.getStoreFactory();
    ResourceOwnerRepresentation owner = resource.getOwner();
    if (owner == null) {
        owner = new ResourceOwnerRepresentation();
        owner.setId(resourceServer.getId());
        resource.setOwner(owner);
    }
    String ownerId = owner.getId();
    if (ownerId == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "You must specify the resource owner.", Status.BAD_REQUEST);
    }
    Resource existingResource = storeFactory.getResourceStore().findByName(resource.getName(), ownerId, this.resourceServer.getId());
    if (existingResource != null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Resource with name [" + resource.getName() + "] already exists.", Status.CONFLICT);
    }
    return toRepresentation(toModel(resource, this.resourceServer, authorization), resourceServer.getId(), authorization);
}
Also used : Resource(org.keycloak.authorization.model.Resource) ResourceOwnerRepresentation(org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation) ErrorResponseException(org.keycloak.services.ErrorResponseException) StoreFactory(org.keycloak.authorization.store.StoreFactory)

Example 44 with StoreFactory

use of org.keycloak.authorization.store.StoreFactory in project keycloak by keycloak.

the class ResourceSetService method getAttributes.

@Path("{id}/attributes")
@GET
@NoCache
@Produces("application/json")
public Response getAttributes(@PathParam("id") String id) {
    requireView();
    StoreFactory storeFactory = authorization.getStoreFactory();
    Resource model = storeFactory.getResourceStore().findById(id, resourceServer.getId());
    if (model == null) {
        return Response.status(Status.NOT_FOUND).build();
    }
    return Response.ok(model.getAttributes()).build();
}
Also used : Resource(org.keycloak.authorization.model.Resource) StoreFactory(org.keycloak.authorization.store.StoreFactory) Path(javax.ws.rs.Path) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) NoCache(org.jboss.resteasy.annotations.cache.NoCache)

Example 45 with StoreFactory

use of org.keycloak.authorization.store.StoreFactory in project keycloak by keycloak.

the class AuthorizationTokenService method resolveResourcePermission.

private void resolveResourcePermission(KeycloakAuthorizationRequest request, ResourceServer resourceServer, KeycloakIdentity identity, AuthorizationProvider authorization, StoreFactory storeFactory, Map<String, ResourcePermission> permissionsToEvaluate, ResourceStore resourceStore, AtomicInteger limit, Permission permission, Set<Scope> requestedScopesModel, String resourceId) {
    Resource resource;
    if (resourceId.indexOf('-') != -1) {
        resource = resourceStore.findById(resourceId, resourceServer.getId());
    } else {
        resource = null;
    }
    if (resource != null) {
        addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource);
    } else if (resourceId.startsWith("resource-type:")) {
        // only resource types, no resource instances. resource types are owned by the resource server
        String resourceType = resourceId.substring("resource-type:".length());
        resourceStore.findByType(resourceType, resourceServer.getId(), resourceServer.getId(), resource1 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource1));
    } else if (resourceId.startsWith("resource-type-any:")) {
        // any resource with a given type
        String resourceType = resourceId.substring("resource-type-any:".length());
        resourceStore.findByType(resourceType, null, resourceServer.getId(), resource12 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource12));
    } else if (resourceId.startsWith("resource-type-instance:")) {
        // only resource instances with a given type
        String resourceType = resourceId.substring("resource-type-instance:".length());
        resourceStore.findByTypeInstance(resourceType, resourceServer.getId(), resource13 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource13));
    } else if (resourceId.startsWith("resource-type-owner:")) {
        // only resources where the current identity is the owner
        String resourceType = resourceId.substring("resource-type-owner:".length());
        resourceStore.findByType(resourceType, identity.getId(), resourceServer.getId(), resource14 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource14));
    } else {
        Resource ownerResource = resourceStore.findByName(resourceId, identity.getId(), resourceServer.getId());
        if (ownerResource != null) {
            permission.setResourceId(ownerResource.getId());
            addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, ownerResource);
        }
        if (!identity.isResourceServer() || !identity.getId().equals(resourceServer.getId())) {
            List<PermissionTicket> tickets = storeFactory.getPermissionTicketStore().findGranted(resourceId, identity.getId(), resourceServer.getId());
            if (!tickets.isEmpty()) {
                List<Scope> scopes = new ArrayList<>();
                Resource grantedResource = null;
                for (PermissionTicket permissionTicket : tickets) {
                    if (grantedResource == null) {
                        grantedResource = permissionTicket.getResource();
                    }
                    scopes.add(permissionTicket.getScope());
                }
                requestedScopesModel.retainAll(scopes);
                ResourcePermission resourcePermission = addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, grantedResource);
                // the permission is explicitly granted by the owner, mark this permission as granted so that we don't run the evaluation engine on it
                resourcePermission.setGranted(true);
            }
            Resource serverResource = resourceStore.findByName(resourceId, resourceServer.getId());
            if (serverResource != null) {
                permission.setResourceId(serverResource.getId());
                addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, serverResource);
            }
        }
    }
    if (permissionsToEvaluate.isEmpty()) {
        CorsErrorResponseException invalidResourceException = new CorsErrorResponseException(request.getCors(), "invalid_resource", "Resource with id [" + resourceId + "] does not exist.", Status.BAD_REQUEST);
        fireErrorEvent(request.getEvent(), Errors.INVALID_REQUEST, invalidResourceException);
        throw invalidResourceException;
    }
}
Also used : ResourcePermission(org.keycloak.authorization.permission.ResourcePermission) Arrays(java.util.Arrays) Tokens(org.keycloak.authorization.util.Tokens) UserSessionProvider(org.keycloak.models.UserSessionProvider) DefaultClientSessionContext(org.keycloak.services.util.DefaultClientSessionContext) BiFunction(java.util.function.BiFunction) Permissions(org.keycloak.authorization.permission.Permissions) PermissionTicketAwareDecisionResultCollector(org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector) AuthenticationSessionManager(org.keycloak.services.managers.AuthenticationSessionManager) Metadata(org.keycloak.representations.idm.authorization.AuthorizationRequest.Metadata) MediaType(javax.ws.rs.core.MediaType) OAuthErrorException(org.keycloak.OAuthErrorException) AuthenticationManager(org.keycloak.services.managers.AuthenticationManager) AtomicInteger(java.util.concurrent.atomic.AtomicInteger) AccessToken(org.keycloak.representations.AccessToken) AuthenticatedClientSessionModel(org.keycloak.models.AuthenticatedClientSessionModel) ErrorResponseException(org.keycloak.services.ErrorResponseException) Map(java.util.Map) ClientConnection(org.keycloak.common.ClientConnection) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) AuthenticationSessionModel(org.keycloak.sessions.AuthenticationSessionModel) RealmModel(org.keycloak.models.RealmModel) Collection(java.util.Collection) AuthorizationRequest(org.keycloak.representations.idm.authorization.AuthorizationRequest) Set(java.util.Set) ResourceStore(org.keycloak.authorization.store.ResourceStore) CorsErrorResponseException(org.keycloak.services.CorsErrorResponseException) Collectors(java.util.stream.Collectors) IDToken(org.keycloak.representations.IDToken) KeycloakIdentity(org.keycloak.authorization.common.KeycloakIdentity) Objects(java.util.Objects) List(java.util.List) ScopeStore(org.keycloak.authorization.store.ScopeStore) ServiceAccountConstants(org.keycloak.common.constants.ServiceAccountConstants) Response(javax.ws.rs.core.Response) Details(org.keycloak.events.Details) DefaultEvaluationContext(org.keycloak.authorization.common.DefaultEvaluationContext) RootAuthenticationSessionModel(org.keycloak.sessions.RootAuthenticationSessionModel) Entry(java.util.Map.Entry) OIDCLoginProtocol(org.keycloak.protocol.oidc.OIDCLoginProtocol) ClientModel(org.keycloak.models.ClientModel) Scope(org.keycloak.authorization.model.Scope) KeycloakModelUtils(org.keycloak.models.utils.KeycloakModelUtils) Permission(org.keycloak.representations.idm.authorization.Permission) Logger(org.jboss.logging.Logger) StoreFactory(org.keycloak.authorization.store.StoreFactory) AtomicBoolean(java.util.concurrent.atomic.AtomicBoolean) HashMap(java.util.HashMap) RefreshToken(org.keycloak.representations.RefreshToken) TokenManager(org.keycloak.protocol.oidc.TokenManager) HttpMethod(javax.ws.rs.HttpMethod) ArrayList(java.util.ArrayList) PermissionTicket(org.keycloak.authorization.model.PermissionTicket) HashSet(java.util.HashSet) LinkedHashMap(java.util.LinkedHashMap) UserModel(org.keycloak.models.UserModel) ClientSessionContext(org.keycloak.models.ClientSessionContext) EventBuilder(org.keycloak.events.EventBuilder) OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper) PermissionTicketToken(org.keycloak.representations.idm.authorization.PermissionTicketToken) Cors(org.keycloak.services.resources.Cors) Status(javax.ws.rs.core.Response.Status) Base64Url(org.keycloak.common.util.Base64Url) ResourceServer(org.keycloak.authorization.model.ResourceServer) Errors(org.keycloak.events.Errors) Authorization(org.keycloak.representations.AccessToken.Authorization) KeycloakSession(org.keycloak.models.KeycloakSession) HttpRequest(org.jboss.resteasy.spi.HttpRequest) UserSessionModel(org.keycloak.models.UserSessionModel) AuthorizationResponse(org.keycloak.representations.idm.authorization.AuthorizationResponse) JsonSerialization(org.keycloak.util.JsonSerialization) EvaluationContext(org.keycloak.authorization.policy.evaluation.EvaluationContext) ResourceServerStore(org.keycloak.authorization.store.ResourceServerStore) Urls(org.keycloak.services.Urls) AccessTokenResponseBuilder(org.keycloak.protocol.oidc.TokenManager.AccessTokenResponseBuilder) Resource(org.keycloak.authorization.model.Resource) PermissionTicket(org.keycloak.authorization.model.PermissionTicket) Scope(org.keycloak.authorization.model.Scope) Resource(org.keycloak.authorization.model.Resource) ArrayList(java.util.ArrayList) CorsErrorResponseException(org.keycloak.services.CorsErrorResponseException) ResourcePermission(org.keycloak.authorization.permission.ResourcePermission)

Aggregations

StoreFactory (org.keycloak.authorization.store.StoreFactory)61 AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)33 ResourceServer (org.keycloak.authorization.model.ResourceServer)32 Policy (org.keycloak.authorization.model.Policy)31 Resource (org.keycloak.authorization.model.Resource)26 ClientModel (org.keycloak.models.ClientModel)21 Scope (org.keycloak.authorization.model.Scope)20 PolicyStore (org.keycloak.authorization.store.PolicyStore)20 Map (java.util.Map)19 List (java.util.List)17 ResourceStore (org.keycloak.authorization.store.ResourceStore)17 Path (javax.ws.rs.Path)15 Produces (javax.ws.rs.Produces)15 ArrayList (java.util.ArrayList)14 EnumMap (java.util.EnumMap)12 HashMap (java.util.HashMap)12 GET (javax.ws.rs.GET)12 KeycloakSession (org.keycloak.models.KeycloakSession)11 UserModel (org.keycloak.models.UserModel)11 JSPolicyRepresentation (org.keycloak.representations.idm.authorization.JSPolicyRepresentation)11