
Example 16 with ClientModel


the class RoleByIdResource method getClientRoleComposites.

/**
 * Lists the client-level roles of client {@code clientUuid} that are members of
 * the composite role {@code id}.
 *
 * @param id         id of the composite role being inspected
 * @param clientUuid internal id of the client (the value {@code realm.getClientById}
 *                   expects, not the human-readable clientId)
 * @return the matching client roles as representations
 * @throws NotFoundException if no client with {@code clientUuid} exists in this realm
 */
@Path("{role-id}/composites/clients/{clientUuid}")
@GET
@NoCache
@Produces(MediaType.APPLICATION_JSON)
public Stream<RoleRepresentation> getClientRoleComposites(@PathParam("role-id") final String id, @PathParam("clientUuid") final String clientUuid) {
    RoleModel composite = getRoleModel(id);
    // Authorization first: the client lookup below must not run for a caller who
    // may not view this role, so the 404 never doubles as an existence probe.
    auth.roles().requireView(composite);
    ClientModel targetClient = realm.getClientById(clientUuid);
    if (targetClient == null) {
        throw new NotFoundException("Could not find client");
    }
    return getClientRoleComposites(targetClient, composite);
}

Example 17 with ClientModel


the class DefaultClientSessionContext method loadRoles.

private Set<RoleModel> loadRoles() {
    UserModel user = clientSession.getUserSession().getUser();
    ClientModel client = clientSession.getClient();
    return TokenManager.getAccess(user, client, getClientScopesStream());
}

Example 18 with ClientModel


the class RolePermissions method canMapRole.

/**
 * Decides whether the current admin may map {@code role} to a user or group.
 *
 * The checks run in this fixed order:
 * <ol>
 *   <li>an admin with the default manage-users permission only has to pass
 *       {@code checkAdminRoles};</li>
 *   <li>an admin from another realm is always refused;</li>
 *   <li>a client role is grantable when the admin may map roles on the owning
 *       client — this path does not call {@code checkAdminRoles};</li>
 *   <li>otherwise the fine-grained "map-role" permission on the role's resource
 *       is evaluated, and only a positive decision reaches {@code checkAdminRoles}.</li>
 * </ol>
 *
 * @param role the role the admin wants to map
 * @return {@code true} if the mapping is permitted
 */
@Override
public boolean canMapRole(RoleModel role) {
    if (root.users().canManageDefault()) {
        return checkAdminRoles(role);
    }
    if (!root.isAdminSameRealm()) {
        return false;
    }
    if (role.getContainer() instanceof ClientModel
            && root.clients().canMapRoles((ClientModel) role.getContainer())) {
        // NOTE(review): unlike the other two success paths this one does not go
        // through checkAdminRoles(role); confirm that is intended when the owning
        // client is the realm's admin (realm-management) client.
        return true;
    }
    if (!isPermissionsEnabled(role)) {
        return false;
    }
    ResourceServer server = resourceServer(role);
    if (server == null) {
        return false;
    }
    Policy mapRolePolicy = authz.getStoreFactory().getPolicyStore()
            .findByName(getMapRolePermissionName(role), server.getId());
    // A permission that is missing or has no policies attached denies; it never falls open.
    if (mapRolePolicy == null || mapRolePolicy.getAssociatedPolicies().isEmpty()) {
        return false;
    }
    boolean granted = root.evaluatePermission(resource(role), server, mapRoleScope(server));
    return granted && checkAdminRoles(role);
}

Example 19 with ClientModel


the class ClientTokenExchangeSAML2Test method addDirectExchanger.

/**
 * Test fixture: registers a confidential OIDC client "direct-exchanger" that is
 * allowed to impersonate users (for token exchange against the SAML target
 * clients) and a user it can impersonate.
 *
 * The literal client secret and user password are test-only values; this setup
 * must not be copied into non-test code.
 *
 * @param session session bound to the test realm
 */
private static void addDirectExchanger(KeycloakSession session) {
    RealmModel realm = session.realms().getRealmByName(TEST);
    RoleModel exampleRole = realm.addRole("example");
    AdminPermissionManagement permissions = AdminPermissions.management(session, realm);

    ClientModel exchanger = realm.addClient("direct-exchanger");
    exchanger.setName("direct-exchanger");
    exchanger.setClientId("direct-exchanger");
    exchanger.setPublicClient(false); // confidential client: authenticates with the secret below
    exchanger.setDirectAccessGrantsEnabled(true);
    exchanger.setEnabled(true);
    exchanger.setSecret("secret");
    exchanger.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    exchanger.setFullScopeAllowed(false);

    // Enable fine-grained permissions on each SAML target the exchanger may exchange into.
    String[] targets = {
            SAML_SIGNED_TARGET,
            SAML_ENCRYPTED_TARGET,
            SAML_SIGNED_AND_ENCRYPTED_TARGET,
            SAML_UNSIGNED_AND_UNENCRYPTED_TARGET
    };
    for (String target : targets) {
        permissions.clients().setPermissionsEnabled(realm.getClientByClientId(target), true);
    }

    // A client policy naming only the exchanger, attached to the realm-level
    // impersonation permission with the AFFIRMATIVE decision strategy.
    ClientPolicyRepresentation impersonators = new ClientPolicyRepresentation();
    impersonators.setName("clientImpersonatorsDirect");
    impersonators.addClient(exchanger.getId());
    ResourceServer realmServer = permissions.realmResourceServer();
    Policy impersonatePolicy = permissions.authz().getStoreFactory().getPolicyStore().create(impersonators, realmServer);
    permissions.users().setPermissionsEnabled(true);
    permissions.users().adminImpersonatingPermission().addAssociatedPolicy(impersonatePolicy);
    permissions.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);

    UserModel impersonated = session.users().addUser(realm, "impersonated-user");
    impersonated.setEnabled(true);
    session.userCredentialManager().updateCredential(realm, impersonated, UserCredentialModel.password("password"));
    impersonated.grantRole(exampleRole);
}

Example 20 with ClientModel


the class MapUserConsentEntity method toModel.

/**
 * Converts a persisted consent entity into a {@link UserConsentModel}.
 *
 * @param realm  realm that owns the client the consent was granted to
 * @param entity stored consent; may be {@code null}
 * @return the model, or {@code null} when {@code entity} is {@code null}
 * @throws ModelException if the consented client cannot be found in {@code realm}
 */
public static UserConsentModel toModel(RealmModel realm, MapUserConsentEntity entity) {
    if (entity == null) {
        return null;
    }
    ClientModel client = realm.getClientById(entity.getClientId());
    if (client == null) {
        throw new ModelException("Client with id " + entity.getClientId() + " is not available");
    }
    UserConsentModel consent = new UserConsentModel(client);
    consent.setCreatedDate(entity.getCreatedDate());
    consent.setLastUpdatedDate(entity.getLastUpdatedDate());
    Set<String> scopeIds = entity.getGrantedClientScopesIds();
    if (scopeIds != null) {
        // Scope ids that no longer resolve are dropped silently rather than failing
        // the whole consent; the stored record itself is not modified here.
        scopeIds.stream()
                .map(scopeId -> KeycloakModelUtils.findClientScopeById(realm, client, scopeId))
                .filter(Objects::nonNull)
                .forEach(consent::addGrantedClientScope);
    }
    return consent;
}
