use of org.keycloak.models.RoleModel in project keycloak by keycloak.
the class OpenshiftSAClientAdapter method createClientScope.
private ClientScopeModel createClientScope(String scope) {
ClientScopeModel managedScope = realm.getClientScopesStream().filter(scopeModel -> Objects.equals(scopeModel.getName(), scope)).findAny().orElse(null);
if (managedScope != null) {
return managedScope;
}
Map<String, String> attributes = new HashMap<>();
attributes.put(ClientScopeModel.DISPLAY_ON_CONSENT_SCREEN, Boolean.valueOf(isConsentRequired()).toString());
if (component.get(OpenshiftClientStorageProviderFactory.CONFIG_PROPERTY_DISPLAY_SCOPE_CONSENT_TEXT, Boolean.TRUE)) {
StringBuilder consentText = new StringBuilder("${openshift.scope.");
if (scope.indexOf(':') != -1) {
consentText.append(scope.replaceFirst(":", "_"));
}
attributes.put(ClientScopeModel.CONSENT_SCREEN_TEXT, consentText.append("}").toString());
} else {
attributes.put(ClientScopeModel.CONSENT_SCREEN_TEXT, scope);
}
return new AbstractReadOnlyClientScopeAdapter() {
@Override
public String getId() {
return scope;
}
@Override
public String getName() {
return scope;
}
@Override
public RealmModel getRealm() {
return realm;
}
@Override
public String getDescription() {
return scope;
}
@Override
public String getProtocol() {
return OIDCLoginProtocol.LOGIN_PROTOCOL;
}
@Override
public String getAttribute(String name) {
return attributes.get(name);
}
@Override
public Map<String, String> getAttributes() {
return attributes;
}
@Override
public Stream<ProtocolMapperModel> getProtocolMappersStream() {
return createDefaultProtocolMappers().stream();
}
@Override
public ProtocolMapperModel getProtocolMapperById(String id) {
return null;
}
@Override
public ProtocolMapperModel getProtocolMapperByName(String protocol, String name) {
return null;
}
@Override
public Stream<RoleModel> getScopeMappingsStream() {
return Stream.empty();
}
@Override
public Stream<RoleModel> getRealmScopeMappingsStream() {
return Stream.empty();
}
@Override
public boolean hasScope(RoleModel role) {
return false;
}
};
}
use of org.keycloak.models.RoleModel in project keycloak by keycloak.
the class FineGrainAdminUnitTest method setupUsers.
public static void setupUsers(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
ClientModel client = realm.getClientByClientId(CLIENT_NAME);
RoleModel realmRole = realm.getRole("realm-role");
RoleModel realmRole2 = realm.getRole("realm-role2");
RoleModel clientRole = client.getRole("client-role");
RoleModel mapperRole = realm.getRole("mapper");
RoleModel managerRole = realm.getRole("manager");
RoleModel compositeRole = realm.getRole("composite-role");
ClientModel realmManagementClient = realm.getClientByClientId("realm-management");
RoleModel adminRole = realmManagementClient.getRole(AdminRoles.REALM_ADMIN);
RoleModel queryGroupsRole = realmManagementClient.getRole(AdminRoles.QUERY_GROUPS);
RoleModel queryUsersRole = realmManagementClient.getRole(AdminRoles.QUERY_USERS);
RoleModel queryClientsRole = realmManagementClient.getRole(AdminRoles.QUERY_CLIENTS);
UserModel nomapAdmin = session.users().addUser(realm, "nomap-admin");
nomapAdmin.setEnabled(true);
session.userCredentialManager().updateCredential(realm, nomapAdmin, UserCredentialModel.password("password"));
nomapAdmin.grantRole(adminRole);
UserModel anotherAdmin = session.users().addUser(realm, "anotherAdmin");
anotherAdmin.setEnabled(true);
session.userCredentialManager().updateCredential(realm, anotherAdmin, UserCredentialModel.password("password"));
anotherAdmin.grantRole(adminRole);
UserModel authorizedUser = session.users().addUser(realm, "authorized");
authorizedUser.setEnabled(true);
session.userCredentialManager().updateCredential(realm, authorizedUser, UserCredentialModel.password("password"));
authorizedUser.grantRole(mapperRole);
authorizedUser.grantRole(managerRole);
UserModel authorizedComposite = session.users().addUser(realm, "authorizedComposite");
authorizedComposite.setEnabled(true);
session.userCredentialManager().updateCredential(realm, authorizedComposite, UserCredentialModel.password("password"));
authorizedComposite.grantRole(compositeRole);
UserModel unauthorizedUser = session.users().addUser(realm, "unauthorized");
unauthorizedUser.setEnabled(true);
session.userCredentialManager().updateCredential(realm, unauthorizedUser, UserCredentialModel.password("password"));
UserModel unauthorizedMapper = session.users().addUser(realm, "unauthorizedMapper");
unauthorizedMapper.setEnabled(true);
session.userCredentialManager().updateCredential(realm, unauthorizedMapper, UserCredentialModel.password("password"));
unauthorizedMapper.grantRole(managerRole);
UserModel user1 = session.users().addUser(realm, "user1");
user1.setEnabled(true);
// group management
AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
GroupModel group = KeycloakModelUtils.findGroupByPath(realm, "top");
UserModel groupMember = session.users().addUser(realm, "groupMember");
groupMember.joinGroup(group);
groupMember.setEnabled(true);
UserModel groupManager = session.users().addUser(realm, "groupManager");
groupManager.grantRole(queryGroupsRole);
groupManager.grantRole(queryUsersRole);
groupManager.setEnabled(true);
groupManager.grantRole(mapperRole);
session.userCredentialManager().updateCredential(realm, groupManager, UserCredentialModel.password("password"));
UserModel groupManagerNoMapper = session.users().addUser(realm, "noMapperGroupManager");
groupManagerNoMapper.setEnabled(true);
session.userCredentialManager().updateCredential(realm, groupManagerNoMapper, UserCredentialModel.password("password"));
groupManagerNoMapper.grantRole(queryGroupsRole);
groupManagerNoMapper.grantRole(queryUsersRole);
UserPolicyRepresentation groupManagerRep = new UserPolicyRepresentation();
groupManagerRep.setName("groupManagers");
groupManagerRep.addUser("groupManager");
groupManagerRep.addUser("noMapperGroupManager");
ResourceServer server = permissions.realmResourceServer();
Policy groupManagerPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(groupManagerRep, server);
permissions.groups().manageMembersPermission(group).addAssociatedPolicy(groupManagerPolicy);
permissions.groups().manageMembershipPermission(group).addAssociatedPolicy(groupManagerPolicy);
permissions.groups().viewPermission(group).addAssociatedPolicy(groupManagerPolicy);
UserModel clientMapper = session.users().addUser(realm, "clientMapper");
clientMapper.setEnabled(true);
clientMapper.grantRole(managerRole);
clientMapper.grantRole(queryUsersRole);
session.userCredentialManager().updateCredential(realm, clientMapper, UserCredentialModel.password("password"));
Policy clientMapperPolicy = permissions.clients().mapRolesPermission(client);
UserPolicyRepresentation userRep = new UserPolicyRepresentation();
userRep.setName("userClientMapper");
userRep.addUser("clientMapper");
Policy userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client));
clientMapperPolicy.addAssociatedPolicy(userPolicy);
UserModel clientManager = session.users().addUser(realm, "clientManager");
clientManager.setEnabled(true);
clientManager.grantRole(queryClientsRole);
session.userCredentialManager().updateCredential(realm, clientManager, UserCredentialModel.password("password"));
Policy clientManagerPolicy = permissions.clients().managePermission(client);
userRep = new UserPolicyRepresentation();
userRep.setName("clientManager");
userRep.addUser("clientManager");
userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client));
clientManagerPolicy.addAssociatedPolicy(userPolicy);
UserModel clientConfigurer = session.users().addUser(realm, "clientConfigurer");
clientConfigurer.setEnabled(true);
clientConfigurer.grantRole(queryClientsRole);
session.userCredentialManager().updateCredential(realm, clientConfigurer, UserCredentialModel.password("password"));
Policy clientConfigurePolicy = permissions.clients().configurePermission(client);
userRep = new UserPolicyRepresentation();
userRep.setName("clientConfigure");
userRep.addUser("clientConfigurer");
userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client));
clientConfigurePolicy.addAssociatedPolicy(userPolicy);
UserModel groupViewer = session.users().addUser(realm, "groupViewer");
groupViewer.grantRole(queryGroupsRole);
groupViewer.grantRole(queryUsersRole);
groupViewer.setEnabled(true);
session.userCredentialManager().updateCredential(realm, groupViewer, UserCredentialModel.password("password"));
UserPolicyRepresentation groupViewMembersRep = new UserPolicyRepresentation();
groupViewMembersRep.setName("groupMemberViewers");
groupViewMembersRep.addUser("groupViewer");
Policy groupViewMembersPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(groupViewMembersRep, server);
Policy groupViewMembersPermission = permissions.groups().viewMembersPermission(group);
groupViewMembersPermission.addAssociatedPolicy(groupViewMembersPolicy);
}
use of org.keycloak.models.RoleModel in project keycloak by keycloak.
the class FineGrainAdminUnitTest method setupPolices.
public static void setupPolices(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
AdminPermissionManagement permissions = AdminPermissions.management(session, realm);
RoleModel realmRole = realm.addRole("realm-role");
RoleModel realmRole2 = realm.addRole("realm-role2");
ClientModel client1 = realm.addClient(CLIENT_NAME);
realm.addClientScope("scope");
client1.setFullScopeAllowed(false);
RoleModel client1Role = client1.addRole("client-role");
GroupModel group = realm.createGroup("top");
RoleModel mapperRole = realm.addRole("mapper");
RoleModel managerRole = realm.addRole("manager");
RoleModel compositeRole = realm.addRole("composite-role");
compositeRole.addCompositeRole(mapperRole);
compositeRole.addCompositeRole(managerRole);
// realm-role and application.client-role will have a role policy associated with their map-role permission
{
permissions.roles().setPermissionsEnabled(client1Role, true);
Policy mapRolePermission = permissions.roles().mapRolePermission(client1Role);
ResourceServer server = permissions.roles().resourceServer(client1Role);
Policy mapperPolicy = permissions.roles().rolePolicy(server, mapperRole);
mapRolePermission.addAssociatedPolicy(mapperPolicy);
}
{
permissions.roles().setPermissionsEnabled(realmRole, true);
Policy mapRolePermission = permissions.roles().mapRolePermission(realmRole);
ResourceServer server = permissions.roles().resourceServer(realmRole);
Policy mapperPolicy = permissions.roles().rolePolicy(server, mapperRole);
mapRolePermission.addAssociatedPolicy(mapperPolicy);
}
// realmRole2 will have an empty map-role policy
{
permissions.roles().setPermissionsEnabled(realmRole2, true);
}
// setup Users manage policies
{
permissions.users().setPermissionsEnabled(true);
ResourceServer server = permissions.realmResourceServer();
Policy managerPolicy = permissions.roles().rolePolicy(server, managerRole);
Policy permission = permissions.users().managePermission();
permission.addAssociatedPolicy(managerPolicy);
permission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
}
{
permissions.groups().setPermissionsEnabled(group, true);
}
{
permissions.clients().setPermissionsEnabled(client1, true);
}
// setup Users impersonate policy
{
ClientModel realmManagementClient = realm.getClientByClientId("realm-management");
RoleModel adminRole = realmManagementClient.getRole(AdminRoles.REALM_ADMIN);
permissions.users().setPermissionsEnabled(true);
ResourceServer server = permissions.realmResourceServer();
Policy adminPolicy = permissions.roles().rolePolicy(server, adminRole);
adminPolicy.setLogic(Logic.NEGATIVE);
Policy permission = permissions.users().userImpersonatedPermission();
permission.addAssociatedPolicy(adminPolicy);
permission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
}
}
use of org.keycloak.models.RoleModel in project keycloak by keycloak.
the class FineGrainAdminUnitTest method setupDeleteTest.
// testRestEvaluationMasterRealm
// testRestEvaluationMasterAdminTestRealm
// test role deletion that it cleans up authz objects
public static void setupDeleteTest(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
RoleModel removedRole = realm.addRole("removedRole");
ClientModel client = realm.addClient("removedClient");
RoleModel removedClientRole = client.addRole("removedClientRole");
GroupModel removedGroup = realm.createGroup("removedGroup");
AdminPermissionManagement management = AdminPermissions.management(session, realm);
management.roles().setPermissionsEnabled(removedRole, true);
management.roles().setPermissionsEnabled(removedClientRole, true);
management.groups().setPermissionsEnabled(removedGroup, true);
management.clients().setPermissionsEnabled(client, true);
management.users().setPermissionsEnabled(true);
}
use of org.keycloak.models.RoleModel in project keycloak by keycloak.
the class FineGrainAdminUnitTest method setup5152.
public static void setup5152(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
RoleModel realmAdminRole = realmAdminClient.getRole(AdminRoles.REALM_ADMIN);
UserModel realmUser = session.users().addUser(realm, "realm-admin");
realmUser.grantRole(realmAdminRole);
realmUser.setEnabled(true);
session.userCredentialManager().updateCredential(realm, realmUser, UserCredentialModel.password("password"));
}
Aggregations