
Example 1 with EnforcementMode

Use of org.keycloak.representations.adapters.config.PolicyEnforcerConfig.EnforcementMode in the project keycloak by keycloak.

The authorize method of the class AbstractPolicyEnforcer. The method decides, per request, whether the policy enforcer grants access, sends a challenge, or returns an access-denied response, based on the global enforcement mode and the per-path configuration.

public AuthorizationContext authorize(OIDCHttpFacade httpFacade) {
    EnforcementMode enforcementMode = getEnforcerConfig().getEnforcementMode();
    KeycloakSecurityContext securityContext = httpFacade.getSecurityContext();

    // Global DISABLED mode: no permission checks are performed at all. A missing
    // security context still produces a 401, but the returned context is granted.
    if (EnforcementMode.DISABLED.equals(enforcementMode)) {
        if (securityContext == null) {
            httpFacade.getResponse().sendError(401, "Invalid bearer");
        }
        return createEmptyAuthorizationContext(true);
    }

    Request request = httpFacade.getRequest();
    PathConfig pathConfig = getPathConfig(request);

    // Unauthenticated request: either the path is itself DISABLED (granted),
    // or the client is challenged (known path) / denied (unknown path).
    if (securityContext == null) {
        if (!isDefaultAccessDeniedUri(request)) {
            if (pathConfig != null) {
                if (EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
                    return createEmptyAuthorizationContext(true);
                } else {
                    challenge(pathConfig, getRequiredScopes(pathConfig, request), httpFacade);
                }
            } else {
                handleAccessDenied(httpFacade);
            }
        }
        return createEmptyAuthorizationContext(false);
    }

    AccessToken accessToken = securityContext.getToken();
    if (accessToken != null) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debugf("Checking permissions for path [%s] with config [%s].", request.getURI(), pathConfig);
        }

        // No configuration for this path: PERMISSIVE grants access, ENFORCING
        // denies it (unless the request targets the access-denied URI itself).
        if (pathConfig == null) {
            if (EnforcementMode.PERMISSIVE.equals(enforcementMode)) {
                return createAuthorizationContext(accessToken, null);
            }
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debugf("Could not find a configuration for path [%s]", getPath(request));
            }
            if (isDefaultAccessDeniedUri(request)) {
                return createAuthorizationContext(accessToken, null);
            }
            handleAccessDenied(httpFacade);
            return createEmptyAuthorizationContext(false);
        }

        // Per-path DISABLED mode: grant without evaluating permissions.
        if (EnforcementMode.DISABLED.equals(pathConfig.getEnforcementMode())) {
            return createAuthorizationContext(accessToken, pathConfig);
        }

        // Evaluate the permissions required for this path and HTTP method.
        MethodConfig methodConfig = getRequiredScopes(pathConfig, request);
        Map<String, List<String>> claims = resolveClaims(pathConfig, httpFacade);
        if (isAuthorized(pathConfig, methodConfig, accessToken, httpFacade, claims)) {
            try {
                return createAuthorizationContext(accessToken, pathConfig);
            } catch (Exception e) {
                throw new RuntimeException("Error processing path [" + pathConfig.getPath() + "].", e);
            }
        }

        // Not authorized, but scope enforcement is disabled for this method: grant anyway.
        if (methodConfig != null && ScopeEnforcementMode.DISABLED.equals(methodConfig.getScopesEnforcementMode())) {
            return createEmptyAuthorizationContext(true);
        }

        // Not authorized: challenge the client, falling back to a forbidden response.
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debugf("Sending challenge to the client. Path [%s]", pathConfig);
        }
        if (!challenge(pathConfig, methodConfig, httpFacade)) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debugf("Challenge not sent, sending default forbidden response. Path [%s]", pathConfig);
            }
            handleAccessDenied(httpFacade);
        }
    }
    return createEmptyAuthorizationContext(false);
}
Also used:
MethodConfig (org.keycloak.representations.adapters.config.PolicyEnforcerConfig.MethodConfig)
PathConfig (org.keycloak.representations.adapters.config.PolicyEnforcerConfig.PathConfig)
KeycloakSecurityContext (org.keycloak.KeycloakSecurityContext)
AccessToken (org.keycloak.representations.AccessToken)
ScopeEnforcementMode (org.keycloak.representations.adapters.config.PolicyEnforcerConfig.ScopeEnforcementMode)
EnforcementMode (org.keycloak.representations.adapters.config.PolicyEnforcerConfig.EnforcementMode)
Request (org.keycloak.adapters.spi.HttpFacade.Request)
ArrayList (java.util.ArrayList)
List (java.util.List)
