Examples with PolicyEvaluationResponse org.keycloak.representations.idm.authorization.PolicyEvaluationResponse used on opensource projects

Search in sources :

Example 1 with PolicyEvaluationResponse

use of org.keycloak.representations.idm.authorization.PolicyEvaluationResponse in project keycloak by keycloak.

the class PolicyEvaluationResponseBuilder method build.

public static PolicyEvaluationResponse build(PolicyEvaluationService.EvaluationDecisionCollector decision, ResourceServer resourceServer, AuthorizationProvider authorization, KeycloakIdentity identity) {
    PolicyEvaluationResponse response = new PolicyEvaluationResponse();
    List<PolicyEvaluationResponse.EvaluationResultRepresentation> resultsRep = new ArrayList<>();
    AccessToken accessToken = identity.getAccessToken();
    AccessToken.Authorization authorizationData = new AccessToken.Authorization();
    authorizationData.setPermissions(decision.results());
    accessToken.setAuthorization(authorizationData);
    ClientModel clientModel = authorization.getRealm().getClientById(resourceServer.getId());
    if (!accessToken.hasAudience(clientModel.getClientId())) {
        accessToken.audience(clientModel.getClientId());
    }
    response.setRpt(accessToken);
    Collection<Result> results = decision.getResults();
    if (results.stream().anyMatch(evaluationResult -> evaluationResult.getEffect().equals(Decision.Effect.DENY))) {
        response.setStatus(DecisionEffect.DENY);
    } else {
        response.setStatus(DecisionEffect.PERMIT);
    }
    for (Result result : results) {
        PolicyEvaluationResponse.EvaluationResultRepresentation rep = new PolicyEvaluationResponse.EvaluationResultRepresentation();
        if (result.getEffect() == Decision.Effect.DENY) {
            rep.setStatus(DecisionEffect.DENY);
        } else {
            rep.setStatus(DecisionEffect.PERMIT);
        }
        resultsRep.add(rep);
        if (result.getPermission().getResource() != null) {
            ResourceRepresentation resource = new ResourceRepresentation();
            resource.setId(result.getPermission().getResource().getId());
            resource.setName(result.getPermission().getResource().getName());
            rep.setResource(resource);
        } else {
            ResourceRepresentation resource = new ResourceRepresentation();
            resource.setName("Any Resource with Scopes " + result.getPermission().getScopes().stream().map(Scope::getName).collect(Collectors.toList()));
            rep.setResource(resource);
        }
        rep.setScopes(result.getPermission().getScopes().stream().map(scope -> {
            ScopeRepresentation representation = new ScopeRepresentation();
            representation.setId(scope.getId());
            representation.setName(scope.getName());
            return representation;
        }).collect(Collectors.toList()));
        List<PolicyEvaluationResponse.PolicyResultRepresentation> policies = new ArrayList<>();
        for (Result.PolicyResult policy : result.getResults()) {
            PolicyResultRepresentation policyRep = toRepresentation(policy, authorization);
            if ("resource".equals(policy.getPolicy().getType())) {
                policyRep.getPolicy().setScopes(result.getPermission().getResource().getScopes().stream().map(Scope::getName).collect(Collectors.toSet()));
            }
            policies.add(policyRep);
        }
        rep.setPolicies(policies);
    }
    resultsRep.sort(Comparator.comparing(o -> o.getResource().getName()));
    Map<String, PolicyEvaluationResponse.EvaluationResultRepresentation> groupedResults = new HashMap<>();
    resultsRep.forEach(evaluationResultRepresentation -> {
        PolicyEvaluationResponse.EvaluationResultRepresentation result = groupedResults.get(evaluationResultRepresentation.getResource().getId());
        ResourceRepresentation resource = evaluationResultRepresentation.getResource();
        if (result == null) {
            groupedResults.put(resource.getId(), evaluationResultRepresentation);
            result = evaluationResultRepresentation;
        }
        if (result.getStatus().equals(DecisionEffect.PERMIT) || (evaluationResultRepresentation.getStatus().equals(DecisionEffect.PERMIT) && result.getStatus().equals(DecisionEffect.DENY))) {
            result.setStatus(DecisionEffect.PERMIT);
        }
        List<ScopeRepresentation> scopes = result.getScopes();
        if (DecisionEffect.PERMIT.equals(result.getStatus())) {
            result.setAllowedScopes(scopes);
        }
        if (resource.getId() != null) {
            if (!scopes.isEmpty()) {
                result.getResource().setName(evaluationResultRepresentation.getResource().getName() + " with scopes " + scopes.stream().flatMap((Function<ScopeRepresentation, Stream<?>>) scopeRepresentation -> Arrays.asList(scopeRepresentation.getName()).stream()).collect(Collectors.toList()));
            } else {
                result.getResource().setName(evaluationResultRepresentation.getResource().getName());
            }
        } else {
            result.getResource().setName("Any Resource with Scopes " + scopes.stream().flatMap((Function<ScopeRepresentation, Stream<?>>) scopeRepresentation -> Arrays.asList(scopeRepresentation.getName()).stream()).collect(Collectors.toList()));
        }
        List<PolicyEvaluationResponse.PolicyResultRepresentation> policies = result.getPolicies();
        for (PolicyEvaluationResponse.PolicyResultRepresentation policy : new ArrayList<>(evaluationResultRepresentation.getPolicies())) {
            if (!policies.contains(policy)) {
                policies.add(policy);
            }
        }
    });
    response.setResults(groupedResults.values().stream().collect(Collectors.toList()));
    return response;
}
Also used : ClientModel(org.keycloak.models.ClientModel) Scope(org.keycloak.authorization.model.Scope) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) Arrays(java.util.Arrays) PolicyResultRepresentation(org.keycloak.representations.idm.authorization.PolicyEvaluationResponse.PolicyResultRepresentation) HashMap(java.util.HashMap) Function(java.util.function.Function) PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) PermissionTicket(org.keycloak.authorization.model.PermissionTicket) ArrayList(java.util.ArrayList) PolicyEvaluationService(org.keycloak.authorization.admin.PolicyEvaluationService) UserModel(org.keycloak.models.UserModel) AccessToken(org.keycloak.representations.AccessToken) Map(java.util.Map) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) AuthorizationProvider(org.keycloak.authorization.AuthorizationProvider) ResourceServer(org.keycloak.authorization.model.ResourceServer) RealmModel(org.keycloak.models.RealmModel) EnumMap(java.util.EnumMap) Collection(java.util.Collection) KeycloakSession(org.keycloak.models.KeycloakSession) Set(java.util.Set) Decision(org.keycloak.authorization.Decision) Collectors(java.util.stream.Collectors) KeycloakIdentity(org.keycloak.authorization.common.KeycloakIdentity) Policy(org.keycloak.authorization.model.Policy) List(java.util.List) Stream(java.util.stream.Stream) Result(org.keycloak.authorization.policy.evaluation.Result) PolicyEvaluationResponse(org.keycloak.representations.idm.authorization.PolicyEvaluationResponse) DecisionEffect(org.keycloak.representations.idm.authorization.DecisionEffect) Comparator(java.util.Comparator) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) PolicyResultRepresentation(org.keycloak.representations.idm.authorization.PolicyEvaluationResponse.PolicyResultRepresentation) Result(org.keycloak.authorization.policy.evaluation.Result) ResourceRepresentation(org.keycloak.representations.idm.authorization.ResourceRepresentation) ClientModel(org.keycloak.models.ClientModel) Function(java.util.function.Function) Scope(org.keycloak.authorization.model.Scope) AccessToken(org.keycloak.representations.AccessToken) PolicyEvaluationResponse(org.keycloak.representations.idm.authorization.PolicyEvaluationResponse) ScopeRepresentation(org.keycloak.representations.idm.authorization.ScopeRepresentation) PolicyResultRepresentation(org.keycloak.representations.idm.authorization.PolicyEvaluationResponse.PolicyResultRepresentation)

Example 2 with PolicyEvaluationResponse

use of org.keycloak.representations.idm.authorization.PolicyEvaluationResponse in project keycloak by keycloak.

the class PolicyEvaluationCompositeRoleTest method testCreate.

@Test
public void testCreate() throws Exception {
    testingClient.server().run(PolicyEvaluationCompositeRoleTest::setup);
    RealmResource realm = adminClient.realm(TEST);
    String resourceServerId = realm.clients().findByClientId("myclient").get(0).getId();
    UserRepresentation user = realm.users().search("user").get(0);
    PolicyEvaluationRequest request = new PolicyEvaluationRequest();
    request.setUserId(user.getId());
    request.setClientId(resourceServerId);
    request.addResource("myresource", "myscope");
    PolicyEvaluationResponse result = realm.clients().get(resourceServerId).authorization().policies().evaluate(request);
    Assert.assertEquals(result.getStatus(), DecisionEffect.PERMIT);
}
Also used : RealmResource(org.keycloak.admin.client.resource.RealmResource) PolicyEvaluationResponse(org.keycloak.representations.idm.authorization.PolicyEvaluationResponse) PolicyEvaluationRequest(org.keycloak.representations.idm.authorization.PolicyEvaluationRequest) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) Test(org.junit.Test)

Example 3 with PolicyEvaluationResponse

use of org.keycloak.representations.idm.authorization.PolicyEvaluationResponse in project keycloak by keycloak.

the class DeployedScriptPolicyTest method testCreatePermission.

@Test
public void testCreatePermission() {
    AuthorizationResource authorization = getAuthorizationResource();
    PolicyRepresentation grantPolicy = new PolicyRepresentation();
    grantPolicy.setName("Grant Policy");
    grantPolicy.setType("script-policy-grant.js");
    authorization.policies().create(grantPolicy).close();
    PolicyRepresentation denyPolicy = new PolicyRepresentation();
    denyPolicy.setName("Deny Policy");
    denyPolicy.setType("script-policy-deny.js");
    authorization.policies().create(denyPolicy).close();
    PermissionsResource permissions = authorization.permissions();
    ResourcePermissionRepresentation permission = new ResourcePermissionRepresentation();
    permission.setName("Test Deployed JS Permission");
    permission.addResource("Default Resource");
    permission.addPolicy(grantPolicy.getName());
    permissions.resource().create(permission).close();
    PolicyEvaluationRequest request = new PolicyEvaluationRequest();
    request.setUserId("marta");
    request.addResource("Default Resource");
    PolicyEvaluationResponse response = authorization.policies().evaluate(request);
    assertEquals(DecisionEffect.PERMIT, response.getStatus());
    permission = permissions.resource().findByName(permission.getName());
    permission.addPolicy(denyPolicy.getName());
    permissions.resource().findById(permission.getId()).update(permission);
    response = authorization.policies().evaluate(request);
    assertEquals(DecisionEffect.DENY, response.getStatus());
    permission.addPolicy(grantPolicy.getName());
    permissions.resource().findById(permission.getId()).update(permission);
    response = authorization.policies().evaluate(request);
    assertEquals(DecisionEffect.DENY, response.getStatus());
    permission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
    permissions.resource().findById(permission.getId()).update(permission);
    response = authorization.policies().evaluate(request);
    assertEquals(DecisionEffect.PERMIT, response.getStatus());
}
Also used : PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) JSPolicyRepresentation(org.keycloak.representations.idm.authorization.JSPolicyRepresentation) PermissionsResource(org.keycloak.admin.client.resource.PermissionsResource) PolicyEvaluationResponse(org.keycloak.representations.idm.authorization.PolicyEvaluationResponse) PolicyEvaluationRequest(org.keycloak.representations.idm.authorization.PolicyEvaluationRequest) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) ResourcePermissionRepresentation(org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation) Test(org.junit.Test) AbstractAuthzTest(org.keycloak.testsuite.authz.AbstractAuthzTest)

Aggregations

PolicyEvaluationResponse (org.keycloak.representations.idm.authorization.PolicyEvaluationResponse)3 Test (org.junit.Test)2 PolicyEvaluationRequest (org.keycloak.representations.idm.authorization.PolicyEvaluationRequest)2 PolicyRepresentation (org.keycloak.representations.idm.authorization.PolicyRepresentation)2 ArrayList (java.util.ArrayList)1 Arrays (java.util.Arrays)1 Collection (java.util.Collection)1 Comparator (java.util.Comparator)1 EnumMap (java.util.EnumMap)1 HashMap (java.util.HashMap)1 List (java.util.List)1 Map (java.util.Map)1 Set (java.util.Set)1 Function (java.util.function.Function)1 Collectors (java.util.stream.Collectors)1 Stream (java.util.stream.Stream)1 AuthorizationResource (org.keycloak.admin.client.resource.AuthorizationResource)1 PermissionsResource (org.keycloak.admin.client.resource.PermissionsResource)1 RealmResource (org.keycloak.admin.client.resource.RealmResource)1 AuthorizationProvider (org.keycloak.authorization.AuthorizationProvider)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial