use of org.keycloak.services.ErrorResponseException in project keycloak by keycloak.
the class OIDCClientRegistrationProvider method createOIDC.
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response createOIDC(OIDCClientRepresentation clientOIDC) {
if (clientOIDC.getClientId() != null) {
throw new ErrorResponseException(ErrorCodes.INVALID_CLIENT_METADATA, "Client Identifier included", Response.Status.BAD_REQUEST);
}
try {
ClientRepresentation client = DescriptionConverter.toInternal(session, clientOIDC);
List<String> grantTypes = clientOIDC.getGrantTypes();
if (grantTypes != null && grantTypes.contains(OAuth2Constants.UMA_GRANT_TYPE)) {
client.setAuthorizationServicesEnabled(true);
}
if (!(grantTypes == null || grantTypes.contains(OAuth2Constants.REFRESH_TOKEN))) {
OIDCAdvancedConfigWrapper.fromClientRepresentation(client).setUseRefreshToken(false);
}
OIDCClientRegistrationContext oidcContext = new OIDCClientRegistrationContext(session, client, this, clientOIDC);
client = create(oidcContext);
ClientModel clientModel = session.getContext().getRealm().getClientByClientId(client.getClientId());
updatePairwiseSubMappers(clientModel, SubjectType.parse(clientOIDC.getSubjectType()), clientOIDC.getSectorIdentifierUri());
updateClientRepWithProtocolMappers(clientModel, client);
validateClient(clientModel, clientOIDC, true);
URI uri = session.getContext().getUri().getAbsolutePathBuilder().path(client.getClientId()).build();
clientOIDC = DescriptionConverter.toExternalResponse(session, client, uri);
clientOIDC.setClientIdIssuedAt(Time.currentTime());
return Response.created(uri).entity(clientOIDC).build();
} catch (ClientRegistrationException cre) {
ServicesLogger.LOGGER.clientRegistrationException(cre.getMessage());
throw new ErrorResponseException(ErrorCodes.INVALID_CLIENT_METADATA, "Client metadata invalid", Response.Status.BAD_REQUEST);
}
}
use of org.keycloak.services.ErrorResponseException in project keycloak by keycloak.
the class OIDCClientRegistrationProvider method updateOIDC.
@PUT
@Path("{clientId}")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response updateOIDC(@PathParam("clientId") String clientId, OIDCClientRepresentation clientOIDC) {
try {
ClientRepresentation client = DescriptionConverter.toInternal(session, clientOIDC);
OIDCClientRegistrationContext oidcContext = new OIDCClientRegistrationContext(session, client, this, clientOIDC);
client = update(clientId, oidcContext);
ClientModel clientModel = session.getContext().getRealm().getClientByClientId(client.getClientId());
updatePairwiseSubMappers(clientModel, SubjectType.parse(clientOIDC.getSubjectType()), clientOIDC.getSectorIdentifierUri());
updateClientRepWithProtocolMappers(clientModel, client);
validateClient(clientModel, clientOIDC, false);
URI uri = session.getContext().getUri().getAbsolutePathBuilder().path(client.getClientId()).build();
clientOIDC = DescriptionConverter.toExternalResponse(session, client, uri);
return Response.ok(clientOIDC).build();
} catch (ClientRegistrationException cre) {
ServicesLogger.LOGGER.clientRegistrationException(cre.getMessage());
throw new ErrorResponseException(ErrorCodes.INVALID_CLIENT_METADATA, "Client metadata invalid", Response.Status.BAD_REQUEST);
}
}
use of org.keycloak.services.ErrorResponseException in project keycloak by keycloak.
the class ResourceSetService method create.
public ResourceRepresentation create(ResourceRepresentation resource) {
requireManage();
StoreFactory storeFactory = this.authorization.getStoreFactory();
ResourceOwnerRepresentation owner = resource.getOwner();
if (owner == null) {
owner = new ResourceOwnerRepresentation();
owner.setId(resourceServer.getId());
resource.setOwner(owner);
}
String ownerId = owner.getId();
if (ownerId == null) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "You must specify the resource owner.", Status.BAD_REQUEST);
}
Resource existingResource = storeFactory.getResourceStore().findByName(resource.getName(), ownerId, this.resourceServer.getId());
if (existingResource != null) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Resource with name [" + resource.getName() + "] already exists.", Status.CONFLICT);
}
return toRepresentation(toModel(resource, this.resourceServer, authorization), resourceServer.getId(), authorization);
}
use of org.keycloak.services.ErrorResponseException in project keycloak by keycloak.
the class AbstractPermissionService method verifyRequestedResource.
private List<Permission> verifyRequestedResource(List<PermissionRequest> request) {
ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
List<Permission> requestedResources = new ArrayList<>();
for (PermissionRequest permissionRequest : request) {
String resourceSetId = permissionRequest.getResourceId();
List<Resource> resources = new ArrayList<>();
if (resourceSetId == null) {
if (permissionRequest.getScopes() == null || permissionRequest.getScopes().isEmpty()) {
throw new ErrorResponseException("invalid_resource_id", "Resource id or name not provided.", Response.Status.BAD_REQUEST);
}
} else {
Resource resource = resourceStore.findById(resourceSetId, resourceServer.getId());
if (resource != null) {
resources.add(resource);
} else {
Resource userResource = resourceStore.findByName(resourceSetId, identity.getId(), this.resourceServer.getId());
if (userResource != null) {
resources.add(userResource);
}
if (!identity.isResourceServer()) {
Resource serverResource = resourceStore.findByName(resourceSetId, this.resourceServer.getId());
if (serverResource != null) {
resources.add(serverResource);
}
}
}
if (resources.isEmpty()) {
throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + resourceSetId + "] does not exists in this server.", Response.Status.BAD_REQUEST);
}
}
if (resources.isEmpty()) {
requestedResources.add(new Permission(null, verifyRequestedScopes(permissionRequest, null)));
} else {
for (Resource resource : resources) {
requestedResources.add(new Permission(resource.getId(), verifyRequestedScopes(permissionRequest, resource)));
}
}
}
return requestedResources;
}
use of org.keycloak.services.ErrorResponseException in project keycloak by keycloak.
the class PermissionTicketService method create.
@POST
@Consumes("application/json")
@Produces("application/json")
public Response create(PermissionTicketRepresentation representation) {
PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
if (representation == null)
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_permission", Response.Status.BAD_REQUEST);
if (representation.getId() != null)
throw new ErrorResponseException("invalid_permission", "created permissions should not have id", Response.Status.BAD_REQUEST);
if (representation.getResource() == null)
throw new ErrorResponseException("invalid_permission", "created permissions should have resource", Response.Status.BAD_REQUEST);
if (representation.getScope() == null && representation.getScopeName() == null)
throw new ErrorResponseException("invalid_permission", "created permissions should have scope or scopeName", Response.Status.BAD_REQUEST);
if (representation.getRequester() == null && representation.getRequesterName() == null)
throw new ErrorResponseException("invalid_permission", "created permissions should have requester or requesterName", Response.Status.BAD_REQUEST);
ResourceStore rstore = this.authorization.getStoreFactory().getResourceStore();
Resource resource = rstore.findById(representation.getResource(), resourceServer.getId());
if (resource == null)
throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not exists in this server.", Response.Status.BAD_REQUEST);
if (!resource.getOwner().equals(this.identity.getId()))
throw new ErrorResponseException("not_authorised", "permissions for [" + representation.getResource() + "] can be only created by the owner", Response.Status.FORBIDDEN);
UserModel user = null;
if (representation.getRequester() != null)
user = this.authorization.getKeycloakSession().userStorageManager().getUserById(this.authorization.getRealm(), representation.getRequester());
else
user = this.authorization.getKeycloakSession().userStorageManager().getUserByUsername(this.authorization.getRealm(), representation.getRequesterName());
if (user == null)
throw new ErrorResponseException("invalid_permission", "Requester does not exists in this server as user.", Response.Status.BAD_REQUEST);
Scope scope = null;
ScopeStore sstore = this.authorization.getStoreFactory().getScopeStore();
if (representation.getScopeName() != null)
scope = sstore.findByName(representation.getScopeName(), resourceServer.getId());
else
scope = sstore.findById(representation.getScope(), resourceServer.getId());
if (scope == null && representation.getScope() != null)
throw new ErrorResponseException("invalid_scope", "Scope [" + representation.getScope() + "] is invalid", Response.Status.BAD_REQUEST);
if (scope == null && representation.getScopeName() != null)
throw new ErrorResponseException("invalid_scope", "Scope [" + representation.getScopeName() + "] is invalid", Response.Status.BAD_REQUEST);
boolean match = resource.getScopes().contains(scope);
if (!match)
throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not have Scope [" + scope.getName() + "]", Response.Status.BAD_REQUEST);
Map<PermissionTicket.FilterOption, String> attributes = new EnumMap<>(PermissionTicket.FilterOption.class);
attributes.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
attributes.put(PermissionTicket.FilterOption.SCOPE_ID, scope.getId());
attributes.put(PermissionTicket.FilterOption.REQUESTER, user.getId());
if (!ticketStore.find(attributes, resourceServer.getId(), -1, -1).isEmpty())
throw new ErrorResponseException("invalid_permission", "Permission already exists", Response.Status.BAD_REQUEST);
PermissionTicket ticket = ticketStore.create(resource.getId(), scope.getId(), user.getId(), resourceServer);
if (representation.isGranted())
ticket.setGrantedTimestamp(java.lang.System.currentTimeMillis());
representation = ModelToRepresentation.toRepresentation(ticket, authorization);
return Response.ok(representation).build();
}
Aggregations