libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

KEYCLOAK-4727 KEYCLOAK-4652

Browse source
This commit is contained in:
Bill Burke 2017-04-06 10:44:33 -04:00
parent d1e71acf10
commit 31074c3c8d
13 changed files with 857 additions and 258 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
core/src/main/java/org/keycloak/representations/idm/authorization/DecisionEffect.java Normal file
View file

@ -0,0 +1,26 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.representations.idm.authorization;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public enum DecisionEffect {
PERMIT,
DENY
}

24
services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationRequest.java → core/src/main/java/org/keycloak/representations/idm/authorization/PolicyEvaluationRequest.java
View file

@ -16,8 +16,10 @@
* limitations under the License. * limitations under the License.
*/ */
package org.keycloak.authorization.admin.representation; package org.keycloak.representations.idm.authorization;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
@ -29,11 +31,11 @@ import org.keycloak.representations.idm.authorization.ResourceRepresentation;
*/ */
public class PolicyEvaluationRequest { public class PolicyEvaluationRequest {
private Map<String, Map<String, String>> context; private Map<String, Map<String, String>> context = new HashMap<>();
private List<Resource> resources; private List<ResourceRepresentation> resources = new LinkedList<>();
private String clientId; private String clientId;
private String userId; private String userId;
private List<String> roleIds; private List<String> roleIds = new LinkedList<>();
private boolean entitlements; private boolean entitlements;
public Map<String, Map<String, String>> getContext() { public Map<String, Map<String, String>> getContext() {
@ -44,11 +46,11 @@ public class PolicyEvaluationRequest {
this.context = context; this.context = context;
} }
public List<Resource> getResources() { public List<ResourceRepresentation> getResources() {
return this.resources; return this.resources;
} }
public void setResources(List<Resource> resources) { public void setResources(List<ResourceRepresentation> resources) {
this.resources = resources; this.resources = resources;
} }
@ -84,7 +86,13 @@ public class PolicyEvaluationRequest {
this.entitlements = entitlements; this.entitlements = entitlements;
} }
public static class Resource extends ResourceRepresentation { public PolicyEvaluationRequest addResource(String name, String... scopes) {
if (resources == null) {
resources = new LinkedList<>();
}
resources.add(new ResourceRepresentation(name, scopes));
return this;
} }
} }

173
core/src/main/java/org/keycloak/representations/idm/authorization/PolicyEvaluationResponse.java Normal file
View file

@ -0,0 +1,173 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.representations.idm.authorization;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.DecisionEffect;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import java.util.ArrayList;
import java.util.List;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class PolicyEvaluationResponse {
private List<EvaluationResultRepresentation> results;
private boolean entitlements;
private DecisionEffect status;
private AccessToken rpt;
public List<EvaluationResultRepresentation> getResults() {
return results;
}
public DecisionEffect getStatus() {
return status;
}
public boolean isEntitlements() {
return entitlements;
}
public AccessToken getRpt() {
return rpt;
}
public void setResults(List<EvaluationResultRepresentation> results) {
this.results = results;
}
public void setEntitlements(boolean entitlements) {
this.entitlements = entitlements;
}
public void setStatus(DecisionEffect status) {
this.status = status;
}
public void setRpt(AccessToken rpt) {
this.rpt = rpt;
}
public static class EvaluationResultRepresentation {
private ResourceRepresentation resource;
private List<ScopeRepresentation> scopes;
private List<PolicyResultRepresentation> policies;
private DecisionEffect status;
private List<ScopeRepresentation> allowedScopes = new ArrayList<>();
public void setResource(final ResourceRepresentation resource) {
this.resource = resource;
}
public ResourceRepresentation getResource() {
return resource;
}
public void setScopes(List<ScopeRepresentation> scopes) {
this.scopes = scopes;
}
public List<ScopeRepresentation> getScopes() {
return scopes;
}
public void setPolicies(final List<PolicyResultRepresentation> policies) {
this.policies = policies;
}
public List<PolicyResultRepresentation> getPolicies() {
return policies;
}
public void setStatus(final DecisionEffect status) {
this.status = status;
}
public DecisionEffect getStatus() {
return status;
}
public void setAllowedScopes(List<ScopeRepresentation> allowedScopes) {
this.allowedScopes = allowedScopes;
}
public List<ScopeRepresentation> getAllowedScopes() {
return allowedScopes;
}
}
public static class PolicyResultRepresentation {
private PolicyRepresentation policy;
private DecisionEffect status;
private List<PolicyResultRepresentation> associatedPolicies;
private List<ScopeRepresentation> scopes = new ArrayList<>();
public PolicyRepresentation getPolicy() {
return policy;
}
public void setPolicy(final PolicyRepresentation policy) {
this.policy = policy;
}
public DecisionEffect getStatus() {
return status;
}
public void setStatus(final DecisionEffect status) {
this.status = status;
}
public List<PolicyResultRepresentation> getAssociatedPolicies() {
return associatedPolicies;
}
public void setAssociatedPolicies(final List<PolicyResultRepresentation> associatedPolicies) {
this.associatedPolicies = associatedPolicies;
}
@Override
public int hashCode() {
return this.policy.hashCode();
}
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
final PolicyResultRepresentation policy = (PolicyResultRepresentation) o;
return this.policy.equals(policy.getPolicy());
}
public void setScopes(List<ScopeRepresentation> scopes) {
this.scopes = scopes;
}
public List<ScopeRepresentation> getScopes() {
return scopes;
}
}
}

11
core/src/main/java/org/keycloak/representations/idm/authorization/ResourceRepresentation.java
View file

@ -18,6 +18,8 @@ package org.keycloak.representations.idm.authorization;
import java.net.URI; import java.net.URI;
import java.util.Collections; import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Objects; import java.util.Objects;
import java.util.Set; import java.util.Set;
@ -91,6 +93,15 @@ public class ResourceRepresentation {
this(name, scopes, null, null, null); this(name, scopes, null, null, null);
} }
public ResourceRepresentation(String name, String... scopes) {
this.name = name;
this.scopes = new HashSet<>();
for (String s : scopes) {
ScopeRepresentation rep = new ScopeRepresentation(s);
this.scopes.add(rep);
}
}
/** /**
* Creates a new instance. * Creates a new instance.
* *

9
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java
View file

@ -17,6 +17,8 @@
package org.keycloak.admin.client.resource; package org.keycloak.admin.client.resource;
import org.jboss.resteasy.annotations.cache.NoCache; import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
import org.keycloak.representations.idm.authorization.PolicyProviderRepresentation; import org.keycloak.representations.idm.authorization.PolicyProviderRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation; import org.keycloak.representations.idm.authorization.PolicyRepresentation;
@ -53,4 +55,11 @@ public interface PoliciesResource {
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
@NoCache @NoCache
List<PolicyProviderRepresentation> policyProviders(); List<PolicyProviderRepresentation> policyProviders();
@POST
@Consumes("application/json")
@Produces("application/json")
@Path("evaluate")
PolicyEvaluationResponse evaluate(PolicyEvaluationRequest evaluationRequest);
} }

14
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UsersResource.java
View file

@ -36,11 +36,15 @@ public interface UsersResource {
@GET @GET
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
List<UserRepresentation> search(@QueryParam("username") String username, List<UserRepresentation> search(@QueryParam("username") String username,
@QueryParam("firstName") String firstName, @QueryParam("firstName") String firstName,
@QueryParam("lastName") String lastName, @QueryParam("lastName") String lastName,
@QueryParam("email") String email, @QueryParam("email") String email,
@QueryParam("first") Integer firstResult, @QueryParam("first") Integer firstResult,
@QueryParam("max") Integer maxResults); @QueryParam("max") Integer maxResults);
@GET
@Produces(MediaType.APPLICATION_JSON)
List<UserRepresentation> search(@QueryParam("username") String username);
@GET @GET
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)

138
services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
View file

@ -17,12 +17,12 @@
*/ */
package org.keycloak.authorization.admin; package org.keycloak.authorization.admin;
import static java.util.Arrays.asList;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection; import java.util.Collection;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet; import java.util.HashSet;
import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
@ -33,15 +33,13 @@ import java.util.stream.Stream;
import javax.ws.rs.Consumes; import javax.ws.rs.Consumes;
import javax.ws.rs.POST; import javax.ws.rs.POST;
import javax.ws.rs.Produces; import javax.ws.rs.Produces;
import javax.ws.rs.container.AsyncResponse;
import javax.ws.rs.container.Suspended;
import javax.ws.rs.core.Context; import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
import org.jboss.resteasy.spi.HttpRequest; import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.admin.representation.PolicyEvaluationRequest; import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.authorization.admin.representation.PolicyEvaluationResponse; import org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder;
import org.keycloak.authorization.attribute.Attributes; import org.keycloak.authorization.attribute.Attributes;
import org.keycloak.authorization.common.KeycloakEvaluationContext; import org.keycloak.authorization.common.KeycloakEvaluationContext;
import org.keycloak.authorization.common.KeycloakIdentity; import org.keycloak.authorization.common.KeycloakIdentity;
@ -58,15 +56,13 @@ import org.keycloak.authorization.util.Permissions;
import org.keycloak.models.ClientModel; import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionModel; import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel; import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel; import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.ProtocolMapper; import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation; import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.services.Urls; import org.keycloak.services.Urls;
import org.keycloak.services.resources.admin.RealmAuth; import org.keycloak.services.resources.admin.RealmAuth;
@ -89,32 +85,41 @@ public class PolicyEvaluationService {
this.auth = auth; this.auth = auth;
} }
static class Decision extends DecisionResultCollector {
Throwable error;
List<Result> results;
@Override
protected void onComplete(List<Result> results) {
this.results = results;
}
@Override
public void onError(Throwable cause) {
this.error = cause;
}
}
public static <T> List<T> asList(T... a) {
List<T> list = new LinkedList<T>();
for (T t : a) list.add(t);
return list;
}
@POST @POST
@Consumes("application/json") @Consumes("application/json")
@Produces("application/json") @Produces("application/json")
public void evaluate(PolicyEvaluationRequest evaluationRequest, @Suspended AsyncResponse asyncResponse) { public Response evaluate(PolicyEvaluationRequest evaluationRequest) throws Throwable {
this.auth.requireView(); this.auth.requireView();
KeycloakIdentity identity = createIdentity(evaluationRequest); KeycloakIdentity identity = createIdentity(evaluationRequest);
EvaluationContext evaluationContext = createEvaluationContext(evaluationRequest, identity); EvaluationContext evaluationContext = createEvaluationContext(evaluationRequest, identity);
authorization.evaluators().from(createPermissions(evaluationRequest, evaluationContext, authorization), evaluationContext).evaluate(createDecisionCollector(authorization, identity, asyncResponse)); Decision decisionCollector = new Decision();
} authorization.evaluators().from(createPermissions(evaluationRequest, evaluationContext, authorization), evaluationContext).evaluate(decisionCollector);
if (decisionCollector.error != null) {
private DecisionResultCollector createDecisionCollector(AuthorizationProvider authorization, KeycloakIdentity identity, AsyncResponse asyncResponse) { throw decisionCollector.error;
return new DecisionResultCollector() { }
@Override return Response.ok(PolicyEvaluationResponseBuilder.build(decisionCollector.results, resourceServer, authorization, identity)).build();
protected void onComplete(List<Result> results) {
try {
asyncResponse.resume(Response.ok(PolicyEvaluationResponse.build(results, resourceServer, authorization, identity)).build());
} catch (Throwable cause) {
asyncResponse.resume(cause);
}
}
@Override
public void onError(Throwable cause) {
asyncResponse.resume(cause);
}
};
} }
private EvaluationContext createEvaluationContext(PolicyEvaluationRequest representation, KeycloakIdentity identity) { private EvaluationContext createEvaluationContext(PolicyEvaluationRequest representation, KeycloakIdentity identity) {
@ -144,11 +149,11 @@ public class PolicyEvaluationService {
} }
private List<ResourcePermission> createPermissions(PolicyEvaluationRequest representation, EvaluationContext evaluationContext, AuthorizationProvider authorization) { private List<ResourcePermission> createPermissions(PolicyEvaluationRequest representation, EvaluationContext evaluationContext, AuthorizationProvider authorization) {
List<PolicyEvaluationRequest.Resource> resources = representation.getResources(); List<ResourceRepresentation> resources = representation.getResources();
return resources.stream().flatMap((Function<PolicyEvaluationRequest.Resource, Stream<ResourcePermission>>) resource -> { return resources.stream().flatMap((Function<ResourceRepresentation, Stream<ResourcePermission>>) resource -> {
StoreFactory storeFactory = authorization.getStoreFactory(); StoreFactory storeFactory = authorization.getStoreFactory();
if (resource == null) { if (resource == null) {
resource = new PolicyEvaluationRequest.Resource(); resource = new ResourceRepresentation();
} }
Set<ScopeRepresentation> givenScopes = resource.getScopes(); Set<ScopeRepresentation> givenScopes = resource.getScopes();
@ -183,32 +188,15 @@ public class PolicyEvaluationService {
private KeycloakIdentity createIdentity(PolicyEvaluationRequest representation) { private KeycloakIdentity createIdentity(PolicyEvaluationRequest representation) {
KeycloakSession keycloakSession = this.authorization.getKeycloakSession(); KeycloakSession keycloakSession = this.authorization.getKeycloakSession();
RealmModel realm = keycloakSession.getContext().getRealm(); RealmModel realm = keycloakSession.getContext().getRealm();
AccessToken accessToken = new AccessToken(); AccessToken accessToken = null;
accessToken.subject(representation.getUserId());
accessToken.issuedFor(representation.getClientId());
accessToken.audience(representation.getClientId());
accessToken.issuer(Urls.realmIssuer(keycloakSession.getContext().getUri().getBaseUri(), realm.getName()));
accessToken.setRealmAccess(new AccessToken.Access());
AccessToken.Access realmAccess = accessToken.getRealmAccess(); String subject = representation.getUserId();
Map<String, Object> claims = accessToken.getOtherClaims();
Map<String, String> givenAttributes = representation.getContext().get("attributes");
if (givenAttributes != null) {
givenAttributes.forEach((key, value) -> claims.put(key, asList(value)));
}
String subject = accessToken.getSubject();
if (subject != null) { if (subject != null) {
UserModel userModel = keycloakSession.users().getUserById(subject, realm); UserModel userModel = keycloakSession.users().getUserById(subject, realm);
if (userModel != null) { if (userModel != null) {
userModel.getAttributes().forEach(claims::put);
userModel.getRoleMappings().stream().map(RoleModel::getName).forEach(roleName -> realmAccess.addRole(roleName));
String clientId = representation.getClientId(); String clientId = representation.getClientId();
if (clientId == null) { if (clientId == null) {
@ -223,17 +211,18 @@ public class PolicyEvaluationService {
clientSession = keycloakSession.sessions().createClientSession(realm, clientModel); clientSession = keycloakSession.sessions().createClientSession(realm, clientModel);
userSession = keycloakSession.sessions().createUserSession(realm, userModel, userModel.getUsername(), "127.0.0.1", "passwd", false, null, null); userSession = keycloakSession.sessions().createUserSession(realm, userModel, userModel.getUsername(), "127.0.0.1", "passwd", false, null, null);
UserSessionModel finalUserSession = userSession; new TokenManager().attachClientSession(userSession, clientSession);
ClientSessionModel finalClientSession = clientSession;
for (ProtocolMapperModel mapping : clientModel.getProtocolMappers()) { Set<RoleModel> requestedRoles = new HashSet<>();
KeycloakSessionFactory sessionFactory = keycloakSession.getKeycloakSessionFactory(); for (String roleId : clientSession.getRoles()) {
ProtocolMapper mapper = (ProtocolMapper)sessionFactory.getProviderFactory(ProtocolMapper.class, mapping.getProtocolMapper()); RoleModel role = realm.getRoleById(roleId);
if (role != null) {
if (mapper != null && (mapper instanceof OIDCAccessTokenMapper)) { requestedRoles.add(role);
accessToken = ((OIDCAccessTokenMapper)mapper).transformAccessToken(accessToken, mapping, keycloakSession, finalUserSession, finalClientSession);
} }
} }
accessToken = new TokenManager().createClientAccessToken(keycloakSession, requestedRoles, realm, clientModel, userModel, userSession, clientSession);
} finally { } finally {
if (clientSession != null) { if (clientSession != null) {
keycloakSession.sessions().removeClientSession(realm, clientSession); keycloakSession.sessions().removeClientSession(realm, clientSession);
@ -243,21 +232,30 @@ public class PolicyEvaluationService {
keycloakSession.sessions().removeUserSession(realm, userSession); keycloakSession.sessions().removeUserSession(realm, userSession);
} }
} }
AccessToken.Access clientAccess = accessToken.addAccess(clientModel.getClientId());
clientAccess.roles(new HashSet<>());
userModel.getClientRoleMappings(clientModel).stream().map(RoleModel::getName).forEach(roleName -> clientAccess.addRole(roleName));
ClientModel resourceServerClient = realm.getClientById(resourceServer.getClientId());
AccessToken.Access resourceServerAccess = accessToken.addAccess(resourceServerClient.getClientId());
resourceServerAccess.roles(new HashSet<>());
userModel.getClientRoleMappings(resourceServerClient).stream().map(RoleModel::getName).forEach(roleName -> resourceServerAccess.addRole(roleName));
} }
} }
} }
if (accessToken == null) {
accessToken = new AccessToken();
accessToken.subject(representation.getUserId());
accessToken.issuedFor(representation.getClientId());
accessToken.audience(representation.getClientId());
accessToken.issuer(Urls.realmIssuer(keycloakSession.getContext().getUri().getBaseUri(), realm.getName()));
accessToken.setRealmAccess(new AccessToken.Access());
}
AccessToken.Access realmAccess = accessToken.getRealmAccess();
Map<String, Object> claims = accessToken.getOtherClaims();
Map<String, String> givenAttributes = representation.getContext().get("attributes");
if (givenAttributes != null) {
givenAttributes.forEach((key, value) -> claims.put(key, asList(value)));
}
if (representation.getRoleIds() != null) { if (representation.getRoleIds() != null) {
representation.getRoleIds().forEach(roleName -> realmAccess.addRole(roleName)); representation.getRoleIds().forEach(roleName -> realmAccess.addRole(roleName));
} }

231
services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java → services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponseBuilder.java
View file

@ -1,13 +1,12 @@
/* /*
* JBoss, Home of Professional Open Source. * Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2016 Red Hat, Inc., and individual contributors * and other contributors as indicated by the @author tags.
* as indicated by the @author tags.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
* You may obtain a copy of the License at * You may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
* Unless required by applicable law or agreed to in writing, software * Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, * distributed under the License is distributed on an "AS IS" BASIS,
@ -15,9 +14,24 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.keycloak.authorization.admin.representation; package org.keycloak.authorization.admin.representation;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.authorization.util.Permissions;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.DecisionEffect;
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.Comparator; import java.util.Comparator;
@ -29,56 +43,37 @@ import java.util.function.Function;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import java.util.stream.Stream; import java.util.stream.Stream;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.Decision.Effect;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.authorization.policy.evaluation.Result.PolicyResult;
import org.keycloak.authorization.util.Permissions;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
/** /**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/ */
public class PolicyEvaluationResponse { public class PolicyEvaluationResponseBuilder {
private List<EvaluationResultRepresentation> results;
private boolean entitlements;
private Effect status;
private AccessToken rpt;
private PolicyEvaluationResponse() {
}
public static PolicyEvaluationResponse build(List<Result> results, ResourceServer resourceServer, AuthorizationProvider authorization, KeycloakIdentity identity) { public static PolicyEvaluationResponse build(List<Result> results, ResourceServer resourceServer, AuthorizationProvider authorization, KeycloakIdentity identity) {
PolicyEvaluationResponse response = new PolicyEvaluationResponse(); PolicyEvaluationResponse response = new PolicyEvaluationResponse();
List<EvaluationResultRepresentation> resultsRep = new ArrayList<>(); List<PolicyEvaluationResponse.EvaluationResultRepresentation> resultsRep = new ArrayList<>();
AccessToken accessToken = identity.getAccessToken(); AccessToken accessToken = identity.getAccessToken();
AccessToken.Authorization authorizationData = new AccessToken.Authorization(); AccessToken.Authorization authorizationData = new AccessToken.Authorization();
authorizationData.setPermissions(Permissions.permits(results, authorization, resourceServer.getId())); authorizationData.setPermissions(Permissions.permits(results, authorization, resourceServer.getId()));
accessToken.setAuthorization(authorizationData); accessToken.setAuthorization(authorizationData);
response.rpt = accessToken; response.setRpt(accessToken);
if (results.stream().anyMatch(evaluationResult -> evaluationResult.getEffect().equals(Effect.DENY))) { if (results.stream().anyMatch(evaluationResult -> evaluationResult.getEffect().equals(Decision.Effect.DENY))) {
response.status = Effect.DENY; response.setStatus(DecisionEffect.DENY);
} else { } else {
response.status = Effect.PERMIT; response.setStatus(DecisionEffect.PERMIT);
} }
for (Result result : results) { for (Result result : results) {
EvaluationResultRepresentation rep = new EvaluationResultRepresentation(); PolicyEvaluationResponse.EvaluationResultRepresentation rep = new PolicyEvaluationResponse.EvaluationResultRepresentation();
rep.setStatus(result.getEffect()); if (result.getEffect() == Decision.Effect.DENY) {
rep.setStatus(DecisionEffect.DENY);
} else {
rep.setStatus(DecisionEffect.PERMIT);
}
resultsRep.add(rep); resultsRep.add(rep);
if (result.getPermission().getResource() != null) { if (result.getPermission().getResource() != null) {
@ -105,9 +100,9 @@ public class PolicyEvaluationResponse {
return representation; return representation;
}).collect(Collectors.toList())); }).collect(Collectors.toList()));
List<PolicyResultRepresentation> policies = new ArrayList<>(); List<PolicyEvaluationResponse.PolicyResultRepresentation> policies = new ArrayList<>();
for (PolicyResult policy : result.getResults()) { for (Result.PolicyResult policy : result.getResults()) {
policies.add(toRepresentation(policy, authorization)); policies.add(toRepresentation(policy, authorization));
} }
@ -116,10 +111,10 @@ public class PolicyEvaluationResponse {
resultsRep.sort(Comparator.comparing(o -> o.getResource().getName())); resultsRep.sort(Comparator.comparing(o -> o.getResource().getName()));
Map<String, EvaluationResultRepresentation> groupedResults = new HashMap<>(); Map<String, PolicyEvaluationResponse.EvaluationResultRepresentation> groupedResults = new HashMap<>();
resultsRep.forEach(evaluationResultRepresentation -> { resultsRep.forEach(evaluationResultRepresentation -> {
EvaluationResultRepresentation result = groupedResults.get(evaluationResultRepresentation.getResource().getId()); PolicyEvaluationResponse.EvaluationResultRepresentation result = groupedResults.get(evaluationResultRepresentation.getResource().getId());
ResourceRepresentation resource = evaluationResultRepresentation.getResource(); ResourceRepresentation resource = evaluationResultRepresentation.getResource();
if (result == null) { if (result == null) {
@ -127,8 +122,8 @@ public class PolicyEvaluationResponse {
result = evaluationResultRepresentation; result = evaluationResultRepresentation;
} }
if (result.getStatus().equals(Effect.PERMIT) || (evaluationResultRepresentation.getStatus().equals(Effect.PERMIT) && result.getStatus().equals(Effect.DENY))) { if (result.getStatus().equals(DecisionEffect.PERMIT) || (evaluationResultRepresentation.getStatus().equals(DecisionEffect.PERMIT) && result.getStatus().equals(DecisionEffect.DENY))) {
result.setStatus(Effect.PERMIT); result.setStatus(DecisionEffect.PERMIT);
} }
List<ScopeRepresentation> scopes = result.getScopes(); List<ScopeRepresentation> scopes = result.getScopes();
@ -146,15 +141,15 @@ public class PolicyEvaluationResponse {
if (!scopes.contains(scope)) { if (!scopes.contains(scope)) {
scopes.add(scope); scopes.add(scope);
} }
if (evaluationResultRepresentation.getStatus().equals(Effect.PERMIT)) { if (evaluationResultRepresentation.getStatus().equals(Decision.Effect.PERMIT)) {
if (!allowedScopes.contains(scope)) { if (!allowedScopes.contains(scope)) {
allowedScopes.add(scope); allowedScopes.add(scope);
} }
} else { } else {
evaluationResultRepresentation.getPolicies().forEach(new Consumer<PolicyResultRepresentation>() { evaluationResultRepresentation.getPolicies().forEach(new Consumer<PolicyEvaluationResponse.PolicyResultRepresentation>() {
@Override @Override
public void accept(PolicyResultRepresentation policyResultRepresentation) { public void accept(PolicyEvaluationResponse.PolicyResultRepresentation policyResultRepresentation) {
if (policyResultRepresentation.getStatus().equals(Effect.PERMIT)) { if (policyResultRepresentation.getStatus().equals(Decision.Effect.PERMIT)) {
if (!allowedScopes.contains(scope)) { if (!allowedScopes.contains(scope)) {
allowedScopes.add(scope); allowedScopes.add(scope);
} }
@ -176,16 +171,16 @@ public class PolicyEvaluationResponse {
result.getResource().setName("Any Resource with Scopes " + scopes.stream().flatMap((Function<ScopeRepresentation, Stream<?>>) scopeRepresentation -> Arrays.asList(scopeRepresentation.getName()).stream()).collect(Collectors.toList())); result.getResource().setName("Any Resource with Scopes " + scopes.stream().flatMap((Function<ScopeRepresentation, Stream<?>>) scopeRepresentation -> Arrays.asList(scopeRepresentation.getName()).stream()).collect(Collectors.toList()));
} }
List<PolicyResultRepresentation> policies = result.getPolicies(); List<PolicyEvaluationResponse.PolicyResultRepresentation> policies = result.getPolicies();
for (PolicyResultRepresentation policy : new ArrayList<>(evaluationResultRepresentation.getPolicies())) { for (PolicyEvaluationResponse.PolicyResultRepresentation policy : new ArrayList<>(evaluationResultRepresentation.getPolicies())) {
if (!policies.contains(policy)) { if (!policies.contains(policy)) {
policies.add(policy); policies.add(policy);
} else { } else {
policy = policies.get(policies.indexOf(policy)); policy = policies.get(policies.indexOf(policy));
} }
if (policy.getStatus().equals(Effect.DENY)) { if (policy.getStatus().equals(Decision.Effect.DENY)) {
Policy policyModel = authorization.getStoreFactory().getPolicyStore().findById(policy.getPolicy().getId(), resourceServer.getId()); Policy policyModel = authorization.getStoreFactory().getPolicyStore().findById(policy.getPolicy().getId(), resourceServer.getId());
for (ScopeRepresentation scope : policyModel.getScopes().stream().map(scopeModel -> ModelToRepresentation.toRepresentation(scopeModel, authorization)).collect(Collectors.toList())) { for (ScopeRepresentation scope : policyModel.getScopes().stream().map(scopeModel -> ModelToRepresentation.toRepresentation(scopeModel, authorization)).collect(Collectors.toList())) {
if (!policy.getScopes().contains(scope) && policyModel.getScopes().stream().filter(policyScope -> policyScope.getId().equals(scope.getId())).findFirst().isPresent()) { if (!policy.getScopes().contains(scope) && policyModel.getScopes().stream().filter(policyScope -> policyScope.getId().equals(scope.getId())).findFirst().isPresent()) {
@ -197,13 +192,13 @@ public class PolicyEvaluationResponse {
} }
}); });
response.results = groupedResults.values().stream().collect(Collectors.toList()); response.setResults(groupedResults.values().stream().collect(Collectors.toList()));
return response; return response;
} }
private static PolicyResultRepresentation toRepresentation(PolicyResult policy, AuthorizationProvider authorization) { private static PolicyEvaluationResponse.PolicyResultRepresentation toRepresentation(Result.PolicyResult policy, AuthorizationProvider authorization) {
PolicyResultRepresentation policyResultRep = new PolicyResultRepresentation(); PolicyEvaluationResponse.PolicyResultRepresentation policyResultRep = new PolicyEvaluationResponse.PolicyResultRepresentation();
PolicyRepresentation representation = new PolicyRepresentation(); PolicyRepresentation representation = new PolicyRepresentation();
@ -213,127 +208,15 @@ public class PolicyEvaluationResponse {
representation.setDecisionStrategy(policy.getPolicy().getDecisionStrategy()); representation.setDecisionStrategy(policy.getPolicy().getDecisionStrategy());
policyResultRep.setPolicy(representation); policyResultRep.setPolicy(representation);
policyResultRep.setStatus(policy.getStatus()); if (policy.getStatus() == Decision.Effect.DENY) {
policyResultRep.setStatus(DecisionEffect.DENY);
} else {
policyResultRep.setStatus(DecisionEffect.PERMIT);
}
policyResultRep.setAssociatedPolicies(policy.getAssociatedPolicies().stream().map(result -> toRepresentation(result, authorization)).collect(Collectors.toList())); policyResultRep.setAssociatedPolicies(policy.getAssociatedPolicies().stream().map(result -> toRepresentation(result, authorization)).collect(Collectors.toList()));
return policyResultRep; return policyResultRep;
} }
public List<EvaluationResultRepresentation> getResults() {
return results;
}
public Effect getStatus() {
return status;
}
public boolean isEntitlements() {
return entitlements;
}
public AccessToken getRpt() {
return rpt;
}
public static class EvaluationResultRepresentation {
private ResourceRepresentation resource;
private List<ScopeRepresentation> scopes;
private List<PolicyResultRepresentation> policies;
private Effect status;
private List<ScopeRepresentation> allowedScopes = new ArrayList<>();
public void setResource(final ResourceRepresentation resource) {
this.resource = resource;
}
public ResourceRepresentation getResource() {
return resource;
}
public void setScopes(List<ScopeRepresentation> scopes) {
this.scopes = scopes;
}
public List<ScopeRepresentation> getScopes() {
return scopes;
}
public void setPolicies(final List<PolicyResultRepresentation> policies) {
this.policies = policies;
}
public List<PolicyResultRepresentation> getPolicies() {
return policies;
}
public void setStatus(final Effect status) {
this.status = status;
}
public Effect getStatus() {
return status;
}
public void setAllowedScopes(List<ScopeRepresentation> allowedScopes) {
this.allowedScopes = allowedScopes;
}
public List<ScopeRepresentation> getAllowedScopes() {
return allowedScopes;
}
}
public static class PolicyResultRepresentation {
private PolicyRepresentation policy;
private Effect status;
private List<PolicyResultRepresentation> associatedPolicies;
private List<ScopeRepresentation> scopes = new ArrayList<>();
public PolicyRepresentation getPolicy() {
return policy;
}
public void setPolicy(final PolicyRepresentation policy) {
this.policy = policy;
}
public Effect getStatus() {
return status;
}
public void setStatus(final Effect status) {
this.status = status;
}
public List<PolicyResultRepresentation> getAssociatedPolicies() {
return associatedPolicies;
}
public void setAssociatedPolicies(final List<PolicyResultRepresentation> associatedPolicies) {
this.associatedPolicies = associatedPolicies;
}
@Override
public int hashCode() {
return this.policy.hashCode();
}
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
final PolicyResultRepresentation policy = (PolicyResultRepresentation) o;
return this.policy.equals(policy.getPolicy());
}
public void setScopes(List<ScopeRepresentation> scopes) {
this.scopes = scopes;
}
public List<ScopeRepresentation> getScopes() {
return scopes;
}
}
} }

63
services/src/main/java/org/keycloak/authorization/common/AbstractEvaluationContext.java Normal file
View file

@ -0,0 +1,63 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authorization.common;
import org.keycloak.authorization.attribute.Attributes;
import org.keycloak.authorization.identity.Identity;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.representations.AccessToken;
import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public abstract class AbstractEvaluationContext implements EvaluationContext {
private final KeycloakSession keycloakSession;
public AbstractEvaluationContext(KeycloakSession keycloakSession) {
this.keycloakSession = keycloakSession;
}
public Map<String, Collection<String>> getBaseAttributes() {
HashMap<String, Collection<String>> attributes = new HashMap<>();
attributes.put("kc.time.date_time", Arrays.asList(new SimpleDateFormat("MM/dd/yyyy hh:mm:ss").format(new Date())));
attributes.put("kc.client.network.ip_address", Arrays.asList(this.keycloakSession.getContext().getConnection().getRemoteAddr()));
attributes.put("kc.client.network.host", Arrays.asList(this.keycloakSession.getContext().getConnection().getRemoteHost()));
List<String> userAgents = this.keycloakSession.getContext().getRequestHeaders().getRequestHeader("User-Agent");
if (userAgents != null) {
attributes.put("kc.client.user_agent", userAgents);
}
attributes.put("kc.realm.name", Arrays.asList(this.keycloakSession.getContext().getRealm().getName()));
return attributes;
}
}

76
services/src/main/java/org/keycloak/authorization/common/UserModelIdentity.java Normal file
View file

@ -0,0 +1,76 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authorization.common;
import org.keycloak.authorization.attribute.Attributes;
import org.keycloak.authorization.identity.Identity;
import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import java.util.Collection;
import java.util.Map;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class UserModelIdentity implements Identity {
protected RealmModel realm;
protected UserModel user;
public UserModelIdentity(UserModel user) {
this.user = user;
}
@Override
public String getId() {
return user.getId();
}
@Override
public Attributes getAttributes() {
Map attr = user.getAttributes();
return Attributes.from(attr);
}
@Override
public boolean hasRealmRole(String roleName) {
RoleModel role = realm.getRole(roleName);
if (role == null) return false;
return user.hasRole(role);
}
@Override
public boolean hasClientRole(String clientId, String roleName) {
ClientModel client = realm.getClientByClientId(clientId);
RoleModel role = client.getRole(roleName);
if (role == null) return false;
return user.hasRole(role);
}
@Override
public boolean hasRole(String roleName) {
throw new RuntimeException("Should not execute");
}
@Override
public boolean hasClientRole(String roleName) {
throw new RuntimeException("Should not execute");
}
}

215
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminLocalTest.java Normal file
View file

@ -0,0 +1,215 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.admin;
import org.junit.Assert;
import org.junit.Ignore;
import org.junit.Test;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.DecisionEffect;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
import org.keycloak.testsuite.AbstractKeycloakTest;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
//@Ignore
public class FineGrainAdminLocalTest extends AbstractKeycloakTest {
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
RealmRepresentation testRealmRep = new RealmRepresentation();
testRealmRep.setId(TEST);
testRealmRep.setRealm(TEST);
testRealmRep.setEnabled(true);
testRealms.add(testRealmRep);
}
public static void setupDefaults(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
ClientModel client = realm.getClientByClientId("realm-management");
AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().create(client.getId());
Scope mapRoleScope = authz.getStoreFactory().getScopeStore().create("map-role", resourceServer);
Scope manageScope = authz.getStoreFactory().getScopeStore().create("manage", resourceServer);
Policy manageUsersPolicy = null;
Policy manageClientsPolicy = null;
for (RoleModel role : client.getRoles()) {
Policy policy = createRolePolicy(authz, resourceServer, role);
if (role.getName().equals(AdminRoles.MANAGE_USERS)) {
manageUsersPolicy = policy;
} else if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)) {
manageClientsPolicy = policy;
}
Resource resource = createRoleResource(authz, resourceServer, role);
Set<Scope> scopeset = new HashSet<>();
scopeset.add(mapRoleScope);
resource.updateScopes(scopeset);
String name = "map.role.permission." + client.getClientId() + "." + role.getName();
Policy permission = addScopePermission(authz, resourceServer, name, resource, mapRoleScope, policy);
}
Resource usersResource = authz.getStoreFactory().getResourceStore().create("Users", resourceServer, resourceServer.getClientId());
Set<Scope> scopeset = new HashSet<>();
scopeset.add(manageScope);
usersResource.updateScopes(scopeset);
addScopePermission(authz, resourceServer, "Users.manage.permission", usersResource, manageScope, manageUsersPolicy);
}
private static Policy addScopePermission(AuthorizationProvider authz, ResourceServer resourceServer, String name, Resource resource, Scope scope, Policy policy) {
Policy permission = authz.getStoreFactory().getPolicyStore().create(name, "scope", resourceServer);
String resources = "[\"" + resource.getId() + "\"]";
String scopes = "[\"" + scope.getId() + "\"]";
String applyPolicies = "[\"" + policy.getId() + "\"]";
Map<String, String> config = new HashMap<>();
config.put("resources", resources);
config.put("scopes", scopes);
config.put("applyPolicies", applyPolicies);
permission.setConfig(config);
permission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
permission.setLogic(Logic.POSITIVE);
permission.addResource(resource);
permission.addScope(scope);
permission.addAssociatedPolicy(policy);
return permission;
}
private static Resource createRoleResource(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
String roleName = getRoleResourceName(role);
Resource resource = authz.getStoreFactory().getResourceStore().create(roleName, resourceServer, resourceServer.getClientId());
resource.setType("Role");
return resource;
}
private static String getRoleResourceName(RoleModel role) {
String roleName = "realm";
if (role.getContainer() instanceof ClientModel) {
ClientModel client = (ClientModel)role.getContainer();
roleName = client.getClientId();
}
roleName = "role.resource." + roleName + "." + role.getName();
return roleName;
}
private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
String roleName = "realm";
if (role.getContainer() instanceof ClientModel) {
ClientModel client = (ClientModel) role.getContainer();
roleName = client.getClientId() ;
}
roleName = "role.policy." + roleName + "." + role.getName();
Policy policy = authz.getStoreFactory().getPolicyStore().create(roleName, "role", resourceServer);
String roleValues = "[{\"id\":\"" + role.getId() + "\",\"required\": true}]";
policy.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
policy.setLogic(Logic.POSITIVE);
Map<String, String> config = new HashMap<>();
config.put("roles", roleValues);
policy.setConfig(config);
return policy;
}
public static void setupUsers(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
ClientModel client = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
UserModel admin = session.users().addUser(realm, "admin");
admin.grantRole(client.getRole(AdminRoles.REALM_ADMIN));
UserModel manageUserOnlyUser = session.users().addUser(realm, "manage-user");
RoleModel manageUsersRole = client.getRole(AdminRoles.MANAGE_USERS);
manageUserOnlyUser.grantRole(manageUsersRole);
UserModel manageRealmUser = session.users().addUser(realm, "manage-realm");
manageRealmUser.grantRole(manageUsersRole);
RoleModel manageRealmRole = client.getRole(AdminRoles.MANAGE_REALM);
manageRealmUser.grantRole(manageRealmRole);
}
@Test
public void testUI() throws Exception {
testingClient.server().run(FineGrainAdminLocalTest::setupDefaults);
testingClient.server().run(FineGrainAdminLocalTest::setupUsers);
//Thread.sleep(1000000000);
}
public static void evaluateAdminHasManageRealmPermissions(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
UserModel admin = session.users().getUserByUsername("admin", realm);
AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
ClientModel client = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
RoleModel manageRealmRole = client.getRole(AdminRoles.MANAGE_REALM);
Resource roleResource = authz.getStoreFactory().getResourceStore().findByName(getRoleResourceName(manageRealmRole), resourceServer.getId());
}
@Test
public void testEvaluation() throws Exception {
testingClient.server().run(FineGrainAdminLocalTest::setupDefaults);
testingClient.server().run(FineGrainAdminLocalTest::setupUsers);
RealmResource realm = adminClient.realm(TEST);
String resourceServerId = realm.clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0).getId();
UserRepresentation admin = realm.users().search("admin").get(0);
UserRepresentation manageUser = realm.users().search("manage-user").get(0);
UserRepresentation manageRealm = realm.users().search("manage-realm").get(0);
PolicyEvaluationRequest request = new PolicyEvaluationRequest();
request.setUserId(admin.getId());
request.setClientId(resourceServerId);
request.addResource("role.resource." + Constants.REALM_MANAGEMENT_CLIENT_ID + "." + AdminRoles.MANAGE_REALM,
"map-role");
PolicyEvaluationResponse result = realm.clients().get(resourceServerId).authorization().policies().evaluate(request);
Assert.assertEquals(result.getStatus(), DecisionEffect.PERMIT);
}
}

133
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationCompositeRoleTest.java Normal file
View file

@ -0,0 +1,133 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.authz;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.DecisionEffect;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
import org.keycloak.testsuite.AbstractKeycloakTest;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class PolicyEvaluationCompositeRoleTest extends AbstractKeycloakTest {
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
RealmRepresentation testRealmRep = new RealmRepresentation();
testRealmRep.setId(TEST);
testRealmRep.setRealm(TEST);
testRealmRep.setEnabled(true);
testRealms.add(testRealmRep);
}
public static void setup(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
ClientModel client = session.realms().addClient(realm, "myclient");
RoleModel role1 = client.addRole("client-role1");
AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().create(client.getId());
Policy policy = createRolePolicy(authz, resourceServer, role1);
Scope scope = authz.getStoreFactory().getScopeStore().create("myscope", resourceServer);
Resource resource = authz.getStoreFactory().getResourceStore().create("myresource", resourceServer, resourceServer.getClientId());
addScopePermission(authz, resourceServer, "mypermission", resource, scope, policy);
RoleModel composite = realm.addRole("composite");
composite.addCompositeRole(role1);
UserModel user = session.users().addUser(realm, "user");
user.grantRole(composite);
}
private static Policy addScopePermission(AuthorizationProvider authz, ResourceServer resourceServer, String name, Resource resource, Scope scope, Policy policy) {
Policy permission = authz.getStoreFactory().getPolicyStore().create(name, "scope", resourceServer);
String resources = "[\"" + resource.getId() + "\"]";
String scopes = "[\"" + scope.getId() + "\"]";
String applyPolicies = "[\"" + policy.getId() + "\"]";
Map<String, String> config = new HashMap<>();
config.put("resources", resources);
config.put("scopes", scopes);
config.put("applyPolicies", applyPolicies);
permission.setConfig(config);
permission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
permission.setLogic(Logic.POSITIVE);
permission.addResource(resource);
permission.addScope(scope);
permission.addAssociatedPolicy(policy);
return permission;
}
private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
Policy policy = authz.getStoreFactory().getPolicyStore().create(role.getName(), "role", resourceServer);
String roleValues = "[{\"id\":\"" + role.getId() + "\",\"required\": true}]";
policy.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
policy.setLogic(Logic.POSITIVE);
Map<String, String> config = new HashMap<>();
config.put("roles", roleValues);
policy.setConfig(config);
return policy;
}
@Test
public void testCreate() throws Exception {
testingClient.server().run(PolicyEvaluationCompositeRoleTest::setup);
RealmResource realm = adminClient.realm(TEST);
String resourceServerId = realm.clients().findByClientId("myclient").get(0).getId();
UserRepresentation user = realm.users().search("user").get(0);
PolicyEvaluationRequest request = new PolicyEvaluationRequest();
request.setUserId(user.getId());
request.setClientId(resourceServerId);
request.addResource("myresource", "myscope");
PolicyEvaluationResponse result = realm.clients().get(resourceServerId).authorization().policies().evaluate(request);
Assert.assertEquals(result.getStatus(), DecisionEffect.PERMIT);
}
}

2
testsuite/integration/src/test/java/org/keycloak/testsuite/adapter/AdapterTest.java
View file

@ -99,7 +99,7 @@ public class AdapterTest {
@Rule @Rule
public AdapterTestStrategy testStrategy = new AdapterTestStrategy("http://localhost:8081/auth", "http://localhost:8081", keycloakRule); public AdapterTestStrategy testStrategy = new AdapterTestStrategy("http://localhost:8081/auth", "http://localhost:8081", keycloakRule);
//@Test @Test
public void testUi() throws Exception { public void testUi() throws Exception {
Thread.sleep(1000000000); Thread.sleep(1000000000);
} }