[KEYCLOAK-4983] - Authz settings export of role-based policy generates JSON with only role names
parent
1cddaeb707
commit
3760f2753b
7 changed files with 62 additions and 21 deletions
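--- a/<PATH NOT SHOWN>/RolePolicyProviderFactory.java
+++ b/<PATH NOT SHOWN>/RolePolicyProviderFactory.java
@@ -108,6 +108,30 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
 }
 }
 
+@Override
+public void onExport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorizationProvider) {
+Map<String, String> config = new HashMap<>();
+Set<RolePolicyRepresentation.RoleDefinition> roles = toRepresentation(policy, new RolePolicyRepresentation()).getRoles();
+
+for (RolePolicyRepresentation.RoleDefinition roleDefinition : roles) {
+RoleModel role = authorizationProvider.getRealm().getRoleById(roleDefinition.getId());
+
+if (role.isClientRole()) {
+roleDefinition.setId(ClientModel.class.cast(role.getContainer()).getClientId() + "/" + role.getName());
+} else {
+roleDefinition.setId(role.getName());
+}
+}
+
+try {
+config.put("roles", JsonSerialization.writeValueAsString(roles));
+} catch (IOException cause) {
+throw new RuntimeException("Failed to export role policy [" + policy.getName() + "]", cause);
+}
+
+representation.setConfig(config);
+}
+
 private void updateRoles(Policy policy, RolePolicyRepresentation representation, AuthorizationProvider authorization) {
 updateRoles(policy, authorization, representation.getRoles());
 }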
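Review bot: The result of `authorizationProvider.getRealm().getRoleById(roleDefinition.getId())` is dereferenced at `role.isClientRole()` without a null check, so a policy that still references a deleted role aborts the export with a bare NullPointerException rather than the "Failed to export role policy" message the catch block below only produces for IOException; add `if (role == null) {` / `throw new RuntimeException("Failed to export role policy [" + policy.getName() + "]: role [" + roleDefinition.getId() + "] not found");` / `}` before the branch (or skip the entry), and the same missing-entity check applies to the user lookup in UserPolicyProviderFactory.onExport. Two further points deserve a comment on this method: `config` starts as an empty HashMap, so any key other than `roles` in the stored policy config is dropped by this override, whereas the interface default copies `policy.getConfig()` unchanged; and `setId(...)` overloads the `id` field with `clientId + "/" + roleName`, which is only unambiguous if client ids cannot contain `/` — the import side is not in this commit, so confirm the split rule there matches.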
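--- a/<PATH NOT SHOWN>/UserPolicyProviderFactory.java
+++ b/<PATH NOT SHOWN>/UserPolicyProviderFactory.java
@@ -20,11 +20,13 @@ package org.keycloak.authorization.policy.provider.user;
 
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.function.Function;
+import java.util.stream.Collectors;
 
 import org.keycloak.Config;
 import org.keycloak.authorization.AuthorizationProvider;
@@ -106,6 +108,23 @@ public class UserPolicyProviderFactory implements PolicyProviderFactory<UserPoli
 }
 }
 
+@Override
+public void onExport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorizationProvider) {
+UserPolicyRepresentation userRep = toRepresentation(policy, new UserPolicyRepresentation());
+Map<String, String> config = new HashMap<>();
+
+try {
+UserProvider userProvider = authorizationProvider.getKeycloakSession().users();
+RealmModel realm = authorizationProvider.getRealm();
+
+config.put("users", JsonSerialization.writeValueAsString(userRep.getUsers().stream().map(id -> userProvider.getUserById(id, realm).getUsername()).collect(Collectors.toList())));
+} catch (IOException cause) {
+throw new RuntimeException("Failed to export user policy [" + policy.getName() + "]", cause);
+}
+
+representation.setConfig(config);
+}
+
 private void updateUsers(Policy policy, UserPolicyRepresentation representation, AuthorizationProvider authorization) {
 updateUsers(policy, authorization, representation.getUsers());
 }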
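Review bot: The `config.put("users", ...)` line in the onExport hunk folds the user lookup, the stream, the JSON serialization and the map insertion into one statement, which hides where a failure comes from and makes the id-to-username translation hard to spot; split it as `List<String> usernames = userRep.getUsers().stream().map(id -> userProvider.getUserById(id, realm).getUsername()).collect(Collectors.toList());` followed by `config.put("users", JsonSerialization.writeValueAsString(usernames));`. The `userProvider` and `realm` lookups do not throw IOException, so they can move above the `try` and the catch then covers only the serialization it is written for. A short comment such as `// export usernames, not ids, so the file imports into a realm with different user ids` would record why the stored config is rewritten here.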
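--- a/<PATH NOT SHOWN>/PolicyProviderFactory.java
+++ b/<PATH NOT SHOWN>/PolicyProviderFactory.java
@@ -60,6 +60,10 @@ public interface PolicyProviderFactory<R extends AbstractPolicyRepresentation> e
 
 }
 
+default void onExport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorizationProvider) {
+representation.setConfig(policy.getConfig());
+}
+
 default PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
 return null;
 }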
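Review bot: The new `onExport` default method has no Javadoc, although it is the extension point every policy provider is now expected to implement and the two implementations in this commit depart from the default in a non-obvious way (they replace the whole config with a single key holding names instead of ids). A Javadoc along the lines of `/** Populates {@code representation}'s config when {@code policy} is converted to a {@link PolicyRepresentation}; implementations should replace realm-specific ids with portable names so the result can be imported elsewhere. The default copies the stored config unchanged. */` would make the contract explicit. It is also worth stating whether implementations may return a config that omits keys present in `policy.getConfig()`, since callers comparing the two will otherwise be surprised.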
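--- a/<PATH NOT SHOWN>/ModelToRepresentation.java
+++ b/<PATH NOT SHOWN>/ModelToRepresentation.java
@@ -817,7 +817,11 @@ public class ModelToRepresentation {
 representation.setLogic(policy.getLogic());
 
 if (representation instanceof PolicyRepresentation) {
+if (providerFactory != null) {
+providerFactory.onExport(policy, PolicyRepresentation.class.cast(representation), authorization);
+} else {
 PolicyRepresentation.class.cast(representation).setConfig(policy.getConfig());
+}
 } else {
 representation = (R) providerFactory.toRepresentation(policy, representation);
 }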
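Review bot: The hook named `onExport` is invoked from the generic `toRepresentation` path, so every `PolicyRepresentation` built here — not only the realm export — now carries `roles`/`users` config values rewritten to names; the test in ExportImportUtil confirms this by reading `authzResource.policies().policies()` through the admin API and expecting `"id":"realm-management/impersonation"`. If anything else consumes that config expecting ids (an admin console edit form, or an import of a representation obtained this way), it should be checked against the new format, and either the method name or a comment at the call site, e.g. `// provider may rewrite ids to portable names; applies to admin API responses too`, should say this is not export-only. The added null guard also implies `providerFactory` can be null, yet the unchanged `else` branch directly below still dereferences it; if null is genuinely possible the guard belongs before the outer `if`, otherwise the new branch is dead and `Objects.requireNonNull` would state the assumption. The enclosing method starts and ends outside the hunk.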
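--- a/<PATH NOT SHOWN>/ExportUtils.java
+++ b/<PATH NOT SHOWN>/ExportUtils.java
@@ -370,24 +370,6 @@ public class ExportUtils {
 
 rep.setConfig(config);
 
-String roles = config.get("roles");
-
-if (roles != null && !roles.isEmpty()) {
-List<Map> rolesMap = JsonSerialization.readValue(roles, List.class);
-config.put("roles", JsonSerialization.writeValueAsString(rolesMap.stream().map(roleMap -> {
-roleMap.put("id", realm.getRoleById(roleMap.get("id").toString()).getName());
-return roleMap;
-}).collect(Collectors.toList())));
-}
-
-String users = config.get("users");
-
-if (users != null && !users.isEmpty()) {
-UserProvider userManager = session.users();
-List<String> userIds = JsonSerialization.readValue(users, List.class);
-config.put("users", JsonSerialization.writeValueAsString(userIds.stream().map(userId -> userManager.getUserById(userId, realm).getUsername()).collect(Collectors.toList())));
-}
-
 Set<Scope> scopes = policy.getScopes();
 
 if (!scopes.isEmpty()) {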
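--- a/<PATH NOT SHOWN>/ExportImportUtil.java
+++ b/<PATH NOT SHOWN>/ExportImportUtil.java
@@ -627,10 +627,11 @@ public class ExportImportUtil {
 assertPredicate(scopes, scopePredicates);
 
 List<PolicyRepresentation> policies = authzResource.policies().policies();
-Assert.assertEquals(11, policies.size());
+Assert.assertEquals(12, policies.size());
 List<Predicate<PolicyRepresentation>> policyPredicates = new ArrayList<>();
 policyPredicates.add(policyRepresentation -> "Any Admin Policy".equals(policyRepresentation.getName()));
 policyPredicates.add(policyRepresentation -> "Any User Policy".equals(policyRepresentation.getName()));
+policyPredicates.add(representation -> "Client and Realm Role Policy".equals(representation.getName()) && representation.getConfig().get("roles").contains("\"id\":\"realm-management/impersonation\""));
 policyPredicates.add(policyRepresentation -> "Only Premium User Policy".equals(policyRepresentation.getName()));
 policyPredicates.add(policyRepresentation -> "wburke policy".equals(policyRepresentation.getName()));
 policyPredicates.add(policyRepresentation -> "All Users Policy".equals(policyRepresentation.getName()));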
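Review bot: The new predicate for "Client and Realm Role Policy" checks only that the exported `roles` string contains the client-role entry `"id":"realm-management/impersonation"`; it does not verify that the realm role in the same fixture comes out as a bare name, nor that the `required` flags survive the id-to-name rewrite, which are the two other things this commit changes. Extending the condition with `&& representation.getConfig().get("roles").contains("\"id\":\"user\"")` and `&& representation.getConfig().get("roles").contains("\"required\":true")` would pin both. A substring match on serialized JSON is also order- and whitespace-sensitive; if the test starts failing on a serializer change, parsing the value into a list of role definitions and asserting on fields would be more robust.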
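--- a/<PATH NOT SHOWN>.json
+++ b/<PATH NOT SHOWN>.json
@@ -282,6 +282,13 @@
 "roles": "[{\"id\":\"user\"}]"
 }
 },
+{
+"name": "Client and Realm Role Policy",
+"type": "role",
+"config": {
+"roles": "[{\"id\":\"realm-management/impersonation\",\"required\":false},{\"id\":\"realm-management/manage-authorization\",\"required\":true},{\"id\":\"user\",\"required\":false}]"
+}
+},
 {
 "name": "Only Premium User Policy",
 "description": "Defines that only premium users can do something",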