libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

show permissions

Browse source
This commit is contained in:
Bill Burke 2017-08-09 10:39:59 -04:00
parent 3470b1839d
commit 45eac1093d
5 changed files with 30 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
View file

@ -40,9 +40,13 @@ import java.util.Arrays;
import java.util.Collection; import java.util.Collection;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet; import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import static org.keycloak.services.resources.admin.permissions.AdminPermissionManagement.EXCHANGE_FROM_SCOPE;
import static org.keycloak.services.resources.admin.permissions.AdminPermissionManagement.EXCHANGE_TO_SCOPE;
/** /**
* Manages default policies for all users. * Manages default policies for all users.
* *
@ -88,11 +92,11 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
} }
private String getExchangeToPermissionName(ClientModel client) { private String getExchangeToPermissionName(ClientModel client) {
return AdminPermissionManagement.EXCHANGE_TO_SCOPE + ".permission.client." + client.getId(); return EXCHANGE_TO_SCOPE + ".permission.client." + client.getId();
} }
private String getExchangeFromPermissionName(ClientModel client) { private String getExchangeFromPermissionName(ClientModel client) {
return AdminPermissionManagement.EXCHANGE_FROM_SCOPE + ".permission.client." + client.getId(); return EXCHANGE_FROM_SCOPE + ".permission.client." + client.getId();
} }
private void initialize(ClientModel client) { private void initialize(ClientModel client) {
@ -112,8 +116,8 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
Scope mapRoleClientScope = root.initializeScope(MAP_ROLES_CLIENT_SCOPE, server); Scope mapRoleClientScope = root.initializeScope(MAP_ROLES_CLIENT_SCOPE, server);
Scope mapRoleCompositeScope = root.initializeScope(MAP_ROLES_COMPOSITE_SCOPE, server); Scope mapRoleCompositeScope = root.initializeScope(MAP_ROLES_COMPOSITE_SCOPE, server);
Scope configureScope = root.initializeScope(CONFIGURE_SCOPE, server); Scope configureScope = root.initializeScope(CONFIGURE_SCOPE, server);
Scope exchangeFromScope = root.initializeScope(AdminPermissionManagement.EXCHANGE_FROM_SCOPE, server); Scope exchangeFromScope = root.initializeScope(EXCHANGE_FROM_SCOPE, server);
Scope exchangeToScope = root.initializeScope(AdminPermissionManagement.EXCHANGE_TO_SCOPE, server); Scope exchangeToScope = root.initializeScope(EXCHANGE_TO_SCOPE, server);
String resourceName = getResourceName(client); String resourceName = getResourceName(client);
Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId()); Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId());
@ -190,6 +194,8 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
deletePolicy(getMapRolesClientScopePermissionName(client), server); deletePolicy(getMapRolesClientScopePermissionName(client), server);
deletePolicy(getMapRolesCompositePermissionName(client), server); deletePolicy(getMapRolesCompositePermissionName(client), server);
deletePolicy(getConfigurePermissionName(client), server); deletePolicy(getConfigurePermissionName(client), server);
deletePolicy(getExchangeToPermissionName(client), server);
deletePolicy(getExchangeFromPermissionName(client), server);
Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());; Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());;
if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId()); if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId());
} }
@ -218,11 +224,11 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
} }
private Scope exchangeFromScope(ResourceServer server) { private Scope exchangeFromScope(ResourceServer server) {
return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.EXCHANGE_FROM_SCOPE, server.getId()); return authz.getStoreFactory().getScopeStore().findByName(EXCHANGE_FROM_SCOPE, server.getId());
} }
private Scope exchangeToScope(ResourceServer server) { private Scope exchangeToScope(ResourceServer server) {
return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.EXCHANGE_TO_SCOPE, server.getId()); return authz.getStoreFactory().getScopeStore().findByName(EXCHANGE_TO_SCOPE, server.getId());
} }
private Scope configureScope(ResourceServer server) { private Scope configureScope(ResourceServer server) {
@ -301,13 +307,15 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
@Override @Override
public Map<String, String> getPermissions(ClientModel client) { public Map<String, String> getPermissions(ClientModel client) {
initialize(client); initialize(client);
Map<String, String> scopes = new HashMap<>(); Map<String, String> scopes = new LinkedHashMap<>();
scopes.put(MAP_ROLES_SCOPE, mapRolesPermission(client).getId());
scopes.put(MAP_ROLES_CLIENT_SCOPE, mapRolesClientScopePermission(client).getId());
scopes.put(MAP_ROLES_COMPOSITE_SCOPE, mapRolesCompositePermission(client).getId());
scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(client).getId()); scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(client).getId());
scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(client).getId()); scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(client).getId());
scopes.put(CONFIGURE_SCOPE, configurePermission(client).getId()); scopes.put(CONFIGURE_SCOPE, configurePermission(client).getId());
scopes.put(MAP_ROLES_SCOPE, mapRolesPermission(client).getId());
scopes.put(MAP_ROLES_CLIENT_SCOPE, mapRolesClientScopePermission(client).getId());
scopes.put(MAP_ROLES_COMPOSITE_SCOPE, mapRolesCompositePermission(client).getId());
scopes.put(EXCHANGE_FROM_SCOPE, exchangeFromPermission(client).getId());
scopes.put(EXCHANGE_TO_SCOPE, exchangeToPermission(client).getId());
return scopes; return scopes;
} }
@ -341,7 +349,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
Scope scope = exchangeFromScope(server); Scope scope = exchangeFromScope(server);
if (scope == null) { if (scope == null) {
logger.debug(AdminPermissionManagement.EXCHANGE_FROM_SCOPE + " not initialized"); logger.debug(EXCHANGE_FROM_SCOPE + " not initialized");
return false; return false;
} }
ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient); ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient);
@ -390,7 +398,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
Scope scope = exchangeToScope(server); Scope scope = exchangeToScope(server);
if (scope == null) { if (scope == null) {
logger.debug(AdminPermissionManagement.EXCHANGE_TO_SCOPE + " not initialized"); logger.debug(EXCHANGE_TO_SCOPE + " not initialized");
return false; return false;
} }
ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient); ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient);

5
services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
View file

@ -31,6 +31,7 @@ import org.keycloak.services.ForbiddenException;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet; import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
@ -243,11 +244,11 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
@Override @Override
public Map<String, String> getPermissions(GroupModel group) { public Map<String, String> getPermissions(GroupModel group) {
initialize(group); initialize(group);
Map<String, String> scopes = new HashMap<>(); Map<String, String> scopes = new LinkedHashMap<>();
scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(group).getId()); scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(group).getId());
scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(group).getId()); scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(group).getId());
scopes.put(MANAGE_MEMBERS_SCOPE, manageMembersPermission(group).getId());
scopes.put(VIEW_MEMBERS_SCOPE, viewMembersPermission(group).getId()); scopes.put(VIEW_MEMBERS_SCOPE, viewMembersPermission(group).getId());
scopes.put(MANAGE_MEMBERS_SCOPE, manageMembersPermission(group).getId());
scopes.put(MANAGE_MEMBERSHIP_SCOPE, manageMembershipPermission(group).getId()); scopes.put(MANAGE_MEMBERSHIP_SCOPE, manageMembershipPermission(group).getId());
return scopes; return scopes;
} }

3
services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
View file

@ -36,6 +36,7 @@ import org.keycloak.services.ForbiddenException;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet; import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
@ -88,7 +89,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
@Override @Override
public Map<String, String> getPermissions(RoleModel role) { public Map<String, String> getPermissions(RoleModel role) {
initialize(role); initialize(role);
Map<String, String> scopes = new HashMap<>(); Map<String, String> scopes = new LinkedHashMap<>();
scopes.put(RolePermissionManagement.MAP_ROLE_SCOPE, mapRolePermission(role).getId()); scopes.put(RolePermissionManagement.MAP_ROLE_SCOPE, mapRolePermission(role).getId());
scopes.put(RolePermissionManagement.MAP_ROLE_CLIENT_SCOPE_SCOPE, mapClientScopePermission(role).getId()); scopes.put(RolePermissionManagement.MAP_ROLE_CLIENT_SCOPE_SCOPE, mapClientScopePermission(role).getId());
scopes.put(RolePermissionManagement.MAP_ROLE_COMPOSITE_SCOPE, mapCompositePermission(role).getId()); scopes.put(RolePermissionManagement.MAP_ROLE_COMPOSITE_SCOPE, mapCompositePermission(role).getId());

5
services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
View file

@ -34,6 +34,7 @@ import org.keycloak.services.ForbiddenException;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet; import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
@ -122,9 +123,9 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
@Override @Override
public Map<String, String> getPermissions() { public Map<String, String> getPermissions() {
initialize(); initialize();
Map<String, String> scopes = new HashMap<>(); Map<String, String> scopes = new LinkedHashMap<>();
scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission().getId());
scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission().getId()); scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission().getId());
scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission().getId());
scopes.put(MAP_ROLES_SCOPE, mapRolesPermission().getId()); scopes.put(MAP_ROLES_SCOPE, mapRolesPermission().getId());
scopes.put(MANAGE_GROUP_MEMBERSHIP_SCOPE, manageGroupMembershipPermission().getId()); scopes.put(MANAGE_GROUP_MEMBERSHIP_SCOPE, manageGroupMembershipPermission().getId());
scopes.put(IMPERSONATE_SCOPE, adminImpersonatingPermission().getId()); scopes.put(IMPERSONATE_SCOPE, adminImpersonatingPermission().getId());

2
themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
View file

@ -1340,6 +1340,8 @@ manage-permissions-group.tooltip=Fine grain permssions for admins that want to m
manage-authz-group-scope-description=Policies that decide if an admin can manage this group manage-authz-group-scope-description=Policies that decide if an admin can manage this group
view-authz-group-scope-description=Policies that decide if an admin can view this group view-authz-group-scope-description=Policies that decide if an admin can view this group
view-members-authz-group-scope-description=Policies that decide if an admin can manage the members of this group view-members-authz-group-scope-description=Policies that decide if an admin can manage the members of this group
exchange-to-authz-client-scope-description=Policies that decide which clients are allowed exchange tokens for a token that is targeted to this client.
exchange-from-authz-client-scope-description=Policies that decide which clients are allowed to exchange tokens that were generated for this client.
manage-authz-client-scope-description=Policies that decide if an admin can manage this client manage-authz-client-scope-description=Policies that decide if an admin can manage this client
configure-authz-client-scope-description=Reduced management permissions for admin. Cannot set scope, template, or protocol mappers. configure-authz-client-scope-description=Reduced management permissions for admin. Cannot set scope, template, or protocol mappers.
view-authz-client-scope-description=Policies that decide if an admin can view this client view-authz-client-scope-description=Policies that decide if an admin can view this client