libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

[KEYCLOAK-3135] - Using abstract policy representation when creating policies and updating tests

Browse source
This commit is contained in:
Pedro Igor 2017-04-11 16:47:42 -03:00
parent d60dcb4c62
commit 54ebc1918c
28 changed files with 385 additions and 358 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java
View file

@ -17,7 +17,7 @@ import org.keycloak.representations.idm.authorization.ResourcePermissionRepresen
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class ResourcePolicyProviderFactory implements PolicyProviderFactory {
public class ResourcePolicyProviderFactory implements PolicyProviderFactory<ResourcePermissionRepresentation> {
private ResourcePolicyProvider provider = new ResourcePolicyProvider();
@ -36,6 +36,17 @@ public class ResourcePolicyProviderFactory implements PolicyProviderFactory {
return provider;
}
@Override
public Class<ResourcePermissionRepresentation> getRepresentationType() {
return ResourcePermissionRepresentation.class;
}
@Override
public ResourcePermissionRepresentation toRepresentation(Policy policy, ResourcePermissionRepresentation representation) {
representation.setResourceType(policy.getConfig().get("defaultResourceType"));
return representation;
}
@Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return new PolicyProviderAdminService() {
@ -71,20 +82,6 @@ public class ResourcePolicyProviderFactory implements PolicyProviderFactory {
public void onRemove(Policy policy) {
}
@Override
public Class<? extends AbstractPolicyRepresentation> getRepresentationType() {
return ResourcePermissionRepresentation.class;
}
@Override
public ResourcePermissionRepresentation toRepresentation(Policy policy) {
ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
representation.setResourceType(policy.getConfig().get("defaultResourceType"));
return representation;
}
};
}

27
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/scope/ScopePolicyProviderFactory.java
View file

@ -3,9 +3,7 @@ package org.keycloak.authorization.policy.provider.scope;
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
@ -14,7 +12,7 @@ import org.keycloak.representations.idm.authorization.ScopePermissionRepresentat
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class ScopePolicyProviderFactory implements PolicyProviderFactory {
public class ScopePolicyProviderFactory implements PolicyProviderFactory<ScopePermissionRepresentation> {
private ScopePolicyProvider provider = new ScopePolicyProvider();
@ -34,23 +32,18 @@ public class ScopePolicyProviderFactory implements PolicyProviderFactory {
}
@Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return new PolicyProviderAdminService() {
@Override
public Class<ScopePermissionRepresentation> getRepresentationType() {
return ScopePermissionRepresentation.class;
}
@Override
public ScopePermissionRepresentation toRepresentation(Policy policy) {
return new ScopePermissionRepresentation();
}
};
public PolicyProvider create(KeycloakSession session) {
return null;
}
@Override
public PolicyProvider create(KeycloakSession session) {
return null;
public Class<ScopePermissionRepresentation> getRepresentationType() {
return ScopePermissionRepresentation.class;
}
@Override
public ScopePermissionRepresentation toRepresentation(Policy policy, ScopePermissionRepresentation representation) {
return representation;
}
@Override

2
core/src/main/java/org/keycloak/representations/idm/authorization/AbstractPolicyRepresentation.java
View file

@ -110,7 +110,7 @@ public class AbstractPolicyRepresentation {
return scopes;
}
public void addScopes(String... id) {
public void addScope(String... id) {
if (this.scopes == null) {
this.scopes = new HashSet<>();
}

5
core/src/main/java/org/keycloak/representations/idm/authorization/ResourcePermissionRepresentation.java
View file

@ -23,6 +23,11 @@ public class ResourcePermissionRepresentation extends AbstractPolicyRepresentati
private String resourceType;
@Override
public String getType() {
return "resource";
}
public void setResourceType(String resourceType) {
this.resourceType = resourceType;
}

5
core/src/main/java/org/keycloak/representations/idm/authorization/ScopePermissionRepresentation.java
View file

@ -20,4 +20,9 @@ package org.keycloak.representations.idm.authorization;
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class ScopePermissionRepresentation extends AbstractPolicyRepresentation {
@Override
public String getType() {
return "scope";
}
}

5
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java
View file

@ -42,6 +42,7 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.authorization.infinispan.InfinispanStoreFactoryProvider.CacheTransaction;
import org.keycloak.models.authorization.infinispan.entities.CachedPolicy;
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
@ -74,8 +75,8 @@ public class CachedPolicyStore implements PolicyStore {
}
@Override
public Policy create(String name, String type, ResourceServer resourceServer) {
Policy policy = getDelegate().create(name, type, getStoreFactory().getResourceServerStore().findById(resourceServer.getId()));
public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) {
Policy policy = getDelegate().create(representation, getStoreFactory().getResourceServerStore().findById(resourceServer.getId()));
String id = policy.getId();
this.transaction.whenRollback(() -> {

17
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java
View file

@ -19,12 +19,13 @@ package org.keycloak.authorization.jpa.store;
import org.keycloak.authorization.jpa.entities.PolicyEntity;
import org.keycloak.authorization.jpa.entities.ResourceServerEntity;
import org.keycloak.authorization.jpa.entities.ScopeEntity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
@ -34,7 +35,6 @@ import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Predicate;
import javax.persistence.criteria.Root;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
@ -45,19 +45,22 @@ import java.util.Map;
public class JPAPolicyStore implements PolicyStore {
private final EntityManager entityManager;
private final StoreFactory storeFactory;
public JPAPolicyStore(EntityManager entityManager) {
public JPAPolicyStore(EntityManager entityManager, StoreFactory storeFactory) {
this.entityManager = entityManager;
this.storeFactory = storeFactory;
}
@Override
public Policy create(String name, String type, ResourceServer resourceServer) {
public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) {
PolicyEntity entity = new PolicyEntity();
entity.setId(KeycloakModelUtils.generateId());
entity.setName(name);
entity.setType(type);
entity.setResourceServer((ResourceServerEntity) resourceServer);
entity.setType(representation.getType());
entity = (PolicyEntity) RepresentationToModel.toModel(representation, storeFactory, entity);
this.entityManager.persist(entity);

2
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java
View file

@ -39,7 +39,7 @@ public class JPAStoreFactory implements StoreFactory {
@Override
public PolicyStore getPolicyStore() {
return new JPAPolicyStore(this.entityManager);
return new JPAPolicyStore(this.entityManager, this);
}
@Override

8
server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java
View file

@ -37,12 +37,4 @@ public interface PolicyProviderAdminService<R extends AbstractPolicyRepresentati
default void onRemove(Policy policy) {
}
default R toRepresentation(Policy policy) {
return null;
}
default Class<R> getRepresentationType() {
return null;
}
}

17
server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java
View file

@ -19,13 +19,16 @@
package org.keycloak.authorization.policy.provider;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.provider.ProviderFactory;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public interface PolicyProviderFactory extends ProviderFactory<PolicyProvider> {
public interface PolicyProviderFactory<R extends AbstractPolicyRepresentation> extends ProviderFactory<PolicyProvider> {
String getName();
@ -33,5 +36,15 @@ public interface PolicyProviderFactory extends ProviderFactory<PolicyProvider> {
PolicyProvider create(AuthorizationProvider authorization);
PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization);
default R toRepresentation(Policy policy, R representation) {
return representation;
}
default Class<R> getRepresentationType() {
return (Class<R>) PolicyRepresentation.class;
}
default PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null;
}
}

12
server-spi-private/src/main/java/org/keycloak/authorization/store/PolicyStore.java
View file

@ -18,12 +18,13 @@
package org.keycloak.authorization.store;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import java.util.List;
import java.util.Map;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
/**
* A {@link PolicyStore} is responsible to manage the persistence of {@link Policy} instances.
*
@ -35,12 +36,11 @@ public interface PolicyStore {
* Creates a new {@link Policy} instance. The new instance is not necessarily persisted though, which may require
* a call to the {#save} method to actually make it persistent.
*
* @param name the name of the policy
* @param type the type of the policy
* @param representation the policy representation
* @param resourceServer the resource server to which this policy belongs
* @return a new instance of {@link Policy}
*/
Policy create(String name, String type, ResourceServer resourceServer);
Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer);
/**
* Deletes a policy from the underlying persistence mechanism.

33
server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
View file

@ -33,6 +33,7 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.common.util.Time;
@ -87,6 +88,7 @@ import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserConsentRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.UserSessionRepresentation;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
@ -793,16 +795,29 @@ public class ModelToRepresentation {
return server;
}
public static PolicyRepresentation toRepresentation(Policy model) {
PolicyRepresentation representation = new PolicyRepresentation();
public static <R extends AbstractPolicyRepresentation> R toRepresentation(Policy policy, Class<R> representationType, AuthorizationProvider authorization) {
R representation;
representation.setId(model.getId());
representation.setName(model.getName());
representation.setDescription(model.getDescription());
representation.setType(model.getType());
representation.setDecisionStrategy(model.getDecisionStrategy());
representation.setLogic(model.getLogic());
representation.setConfig(new HashMap<>(model.getConfig()));
try {
representation = representationType.newInstance();
} catch (Exception cause) {
throw new RuntimeException("Could not create policy [" + policy.getType() + "] representation", cause);
}
PolicyProviderFactory providerFactory = authorization.getProviderFactory(policy.getType());
representation.setId(policy.getId());
representation.setName(policy.getName());
representation.setDescription(policy.getDescription());
representation.setType(policy.getType());
representation.setDecisionStrategy(policy.getDecisionStrategy());
representation.setLogic(policy.getLogic());
if (representation instanceof PolicyRepresentation) {
PolicyRepresentation.class.cast(representation).setConfig(policy.getConfig());
} else {
representation = (R) providerFactory.toRepresentation(policy, representation);
}
return representation;
}

198
server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
View file

@ -36,7 +36,6 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
@ -2037,7 +2036,7 @@ public class RepresentationToModel {
return newScope.getId();
}).collect(Collectors.toList())));
} catch (Exception e) {
throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
throw new RuntimeException("Error while importing policy [" + policyRepresentation.getName() + "].", e);
}
}
@ -2061,7 +2060,7 @@ public class RepresentationToModel {
return resource.getId();
}).collect(Collectors.toList())));
} catch (Exception e) {
throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
throw new RuntimeException("Error while importing policy [" + policyRepresentation.getName() + "].", e);
}
}
@ -2088,118 +2087,93 @@ public class RepresentationToModel {
return policy.getId();
}).collect(Collectors.toList())));
} catch (Exception e) {
throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
throw new RuntimeException("Error while importing policy [" + policyRepresentation.getName() + "].", e);
}
}
if (parentPolicyName == null) {
toModel(policyRepresentation, resourceServer, authorization);
} else if (parentPolicyName.equals(policyRepresentation.getName())) {
return toModel(policyRepresentation, resourceServer, authorization);
PolicyStore policyStore = storeFactory.getPolicyStore();
Policy policy = policyStore.findById(policyRepresentation.getId(), resourceServer.getId());
if (policy == null) {
policy = policyStore.findByName(policyRepresentation.getName(), resourceServer.getId());
}
if (policy == null) {
policy = policyStore.create(policyRepresentation, resourceServer);
} else {
toModel(policyRepresentation, storeFactory, policy);
}
if (parentPolicyName != null && parentPolicyName.equals(policyRepresentation.getName())) {
return policy;
}
}
return null;
}
public static Policy toModel(AbstractPolicyRepresentation representation, ResourceServer resourceServer, AuthorizationProvider authorization) {
String type = representation.getType();
PolicyProvider provider = authorization.getProvider(type);
public static Policy toModel(AbstractPolicyRepresentation representation, StoreFactory storeFactory, Policy model) {
model.setName(representation.getName());
model.setDescription(representation.getDescription());
model.setDecisionStrategy(representation.getDecisionStrategy());
model.setLogic(representation.getLogic());
if (provider == null) {
//TODO: temporary, remove this check on future versions as drools type is now deprecated
if ("drools".equalsIgnoreCase(type)) {
type = "rules";
Set resources = representation.getResources();
Set scopes = representation.getScopes();
Set policies = representation.getPolicies();
if (representation instanceof PolicyRepresentation) {
PolicyRepresentation policy = PolicyRepresentation.class.cast(representation);
String resourcesConfig = policy.getConfig().get("resources");
if (resourcesConfig != null) {
try {
resources = JsonSerialization.readValue(resourcesConfig, Set.class);
} catch (IOException e) {
throw new RuntimeException(e);
}
}
if (authorization.getProvider(type) == null) {
throw new RuntimeException("Unknown policy type [" + type + "]. Could not find a provider for this type.");
String scopesConfig = policy.getConfig().get("scopes");
if (scopesConfig != null) {
try {
scopes = JsonSerialization.readValue(scopesConfig, Set.class);
} catch (IOException e) {
throw new RuntimeException(e);
}
}
String policiesConfig = policy.getConfig().get("applyPolicies");
if (policiesConfig != null) {
try {
policies = JsonSerialization.readValue(policiesConfig, Set.class);
} catch (IOException e) {
throw new RuntimeException(e);
}
}
model.setConfig(policy.getConfig());
}
PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
Policy model;
if (representation.getId() != null) {
model = policyStore.findById(representation.getId(), resourceServer.getId());
} else {
model = policyStore.findByName(representation.getName(), resourceServer.getId());
}
if (model != null) {
model.setName(representation.getName());
model.setDescription(representation.getDescription());
model.setDecisionStrategy(representation.getDecisionStrategy());
model.setLogic(representation.getLogic());
} else {
model = policyStore.create(representation.getName(), type, resourceServer);
model.setDescription(representation.getDescription());
model.setDecisionStrategy(representation.getDecisionStrategy());
model.setLogic(representation.getLogic());
}
updateResources(representation.getResources(), model, authorization);
updateScopes(representation.getScopes(), model, authorization);
updateAssociatedPolicies(representation.getPolicies(), model, authorization);
updateResources(resources, model, storeFactory);
updateScopes(scopes, model, storeFactory);
updateAssociatedPolicies(policies, model, storeFactory);
representation.setId(model.getId());
return model;
}
public static Policy toModel(PolicyRepresentation policy, ResourceServer resourceServer, AuthorizationProvider authorization) {
Policy model = toModel(AbstractPolicyRepresentation.class.cast(policy), resourceServer, authorization);
String resources = policy.getConfig().get("resources");
if (resources != null) {
Set resourceIds;
try {
resourceIds = JsonSerialization.readValue(resources, Set.class);
} catch (IOException e) {
throw new RuntimeException(e);
}
updateResources(resourceIds, model, authorization);
}
String scopes = policy.getConfig().get("scopes");
if (scopes != null) {
Set scopeIds;
try {
scopeIds = JsonSerialization.readValue(scopes, Set.class);
} catch (IOException e) {
throw new RuntimeException(e);
}
updateScopes(scopeIds, model, authorization);
}
String policies = policy.getConfig().get("applyPolicies");
if (policies != null) {
Set policyIds;
try {
policyIds = JsonSerialization.readValue(policies, Set.class);
} catch (IOException e) {
throw new RuntimeException(e);
}
updateAssociatedPolicies(policyIds, model, authorization);
}
model.setConfig(policy.getConfig());
return model;
}
private static void updateScopes(Set<String> scopeIds, Policy policy, AuthorizationProvider authorization) {
private static void updateScopes(Set<String> scopeIds, Policy policy, StoreFactory storeFactory) {
if (scopeIds != null) {
StoreFactory storeFactory = authorization.getStoreFactory();
if (scopeIds.isEmpty()) {
for (Scope scope : new HashSet<Scope>(policy.getScopes())) {
policy.removeScope(scope);
}
return;
}
for (String scopeId : scopeIds) {
boolean hasScope = false;
@ -2235,16 +2209,22 @@ public class RepresentationToModel {
policy.removeScope(scopeModel);
}
}
policy.getConfig().remove("scopes");
}
policy.getConfig().remove("scopes");
}
private static void updateAssociatedPolicies(Set<String> policyIds, Policy policy, AuthorizationProvider authorization) {
private static void updateAssociatedPolicies(Set<String> policyIds, Policy policy, StoreFactory storeFactory) {
ResourceServer resourceServer = policy.getResourceServer();
if (policyIds != null) {
StoreFactory storeFactory = authorization.getStoreFactory();
if (policyIds.isEmpty()) {
for (Policy associated: new HashSet<Policy>(policy.getAssociatedPolicies())) {
policy.removeAssociatedPolicy(associated);
}
return;
}
PolicyStore policyStore = storeFactory.getPolicyStore();
for (String policyId : policyIds) {
@ -2280,18 +2260,20 @@ public class RepresentationToModel {
}
if (!hasPolicy) {
policy.removeAssociatedPolicy(policyModel);
;
}
}
policy.getConfig().remove("applyPolicies");
}
policy.getConfig().remove("applyPolicies");
}
private static void updateResources(Set<String> resourceIds, Policy policy, AuthorizationProvider authorization) {
private static void updateResources(Set<String> resourceIds, Policy policy, StoreFactory storeFactory) {
if (resourceIds != null) {
StoreFactory storeFactory = authorization.getStoreFactory();
if (resourceIds.isEmpty()) {
for (Scope scope : new HashSet<Scope>(policy.getScopes())) {
policy.removeScope(scope);
}
}
for (String resourceId : resourceIds) {
boolean hasResource = false;
for (Resource resourceModel : new HashSet<Resource>(policy.getResources())) {
@ -2326,9 +2308,13 @@ public class RepresentationToModel {
policy.removeResource(resourceModel);
}
}
policy.getConfig().remove("resources");
} else {
for (Resource resourceModel : new HashSet<Resource>(policy.getResources())) {
policy.removeResource(resourceModel);
}
}
policy.getConfig().remove("resources");
}
public static Resource toModel(ResourceRepresentation resource, ResourceServer resourceServer, AuthorizationProvider authorization) {

21
services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java
View file

@ -34,7 +34,6 @@ import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.utils.ModelToRepresentation;
@ -78,7 +77,7 @@ public class PolicyResourceService {
representation.setId(policy.getId());
Policy updated = toModel(representation);
Policy updated = RepresentationToModel.toModel(representation, authorization.getStoreFactory(), policy);
PolicyProviderAdminService resource = getPolicyProviderAdminResource(updated.getType());
@ -93,10 +92,6 @@ public class PolicyResourceService {
return Response.status(Status.CREATED).build();
}
protected Policy toModel(AbstractPolicyRepresentation representation) {
return RepresentationToModel.toModel(PolicyRepresentation.class.cast(representation), resourceServer, authorization);
}
@DELETE
public Response delete() {
this.auth.requireManage();
@ -140,11 +135,11 @@ public class PolicyResourceService {
return Response.status(Status.NOT_FOUND).build();
}
return Response.ok(toRepresentation(policy)).build();
return Response.ok(toRepresentation(policy, authorization)).build();
}
protected Object toRepresentation(Policy model) {
return ModelToRepresentation.toRepresentation(model);
protected AbstractPolicyRepresentation toRepresentation(Policy policy, AuthorizationProvider authorization) {
return ModelToRepresentation.toRepresentation(policy, PolicyRepresentation.class, authorization);
}
@Path("/dependentPolicies")
@ -248,13 +243,7 @@ public class PolicyResourceService {
}
protected PolicyProviderAdminService getPolicyProviderAdminResource(String policyType) {
PolicyProviderFactory providerFactory = authorization.getProviderFactory(policyType);
if (providerFactory != null) {
return providerFactory.getAdminResource(resourceServer, authorization);
}
return null;
return authorization.getProviderFactory(policyType).getAdminResource(resourceServer, authorization);
}
protected Policy getPolicy() {

50
services/src/main/java/org/keycloak/authorization/admin/PolicyService.java
View file

@ -17,8 +17,6 @@
*/
package org.keycloak.authorization.admin;
import static org.keycloak.models.utils.RepresentationToModel.toModel;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
@ -53,7 +51,7 @@ import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyProviderRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.resources.admin.RealmAuth;
import org.keycloak.util.JsonSerialization;
@ -97,14 +95,7 @@ public class PolicyService {
this.auth.requireManage();
AbstractPolicyRepresentation representation = doCreateRepresentation(payload);
Policy existing = authorization.getStoreFactory().getPolicyStore().findByName(representation.getName(), resourceServer.getId());
if (existing != null) {
return ErrorResponse.exists("Policy with name [" + representation.getName() + "] already exists");
}
Policy policy = doCreate(representation);
Policy policy = create(representation);
PolicyProviderAdminService provider = getPolicyProviderAdminResource(representation.getType());
if (provider != null) {
@ -121,10 +112,6 @@ public class PolicyService {
return Response.status(Status.CREATED).entity(representation).build();
}
protected Policy doCreate(AbstractPolicyRepresentation representation) {
return create(PolicyRepresentation.class.cast(representation));
}
protected AbstractPolicyRepresentation doCreateRepresentation(String payload) {
PolicyRepresentation representation;
@ -137,8 +124,15 @@ public class PolicyService {
return representation;
}
public Policy create(PolicyRepresentation representation) {
Policy policy = toModel(representation, this.resourceServer, authorization);
public Policy create(AbstractPolicyRepresentation representation) {
PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
Policy existing = policyStore.findByName(representation.getName(), resourceServer.getId());
if (existing != null) {
throw new ErrorResponseException("Policy with name [" + representation.getName() + "] already exists", "Conflicting policy", Status.CONFLICT);
}
Policy policy = policyStore.create(representation, resourceServer);
PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType());
if (resource != null) {
@ -152,10 +146,6 @@ public class PolicyService {
return policy;
}
protected Object toRepresentation(Policy model) {
return ModelToRepresentation.toRepresentation(model);
}
@Path("/search")
@GET
@Produces(MediaType.APPLICATION_JSON)
@ -174,7 +164,7 @@ public class PolicyService {
return Response.status(Status.OK).build();
}
return Response.ok(toRepresentation(model)).build();
return Response.ok(toRepresentation(model, authorization)).build();
}
@GET
@ -251,10 +241,14 @@ public class PolicyService {
.build();
}
protected AbstractPolicyRepresentation toRepresentation(Policy model, AuthorizationProvider authorization) {
return ModelToRepresentation.toRepresentation(model, PolicyRepresentation.class, authorization);
}
protected List<Object> doSearch(Integer firstResult, Integer maxResult, Map<String, String[]> filters) {
PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
return policyStore.findByResourceServer(filters, resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS).stream()
.map(policy -> toRepresentation(policy))
.map(policy -> toRepresentation(policy, authorization))
.collect(Collectors.toList());
}
@ -290,16 +284,10 @@ public class PolicyService {
}
protected PolicyProviderAdminService getPolicyProviderAdminResource(String policyType) {
PolicyProviderFactory providerFactory = getPolicyProviderFactory(policyType);
if (providerFactory != null) {
return providerFactory.getAdminResource(resourceServer, authorization);
}
return null;
return getPolicyProviderFactory(policyType).getAdminResource(resourceServer, authorization);
}
private PolicyProviderFactory getPolicyProviderFactory(String policyType) {
protected PolicyProviderFactory getPolicyProviderFactory(String policyType) {
return authorization.getProviderFactory(policyType);
}

26
services/src/main/java/org/keycloak/authorization/admin/PolicyTypeResourceService.java
View file

@ -21,8 +21,8 @@ import java.io.IOException;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.services.resources.admin.RealmAuth;
import org.keycloak.util.JsonSerialization;
@ -39,7 +39,7 @@ public class PolicyTypeResourceService extends PolicyResourceService {
@Override
protected AbstractPolicyRepresentation doCreateRepresentation(String payload) {
String type = getPolicy().getType();
Class<? extends AbstractPolicyRepresentation> representationType = getPolicyProviderAdminResource(type).getRepresentationType();
Class<? extends AbstractPolicyRepresentation> representationType = authorization.getProviderFactory(type).getRepresentationType();
if (representationType == null) {
throw new RuntimeException("Policy provider for type [" + type + "] returned a null representation type.");
@ -59,22 +59,8 @@ public class PolicyTypeResourceService extends PolicyResourceService {
}
@Override
protected Policy toModel(AbstractPolicyRepresentation representation) {
return RepresentationToModel.toModel(representation, resourceServer, authorization);
}
@Override
protected Object toRepresentation(Policy policy) {
PolicyProviderAdminService provider = getPolicyProviderAdminResource(policy.getType());
AbstractPolicyRepresentation representation = provider.toRepresentation(policy);
representation.setId(policy.getId());
representation.setName(policy.getName());
representation.setDescription(policy.getDescription());
representation.setType(policy.getType());
representation.setDecisionStrategy(policy.getDecisionStrategy());
representation.setLogic(policy.getLogic());
return representation;
protected AbstractPolicyRepresentation toRepresentation(Policy policy, AuthorizationProvider authorization) {
PolicyProviderFactory providerFactory = authorization.getProviderFactory(policy.getType());
return ModelToRepresentation.toRepresentation(policy, providerFactory.getRepresentationType(), authorization);
}
}

15
services/src/main/java/org/keycloak/authorization/admin/PolicyTypeService.java
View file

@ -16,8 +16,6 @@
*/
package org.keycloak.authorization.admin;
import static org.keycloak.models.utils.RepresentationToModel.toModel;
import java.io.IOException;
import javax.ws.rs.Path;
@ -27,6 +25,8 @@ import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.services.resources.admin.RealmAuth;
import org.keycloak.util.JsonSerialization;
@ -47,6 +47,10 @@ public class PolicyTypeService extends PolicyService {
public Object getPolicyAdminResourceProvider() {
PolicyProviderAdminService resource = getPolicyProviderAdminResource(type);
if (resource == null) {
return null;
}
ResteasyProviderFactory.getInstance().injectProperties(resource);
return resource;
@ -59,7 +63,7 @@ public class PolicyTypeService extends PolicyService {
@Override
protected AbstractPolicyRepresentation doCreateRepresentation(String payload) {
PolicyProviderAdminService provider = getPolicyProviderAdminResource(type);
PolicyProviderFactory provider = getPolicyProviderFactory(type);
Class<? extends AbstractPolicyRepresentation> representationType = provider.getRepresentationType();
if (representationType == null) {
@ -80,7 +84,8 @@ public class PolicyTypeService extends PolicyService {
}
@Override
protected Policy doCreate(AbstractPolicyRepresentation representation) {
return toModel(representation, resourceServer, authorization);
protected AbstractPolicyRepresentation toRepresentation(Policy policy, AuthorizationProvider authorization) {
PolicyProviderFactory providerFactory = authorization.getProviderFactory(policy.getType());
return ModelToRepresentation.toRepresentation(policy, providerFactory.getRepresentationType(), authorization);
}
}

1
services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java
View file

@ -58,7 +58,6 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import static org.keycloak.models.utils.ModelToRepresentation.toRepresentation;

2
services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java
View file

@ -337,7 +337,7 @@ public class ExportUtils {
RealmModel realm = authorizationProvider.getRealm();
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
try {
PolicyRepresentation rep = toRepresentation(policy);
PolicyRepresentation rep = toRepresentation(policy, PolicyRepresentation.class, authorizationProvider);
rep.setId(null);

15
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
View file

@ -29,6 +29,7 @@ import org.keycloak.models.RoleModel;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
@ -73,15 +74,19 @@ public class AuthzCleanupTest extends AbstractKeycloakTest {
}
private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
Policy policy = authz.getStoreFactory().getPolicyStore().create(role.getName(), "role", resourceServer);
PolicyRepresentation representation = new PolicyRepresentation();
representation.setName(role.getName());
representation.setType("role");
representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
representation.setLogic(Logic.POSITIVE);
String roleValues = "[{\"id\":\"" + role.getId() + "\",\"required\": true}]";
policy.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
policy.setLogic(Logic.POSITIVE);
Map<String, String> config = new HashMap<>();
config.put("roles", roleValues);
policy.setConfig(config);
return policy;
representation.setConfig(config);
return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}

40
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminLocalTest.java
View file

@ -39,6 +39,8 @@ import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import java.util.HashMap;
@ -102,21 +104,16 @@ public class FineGrainAdminLocalTest extends AbstractKeycloakTest {
}
private static Policy addScopePermission(AuthorizationProvider authz, ResourceServer resourceServer, String name, Resource resource, Scope scope, Policy policy) {
Policy permission = authz.getStoreFactory().getPolicyStore().create(name, "scope", resourceServer);
String resources = "[\"" + resource.getId() + "\"]";
String scopes = "[\"" + scope.getId() + "\"]";
String applyPolicies = "[\"" + policy.getId() + "\"]";
Map<String, String> config = new HashMap<>();
config.put("resources", resources);
config.put("scopes", scopes);
config.put("applyPolicies", applyPolicies);
permission.setConfig(config);
permission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
permission.setLogic(Logic.POSITIVE);
permission.addResource(resource);
permission.addScope(scope);
permission.addAssociatedPolicy(policy);
return permission;
ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
representation.setName(name);
representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
representation.setLogic(Logic.POSITIVE);
representation.addResource(resource.getName());
representation.addScope(scope.getName());
representation.addPolicy(policy.getName());
return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
private static Resource createRoleResource(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
@ -144,15 +141,18 @@ public class FineGrainAdminLocalTest extends AbstractKeycloakTest {
roleName = client.getClientId() ;
}
roleName = "role.policy." + roleName + "." + role.getName();
Policy policy = authz.getStoreFactory().getPolicyStore().create(roleName, "role", resourceServer);
PolicyRepresentation representation = new PolicyRepresentation();
representation.setName(roleName);
representation.setType("role");
representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
representation.setLogic(Logic.POSITIVE);
String roleValues = "[{\"id\":\"" + role.getId() + "\",\"required\": true}]";
policy.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
policy.setLogic(Logic.POSITIVE);
Map<String, String> config = new HashMap<>();
config.put("roles", roleValues);
policy.setConfig(config);
return policy;
representation.setConfig(config);
return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
public static void setupUsers(KeycloakSession session) {

12
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ScopePermissionManagementTest.java
View file

@ -19,8 +19,6 @@ package org.keycloak.testsuite.admin.client.authorization;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;
import java.util.Collections;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.core.Response;
@ -47,7 +45,7 @@ public class ScopePermissionManagementTest extends AbstractPermissionManagementT
representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
representation.setLogic(Logic.NEGATIVE);
representation.addResource("Resource A");
representation.addScopes("read", "execute");
representation.addScope("read", "execute");
representation.addPolicy("Only Marta Policy", "Only Kolo Policy");
assertCreated(authorization, representation);
@ -62,7 +60,7 @@ public class ScopePermissionManagementTest extends AbstractPermissionManagementT
representation.setDescription("description");
representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
representation.setLogic(Logic.NEGATIVE);
representation.addScopes("read", "write");
representation.addScope("read", "write");
representation.addPolicy("Only Marta Policy");
assertCreated(authorization, representation);
@ -78,7 +76,7 @@ public class ScopePermissionManagementTest extends AbstractPermissionManagementT
representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
representation.setLogic(Logic.NEGATIVE);
representation.addResource("Resource A");
representation.addScopes("read", "execute");
representation.addScope("read", "execute");
representation.addPolicy("Only Marta Policy", "Only Kolo Policy");
assertCreated(authorization, representation);
@ -106,7 +104,7 @@ public class ScopePermissionManagementTest extends AbstractPermissionManagementT
ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
representation.setName("Test Delete Permission");
representation.addScopes("execute");
representation.addScope("execute");
representation.addPolicy("Only Marta Policy");
assertCreated(authorization, representation);
@ -131,7 +129,7 @@ public class ScopePermissionManagementTest extends AbstractPermissionManagementT
ScopePermissionRepresentation permission1 = new ScopePermissionRepresentation();
permission1.setName("Conflicting Name Permission");
permission1.addScopes("read");
permission1.addScope("read");
permission1.addPolicy("Only Marta Policy");
ScopePermissionsResource permissions = authorization.permissions().scope();

2
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ConflictingScopePermissionTest.java
View file

@ -213,7 +213,7 @@ public class ConflictingScopePermissionTest extends AbstractKeycloakTest {
representation.addResource(resourceName);
}
representation.addScopes(scopes.toArray(new String[scopes.size()]));
representation.addScope(scopes.toArray(new String[scopes.size()]));
representation.addPolicy(scopes.toArray(new String[policies.size()]));
authorization.permissions().scope().create(representation);

43
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationCompositeRoleTest.java
View file

@ -24,9 +24,7 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
@ -38,6 +36,8 @@ import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import java.util.HashMap;
@ -82,34 +82,33 @@ public class PolicyEvaluationCompositeRoleTest extends AbstractKeycloakTest {
}
private static Policy addScopePermission(AuthorizationProvider authz, ResourceServer resourceServer, String name, Resource resource, Scope scope, Policy policy) {
Policy permission = authz.getStoreFactory().getPolicyStore().create(name, "scope", resourceServer);
String resources = "[\"" + resource.getId() + "\"]";
String scopes = "[\"" + scope.getId() + "\"]";
String applyPolicies = "[\"" + policy.getId() + "\"]";
Map<String, String> config = new HashMap<>();
config.put("resources", resources);
config.put("scopes", scopes);
config.put("applyPolicies", applyPolicies);
permission.setConfig(config);
permission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
permission.setLogic(Logic.POSITIVE);
permission.addResource(resource);
permission.addScope(scope);
permission.addAssociatedPolicy(policy);
return permission;
ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
representation.setName(name);
representation.setType("scope");
representation.addResource(resource.getName());
representation.addScope(scope.getName());
representation.addPolicy(policy.getName());
representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
representation.setLogic(Logic.POSITIVE);
return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
Policy policy = authz.getStoreFactory().getPolicyStore().create(role.getName(), "role", resourceServer);
PolicyRepresentation representation = new PolicyRepresentation();
representation.setName(role.getName());
representation.setType("role");
representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
representation.setLogic(Logic.POSITIVE);
String roleValues = "[{\"id\":\"" + role.getId() + "\",\"required\": true}]";
policy.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
policy.setLogic(Logic.POSITIVE);
Map<String, String> config = new HashMap<>();
config.put("roles", roleValues);
policy.setConfig(config);
return policy;
representation.setConfig(config);
return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}

48
testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/AbstractPhotozAdminTest.java
View file

@ -38,6 +38,7 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.util.JsonSerialization;
@ -246,10 +247,14 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
return onAuthorizationSession(authorizationProvider -> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
Policy policy = policyStore.create("Administration Policy", "aggregate", resourceServer);
PolicyRepresentation representation = new PolicyRepresentation();
policy.addAssociatedPolicy(anyAdminPolicy);
policy.addAssociatedPolicy(onlyFromSpecificAddressPolicy);
representation.setName("Administration Policy");
representation.setType("aggregate");
representation.addPolicy(anyAdminPolicy.getName());
representation.addPolicy(onlyFromSpecificAddressPolicy.getName());
Policy policy = policyStore.create(representation, resourceServer);
return policy;
});
@ -259,19 +264,22 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
return onAuthorizationSession(authorizationProvider -> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
Policy policy = policyStore.create("Only From a Specific Client Address", "js", resourceServer);
PolicyRepresentation representation = new PolicyRepresentation();
representation.setName("Only From a Specific Client Address");
representation.setType("js");
HashedMap config = new HashedMap();
config.put("code",
"var contextAttributes = $evaluation.getContext().getAttributes();" +
"var networkAddress = contextAttributes.getValue('kc.client.network.ip_address');" +
"if ('127.0.0.1'.equals(networkAddress.asInetAddress(0).getHostAddress())) {" +
"$evaluation.grant();" +
"}");
"var networkAddress = contextAttributes.getValue('kc.client.network.ip_address');" +
"if ('127.0.0.1'.equals(networkAddress.asInetAddress(0).getHostAddress())) {" +
"$evaluation.grant();" +
"}");
policy.setConfig(config);
representation.setConfig(config);
return policy;
return policyStore.create(representation, resourceServer);
});
}
@ -279,7 +287,11 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
return onAuthorizationSession(authorizationProvider -> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
Policy policy = policyStore.create("Any Admin Policy", "role", resourceServer);
PolicyRepresentation representation = new PolicyRepresentation();
representation.setName("Any Admin Policy");
representation.setType("role");
HashedMap config = new HashedMap();
RealmModel realm = authorizationProvider.getKeycloakSession().realms().getRealmByName(TEST_REALM_NAME);
RoleModel adminRole = realm.getRole("admin");
@ -294,9 +306,9 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
throw new RuntimeException(e);
}
policy.setConfig(config);
representation.setConfig(config);
return policy;
return policyStore.create(representation, resourceServer);
});
}
@ -358,7 +370,11 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
return onAuthorizationSession(authorizationProvider -> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
Policy policy = policyStore.create("Any User Policy", "role", resourceServer);
PolicyRepresentation representation = new PolicyRepresentation();
representation.setName("Any User Policy");
representation.setType("role");
HashedMap config = new HashedMap();
RealmModel realm = authorizationProvider.getKeycloakSession().realms().getRealmByName(TEST_REALM_NAME);
RoleModel userRole = realm.getRole("user");
@ -373,7 +389,9 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
throw new RuntimeException(e);
}
policy.setConfig(config);
representation.setConfig(config);
Policy policy = policyStore.create(representation, resourceServer);
return policy;
});

12
testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/ResourcePermissionManagementTest.java
View file

@ -46,12 +46,9 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
@ -392,7 +389,10 @@ public class ResourcePermissionManagementTest extends AbstractPhotozAdminTest {
return onAuthorizationSession(authorizationProvider -> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
Policy policy = policyStore.create("Client-Based Policy", "client", resourceServer);
PolicyRepresentation representation = new PolicyRepresentation();
representation.setName("Client-Based Policy");
representation.setType("client");
List<String> clientIds = new ArrayList<>();
for (ClientModel client : allowedClients) {
@ -408,9 +408,9 @@ public class ResourcePermissionManagementTest extends AbstractPhotozAdminTest {
throw new RuntimeException(e);
}
policy.setConfig(config);
representation.setConfig(config);
return policy;
return policyStore.create(representation, resourceServer);
});
}

86
themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
View file

@ -1078,11 +1078,11 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
$scope.selectResource = function() {
$scope.selectedScopes = null;
if ($scope.policy.resources) {
if ($scope.selectedResource) {
ResourceServerResource.scopes({
realm: $route.current.params.realm,
client: client.id,
rsrid: $scope.policy.resources._id
rsrid: $scope.selectedResource._id
}, function (data) {
$scope.resourceScopes = data;
});
@ -1091,7 +1091,6 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
},
onInitUpdate : function(policy) {
$scope.selectedScopes = [];
ResourceServerPolicy.resources({
realm : $route.current.params.realm,
client : client.id,
@ -1111,29 +1110,48 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
deep: false
}, function (resource) {
resource[0].text = resource[0].name;
$scope.policy.resources = resource[0];
$scope.selectedResource = resource[0];
var copy = angular.copy($scope.selectedResource);
$scope.$watch('selectedResource', function() {
if (!angular.equals($scope.selectedResource, copy)) {
$scope.changed = true;
}
}, true);
ResourceServerResource.scopes({
realm: $route.current.params.realm,
client: client.id,
rsrid: resource[0]._id
}, function (scopes) {
$scope.resourceScopes = scopes;
});
ResourceServerPolicy.scopes({
realm: $route.current.params.realm,
client: client.id,
id: policy.id
}, function (scopes) {
$scope.selectedScopes = [];
for (i = 0; i < scopes.length; i++) {
$scope.selectedScopes.push(scopes[i].id);
}
ResourceServerPolicy.scopes({
realm : $route.current.params.realm,
client : client.id,
id : policy.id
}, function(scopes) {
$scope.selectedScopes = [];
for (i = 0; i < scopes.length; i++) {
scopes[i].text = scopes[i].name;
$scope.selectedScopes.push(scopes[i].id);
}
var copy = angular.copy($scope.selectedScopes);
$scope.$watch('selectedScopes', function() {
if (!angular.equals($scope.selectedScopes, copy)) {
$scope.changed = true;
}
}, true);
});
});
});
});
}
} else {
$scope.policy.resources = null;
$scope.selectedResource = null;
var copy = angular.copy($scope.selectedResource);
$scope.$watch('selectedResource', function() {
if (!angular.equals($scope.selectedResource, copy)) {
$scope.changed = true;
}
}, true);
ResourceServerPolicy.scopes({
realm : $route.current.params.realm,
client : client.id,
@ -1144,26 +1162,38 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
scopes[i].text = scopes[i].name;
$scope.selectedScopes.push(scopes[i]);
}
var copy = angular.copy($scope.selectedScopes);
$scope.$watch('selectedScopes', function() {
if (!angular.equals($scope.selectedScopes, copy)) {
$scope.changed = true;
}
}, true);
});
}
});
policy.policies = [];
ResourceServerPolicy.associatedPolicies({
realm : $route.current.params.realm,
client : client.id,
id : policy.id
}, function(policies) {
$scope.selectedPolicies = [];
for (i = 0; i < policies.length; i++) {
policies[i].text = policies[i].name;
$scope.policy.policies.push(policies[i]);
$scope.selectedPolicies.push(policies[i]);
}
var copy = angular.copy($scope.selectedPolicies);
$scope.$watch('selectedPolicies', function() {
if (!angular.equals($scope.selectedPolicies, copy)) {
$scope.changed = true;
}
}, true);
});
},
onUpdate : function() {
if ($scope.policy.resources != null) {
$scope.policy.resources = [$scope.policy.resources._id];
if ($scope.selectedResource != null) {
$scope.policy.resources = [$scope.selectedResource._id];
} else {
delete $scope.policy.resources;
}
@ -1182,16 +1212,16 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
var policies = [];
for (i = 0; i < $scope.policy.policies.length; i++) {
policies.push($scope.policy.policies[i].id);
for (i = 0; i < $scope.selectedPolicies.length; i++) {
policies.push($scope.selectedPolicies[i].id);
}
$scope.policy.policies = policies;
delete $scope.policy.config;
},
onInitCreate : function(newPolicy) {
newPolicy.decisionStrategy = 'UNANIMOUS';
newPolicy.resources = null;
var scopeId = $location.search()['scpid'];
@ -1203,16 +1233,16 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
}, function (data) {
data.text = data.name;
if (!$scope.policy.scopes) {
$scope.policy.scopes = [];
$scope.selectedScopes = [];
}
$scope.policy.scopes.push(data);
$scope.selectedScopes.push(data);
});
}
},
onCreate : function() {
if ($scope.policy.resources != null) {
$scope.policy.resources = [$scope.policy.resources._id];
if ($scope.selectedResource != null) {
$scope.policy.resources = [$scope.selectedResource._id];
}
var scopes = [];
@ -1229,8 +1259,8 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
var policies = [];
for (i = 0; i < $scope.policy.policies.length; i++) {
policies.push($scope.policy.policies[i].id);
for (i = 0; i < $scope.selectedPolicies.length; i++) {
policies.push($scope.selectedPolicies[i].id);
}
$scope.policy.policies = policies;

12
themes/src/main/resources/theme/base/admin/resources/partials/authz/permission/provider/resource-server-policy-scope-detail.html
View file

@ -32,28 +32,28 @@
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-resource' | translate}}</label>
<div class="col-md-6">
<input type="hidden" ui-select2="resourcesUiSelect" data-ng-change="selectResource()" id="reqActions" data-ng-model="policy.resources" data-placeholder="{{:: 'authz-any-resource' | translate}}..." />
<input type="hidden" ui-select2="resourcesUiSelect" data-ng-change="selectResource()" id="reqActions" data-ng-model="selectedResource" data-placeholder="{{:: 'authz-any-resource' | translate}}..." />
</div>
<kc-tooltip>{{:: 'authz-permission-scope-resource.tooltip' | translate}}</kc-tooltip>
</div>
<div class="form-group clearfix" data-ng-show="policy.resources">
<div class="form-group clearfix" data-ng-show="selectedResource">
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-scopes' | translate}} <span class="required">*</span></label>
<div class="col-md-6">
<select ui-select2 id="reqActions2"
data-ng-model="selectedScopes"
data-placeholder="{{:: 'authz-any-scope' | translate}}..." multiple
data-ng-required="policy.resources != null">
data-ng-required="selectedResource != null">
<option ng-repeat="scope in resourceScopes" value="{{scope.id}}">{{scope.name}}</option>
</select>
</div>
<kc-tooltip>{{:: 'authz-permission-scope-scope.tooltip' | translate}}</kc-tooltip>
</div>
<div class="form-group clearfix" data-ng-show="!policy.resources">
<div class="form-group clearfix" data-ng-show="!selectedResource">
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-scopes' | translate}} <span class="required">*</span></label>
<div class="col-md-6">
<input type="hidden" ui-select2="scopesUiSelect" id="reqActions" data-ng-model="selectedScopes" data-placeholder="{{:: 'authz-any-scope' | translate}}..." multiple data-ng-required="policy.resources == null" />
<input type="hidden" ui-select2="scopesUiSelect" id="reqActions" data-ng-model="selectedScopes" data-placeholder="{{:: 'authz-any-scope' | translate}}..." multiple data-ng-required="selectedResource == null" />
</div>
<kc-tooltip>{{:: 'authz-permission-scope-scope.tooltip' | translate}}</kc-tooltip>
</div>
@ -61,7 +61,7 @@
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-policy-apply-policy' | translate}} <span class="required">*</span></label>
<div class="col-md-6">
<input type="hidden" ui-select2="policiesUiSelect" id="reqActions" data-ng-model="policy.policies" data-placeholder="{{:: 'authz-select-a-policy' | translate}}..." multiple required />
<input type="hidden" ui-select2="policiesUiSelect" id="reqActions" data-ng-model="selectedPolicies" data-placeholder="{{:: 'authz-select-a-policy' | translate}}..." multiple required />
</div>
<kc-tooltip>{{:: 'authz-policy-apply-policy.tooltip' | translate}}</kc-tooltip>