libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

[KEYCLOAK-3135] - Part 1: Permission Management API

Browse source
This commit is contained in:
Pedro Igor 2017-04-07 13:36:09 -03:00
parent 00b832b1cd
commit 55f747ecd0
32 changed files with 1231 additions and 364 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyAdminResource.java
View file

@ -19,8 +19,8 @@
package org.keycloak.authorization.policy.provider.aggregated; package org.keycloak.authorization.policy.provider.aggregated;
import org.keycloak.authorization.model.Policy; import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService; import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
@ -30,19 +30,13 @@ import java.util.List;
*/ */
public class AggregatePolicyAdminResource implements PolicyProviderAdminService { public class AggregatePolicyAdminResource implements PolicyProviderAdminService {
private final ResourceServer resourceServer;
public AggregatePolicyAdminResource(ResourceServer resourceServer) {
this.resourceServer = resourceServer;
}
@Override @Override
public void onCreate(Policy policy) { public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
verifyCircularReference(policy, new ArrayList<>()); verifyCircularReference(policy, new ArrayList<>());
} }
@Override @Override
public void onUpdate(Policy policy) { public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
verifyCircularReference(policy, new ArrayList<>()); verifyCircularReference(policy, new ArrayList<>());
} }

4
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyProviderFactory.java
View file

@ -49,8 +49,8 @@ public class AggregatePolicyProviderFactory implements PolicyProviderFactory {
} }
@Override @Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) { public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return new AggregatePolicyAdminResource(resourceServer); return new AggregatePolicyAdminResource();
} }
@Override @Override

2
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java
View file

@ -40,7 +40,7 @@ public class ClientPolicyProviderFactory implements PolicyProviderFactory {
} }
@Override @Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) { public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null; return null;
} }

2
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/js/JSPolicyProviderFactory.java
View file

@ -42,7 +42,7 @@ public class JSPolicyProviderFactory implements PolicyProviderFactory {
} }
@Override @Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) { public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null; return null;
} }

51
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java
View file

@ -1,13 +1,17 @@
package org.keycloak.authorization.policy.provider.resource; package org.keycloak.authorization.policy.provider.resource;
import java.util.Map;
import org.keycloak.Config; import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider; import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService; import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory; import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
/** /**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a> * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@ -32,8 +36,51 @@ public class ResourcePolicyProviderFactory implements PolicyProviderFactory {
} }
@Override @Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) { public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null; return new PolicyProviderAdminService<ResourcePermissionRepresentation>() {
@Override
public void onCreate(Policy policy, ResourcePermissionRepresentation representation) {
updateResourceType(policy, representation);
}
@Override
public void onUpdate(Policy policy, ResourcePermissionRepresentation representation) {
updateResourceType(policy, representation);
}
private void updateResourceType(Policy policy, ResourcePermissionRepresentation representation) {
//TODO: remove this check once we migrate to new API
if (representation != null) {
Map<String, String> config = policy.getConfig();
config.compute("defaultResourceType", (key, value) -> {
String resourceType = representation.getResourceType();
return resourceType != null ? representation.getResourceType() : null;
});
policy.setConfig(config);
}
}
@Override
public void onRemove(Policy policy) {
}
@Override
public Class<ResourcePermissionRepresentation> getRepresentationType() {
return ResourcePermissionRepresentation.class;
}
@Override
public ResourcePermissionRepresentation toRepresentation(Policy policy) {
ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
representation.setResourceType(policy.getConfig().get("defaultResourceType"));
return representation;
}
};
} }
@Override @Override

3
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
View file

@ -42,7 +42,6 @@ import java.util.ArrayList;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.function.Consumer;
/** /**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a> * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@ -67,7 +66,7 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory {
} }
@Override @Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) { public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null; return null;
} }

31
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/scope/ScopePolicyProviderFactory.java
View file

@ -2,12 +2,14 @@ package org.keycloak.authorization.policy.provider.scope;
import org.keycloak.Config; import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider; import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService; import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory; import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
/** /**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a> * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@ -32,8 +34,33 @@ public class ScopePolicyProviderFactory implements PolicyProviderFactory {
} }
@Override @Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) { public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null; return new PolicyProviderAdminService<ScopePermissionRepresentation>() {
@Override
public void onCreate(Policy policy, ScopePermissionRepresentation representation) {
}
@Override
public void onUpdate(Policy policy, ScopePermissionRepresentation representation) {
}
@Override
public void onRemove(Policy policy) {
}
@Override
public Class<ScopePermissionRepresentation> getRepresentationType() {
return ScopePermissionRepresentation.class;
}
@Override
public ScopePermissionRepresentation toRepresentation(Policy policy) {
return new ScopePermissionRepresentation();
}
};
} }
@Override @Override

5
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyAdminResource.java
View file

@ -20,6 +20,7 @@ package org.keycloak.authorization.policy.provider.time;
import org.keycloak.authorization.model.Policy; import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService; import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
@ -29,7 +30,7 @@ import java.text.SimpleDateFormat;
public class TimePolicyAdminResource implements PolicyProviderAdminService { public class TimePolicyAdminResource implements PolicyProviderAdminService {
@Override @Override
public void onCreate(Policy policy) { public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
validateConfig(policy); validateConfig(policy);
} }
@ -44,7 +45,7 @@ public class TimePolicyAdminResource implements PolicyProviderAdminService {
} }
@Override @Override
public void onUpdate(Policy policy) { public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
validateConfig(policy); validateConfig(policy);
} }

2
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java
View file

@ -32,7 +32,7 @@ public class TimePolicyProviderFactory implements PolicyProviderFactory {
} }
@Override @Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) { public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return new TimePolicyAdminResource(); return new TimePolicyAdminResource();
} }

2
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java
View file

@ -62,7 +62,7 @@ public class UserPolicyProviderFactory implements PolicyProviderFactory {
} }
@Override @Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) { public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null; return null;
} }

10
authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyAdminResource.java
View file

@ -17,8 +17,8 @@
package org.keycloak.authorization.policy.provider.drools; package org.keycloak.authorization.policy.provider.drools;
import org.keycloak.authorization.model.Policy; import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService; import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation; import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.kie.api.runtime.KieContainer; import org.kie.api.runtime.KieContainer;
@ -33,21 +33,19 @@ import javax.ws.rs.core.Response;
*/ */
public class DroolsPolicyAdminResource implements PolicyProviderAdminService { public class DroolsPolicyAdminResource implements PolicyProviderAdminService {
private final ResourceServer resourceServer;
private final DroolsPolicyProviderFactory factory; private final DroolsPolicyProviderFactory factory;
public DroolsPolicyAdminResource(ResourceServer resourceServer, DroolsPolicyProviderFactory factory) { public DroolsPolicyAdminResource(DroolsPolicyProviderFactory factory) {
this.resourceServer = resourceServer;
this.factory = factory; this.factory = factory;
} }
@Override @Override
public void onCreate(Policy policy) { public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
this.factory.update(policy); this.factory.update(policy);
} }
@Override @Override
public void onUpdate(Policy policy) { public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
this.factory.update(policy); this.factory.update(policy);
} }

4
authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyProviderFactory.java
View file

@ -49,8 +49,8 @@ public class DroolsPolicyProviderFactory implements PolicyProviderFactory {
} }
@Override @Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) { public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return new DroolsPolicyAdminResource(resourceServer, this); return new DroolsPolicyAdminResource(this);
} }
@Override @Override

132
core/src/main/java/org/keycloak/representations/idm/authorization/AbstractPolicyRepresentation.java Normal file
View file

@ -0,0 +1,132 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.representations.idm.authorization;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class AbstractPolicyRepresentation {
private String id;
private String name;
private String description;
private String type;
private Set<String> policies;
private Set<String> resources;
private Set<String> scopes;
private Logic logic = Logic.POSITIVE;
private DecisionStrategy decisionStrategy = DecisionStrategy.UNANIMOUS;
public String getId() {
return this.id;
}
public void setId(String id) {
this.id = id;
}
public String getType() {
return this.type;
}
public void setType(String type) {
this.type = type;
}
public DecisionStrategy getDecisionStrategy() {
return this.decisionStrategy;
}
public void setDecisionStrategy(DecisionStrategy decisionStrategy) {
this.decisionStrategy = decisionStrategy;
}
public Logic getLogic() {
return logic;
}
public void setLogic(Logic logic) {
this.logic = logic;
}
public String getName() {
return name;
}
public void setName(String name) {
this.name = name;
}
public String getDescription() {
return this.description;
}
public void setDescription(String description) {
this.description = description;
}
public Set<String> getPolicies() {
return policies;
}
public void addPolicies(String... id) {
if (this.policies == null) {
this.policies = new HashSet<>();
}
this.policies.addAll(Arrays.asList(id));
}
public Set<String> getResources() {
return resources;
}
public void addResource(String id) {
if (this.resources == null) {
this.resources = new HashSet<>();
}
this.resources.add(id);
}
public Set<String> getScopes() {
return scopes;
}
public void addScopes(String... id) {
if (this.scopes == null) {
this.scopes = new HashSet<>();
}
this.scopes.addAll(Arrays.asList(id));
}
@Override
public boolean equals(final Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
final AbstractPolicyRepresentation policy = (AbstractPolicyRepresentation) o;
return Objects.equals(getId(), policy.getId());
}
@Override
public int hashCode() {
return Objects.hash(getId());
}
}

33
core/src/main/java/org/keycloak/representations/idm/authorization/ResourcePermissionRepresentation.java Normal file
View file

@ -0,0 +1,33 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.representations.idm.authorization;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class ResourcePermissionRepresentation extends AbstractPolicyRepresentation {
private String resourceType;
public void setResourceType(String resourceType) {
this.resourceType = resourceType;
}
public String getResourceType() {
return resourceType;
}
}

23
core/src/main/java/org/keycloak/representations/idm/authorization/ScopePermissionRepresentation.java Normal file
View file

@ -0,0 +1,23 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.representations.idm.authorization;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class ScopePermissionRepresentation extends AbstractPolicyRepresentation {
}

3
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java
View file

@ -285,6 +285,7 @@ public class CachedPolicyStore implements PolicyStore {
public void removeScope(Scope scope) { public void removeScope(Scope scope) {
getDelegateForUpdate().removeScope(getStoreFactory().getScopeStore().findById(scope.getId(), cached.getResourceServerId())); getDelegateForUpdate().removeScope(getStoreFactory().getScopeStore().findById(scope.getId(), cached.getResourceServerId()));
cached.removeScope(scope); cached.removeScope(scope);
scopes.remove(scope);
} }
@Override @Override
@ -297,6 +298,7 @@ public class CachedPolicyStore implements PolicyStore {
public void removeAssociatedPolicy(Policy associatedPolicy) { public void removeAssociatedPolicy(Policy associatedPolicy) {
getDelegateForUpdate().removeAssociatedPolicy(getStoreFactory().getPolicyStore().findById(associatedPolicy.getId(), cached.getResourceServerId())); getDelegateForUpdate().removeAssociatedPolicy(getStoreFactory().getPolicyStore().findById(associatedPolicy.getId(), cached.getResourceServerId()));
cached.removeAssociatedPolicy(associatedPolicy); cached.removeAssociatedPolicy(associatedPolicy);
associatedPolicies.remove(associatedPolicy);
} }
@Override @Override
@ -309,6 +311,7 @@ public class CachedPolicyStore implements PolicyStore {
public void removeResource(Resource resource) { public void removeResource(Resource resource) {
getDelegateForUpdate().removeResource(getStoreFactory().getResourceStore().findById(resource.getId(), cached.getResourceServerId())); getDelegateForUpdate().removeResource(getStoreFactory().getResourceStore().findById(resource.getId(), cached.getResourceServerId()));
cached.removeResource(resource); cached.removeResource(resource);
resources.remove(resource);
} }
@Override @Override

2
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedPolicy.java
View file

@ -160,7 +160,7 @@ public class CachedPolicy implements Policy, Serializable {
@Override @Override
public void removeResource(Resource resource) { public void removeResource(Resource resource) {
this.resourcesIds.add(resource.getId()); this.resourcesIds.remove(resource.getId());
} }
@Override @Override

15
server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java
View file

@ -19,15 +19,24 @@
package org.keycloak.authorization.policy.provider; package org.keycloak.authorization.policy.provider;
import org.keycloak.authorization.model.Policy; import org.keycloak.authorization.model.Policy;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
/** /**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a> * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/ */
public interface PolicyProviderAdminService { public interface PolicyProviderAdminService<R extends AbstractPolicyRepresentation> {
void onCreate(Policy policy); void onCreate(Policy policy, R representation);
void onUpdate(Policy policy); void onUpdate(Policy policy, R representation);
void onRemove(Policy policy); void onRemove(Policy policy);
default AbstractPolicyRepresentation toRepresentation(Policy policy) {
return null;
}
default Class<R> getRepresentationType() {
return null;
}
} }

3
server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java
View file

@ -19,7 +19,6 @@
package org.keycloak.authorization.policy.provider; package org.keycloak.authorization.policy.provider;
import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.provider.ProviderFactory; import org.keycloak.provider.ProviderFactory;
@ -34,5 +33,5 @@ public interface PolicyProviderFactory extends ProviderFactory<PolicyProvider> {
PolicyProvider create(AuthorizationProvider authorization); PolicyProvider create(AuthorizationProvider authorization);
PolicyProviderAdminService getAdminResource(ResourceServer resourceServer); PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization);
} }

164
server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
View file

@ -25,6 +25,7 @@ import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope; import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.policy.provider.PolicyProvider; import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.store.PolicyStore; import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore; import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore; import org.keycloak.authorization.store.ResourceStore;
@ -92,6 +93,7 @@ import org.keycloak.representations.idm.UserConsentRepresentation;
import org.keycloak.representations.idm.UserFederationMapperRepresentation; import org.keycloak.representations.idm.UserFederationMapperRepresentation;
import org.keycloak.representations.idm.UserFederationProviderRepresentation; import org.keycloak.representations.idm.UserFederationProviderRepresentation;
import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyEnforcementMode; import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;
import org.keycloak.representations.idm.authorization.PolicyRepresentation; import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation; import org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation;
@ -2101,6 +2103,168 @@ public class RepresentationToModel {
return null; return null;
} }
public static Policy toModel(AbstractPolicyRepresentation representation, ResourceServer resourceServer, AuthorizationProvider authorization) {
String type = representation.getType();
PolicyProvider provider = authorization.getProvider(type);
if (provider == null) {
//TODO: temporary, remove this check on future versions as drools type is now deprecated
if ("drools".equalsIgnoreCase(type)) {
type = "rules";
}
if (authorization.getProvider(type) == null) {
throw new RuntimeException("Unknown polucy type [" + type + "]. Could not find a provider for this type.");
}
}
PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
Policy existing;
if (representation.getId() != null) {
existing = policyStore.findById(representation.getId(), resourceServer.getId());
} else {
existing = policyStore.findByName(representation.getName(), resourceServer.getId());
}
if (existing != null) {
existing.setName(representation.getName());
existing.setDescription(representation.getDescription());
existing.setDecisionStrategy(representation.getDecisionStrategy());
existing.setLogic(representation.getLogic());
updatePolicy(existing, representation, authorization);
return existing;
}
Policy model = policyStore.create(representation.getName(), type, resourceServer);
model.setDescription(representation.getDescription());
model.setDecisionStrategy(representation.getDecisionStrategy());
model.setLogic(representation.getLogic());
updatePolicy(model, representation, authorization);
representation.setId(model.getId());
return model;
}
private static void updatePolicy(Policy policy, AbstractPolicyRepresentation representation, AuthorizationProvider authorization) {
ResourceServer resourceServer = policy.getResourceServer();
StoreFactory storeFactory = authorization.getStoreFactory();
Set<String> newResources = representation.getResources();
if (newResources != null && !newResources.isEmpty()) {
Set<Resource> associatedResources = policy.getResources();
String newResourceId = newResources.iterator().next();
if (newResourceId != null) {
Resource newResource = storeFactory.getResourceStore().findById(newResourceId, resourceServer.getId());
if (newResource == null) {
throw new RuntimeException("Resource with id [" + newResourceId + "] does not exist");
}
if (!associatedResources.isEmpty()) {
Resource associatedResource = associatedResources.iterator().next();
if (!associatedResource.getId().equals(newResource.getId())) {
policy.removeResource(associatedResource);
}
}
policy.addResource(newResource);
} else {
for (Resource resource : new ArrayList<>(associatedResources)) {
policy.removeResource(resource);
}
}
} else {
for (Resource associatedResource : new HashSet<Resource>(policy.getResources())) {
policy.removeResource(associatedResource);
}
}
PolicyStore policyStore = storeFactory.getPolicyStore();
Set<String> policies = representation.getPolicies();
for (String policyId : policies) {
boolean hasPolicy = false;
for (Policy policyModel : new HashSet<Policy>(policy.getAssociatedPolicies())) {
if (policyModel.getId().equals(policyId) || policyModel.getName().equals(policyId)) {
hasPolicy = true;
}
}
if (!hasPolicy) {
Policy associatedPolicy = policyStore.findById(policyId, resourceServer.getId());
if (associatedPolicy == null) {
associatedPolicy = policyStore.findByName(policyId, resourceServer.getId());
}
policy.addAssociatedPolicy(associatedPolicy);
}
}
for (Policy policyModel : new HashSet<Policy>(policy.getAssociatedPolicies())) {
boolean hasPolicy = false;
for (String policyId : policies) {
if (policyModel.getId().equals(policyId) || policyModel.getName().equals(policyId)) {
hasPolicy = true;
}
}
if (!hasPolicy) {
policy.removeAssociatedPolicy(policyModel);
;
}
}
Set<String> newScopes = representation.getScopes();
if (newScopes != null && !newScopes.isEmpty()) {
for (String scopeId : newScopes) {
boolean hasScope = false;
for (Scope scopeModel : new HashSet<Scope>(policy.getScopes())) {
if (scopeModel.getId().equals(scopeId)) {
hasScope = true;
}
}
if (!hasScope) {
Scope scope = storeFactory.getScopeStore().findById(scopeId, resourceServer.getId());
if (scope == null) {
storeFactory.getScopeStore().findByName(scopeId, resourceServer.getId());
}
policy.addScope(scope);
}
}
for (Scope scopeModel : new HashSet<Scope>(policy.getScopes())) {
boolean hasScope = false;
for (String scopeId : newScopes) {
if (scopeModel.getId().equals(scopeId)) {
hasScope = true;
}
}
if (!hasScope) {
policy.removeScope(scopeModel);
}
}
} else {
for (Scope associatedScope : new HashSet<Scope>(policy.getScopes())) {
policy.removeScope(associatedScope);
}
}
}
public static Policy toModel(PolicyRepresentation policy, ResourceServer resourceServer, AuthorizationProvider authorization) { public static Policy toModel(PolicyRepresentation policy, ResourceServer resourceServer, AuthorizationProvider authorization) {
String type = policy.getType(); String type = policy.getType();
PolicyProvider provider = authorization.getProvider(type); PolicyProvider provider = authorization.getProvider(type);

91
services/src/main/java/org/keycloak/authorization/admin/PermissionResourceService.java Normal file
View file

@ -0,0 +1,91 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authorization.admin;
import static org.keycloak.models.utils.RepresentationToModel.toModel;
import java.io.IOException;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.services.resources.admin.RealmAuth;
import org.keycloak.util.JsonSerialization;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class PermissionResourceService extends PolicyResourceService {
public PermissionResourceService(Policy policy, ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
super(policy, resourceServer, authorization, auth);
}
@Override
protected void doUpdate(Policy policy, String payload) {
String type = policy.getType();
PolicyProviderAdminService provider = getPolicyProviderAdminResource(type);
AbstractPolicyRepresentation representation = toRepresentation(type, payload, provider);
policy = toModel(representation, policy.getResourceServer(), authorization);
try {
provider.onUpdate(policy, representation);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
private AbstractPolicyRepresentation toRepresentation(String type, String payload, PolicyProviderAdminService provider) {
Class<? extends AbstractPolicyRepresentation> representationType = provider.getRepresentationType();
if (representationType == null) {
throw new RuntimeException("Policy provider for type [" + type + "] returned a null representation type.");
}
AbstractPolicyRepresentation representation;
try {
representation = JsonSerialization.readValue(payload, representationType);
} catch (IOException e) {
throw new RuntimeException("Failed to deserialize JSON using policy provider for type [" + type + "].", e);
}
return representation;
}
@Override
protected Object toRepresentation(Policy policy) {
PolicyProviderAdminService provider = getPolicyProviderAdminResource(policy.getType());
return toRepresentation(policy, provider.toRepresentation(policy));
}
private AbstractPolicyRepresentation toRepresentation(Policy policy, AbstractPolicyRepresentation representation) {
representation.setId(policy.getId());
representation.setName(policy.getName());
representation.setDescription(policy.getDescription());
representation.setType(policy.getType());
representation.setDecisionStrategy(policy.getDecisionStrategy());
representation.setLogic(policy.getLogic());
representation.addResource(policy.getResources().stream().map(resource -> resource.getId()).findFirst().orElse(null));
representation.addPolicies(policy.getAssociatedPolicies().stream().map(associated -> associated.getId()).toArray(value -> new String[value]));
representation.addScopes(policy.getScopes().stream().map(associated -> associated.getId()).toArray(value -> new String[value]));
return representation;
}
}

50
services/src/main/java/org/keycloak/authorization/admin/PermissionService.java Normal file
View file

@ -0,0 +1,50 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authorization.admin;
import java.util.List;
import java.util.Map;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.services.resources.admin.RealmAuth;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class PermissionService extends PolicyService {
public PermissionService(ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
super(resourceServer, authorization, auth);
}
@Override
protected Object doCreatePolicyTypeResource(String type) {
return new PermissionTypeService(type, resourceServer, authorization, auth);
}
@Override
protected PolicyResourceService doCreatePolicyResource(Policy policy) {
return new PermissionResourceService(policy, resourceServer, authorization, auth);
}
@Override
protected List<Object> doSearch(Integer firstResult, Integer maxResult, Map<String, String[]> filters) {
filters.put("permission", new String[] {Boolean.TRUE.toString()});
return super.doSearch(firstResult, maxResult, filters);
}
}

94
services/src/main/java/org/keycloak/authorization/admin/PermissionTypeService.java Normal file
View file

@ -0,0 +1,94 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authorization.admin;
import static org.keycloak.models.utils.RepresentationToModel.toModel;
import java.io.IOException;
import javax.ws.rs.Path;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.services.resources.admin.RealmAuth;
import org.keycloak.util.JsonSerialization;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class PermissionTypeService extends PolicyService {
private final String type;
PermissionTypeService(String type, ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
super(resourceServer, authorization, auth);
this.type = type;
}
@Path("/provider")
public Object getPolicyAdminResourceProvider() {
PolicyProviderAdminService resource = getPolicyProviderAdminResource(type);
ResteasyProviderFactory.getInstance().injectProperties(resource);
return resource;
}
@Override
protected Object doCreatePolicyResource(Policy policy) {
return new PermissionResourceService(policy, resourceServer,authorization, auth);
}
@Override
protected Object doCreate(String payload) {
PolicyProviderAdminService provider = getPolicyProviderAdminResource(type);
AbstractPolicyRepresentation representation = toRepresentation(type, payload, provider);
Policy policy = toModel(representation, this.resourceServer, authorization);
if (provider != null) {
try {
provider.onCreate(policy, representation);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
return representation;
}
private AbstractPolicyRepresentation toRepresentation(String type, String payload, PolicyProviderAdminService provider) {
Class<? extends AbstractPolicyRepresentation> representationType = provider.getRepresentationType();
if (representationType == null) {
throw new RuntimeException("Policy provider for type [" + type + "] returned a null representation type.");
}
AbstractPolicyRepresentation representation;
try {
representation = JsonSerialization.readValue(payload, representationType);
} catch (IOException e) {
throw new RuntimeException("Failed to deserialize JSON using policy provider for type [" + type + "].", e);
}
return representation;
}
}

221
services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java Normal file
View file

@ -0,0 +1,221 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authorization.admin;
import static org.keycloak.models.utils.RepresentationToModel.toModel;
import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.services.resources.admin.RealmAuth;
import org.keycloak.util.JsonSerialization;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class PolicyResourceService {
private final Policy policy;
protected final ResourceServer resourceServer;
protected final AuthorizationProvider authorization;
protected final RealmAuth auth;
public PolicyResourceService(Policy policy, ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
this.policy = policy;
this.resourceServer = resourceServer;
this.authorization = authorization;
this.auth = auth;
}
@PUT
@Consumes("application/json")
@Produces("application/json")
@NoCache
public Response update(String payload) {
this.auth.requireManage();
doUpdate(policy, payload);
return Response.status(Status.CREATED).build();
}
protected void doUpdate(Policy policy, String payload) {
PolicyRepresentation representation;
try {
representation = JsonSerialization.readValue(payload, PolicyRepresentation.class);
} catch (IOException cause) {
throw new RuntimeException("Failed to deserialize representation", cause);
}
representation.setId(policy.getId());
policy = toModel(representation, resourceServer, authorization);
PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType());
if (resource != null) {
try {
resource.onUpdate(policy, null);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
}
@DELETE
public Response delete() {
this.auth.requireManage();
StoreFactory storeFactory = authorization.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType());
if (resource != null) {
try {
resource.onRemove(policy);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
policyStore.findDependentPolicies(policy.getId(), resourceServer.getId()).forEach(dependentPolicy -> {
if (dependentPolicy.getAssociatedPolicies().size() == 1) {
policyStore.delete(dependentPolicy.getId());
} else {
dependentPolicy.removeAssociatedPolicy(policy);
}
});
policyStore.delete(policy.getId());
return Response.noContent().build();
}
@GET
@Produces("application/json")
@NoCache
public Response findById() {
this.auth.requireView();
return Response.ok(toRepresentation(policy)).build();
}
protected Object toRepresentation(Policy model) {
return ModelToRepresentation.toRepresentation(model);
}
@Path("/dependentPolicies")
@GET
@Produces("application/json")
@NoCache
public Response getDependentPolicies() {
this.auth.requireView();
List<Policy> policies = authorization.getStoreFactory().getPolicyStore().findDependentPolicies(policy.getId(), resourceServer.getId());
return Response.ok(policies.stream().map(policy -> {
PolicyRepresentation representation1 = new PolicyRepresentation();
representation1.setId(policy.getId());
representation1.setName(policy.getName());
representation1.setType(policy.getType());
return representation1;
}).collect(Collectors.toList())).build();
}
@Path("/scopes")
@GET
@Produces("application/json")
@NoCache
public Response getScopes() {
this.auth.requireView();
return Response.ok(policy.getScopes().stream().map(scope -> {
ScopeRepresentation representation = new ScopeRepresentation();
representation.setId(scope.getId());
representation.setName(scope.getName());
return representation;
}).collect(Collectors.toList())).build();
}
@Path("/resources")
@GET
@Produces("application/json")
@NoCache
public Response getResources() {
this.auth.requireView();
return Response.ok(policy.getResources().stream().map(resource -> {
ResourceRepresentation representation = new ResourceRepresentation();
representation.setId(resource.getId());
representation.setName(resource.getName());
return representation;
}).collect(Collectors.toList())).build();
}
@Path("/associatedPolicies")
@GET
@Produces("application/json")
@NoCache
public Response getAssociatedPolicies() {
this.auth.requireView();
return Response.ok(policy.getAssociatedPolicies().stream().map(policy -> {
PolicyRepresentation representation1 = new PolicyRepresentation();
representation1.setId(policy.getId());
representation1.setName(policy.getName());
representation1.setType(policy.getType());
return representation1;
}).collect(Collectors.toList())).build();
}
protected PolicyProviderAdminService getPolicyProviderAdminResource(String policyType) {
PolicyProviderFactory providerFactory = authorization.getProviderFactory(policyType);
if (providerFactory != null) {
return providerFactory.getAdminResource(resourceServer, authorization);
}
return null;
}
}

284
services/src/main/java/org/keycloak/authorization/admin/PolicyService.java
View file

@ -17,9 +17,9 @@
*/ */
package org.keycloak.authorization.admin; package org.keycloak.authorization.admin;
import static org.keycloak.models.utils.ModelToRepresentation.toRepresentation;
import static org.keycloak.models.utils.RepresentationToModel.toModel; import static org.keycloak.models.utils.RepresentationToModel.toModel;
import java.io.IOException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
@ -29,14 +29,13 @@ import java.util.Map;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import javax.ws.rs.Consumes; import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET; import javax.ws.rs.GET;
import javax.ws.rs.POST; import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path; import javax.ws.rs.Path;
import javax.ws.rs.PathParam; import javax.ws.rs.PathParam;
import javax.ws.rs.Produces; import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam; import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status; import javax.ws.rs.core.Response.Status;
@ -48,24 +47,22 @@ import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService; import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory; import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore; import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory; import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.Constants; import org.keycloak.models.Constants;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.authorization.PolicyProviderRepresentation; import org.keycloak.representations.idm.authorization.PolicyProviderRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation; import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.services.resources.admin.RealmAuth; import org.keycloak.services.resources.admin.RealmAuth;
import org.keycloak.util.JsonSerialization;
/** /**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a> * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/ */
public class PolicyService { public class PolicyService {
private final ResourceServer resourceServer; protected final ResourceServer resourceServer;
private final AuthorizationProvider authorization; protected final AuthorizationProvider authorization;
private final RealmAuth auth; protected final RealmAuth auth;
public PolicyService(ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) { public PolicyService(ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
this.resourceServer = resourceServer; this.resourceServer = resourceServer;
@ -73,210 +70,80 @@ public class PolicyService {
this.auth = auth; this.auth = auth;
} }
@POST @Path("{type}")
@Consumes("application/json") public Object getResource(@PathParam("type") String type) {
@Produces("application/json")
@NoCache
public Response create(PolicyRepresentation representation) {
this.auth.requireManage(); this.auth.requireManage();
PolicyProviderFactory providerFactory = authorization.getProviderFactory(type);
if (providerFactory != null) {
return doCreatePolicyTypeResource(type);
}
Policy policy = authorization.getStoreFactory().getPolicyStore().findById(type, resourceServer.getId());
if (policy == null) {
return Response.status(Status.NOT_FOUND).build();
}
return doCreatePolicyResource(policy);
}
protected Object doCreatePolicyTypeResource(String type) {
return new PolicyTypeService(type, resourceServer, authorization, auth);
}
protected Object doCreatePolicyResource(Policy policy) {
return new PolicyResourceService(policy, resourceServer, authorization, auth);
}
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@NoCache
@Deprecated
public Response create(String payload) {
this.auth.requireManage();
return Response.status(Status.CREATED).entity(doCreate(payload)).build();
}
protected Object doCreate(String payload) {
PolicyRepresentation representation;
try {
representation = JsonSerialization.readValue(payload, PolicyRepresentation.class);
} catch (IOException cause) {
throw new RuntimeException("Failed to deserialize representation", cause);
}
create(representation);
return representation;
}
public void create(PolicyRepresentation representation) {
Policy policy = toModel(representation, this.resourceServer, authorization); Policy policy = toModel(representation, this.resourceServer, authorization);
PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType(), authorization); PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType());
if (resource != null) { if (resource != null) {
try { try {
resource.onCreate(policy); resource.onCreate(policy, null);
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
} }
representation.setId(policy.getId()); representation.setId(policy.getId());
return Response.status(Status.CREATED).entity(representation).build();
} }
@Path("{id}") protected Object toRepresentation(Policy model) {
@PUT return ModelToRepresentation.toRepresentation(model);
@Consumes("application/json")
@Produces("application/json")
@NoCache
public Response update(@PathParam("id") String id, PolicyRepresentation representation) {
this.auth.requireManage();
representation.setId(id);
StoreFactory storeFactory = authorization.getStoreFactory();
Policy policy = storeFactory.getPolicyStore().findById(representation.getId(), resourceServer.getId());
if (policy == null) {
return Response.status(Status.NOT_FOUND).build();
}
policy = toModel(representation, resourceServer, authorization);
PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType(), authorization);
if (resource != null) {
try {
resource.onUpdate(policy);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
return Response.status(Status.CREATED).build();
}
@Path("{id}")
@DELETE
public Response delete(@PathParam("id") String id) {
this.auth.requireManage();
StoreFactory storeFactory = authorization.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
Policy policy = policyStore.findById(id, resourceServer.getId());
if (policy == null) {
return Response.status(Status.NOT_FOUND).build();
}
PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType(), authorization);
if (resource != null) {
try {
resource.onRemove(policy);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
policyStore.findDependentPolicies(id, resourceServer.getId()).forEach(dependentPolicy -> {
if (dependentPolicy.getAssociatedPolicies().size() == 1) {
policyStore.delete(dependentPolicy.getId());
} else {
dependentPolicy.removeAssociatedPolicy(policy);
}
});
policyStore.delete(policy.getId());
return Response.noContent().build();
}
@Path("{id}")
@GET
@Produces("application/json")
@NoCache
public Response findById(@PathParam("id") String id) {
this.auth.requireView();
StoreFactory storeFactory = authorization.getStoreFactory();
Policy model = storeFactory.getPolicyStore().findById(id, resourceServer.getId());
if (model == null) {
return Response.status(Status.NOT_FOUND).build();
}
return Response.ok(toRepresentation(model)).build();
}
@Path("{id}/dependentPolicies")
@GET
@Produces("application/json")
@NoCache
public Response getDependentPolicies(@PathParam("id") String id) {
this.auth.requireView();
StoreFactory storeFactory = authorization.getStoreFactory();
Policy model = storeFactory.getPolicyStore().findById(id, resourceServer.getId());
if (model == null) {
return Response.status(Status.NOT_FOUND).build();
}
List<Policy> policies = authorization.getStoreFactory().getPolicyStore().findDependentPolicies(model.getId(), resourceServer.getId());
return Response.ok(policies.stream().map(policy -> {
PolicyRepresentation representation1 = new PolicyRepresentation();
representation1.setId(policy.getId());
representation1.setName(policy.getName());
representation1.setType(policy.getType());
return representation1;
}).collect(Collectors.toList())).build();
}
@Path("{id}/scopes")
@GET
@Produces("application/json")
@NoCache
public Response getScopes(@PathParam("id") String id) {
this.auth.requireView();
StoreFactory storeFactory = authorization.getStoreFactory();
Policy model = storeFactory.getPolicyStore().findById(id, resourceServer.getId());
if (model == null) {
return Response.status(Status.NOT_FOUND).build();
}
return Response.ok(model.getScopes().stream().map(scope -> {
ScopeRepresentation representation = new ScopeRepresentation();
representation.setId(scope.getId());
representation.setName(scope.getName());
return representation;
}).collect(Collectors.toList())).build();
}
@Path("{id}/resources")
@GET
@Produces("application/json")
@NoCache
public Response getResources(@PathParam("id") String id) {
this.auth.requireView();
StoreFactory storeFactory = authorization.getStoreFactory();
Policy model = storeFactory.getPolicyStore().findById(id, resourceServer.getId());
if (model == null) {
return Response.status(Status.NOT_FOUND).build();
}
return Response.ok(model.getResources().stream().map(resource -> {
ResourceRepresentation representation = new ResourceRepresentation();
representation.setId(resource.getId());
representation.setName(resource.getName());
return representation;
}).collect(Collectors.toList())).build();
}
@Path("{id}/associatedPolicies")
@GET
@Produces("application/json")
@NoCache
public Response getAssociatedPolicies(@PathParam("id") String id) {
this.auth.requireView();
StoreFactory storeFactory = authorization.getStoreFactory();
Policy model = storeFactory.getPolicyStore().findById(id, resourceServer.getId());
if (model == null) {
return Response.status(Status.NOT_FOUND).build();
}
return Response.ok(model.getAssociatedPolicies().stream().map(policy -> {
PolicyRepresentation representation1 = new PolicyRepresentation();
representation1.setId(policy.getId());
representation1.setName(policy.getName());
representation1.setType(policy.getType());
return representation1;
}).collect(Collectors.toList())).build();
} }
@Path("/search") @Path("/search")
@GET @GET
@Produces("application/json") @Produces(MediaType.APPLICATION_JSON)
@NoCache @NoCache
public Response find(@QueryParam("name") String name) { public Response findByName(@QueryParam("name") String name) {
this.auth.requireView(); this.auth.requireView();
StoreFactory storeFactory = authorization.getStoreFactory(); StoreFactory storeFactory = authorization.getStoreFactory();
@ -294,7 +161,7 @@ public class PolicyService {
} }
@GET @GET
@Produces("application/json") @Produces(MediaType.APPLICATION_JSON)
@NoCache @NoCache
public Response findAll(@QueryParam("policyId") String id, public Response findAll(@QueryParam("policyId") String id,
@QueryParam("name") String name, @QueryParam("name") String name,
@ -363,15 +230,20 @@ public class PolicyService {
} }
return Response.ok( return Response.ok(
policyStore.findByResourceServer(search, resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS).stream() doSearch(firstResult, maxResult, search))
.map(policy -> toRepresentation(policy))
.collect(Collectors.toList()))
.build(); .build();
} }
protected List<Object> doSearch(Integer firstResult, Integer maxResult, Map<String, String[]> filters) {
PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
return policyStore.findByResourceServer(filters, resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS).stream()
.map(policy -> toRepresentation(policy))
.collect(Collectors.toList());
}
@Path("providers") @Path("providers")
@GET @GET
@Produces("application/json") @Produces(MediaType.APPLICATION_JSON)
@NoCache @NoCache
public Response findPolicyProviders() { public Response findPolicyProviders() {
this.auth.requireView(); this.auth.requireView();
@ -400,17 +272,11 @@ public class PolicyService {
return resource; return resource;
} }
@Path("{policyType}") protected PolicyProviderAdminService getPolicyProviderAdminResource(String policyType) {
public Object getPolicyTypeResource(@PathParam("policyType") String policyType) {
this.auth.requireView();
return getPolicyProviderAdminResource(policyType, this.authorization);
}
private PolicyProviderAdminService getPolicyProviderAdminResource(String policyType, AuthorizationProvider authorization) {
PolicyProviderFactory providerFactory = authorization.getProviderFactory(policyType); PolicyProviderFactory providerFactory = authorization.getProviderFactory(policyType);
if (providerFactory != null) { if (providerFactory != null) {
return providerFactory.getAdminResource(this.resourceServer); return providerFactory.getAdminResource(resourceServer, authorization);
} }
return null; return null;

47
services/src/main/java/org/keycloak/authorization/admin/PolicyTypeService.java Normal file
View file

@ -0,0 +1,47 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authorization.admin;
import javax.ws.rs.Path;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.services.resources.admin.RealmAuth;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class PolicyTypeService extends PolicyService {
private final String type;
PolicyTypeService(String type, ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
super(resourceServer, authorization, auth);
this.type = type;
}
@Path("/provider")
public Object getPolicyAdminResourceProvider() {
PolicyProviderAdminService resource = getPolicyProviderAdminResource(type);
ResteasyProviderFactory.getInstance().injectProperties(resource);
return resource;
}
}

41
services/src/main/java/org/keycloak/authorization/admin/ResourceServerService.java
View file

@ -17,6 +17,22 @@
*/ */
package org.keycloak.authorization.admin; package org.keycloak.authorization.admin;
import static org.keycloak.models.utils.ModelToRepresentation.toRepresentation;
import java.io.IOException;
import java.util.HashMap;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.resteasy.spi.ResteasyProviderFactory; import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.model.ResourceServer;
@ -38,21 +54,6 @@ import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation; import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
import org.keycloak.services.resources.admin.RealmAuth; import org.keycloak.services.resources.admin.RealmAuth;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import java.io.IOException;
import java.util.HashMap;
import static org.keycloak.models.utils.ModelToRepresentation.toRepresentation;
/** /**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a> * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/ */
@ -171,6 +172,16 @@ public class ResourceServerService {
return resource; return resource;
} }
@Path("/permission")
public Object getPermissionTypeResource() {
this.auth.requireView();
PermissionService resource = new PermissionService(this.resourceServer, this.authorization, this.auth);
ResteasyProviderFactory.getInstance().injectProperties(resource);
return resource;
}
private void createDefaultPermission(ResourceRepresentation resource, PolicyRepresentation policy) { private void createDefaultPermission(ResourceRepresentation resource, PolicyRepresentation policy) {
PolicyRepresentation defaultPermission = new PolicyRepresentation(); PolicyRepresentation defaultPermission = new PolicyRepresentation();

2
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authorization/TestPolicyProviderFactory.java
View file

@ -47,7 +47,7 @@ public class TestPolicyProviderFactory implements PolicyProviderFactory {
} }
@Override @Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) { public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null; return null;
} }

207
themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
View file

@ -646,7 +646,7 @@ module.controller('ResourceServerPolicyCtrl', function($scope, $http, $route, $l
}; };
}); });
module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPolicy, PolicyProvider, client) { module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPermission, PolicyProvider, client) {
$scope.realm = realm; $scope.realm = realm;
$scope.client = client; $scope.client = client;
$scope.policyProviders = []; $scope.policyProviders = [];
@ -654,7 +654,6 @@ module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route
$scope.query = { $scope.query = {
realm: realm.realm, realm: realm.realm,
client : client.id, client : client.id,
permission: true,
max : 20, max : 20,
first : 0 first : 0
}; };
@ -705,7 +704,7 @@ module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route
$scope.searchQuery = function() { $scope.searchQuery = function() {
$scope.searchLoaded = false; $scope.searchLoaded = false;
ResourceServerPolicy.query($scope.query, function(data) { ResourceServerPermission.query($scope.query, function(data) {
$scope.policies = data; $scope.policies = data;
$scope.searchLoaded = true; $scope.searchLoaded = true;
$scope.lastSearch = $scope.query.search; $scope.lastSearch = $scope.query.search;
@ -723,7 +722,7 @@ module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route
policy.details = {loaded: false}; policy.details = {loaded: false};
ResourceServerPolicy.associatedPolicies({ ResourceServerPermission.associatedPolicies({
realm : $route.current.params.realm, realm : $route.current.params.realm,
client : client.id, client : client.id,
id : policy.id id : policy.id
@ -758,7 +757,7 @@ module.controller('ResourceServerPolicyDroolsDetailCtrl', function($scope, $http
policy = $scope.policy; policy = $scope.policy;
} }
$http.post(authUrl + '/admin/realms/'+ $route.current.params.realm + '/clients/' + client.id + '/authz/resource-server/policy/rules/resolveModules' $http.post(authUrl + '/admin/realms/'+ $route.current.params.realm + '/clients/' + client.id + '/authz/resource-server/policy/rules/provider/resolveModules'
, policy).success(function(data) { , policy).success(function(data) {
$scope.drools.moduleNames = data; $scope.drools.moduleNames = data;
$scope.resolveSessions(); $scope.resolveSessions();
@ -766,7 +765,7 @@ module.controller('ResourceServerPolicyDroolsDetailCtrl', function($scope, $http
} }
$scope.resolveSessions = function() { $scope.resolveSessions = function() {
$http.post(authUrl + '/admin/realms/'+ $route.current.params.realm + '/clients/' + client.id + '/authz/resource-server/policy/rules/resolveSessions' $http.post(authUrl + '/admin/realms/'+ $route.current.params.realm + '/clients/' + client.id + '/authz/resource-server/policy/rules/provider/resolveSessions'
, $scope.policy).success(function(data) { , $scope.policy).success(function(data) {
$scope.drools.moduleSessions = data; $scope.drools.moduleSessions = data;
}); });
@ -789,7 +788,7 @@ module.controller('ResourceServerPolicyDroolsDetailCtrl', function($scope, $http
}, realm, client, $scope); }, realm, client, $scope);
}); });
module.controller('ResourceServerPolicyResourceDetailCtrl', function($scope, $route, $location, realm, client, PolicyController, ResourceServerPolicy, ResourceServerResource) { module.controller('ResourceServerPolicyResourceDetailCtrl', function($scope, $route, $location, realm, client, PolicyController, ResourceServerPermission, ResourceServerResource) {
PolicyController.onInit({ PolicyController.onInit({
getPolicyType : function() { getPolicyType : function() {
return "resource"; return "resource";
@ -848,7 +847,7 @@ module.controller('ResourceServerPolicyResourceDetailCtrl', function($scope, $ro
max : 20, max : 20,
first : 0 first : 0
}; };
ResourceServerPolicy.query($scope.query, function(response) { ResourceServerPermission.searchPolicies($scope.query, function(response) {
data.results = response; data.results = response;
query.callback(data); query.callback(data);
}); });
@ -860,59 +859,89 @@ module.controller('ResourceServerPolicyResourceDetailCtrl', function($scope, $ro
}; };
$scope.applyToResourceType = function() { $scope.applyToResourceType = function() {
if ($scope.policy.config.default) { if ($scope.applyToResourceTypeFlag) {
$scope.policy.config.resources = []; $scope.selectedResource = null;
} else { } else {
$scope.policy.config.defaultResourceType = null; $scope.policy.resourceType = null;
} }
} }
}, },
onInitUpdate : function(policy) { onInitUpdate : function(policy) {
policy.config.default = eval(policy.config.default); if (!policy.resourceType) {
policy.config.resources = {}; $scope.selectedResource = {};
ResourceServerPolicy.resources({ ResourceServerPermission.resources({
realm : $route.current.params.realm, realm: $route.current.params.realm,
client : client.id, client: client.id,
id : policy.id id: policy.id
}, function(resources) { }, function (resources) {
resources[0].text = resources[0].name; resources[0].text = resources[0].name;
$scope.policy.config.resources = resources[0]; $scope.selectedResource = resources[0];
}); var copy = angular.copy($scope.selectedResource);
$scope.$watch('selectedResource', function() {
if (!angular.equals($scope.selectedResource, copy)) {
$scope.changed = true;
}
}, true);
});
} else {
$scope.applyToResourceTypeFlag = true;
}
policy.config.applyPolicies = []; $scope.selectedPolicies = [];
ResourceServerPolicy.associatedPolicies({ ResourceServerPermission.associatedPolicies({
realm : $route.current.params.realm, realm : $route.current.params.realm,
client : client.id, client : client.id,
id : policy.id id : policy.id
}, function(policies) { }, function(policies) {
for (i = 0; i < policies.length; i++) { for (i = 0; i < policies.length; i++) {
policies[i].text = policies[i].name; policies[i].text = policies[i].name;
$scope.policy.config.applyPolicies.push(policies[i]); $scope.selectedPolicies.push(policies[i]);
var copy = angular.copy($scope.selectedPolicies);
$scope.$watch('selectedPolicies', function() {
if (!angular.equals($scope.selectedPolicies, copy)) {
$scope.changed = true;
}
}, true);
} }
}); });
}, },
onUpdate : function() { onUpdate : function() {
if ($scope.policy.config.resources && $scope.policy.config.resources._id) { if ($scope.selectedResource && $scope.selectedResource._id) {
$scope.policy.config.resources = JSON.stringify([$scope.policy.config.resources._id]); $scope.policy.resources = [];
$scope.policy.resources.push($scope.selectedResource._id);
} else { } else {
delete $scope.policy.config.resources delete $scope.policy.resources
} }
var policies = []; var policies = [];
for (i = 0; i < $scope.policy.config.applyPolicies.length; i++) { for (i = 0; i < $scope.selectedPolicies.length; i++) {
policies.push($scope.policy.config.applyPolicies[i].id); policies.push($scope.selectedPolicies[i].id);
} }
$scope.policy.config.applyPolicies = JSON.stringify(policies); $scope.policy.policies = policies;
delete $scope.policy.config;
}, },
onInitCreate : function(newPolicy) { onInitCreate : function(newPolicy) {
newPolicy.decisionStrategy = 'UNANIMOUS'; newPolicy.decisionStrategy = 'UNANIMOUS';
newPolicy.config = {}; $scope.selectedResource = null;
newPolicy.config.resources = null; var copy = angular.copy($scope.selectedResource);
$scope.$watch('selectedResource', function() {
if (!angular.equals($scope.selectedResource, copy)) {
$scope.changed = true;
}
}, true);
$scope.selectedPolicies = null;
var copy = angular.copy($scope.selectedPolicies);
$scope.$watch('selectedPolicies', function() {
if (!angular.equals($scope.selectedPolicies, copy)) {
$scope.changed = true;
}
}, true);
var resourceId = $location.search()['rsrid']; var resourceId = $location.search()['rsrid'];
@ -923,25 +952,27 @@ module.controller('ResourceServerPolicyResourceDetailCtrl', function($scope, $ro
rsrid : resourceId rsrid : resourceId
}, function(data) { }, function(data) {
data.text = data.name; data.text = data.name;
$scope.policy.config.resources = data; $scope.selectedResource = data;
}); });
} }
}, },
onCreate : function() { onCreate : function() {
if ($scope.policy.config.resources && $scope.policy.config.resources._id) { if ($scope.selectedResource && $scope.selectedResource._id) {
$scope.policy.config.resources = JSON.stringify([$scope.policy.config.resources._id]); $scope.policy.resources = [];
$scope.policy.resources.push($scope.selectedResource._id);
} else { } else {
delete $scope.policy.config.resources delete $scope.policy.resources
} }
var policies = []; var policies = [];
for (i = 0; i < $scope.policy.config.applyPolicies.length; i++) { for (i = 0; i < $scope.selectedPolicies.length; i++) {
policies.push($scope.policy.config.applyPolicies[i].id); policies.push($scope.selectedPolicies[i].id);
} }
$scope.policy.config.applyPolicies = JSON.stringify(policies); $scope.policy.policies = policies;
delete $scope.policy.config;
} }
}, realm, client, $scope); }, realm, client, $scope);
}); });
@ -1046,20 +1077,21 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
}; };
$scope.selectResource = function() { $scope.selectResource = function() {
$scope.policy.config.scopes = null; $scope.selectedScopes = null;
if ($scope.policy.config.resources) { if ($scope.policy.resources) {
ResourceServerResource.scopes({ ResourceServerResource.scopes({
realm: $route.current.params.realm, realm: $route.current.params.realm,
client: client.id, client: client.id,
rsrid: $scope.policy.config.resources._id rsrid: $scope.policy.resources._id
}, function (data) { }, function (data) {
$scope.policy.config.resources.scopes = data; $scope.resourceScopes = data;
}); });
} }
} }
}, },
onInitUpdate : function(policy) { onInitUpdate : function(policy) {
$scope.selectedScopes = [];
ResourceServerPolicy.resources({ ResourceServerPolicy.resources({
realm : $route.current.params.realm, realm : $route.current.params.realm,
client : client.id, client : client.id,
@ -1079,44 +1111,44 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
deep: false deep: false
}, function (resource) { }, function (resource) {
resource[0].text = resource[0].name; resource[0].text = resource[0].name;
$scope.policy.config.resources = resource[0]; $scope.policy.resources = resource[0];
ResourceServerResource.scopes({ ResourceServerResource.scopes({
realm: $route.current.params.realm, realm: $route.current.params.realm,
client: client.id, client: client.id,
rsrid: resource[0]._id rsrid: resource[0]._id
}, function (scopes) { }, function (scopes) {
$scope.policy.config.resources.scopes = scopes; $scope.resourceScopes = scopes;
}); });
ResourceServerPolicy.scopes({ ResourceServerPolicy.scopes({
realm: $route.current.params.realm, realm: $route.current.params.realm,
client: client.id, client: client.id,
id: policy.id id: policy.id
}, function (scopes) { }, function (scopes) {
$scope.policy.config.scopes = []; $scope.selectedScopes = [];
for (i = 0; i < scopes.length; i++) { for (i = 0; i < scopes.length; i++) {
$scope.policy.config.scopes.push(scopes[i].id); $scope.selectedScopes.push(scopes[i].id);
} }
}); });
}); });
}); });
} }
} else { } else {
$scope.policy.config.resources = null; $scope.policy.resources = null;
ResourceServerPolicy.scopes({ ResourceServerPolicy.scopes({
realm : $route.current.params.realm, realm : $route.current.params.realm,
client : client.id, client : client.id,
id : policy.id id : policy.id
}, function(scopes) { }, function(scopes) {
$scope.policy.config.scopes = []; $scope.selectedScopes = [];
for (i = 0; i < scopes.length; i++) { for (i = 0; i < scopes.length; i++) {
scopes[i].text = scopes[i].name; scopes[i].text = scopes[i].name;
$scope.policy.config.scopes.push(scopes[i]); $scope.selectedScopes.push(scopes[i]);
} }
}); });
} }
}); });
policy.config.applyPolicies = []; policy.policies = [];
ResourceServerPolicy.associatedPolicies({ ResourceServerPolicy.associatedPolicies({
realm : $route.current.params.realm, realm : $route.current.params.realm,
client : client.id, client : client.id,
@ -1124,43 +1156,42 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
}, function(policies) { }, function(policies) {
for (i = 0; i < policies.length; i++) { for (i = 0; i < policies.length; i++) {
policies[i].text = policies[i].name; policies[i].text = policies[i].name;
$scope.policy.config.applyPolicies.push(policies[i]); $scope.policy.policies.push(policies[i]);
} }
}); });
}, },
onUpdate : function() { onUpdate : function() {
if ($scope.policy.config.resources != null) { if ($scope.policy.resources != null) {
$scope.policy.config.resources = JSON.stringify([$scope.policy.config.resources._id]); $scope.policy.resources = [$scope.policy.resources._id];
} else { } else {
$scope.policy.config.resources = JSON.stringify([""]); delete $scope.policy.resources;
} }
var scopes = []; var scopes = [];
for (i = 0; i < $scope.policy.config.scopes.length; i++) { for (i = 0; i < $scope.selectedScopes.length; i++) {
if ($scope.policy.config.scopes[i].id) { if ($scope.selectedScopes[i].id) {
scopes.push($scope.policy.config.scopes[i].id); scopes.push($scope.selectedScopes[i].id);
} else { } else {
scopes.push($scope.policy.config.scopes[i]); scopes.push($scope.selectedScopes[i]);
} }
} }
$scope.policy.config.scopes = JSON.stringify(scopes); $scope.policy.scopes = scopes;
var policies = []; var policies = [];
for (i = 0; i < $scope.policy.config.applyPolicies.length; i++) { for (i = 0; i < $scope.policy.policies.length; i++) {
policies.push($scope.policy.config.applyPolicies[i].id); policies.push($scope.policy.policies[i].id);
} }
$scope.policy.config.applyPolicies = JSON.stringify(policies); $scope.policy.policies = policies;
}, },
onInitCreate : function(newPolicy) { onInitCreate : function(newPolicy) {
newPolicy.decisionStrategy = 'UNANIMOUS'; newPolicy.decisionStrategy = 'UNANIMOUS';
newPolicy.config = {}; newPolicy.resources = null;
newPolicy.config.resources = null;
var scopeId = $location.search()['scpid']; var scopeId = $location.search()['scpid'];
@ -1171,38 +1202,39 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
id: scopeId, id: scopeId,
}, function (data) { }, function (data) {
data.text = data.name; data.text = data.name;
if (!$scope.policy.config.scopes) { if (!$scope.policy.scopes) {
$scope.policy.config.scopes = []; $scope.policy.scopes = [];
} }
$scope.policy.config.scopes.push(data); $scope.policy.scopes.push(data);
}); });
} }
}, },
onCreate : function() { onCreate : function() {
if ($scope.policy.config.resources != null) { if ($scope.policy.resources != null) {
$scope.policy.config.resources = JSON.stringify([$scope.policy.config.resources._id]); $scope.policy.resources = [$scope.policy.resources._id];
} }
var scopes = []; var scopes = [];
for (i = 0; i < $scope.policy.config.scopes.length; i++) { for (i = 0; i < $scope.selectedScopes.length; i++) {
if ($scope.policy.config.scopes[i].id) { if ($scope.selectedScopes[i].id) {
scopes.push($scope.policy.config.scopes[i].id); scopes.push($scope.selectedScopes[i].id);
} else { } else {
scopes.push($scope.policy.config.scopes[i]); scopes.push($scope.selectedScopes[i]);
} }
} }
$scope.policy.config.scopes = JSON.stringify(scopes); $scope.policy.scopes = scopes;
var policies = []; var policies = [];
for (i = 0; i < $scope.policy.config.applyPolicies.length; i++) { for (i = 0; i < $scope.policy.policies.length; i++) {
policies.push($scope.policy.config.applyPolicies[i].id); policies.push($scope.policy.policies[i].id);
} }
$scope.policy.config.applyPolicies = JSON.stringify(policies); $scope.policy.policies = policies;
delete $scope.policy.config;
} }
}, realm, client, $scope); }, realm, client, $scope);
}); });
@ -1743,7 +1775,7 @@ module.controller('ResourceServerPolicyAggregateDetailCtrl', function($scope, $r
}, realm, client, $scope); }, realm, client, $scope);
}); });
module.service("PolicyController", function($http, $route, $location, ResourceServer, ResourceServerPolicy, AuthzDialog, Notifications) { module.service("PolicyController", function($http, $route, $location, ResourceServer, ResourceServerPolicy, ResourceServerPermission, AuthzDialog, Notifications) {
var PolicyController = {}; var PolicyController = {};
@ -1754,6 +1786,12 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
} }
} }
var service = ResourceServerPolicy;
if (delegate.isPermission()) {
service = ResourceServerPermission;
}
$scope.realm = realm; $scope.realm = realm;
$scope.client = client; $scope.client = client;
@ -1799,7 +1837,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
if (delegate.onCreate) { if (delegate.onCreate) {
delegate.onCreate(); delegate.onCreate();
} }
ResourceServerPolicy.save({realm : realm.realm, client : client.id}, $scope.policy, function(data) { service.save({realm : realm.realm, client : client.id, type: $scope.policy.type}, $scope.policy, function(data) {
if (delegate.isPermission()) { if (delegate.isPermission()) {
$location.url("/realms/" + realm.realm + "/clients/" + client.id + "/authz/resource-server/permission/" + $scope.policy.type + "/" + data.id); $location.url("/realms/" + realm.realm + "/clients/" + client.id + "/authz/resource-server/permission/" + $scope.policy.type + "/" + data.id);
Notifications.success("The permission has been created."); Notifications.success("The permission has been created.");
@ -1819,9 +1857,10 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
} }
} }
} else { } else {
ResourceServerPolicy.get({ service.get({
realm: realm.realm, realm: realm.realm,
client : client.id, client : client.id,
type: delegate.getPolicyType(),
id: $route.current.params.id id: $route.current.params.id
}, function(data) { }, function(data) {
$scope.originalPolicy = data; $scope.originalPolicy = data;
@ -1845,7 +1884,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
if (delegate.onUpdate) { if (delegate.onUpdate) {
delegate.onUpdate(); delegate.onUpdate();
} }
ResourceServerPolicy.update({realm : realm.realm, client : client.id, id : $scope.policy.id}, $scope.policy, function() { service.update({realm : realm.realm, client : client.id, type: $scope.policy.type, id : $scope.policy.id}, $scope.policy, function() {
$route.reload(); $route.reload();
if (delegate.isPermission()) { if (delegate.isPermission()) {
Notifications.success("The permission has been updated."); Notifications.success("The permission has been updated.");
@ -1871,7 +1910,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
$scope.remove = function() { $scope.remove = function() {
var msg = ""; var msg = "";
ResourceServerPolicy.dependentPolicies({ service.dependentPolicies({
realm : $route.current.params.realm, realm : $route.current.params.realm,
client : client.id, client : client.id,
id : $scope.policy.id id : $scope.policy.id
@ -1887,7 +1926,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
} }
AuthzDialog.confirmDeleteWithMsg($scope.policy.name, "Policy", msg, function() { AuthzDialog.confirmDeleteWithMsg($scope.policy.name, "Policy", msg, function() {
ResourceServerPolicy.delete({realm : $scope.realm.realm, client : $scope.client.id, id : $scope.policy.id}, null, function() { service.delete({realm : $scope.realm.realm, client : $scope.client.id, id : $scope.policy.id}, null, function() {
if (delegate.isPermission()) { if (delegate.isPermission()) {
$location.url("/realms/" + realm.realm + "/clients/" + client.id + "/authz/resource-server/permission"); $location.url("/realms/" + realm.realm + "/clients/" + client.id + "/authz/resource-server/permission");
Notifications.success("The permission has been deleted."); Notifications.success("The permission has been deleted.");

22
themes/src/main/resources/theme/base/admin/resources/js/authz/authz-services.js
View file

@ -36,10 +36,11 @@ module.factory('ResourceServerScope', function($resource) {
}); });
module.factory('ResourceServerPolicy', function($resource) { module.factory('ResourceServerPolicy', function($resource) {
return $resource(authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/:id', { return $resource(authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/:type/:id', {
realm : '@realm', realm : '@realm',
client: '@client', client: '@client',
id : '@id' id : '@id',
type: '@type'
}, { }, {
'update' : {method : 'PUT'}, 'update' : {method : 'PUT'},
'search' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/search', method : 'GET'}, 'search' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/search', method : 'GET'},
@ -50,6 +51,23 @@ module.factory('ResourceServerPolicy', function($resource) {
}); });
}); });
module.factory('ResourceServerPermission', function($resource) {
return $resource(authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/permission/:type/:id', {
realm : '@realm',
client: '@client',
type: '@type',
id : '@id'
}, {
'update' : {method : 'PUT'},
'search' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/permission/search', method : 'GET'},
'searchPolicies' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy', method : 'GET', isArray: true},
'associatedPolicies' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/:id/associatedPolicies', method : 'GET', isArray: true},
'dependentPolicies' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/:id/dependentPolicies', method : 'GET', isArray: true},
'scopes' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/permission/:id/scopes', method : 'GET', isArray: true},
'resources' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/permission/:id/resources', method : 'GET', isArray: true}
});
});
module.factory('PolicyProvider', function($resource) { module.factory('PolicyProvider', function($resource) {
return $resource(authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/providers', { return $resource(authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/providers', {
realm : '@realm', realm : '@realm',

16
themes/src/main/resources/theme/base/admin/resources/partials/authz/permission/provider/resource-server-policy-resource-detail.html
View file

@ -29,25 +29,25 @@
<kc-tooltip>{{:: 'authz-permission-description.tooltip' | translate}}</kc-tooltip> <kc-tooltip>{{:: 'authz-permission-description.tooltip' | translate}}</kc-tooltip>
</div> </div>
<div class="form-group"> <div class="form-group">
<label class="col-md-2 control-label" for="policy.config.default">{{:: 'authz-permission-resource-apply-to-resource-type' | translate}}</label> <label class="col-md-2 control-label" for="applyToResourceTypeFlag">{{:: 'authz-permission-resource-apply-to-resource-type' | translate}}</label>
<div class="col-md-6"> <div class="col-md-6">
<input ng-model="policy.config.default" id="policy.config.default" onoffswitch data-ng-click="applyToResourceType()"/> <input ng-model="applyToResourceTypeFlag" id="applyToResourceTypeFlag" onoffswitch data-ng-click="applyToResourceType()"/>
</div> </div>
<kc-tooltip>{{:: 'authz-permission-resource-apply-to-resource-type.tooltip' | translate}}</kc-tooltip> <kc-tooltip>{{:: 'authz-permission-resource-apply-to-resource-type.tooltip' | translate}}</kc-tooltip>
</div> </div>
<div class="form-group clearfix" data-ng-hide="policy.config.default"> <div class="form-group clearfix" data-ng-hide="applyToResourceTypeFlag">
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-resources' | translate}} <span class="required">*</span></label> <label class="col-md-2 control-label" for="reqActions">{{:: 'authz-resources' | translate}} <span class="required">*</span></label>
<div class="col-md-6"> <div class="col-md-6">
<input type="hidden" ui-select2="resourcesUiSelect" id="reqActions" data-ng-model="policy.config.resources" data-placeholder="{{:: 'authz-select-resource' | translate}}..." data-ng-required="!policy.config.default"/> <input type="hidden" ui-select2="resourcesUiSelect" id="reqActions" data-ng-model="selectedResource" data-placeholder="{{:: 'authz-select-resource' | translate}}..." data-ng-required="!applyToResourceTypeFlag"/>
</div> </div>
<kc-tooltip>{{:: 'authz-permission-resource-resource.tooltip' | translate}}</kc-tooltip> <kc-tooltip>{{:: 'authz-permission-resource-resource.tooltip' | translate}}</kc-tooltip>
</div> </div>
<div class="form-group clearfix" data-ng-show="policy.config.default"> <div class="form-group clearfix" data-ng-show="applyToResourceTypeFlag">
<label class="col-md-2 control-label" for="policy.config.defaultResourceType">{{:: 'authz-resource-type' | translate}} <span class="required">*</span></label> <label class="col-md-2 control-label" for="policy.resourceType">{{:: 'authz-resource-type' | translate}} <span class="required">*</span></label>
<div class="col-md-6"> <div class="col-md-6">
<input class="form-control" type="text" id="policy.config.defaultResourceType" name="policy.config.defaultResourceType" data-ng-model="policy.config.defaultResourceType" data-ng-required="policy.config.default"> <input class="form-control" type="text" id="policy.resourceType" name="policy.resourceType" data-ng-model="policy.resourceType" data-ng-required="applyToResourceTypeFlag">
</div> </div>
<kc-tooltip>{{:: 'authz-permission-resource-type.tooltip' | translate}}</kc-tooltip> <kc-tooltip>{{:: 'authz-permission-resource-type.tooltip' | translate}}</kc-tooltip>
@ -56,7 +56,7 @@
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-policy-apply-policy' | translate}} <span class="required">*</span></label> <label class="col-md-2 control-label" for="reqActions">{{:: 'authz-policy-apply-policy' | translate}} <span class="required">*</span></label>
<div class="col-md-6"> <div class="col-md-6">
<input type="hidden" ui-select2="policiesUiSelect" id="reqActions" data-ng-model="policy.config.applyPolicies" data-placeholder="{{:: 'authz-select-a-policy' | translate}}..." multiple required /> <input type="hidden" ui-select2="policiesUiSelect" id="reqActions" data-ng-model="selectedPolicies" data-placeholder="{{:: 'authz-select-a-policy' | translate}}..." multiple required />
</div> </div>
<kc-tooltip>{{:: 'authz-policy-apply-policy.tooltip' | translate}}</kc-tooltip> <kc-tooltip>{{:: 'authz-policy-apply-policy.tooltip' | translate}}</kc-tooltip>

17
themes/src/main/resources/theme/base/admin/resources/partials/authz/permission/provider/resource-server-policy-scope-detail.html
View file

@ -32,27 +32,28 @@
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-resource' | translate}}</label> <label class="col-md-2 control-label" for="reqActions">{{:: 'authz-resource' | translate}}</label>
<div class="col-md-6"> <div class="col-md-6">
<input type="hidden" ui-select2="resourcesUiSelect" data-ng-change="selectResource()" id="reqActions" data-ng-model="policy.config.resources" data-placeholder="{{:: 'authz-any-resource' | translate}}..." /> <input type="hidden" ui-select2="resourcesUiSelect" data-ng-change="selectResource()" id="reqActions" data-ng-model="policy.resources" data-placeholder="{{:: 'authz-any-resource' | translate}}..." />
</div> </div>
<kc-tooltip>{{:: 'authz-permission-scope-resource.tooltip' | translate}}</kc-tooltip> <kc-tooltip>{{:: 'authz-permission-scope-resource.tooltip' | translate}}</kc-tooltip>
</div> </div>
<div class="form-group clearfix" data-ng-show="policy.config.resources"> <div class="form-group clearfix" data-ng-show="policy.resources">
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-scopes' | translate}} <span class="required">*</span></label> <label class="col-md-2 control-label" for="reqActions">{{:: 'authz-scopes' | translate}} <span class="required">*</span></label>
<div class="col-md-6"> <div class="col-md-6">
<select ui-select2 id="reqActions2" <select ui-select2 id="reqActions2"
data-ng-model="policy.config.scopes" data-ng-model="selectedScopes"
data-placeholder="{{:: 'authz-any-scope' | translate}}..." multiple data-placeholder="{{:: 'authz-any-scope' | translate}}..." multiple
data-ng-required="policy.config.resources != null" data-ng-required="policy.resources != null">
data-ng-options="scope.id as scope.name for scope in policy.config.resources.scopes track by scope.id"/> <option ng-repeat="scope in resourceScopes" value="{{scope.id}}">{{scope.name}}</option>
</select>
</div> </div>
<kc-tooltip>{{:: 'authz-permission-scope-scope.tooltip' | translate}}</kc-tooltip> <kc-tooltip>{{:: 'authz-permission-scope-scope.tooltip' | translate}}</kc-tooltip>
</div> </div>
<div class="form-group clearfix" data-ng-show="!policy.config.resources"> <div class="form-group clearfix" data-ng-show="!policy.resources">
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-scopes' | translate}} <span class="required">*</span></label> <label class="col-md-2 control-label" for="reqActions">{{:: 'authz-scopes' | translate}} <span class="required">*</span></label>
<div class="col-md-6"> <div class="col-md-6">
<input type="hidden" ui-select2="scopesUiSelect" id="reqActions" data-ng-model="policy.config.scopes" data-placeholder="{{:: 'authz-any-scope' | translate}}..." multiple data-ng-required="policy.config.resources == null" /> <input type="hidden" ui-select2="scopesUiSelect" id="reqActions" data-ng-model="selectedScopes" data-placeholder="{{:: 'authz-any-scope' | translate}}..." multiple data-ng-required="policy.resources == null" />
</div> </div>
<kc-tooltip>{{:: 'authz-permission-scope-scope.tooltip' | translate}}</kc-tooltip> <kc-tooltip>{{:: 'authz-permission-scope-scope.tooltip' | translate}}</kc-tooltip>
</div> </div>
@ -60,7 +61,7 @@
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-policy-apply-policy' | translate}} <span class="required">*</span></label> <label class="col-md-2 control-label" for="reqActions">{{:: 'authz-policy-apply-policy' | translate}} <span class="required">*</span></label>
<div class="col-md-6"> <div class="col-md-6">
<input type="hidden" ui-select2="policiesUiSelect" id="reqActions" data-ng-model="policy.config.applyPolicies" data-placeholder="{{:: 'authz-select-a-policy' | translate}}..." multiple required /> <input type="hidden" ui-select2="policiesUiSelect" id="reqActions" data-ng-model="policy.policies" data-placeholder="{{:: 'authz-select-a-policy' | translate}}..." multiple required />
</div> </div>
<kc-tooltip>{{:: 'authz-policy-apply-policy.tooltip' | translate}}</kc-tooltip> <kc-tooltip>{{:: 'authz-policy-apply-policy.tooltip' | translate}}</kc-tooltip>