Fix to evaluation tool
parent
366cb78a36
commit
829bcf5eaf
8 changed files with 61 additions and 62 deletions
|
@ -19,13 +19,11 @@
|
|||
package org.keycloak.representations.idm.authorization;
|
||||
|
||||
import org.keycloak.representations.AccessToken;
|
||||
import org.keycloak.representations.idm.authorization.DecisionEffect;
|
||||
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
|
@ -123,7 +121,7 @@ public class PolicyEvaluationResponse {
|
|||
private PolicyRepresentation policy;
|
||||
private DecisionEffect status;
|
||||
private List<PolicyResultRepresentation> associatedPolicies;
|
||||
private List<ScopeRepresentation> scopes = new ArrayList<>();
|
||||
private Set<String> scopes = new HashSet<>();
|
||||
|
||||
public PolicyRepresentation getPolicy() {
|
||||
return policy;
|
||||
|
@ -162,11 +160,11 @@ public class PolicyEvaluationResponse {
|
|||
return this.policy.equals(policy.getPolicy());
|
||||
}
|
||||
|
||||
public void setScopes(List<ScopeRepresentation> scopes) {
|
||||
public void setScopes(Set<String> scopes) {
|
||||
this.scopes = scopes;
|
||||
}
|
||||
|
||||
public List<ScopeRepresentation> getScopes() {
|
||||
public Set<String> getScopes() {
|
||||
return scopes;
|
||||
}
|
||||
}
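Review bot: `getScopes()` at L110-L113 returns the internal `HashSet` itself and `setScopes` at L96 stores the caller's reference, so a consumer can alter a result's scope set after evaluation, and a `null` passed to the setter turns the non-null default of L70 into a `null` return. Since this is a public representation class and the mutable accessor is probably intentional for serialization, the point is mainly documentation: the element type changed from `ScopeRepresentation` objects (L67, L93, L107) to plain scope names, which is a wire-format change every REST client of the evaluation endpoint must follow, and nothing in the class says so. Suggested Javadoc on the field: `/** Names of the scopes reported for this policy result; empty, never null, unless a caller passes null to setScopes. */`.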
|
||||
|
|
|
@ -38,6 +38,18 @@ public class PermissionService extends PolicyService {
|
|||
return new PolicyTypeResourceService(policy, resourceServer, authorization, auth);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected PolicyTypeService doCreatePolicyTypeResource(String type) {
|
||||
return new PolicyTypeService(type, resourceServer, authorization, auth) {
|
||||
@Override
|
||||
protected List<Object> doSearch(Integer firstResult, Integer maxResult, Map<String, String[]> filters) {
|
||||
filters.put("permission", new String[] {Boolean.TRUE.toString()});
|
||||
filters.put("type", new String[] {type});
|
||||
return super.doSearch(firstResult, maxResult, filters);
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
@Override
|
||||
protected List<Object> doSearch(Integer firstResult, Integer maxResult, Map<String, String[]> filters) {
|
||||
filters.put("permission", new String[] {Boolean.TRUE.toString()});
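Review bot: The anonymous `PolicyTypeService` returned at L142-L163 writes `permission` and `type` straight into the caller-supplied `filters` map (L151, L154), so it relies on that map being mutable and on `put` overwriting whatever a client sent under the same keys; the `type` entry is then written again by `PolicyTypeService.doSearch` before the base search runs, which is harmless but redundant. If `filters` can ever be an unmodifiable view, copy before constraining: `Map<String, String[]> constrained = new HashMap<>(filters); constrained.put("permission", new String[] {Boolean.TRUE.toString()}); return super.doSearch(firstResult, maxResult, constrained);` (adding the `java.util.HashMap` import if this file lacks it). Either way a why-comment is warranted: `// server-side constraint: must win over any client-supplied "permission"/"type" filter`. The pre-existing `doSearch` at L174 continues past the hunk.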
|
||||
|
|
|
@ -75,7 +75,7 @@ public class PolicyService {
|
|||
PolicyProviderFactory providerFactory = getPolicyProviderFactory(type);
|
||||
|
||||
if (providerFactory != null) {
|
||||
return new PolicyTypeService(type, resourceServer, authorization, auth);
|
||||
return doCreatePolicyTypeResource(type);
|
||||
}
|
||||
|
||||
Policy policy = authorization.getStoreFactory().getPolicyStore().findById(type, resourceServer.getId());
|
||||
|
@ -83,6 +83,10 @@ public class PolicyService {
|
|||
return doCreatePolicyResource(policy);
|
||||
}
|
||||
|
||||
protected PolicyTypeService doCreatePolicyTypeResource(String type) {
|
||||
return new PolicyTypeService(type, resourceServer, authorization, auth);
|
||||
}
|
||||
|
||||
protected Object doCreatePolicyResource(Policy policy) {
|
||||
return new PolicyResourceService(policy, resourceServer, authorization, auth);
|
||||
}
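Review bot: The new extension point `doCreatePolicyTypeResource(String type)` at L220-L226 has no Javadoc, and since it is `protected` and is already overridden in `PermissionService` in this commit, subclass authors need its contract spelled out: it is only reached after `type` matched a registered `PolicyProviderFactory` (L186-L197), while the same value is otherwise reinterpreted as a policy id (L205), so `type` is presumably a client-controlled path segment and implementations should not widen the lookup beyond that type. Suggested doc: `/** Creates the sub-resource serving policies of {@code type}; called only when {@code type} resolved to a registered provider factory. */`. The enclosing method of the first hunk begins outside the hunk.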
|
||||
|
|
|
@ -17,6 +17,8 @@
|
|||
package org.keycloak.authorization.admin;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.ws.rs.Path;
|
||||
|
||||
|
@ -88,4 +90,10 @@ public class PolicyTypeService extends PolicyService {
|
|||
PolicyProviderFactory providerFactory = authorization.getProviderFactory(policy.getType());
|
||||
return ModelToRepresentation.toRepresentation(policy, providerFactory.getRepresentationType(), authorization);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected List<Object> doSearch(Integer firstResult, Integer maxResult, Map<String, String[]> filters) {
|
||||
filters.put("type", new String[] {type});
|
||||
return super.doSearch(firstResult, maxResult, filters);
|
||||
}
|
||||
}
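Review bot: The override at L285-L294 silently overwrites any `type` entry the caller placed in `filters`, which is the right direction (the server-side type constraint must win over client-supplied filters) but is stated nowhere, and it mutates the caller's map in passing. Add a why-comment above L288: `// pin the type server-side: a client-supplied "type" filter must not widen this resource's search`, and a Javadoc on the method noting that it narrows the inherited search to this resource's type. If the incoming map may be shared with other code, copy it before the `put`.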
|
||||
|
|
|
@ -19,12 +19,10 @@ package org.keycloak.authorization.admin.representation;
|
|||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import org.keycloak.authorization.Decision;
|
||||
import org.keycloak.authorization.common.KeycloakIdentity;
|
||||
import org.keycloak.authorization.model.Policy;
|
||||
import org.keycloak.authorization.model.ResourceServer;
|
||||
import org.keycloak.authorization.model.Scope;
|
||||
import org.keycloak.authorization.policy.evaluation.Result;
|
||||
import org.keycloak.authorization.util.Permissions;
|
||||
import org.keycloak.models.utils.ModelToRepresentation;
|
||||
import org.keycloak.representations.AccessToken;
|
||||
import org.keycloak.representations.idm.authorization.DecisionEffect;
|
||||
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
|
||||
|
@ -38,7 +36,7 @@ import java.util.Comparator;
|
|||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.function.Consumer;
|
||||
import java.util.Set;
|
||||
import java.util.function.Function;
|
||||
import java.util.stream.Collectors;
|
||||
import java.util.stream.Stream;
|
||||
|
@ -128,37 +126,8 @@ public class PolicyEvaluationResponseBuilder {
|
|||
|
||||
List<ScopeRepresentation> scopes = result.getScopes();
|
||||
|
||||
if (scopes == null) {
|
||||
scopes = new ArrayList<>();
|
||||
result.setScopes(scopes);
|
||||
}
|
||||
|
||||
List<ScopeRepresentation> currentScopes = evaluationResultRepresentation.getScopes();
|
||||
|
||||
if (currentScopes != null) {
|
||||
List<ScopeRepresentation> allowedScopes = result.getAllowedScopes();
|
||||
for (ScopeRepresentation scope : currentScopes) {
|
||||
if (!scopes.contains(scope)) {
|
||||
scopes.add(scope);
|
||||
}
|
||||
if (evaluationResultRepresentation.getStatus().equals(Decision.Effect.PERMIT)) {
|
||||
if (!allowedScopes.contains(scope)) {
|
||||
allowedScopes.add(scope);
|
||||
}
|
||||
} else {
|
||||
evaluationResultRepresentation.getPolicies().forEach(new Consumer<PolicyEvaluationResponse.PolicyResultRepresentation>() {
|
||||
@Override
|
||||
public void accept(PolicyEvaluationResponse.PolicyResultRepresentation policyResultRepresentation) {
|
||||
if (policyResultRepresentation.getStatus().equals(Decision.Effect.PERMIT)) {
|
||||
if (!allowedScopes.contains(scope)) {
|
||||
allowedScopes.add(scope);
|
||||
}
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
}
|
||||
result.setAllowedScopes(allowedScopes);
|
||||
if (DecisionEffect.PERMIT.equals(result.getStatus())) {
|
||||
result.setAllowedScopes(scopes);
|
||||
}
|
||||
|
||||
if (resource.getId() != null) {
|
||||
|
@ -176,19 +145,7 @@ public class PolicyEvaluationResponseBuilder {
|
|||
for (PolicyEvaluationResponse.PolicyResultRepresentation policy : new ArrayList<>(evaluationResultRepresentation.getPolicies())) {
|
||||
if (!policies.contains(policy)) {
|
||||
policies.add(policy);
|
||||
} else {
|
||||
policy = policies.get(policies.indexOf(policy));
|
||||
}
|
||||
|
||||
if (policy.getStatus().equals(Decision.Effect.DENY)) {
|
||||
Policy policyModel = authorization.getStoreFactory().getPolicyStore().findById(policy.getPolicy().getId(), resourceServer.getId());
|
||||
for (ScopeRepresentation scope : policyModel.getScopes().stream().map(scopeModel -> ModelToRepresentation.toRepresentation(scopeModel, authorization)).collect(Collectors.toList())) {
|
||||
if (!policy.getScopes().contains(scope) && policyModel.getScopes().stream().filter(policyScope -> policyScope.getId().equals(scope.getId())).findFirst().isPresent()) {
|
||||
result.getAllowedScopes().remove(scope);
|
||||
policy.getScopes().add(scope);
|
||||
}
|
||||
}
|
||||
} else {}
|
||||
}
|
||||
});
|
||||
|
||||
|
@ -207,12 +164,19 @@ public class PolicyEvaluationResponseBuilder {
|
|||
representation.setType(policy.getPolicy().getType());
|
||||
representation.setDecisionStrategy(policy.getPolicy().getDecisionStrategy());
|
||||
|
||||
representation.setResources(policy.getPolicy().getResources().stream().map(resource -> resource.getName()).collect(Collectors.toSet()));
|
||||
|
||||
Set<String> scopeNames = policy.getPolicy().getScopes().stream().map(scope -> scope.getName()).collect(Collectors.toSet());
|
||||
|
||||
representation.setScopes(scopeNames);
|
||||
|
||||
policyResultRep.setPolicy(representation);
|
||||
|
||||
if (policy.getStatus() == Decision.Effect.DENY) {
|
||||
policyResultRep.setStatus(DecisionEffect.DENY);
|
||||
policyResultRep.setScopes(representation.getScopes());
|
||||
} else {
|
||||
policyResultRep.setStatus(DecisionEffect.PERMIT);
|
||||
|
||||
}
|
||||
|
||||
policyResultRep.setAssociatedPolicies(policy.getAssociatedPolicies().stream().map(result -> toRepresentation(result, authorization)).collect(Collectors.toList()));
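Review bot: `result.setAllowedScopes(scopes)` at L475 stores the very list returned by `result.getScopes()` at L376, so `scopes` and `allowedScopes` become one object and any later mutation of either shows up in both; and if `getScopes()` is null — judging by the hunk counts, the old null guard at L381-L390 is among the removed lines — `allowedScopes` is set to null too. Prefer a copy: `result.setAllowedScopes(scopes == null ? new ArrayList<>() : new ArrayList<>(scopes));`. The same aliasing appears at L583, where `policyResultRep.setScopes(representation.getScopes())` shares one `Set` between the policy representation and its result. Beyond that, the per-policy DENY narrowing performed by the removed L510-L534 is gone — with an overall PERMIT every scope is reported as allowed — so a comment should state that `allowedScopes` reflects the resource-level decision only; if runtime enforcement (not visible here) is scope-granular, the tool now overstates what is granted. The enclosing method begins outside the hunk.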
|
||||
|
|
|
@ -2082,13 +2082,21 @@ module.controller('PolicyEvaluateCtrl', function($scope, $http, $route, $locatio
|
|||
$scope.client = client;
|
||||
$scope.clients = clients;
|
||||
$scope.roles = roles;
|
||||
$scope.authzRequest = {};
|
||||
$scope.authzRequest.resources = [];
|
||||
$scope.authzRequest.context = {};
|
||||
$scope.authzRequest.context.attributes = {};
|
||||
$scope.authzRequest.roleIds = [];
|
||||
authzRequest = {};
|
||||
authzRequest.resources = [];
|
||||
authzRequest.context = {};
|
||||
authzRequest.context.attributes = {};
|
||||
authzRequest.roleIds = [];
|
||||
$scope.resultUrl = resourceUrl + '/partials/authz/policy/resource-server-policy-evaluate-result.html';
|
||||
|
||||
$scope.authzRequest = angular.copy(authzRequest);
|
||||
|
||||
$scope.$watch('authzRequest', function() {
|
||||
if (!angular.equals($scope.authzRequest, authzRequest)) {
|
||||
$scope.changed = true;
|
||||
}
|
||||
}, true);
|
||||
|
||||
$scope.addContextAttribute = function() {
|
||||
if (!$scope.newContextAttribute.value || $scope.newContextAttribute.value == '') {
|
||||
Notifications.error("You must provide a value to a context attribute.");
|
||||
|
@ -2396,4 +2404,9 @@ module.controller('PolicyEvaluateCtrl', function($scope, $http, $route, $locatio
|
|||
|
||||
$scope.authzRequest.userId = user.id;
|
||||
}
|
||||
|
||||
$scope.reset = function() {
|
||||
$scope.authzRequest = angular.copy(authzRequest);
|
||||
$scope.changed = false;
|
||||
}
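Review bot: `authzRequest = {};` at L632 has no `var`, so unless it is declared earlier in the controller (outside this hunk) it becomes an implicit global shared by every `PolicyEvaluateCtrl` instance, and the `$watch` at L657 and `reset` at L697-L706 would compare against and restore whichever instance wrote last (it also throws under strict mode). Declare it locally: `var authzRequest = {};`. The controller function starts before the hunk.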
|
||||
});
|
|
@ -45,7 +45,7 @@
|
|||
href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server/permission/{{policyResult.policy.type}}/{{policyResult.policy.id}}">{{policyResult.policy.name}}</a></strong>
|
||||
decision was <span style="color: green" data-ng-show="policyResult.status == 'PERMIT'"><strong>{{policyResult.status}}</strong></span>
|
||||
<span style="color: red" data-ng-hide="policyResult.status == 'PERMIT'"><strong>{{policyResult.status}}</strong></span>
|
||||
by <strong>{{policyResult.policy.decisionStrategy}}</strong> decision. {{policyResult.scopes.length > 0 ? 'Denied Scopes:' : ''}} <span data-ng-repeat="scope in policyResult.scopes"><strong style="color: red">{{scope.name}}{{$last ? '' : ', '}}</strong></span>{{policyResult.scopes.length > 0 ? '.' : ''}}
|
||||
by <strong>{{policyResult.policy.decisionStrategy}}</strong> decision. {{policyResult.policy.scopes.length > 0 ? (policyResult.status == 'DENY' ? 'Denied Scopes:' : 'Granted Scopes:') : ''}} <span data-ng-repeat="scope in policyResult.policy.scopes"><strong style="color: {{(policyResult.status == 'DENY' ? 'red' : 'green')}}">{{scope}}{{$last ? '' : ', '}}</strong></span>{{policyResult.policy.scopes.length > 0 ? '.' : ''}}
|
||||
<ul>
|
||||
<li data-ng-repeat="subPolicy in policyResult.associatedPolicies">
|
||||
<strong><a
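Review bot: The new label at L727 presents `policyResult.policy.scopes` as "Granted Scopes:" whenever `policyResult.status` is not DENY, but on the Java side of this commit that set is the policy's configured scope names (L562-L567), and on the PERMIT branch no per-result scopes are populated (L589-L592) — so a PERMIT row advertises every scope the policy mentions as granted even though the overall decision may still deny them. Use a neutral label, e.g. `'Denied Scopes:' : 'Scopes:'`, or list `policyResult.scopes` only when the result actually populates it. As a style point, the interpolated `style="color: {{…}}"` is better written as `data-ng-style="{color: policyResult.status == 'DENY' ? 'red' : 'green'}"` or an `ng-class`, which avoids interpolating into a CSS attribute.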
|
||||
|
|
|
@ -11,7 +11,7 @@
|
|||
|
||||
<div data-ng-show="showResult">
|
||||
<br>
|
||||
<a href="" data-ng-click="showRequestTab()">{{:: 'authz-evaluation-new' | translate}}</a>
|
||||
<a href="" data-ng-click="showRequestTab()">{{:: 'back' | translate}}</a>
|
||||
|
|
||||
<a href="" data-ng-click="reevaluate()">{{:: 'authz-evaluation-re-evaluate' | translate}}</a>
|
||||
|
|
||||
|
|