libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

Fixed tests. Removed styling changes.

Browse source
This commit is contained in:
stefvdwel 2021-02-16 15:37:23 +01:00 committed by Pedro Igor
parent 11b0c23937
commit 8f719885fd
2 changed files with 19 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
authz/client/src/main/java/org/keycloak/authorization/client/resource/PermissionResource.java
View file

@ -65,10 +65,10 @@ public class PermissionResource {
final String requester, final String requester,
final Boolean granted, final Boolean granted,
final Boolean returnNames) { final Boolean returnNames) {
Callable<Map<String, Long>> callable = new Callable<Map<String, Long>>() { Callable<Long> callable = new Callable<Long>() {
@Override @Override
public Map<String, Long> call() throws Exception { public Long call() throws Exception {
return http.<Map<String, Long>>get(serverConfiguration.getPermissionEndpoint()+"/ticket/count") return http.<Long>get(serverConfiguration.getPermissionEndpoint()+"/ticket/count")
.authorizationBearer(pat.call()) .authorizationBearer(pat.call())
.param("resourceId", resourceId) .param("resourceId", resourceId)
.param("scopeId", scopeId) .param("scopeId", scopeId)
@ -76,14 +76,13 @@ public class PermissionResource {
.param("requester", requester) .param("requester", requester)
.param("granted", granted == null ? null : granted.toString()) .param("granted", granted == null ? null : granted.toString())
.param("returnNames", returnNames == null ? null : returnNames.toString()) .param("returnNames", returnNames == null ? null : returnNames.toString())
.response().json(new TypeReference<Map<String, Long>>(){}).execute(); .response().json(new TypeReference<Long>(){}).execute();
} }
}; };
try { try {
return callable.call().get("count"); return callable.call();
} catch (Exception cause) { } catch (Exception cause) {
return Throwables.retryAndWrapExceptionIfNecessary(callable, pat, "Error querying permission ticket count", cause) return Throwables.retryAndWrapExceptionIfNecessary(callable, pat, "Error querying permission ticket count", cause);
.get("count");
} }
} }

26
services/src/main/java/org/keycloak/authorization/protection/permission/PermissionTicketService.java
View file

@ -81,23 +81,23 @@ public class PermissionTicketService {
throw new ErrorResponseException("invalid_permission", "created permissions should have scope or scopeName", Response.Status.BAD_REQUEST); throw new ErrorResponseException("invalid_permission", "created permissions should have scope or scopeName", Response.Status.BAD_REQUEST);
if (representation.getRequester() == null && representation.getRequesterName() == null) if (representation.getRequester() == null && representation.getRequesterName() == null)
throw new ErrorResponseException("invalid_permission", "created permissions should have requester or requesterName", Response.Status.BAD_REQUEST); throw new ErrorResponseException("invalid_permission", "created permissions should have requester or requesterName", Response.Status.BAD_REQUEST);
ResourceStore rstore = this.authorization.getStoreFactory().getResourceStore(); ResourceStore rstore = this.authorization.getStoreFactory().getResourceStore();
Resource resource = rstore.findById(representation.getResource(), resourceServer.getId()); Resource resource = rstore.findById(representation.getResource(), resourceServer.getId());
if (resource == null ) throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not exists in this server.", Response.Status.BAD_REQUEST); if (resource == null ) throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not exists in this server.", Response.Status.BAD_REQUEST);
if (!resource.getOwner().equals(this.identity.getId())) if (!resource.getOwner().equals(this.identity.getId()))
throw new ErrorResponseException("not_authorised", "permissions for [" + representation.getResource() + "] can be only created by the owner", Response.Status.FORBIDDEN); throw new ErrorResponseException("not_authorised", "permissions for [" + representation.getResource() + "] can be only created by the owner", Response.Status.FORBIDDEN);
UserModel user = null; UserModel user = null;
if(representation.getRequester() != null) if(representation.getRequester() != null)
user = this.authorization.getKeycloakSession().userStorageManager().getUserById(this.authorization.getRealm(), representation.getRequester()); user = this.authorization.getKeycloakSession().userStorageManager().getUserById(this.authorization.getRealm(), representation.getRequester());
else else
user = this.authorization.getKeycloakSession().userStorageManager().getUserByUsername(this.authorization.getRealm(), representation.getRequesterName()); user = this.authorization.getKeycloakSession().userStorageManager().getUserByUsername(this.authorization.getRealm(), representation.getRequesterName());
if (user == null) if (user == null)
throw new ErrorResponseException("invalid_permission", "Requester does not exists in this server as user.", Response.Status.BAD_REQUEST); throw new ErrorResponseException("invalid_permission", "Requester does not exists in this server as user.", Response.Status.BAD_REQUEST);
Scope scope = null; Scope scope = null;
ScopeStore sstore = this.authorization.getStoreFactory().getScopeStore(); ScopeStore sstore = this.authorization.getStoreFactory().getScopeStore();
@ -114,16 +114,16 @@ public class PermissionTicketService {
boolean match = resource.getScopes().contains(scope); boolean match = resource.getScopes().contains(scope);
if (!match) if (!match)
throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not have Scope [" + scope.getName() + "]", Response.Status.BAD_REQUEST); throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not have Scope [" + scope.getName() + "]", Response.Status.BAD_REQUEST);
Map<String, String> attributes = new HashMap<>(); Map<String, String> attributes = new HashMap<>();
attributes.put(PermissionTicket.RESOURCE, resource.getId()); attributes.put(PermissionTicket.RESOURCE, resource.getId());
attributes.put(PermissionTicket.SCOPE, scope.getId()); attributes.put(PermissionTicket.SCOPE, scope.getId());
attributes.put(PermissionTicket.REQUESTER, user.getId()); attributes.put(PermissionTicket.REQUESTER, user.getId());
if (!ticketStore.find(attributes, resourceServer.getId(), -1, -1).isEmpty()) if (!ticketStore.find(attributes, resourceServer.getId(), -1, -1).isEmpty())
throw new ErrorResponseException("invalid_permission", "Permission already exists", Response.Status.BAD_REQUEST); throw new ErrorResponseException("invalid_permission", "Permission already exists", Response.Status.BAD_REQUEST);
PermissionTicket ticket = ticketStore.create(resource.getId(), scope.getId(), user.getId(), resourceServer); PermissionTicket ticket = ticketStore.create(resource.getId(), scope.getId(), user.getId(), resourceServer);
if(representation.isGranted()) if(representation.isGranted())
ticket.setGrantedTimestamp(java.lang.System.currentTimeMillis()); ticket.setGrantedTimestamp(java.lang.System.currentTimeMillis());
@ -144,7 +144,7 @@ public class PermissionTicketService {
if (ticket == null) { if (ticket == null) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST); throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
} }
if (!ticket.getOwner().equals(this.identity.getId()) && !this.identity.isResourceServer()) if (!ticket.getOwner().equals(this.identity.getId()) && !this.identity.isResourceServer())
throw new ErrorResponseException("not_authorised", "permissions for [" + representation.getResource() + "] can be updated only by the owner or by the resource server", Response.Status.FORBIDDEN); throw new ErrorResponseException("not_authorised", "permissions for [" + representation.getResource() + "] can be updated only by the owner or by the resource server", Response.Status.FORBIDDEN);
@ -153,7 +153,7 @@ public class PermissionTicketService {
return Response.noContent().build(); return Response.noContent().build();
} }
@Path("{id}") @Path("{id}")
@DELETE @DELETE
@Consumes("application/json") @Consumes("application/json")
@ -168,7 +168,7 @@ public class PermissionTicketService {
if (ticket == null) { if (ticket == null) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST); throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
} }
if (!ticket.getOwner().equals(this.identity.getId()) && !this.identity.isResourceServer() && !ticket.getRequester().equals(this.identity.getId())) if (!ticket.getOwner().equals(this.identity.getId()) && !this.identity.isResourceServer() && !ticket.getRequester().equals(this.identity.getId()))
throw new ErrorResponseException("not_authorised", "permissions for [" + ticket.getResource() + "] can be deleted only by the owner, the requester, or the resource server", Response.Status.FORBIDDEN); throw new ErrorResponseException("not_authorised", "permissions for [" + ticket.getResource() + "] can be deleted only by the owner, the requester, or the resource server", Response.Status.FORBIDDEN);