Merge pull request #4451 from glavoie/KEYCLOAK-4858-ResourceServer
KEYCLOAK-4858: Slow query performance for client with large data volume
90db6654d3
44 changed files with 181 additions and 195 deletions
|
@ -108,7 +108,7 @@ public class ClientPolicyProviderFactory implements PolicyProviderFactory<Client
|
|||
PolicyStore policyStore = storeFactory.getPolicyStore();
|
||||
ClientModel removedClient = ((ClientRemovedEvent) event).getClient();
|
||||
ResourceServerStore resourceServerStore = storeFactory.getResourceServerStore();
|
||||
ResourceServer resourceServer = resourceServerStore.findByClient(removedClient.getId());
|
||||
ResourceServer resourceServer = resourceServerStore.findById(removedClient.getId());
|
||||
|
||||
if (resourceServer != null) {
|
||||
policyStore.findByType(getId(), resourceServer.getId()).forEach(policy -> {
|
||||
|
|
|
@ -222,7 +222,7 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
|
|||
}
|
||||
|
||||
private void updateResourceServer(ClientModel clientModel, RoleModel removedRole, ResourceServerStore resourceServerStore, PolicyStore policyStore) {
|
||||
ResourceServer resourceServer = resourceServerStore.findByClient(clientModel.getId());
|
||||
ResourceServer resourceServer = resourceServerStore.findById(clientModel.getId());
|
||||
|
||||
if (resourceServer != null) {
|
||||
policyStore.findByType(getId(), resourceServer.getId()).forEach(policy -> {
|
||||
|
|
|
@ -181,7 +181,7 @@ public class UserPolicyProviderFactory implements PolicyProviderFactory<UserPoli
|
|||
RealmModel realm = ((UserRemovedEvent) event).getRealm();
|
||||
ResourceServerStore resourceServerStore = storeFactory.getResourceServerStore();
|
||||
realm.getClients().forEach(clientModel -> {
|
||||
ResourceServer resourceServer = resourceServerStore.findByClient(clientModel.getId());
|
||||
ResourceServer resourceServer = resourceServerStore.findById(clientModel.getId());
|
||||
|
||||
if (resourceServer != null) {
|
||||
policyStore.findByType(getId(), resourceServer.getId()).forEach(policy -> {
|
||||
|
|
|
@ -38,7 +38,7 @@ public class ResourceServerAdapter implements ResourceServer, CachedModel<Resour
|
|||
@Override
|
||||
public ResourceServer getDelegateForUpdate() {
|
||||
if (updated == null) {
|
||||
cacheSession.registerResourceServerInvalidation(cached.getId(), cached.getClientId());
|
||||
cacheSession.registerResourceServerInvalidation(cached.getId());
|
||||
updated = cacheSession.getResourceServerStoreDelegate().findById(cached.getId());
|
||||
if (updated == null) throw new IllegalStateException("Not found in database");
|
||||
}
|
||||
|
@ -78,12 +78,6 @@ public class ResourceServerAdapter implements ResourceServer, CachedModel<Resour
|
|||
return cached.getId();
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getClientId() {
|
||||
if (isUpdated()) return updated.getClientId();
|
||||
return cached.getClientId();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isAllowRemoteResourceManagement() {
|
||||
if (isUpdated()) return updated.isAllowRemoteResourceManagement();
|
||||
|
|
|
@ -53,13 +53,13 @@ public class StoreFactoryCacheManager extends CacheManager {
|
|||
}
|
||||
}
|
||||
|
||||
public void resourceServerUpdated(String id, String clientId, Set<String> invalidations) {
|
||||
public void resourceServerUpdated(String id, Set<String> invalidations) {
|
||||
invalidations.add(id);
|
||||
invalidations.add(StoreFactoryCacheSession.getResourceServerByClientCacheKey(clientId));
|
||||
invalidations.add(StoreFactoryCacheSession.getResourceServerByClientCacheKey(id));
|
||||
}
|
||||
|
||||
public void resourceServerRemoval(String id, String name, Set<String> invalidations) {
|
||||
resourceServerUpdated(id, name, invalidations);
|
||||
public void resourceServerRemoval(String id, Set<String> invalidations) {
|
||||
resourceServerUpdated(id, invalidations);
|
||||
|
||||
addInvalidations(InResourceServerPredicate.create().resourceServer(id), invalidations);
|
||||
}
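Review bot: `resourceServerUpdated` still adds `StoreFactoryCacheSession.getResourceServerByClientCacheKey(id)` to the invalidation set, yet this commit removes the only visible producer of that key, the cached `findByClient` query in StoreFactoryCacheSession, so the second `invalidations.add(...)` now evicts a key nothing writes. Since the resource server id is the client id after this change, `invalidations.add(id)` already covers the entry the by-client key stood for; if the key helper has no remaining caller outside this diff, drop the line and the helper together, otherwise add a comment stating why a by-client key is still invalidated when the by-client lookup no longer exists. `resourceServerRemoval` inherits the same dead invalidation through its call to `resourceServerUpdated`.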
|
||||
|
|
|
@ -229,12 +229,12 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
|
|||
return invalidations.contains(id);
|
||||
}
|
||||
|
||||
public void registerResourceServerInvalidation(String id, String clientId) {
|
||||
cache.resourceServerUpdated(id, clientId, invalidations);
|
||||
public void registerResourceServerInvalidation(String id) {
|
||||
cache.resourceServerUpdated(id, invalidations);
|
||||
ResourceServerAdapter adapter = managedResourceServers.get(id);
|
||||
if (adapter != null) adapter.invalidateFlag();
|
||||
|
||||
invalidationEvents.add(ResourceServerUpdatedEvent.create(id, clientId));
|
||||
invalidationEvents.add(ResourceServerUpdatedEvent.create(id));
|
||||
}
|
||||
|
||||
public void registerScopeInvalidation(String id, String name, String serverId) {
|
||||
|
@ -350,7 +350,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
|
|||
@Override
|
||||
public ResourceServer create(String clientId) {
|
||||
ResourceServer server = getResourceServerStoreDelegate().create(clientId);
|
||||
registerResourceServerInvalidation(server.getId(), server.getClientId());
|
||||
registerResourceServerInvalidation(server.getId());
|
||||
return server;
|
||||
}
|
||||
|
||||
|
@ -361,8 +361,8 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
|
|||
if (server == null) return;
|
||||
|
||||
cache.invalidateObject(id);
|
||||
invalidationEvents.add(ResourceServerRemovedEvent.create(id, server.getClientId()));
|
||||
cache.resourceServerRemoval(id, server.getClientId(), invalidations);
|
||||
invalidationEvents.add(ResourceServerRemovedEvent.create(id, server.getId()));
|
||||
cache.resourceServerRemoval(id, invalidations);
|
||||
getResourceServerStoreDelegate().delete(id);
|
||||
|
||||
}
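Review bot: In `delete`, `ResourceServerRemovedEvent.create(id, server.getId())` passes the same value twice; the event's `addInvalidations` in this commit uses only `id`, so the second argument is dead and reads as if a distinct client id were still in play. For consistency with the new `ResourceServerUpdatedEvent.create(id)`, give the removed event a one-argument factory and call `invalidationEvents.add(ResourceServerRemovedEvent.create(id));`, assuming no other caller of the two-argument form survives outside this diff. The lookup that produces `server` is above the hunk.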
|
||||
|
@ -392,33 +392,6 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
|
|||
managedResourceServers.put(id, adapter);
|
||||
return adapter;
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public ResourceServer findByClient(String clientId) {
|
||||
String cacheKey = getResourceServerByClientCacheKey(clientId);
|
||||
ResourceServerListQuery query = cache.get(cacheKey, ResourceServerListQuery.class);
|
||||
if (query != null) {
|
||||
logger.tracev("ResourceServer by clientId cache hit: {0}", clientId);
|
||||
}
|
||||
if (query == null) {
|
||||
Long loaded = cache.getCurrentRevision(cacheKey);
|
||||
ResourceServer model = getResourceServerStoreDelegate().findByClient(clientId);
|
||||
if (model == null) return null;
|
||||
if (invalidations.contains(model.getId())) return model;
|
||||
query = new ResourceServerListQuery(loaded, cacheKey, model.getId());
|
||||
cache.addRevisioned(query, startupRevision);
|
||||
return model;
|
||||
} else if (invalidations.contains(cacheKey)) {
|
||||
return getResourceServerStoreDelegate().findByClient(clientId);
|
||||
} else {
|
||||
String serverId = query.getResourceServers().iterator().next();
|
||||
if (invalidations.contains(serverId)) {
|
||||
return getResourceServerStoreDelegate().findByClient(clientId);
|
||||
}
|
||||
return findById(serverId);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
protected class ScopeCache implements ScopeStore {
|
||||
|
|
|
@ -22,29 +22,20 @@ import org.keycloak.authorization.model.ResourceServer;
|
|||
import org.keycloak.models.cache.infinispan.entities.AbstractRevisioned;
|
||||
import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;
|
||||
|
||||
import java.io.Serializable;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
*/
|
||||
public class CachedResourceServer extends AbstractRevisioned {
|
||||
|
||||
private String clientId;
|
||||
private boolean allowRemoteResourceManagement;
|
||||
private PolicyEnforcementMode policyEnforcementMode;
|
||||
|
||||
public CachedResourceServer(Long revision, ResourceServer resourceServer) {
|
||||
super(revision, resourceServer.getId());
|
||||
this.clientId = resourceServer.getClientId();
|
||||
this.allowRemoteResourceManagement = resourceServer.isAllowRemoteResourceManagement();
|
||||
this.policyEnforcementMode = resourceServer.getPolicyEnforcementMode();
|
||||
}
|
||||
|
||||
|
||||
public String getClientId() {
|
||||
return this.clientId;
|
||||
}
|
||||
|
||||
public boolean isAllowRemoteResourceManagement() {
|
||||
return this.allowRemoteResourceManagement;
|
||||
}
|
||||
|
|
|
@ -49,6 +49,6 @@ public class ResourceServerRemovedEvent extends InvalidationEvent implements Aut
|
|||
|
||||
@Override
|
||||
public void addInvalidations(StoreFactoryCacheManager cache, Set<String> invalidations) {
|
||||
cache.resourceServerRemoval(id, clientId, invalidations);
|
||||
cache.resourceServerRemoval(id, invalidations);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -28,12 +28,10 @@ import java.util.Set;
|
|||
public class ResourceServerUpdatedEvent extends InvalidationEvent implements AuthorizationCacheInvalidationEvent {
|
||||
|
||||
private String id;
|
||||
private String clientId;
|
||||
|
||||
public static ResourceServerUpdatedEvent create(String id, String clientId) {
|
||||
public static ResourceServerUpdatedEvent create(String id) {
|
||||
ResourceServerUpdatedEvent event = new ResourceServerUpdatedEvent();
|
||||
event.id = id;
|
||||
event.clientId = clientId;
|
||||
return event;
|
||||
}
|
||||
|
||||
|
@ -44,11 +42,11 @@ public class ResourceServerUpdatedEvent extends InvalidationEvent implements Aut
|
|||
|
||||
@Override
|
||||
public String toString() {
|
||||
return String.format("ResourceServerRemovedEvent [ id=%s, clientId=%s ]", id, clientId);
|
||||
return String.format("ResourceServerRemovedEvent [ id=%s, clientId=%s ]", id, id);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void addInvalidations(StoreFactoryCacheManager cache, Set<String> invalidations) {
|
||||
cache.resourceServerUpdated(id, clientId, invalidations);
|
||||
cache.resourceServerUpdated(id, invalidations);
|
||||
}
|
||||
}
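Review bot: `toString` in ResourceServerUpdatedEvent labels itself `ResourceServerRemovedEvent` and, after this change, prints `id` twice under the names `id` and `clientId`, which will mislead anyone reading cluster invalidation logs. Replace it with `return String.format("ResourceServerUpdatedEvent [ id=%s ]", id);`. The sibling removed event's `toString` is outside this diff and may carry the same stale `clientId` field.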
|
||||
|
|
|
@ -18,41 +18,24 @@
|
|||
|
||||
package org.keycloak.authorization.jpa.entities;
|
||||
|
||||
import org.keycloak.authorization.model.ResourceServer;
|
||||
import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;
|
||||
|
||||
import javax.persistence.Access;
|
||||
import javax.persistence.AccessType;
|
||||
import javax.persistence.Column;
|
||||
import javax.persistence.Entity;
|
||||
import javax.persistence.Id;
|
||||
import javax.persistence.NamedQueries;
|
||||
import javax.persistence.NamedQuery;
|
||||
import javax.persistence.OneToMany;
|
||||
import javax.persistence.Table;
|
||||
import javax.persistence.UniqueConstraint;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
*/
|
||||
@Entity
|
||||
@Table(name = "RESOURCE_SERVER", uniqueConstraints = {@UniqueConstraint(columnNames = "CLIENT_ID")})
|
||||
@NamedQueries(
|
||||
{
|
||||
@NamedQuery(name="findResourceServerIdByClient", query="select r.id from ResourceServerEntity r where r.clientId = :clientId"),
|
||||
}
|
||||
)
|
||||
@Table(name = "RESOURCE_SERVER")
|
||||
public class ResourceServerEntity {
|
||||
|
||||
@Id
|
||||
@Column(name="ID", length = 36)
|
||||
@Access(AccessType.PROPERTY) // we do this because relationships often fetch id, but not entity. This avoids an extra SQL
|
||||
private String id;
|
||||
|
||||
@Column(name = "CLIENT_ID")
|
||||
private String clientId;
|
||||
|
||||
@Column(name = "ALLOW_RS_REMOTE_MGMT")
|
||||
private boolean allowRemoteResourceManagement;
|
||||
|
||||
|
@ -67,14 +50,6 @@ public class ResourceServerEntity {
|
|||
this.id = id;
|
||||
}
|
||||
|
||||
public String getClientId() {
|
||||
return this.clientId;
|
||||
}
|
||||
|
||||
public void setClientId(String clientId) {
|
||||
this.clientId = clientId;
|
||||
}
|
||||
|
||||
public boolean isAllowRemoteResourceManagement() {
|
||||
return this.allowRemoteResourceManagement;
|
||||
}
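Review bot: The `ID` column now doubles as the owning client's internal id, but nothing on the entity says so; a reader of `@Column(name="ID", length = 36)` will assume a generated UUID as before, and the `@UniqueConstraint` on `CLIENT_ID` that used to document the one-server-per-client rule is gone. Add a comment on the field, `// PK is the owning client's internal id (see jpa-changelog-authz-3.4.0.CR1.xml); it is assigned, never generated, and is what enforces one resource server per client.` The class body continues past the second hunk.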
|
||||
|
|
|
@ -22,16 +22,11 @@ import org.keycloak.authorization.jpa.entities.PolicyEntity;
|
|||
import org.keycloak.authorization.jpa.entities.ResourceEntity;
|
||||
import org.keycloak.authorization.jpa.entities.ResourceServerEntity;
|
||||
import org.keycloak.authorization.jpa.entities.ScopeEntity;
|
||||
import org.keycloak.authorization.model.Policy;
|
||||
import org.keycloak.authorization.model.Resource;
|
||||
import org.keycloak.authorization.model.ResourceServer;
|
||||
import org.keycloak.authorization.model.Scope;
|
||||
import org.keycloak.authorization.store.ResourceServerStore;
|
||||
import org.keycloak.models.utils.KeycloakModelUtils;
|
||||
|
||||
import javax.persistence.EntityManager;
|
||||
import javax.persistence.NoResultException;
|
||||
import javax.persistence.Query;
|
||||
import javax.persistence.TypedQuery;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
|
@ -53,8 +48,7 @@ public class JPAResourceServerStore implements ResourceServerStore {
|
|||
public ResourceServer create(String clientId) {
|
||||
ResourceServerEntity entity = new ResourceServerEntity();
|
||||
|
||||
entity.setId(KeycloakModelUtils.generateId());
|
||||
entity.setClientId(clientId);
|
||||
entity.setId(clientId);
|
||||
|
||||
this.entityManager.persist(entity);
|
||||
|
||||
|
@ -116,17 +110,4 @@ public class JPAResourceServerStore implements ResourceServerStore {
|
|||
if (entity == null) return null;
|
||||
return new ResourceServerAdapter(entity, entityManager, provider.getStoreFactory());
|
||||
}
|
||||
|
||||
@Override
|
||||
public ResourceServer findByClient(final String clientId) {
|
||||
TypedQuery<String> query = entityManager.createNamedQuery("findResourceServerIdByClient", String.class);
|
||||
|
||||
query.setParameter("clientId", clientId);
|
||||
try {
|
||||
String id = query.getSingleResult();
|
||||
return provider.getStoreFactory().getResourceServerStore().findById(id);
|
||||
} catch (NoResultException ex) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
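Review bot: `create` now persists the caller-supplied `clientId` as the primary key with no guard on it; the `findResourceServerIdByClient` query that used to front this path is deleted in the same section, so a null presumably reaches `persist` as an entity without an id, and a repeated `create` for the same client surfaces only as a constraint violation at flush rather than a clear error. Add `Objects.requireNonNull(clientId, "clientId");` at the top of the method and a comment that callers must check `findById(clientId)` first, as `RepresentationToModel.toModel` does in this commit. The remainder of `create` after `persist` is outside the hunk.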
|
||||
|
|
|
@ -16,7 +16,6 @@
|
|||
*/
|
||||
package org.keycloak.authorization.jpa.store;
|
||||
|
||||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import org.keycloak.authorization.jpa.entities.PolicyEntity;
|
||||
import org.keycloak.authorization.jpa.entities.ResourceEntity;
|
||||
import org.keycloak.authorization.jpa.entities.ScopeEntity;
|
||||
|
|
|
@ -16,7 +16,6 @@
|
|||
*/
|
||||
package org.keycloak.authorization.jpa.store;
|
||||
|
||||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import org.keycloak.authorization.jpa.entities.ResourceEntity;
|
||||
import org.keycloak.authorization.jpa.entities.ScopeEntity;
|
||||
import org.keycloak.authorization.model.Resource;
|
||||
|
|
|
@ -16,11 +16,7 @@
|
|||
*/
|
||||
package org.keycloak.authorization.jpa.store;
|
||||
|
||||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import org.keycloak.authorization.jpa.entities.ResourceEntity;
|
||||
import org.keycloak.authorization.jpa.entities.ResourceServerEntity;
|
||||
import org.keycloak.authorization.model.Policy;
|
||||
import org.keycloak.authorization.model.Resource;
|
||||
import org.keycloak.authorization.model.ResourceServer;
|
||||
import org.keycloak.authorization.store.StoreFactory;
|
||||
import org.keycloak.models.jpa.JpaModel;
|
||||
|
@ -53,11 +49,6 @@ public class ResourceServerAdapter implements ResourceServer, JpaModel<ResourceS
|
|||
return entity.getId();
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getClientId() {
|
||||
return entity.getClientId();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isAllowRemoteResourceManagement() {
|
||||
return entity.isAllowRemoteResourceManagement();
|
||||
|
|
|
@ -16,12 +16,10 @@
|
|||
*/
|
||||
package org.keycloak.authorization.jpa.store;
|
||||
|
||||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import org.keycloak.authorization.jpa.entities.ScopeEntity;
|
||||
import org.keycloak.authorization.model.ResourceServer;
|
||||
import org.keycloak.authorization.model.Scope;
|
||||
import org.keycloak.authorization.store.StoreFactory;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.jpa.JpaModel;
|
||||
|
||||
import javax.persistence.EntityManager;
|
||||
|
|
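--- a/model/jpa/src/main/resources/META-INF/jpa-changelog-authz-3.4.0.CR1.xml
+++ b/model/jpa/src/main/resources/META-INF/jpa-changelog-authz-3.4.0.CR1.xml
@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!--
+~ * Copyright 2017 Red Hat, Inc. and/or its affiliates
+~ * and other contributors as indicated by the @author tags.
+~ *
+~ * Licensed under the Apache License, Version 2.0 (the "License");
+~ * you may not use this file except in compliance with the License.
+~ * You may obtain a copy of the License at
+~ *
+~ * http://www.apache.org/licenses/LICENSE-2.0
+~ *
+~ * Unless required by applicable law or agreed to in writing, software
+~ * distributed under the License is distributed on an "AS IS" BASIS,
+~ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+~ * See the License for the specific language governing permissions and
+~ * limitations under the License.
+-->
+
+<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.2.xsd">
+<changeSet author="glavoie@gmail.com" id="authz-3.4.0.CR1-resource-server-pk-change-part1">
+<!-- Data migration to change the PK of RESOURCE_SERVER to use the CLIENT_ID. -->
+<addColumn tableName="RESOURCE_SERVER_POLICY">
+<column name="RESOURCE_SERVER_CLIENT_ID" type="VARCHAR(36)"/>
+</addColumn>
+<addColumn tableName="RESOURCE_SERVER_RESOURCE">
+<column name="RESOURCE_SERVER_CLIENT_ID" type="VARCHAR(36)"/>
+</addColumn>
+<addColumn tableName="RESOURCE_SERVER_SCOPE">
+<column name="RESOURCE_SERVER_CLIENT_ID" type="VARCHAR(36)"/>
+</addColumn>
+</changeSet>
+
+<changeSet author="glavoie@gmail.com" id="authz-3.4.0.CR1-resource-server-pk-change-part2">
+<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
+<not>
+<dbms type="mssql" />
+</not>
+</preConditions>
+<sql>
+UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID);
+UPDATE RESOURCE_SERVER_RESOURCE p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID);
+UPDATE RESOURCE_SERVER_SCOPE p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID);
+</sql>
+</changeSet>
+<changeSet author="glavoie@gmail.com" id="authz-3.4.0.CR1-resource-server-pk-change-part2-mssql">
+<preConditions onSqlOutput="TEST" onFail="MARK_RAN">
+<dbms type="mssql" />
+</preConditions>
+<sql>
+UPDATE RESOURCE_SERVER_POLICY SET RESOURCE_SERVER_CLIENT_ID = s.CLIENT_ID FROM (SELECT ID, CLIENT_ID FROM RESOURCE_SERVER) s WHERE s.ID = RESOURCE_SERVER_POLICY.RESOURCE_SERVER_ID;
+UPDATE RESOURCE_SERVER_RESOURCE SET RESOURCE_SERVER_CLIENT_ID = s.CLIENT_ID FROM (SELECT ID, CLIENT_ID FROM RESOURCE_SERVER) s WHERE s.ID = RESOURCE_SERVER_RESOURCE.RESOURCE_SERVER_ID;
+UPDATE RESOURCE_SERVER_SCOPE SET RESOURCE_SERVER_CLIENT_ID = s.CLIENT_ID FROM (SELECT ID, CLIENT_ID FROM RESOURCE_SERVER) s WHERE s.ID = RESOURCE_SERVER_SCOPE.RESOURCE_SERVER_ID;
+</sql>
+</changeSet>
+
+<changeSet author="glavoie@gmail.com" id="authz-3.4.0.CR1-resource-server-pk-change-part3">
+<addNotNullConstraint tableName="RESOURCE_SERVER_POLICY" columnName="RESOURCE_SERVER_CLIENT_ID" columnDataType="VARCHAR(36)"/>
+<addNotNullConstraint tableName="RESOURCE_SERVER_RESOURCE" columnName="RESOURCE_SERVER_CLIENT_ID" columnDataType="VARCHAR(36)"/>
+<addNotNullConstraint tableName="RESOURCE_SERVER_SCOPE" columnName="RESOURCE_SERVER_CLIENT_ID" columnDataType="VARCHAR(36)"/>
+
+<dropUniqueConstraint tableName="RESOURCE_SERVER_POLICY" constraintName="UK_FRSRPT700S9V50BU18WS5HA6"/>
+<dropUniqueConstraint tableName="RESOURCE_SERVER_RESOURCE" constraintName="UK_FRSR6T700S9V50BU18WS5HA6"/>
+<dropUniqueConstraint tableName="RESOURCE_SERVER_SCOPE" constraintName="UK_FRSRST700S9V50BU18WS5HA6"/>
+
+<dropForeignKeyConstraint baseTableName="RESOURCE_SERVER_POLICY" constraintName="FK_FRSRPO213XCX4WNKOG82SSRFY"/>
+<dropIndex tableName="RESOURCE_SERVER_POLICY" indexName="IDX_RES_SERV_POL_RES_SERV"/>
+<dropColumn tableName="RESOURCE_SERVER_POLICY" columnName="RESOURCE_SERVER_ID"/>
+
+<dropForeignKeyConstraint baseTableName="RESOURCE_SERVER_RESOURCE" constraintName="FK_FRSRHO213XCX4WNKOG82SSRFY"/>
+<dropIndex tableName="RESOURCE_SERVER_RESOURCE" indexName="IDX_RES_SRV_RES_RES_SRV"/>
+<dropColumn tableName="RESOURCE_SERVER_RESOURCE" columnName="RESOURCE_SERVER_ID"/>
+
+<dropForeignKeyConstraint baseTableName="RESOURCE_SERVER_SCOPE" constraintName="FK_FRSRSO213XCX4WNKOG82SSRFY"/>
+<dropIndex tableName="RESOURCE_SERVER_SCOPE" indexName="IDX_RES_SRV_SCOPE_RES_SRV"/>
+<dropColumn tableName="RESOURCE_SERVER_SCOPE" columnName="RESOURCE_SERVER_ID"/>
+
+<dropPrimaryKey tableName="RESOURCE_SERVER" constraintName="CONSTRAINT_FARS"/>
+<dropUniqueConstraint tableName="RESOURCE_SERVER" constraintName="UK_AU8TT6T700S9V50BU18WS5HA6"/>
+
+<dropColumn tableName="RESOURCE_SERVER" columnName="ID"/>
+
+<renameColumn tableName="RESOURCE_SERVER" oldColumnName="CLIENT_ID" newColumnName="ID" columnDataType="VARCHAR(36)"/>
+<renameColumn tableName="RESOURCE_SERVER_POLICY" oldColumnName="RESOURCE_SERVER_CLIENT_ID" newColumnName="RESOURCE_SERVER_ID" columnDataType="VARCHAR(36)"/>
+<renameColumn tableName="RESOURCE_SERVER_RESOURCE" oldColumnName="RESOURCE_SERVER_CLIENT_ID" newColumnName="RESOURCE_SERVER_ID" columnDataType="VARCHAR(36)"/>
+<renameColumn tableName="RESOURCE_SERVER_SCOPE" oldColumnName="RESOURCE_SERVER_CLIENT_ID" newColumnName="RESOURCE_SERVER_ID" columnDataType="VARCHAR(36)"/>
+
+<addUniqueConstraint tableName="RESOURCE_SERVER_POLICY" constraintName="UK_FRSRPT700S9V50BU18WS5HA6"
+columnNames="NAME, RESOURCE_SERVER_ID"/>
+<addUniqueConstraint tableName="RESOURCE_SERVER_RESOURCE" constraintName="UK_FRSR6T700S9V50BU18WS5HA6"
+columnNames="NAME, OWNER, RESOURCE_SERVER_ID"/>
+<addUniqueConstraint tableName="RESOURCE_SERVER_SCOPE" constraintName="UK_FRSRST700S9V50BU18WS5HA6"
+columnNames="NAME, RESOURCE_SERVER_ID"/>
+
+<createIndex indexName="IDX_RES_SERV_POL_RES_SERV" tableName="RESOURCE_SERVER_POLICY">
+<column name="RESOURCE_SERVER_ID" type="VARCHAR(36)"/>
+</createIndex>
+<createIndex indexName="IDX_RES_SRV_RES_RES_SRV" tableName="RESOURCE_SERVER_RESOURCE">
+<column name="RESOURCE_SERVER_ID" type="VARCHAR(36)"/>
+</createIndex>
+<createIndex indexName="IDX_RES_SRV_SCOPE_RES_SRV" tableName="RESOURCE_SERVER_SCOPE">
+<column name="RESOURCE_SERVER_ID" type="VARCHAR(36)"/>
+</createIndex>
+
+<addPrimaryKey tableName="RESOURCE_SERVER" constraintName="PK_RESOURCE_SERVER" columnNames="ID"/>
+<addForeignKeyConstraint constraintName="FK_FRSRPO213XCX4WNKOG82SSRFY"
+baseTableName="RESOURCE_SERVER_POLICY" baseColumnNames="RESOURCE_SERVER_ID"
+referencedTableName="RESOURCE_SERVER" referencedColumnNames="ID"/>
+<addForeignKeyConstraint constraintName="FK_FRSRHO213XCX4WNKOG82SSRFY"
+baseTableName="RESOURCE_SERVER_RESOURCE" baseColumnNames="RESOURCE_SERVER_ID"
+referencedTableName="RESOURCE_SERVER" referencedColumnNames="ID"/>
+<addForeignKeyConstraint constraintName="FK_FRSRSO213XCX4WNKOG82SSRFY"
+baseTableName="RESOURCE_SERVER_SCOPE" baseColumnNames="RESOURCE_SERVER_ID"
+referencedTableName="RESOURCE_SERVER" referencedColumnNames="ID"/>
+</changeSet>
+</databaseChangeLog>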
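Review bot: changeSet `authz-3.4.0.CR1-resource-server-pk-change-part3` bundles about twenty DDL statements, including the destructive `dropColumn` of `RESOURCE_SERVER.ID`, into one changeSet; on databases without transactional DDL a failure part-way, for example because `CONSTRAINT_FARS` or `UK_AU8TT6T700S9V50BU18WS5HA6` is named differently on an existing installation, leaves the schema half-migrated with the changeSet unmarked, so every subsequent start fails again. Split part3 into smaller changeSets (drop child constraints, rewrite RESOURCE_SERVER, recreate constraints and indexes) so a retry can resume, or at least guard the named drops with `preConditions` that the constraint exists. Separately, the part2 `UPDATE ... = (SELECT CLIENT_ID ...)` leaves `RESOURCE_SERVER_CLIENT_ID` NULL for any child row whose resource server is missing or has no `CLIENT_ID`, and the first `addNotNullConstraint` in part3 then aborts; the old foreign keys presumably make such rows impossible, but a `DELETE ... WHERE RESOURCE_SERVER_CLIENT_ID IS NULL` or an explicit precondition before part3 would make that assumption visible.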
@ -49,4 +49,5 @@
|
|||
<include file="META-INF/jpa-changelog-3.0.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-3.2.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-3.3.0.xml"/>
|
||||
<include file="META-INF/jpa-changelog-authz-3.4.0.CR1.xml"/>
|
||||
</databaseChangeLog>
|
||||
|
|
|
@ -35,14 +35,6 @@ public interface ResourceServer {
|
|||
*/
|
||||
String getId();
|
||||
|
||||
/**
|
||||
* Returns the identifier of the client application (which already exists in Keycloak) that is also acting as a resource
|
||||
* server.
|
||||
*
|
||||
* @return the identifier of the client application associated with this instance.
|
||||
*/
|
||||
String getClientId();
|
||||
|
||||
/**
|
||||
* Indicates if the resource server is allowed to manage its own resources remotely using the Protection API.
|
||||
*
|
||||
|
|
|
@ -165,7 +165,7 @@ public class DefaultPolicyEvaluator implements PolicyEvaluator {
|
|||
List<Resource> resourcesByType = resourceStore.findByType(type, resource.getResourceServer().getId());
|
||||
|
||||
for (Resource resourceType : resourcesByType) {
|
||||
if (resourceType.getOwner().equals(resource.getResourceServer().getClientId())) {
|
||||
if (resourceType.getOwner().equals(resource.getResourceServer().getId())) {
|
||||
resources.add(resourceType);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -51,13 +51,4 @@ public interface ResourceServerStore {
|
|||
* @return the resource server instance with the given identifier or null if no instance was found
|
||||
*/
|
||||
ResourceServer findById(String id);
|
||||
|
||||
/**
|
||||
* Returns a {@link ResourceServer} instance based on the identifier of a client application.
|
||||
*
|
||||
* @param id the identifier of an existing client application
|
||||
*
|
||||
* @return the resource server instance, with the given client id or null if no instance was found
|
||||
*/
|
||||
ResourceServer findByClient(String id);
|
||||
}
|
||||
|
|
|
@ -37,7 +37,7 @@ public class ClientApplicationSynchronizer implements Synchronizer<ClientRemoved
|
|||
AuthorizationProvider authorizationProvider = providerFactory.create(event.getKeycloakSession());
|
||||
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
|
||||
ResourceServerStore store = storeFactory.getResourceServerStore();
|
||||
ResourceServer resourceServer = store.findByClient(event.getClient().getId());
|
||||
ResourceServer resourceServer = store.findById(event.getClient().getId());
|
||||
|
||||
if (resourceServer != null) {
|
||||
String id = resourceServer.getId();
|
||||
|
|
|
@ -36,7 +36,7 @@ public class RealmSynchronizer implements Synchronizer<RealmRemovedEvent> {
|
|||
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
|
||||
|
||||
event.getRealm().getClients().forEach(clientModel -> {
|
||||
ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(clientModel.getId());
|
||||
ResourceServer resourceServer = storeFactory.getResourceServerStore().findById(clientModel.getId());
|
||||
|
||||
if (resourceServer != null) {
|
||||
String id = resourceServer.getId();
|
||||
|
|
|
@ -17,8 +17,6 @@
|
|||
|
||||
package org.keycloak.authorization.store.syncronization;
|
||||
|
||||
import java.util.function.Consumer;
|
||||
|
||||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import org.keycloak.authorization.model.ResourceServer;
|
||||
import org.keycloak.authorization.store.PolicyStore;
|
||||
|
@ -48,7 +46,7 @@ public class UserSynchronizer implements Synchronizer<UserRemovedEvent> {
|
|||
RealmModel realm = event.getRealm();
|
||||
|
||||
realm.getClients().forEach(clientModel -> {
|
||||
ResourceServer resourceServer = resourceServerStore.findByClient(clientModel.getId());
|
||||
ResourceServer resourceServer = resourceServerStore.findById(clientModel.getId());
|
||||
|
||||
if (resourceServer != null) {
|
||||
resourceStore.findByOwner(userModel.getId(), resourceServer.getId()).forEach(resource -> {
|
||||
|
|
|
@ -67,7 +67,7 @@ public class MigrateTo2_1_0 implements Migration {
|
|||
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
|
||||
PolicyStore policyStore = storeFactory.getPolicyStore();
|
||||
realm.getClients().forEach(clientModel -> {
|
||||
ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(clientModel.getId());
|
||||
ResourceServer resourceServer = storeFactory.getResourceServerStore().findById(clientModel.getId());
|
||||
|
||||
if (resourceServer != null) {
|
||||
policyStore.findByType("role", resourceServer.getId()).forEach(policy -> {
|
||||
|
|
|
@ -35,7 +35,6 @@ import org.keycloak.authorization.model.ResourceServer;
|
|||
import org.keycloak.authorization.model.Scope;
|
||||
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
|
||||
import org.keycloak.authorization.store.ResourceStore;
|
||||
import org.keycloak.common.Profile;
|
||||
import org.keycloak.common.util.MultivaluedHashMap;
|
||||
import org.keycloak.common.util.Time;
|
||||
import org.keycloak.component.ComponentModel;
|
||||
|
@ -43,10 +42,10 @@ import org.keycloak.credential.CredentialModel;
|
|||
import org.keycloak.events.Event;
|
||||
import org.keycloak.events.admin.AdminEvent;
|
||||
import org.keycloak.events.admin.AuthDetails;
|
||||
import org.keycloak.models.AuthenticatedClientSessionModel;
|
||||
import org.keycloak.models.AuthenticationExecutionModel;
|
||||
import org.keycloak.models.AuthenticationFlowModel;
|
||||
import org.keycloak.models.AuthenticatorConfigModel;
|
||||
import org.keycloak.models.AuthenticatedClientSessionModel;
|
||||
import org.keycloak.models.ClientModel;
|
||||
import org.keycloak.models.ClientTemplateModel;
|
||||
import org.keycloak.models.FederatedIdentityModel;
|
||||
|
@ -789,7 +788,7 @@ public class ModelToRepresentation {
|
|||
ResourceServerRepresentation server = new ResourceServerRepresentation();
|
||||
|
||||
server.setId(model.getId());
|
||||
server.setClientId(model.getClientId());
|
||||
server.setClientId(model.getId());
|
||||
server.setName(client.getClientId());
|
||||
server.setAllowRemoteResourceManagement(model.isAllowRemoteResourceManagement());
|
||||
server.setPolicyEnforcementMode(model.getPolicyEnforcementMode());
|
||||
|
@ -852,8 +851,8 @@ public class ModelToRepresentation {
|
|||
KeycloakSession keycloakSession = authorization.getKeycloakSession();
|
||||
RealmModel realm = authorization.getRealm();
|
||||
|
||||
if (owner.getId().equals(resourceServer.getClientId())) {
|
||||
ClientModel clientModel = realm.getClientById(resourceServer.getClientId());
|
||||
if (owner.getId().equals(resourceServer.getId())) {
|
||||
ClientModel clientModel = realm.getClientById(resourceServer.getId());
|
||||
owner.setName(clientModel.getClientId());
|
||||
} else {
|
||||
UserModel userModel = keycloakSession.users().getUserById(owner.getId(), realm);
|
||||
|
@ -882,7 +881,7 @@ public class ModelToRepresentation {
|
|||
if (resource.getType() != null) {
|
||||
ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
|
||||
for (Resource typed : resourceStore.findByType(resource.getType(), resourceServer.getId())) {
|
||||
if (typed.getOwner().equals(resourceServer.getClientId()) && !typed.getId().equals(resource.getId())) {
|
||||
if (typed.getOwner().equals(resourceServer.getId()) && !typed.getId().equals(resource.getId())) {
|
||||
resource.setTypedScopes(typed.getScopes().stream().map(model1 -> {
|
||||
ScopeRepresentation scope = new ScopeRepresentation();
|
||||
scope.setId(model1.getId());
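Review bot: In the owner-resolution hunk of this section, `realm.getClientById(resourceServer.getId())` is dereferenced on the next line with no null check; if the client has been removed while the RESOURCE_SERVER row lingers (the synchronizers in this commit clean up on ClientRemovedEvent, but a missed event or a partial migration leaves a stale row) this throws a NullPointerException out of the admin REST layer. Fall back to the raw id, `owner.setName(clientModel != null ? clientModel.getClientId() : owner.getId());`. The enclosing method starts above the hunk.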
|
||||
|
|
|
@ -1922,7 +1922,7 @@ public class RepresentationToModel {
|
|||
public static void toModel(ResourceServerRepresentation rep, AuthorizationProvider authorization) {
|
||||
ResourceServerStore resourceServerStore = authorization.getStoreFactory().getResourceServerStore();
|
||||
ResourceServer resourceServer;
|
||||
ResourceServer existing = resourceServerStore.findByClient(rep.getClientId());
|
||||
ResourceServer existing = resourceServerStore.findById(rep.getClientId());
|
||||
|
||||
if (existing == null) {
|
||||
resourceServer = resourceServerStore.create(rep.getClientId());
|
||||
|
@ -1947,7 +1947,7 @@ public class RepresentationToModel {
|
|||
|
||||
if (owner == null) {
|
||||
owner = new ResourceOwnerRepresentation();
|
||||
owner.setId(resourceServer.getClientId());
|
||||
owner.setId(resourceServer.getId());
|
||||
resource.setOwner(owner);
|
||||
} else if (owner.getName() != null) {
|
||||
UserModel user = session.users().getUserByUsername(owner.getName(), realm);
|
||||
|
@ -2270,7 +2270,7 @@ public class RepresentationToModel {
|
|||
|
||||
if (owner == null) {
|
||||
owner = new ResourceOwnerRepresentation();
|
||||
owner.setId(resourceServer.getClientId());
|
||||
owner.setId(resourceServer.getId());
|
||||
}
|
||||
|
||||
String ownerId = owner.getId();
|
||||
|
@ -2279,7 +2279,7 @@ public class RepresentationToModel {
|
|||
throw new RuntimeException("No owner specified for resource [" + resource.getName() + "].");
|
||||
}
|
||||
|
||||
if (!resourceServer.getClientId().equals(ownerId)) {
|
||||
if (!resourceServer.getId().equals(ownerId)) {
|
||||
RealmModel realm = authorization.getRealm();
|
||||
KeycloakSession keycloakSession = authorization.getKeycloakSession();
|
||||
UserProvider users = keycloakSession.users();
|
||||
|
|
|
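Review bot: `ResourceServer existing = resourceServerStore.findById(rep.getClientId());` reads like an id/clientId mix-up now that the lookup key is the representation's client id, and the same holds for `resourceServer = resourceServerStore.create(rep.getClientId());` a few lines below. A one-line comment would keep the next maintainer from "fixing" it: `// the resource server's id is the owning client's id, so the rep's clientId is the lookup key`. The later hunks of this file rely on the same convention (`owner.setId(resourceServer.getId())` and the `resourceServer.getId().equals(ownerId)` check) without stating it. toModel's body continues beyond the hunk.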
@ -18,15 +18,15 @@
|
|||
|
||||
package org.keycloak.authorization.admin;
|
||||
|
||||
import javax.ws.rs.Path;
|
||||
|
||||
import org.jboss.resteasy.spi.ResteasyProviderFactory;
|
||||
import org.keycloak.authorization.AuthorizationProvider;
|
||||
import org.keycloak.authorization.model.ResourceServer;
|
||||
import org.keycloak.models.ClientModel;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
|
||||
import org.keycloak.services.resources.admin.AdminEventBuilder;
|
||||
|
||||
import javax.ws.rs.Path;
|
||||
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
|
||||
|
@ -43,7 +43,7 @@ public class AuthorizationService {
|
|||
this.client = client;
|
||||
this.authorization = session.getProvider(AuthorizationProvider.class);
|
||||
this.adminEvent = adminEvent;
|
||||
this.resourceServer = this.authorization.getStoreFactory().getResourceServerStore().findByClient(this.client.getId());
|
||||
this.resourceServer = this.authorization.getStoreFactory().getResourceServerStore().findById(this.client.getId());
|
||||
this.auth = auth;
|
||||
}
|
||||
|
||||
|
|
|
@ -229,7 +229,7 @@ public class PolicyEvaluationService {
|
|||
String clientId = representation.getClientId();
|
||||
|
||||
if (clientId == null) {
|
||||
clientId = resourceServer.getClientId();
|
||||
clientId = resourceServer.getId();
|
||||
}
|
||||
|
||||
if (clientId != null) {
|
||||
|
|
|
@ -30,17 +30,15 @@ import org.keycloak.events.admin.OperationType;
|
|||
import org.keycloak.events.admin.ResourceType;
|
||||
import org.keycloak.models.ClientModel;
|
||||
import org.keycloak.models.Constants;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.UserModel;
|
||||
import org.keycloak.models.UserProvider;
|
||||
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
|
||||
import org.keycloak.services.ErrorResponse;
|
||||
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
|
||||
import org.keycloak.services.resources.admin.AdminEventBuilder;
|
||||
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
|
||||
|
||||
import javax.ws.rs.Consumes;
|
||||
import javax.ws.rs.DELETE;
|
||||
|
@ -103,7 +101,7 @@ public class ResourceSetService {
|
|||
|
||||
if (owner == null) {
|
||||
owner = new ResourceOwnerRepresentation();
|
||||
owner.setId(resourceServer.getClientId());
|
||||
owner.setId(resourceServer.getId());
|
||||
}
|
||||
|
||||
String ownerId = owner.getId();
|
||||
|
@ -217,7 +215,7 @@ public class ResourceSetService {
|
|||
if (model.getType() != null) {
|
||||
ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
|
||||
for (Resource typed : resourceStore.findByType(model.getType(), resourceServer.getId())) {
|
||||
if (typed.getOwner().equals(resourceServer.getClientId()) && !typed.getId().equals(model.getId())) {
|
||||
if (typed.getOwner().equals(resourceServer.getId()) && !typed.getId().equals(model.getId())) {
|
||||
scopes.addAll(typed.getScopes().stream().map(model1 -> {
|
||||
ScopeRepresentation scope = new ScopeRepresentation();
|
||||
scope.setId(model1.getId());
|
||||
|
|
|
@ -119,7 +119,7 @@ public class EntitlementService {
|
|||
}
|
||||
|
||||
StoreFactory storeFactory = authorization.getStoreFactory();
|
||||
ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(client.getId());
|
||||
ResourceServer resourceServer = storeFactory.getResourceServerStore().findById(client.getId());
|
||||
|
||||
if (resourceServer == null) {
|
||||
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client does not support permissions", Status.FORBIDDEN);
|
||||
|
@ -152,7 +152,7 @@ public class EntitlementService {
|
|||
}
|
||||
|
||||
StoreFactory storeFactory = authorization.getStoreFactory();
|
||||
ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(client.getId());
|
||||
ResourceServer resourceServer = storeFactory.getResourceServerStore().findById(client.getId());
|
||||
|
||||
if (resourceServer == null) {
|
||||
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client does not support permissions", Status.FORBIDDEN);
|
||||
|
|
|
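Review bot: The two hunks of this file now contain the identical three-line sequence — `getResourceServerStore().findById(client.getId())`, the null check, and the `Client does not support permissions` ErrorResponseException — which the commit touched twice without factoring out. A private helper such as `private ResourceServer requireResourceServer(ClientModel client)` that performs the lookup and throws on null would keep the two entitlement paths from drifting apart on future changes to the lookup key. Both enclosing methods start and end outside the hunks.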
@ -100,7 +100,7 @@ public class ProtectionService {
|
|||
ResourceServer resourceServer = getResourceServer(identity);
|
||||
KeycloakSession keycloakSession = authorization.getKeycloakSession();
|
||||
RealmModel realm = keycloakSession.getContext().getRealm();
|
||||
ClientModel client = realm.getClientById(resourceServer.getClientId());
|
||||
ClientModel client = realm.getClientById(resourceServer.getId());
|
||||
|
||||
if (!identity.hasClientRole(client.getClientId(), "uma_protection")) {
|
||||
throw new ErrorResponseException(OAuthErrorException.INVALID_SCOPE, "Requires uma_protection scope.", Status.FORBIDDEN);
|
||||
|
@ -117,7 +117,7 @@ public class ProtectionService {
|
|||
throw new ErrorResponseException("invalid_clientId", "Client application with id [" + identity.getId() + "] does not exist in realm [" + realm.getName() + "]", Status.BAD_REQUEST);
|
||||
}
|
||||
|
||||
ResourceServer resourceServer = this.authorization.getStoreFactory().getResourceServerStore().findByClient(identity.getId());
|
||||
ResourceServer resourceServer = this.authorization.getStoreFactory().getResourceServerStore().findById(identity.getId());
|
||||
|
||||
if (resourceServer == null) {
|
||||
throw new ErrorResponseException("invalid_clientId", "Client application [" + clientApplication.getClientId() + "] is not registered as resource server.", Status.FORBIDDEN);
|
||||
|
|
|
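Review bot: `ClientModel client = realm.getClientById(resourceServer.getId());` is dereferenced two lines later by `client.getClientId()` in the `uma_protection` role check without a null guard, so a resource server whose client no longer resolves in this realm would surface as a NullPointerException rather than a clear error. Whether `getResourceServer(identity)` already guarantees the client exists is not visible here; if it does not, a guard mirroring the second hunk's handling, `if (client == null) throw new ErrorResponseException("invalid_clientId", "Client application does not exist in realm", Status.BAD_REQUEST);`, would make the failure mode deliberate. The enclosing method starts and ends outside the hunk.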
@ -114,7 +114,7 @@ public class AbstractPermissionService {
|
|||
}
|
||||
|
||||
for (Resource baseResource : authorization.getStoreFactory().getResourceStore().findByType(resource.getType(), resourceServer.getId())) {
|
||||
if (baseResource.getOwner().equals(resource.getResourceServer().getClientId())) {
|
||||
if (baseResource.getOwner().equals(resource.getResourceServer().getId())) {
|
||||
for (Scope baseScope : baseResource.getScopes()) {
|
||||
if (baseScope.getName().equals(scopeName)) {
|
||||
return new ScopeRepresentation(scopeName);
|
||||
|
|
|
@ -20,8 +20,6 @@ package org.keycloak.authorization.util;
|
|||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.LinkedHashMap;
|
||||
import java.util.LinkedList;
|
||||
|
@ -70,7 +68,7 @@ public final class Permissions {
|
|||
StoreFactory storeFactory = authorization.getStoreFactory();
|
||||
ResourceStore resourceStore = storeFactory.getResourceStore();
|
||||
|
||||
resourceStore.findByOwner(resourceServer.getClientId(), resourceServer.getId()).stream().forEach(resource -> permissions.addAll(createResourcePermissionsWithScopes(resource, new LinkedList(resource.getScopes()), authorization)));
|
||||
resourceStore.findByOwner(resourceServer.getId(), resourceServer.getId()).stream().forEach(resource -> permissions.addAll(createResourcePermissionsWithScopes(resource, new LinkedList(resource.getScopes()), authorization)));
|
||||
resourceStore.findByOwner(identity.getId(), resourceServer.getId()).stream().forEach(resource -> permissions.addAll(createResourcePermissionsWithScopes(resource, new LinkedList(resource.getScopes()), authorization)));
|
||||
|
||||
return permissions;
|
||||
|
@ -86,11 +84,11 @@ public final class Permissions {
|
|||
scopes = new LinkedList<>(resource.getScopes());
|
||||
// check if there is a typed resource whose scopes are inherited by the resource being requested. In this case, we assume that parent resource
|
||||
// is owned by the resource server itself
|
||||
if (type != null && !resource.getOwner().equals(resourceServer.getClientId())) {
|
||||
if (type != null && !resource.getOwner().equals(resourceServer.getId())) {
|
||||
StoreFactory storeFactory = authorization.getStoreFactory();
|
||||
ResourceStore resourceStore = storeFactory.getResourceStore();
|
||||
resourceStore.findByType(type, resourceServer.getId()).forEach(resource1 -> {
|
||||
if (resource1.getOwner().equals(resourceServer.getClientId())) {
|
||||
if (resource1.getOwner().equals(resourceServer.getId())) {
|
||||
for (Scope typeScope : resource1.getScopes()) {
|
||||
if (!scopes.contains(typeScope)) {
|
||||
scopes.add(typeScope);
|
||||
|
@ -123,11 +121,11 @@ public final class Permissions {
|
|||
|
||||
// check if there is a typed resource whose scopes are inherited by the resource being requested. In this case, we assume that parent resource
|
||||
// is owned by the resource server itself
|
||||
if (type != null && !resource.getOwner().equals(resourceServer.getClientId())) {
|
||||
if (type != null && !resource.getOwner().equals(resourceServer.getId())) {
|
||||
StoreFactory storeFactory = authorization.getStoreFactory();
|
||||
ResourceStore resourceStore = storeFactory.getResourceStore();
|
||||
resourceStore.findByType(type, resourceServer.getId()).forEach(resource1 -> {
|
||||
if (resource1.getOwner().equals(resourceServer.getClientId())) {
|
||||
if (resource1.getOwner().equals(resourceServer.getId())) {
|
||||
for (Scope typeScope : resource1.getScopes()) {
|
||||
if (!scopes.contains(typeScope)) {
|
||||
scopes.add(typeScope);
|
||||
|
|
|
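Review bot: `resourceStore.findByOwner(resourceServer.getId(), resourceServer.getId())` now passes the same value as both the owner and the resource-server argument, which a reader will take for a copy-paste error. Since the lookup is intentional (the server's own resources are owned by the client whose id is also the server id), a comment on that line would help: `// owner == resource server id: the server's own resources are owned by its client`. The two later hunks of this file use the same id-as-owner convention in `resource.getOwner().equals(resourceServer.getId())`, where it is at least explained by the existing comment above each check. The enclosing methods start and end outside the hunks.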
@ -55,7 +55,6 @@ import org.keycloak.models.RoleContainerModel;
|
|||
import org.keycloak.models.RoleModel;
|
||||
import org.keycloak.models.UserConsentModel;
|
||||
import org.keycloak.models.UserModel;
|
||||
import org.keycloak.models.UserProvider;
|
||||
import org.keycloak.models.utils.ModelToRepresentation;
|
||||
import org.keycloak.representations.idm.ClientRepresentation;
|
||||
import org.keycloak.representations.idm.ClientTemplateRepresentation;
|
||||
|
@ -73,6 +72,7 @@ import org.keycloak.representations.idm.authorization.ResourceRepresentation;
|
|||
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
|
||||
import org.keycloak.util.JsonSerialization;
|
||||
|
||||
import com.fasterxml.jackson.core.JsonEncoding;
|
||||
import com.fasterxml.jackson.core.JsonFactory;
|
||||
import com.fasterxml.jackson.core.JsonGenerator;
|
||||
|
@ -298,7 +298,7 @@ public class ExportUtils {
|
|||
AuthorizationProviderFactory providerFactory = (AuthorizationProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(AuthorizationProvider.class);
|
||||
AuthorizationProvider authorization = providerFactory.create(session, client.getRealm());
|
||||
StoreFactory storeFactory = authorization.getStoreFactory();
|
||||
ResourceServer settingsModel = authorization.getStoreFactory().getResourceServerStore().findByClient(client.getId());
|
||||
ResourceServer settingsModel = authorization.getStoreFactory().getResourceServerStore().findById(client.getId());
|
||||
|
||||
if (settingsModel == null) {
|
||||
return null;
|
||||
|
@ -314,7 +314,7 @@ public class ExportUtils {
|
|||
.stream().map(resource -> {
|
||||
ResourceRepresentation rep = toRepresentation(resource, settingsModel, authorization);
|
||||
|
||||
if (rep.getOwner().getId().equals(settingsModel.getClientId())) {
|
||||
if (rep.getOwner().getId().equals(settingsModel.getId())) {
|
||||
rep.setOwner(null);
|
||||
} else {
|
||||
rep.getOwner().setId(null);
|
||||
|
|
|
@ -112,7 +112,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM
|
|||
String resourceName = getResourceName(client);
|
||||
Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId());
|
||||
if (resource == null) {
|
||||
resource = authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getClientId());
|
||||
resource = authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getId());
|
||||
resource.setType("Client");
|
||||
Set<Scope> scopeset = new HashSet<>();
|
||||
scopeset.add(configureScope);
|
||||
|
|
|
@ -26,7 +26,6 @@ import org.keycloak.models.AdminRoles;
|
|||
import org.keycloak.models.GroupModel;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.utils.ModelToRepresentation;
|
||||
import org.keycloak.services.ForbiddenException;
|
||||
|
||||
import java.util.HashMap;
|
||||
|
@ -95,7 +94,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
|
|||
String groupResourceName = getGroupResourceName(group);
|
||||
Resource groupResource = authz.getStoreFactory().getResourceStore().findByName(groupResourceName, server.getId());
|
||||
if (groupResource == null) {
|
||||
groupResource = authz.getStoreFactory().getResourceStore().create(groupResourceName, server, server.getClientId());
|
||||
groupResource = authz.getStoreFactory().getResourceStore().create(groupResourceName, server, server.getId());
|
||||
Set<Scope> scopeset = new HashSet<>();
|
||||
scopeset.add(manageScope);
|
||||
scopeset.add(viewScope);
|
||||
|
|
|
@ -32,7 +32,6 @@ import org.keycloak.models.RealmModel;
|
|||
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.LinkedHashMap;
|
||||
import java.util.Map;
|
||||
|
@ -76,7 +75,7 @@ class IdentityProviderPermissions implements IdentityProviderPermissionManageme
|
|||
String resourceName = getResourceName(idp);
|
||||
Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId());
|
||||
if (resource == null) {
|
||||
resource = authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getClientId());
|
||||
resource = authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getId());
|
||||
resource.setType("IdentityProvider");
|
||||
Set<Scope> scopeset = new HashSet<>();
|
||||
scopeset.add(exchangeToScope);
|
||||
|
|
|
@ -40,7 +40,6 @@ import org.keycloak.models.Constants;
|
|||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.KeycloakSessionFactory;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.RoleModel;
|
||||
import org.keycloak.models.UserModel;
|
||||
import org.keycloak.services.ForbiddenException;
|
||||
import org.keycloak.services.managers.RealmManager;
|
||||
|
@ -252,7 +251,7 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
|
|||
ResourceServerStore resourceServerStore = authz.getStoreFactory().getResourceServerStore();
|
||||
ClientModel client = getRealmManagementClient();
|
||||
if (client == null) return null;
|
||||
realmResourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
|
||||
realmResourceServer = authz.getStoreFactory().getResourceServerStore().findById(client.getId());
|
||||
return realmResourceServer;
|
||||
|
||||
}
|
||||
|
@ -260,7 +259,7 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
|
|||
public ResourceServer initializeRealmResourceServer() {
|
||||
if (realmResourceServer != null) return realmResourceServer;
|
||||
ClientModel client = getRealmManagementClient();
|
||||
realmResourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
|
||||
realmResourceServer = authz.getStoreFactory().getResourceServerStore().findById(client.getId());
|
||||
if (realmResourceServer == null) {
|
||||
realmResourceServer = authz.getStoreFactory().getResourceServerStore().create(client.getId());
|
||||
}
|
||||
|
|
|
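Review bot: `initializeRealmResourceServer()` calls `findById(client.getId())` straight after `getRealmManagementClient()`, while the preceding hunk guards the same call with `if (client == null) return null;`. If `getRealmManagementClient()` can return null, as the first hunk implies, the second method throws a NullPointerException before it reaches `create(client.getId())`; a matching guard, or `Objects.requireNonNull(client, "realm-management client");` with a clear message, would make the failure mode intentional. The method body continues past the hunk.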
@ -34,7 +34,6 @@ import org.keycloak.models.RoleModel;
|
|||
import org.keycloak.representations.idm.authorization.DecisionStrategy;
|
||||
import org.keycloak.services.ForbiddenException;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.LinkedHashMap;
|
||||
import java.util.Map;
|
||||
|
@ -541,7 +540,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
|
|||
String roleResourceName = getRoleResourceName(role);
|
||||
Resource resource = authz.getStoreFactory().getResourceStore().findByName(roleResourceName, server.getId());
|
||||
if (resource == null) {
|
||||
resource = authz.getStoreFactory().getResourceStore().create(roleResourceName, server, server.getClientId());
|
||||
resource = authz.getStoreFactory().getResourceStore().create(roleResourceName, server, server.getId());
|
||||
Set<Scope> scopeset = new HashSet<>();
|
||||
scopeset.add(mapClientScope);
|
||||
scopeset.add(mapCompositeScope);
|
||||
|
|
|
@ -84,7 +84,7 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
|
|||
|
||||
Resource usersResource = authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
|
||||
if (usersResource == null) {
|
||||
usersResource = authz.getStoreFactory().getResourceStore().create(USERS_RESOURCE, server, server.getClientId());
|
||||
usersResource = authz.getStoreFactory().getResourceStore().create(USERS_RESOURCE, server, server.getId());
|
||||
Set<Scope> scopeset = new HashSet<>();
|
||||
scopeset.add(manageScope);
|
||||
scopeset.add(viewScope);
|
||||
|
|
|
@ -85,7 +85,7 @@ public class AuthzCleanupTest extends AbstractKeycloakTest {
|
|||
session.getContext().setRealm(realm);
|
||||
AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
|
||||
ClientModel myclient = realm.getClientByClientId("myclient");
|
||||
ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(myclient.getId());
|
||||
ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().findById(myclient.getId());
|
||||
createRolePolicy(authz, resourceServer, "client-role-1");
|
||||
createRolePolicy(authz, resourceServer, "client-role-2");
|
||||
}
|
||||
|
|
|
@ -1829,7 +1829,7 @@ public class PermissionsTest extends AbstractKeycloakTest {
|
|||
|
||||
for (Method m : rep.getClass().getDeclaredMethods()) {
|
||||
if (m.getParameters().length == 0 && m.getName().startsWith("get") && !ignoreList.contains(m.getName())) {
|
||||
try {
|
||||
try {
|
||||
Object o = m.invoke(rep);
|
||||
assertNull("Expected " + m.getName() + " to be null", o);
|
||||
} catch (Exception e) {
|
||||
|
|
|
@ -87,7 +87,7 @@ public class PolicyEvaluationCompositeRoleTest extends AbstractAuthzTest {
|
|||
Policy policy = createRolePolicy(authz, resourceServer, role1);
|
||||
|
||||
Scope scope = authz.getStoreFactory().getScopeStore().create("myscope", resourceServer);
|
||||
Resource resource = authz.getStoreFactory().getResourceStore().create("myresource", resourceServer, resourceServer.getClientId());
|
||||
Resource resource = authz.getStoreFactory().getResourceStore().create("myresource", resourceServer, resourceServer.getId());
|
||||
addScopePermission(authz, resourceServer, "mypermission", resource, scope, policy);
|
||||
|
||||
RoleModel composite = realm.addRole("composite");
|
||||
|
|
|
@ -61,7 +61,6 @@ public class ResourceManagementTest extends AbstractPhotozAdminTest {
|
|||
assertEquals("Resource Type", resourceModel.getType());
|
||||
assertEquals("Resource Icon URI", resourceModel.getIconUri());
|
||||
assertEquals("Resource URI", resourceModel.getUri());
|
||||
assertEquals(resourceServer.getClientId(), resourceModel.getOwner());
|
||||
assertEquals(resourceServer.getId(), resourceModel.getResourceServer().getId());
|
||||
});
|
||||
}
|
||||
|
|
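Review bot: The hunk header (`-61,7 +61,6`) shows one line removed, and `assertEquals(resourceServer.getClientId(), resourceModel.getOwner());` is the only candidate given that `getClientId()` is dropped from ResourceServer elsewhere in this commit, so the owner assertion appears to have been deleted rather than rewritten. Replacing it with `assertEquals(resourceServer.getId(), resourceModel.getOwner());` would keep coverage of the owner-equals-server-id convention that the production code now depends on. The enclosing test method starts outside the hunk.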