13647 Added null checks and some comments/questions for discussion. Will be squashed later if accepted.

This commit is contained in:
Sebastian Schuster 2022-08-12 09:42:29 +02:00 committed by Pedro Igor
parent 53472e097c
commit 916cfbbaf1
6 changed files with 26 additions and 17 deletions


@ -93,6 +93,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM
private void initialize(ClientModel client) { private void initialize(ClientModel client) {
ResourceServer server = root.findOrCreateResourceServer(client); ResourceServer server = root.findOrCreateResourceServer(client);
if (server==null) return;
Scope manageScope = manageScope(server); Scope manageScope = manageScope(server);
if (manageScope == null) { if (manageScope == null) {
manageScope = authz.getStoreFactory().getScopeStore().create(server, AdminPermissionManagement.MANAGE_SCOPE); manageScope = authz.getStoreFactory().getScopeStore().create(server, AdminPermissionManagement.MANAGE_SCOPE);
@ -291,6 +292,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM
@Override @Override
public Map<String, String> getPermissions(ClientModel client) { public Map<String, String> getPermissions(ClientModel client) {
if (authz == null) return null;
initialize(client); initialize(client);
Map<String, String> scopes = new LinkedHashMap<>(); Map<String, String> scopes = new LinkedHashMap<>();
scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(client).getId()); scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(client).getId());
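Review bot: The new `if (authz == null) return null;` at the top of getPermissions(ClientModel) makes a Map-returning method yield null, which pushes a null check onto every caller that iterates or copies the result; unless ClientPermissionManagement documents null for this case, `return Map.of();` (or `Collections.emptyMap()`) is the safer contract. The same guard is added to getPermissions in GroupPermissions, IdentityProviderPermissions, RolePermissions and UserPermissions, so whichever return value is chosen should be applied to all five. The remainder of getPermissions lies outside the hunk, so whether the later scopes.put calls already tolerate a missing permission is not visible here.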


@ -61,7 +61,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
GroupPermissions(AuthorizationProvider authz, MgmtPermissions root) { GroupPermissions(AuthorizationProvider authz, MgmtPermissions root) {
this.authz = authz; this.authz = authz;
this.root = root; this.root = root;
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) { if (authz!=null) {
resourceStore = authz.getStoreFactory().getResourceStore(); resourceStore = authz.getStoreFactory().getResourceStore();
policyStore = authz.getStoreFactory().getPolicyStore(); policyStore = authz.getStoreFactory().getPolicyStore();
} else { } else {
@ -96,9 +96,9 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
} }
private void initialize(GroupModel group) { private void initialize(GroupModel group) {
root.initializeRealmResourceServer(); ResourceServer server = root.initializeRealmResourceServer();
if (server == null) return;
root.initializeRealmDefaultScopes(); root.initializeRealmDefaultScopes();
ResourceServer server = root.realmResourceServer();
Scope manageScope = root.realmManageScope(); Scope manageScope = root.realmManageScope();
Scope viewScope = root.realmViewScope(); Scope viewScope = root.realmViewScope();
Scope manageMembersScope = root.initializeRealmScope(MANAGE_MEMBERS_SCOPE); Scope manageMembersScope = root.initializeRealmScope(MANAGE_MEMBERS_SCOPE);
@ -221,6 +221,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
@Override @Override
public Map<String, String> getPermissions(GroupModel group) { public Map<String, String> getPermissions(GroupModel group) {
if (authz == null) return null;
initialize(group); initialize(group);
Map<String, String> scopes = new LinkedHashMap<>(); Map<String, String> scopes = new LinkedHashMap<>();
scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(group).getId()); scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(group).getId());
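Review bot: The constructor now selects the store branch on `authz!=null` instead of `Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)`, so the feature gate is implied by whoever constructs GroupPermissions with a null provider, and that contract is stated nowhere in the hunk. A comment on the condition, e.g. `// authz is null when ADMIN_FINE_GRAINED_AUTHZ is disabled; the stores stay null in that case`, would pin it down — hedged, because the `else` branch and the caller are outside the hunk. If this was the file's only use of Profile, the import is now unused; the same replacement appears in the UserPermissions constructor and in MgmtPermissions.realmResourceServer/initializeRealmResourceServer, so the same check applies there.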


@ -70,6 +70,7 @@ class IdentityProviderPermissions implements IdentityProviderPermissionManageme
private void initialize(IdentityProviderModel idp) { private void initialize(IdentityProviderModel idp) {
ResourceServer server = root.initializeRealmResourceServer(); ResourceServer server = root.initializeRealmResourceServer();
if (server == null) return;
Scope exchangeToScope = root.initializeScope(TOKEN_EXCHANGE, server); Scope exchangeToScope = root.initializeScope(TOKEN_EXCHANGE, server);
String resourceName = getResourceName(idp); String resourceName = getResourceName(idp);
@ -139,6 +140,7 @@ class IdentityProviderPermissions implements IdentityProviderPermissionManageme
@Override @Override
public Map<String, String> getPermissions(IdentityProviderModel idp) { public Map<String, String> getPermissions(IdentityProviderModel idp) {
if (authz==null) return null;
initialize(idp); initialize(idp);
Map<String, String> scopes = new LinkedHashMap<>(); Map<String, String> scopes = new LinkedHashMap<>();
scopes.put(TOKEN_EXCHANGE, exchangeToPermission(idp).getId()); scopes.put(TOKEN_EXCHANGE, exchangeToPermission(idp).getId());
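Review bot: With the new `if (server == null) return;` in initialize(IdentityProviderModel), a non-null authz whose realm resource server cannot be obtained (MgmtPermissions.initializeRealmResourceServer now returns null when the realm-management client is missing) skips all setup, yet getPermissions(IdentityProviderModel) only checks `authz==null` and then dereferences `exchangeToPermission(idp).getId()`, which looks like an NPE path unless exchangeToPermission never returns null in that state. Either let initialize return a boolean and bail out on false, or widen the guard to `if (authz == null || root.initializeRealmResourceServer() == null) return null;`. The same initialize/getPermissions pairing exists in ClientPermissions, GroupPermissions, RolePermissions and UserPermissions. The rest of getPermissions is outside the hunk.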


@ -67,6 +67,7 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
protected RealmPermissions realmPermissions; protected RealmPermissions realmPermissions;
protected ClientPermissions clientPermissions; protected ClientPermissions clientPermissions;
protected IdentityProviderPermissions idpPermissions; protected IdentityProviderPermissions idpPermissions;
protected RolePermissions rolePermissions;
MgmtPermissions(KeycloakSession session, RealmModel realm) { MgmtPermissions(KeycloakSession session, RealmModel realm) {
@ -203,7 +204,9 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
@Override @Override
public RolePermissions roles() { public RolePermissions roles() {
return new RolePermissions(session, realm, authz, this); if (rolePermissions!=null) return rolePermissions;
rolePermissions = new RolePermissions(session, realm, authz, this);
return rolePermissions;
} }
@Override @Override
@ -251,20 +254,20 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
@Override @Override
public ResourceServer realmResourceServer() { public ResourceServer realmResourceServer() {
if (!Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) return null; if (authz == null) return null;
if (realmResourceServer != null) return realmResourceServer; if (realmResourceServer != null) return realmResourceServer;
ClientModel client = getRealmManagementClient(); ClientModel client = getRealmManagementClient();
if (client == null) return null; if (client == null) return null;
ResourceServerStore resourceServerStore = authz.getStoreFactory().getResourceServerStore(); realmResourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(client);
realmResourceServer = resourceServerStore.findByClient(client);
return realmResourceServer; return realmResourceServer;
} }
public ResourceServer initializeRealmResourceServer() { public ResourceServer initializeRealmResourceServer() {
if (!Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) return null; if (authz == null) return null;
if (realmResourceServer != null) return realmResourceServer; if (realmResourceServer != null) return realmResourceServer;
ClientModel client = getRealmManagementClient(); ClientModel client = getRealmManagementClient();
if (client == null) return null;
realmResourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(client); realmResourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(client);
if (realmResourceServer == null) { if (realmResourceServer == null) {
realmResourceServer = authz.getStoreFactory().getResourceServerStore().create(client); realmResourceServer = authz.getStoreFactory().getResourceServerStore().create(client);
@ -277,12 +280,14 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
public void initializeRealmDefaultScopes() { public void initializeRealmDefaultScopes() {
ResourceServer server = initializeRealmResourceServer(); ResourceServer server = initializeRealmResourceServer();
if (server == null) return;
manageScope = initializeRealmScope(MgmtPermissions.MANAGE_SCOPE); manageScope = initializeRealmScope(MgmtPermissions.MANAGE_SCOPE);
viewScope = initializeRealmScope(MgmtPermissions.VIEW_SCOPE); viewScope = initializeRealmScope(MgmtPermissions.VIEW_SCOPE);
} }
public Scope initializeRealmScope(String name) { public Scope initializeRealmScope(String name) {
ResourceServer server = initializeRealmResourceServer(); ResourceServer server = initializeRealmResourceServer();
if (server == null) return null;
Scope scope = authz.getStoreFactory().getScopeStore().findByName(server, name); Scope scope = authz.getStoreFactory().getScopeStore().findByName(server, name);
if (scope == null) { if (scope == null) {
scope = authz.getStoreFactory().getScopeStore().create(server, name); scope = authz.getStoreFactory().getScopeStore().create(server, name);
@ -291,6 +296,7 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
} }
public Scope initializeScope(String name, ResourceServer server) { public Scope initializeScope(String name, ResourceServer server) {
if (authz == null) return null;
Scope scope = authz.getStoreFactory().getScopeStore().findByName(server, name); Scope scope = authz.getStoreFactory().getScopeStore().findByName(server, name);
if (scope == null) { if (scope == null) {
scope = authz.getStoreFactory().getScopeStore().create(server, name); scope = authz.getStoreFactory().getScopeStore().create(server, name);
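Review bot: initializeScope(String, ResourceServer) gains `if (authz == null) return null;` but still passes `server` straight into `findByName(server, name)`, whereas its sibling initializeRealmScope in the hunk above now guards `if (server == null) return null;`; a caller holding a null server (for example from a failed findOrCreateResourceServer) would fault inside the store. `if (authz == null || server == null) return null;` keeps the two methods consistent. Separately, realmResourceServer and initializeRealmResourceServer swap the ADMIN_FINE_GRAINED_AUTHZ feature check for `authz == null`; the constructor hunk ends before showing where authz is assigned, so whether a null provider is guaranteed whenever the feature is off cannot be verified here and deserves a comment on the field or constructor.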


@ -90,6 +90,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
@Override @Override
public Map<String, String> getPermissions(RoleModel role) { public Map<String, String> getPermissions(RoleModel role) {
if (authz == null) return null;
initialize(role); initialize(role);
Map<String, String> scopes = new LinkedHashMap<>(); Map<String, String> scopes = new LinkedHashMap<>();
scopes.put(RolePermissionManagement.MAP_ROLE_SCOPE, mapRolePermission(role).getId()); scopes.put(RolePermissionManagement.MAP_ROLE_SCOPE, mapRolePermission(role).getId());
@ -123,9 +124,9 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
@Override @Override
public Resource resource(RoleModel role) { public Resource resource(RoleModel role) {
ResourceStore resourceStore = authz.getStoreFactory().getResourceStore();
ResourceServer server = resourceServer(role); ResourceServer server = resourceServer(role);
if (server == null) return null; if (server == null) return null;
ResourceStore resourceStore = authz.getStoreFactory().getResourceStore();
return resourceStore.findByName(server, getRoleResourceName(role)); return resourceStore.findByName(server, getRoleResourceName(role));
} }
@ -546,6 +547,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
if (server == null) { if (server == null) {
ClientModel client = getRoleClient(role); ClientModel client = getRoleClient(role);
server = root.findOrCreateResourceServer(client); server = root.findOrCreateResourceServer(client);
if (server == null ) return;
} }
Scope mapRoleScope = mapRoleScope(server); Scope mapRoleScope = mapRoleScope(server);
if (mapRoleScope == null) { if (mapRoleScope == null) {
@ -602,11 +604,6 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
return MAP_ROLE_COMPOSITE_SCOPE + ".permission." + role.getId(); return MAP_ROLE_COMPOSITE_SCOPE + ".permission." + role.getId();
} }
private ResourceServer sdfgetResourceServer(RoleModel role) {
ClientModel client = getRoleClient(role);
return root.findOrCreateResourceServer(client);
}
private static String getRoleResourceName(RoleModel role) { private static String getRoleResourceName(RoleModel role) {
return "role.resource." + role.getId(); return "role.resource." + role.getId();
} }
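Review bot: `if (server == null ) return;` in the initialize hunk carries a stray space before the closing parenthesis, and the commit mixes the unspaced `authz==null`, `server==null` and `rolePermissions!=null` with the spaced `authz == null` used elsewhere in these files; settling on `if (server == null) return;` and the spaced form throughout would keep the diff from reading as the work of several authors. The enclosing initialize method begins before the hunk, so the surrounding style cannot be checked from here.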


@ -83,7 +83,7 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
this.session = session; this.session = session;
this.authz = authz; this.authz = authz;
this.root = root; this.root = root;
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) { if (authz != null) {
policyStore = authz.getStoreFactory().getPolicyStore(); policyStore = authz.getStoreFactory().getPolicyStore();
resourceStore = authz.getStoreFactory().getResourceStore(); resourceStore = authz.getStoreFactory().getResourceStore();
} else { } else {
@ -94,9 +94,9 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
private void initialize() { private void initialize() {
root.initializeRealmResourceServer(); ResourceServer server = root.initializeRealmResourceServer();
if (server == null) return;
root.initializeRealmDefaultScopes(); root.initializeRealmDefaultScopes();
ResourceServer server = root.realmResourceServer();
Scope manageScope = root.realmManageScope(); Scope manageScope = root.realmManageScope();
Scope viewScope = root.realmViewScope(); Scope viewScope = root.realmViewScope();
Scope mapRolesScope = root.initializeRealmScope(MAP_ROLES_SCOPE); Scope mapRolesScope = root.initializeRealmScope(MAP_ROLES_SCOPE);
@ -144,6 +144,7 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
@Override @Override
public Map<String, String> getPermissions() { public Map<String, String> getPermissions() {
if (authz == null) return null;
initialize(); initialize();
Map<String, String> scopes = new LinkedHashMap<>(); Map<String, String> scopes = new LinkedHashMap<>();
scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission().getId()); scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission().getId());
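Review bot: The new `if (server == null) return;` in initialize() silently abandons the whole scope and permission setup with no explanation of when that state is expected; a short comment would help the next reader, e.g. `// no realm resource server (authz absent or realm-management client missing): nothing to initialize`. The same guard appears in the initialize methods of GroupPermissions, IdentityProviderPermissions and ClientPermissions and could carry the same comment. The body of initialize() continues past the hunk.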