From 99c06d11023689875b48ef56442c90bdb744c869 Mon Sep 17 00:00:00 2001 
From: Michal Hajas Date: Tue, 22 Mar 2022 20:49:40 +0100 Subject: [PATCH] Authorization services refactoring Closes: #10447 * Prepare logical layer to distinguish between ResourceServer id and client.id * Reorder Authz methods: For entities outside of Authz we use RealmModel as first parameter for each method, to be consistent with this we move ResourceServer to the first place for each method in authz * Prepare Logical (Models/Adapters) layer for returning other models instead of ids * Replace resourceServerId with resourceServer model in PermissionTicketStore * Replace resourceServerId with resourceServer model in PolicyStore * Replace resourceServerId with resourceServer model in ScopeStore * Replace resourceServerId with resourceServer model in ResourceStore * Fix PermissionTicketStore bug * Fix NPEs in caching layer * Replace primitive int with Integer for pagination parameters --- .../client/ClientPolicyProviderFactory.java | 2 +- .../ClientScopePolicyProviderFactory.java | 2 +- .../permission/UMAPolicyProviderFactory.java | 11 +- .../role/RolePolicyProviderFactory.java | 2 +- .../PermissionTicketAdapter.java | 12 +- .../authorization/PolicyAdapter.java | 14 +- .../authorization/ResourceAdapter.java | 15 +- .../authorization/ScopeAdapter.java | 4 +- .../StoreFactoryCacheSession.java | 387 ++++++++++-------- .../entities/CachedResource.java | 2 +- .../jpa/store/JPAPermissionTicketStore.java | 78 ++-- .../jpa/store/JPAPolicyStore.java | 71 ++-- .../jpa/store/JPAResourceStore.java | 74 ++-- .../jpa/store/JPAScopeStore.java | 28 +- .../jpa/store/PermissionTicketAdapter.java | 8 +- .../jpa/store/PolicyAdapter.java | 6 +- .../jpa/store/ResourceAdapter.java | 7 +- .../MapPermissionTicketStore.java | 104 ++--- .../map/authorization/MapPolicyStore.java | 76 ++-- .../authorization/MapResourceServerStore.java | 32 +- .../map/authorization/MapResourceStore.java | 91 ++-- .../map/authorization/MapScopeStore.java | 34 +- .../adapter/MapPermissionTicketAdapter.java | 7 +- 
.../adapter/MapPolicyAdapter.java | 10 +- .../adapter/MapResourceAdapter.java | 12 +- .../models/map/user/MapUserProvider.java | 3 +- .../authorization/AuthorizationProvider.java | 183 ++++----- .../UserManagedPermissionUtil.java | 8 +- .../authorization/model/Resource.java | 2 +- .../authorization/model/ResourceServer.java | 16 + .../authorization/permission/Permissions.java | 11 +- .../DecisionPermissionCollector.java | 4 +- .../evaluation/DefaultPolicyEvaluator.java | 13 +- ...ionTicketAwareDecisionResultCollector.java | 18 +- .../store/PermissionTicketStore.java | 73 ++-- .../authorization/store/PolicyStore.java | 98 +++-- .../store/ResourceServerStore.java | 2 - .../authorization/store/ResourceStore.java | 85 ++-- .../authorization/store/ScopeStore.java | 32 +- .../ClientApplicationSynchronizer.java | 2 +- .../syncronization/GroupSynchronizer.java | 2 +- .../syncronization/UserSynchronizer.java | 10 +- .../migration/migrators/MigrateTo2_1_0.java | 2 +- .../models/utils/ModelToRepresentation.java | 15 +- .../models/utils/RepresentationToModel.java | 46 +-- .../admin/PolicyEvaluationService.java | 12 +- .../admin/PolicyResourceService.java | 3 +- .../authorization/admin/PolicyService.java | 18 +- .../admin/ResourceSetService.java | 56 +-- .../authorization/admin/ScopeService.java | 34 +- .../PolicyEvaluationResponseBuilder.java | 4 +- .../AuthorizationTokenService.java | 28 +- .../protection/ProtectionService.java | 4 +- .../permission/AbstractPermissionService.java | 12 +- .../permission/PermissionTicketService.java | 24 +- .../policy/UserManagedPermissionService.java | 4 +- .../exportimport/util/ExportUtils.java | 12 +- .../freemarker/model/AuthorizationBean.java | 28 +- .../resources/account/AccountFormService.java | 49 ++- .../resources/AbstractResourceService.java | 4 +- .../account/resources/ResourceService.java | 14 +- .../account/resources/ResourcesService.java | 10 +- .../admin/permissions/ClientPermissions.java | 88 ++-- 
.../admin/permissions/GroupPermissions.java | 34 +- .../resources/admin/permissions/Helper.java | 6 +- .../IdentityProviderPermissions.java | 22 +- .../admin/permissions/MgmtPermissions.java | 10 +- .../admin/permissions/RolePermissions.java | 34 +- .../admin/permissions/UserPermissions.java | 42 +- .../BrokerLinkAndTokenExchangeTest.java | 4 +- .../testsuite/admin/AuthzCleanupTest.java | 2 +- .../admin/FineGrainAdminUnitTest.java | 37 +- .../PolicyEvaluationCompositeRoleTest.java | 8 +- .../testsuite/authz/PolicyEvaluationTest.java | 42 +- .../authz/UmaRepresentationTest.java | 7 +- .../UserManagedPermissionServiceTest.java | 16 +- .../testsuite/broker/SocialLoginTest.java | 2 +- .../oauth/ClientTokenExchangeSAML2Test.java | 6 +- .../oauth/ClientTokenExchangeTest.java | 6 +- 79 files changed, 1257 insertions(+), 1139 deletions(-) diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java index c1fc5c08c3..b8fe006f4b 100644 --- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java +++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java @@ -112,7 +112,7 @@ public class ClientPolicyProviderFactory implements PolicyProviderFactory { + policyStore.findByType(resourceServer, getId()).forEach(policy -> { List clients = new ArrayList<>(); for (String clientId : getClients(policy)) { diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/clientscope/ClientScopePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/clientscope/ClientScopePolicyProviderFactory.java index a787603f0a..adf4232404 100644 
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/clientscope/ClientScopePolicyProviderFactory.java +++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/clientscope/ClientScopePolicyProviderFactory.java @@ -74,7 +74,7 @@ public class ClientScopePolicyProviderFactory implements PolicyProviderFactory() { + policyStore.findByResourceServer(null, filters, null, null).forEach(new Consumer() { @Override public void accept(Policy policy) { diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/permission/UMAPolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/permission/UMAPolicyProviderFactory.java index 51107ae8a2..760fc1bd99 100644 --- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/permission/UMAPolicyProviderFactory.java +++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/permission/UMAPolicyProviderFactory.java @@ -28,7 +28,6 @@ import org.keycloak.authorization.policy.provider.PolicyProvider; import org.keycloak.authorization.policy.provider.PolicyProviderFactory; import org.keycloak.authorization.store.PolicyStore; import org.keycloak.models.ClientModel; -import org.keycloak.models.GroupModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSessionFactory; import org.keycloak.models.RealmModel; @@ -397,7 +396,7 @@ public class UMAPolicyProviderFactory implements PolicyProviderFactory { + policyStore.findByType(resourceServer, getId()).forEach(policy -> { List roles = new ArrayList<>(); for (Map role : getRoles(policy)) { diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/PermissionTicketAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/PermissionTicketAdapter.java index 079783de1f..cbdcf2c511 100644 
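Review bot: The new call `policyStore.findByResourceServer(null, filters, null, null)` passes a null ResourceServer and null pagination bounds without a comment saying that the lookup is deliberately cross-server and unpaginated; the intent is only recoverable by reading the store implementations. The caching layer in this same commit guards `resourceServer == null` explicitly, so null looks like a supported convention rather than an accident, but a reader of this factory cannot tell. I would add, on the line above the call, `// null resource server: match client-scope policies across all resource servers; null bounds: no paging`. The enclosing method starts before and ends after this hunk.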
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/PermissionTicketAdapter.java +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/PermissionTicketAdapter.java @@ -42,7 +42,8 @@ public class PermissionTicketAdapter implements PermissionTicket, CachedModel { protected boolean isUpdated() { if (updated != null) return true; if (!invalidated) return false; - updated = cacheSession.getPolicyStoreDelegate().findById(cached.getId(), cached.getResourceServerId()); + updated = cacheSession.getPolicyStoreDelegate().findById(cacheSession.getResourceServerStore().findById(cached.getResourceServerId()), cached.getId()); if (updated == null) throw new IllegalStateException("Not found in database"); return true; } @@ -208,7 +208,7 @@ public class PolicyAdapter implements Policy, CachedModel { PolicyStore policyStore = cacheSession.getPolicyStore(); String resourceServerId = cached.getResourceServerId(); for (String id : cached.getAssociatedPoliciesIds(modelSupplier)) { - Policy policy = policyStore.findById(id, resourceServerId); + Policy policy = policyStore.findById(cacheSession.getResourceServerStore().findById(resourceServerId), id); cacheSession.cachePolicy(policy); associatedPolicies.add(policy); } @@ -223,9 +223,9 @@ public class PolicyAdapter implements Policy, CachedModel { if (resources != null) return resources; resources = new HashSet<>(); ResourceStore resourceStore = cacheSession.getResourceStore(); + ResourceServer resourceServer = getResourceServer(); for (String resourceId : cached.getResourcesIds(modelSupplier)) { - String resourceServerId = cached.getResourceServerId(); - Resource resource = resourceStore.findById(resourceId, resourceServerId); + Resource resource = resourceStore.findById(resourceServer, resourceId); cacheSession.cacheResource(resource); resources.add(resource); } 
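Review bot: In the `@@ -208` hunk the resource server is re-resolved on every iteration: `policyStore.findById(cacheSession.getResourceServerStore().findById(resourceServerId), id)` sits inside `for (String id : cached.getAssociatedPoliciesIds(modelSupplier))`, so each associated policy costs an extra store lookup even though `resourceServerId` is fixed before the loop. The `@@ -223` hunk directly below already hoists it with `ResourceServer resourceServer = getResourceServer();`, and the same shape fits here: replace `String resourceServerId = cached.getResourceServerId();` with `ResourceServer resourceServer = cacheSession.getResourceServerStore().findById(cached.getResourceServerId());` and call `policyStore.findById(resourceServer, id)`. The nested lookup in the `@@ -42` `isUpdated()` hunk runs once per call, so it is fine as is. The enclosing method of `@@ -208` starts before this hunk.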
@@ -287,10 +287,10 @@ public class PolicyAdapter implements Policy, CachedModel {
 if (isUpdated()) return updated.getScopes();
 if (scopes != null) return scopes;
 scopes = new HashSet<>();
+ ResourceServer resourceServer = getResourceServer();
 ScopeStore scopeStore = cacheSession.getScopeStore();
- String resourceServerId = cached.getResourceServerId();
 for (String scopeId : cached.getScopesIds(modelSupplier)) {
- Scope scope = scopeStore.findById(scopeId, resourceServerId);
+ Scope scope = scopeStore.findById(resourceServer, scopeId);
 cacheSession.cacheScope(scope);
 scopes.add(scope);
 }
@@ -325,6 +325,6 @@ public class PolicyAdapter implements Policy, CachedModel {
 }
 
 private Policy getPolicyModel() {
- return cacheSession.getPolicyStoreDelegate().findById(cached.getId(), cached.getResourceServerId());
+ return cacheSession.getPolicyStoreDelegate().findById(cacheSession.getResourceServerStore().findById(cached.getResourceServerId()), cached.getId());
 }
 }
diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceAdapter.java
index 4f4a302077..b07e9534b0 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceAdapter.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceAdapter.java
@@ -81,7 +81,7 @@ public class ResourceAdapter implements Resource, CachedModel {
 protected boolean isUpdated() {
 if (updated != null) return true;
 if (!invalidated) return false;
- updated = cacheSession.getResourceStoreDelegate().findById(cached.getId(), cached.getResourceServerId());
+ updated = cacheSession.getResourceStoreDelegate().findById(getResourceServer(), cached.getId());
 if (updated == null) throw new IllegalStateException("Not found in database");
 return true;
 }
@@ -133,9 +133,8 @@ public class ResourceAdapter implements Resource, CachedModel { } @Override - public String getResourceServer() { - if (isUpdated()) return updated.getResourceServer(); - return cached.getResourceServerId(); + public ResourceServer getResourceServer() { + return cacheSession.getResourceServerStoreDelegate().findById(cached.getResourceServerId()); } @Override @@ -173,7 +172,7 @@ public class ResourceAdapter implements Resource, CachedModel { if (scopes != null) return scopes; scopes = new LinkedList<>(); for (String scopeId : cached.getScopesIds(modelSupplier)) { - scopes.add(cacheSession.getScopeStore().findById(scopeId, cached.getResourceServerId())); + scopes.add(cacheSession.getScopeStore().findById(getResourceServer(), scopeId)); } return scopes = Collections.unmodifiableList(scopes); } @@ -204,7 +203,7 @@ public class ResourceAdapter implements Resource, CachedModel { for (Scope scope : updated.getScopes()) { if (!scopes.contains(scope)) { PermissionTicketStore permissionStore = cacheSession.getPermissionTicketStore(); - List permissions = permissionStore.findByScope(scope.getId(), getResourceServer()); + List permissions = permissionStore.findByScope(getResourceServer(), scope); for (PermissionTicket permission : permissions) { permissionStore.delete(permission.getId()); @@ -216,7 +215,7 @@ public class ResourceAdapter implements Resource, CachedModel { for (Scope scope : updated.getScopes()) { if (!scopes.contains(scope)) { - policyStore.findByResource(getId(), getResourceServer(), policy -> policy.removeScope(scope)); + policyStore.findByResource(getResourceServer(), this, policy -> policy.removeScope(scope)); } } @@ -283,6 +282,6 @@ public class ResourceAdapter implements Resource, CachedModel { } private Resource getResourceModel() { - return cacheSession.getResourceStoreDelegate().findById(cached.getId(), cached.getResourceServerId()); + return cacheSession.getResourceStoreDelegate().findById(getResourceServer(), cached.getId()); } } 
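Review bot: `getResourceServer()` (hunk `@@ -133`) now resolves through `getResourceServerStoreDelegate()` on every call, bypassing the cache that the PolicyAdapter hunks in this same commit use (`cacheSession.getResourceServerStore()`), and it is invoked once per iteration in `getScopes()` (`@@ -173`) and in the scope-removal loops (`@@ -204`, `@@ -216`). If the delegate was chosen to avoid re-entering the cache, a comment on the getter saying so would help; otherwise `getResourceServerStore()` would be the consistent choice. Either way the loops should hoist it: in `getScopes()` add `ResourceServer resourceServer = getResourceServer();` before the `for` and use `findById(resourceServer, scopeId)`. The methods containing `@@ -204` and `@@ -216` start and end outside their hunks.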
diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ScopeAdapter.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ScopeAdapter.java
index f7195f4639..14433e8ce2 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ScopeAdapter.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ScopeAdapter.java
@@ -39,7 +39,7 @@ public class ScopeAdapter implements Scope, CachedModel {
 public Scope getDelegateForUpdate() {
 if (updated == null) {
 cacheSession.registerScopeInvalidation(cached.getId(), cached.getName(), cached.getResourceServerId());
- updated = cacheSession.getScopeStoreDelegate().findById(cached.getId(), cached.getResourceServerId());
+ updated = cacheSession.getScopeStoreDelegate().findById(getResourceServer(), cached.getId());
 if (updated == null) throw new IllegalStateException("Not found in database");
 }
 return updated;
@@ -66,7 +66,7 @@ public class ScopeAdapter implements Scope, CachedModel {
 protected boolean isUpdated() {
 if (updated != null) return true;
 if (!invalidated) return false;
- updated = cacheSession.getScopeStoreDelegate().findById(cached.getId(), cached.getResourceServerId());
+ updated = cacheSession.getScopeStoreDelegate().findById(getResourceServer(), cached.getId());
 if (updated == null) throw new IllegalStateException("Not found in database");
 return true;
 }
diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java
index 9c99832315..673f54b0b6 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java
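Review bot: `isUpdated()` (hunk `@@ -66`) and `getDelegateForUpdate()` (`@@ -39`) now call `getResourceServer()`, whose body is not in this patch. Before this commit ResourceAdapter's `getResourceServer()` was guarded by `isUpdated()`; if ScopeAdapter's getter has the same shape, an invalidated scope would recurse `isUpdated()` → `getResourceServer()` → `isUpdated()`, because `updated` is only assigned after the delegate call returns. Worth confirming that ScopeAdapter.getResourceServer() reads `cached.getResourceServerId()` directly, as the ResourceAdapter version in this commit does, and recording that constraint on the getter, e.g. `// must not call isUpdated(): isUpdated() itself depends on this lookup`.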
@@ -309,8 +309,9 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { return Collections.emptySet(); } + ResourceServer resourceServer = getResourceServerStore().findById(serverId); return resources.stream().map(resourceId -> { - Resource resource = getResourceStore().findById(resourceId, serverId); + Resource resource = getResourceStore().findById(resourceServer, resourceId); String type = resource.getType(); if (type != null) { @@ -496,13 +497,13 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { protected class ScopeCache implements ScopeStore { @Override - public Scope create(String name, ResourceServer resourceServer) { - return create(null, name, resourceServer); + public Scope create(ResourceServer resourceServer, String name) { + return create(resourceServer, null, name); } @Override - public Scope create(String id, String name, ResourceServer resourceServer) { - Scope scope = getScopeStoreDelegate().create(id, name, resourceServer); + public Scope create(ResourceServer resourceServer, String id, String name) { + Scope scope = getScopeStoreDelegate().create(resourceServer, id, name); registerScopeInvalidation(scope.getId(), scope.getName(), resourceServer.getId()); return scope; } @@ -510,7 +511,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { @Override public void delete(String id) { if (id == null) return; - Scope scope = findById(id, null); + Scope scope = findById(null, id); if (scope == null) return; cache.invalidateObject(id); @@ -520,7 +521,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { } @Override - public Scope findById(String id, String resourceServerId) { + public Scope findById(ResourceServer resourceServer, String id) { if (id == null) return null; CachedScope cached = cache.get(id, CachedScope.class); if (cached != null) { 
@@ -529,7 +530,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { if (cached == null) { Long loaded = cache.getCurrentRevision(id); if (! modelMightExist(id)) return null; - Scope model = getScopeStoreDelegate().findById(id, resourceServerId); + Scope model = getScopeStoreDelegate().findById(resourceServer, id); if (model == null) { setModelDoesNotExists(id, loaded); return null; @@ -538,7 +539,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { cached = new CachedScope(loaded, model); cache.addRevisioned(cached, startupRevision); } else if (invalidations.contains(id)) { - return getScopeStoreDelegate().findById(id, resourceServerId); + return getScopeStoreDelegate().findById(resourceServer, id); } else if (managedScopes.containsKey(id)) { return managedScopes.get(id); } @@ -548,8 +549,9 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { } @Override - public Scope findByName(String name, String resourceServerId) { + public Scope findByName(ResourceServer resourceServer, String name) { if (name == null) return null; + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); String cacheKey = getScopeByNameCacheKey(name, resourceServerId); ScopeListQuery query = cache.get(cacheKey, ScopeListQuery.class); if (query != null) { 
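Review bot: The null guard `String resourceServerId = resourceServer == null ? null : resourceServer.getId();` introduced in hunk `@@ -548` is repeated verbatim in the ResourceCache hunks `@@ -640`, `@@ -667`, `@@ -688` and `@@ -745` (nine copies visible in this patch), each only feeding a cache-key builder. A single private helper on StoreFactoryCacheSession, e.g. `private static String idOf(ResourceServer resourceServer) { return resourceServer == null ? null : resourceServer.getId(); }`, keeps the null convention in one place and makes it visible that a null ResourceServer is an accepted input that changes the cache key. In the same `findByName` hunk the final lookup changed from `findById(id, query.getResourceServerId())` to `findById(resourceServer, id)`, so a null `resourceServer` is now forwarded to the delegate on a cache-query hit instead of the id stored in the query; a short comment stating that this is intended would save the next reader the comparison.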
@@ -557,43 +559,43 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { } if (query == null) { Long loaded = cache.getCurrentRevision(cacheKey); - Scope model = getScopeStoreDelegate().findByName(name, resourceServerId); + Scope model = getScopeStoreDelegate().findByName(resourceServer, name); if (model == null) return null; if (invalidations.contains(model.getId())) return model; query = new ScopeListQuery(loaded, cacheKey, model.getId(), resourceServerId); cache.addRevisioned(query, startupRevision); return model; } else if (invalidations.contains(cacheKey)) { - return getScopeStoreDelegate().findByName(name, resourceServerId); + return getScopeStoreDelegate().findByName(resourceServer, name); } else { String id = query.getScopes().iterator().next(); if (invalidations.contains(id)) { - return getScopeStoreDelegate().findByName(name, resourceServerId); + return getScopeStoreDelegate().findByName(resourceServer, name); } - return findById(id, query.getResourceServerId()); + return findById(resourceServer, id); } } @Override - public List findByResourceServer(String id) { - return getScopeStoreDelegate().findByResourceServer(id); + public List findByResourceServer(ResourceServer resourceServer) { + return getScopeStoreDelegate().findByResourceServer(resourceServer); } @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { - return getScopeStoreDelegate().findByResourceServer(attributes, resourceServerId, firstResult, maxResult); + public List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults) { + return getScopeStoreDelegate().findByResourceServer(resourceServer, attributes, firstResult, maxResults); } } protected class ResourceCache implements ResourceStore { @Override - public Resource create(String id, String name, ResourceServer resourceServer, String owner) { - Resource resource = 
getResourceStoreDelegate().create(id, name, resourceServer, owner); - Resource cached = findById(resource.getId(), resourceServer.getId()); - registerResourceInvalidation(resource.getId(), resource.getName(), resource.getType(), resource.getUris(), resource.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toSet()), resourceServer.getId(), resource.getOwner()); + public Resource create(ResourceServer resourceServer, String id, String name, String owner) { + Resource resource = getResourceStoreDelegate().create(resourceServer, id, name, owner); + Resource cached = findById(resourceServer, resource.getId()); + registerResourceInvalidation(resource.getId(), resource.getName(), resource.getType(), resource.getUris(), resource.getScopes().stream().map(Scope::getId).collect(Collectors.toSet()), resourceServer.getId(), resource.getOwner()); if (cached == null) { - cached = findById(resource.getId(), resourceServer.getId()); + cached = findById(resourceServer, resource.getId()); } return cached; } 
@@ -601,18 +603,18 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { @Override public void delete(String id) { if (id == null) return; - Resource resource = findById(id, null); + Resource resource = findById(null, id); if (resource == null) return; cache.invalidateObject(id); - invalidationEvents.add(ResourceRemovedEvent.create(id, resource.getName(), resource.getType(), resource.getUris(), resource.getOwner(), resource.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toSet()), resource.getResourceServer())); - cache.resourceRemoval(id, resource.getName(), resource.getType(), resource.getUris(), resource.getOwner(), resource.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toSet()), resource.getResourceServer(), invalidations); + invalidationEvents.add(ResourceRemovedEvent.create(id, resource.getName(), resource.getType(), resource.getUris(), resource.getOwner(), resource.getScopes().stream().map(Scope::getId).collect(Collectors.toSet()), resource.getResourceServer().getId())); + cache.resourceRemoval(id, resource.getName(), resource.getType(), resource.getUris(), resource.getOwner(), resource.getScopes().stream().map(Scope::getId).collect(Collectors.toSet()), resource.getResourceServer().getId(), invalidations); getResourceStoreDelegate().delete(id); } @Override - public Resource findById(String id, String resourceServerId) { + public Resource findById(ResourceServer resourceServer, String id) { if (id == null) return null; CachedResource cached = cache.get(id, CachedResource.class); if (cached != null) { 
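Review bot: In ResourceCache.delete (hunk `@@ -601`) `resource.getResourceServer().getId()` is evaluated twice, once for `ResourceRemovedEvent.create` and once for `cache.resourceRemoval`; with the ResourceAdapter change in this commit each call is a delegate-store lookup, and the `resource.getScopes().stream().map(Scope::getId).collect(Collectors.toSet())` set is likewise built twice. Compute both once above the two calls: `String resourceServerId = resource.getResourceServer().getId();` and `Set<String> scopeIds = resource.getScopes().stream().map(Scope::getId).collect(Collectors.toSet());`, then pass `scopeIds` and `resourceServerId` to both. The preceding `findById(null, id)` reaches the delegate with a null resource server on a cache miss, which only works if every ResourceStore delegate tolerates that; a comment on that line naming the assumption would help.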
@@ -621,7 +623,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { if (cached == null) { Long loaded = cache.getCurrentRevision(id); if (! modelMightExist(id)) return null; - Resource model = getResourceStoreDelegate().findById(id, resourceServerId); + Resource model = getResourceStoreDelegate().findById(resourceServer, id); if (model == null) { setModelDoesNotExists(id, loaded); return null; @@ -630,7 +632,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { cached = new CachedResource(loaded, model); cache.addRevisioned(cached, startupRevision); } else if (invalidations.contains(id)) { - return getResourceStoreDelegate().findById(id, resourceServerId); + return getResourceStoreDelegate().findById(resourceServer, id); } else if (managedResources.containsKey(id)) { return managedResources.get(id); } @@ -640,16 +642,12 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { } @Override - public Resource findByName(String name, String resourceServerId) { - return findByName(name, resourceServerId, resourceServerId); - } - - @Override - public Resource findByName(String name, String ownerId, String resourceServerId) { + public Resource findByName(ResourceServer resourceServer, String name, String ownerId) { if (name == null) return null; + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); String cacheKey = getResourceByNameCacheKey(name, ownerId, resourceServerId); List result = cacheQuery(cacheKey, ResourceListQuery.class, () -> { - Resource resource = getResourceStoreDelegate().findByName(name, ownerId, resourceServerId); + Resource resource = getResourceStoreDelegate().findByName(resourceServer, name, ownerId); if (resource == null) { return Collections.emptyList(); 
@@ -657,7 +655,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { return Arrays.asList(resource); }, - (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServerId); + (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); if (result.isEmpty()) { return null; 
@@ -667,18 +665,20 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { } @Override - public List findByOwner(String ownerId, String resourceServerId) { + public List findByOwner(ResourceServer resourceServer, String ownerId) { + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); String cacheKey = getResourceByOwnerCacheKey(ownerId, resourceServerId); - return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByOwner(ownerId, resourceServerId), - (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServerId); + return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByOwner(resourceServer, ownerId), + (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); } @Override - public void findByOwner(String ownerId, String resourceServerId, Consumer consumer) { + public void findByOwner(ResourceServer resourceServer, String ownerId, Consumer consumer) { + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); String cacheKey = getResourceByOwnerCacheKey(ownerId, resourceServerId); cacheQuery(cacheKey, ResourceListQuery.class, () -> { List resources = new ArrayList<>(); - getResourceStoreDelegate().findByOwner(ownerId, resourceServerId, new Consumer() { + getResourceStoreDelegate().findByOwner(resourceServer, ownerId, new Consumer() { @Override public void accept(Resource resource) { consumer.andThen(resources::add) 
@@ -688,54 +688,57 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { }); return resources; }, - (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServerId, consumer); + (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer, consumer); } @Override - public List findByOwner(String ownerId, String resourceServerId, int first, int max) { - return getResourceStoreDelegate().findByOwner(ownerId, resourceServerId, first, max); + public List findByOwner(ResourceServer resourceServer, String ownerId, Integer firstResult, Integer maxResults) { + return getResourceStoreDelegate().findByOwner(resourceServer, ownerId, firstResult, maxResults); } @Override - public List findByUri(String uri, String resourceServerId) { + public List findByUri(ResourceServer resourceServer, String uri) { if (uri == null) return null; + String resourceServerId = resourceServer == null ? 
null : resourceServer.getId(); String cacheKey = getResourceByUriCacheKey(uri, resourceServerId); - return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByUri(uri, resourceServerId), - (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServerId); + return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByUri(resourceServer, uri), + (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); } @Override - public List findByResourceServer(String resourceServerId) { - return getResourceStoreDelegate().findByResourceServer(resourceServerId); + public List findByResourceServer(ResourceServer resourceServer) { + return getResourceStoreDelegate().findByResourceServer(resourceServer); } @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { - return getResourceStoreDelegate().findByResourceServer(attributes, resourceServerId, firstResult, maxResult); + public List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults) { + return getResourceStoreDelegate().findByResourceServer(resourceServer, attributes, firstResult, maxResults); } @Override - public List findByScope(List ids, String resourceServerId) { - if (ids == null) return null; + public List findByScopes(ResourceServer resourceServer, Set scopes) { + if (scopes == null) return null; List result = new ArrayList<>(); + String resourceServerId = resourceServer == null ? 
null : resourceServer.getId(); - for (String id : ids) { - String cacheKey = getResourceByScopeCacheKey(id, resourceServerId); - result.addAll(cacheQuery(cacheKey, ResourceScopeListQuery.class, () -> getResourceStoreDelegate().findByScope(Arrays.asList(id), resourceServerId), (revision, resources) -> new ResourceScopeListQuery(revision, cacheKey, id, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServerId)); + for (Scope scope : scopes) { + String cacheKey = getResourceByScopeCacheKey(scope.getId(), resourceServerId); + result.addAll(cacheQuery(cacheKey, ResourceScopeListQuery.class, () -> getResourceStoreDelegate().findByScopes(resourceServer, Collections.singleton(scope)), (revision, resources) -> new ResourceScopeListQuery(revision, cacheKey, scope.getId(), resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer)); } return result; } @Override - public void findByScope(List ids, String resourceServerId, Consumer consumer) { - if (ids == null) return; + public void findByScopes(ResourceServer resourceServer, Set scopes, Consumer consumer) { + if (scopes == null) return; + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); - for (String id : ids) { - String cacheKey = getResourceByScopeCacheKey(id, resourceServerId); + for (Scope scope : scopes) { + String cacheKey = getResourceByScopeCacheKey(scope.getId(), resourceServerId); cacheQuery(cacheKey, ResourceScopeListQuery.class, () -> { List resources = new ArrayList<>(); - getResourceStoreDelegate().findByScope(Arrays.asList(id), resourceServerId, new Consumer() { + getResourceStoreDelegate().findByScopes(resourceServer, Collections.singleton(scope), new Consumer() { @Override public void accept(Resource resource) { consumer.andThen(resources::add) 
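Review bot: `findByScopes(ResourceServer, Set scopes)` (hunk `@@ -688`) iterates the scope set and appends each per-scope query result to `result`, so the order of the returned list now follows the set's iteration order, whereas the removed `findByScope(List ids, ...)` followed the caller's list order. Callers that pass a HashSet get an order that can differ between runs; if any consumer relies on ordering, either state the new contract in the ResourceStore Javadoc (`the result order follows the iteration order of {@code scopes}`) or require an insertion-ordered set at the call sites. The per-scope `Collections.singleton(scope)` delegate query keeps the old one-query-per-scope pattern, so the cost is unchanged; the same ordering remark applies to the consumer overload in this hunk.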
@@ -745,25 +748,27 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { } }); return resources; - }, (revision, resources) -> new ResourceScopeListQuery(revision, cacheKey, id, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServerId, consumer); + }, (revision, resources) -> new ResourceScopeListQuery(revision, cacheKey, scope.getId(), resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer, consumer); } } @Override - public List findByType(String type, String resourceServerId) { + public List findByType(ResourceServer resourceServer, String type) { if (type == null) return Collections.emptyList(); + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); String cacheKey = getResourceByTypeCacheKey(type, resourceServerId); - return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByType(type, resourceServerId), - (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(resource -> resource.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId); + return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByType(resourceServer, type), + (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); } @Override - public void findByType(String type, String resourceServerId, Consumer consumer) { + public void findByType(ResourceServer resourceServer, String type, Consumer consumer) { if (type == null) return; + String resourceServerId = resourceServer == null ? 
null : resourceServer.getId(); String cacheKey = getResourceByTypeCacheKey(type, resourceServerId); cacheQuery(cacheKey, ResourceListQuery.class, () -> { List resources = new ArrayList<>(); - getResourceStoreDelegate().findByType(type, resourceServerId, new Consumer() { + getResourceStoreDelegate().findByType(resourceServer, type, new Consumer() { @Override public void accept(Resource resource) { consumer.andThen(resources::add) 
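Review bot: The null-safe id extraction `String resourceServerId = resourceServer == null ? null : resourceServer.getId();` is now copy-pasted into `findByType` and into every other finder in this class, which is a style point rather than a bug. A single private helper, `private static String idOf(ResourceServer resourceServer) { return resourceServer == null ? null : resourceServer.getId(); }`, would keep the null contract in one place and make it possible to later tighten it (for example to reject null in an authorization cache) without touching a dozen methods. The consumer overload of `findByType` that this hunk starts is cut off at the hunk end, so its cache-key handling could not be checked here.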
@@ -773,28 +778,30 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { }); return resources; }, - (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(resource -> resource.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId, consumer); + (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer, consumer); } @Override - public List findByType(String type, String owner, String resourceServerId) { - if (resourceServerId.equals(owner)) { - return findByType(type, resourceServerId); + public List findByType(ResourceServer resourceServer, String type, String owner) { + if (resourceServer != null && resourceServer.getId().equals(owner)) { + return findByType(resourceServer, type); } else { if (type == null) return Collections.emptyList(); + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); String cacheKey = getResourceByTypeCacheKey(type, owner, resourceServerId); - return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByType(type, owner, resourceServerId), - (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(resource -> resource.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId); + return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByType(resourceServer, type, owner), + (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); } } @Override - public void findByType(String type, String owner, String resourceServerId, Consumer consumer) { + public void findByType(ResourceServer resourceServer, String type, String owner, Consumer consumer) { if (type == null) return; + String resourceServerId = 
resourceServer == null ? null : resourceServer.getId(); String cacheKey = getResourceByTypeCacheKey(type, owner, resourceServerId); cacheQuery(cacheKey, ResourceListQuery.class, () -> { List resources = new ArrayList<>(); - getResourceStoreDelegate().findByType(type, owner, resourceServerId, new Consumer() { + getResourceStoreDelegate().findByType(resourceServer, type, owner, new Consumer() { @Override public void accept(Resource resource) { consumer.andThen(resources::add) 
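Review bot: The new guard `if (resourceServer != null && resourceServer.getId().equals(owner))` in the three-argument `findByType` turns a null `resourceServer`, which previously failed fast with an NPE on `resourceServerId.equals(owner)`, into a lookup that is cached under a key built from a null resource-server id and forwarded to the delegate unscoped. Whether the delegate then searches across all resource servers cannot be seen in this diff, but for a cache that feeds authorization decisions a silent widening of scope should be deliberate: either keep failing fast with `Objects.requireNonNull(resourceServer, "resourceServer");` as the first statement, or document on the `ResourceStore.findByType` interface method that a null resource server means an unscoped query. The consumer overload that follows is cut off at the hunk end.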
@@ -804,24 +811,26 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { }); return resources; }, - (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(resource -> resource.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId, consumer); + (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer, consumer); } @Override - public List findByTypeInstance(String type, String resourceServerId) { + public List findByTypeInstance(ResourceServer resourceServer, String type) { if (type == null) return Collections.emptyList(); + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); String cacheKey = getResourceByTypeInstanceCacheKey(type, resourceServerId); - return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByTypeInstance(type, resourceServerId), - (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(resource -> resource.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId); + return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByTypeInstance(resourceServer, type), + (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); } @Override - public void findByTypeInstance(String type, String resourceServerId, Consumer consumer) { + public void findByTypeInstance(ResourceServer resourceServer, String type, Consumer consumer) { if (type == null) return; + String resourceServerId = resourceServer == null ? 
null : resourceServer.getId(); String cacheKey = getResourceByTypeInstanceCacheKey(type, resourceServerId); cacheQuery(cacheKey, ResourceListQuery.class, () -> { List resources = new ArrayList<>(); - getResourceStoreDelegate().findByTypeInstance(type, resourceServerId, new Consumer() { + getResourceStoreDelegate().findByTypeInstance(resourceServer, type, new Consumer() { @Override public void accept(Resource resource) { consumer.andThen(resources::add) 
@@ -831,18 +840,18 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { }); return resources; }, - (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(resource -> resource.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId, consumer); + (revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer, consumer); } - private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, String resourceServerId, Consumer consumer) { - return cacheQuery(cacheKey, queryType, resultSupplier, querySupplier, resourceServerId, consumer, false); + private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, ResourceServer resourceServer, Consumer consumer) { + return cacheQuery(cacheKey, queryType, resultSupplier, querySupplier, resourceServer, consumer, false); } - private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, String resourceServerId) { - return cacheQuery(cacheKey, queryType, resultSupplier, querySupplier, resourceServerId, null, true); + private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, ResourceServer resourceServer) { + return cacheQuery(cacheKey, queryType, resultSupplier, querySupplier, resourceServer, null, true); } - private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, String resourceServerId, Consumer consumer, boolean cacheResult) { + private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, ResourceServer resourceServer, Consumer consumer, boolean cacheResult) { Q query = cache.get(cacheKey, queryType); if (query != null) { 
logger.tracev("cache hit for key: {0}", cacheKey); @@ -863,9 +872,9 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { Set resources = query.getResources(); if (consumer != null) { - resources.stream().map(resourceId -> (R) findById(resourceId, resourceServerId)).forEach(consumer); + resources.stream().map(resourceId -> (R) findById(resourceServer, resourceId)).forEach(consumer); } else { - model = resources.stream().map(resourceId -> (R) findById(resourceId, resourceServerId)).collect(Collectors.toList()); + model = resources.stream().map(resourceId -> (R) findById(resourceServer, resourceId)).collect(Collectors.toList()); } } @@ -879,12 +888,12 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { protected class PolicyCache implements PolicyStore { @Override - public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) { - Policy policy = getPolicyStoreDelegate().create(representation, resourceServer); - Policy cached = findById(policy.getId(), resourceServer.getId()); + public Policy create(ResourceServer resourceServer, AbstractPolicyRepresentation representation) { + Policy policy = getPolicyStoreDelegate().create(resourceServer, representation); + Policy cached = findById(resourceServer, policy.getId()); registerPolicyInvalidation(policy.getId(), representation.getName(), representation.getResources(), representation.getScopes(), null, resourceServer.getId()); if (cached == null) { - cached = findById(policy.getId(), resourceServer.getId()); + cached = findById(resourceServer, policy.getId()); } return cached; } 
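Review bot: On the cache-hit path of `ResourceCache.cacheQuery`, `resources.stream().map(resourceId -> (R) findById(resourceServer, resourceId))` is handed straight to `consumer` and collected into the returned list with no null filtering, whereas the `PolicyCache.cacheQuery` hit path in this same commit applies `.filter(Objects::nonNull)`. The sibling `findById` implementations visible in this diff return null when an id no longer resolves, so a cached query that still lists a deleted resource id would pass a null to `consumer` or leave a null element in the result. Adding `.filter(Objects::nonNull)` before `.forEach(consumer)` and before `.collect(Collectors.toList())` brings the two caches in line. The enclosing `cacheQuery` begins before this hunk.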
@@ -892,18 +901,18 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { @Override public void delete(String id) { if (id == null) return; - Policy policy = findById(id, null); + Policy policy = findById(null, id); if (policy == null) return; cache.invalidateObject(id); - Set resources = policy.getResources().stream().map(resource -> resource.getId()).collect(Collectors.toSet()); + Set resources = policy.getResources().stream().map(Resource::getId).collect(Collectors.toSet()); ResourceServer resourceServer = policy.getResourceServer(); Set resourceTypes = getResourceTypes(resources, resourceServer.getId()); String defaultResourceType = policy.getConfig().get("defaultResourceType"); if (Objects.nonNull(defaultResourceType)) { resourceTypes.add(defaultResourceType); } - Set scopes = policy.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toSet()); + Set scopes = policy.getScopes().stream().map(Scope::getId).collect(Collectors.toSet()); invalidationEvents.add(PolicyRemovedEvent.create(id, policy.getName(), resources, resourceTypes, scopes, resourceServer.getId())); cache.policyRemoval(id, policy.getName(), resources, resourceTypes, scopes, resourceServer.getId(), invalidations); getPolicyStoreDelegate().delete(id); @@ -911,7 +920,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { } @Override - public Policy findById(String id, String resourceServerId) { + public Policy findById(ResourceServer resourceServer, String id) { if (id == null) return null; CachedPolicy cached = cache.get(id, CachedPolicy.class); 
@@ -920,7 +929,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { } if (cached == null) { if (! modelMightExist(id)) return null; - Policy model = getPolicyStoreDelegate().findById(id, resourceServerId); + Policy model = getPolicyStoreDelegate().findById(resourceServer, id); Long loaded = cache.getCurrentRevision(id); if (model == null) { setModelDoesNotExists(id, loaded); @@ -930,7 +939,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { cached = new CachedPolicy(loaded, model); cache.addRevisioned(cached, startupRevision); } else if (invalidations.contains(id)) { - return getPolicyStoreDelegate().findById(id, resourceServerId); + return getPolicyStoreDelegate().findById(resourceServer, id); } else if (managedPolicies.containsKey(id)) { return managedPolicies.get(id); } @@ -940,18 +949,19 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { } @Override - public Policy findByName(String name, String resourceServerId) { + public Policy findByName(ResourceServer resourceServer, String name) { if (name == null) return null; + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); String cacheKey = getPolicyByNameCacheKey(name, resourceServerId); List result = cacheQuery(cacheKey, PolicyListQuery.class, () -> { - Policy policy = getPolicyStoreDelegate().findByName(name, resourceServerId); + Policy policy = getPolicyStoreDelegate().findByName(resourceServer, name); if (policy == null) { return Collections.emptyList(); } return Arrays.asList(policy); - }, (revision, policies) -> new PolicyListQuery(revision, cacheKey, policies.stream().map(policy -> policy.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId); + }, (revision, policies) -> new PolicyListQuery(revision, cacheKey, policies.stream().map(Policy::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); if (result.isEmpty()) { return null; 
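Review bot: `PolicyCache.findById` now receives a `ResourceServer`, but it only forwards it to `getPolicyStoreDelegate().findById(resourceServer, id)` on the miss and invalidated paths; the hit path is `cache.get(id, CachedPolicy.class)`, keyed on the id alone, so any resource-server check the delegate may apply is skipped once a policy is cached. If the delegate is meant to enforce that the policy belongs to `resourceServer`, the cached copy needs the same check, e.g. fall through to the delegate when `resourceServer != null && !resourceServer.getId().equals(cached.getResourceServerId())` (the accessor name on `CachedPolicy` is not visible here, so adjust accordingly); if the parameter is only a hint, a comment saying so on the interface method would stop readers from assuming it is enforced. The method starts in the previous hunk and its cache-hit return lies outside this one.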
@@ -961,28 +971,30 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { } @Override - public List findByResourceServer(String resourceServerId) { - return getPolicyStoreDelegate().findByResourceServer(resourceServerId); + public List findByResourceServer(ResourceServer resourceServer) { + return getPolicyStoreDelegate().findByResourceServer(resourceServer); } @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { - return getPolicyStoreDelegate().findByResourceServer(attributes, resourceServerId, firstResult, maxResult); + public List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults) { + return getPolicyStoreDelegate().findByResourceServer(resourceServer, attributes, firstResult, maxResults); } @Override - public List findByResource(String resourceId, String resourceServerId) { - String cacheKey = getPolicyByResource(resourceId, resourceServerId); - return cacheQuery(cacheKey, PolicyResourceListQuery.class, () -> getPolicyStoreDelegate().findByResource(resourceId, resourceServerId), - (revision, policies) -> new PolicyResourceListQuery(revision, cacheKey, resourceId, policies.stream().map(policy -> policy.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId); + public List findByResource(ResourceServer resourceServer, Resource resource) { + String resourceServerId = resourceServer == null ? 
null : resourceServer.getId(); + String cacheKey = getPolicyByResource(resource.getId(), resourceServerId); + return cacheQuery(cacheKey, PolicyResourceListQuery.class, () -> getPolicyStoreDelegate().findByResource(resourceServer, resource), + (revision, policies) -> new PolicyResourceListQuery(revision, cacheKey, resource.getId(), policies.stream().map(Policy::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); } @Override - public void findByResource(String resourceId, String resourceServerId, Consumer consumer) { - String cacheKey = getPolicyByResource(resourceId, resourceServerId); + public void findByResource(ResourceServer resourceServer, Resource resource, Consumer consumer) { + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); + String cacheKey = getPolicyByResource(resource.getId(), resourceServerId); cacheQuery(cacheKey, PolicyResourceListQuery.class, () -> { List policies = new ArrayList<>(); - getPolicyStoreDelegate().findByResource(resourceId, resourceServerId, new Consumer() { + getPolicyStoreDelegate().findByResource(resourceServer, resource, new Consumer() { @Override public void accept(Policy policy) { consumer.andThen(policies::add) 
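Review bot: `findByResource(ResourceServer resourceServer, Resource resource)` now dereferences `resource.getId()` before anything else, so a null resource throws an NPE from the cache layer, while the pre-change signature accepted a null id and built a cache key from it; elsewhere in this commit the consumer overload of `findByScopes` explicitly tolerates a null resource with `resource == null ? null : resource.getId()`. Failing fast is the safer direction for a lookup that feeds authorization decisions, so make it deliberate with `Objects.requireNonNull(resource, "resource");` as the first statement (and the same in the consumer overload this hunk starts) rather than relying on the incidental NPE. The consumer overload's body continues past the hunk end.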
@@ -992,22 +1004,24 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { }); return policies; }, - (revision, policies) -> new PolicyResourceListQuery(revision, cacheKey, resourceId, policies.stream().map(policy -> policy.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId, consumer); + (revision, policies) -> new PolicyResourceListQuery(revision, cacheKey, resource.getId(), policies.stream().map(Policy::getId).collect(Collectors.toSet()), resourceServerId), resourceServer, consumer); } @Override - public List findByResourceType(String resourceType, String resourceServerId) { + public List findByResourceType(ResourceServer resourceServer, String resourceType) { + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); String cacheKey = getPolicyByResourceType(resourceType, resourceServerId); - return cacheQuery(cacheKey, PolicyResourceListQuery.class, () -> getPolicyStoreDelegate().findByResourceType(resourceType, resourceServerId), - (revision, policies) -> new PolicyResourceListQuery(revision, cacheKey, resourceType, policies.stream().map(policy -> policy.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId); + return cacheQuery(cacheKey, PolicyResourceListQuery.class, () -> getPolicyStoreDelegate().findByResourceType(resourceServer, resourceType), + (revision, policies) -> new PolicyResourceListQuery(revision, cacheKey, resourceType, policies.stream().map(Policy::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); } @Override - public void findByResourceType(String resourceType, String resourceServerId, Consumer consumer) { + public void findByResourceType(ResourceServer resourceServer, String resourceType, Consumer consumer) { + String resourceServerId = resourceServer == null ? 
null : resourceServer.getId(); String cacheKey = getPolicyByResourceType(resourceType, resourceServerId); cacheQuery(cacheKey, PolicyResourceListQuery.class, () -> { List policies = new ArrayList<>(); - getPolicyStoreDelegate().findByResourceType(resourceType, resourceServerId, new Consumer() { + getPolicyStoreDelegate().findByResourceType(resourceServer, resourceType, new Consumer() { @Override public void accept(Policy policy) { consumer.andThen(policies::add) 
@@ -1017,71 +1031,75 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { }); return policies; }, - (revision, policies) -> new PolicyResourceListQuery(revision, cacheKey, resourceType, policies.stream().map(policy -> policy.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId, consumer); + (revision, policies) -> new PolicyResourceListQuery(revision, cacheKey, resourceType, policies.stream().map(Policy::getId).collect(Collectors.toSet()), resourceServerId), resourceServer, consumer); } @Override - public List findByScopeIds(List scopeIds, String resourceServerId) { - if (scopeIds == null) return null; + public List findByScopes(ResourceServer resourceServer, List scopes) { + if (scopes == null) return null; Set result = new HashSet<>(); + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); - for (String id : scopeIds) { - String cacheKey = getPolicyByScope(id, resourceServerId); - result.addAll(cacheQuery(cacheKey, PolicyScopeListQuery.class, () -> getPolicyStoreDelegate().findByScopeIds(Arrays.asList(id), resourceServerId), (revision, resources) -> new PolicyScopeListQuery(revision, cacheKey, id, resources.stream().map(resource -> resource.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId)); + for (Scope scope : scopes) { + String cacheKey = getPolicyByScope(scope.getId(), resourceServerId); + result.addAll(cacheQuery(cacheKey, PolicyScopeListQuery.class, () -> getPolicyStoreDelegate().findByScopes(resourceServer, Collections.singletonList(scope)), (revision, resources) -> new PolicyScopeListQuery(revision, cacheKey, scope.getId(), resources.stream().map(resource -> resource.getId()).collect(Collectors.toSet()), resourceServerId), resourceServer)); } return new ArrayList<>(result); } @Override - public List findByScopeIds(List scopeIds, String resourceId, String resourceServerId) { - if (scopeIds == null) return null; + public List findByScopes(ResourceServer 
resourceServer, Resource resource, List scopes) { + if (scopes == null) return null; Set result = new HashSet<>(); + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); - for (String id : scopeIds) { - String cacheKey = getPolicyByResourceScope(id, resourceId, resourceServerId); - result.addAll(cacheQuery(cacheKey, PolicyScopeListQuery.class, () -> getPolicyStoreDelegate().findByScopeIds(Arrays.asList(id), resourceId, resourceServerId), (revision, resources) -> new PolicyScopeListQuery(revision, cacheKey, id, resources.stream().map(resource -> resource.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId)); + for (Scope scope : scopes) { + String cacheKey = getPolicyByResourceScope(scope.getId(), resource.getId(), resourceServerId); + result.addAll(cacheQuery(cacheKey, PolicyScopeListQuery.class, () -> getPolicyStoreDelegate().findByScopes(resourceServer, resource, Collections.singletonList(scope)), (revision, resources) -> new PolicyScopeListQuery(revision, cacheKey, scope.getId(), resources.stream().map(Policy::getId).collect(Collectors.toSet()), resourceServerId), resourceServer)); } return new ArrayList<>(result); } @Override - public void findByScopeIds(List scopeIds, String resourceId, String resourceServerId, Consumer consumer) { - for (String id : scopeIds) { - String cacheKey = getPolicyByResourceScope(id, resourceId, resourceServerId); + public void findByScopes(ResourceServer resourceServer, Resource resource, List scopes, Consumer consumer) { + String resourceServerId = resourceServer == null ? null : resourceServer.getId(); + String resourceId = resource == null ? 
null : resource.getId(); + for (Scope scope : scopes) { + String cacheKey = getPolicyByResourceScope(scope.getId(), resourceId, resourceServerId); cacheQuery(cacheKey, PolicyScopeListQuery.class, () -> { List policies = new ArrayList<>(); - getPolicyStoreDelegate().findByScopeIds(Arrays.asList(id), resourceId, resourceServerId, + getPolicyStoreDelegate().findByScopes(resourceServer, resource, Collections.singletonList(scope), policy -> { consumer.andThen(policies::add) .andThen(StoreFactoryCacheSession.this::cachePolicy) .accept(policy); }); return policies; - }, (revision, resources) -> new PolicyScopeListQuery(revision, cacheKey, id, resources.stream().map(resource -> resource.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId, consumer); + }, (revision, resources) -> new PolicyScopeListQuery(revision, cacheKey, scope.getId(), resources.stream().map(Policy::getId).collect(Collectors.toSet()), resourceServerId), resourceServer, consumer); } } @Override - public List findByType(String type, String resourceServerId) { - return getPolicyStoreDelegate().findByType(type, resourceServerId); + public List findByType(ResourceServer resourceServer, String type) { + return getPolicyStoreDelegate().findByType(resourceServer, type); } @Override - public List findDependentPolicies(String id, String resourceServerId) { - return getPolicyStoreDelegate().findDependentPolicies(id, resourceServerId); + public List findDependentPolicies(ResourceServer resourceServer, String id) { + return getPolicyStoreDelegate().findDependentPolicies(resourceServer, id); } - private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, String resourceServerId) { - return cacheQuery(cacheKey, queryType, resultSupplier, querySupplier, resourceServerId, null, true); + private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, ResourceServer resourceServer) { + return 
cacheQuery(cacheKey, queryType, resultSupplier, querySupplier, resourceServer, null, true); } - private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, String resourceServerId, Consumer consumer) { - return cacheQuery(cacheKey, queryType, resultSupplier, querySupplier, resourceServerId, consumer, false); + private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, ResourceServer resourceServer, Consumer consumer) { + return cacheQuery(cacheKey, queryType, resultSupplier, querySupplier, resourceServer, consumer, false); } - private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, String resourceServerId, Consumer consumer, boolean cacheResults) { + private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, ResourceServer resourceServer, Consumer consumer, boolean cacheResults) { Q query = cache.get(cacheKey, queryType); if (query != null) { logger.tracev("cache hit for key: {0}", cacheKey); @@ -1103,10 +1121,10 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { if (consumer != null) { for (String id : policies) { - consumer.accept((R) findById(id, resourceServerId)); + consumer.accept((R) findById(resourceServer, id)); } } else { - model = policies.stream().map(resourceId -> (R) findById(resourceId, resourceServerId)) + model = policies.stream().map(resourceId -> (R) findById(resourceServer, resourceId)) .filter(Objects::nonNull).collect(Collectors.toList()); } } 
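Review bot: The three `findByScopes` overloads in this hunk disagree on nulls: the list-returning `findByScopes(resourceServer, resource, scopes)` dereferences `resource.getId()` unconditionally, the consumer overload right below it computes `String resourceId = resource == null ? null : resource.getId();` and forwards the null resource to the delegate, and that same consumer overload iterates `for (Scope scope : scopes)` with no `scopes == null` guard where the other two return null. Pick one contract and apply it to all three: if a null resource is a supported wildcard, the list overload needs the same guard; if it is not, `Objects.requireNonNull(resource, "resource");` in the consumer overload makes that explicit and closes the cache-key-with-null-resource path. Separately, the two-argument overload still maps policies with `resource -> resource.getId()` where the neighbouring lambdas use `Policy::getId`; renaming it avoids reading a policy id as a resource id.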
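Review bot: In the cache-hit branch of `PolicyCache.cacheQuery` the consumer path does `consumer.accept((R) findById(resourceServer, id))` with no null check, whereas the list path directly below it filters with `.filter(Objects::nonNull)`. `findById` returns null when an id from a still-cached query no longer resolves (it records model-does-not-exist on a miss), so the consumer can be handed a null policy. Guarding it as `Policy policy = findById(resourceServer, id); if (policy != null) consumer.accept((R) policy);` matches the list path. The enclosing `cacheQuery` starts in an earlier hunk.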
@@ -1119,21 +1137,21 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { protected class PermissionTicketCache implements PermissionTicketStore { @Override - public long count(Map attributes, String resourceServerId) { - return getPermissionTicketStoreDelegate().count(attributes, resourceServerId); + public long count(ResourceServer resourceServer, Map attributes) { + return getPermissionTicketStoreDelegate().count(resourceServer, attributes); } @Override - public PermissionTicket create(String resourceId, String scopeId, String requester, ResourceServer resourceServer) { - PermissionTicket created = getPermissionTicketStoreDelegate().create(resourceId, scopeId, requester, resourceServer); - registerPermissionTicketInvalidation(created.getId(), created.getOwner(), created.getRequester(), created.getResource().getId(), created.getResource().getName(), scopeId, created.getResourceServer().getId()); + public PermissionTicket create(ResourceServer resourceServer, Resource resource, Scope scope, String requester) { + PermissionTicket created = getPermissionTicketStoreDelegate().create(resourceServer, resource, scope, requester); + registerPermissionTicketInvalidation(created.getId(), created.getOwner(), created.getRequester(), created.getResource().getId(), created.getResource().getName(), scope == null ? null : scope.getId(), created.getResourceServer().getId()); return created; } @Override public void delete(String id) { if (id == null) return; - PermissionTicket permission = findById(id, null); + PermissionTicket permission = findById(null, id); if (permission == null) return; cache.invalidateObject(id); 
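Review bot: `PermissionTicketCache.create` now guards `scope == null ? null : scope.getId()` when registering the invalidation, which makes a null scope a supported input at this layer, yet nothing visible documents that, and the adjacent `created.getResource().getId()` / `created.getResource().getName()` stay unguarded. If the delegate can return a ticket without a resource, that NPE would fire after the ticket has been persisted but before its invalidation is registered, leaving a ticket the cache never learns about; if it cannot, that assumption deserves a one-line comment next to the call. Either way the interface method `PermissionTicketStore.create` should carry `@param scope the scope the ticket refers to, or {@code null} when the ticket is not scope-specific` (wording to match the actual semantics) so callers know what the guard is for. The `delete` method this hunk starts is cut off at the hunk end.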
@@ -1149,7 +1167,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { } @Override - public PermissionTicket findById(String id, String resourceServerId) { + public PermissionTicket findById(ResourceServer resourceServer, String id) { if (id == null) return null; CachedPermissionTicket cached = cache.get(id, CachedPermissionTicket.class); @@ -1159,7 +1177,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { if (cached == null) { Long loaded = cache.getCurrentRevision(id); if (! modelMightExist(id)) return null; - PermissionTicket model = getPermissionTicketStoreDelegate().findById(id, resourceServerId); + PermissionTicket model = getPermissionTicketStoreDelegate().findById(resourceServer, id); if (model == null) { setModelDoesNotExists(id, loaded); return null; @@ -1168,7 +1186,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { cached = new CachedPermissionTicket(loaded, model); cache.addRevisioned(cached, startupRevision); } else if (invalidations.contains(id)) { - return getPermissionTicketStoreDelegate().findById(id, resourceServerId); + return getPermissionTicketStoreDelegate().findById(resourceServer, id); } else if (managedPermissionTickets.containsKey(id)) { return managedPermissionTickets.get(id); } 
@@ -1178,61 +1196,66 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { } @Override - public List findByResourceServer(String resourceServerId) { - return getPermissionTicketStoreDelegate().findByResourceServer(resourceServerId); + public List findByResourceServer(ResourceServer resourceServer) { + return getPermissionTicketStoreDelegate().findByResourceServer(resourceServer); } @Override - public List findByResource(String resourceId, String resourceServerId) { - String cacheKey = getPermissionTicketByResource(resourceId, resourceServerId); - return cacheQuery(cacheKey, PermissionTicketResourceListQuery.class, () -> getPermissionTicketStoreDelegate().findByResource(resourceId, resourceServerId), - (revision, permissions) -> new PermissionTicketResourceListQuery(revision, cacheKey, resourceId, permissions.stream().map(permission -> permission.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId); + public List findByResource(ResourceServer resourceServer, Resource resource) { + String resourceServerId = resourceServer == null ? 
null : resourceServer.getId(); + String cacheKey = getPermissionTicketByResource(resource.getId(), resourceServerId); + return cacheQuery(cacheKey, PermissionTicketResourceListQuery.class, () -> getPermissionTicketStoreDelegate().findByResource(resourceServer, resource), + (revision, permissions) -> new PermissionTicketResourceListQuery(revision, cacheKey, resource.getId(), permissions.stream().map(PermissionTicket::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); } @Override - public List findByScope(String scopeId, String resourceServerId) { - String cacheKey = getPermissionTicketByScope(scopeId, resourceServerId); - return cacheQuery(cacheKey, PermissionTicketScopeListQuery.class, () -> getPermissionTicketStoreDelegate().findByScope(scopeId, resourceServerId), - (revision, permissions) -> new PermissionTicketScopeListQuery(revision, cacheKey, scopeId, permissions.stream().map(permission -> permission.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId); + public List findByScope(ResourceServer resourceServer, Scope scope) { + String resourceServerId = resourceServer == null ? 
null : resourceServer.getId(); + String cacheKey = getPermissionTicketByScope(scope.getId(), resourceServerId); + return cacheQuery(cacheKey, PermissionTicketScopeListQuery.class, () -> getPermissionTicketStoreDelegate().findByScope(resourceServer, scope), + (revision, permissions) -> new PermissionTicketScopeListQuery(revision, cacheKey, scope.getId(), permissions.stream().map(PermissionTicket::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); } @Override - public List find(Map attributes, String resourceServerId, int firstResult, int maxResult) { - return getPermissionTicketStoreDelegate().find(attributes, resourceServerId, firstResult, maxResult); + public List find(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResult) { + return getPermissionTicketStoreDelegate().find(resourceServer, attributes, firstResult, maxResult); } @Override - public List findGranted(String userId, String resourceServerId) { + public List findGranted(ResourceServer resourceServer, String userId) { + String resourceServerId = resourceServer == null ? 
null : resourceServer.getId(); String cacheKey = getPermissionTicketByGranted(userId, resourceServerId); - return cacheQuery(cacheKey, PermissionTicketListQuery.class, () -> getPermissionTicketStoreDelegate().findGranted(userId, resourceServerId), - (revision, permissions) -> new PermissionTicketListQuery(revision, cacheKey, permissions.stream().map(permission -> permission.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId); + return cacheQuery(cacheKey, PermissionTicketListQuery.class, () -> getPermissionTicketStoreDelegate().findGranted(resourceServer, userId), + (revision, permissions) -> new PermissionTicketListQuery(revision, cacheKey, permissions.stream().map(PermissionTicket::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); } @Override - public List findGranted(String resourceName, String userId, String resourceServerId) { + public List findGranted(ResourceServer resourceServer, String resourceName, String userId) { + String resourceServerId = resourceServer == null ? 
null : resourceServer.getId(); String cacheKey = getPermissionTicketByResourceNameAndGranted(resourceName, userId, resourceServerId); - return cacheQuery(cacheKey, PermissionTicketListQuery.class, () -> getPermissionTicketStoreDelegate().findGranted(resourceName, userId, resourceServerId), - (revision, permissions) -> new PermissionTicketResourceListQuery(revision, cacheKey, resourceName, permissions.stream().map(permission -> permission.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId); + return cacheQuery(cacheKey, PermissionTicketListQuery.class, () -> getPermissionTicketStoreDelegate().findGranted(resourceServer, resourceName, userId), + (revision, permissions) -> new PermissionTicketResourceListQuery(revision, cacheKey, resourceName, permissions.stream().map(PermissionTicket::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); } @Override - public List findGrantedResources(String requester, String name, int first, int max) { + public List findGrantedResources(String requester, String name, Integer first, Integer max) { return getPermissionTicketStoreDelegate().findGrantedResources(requester, name, first, max); } @Override - public List findGrantedOwnerResources(String owner, int first, int max) { - return getPermissionTicketStoreDelegate().findGrantedOwnerResources(owner, first, max); + public List findGrantedOwnerResources(String owner, Integer firstResult, Integer maxResults) { + return getPermissionTicketStoreDelegate().findGrantedOwnerResources(owner, firstResult, maxResults); } @Override - public List findByOwner(String owner, String resourceServerId) { + public List findByOwner(ResourceServer resourceServer, String owner) { + String resourceServerId = resourceServer == null ? 
null : resourceServer.getId(); String cacheKey = getPermissionTicketByOwner(owner, resourceServerId); - return cacheQuery(cacheKey, PermissionTicketListQuery.class, () -> getPermissionTicketStoreDelegate().findByOwner(owner, resourceServerId), - (revision, permissions) -> new PermissionTicketListQuery(revision, cacheKey, permissions.stream().map(permission -> permission.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId); + return cacheQuery(cacheKey, PermissionTicketListQuery.class, () -> getPermissionTicketStoreDelegate().findByOwner(resourceServer, owner), + (revision, permissions) -> new PermissionTicketListQuery(revision, cacheKey, permissions.stream().map(PermissionTicket::getId).collect(Collectors.toSet()), resourceServerId), resourceServer); } - private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, String resourceServerId) { + private List cacheQuery(String cacheKey, Class queryType, Supplier> resultSupplier, BiFunction, Q> querySupplier, ResourceServer resourceServer) { Q query = cache.get(cacheKey, queryType); if (query != null) { logger.tracev("cache hit for key: {0}", cacheKey); @@ -1248,7 +1271,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider { } else if (query.isInvalid(invalidations)) { return resultSupplier.get(); } else { - return query.getPermissions().stream().map(resourceId -> (R) findById(resourceId, resourceServerId)).collect(Collectors.toList()); + return query.getPermissions().stream().map(resourceId -> (R) findById(resourceServer, resourceId)).collect(Collectors.toList()); } } } diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedResource.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedResource.java index db12a7f742..ada982feee 100644 
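Review bot: `findByScope` now dereferences `scope.getId()` before reaching the delegate, so a null `scope` throws here, whereas `JPAPermissionTicketStore.findByScope` in this same patch returns an empty list for a null scope and the old id-based code would have reached it; `findByResource` has the same unguarded `resource.getId()`. An early return, `if (scope == null) return Collections.emptyList();`, keeps the cache layer at least as lenient as the store it fronts. Separately, `String resourceServerId = resourceServer == null ? null : resourceServer.getId();` is repeated in five methods of this hunk; a private helper such as `private static String idOf(ResourceServer resourceServer) { return resourceServer == null ? null : resourceServer.getId(); }` would remove the duplication. The `@@ -1248` hunk on the same line is the tail of `cacheQuery`, whose start is inside this hunk.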
--- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedResource.java +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/entities/CachedResource.java @@ -56,7 +56,7 @@ public class CachedResource extends AbstractRevisioned implements InResourceServ this.type = resource.getType(); this.owner = resource.getOwner(); this.iconUri = resource.getIconUri(); - this.resourceServerId = resource.getResourceServer(); + this.resourceServerId = resource.getResourceServer().getId(); ownerManagedAccess = resource.isOwnerManagedAccess(); this.uris = new DefaultLazyLoader<>(source -> new HashSet<>(source.getUris()), Collections::emptySet); diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPermissionTicketStore.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPermissionTicketStore.java index cd9581d163..9ef7ef83c8 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPermissionTicketStore.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPermissionTicketStore.java @@ -37,8 +37,10 @@ import org.keycloak.authorization.jpa.entities.PermissionTicketEntity; import org.keycloak.authorization.model.PermissionTicket; import org.keycloak.authorization.model.Resource; import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; import org.keycloak.authorization.store.PermissionTicketStore; import org.keycloak.authorization.store.ResourceStore; +import org.keycloak.common.util.Time; import org.keycloak.models.utils.KeycloakModelUtils; import javax.persistence.LockModeType; 
@@ -59,14 +61,14 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { } @Override - public long count(Map attributes, String resourceServerId) { + public long count(ResourceServer resourceServer, Map attributes) { CriteriaBuilder builder = entityManager.getCriteriaBuilder(); CriteriaQuery querybuilder = builder.createQuery(Long.class); Root root = querybuilder.from(PermissionTicketEntity.class); querybuilder.select(root.get("id")); - List predicates = getPredicates(builder, root, resourceServerId, attributes); + List predicates = getPredicates(builder, root, resourceServer, attributes); querybuilder.where(predicates.toArray(new Predicate[predicates.size()])).orderBy(builder.asc(root.get("id"))); @@ -77,12 +79,12 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { private List getPredicates(CriteriaBuilder builder, Root root, - String resourceServerId, + ResourceServer resourceServer, Map attributes) { List predicates = new ArrayList<>(); - if (resourceServerId != null) { - predicates.add(builder.equal(root.get("resourceServer").get("id"), resourceServerId)); + if (resourceServer != null) { + predicates.add(builder.equal(root.get("resourceServer").get("id"), resourceServer.getId())); } attributes.forEach((filterOption, value) -> { 
@@ -127,16 +129,16 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { } @Override - public PermissionTicket create(String resourceId, String scopeId, String requester, ResourceServer resourceServer) { + public PermissionTicket create(ResourceServer resourceServer, Resource resource, Scope scope, String requester) { PermissionTicketEntity entity = new PermissionTicketEntity(); entity.setId(KeycloakModelUtils.generateId()); - entity.setResource(ResourceAdapter.toEntity(entityManager, provider.getStoreFactory().getResourceStore().findById(resourceId, resourceServer.getId()))); + entity.setResource(ResourceAdapter.toEntity(entityManager, resource)); entity.setRequester(requester); - entity.setCreatedTimestamp(System.currentTimeMillis()); + entity.setCreatedTimestamp(Time.currentTimeMillis()); - if (scopeId != null) { - entity.setScope(ScopeAdapter.toEntity(entityManager, provider.getStoreFactory().getScopeStore().findById(scopeId, resourceServer.getId()))); + if (scope != null) { + entity.setScope(ScopeAdapter.toEntity(entityManager, scope)); } entity.setOwner(entity.getResource().getOwner()); @@ -158,7 +160,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { @Override - public PermissionTicket findById(String id, String resourceServerId) { + public PermissionTicket findById(ResourceServer resourceServer, String id) { if (id == null) { return null; } 
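Review bot: `create` now stores the caller-supplied `resource` and `scope` directly, where the old code resolved them through the stores under `resourceServer.getId()`; nothing in the new body checks that `resource.getResourceServer()` is the `resourceServer` the ticket is being created for, so a ticket could end up referencing a resource of a different resource server if a caller mixes them up. Whether the old lookup actually filtered by server is not visible here, so this may be a pre-existing gap that the new signature merely makes explicit. A guard at the top, `if (!resourceServer.getId().equals(resource.getResourceServer().getId())) { throw new IllegalArgumentException("resource does not belong to the given resource server"); }`, keeps the invariant at the store boundary, and the same applies to `scope` if it exposes its resource server. The method body continues past the hunk.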
@@ -170,17 +172,17 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { } @Override - public List findByResourceServer(final String resourceServerId) { + public List findByResourceServer(final ResourceServer resourceServer) { TypedQuery query = entityManager.createNamedQuery("findPolicyIdByServerId", String.class); - query.setParameter("serverId", resourceServerId); + query.setParameter("serverId", resourceServer == null ? null : resourceServer.getId()); List result = query.getResultList(); List list = new LinkedList<>(); PermissionTicketStore ticketStore = provider.getStoreFactory().getPermissionTicketStore(); for (String id : result) { - PermissionTicket ticket = ticketStore.findById(id, resourceServerId); + PermissionTicket ticket = ticketStore.findById(resourceServer, id); if (Objects.nonNull(ticket)) { list.add(ticket); } @@ -190,19 +192,19 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { } @Override - public List findByResource(final String resourceId, String resourceServerId) { + public List findByResource(ResourceServer resourceServer, final Resource resource) { TypedQuery query = entityManager.createNamedQuery("findPermissionIdByResource", String.class); query.setFlushMode(FlushModeType.COMMIT); - query.setParameter("resourceId", resourceId); - query.setParameter("serverId", resourceServerId); + query.setParameter("resourceId", resource.getId()); + query.setParameter("serverId", resourceServer == null ? null : resourceServer.getId()); List result = query.getResultList(); List list = new LinkedList<>(); PermissionTicketStore ticketStore = provider.getStoreFactory().getPermissionTicketStore(); for (String id : result) { - PermissionTicket ticket = ticketStore.findById(id, resourceServerId); + PermissionTicket ticket = ticketStore.findById(resourceServer, id); if (Objects.nonNull(ticket)) { list.add(ticket); } 
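Review bot: `findByResource` dereferences `resource.getId()` without a null check, while the neighbouring `findByScope` (next hunk) returns an empty list for a null `scope`; a matching `if (resource == null) { return Collections.emptyList(); }` would make the two consistent (`Collections` is already used in this file). Note also that a null `resourceServer` is bound as a null `serverId` parameter; if the named query compares with `= :serverId`, that matches no rows rather than all servers, so the guard avoids an NPE but does not give "any server" semantics — the query text is not visible here, so this is something to confirm. The same binding pattern appears in `findByOwner` (`@@ -338`) and in `JPAResourceStore.findByUri`/`findByResourceServer` (`@@ -133`, `@@ -160`).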
@@ -212,8 +214,8 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { } @Override - public List findByScope(String scopeId, String resourceServerId) { - if (scopeId==null) { + public List findByScope(ResourceServer resourceServer, Scope scope) { + if (scope == null) { return Collections.emptyList(); } @@ -221,15 +223,15 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { TypedQuery query = entityManager.createNamedQuery("findPermissionIdByScope", String.class); query.setFlushMode(FlushModeType.COMMIT); - query.setParameter("scopeId", scopeId); - query.setParameter("serverId", resourceServerId); + query.setParameter("scopeId", scope.getId()); + query.setParameter("serverId", resourceServer == null ? null : resourceServer.getId()); List result = query.getResultList(); List list = new LinkedList<>(); PermissionTicketStore ticketStore = provider.getStoreFactory().getPermissionTicketStore(); for (String id : result) { - PermissionTicket ticket = ticketStore.findById(id, resourceServerId); + PermissionTicket ticket = ticketStore.findById(resourceServer, id); if (Objects.nonNull(ticket)) { list.add(ticket); } @@ -239,14 +241,14 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { } @Override - public List find(Map attributes, String resourceServerId, int firstResult, int maxResult) { + public List find(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResult) { CriteriaBuilder builder = entityManager.getCriteriaBuilder(); CriteriaQuery querybuilder = builder.createQuery(PermissionTicketEntity.class); Root root = querybuilder.from(PermissionTicketEntity.class); querybuilder.select(root.get("id")); - List predicates = getPredicates(builder, root, resourceServerId, attributes); + List predicates = getPredicates(builder, root, resourceServer, attributes); querybuilder.where(predicates.toArray(new Predicate[predicates.size()])).orderBy(builder.asc(root.get("id"))); 
@@ -257,7 +259,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { PermissionTicketStore ticketStore = provider.getStoreFactory().getPermissionTicketStore(); for (String id : result) { - PermissionTicket ticket = ticketStore.findById(id, resourceServerId); + PermissionTicket ticket = ticketStore.findById(resourceServer, id); if (Objects.nonNull(ticket)) { list.add(ticket); } @@ -267,28 +269,28 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { } @Override - public List findGranted(String userId, String resourceServerId) { + public List findGranted(ResourceServer resourceServer, String userId) { Map filters = new EnumMap<>(PermissionTicket.FilterOption.class); filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString()); filters.put(PermissionTicket.FilterOption.REQUESTER, userId); - return find(filters, resourceServerId, -1, -1); + return find(resourceServer, filters, null, null); } @Override - public List findGranted(String resourceName, String userId, String resourceServerId) { + public List findGranted(ResourceServer resourceServer, String resourceName, String userId) { Map filters = new EnumMap<>(PermissionTicket.FilterOption.class); filters.put(PermissionTicket.FilterOption.RESOURCE_NAME, resourceName); filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString()); filters.put(PermissionTicket.FilterOption.REQUESTER, userId); - return find(filters, resourceServerId, -1, -1); + return find(resourceServer, filters, null, null); } @Override - public List findGrantedResources(String requester, String name, int first, int max) { + public List findGrantedResources(String requester, String name, Integer first, Integer max) { TypedQuery query = name == null ? entityManager.createNamedQuery("findGrantedResources", String.class) : entityManager.createNamedQuery("findGrantedResourcesByName", String.class); 
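Review bot: both `findGranted` overloads now pass `null, null` where they passed `-1, -1`, so "no pagination" is signalled by null on this path; `find` hands these values to `paginateQuery`, which is outside the hunk, so whether it accepts null cannot be confirmed from here and is worth a check. If null is the intended convention, a comment on the call, `// null = no pagination`, would record it, since the `JPAResourceStore` hunk further down still treats `-1` as the sentinel.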
@@ -305,7 +307,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { ResourceStore resourceStore = provider.getStoreFactory().getResourceStore(); for (String id : result) { - Resource resource = resourceStore.findById(id, null); + Resource resource = resourceStore.findById(null, id); if (Objects.nonNull(resource)) { list.add(resource); @@ -316,18 +318,18 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { } @Override - public List findGrantedOwnerResources(String owner, int first, int max) { + public List findGrantedOwnerResources(String owner, Integer firstResult, Integer maxResults) { TypedQuery query = entityManager.createNamedQuery("findGrantedOwnerResources", String.class); query.setFlushMode(FlushModeType.COMMIT); query.setParameter("owner", owner); - List result = paginateQuery(query, first, max).getResultList(); + List result = paginateQuery(query, firstResult, maxResults).getResultList(); List list = new LinkedList<>(); ResourceStore resourceStore = provider.getStoreFactory().getResourceStore(); for (String id : result) { - Resource resource = resourceStore.findById(id, null); + Resource resource = resourceStore.findById(null, id); if (Objects.nonNull(resource)) { list.add(resource); @@ -338,11 +340,11 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { } @Override - public List findByOwner(String owner, String resourceServerId) { + public List findByOwner(ResourceServer resourceServer, String owner) { TypedQuery query = entityManager.createNamedQuery("findPolicyIdByType", String.class); query.setFlushMode(FlushModeType.COMMIT); - query.setParameter("serverId", resourceServerId); + query.setParameter("serverId", resourceServer == null ? null : resourceServer.getId()); query.setParameter("owner", owner); List result = query.getResultList(); 
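Review bot: `findGrantedOwnerResources` renames its pagination parameters to `firstResult, maxResults`, but the adjacent `findGrantedResources` in the previous hunk keeps `first, max`, so two methods touched by the same change on the same store now spell the same concept differently. Aligning them, e.g. `Integer firstResult, Integer maxResults` on both, keeps the interface readable; the sentinel handling itself lives in `paginateQuery`, outside the hunk.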
@@ -350,7 +352,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore { PermissionTicketStore ticketStore = provider.getStoreFactory().getPermissionTicketStore(); for (String id : result) { - PermissionTicket ticket = ticketStore.findById(id, resourceServerId); + PermissionTicket ticket = ticketStore.findById(resourceServer, id); if (Objects.nonNull(ticket)) { list.add(ticket); } diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java index 3a1bb83b59..f5678ad1b8 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java @@ -24,6 +24,7 @@ import java.util.List; import java.util.Map; import java.util.Objects; import java.util.function.Consumer; +import java.util.stream.Collectors; import javax.persistence.EntityManager; import javax.persistence.FlushModeType; @@ -37,7 +38,9 @@ import javax.persistence.criteria.Root; import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.jpa.entities.PolicyEntity; import org.keycloak.authorization.model.Policy; +import org.keycloak.authorization.model.Resource; import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; import org.keycloak.authorization.store.PolicyStore; import org.keycloak.authorization.store.StoreFactory; import org.keycloak.models.utils.KeycloakModelUtils; @@ -60,7 +63,7 @@ public class JPAPolicyStore implements PolicyStore { } @Override - public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) { + public Policy create(ResourceServer resourceServer, AbstractPolicyRepresentation representation) { PolicyEntity entity = new PolicyEntity(); if (representation.getId() == null) { 
@@ -89,7 +92,7 @@ public class JPAPolicyStore implements PolicyStore { @Override - public Policy findById(String id, String resourceServerId) { + public Policy findById(ResourceServer resourceServer, String id) { if (id == null) { return null; } @@ -104,11 +107,11 @@ public class JPAPolicyStore implements PolicyStore { } @Override - public Policy findByName(String name, String resourceServerId) { + public Policy findByName(ResourceServer resourceServer, String name) { TypedQuery query = entityManager.createNamedQuery("findPolicyIdByName", PolicyEntity.class); query.setFlushMode(FlushModeType.COMMIT); - query.setParameter("serverId", resourceServerId); + query.setParameter("serverId", resourceServer.getId()); query.setParameter("name", name); try { @@ -119,15 +122,15 @@ public class JPAPolicyStore implements PolicyStore { } @Override - public List findByResourceServer(final String resourceServerId) { + public List findByResourceServer(final ResourceServer resourceServer) { TypedQuery query = entityManager.createNamedQuery("findPolicyIdByServerId", String.class); - query.setParameter("serverId", resourceServerId); + query.setParameter("serverId", resourceServer.getId()); List result = query.getResultList(); List list = new LinkedList<>(); for (String id : result) { - Policy policy = provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId); + Policy policy = provider.getStoreFactory().getPolicyStore().findById(resourceServer, id); if (Objects.nonNull(policy)) { list.add(policy); } 
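Review bot: `findByName` and `findByResourceServer` call `resourceServer.getId()` unconditionally, whereas `JPAPermissionTicketStore` in this same patch and `findByResourceServer(ResourceServer, Map, Integer, Integer)` in the next hunk guard `resourceServer == null`; the `PolicyStore` side therefore fails with a bare NPE on a null argument without stating that null is rejected. Making the precondition explicit with `Objects.requireNonNull(resourceServer, "resourceServer");` at the top of each method (`Objects` is already imported) turns an accidental NPE into a documented contract, and a `@throws NullPointerException` line on the interface would settle which stores accept null. The same unguarded dereference appears in `findByResource`, `findByResourceType`, `findByScopes`, `findByType` and `findDependentPolicies` (`@@ -205`, `@@ -244`, `@@ -282`, `@@ -301`).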
@@ -136,15 +139,15 @@ public class JPAPolicyStore implements PolicyStore { } @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { + public List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults) { CriteriaBuilder builder = entityManager.getCriteriaBuilder(); CriteriaQuery querybuilder = builder.createQuery(PolicyEntity.class); Root root = querybuilder.from(PolicyEntity.class); List predicates = new ArrayList(); querybuilder.select(root.get("id")); - if (resourceServerId != null) { - predicates.add(builder.equal(root.get("resourceServer").get("id"), resourceServerId)); + if (resourceServer != null) { + predicates.add(builder.equal(root.get("resourceServer").get("id"), resourceServer.getId())); } attributes.forEach((filterOption, value) -> { @@ -193,10 +196,10 @@ public class JPAPolicyStore implements PolicyStore { TypedQuery query = entityManager.createQuery(querybuilder); - List result = paginateQuery(query, firstResult, maxResult).getResultList(); + List result = paginateQuery(query, firstResult, maxResults).getResultList(); List list = new LinkedList<>(); for (String id : result) { - Policy policy = provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId); + Policy policy = provider.getStoreFactory().getPolicyStore().findById(resourceServer, id); if (Objects.nonNull(policy)) { list.add(policy); } 
@@ -205,28 +208,28 @@ public class JPAPolicyStore implements PolicyStore { } @Override - public void findByResource(String resourceId, String resourceServerId, Consumer consumer) { + public void findByResource(ResourceServer resourceServer, Resource resource, Consumer consumer) { TypedQuery query = entityManager.createNamedQuery("findPolicyIdByResource", PolicyEntity.class); query.setFlushMode(FlushModeType.COMMIT); - query.setParameter("resourceId", resourceId); - query.setParameter("serverId", resourceServerId); + query.setParameter("resourceId", resource.getId()); + query.setParameter("serverId", resourceServer.getId()); PolicyStore storeFactory = provider.getStoreFactory().getPolicyStore(); closing(query.getResultStream() - .map(entity -> storeFactory.findById(entity.getId(), resourceServerId)) + .map(entity -> storeFactory.findById(resourceServer, entity.getId())) .filter(Objects::nonNull)) .forEach(consumer::accept); } @Override - public void findByResourceType(String resourceType, String resourceServerId, Consumer consumer) { + public void findByResourceType(ResourceServer resourceServer, String resourceType, Consumer consumer) { TypedQuery query = entityManager.createNamedQuery("findPolicyIdByResourceType", PolicyEntity.class); query.setFlushMode(FlushModeType.COMMIT); query.setParameter("type", resourceType); - query.setParameter("serverId", resourceServerId); + query.setParameter("serverId", resourceServer.getId()); closing(query.getResultStream() .map(id -> new PolicyAdapter(id, entityManager, provider.getStoreFactory())) @@ -235,8 +238,8 @@ public class JPAPolicyStore implements PolicyStore { } @Override - public List findByScopeIds(List scopeIds, String resourceServerId) { - if (scopeIds==null || scopeIds.isEmpty()) { + public List findByScopes(ResourceServer resourceServer, List scopes) { + if (scopes==null || scopes.isEmpty()) { return Collections.emptyList(); } 
@@ -244,34 +247,34 @@ public class JPAPolicyStore implements PolicyStore { TypedQuery query = entityManager.createNamedQuery("findPolicyIdByScope", PolicyEntity.class); query.setFlushMode(FlushModeType.COMMIT); - query.setParameter("scopeIds", scopeIds); - query.setParameter("serverId", resourceServerId); + query.setParameter("scopeIds", scopes.stream().map(Scope::getId).collect(Collectors.toSet())); + query.setParameter("serverId", resourceServer.getId()); List list = new LinkedList<>(); PolicyStore storeFactory = provider.getStoreFactory().getPolicyStore(); for (PolicyEntity entity : query.getResultList()) { - list.add(storeFactory.findById(entity.getId(), resourceServerId)); + list.add(storeFactory.findById(resourceServer, entity.getId())); } return list; } @Override - public void findByScopeIds(List scopeIds, String resourceId, String resourceServerId, Consumer consumer) { + public void findByScopes(ResourceServer resourceServer, Resource resource, List scopes, Consumer consumer) { // Use separate subquery to handle DB2 and MSSSQL TypedQuery query; - if (resourceId == null) { + if (resource == null) { query = entityManager.createNamedQuery("findPolicyIdByNullResourceScope", PolicyEntity.class); } else { query = entityManager.createNamedQuery("findPolicyIdByResourceScope", PolicyEntity.class); - query.setParameter("resourceId", resourceId); + query.setParameter("resourceId", resource.getId()); } query.setFlushMode(FlushModeType.COMMIT); - query.setParameter("scopeIds", scopeIds); - query.setParameter("serverId", resourceServerId); + query.setParameter("scopeIds", scopes.stream().map(Scope::getId).collect(Collectors.toSet())); + query.setParameter("serverId", resourceServer.getId()); StoreFactory storeFactory = provider.getStoreFactory(); 
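Review bot: the consumer variant of `findByScopes` calls `scopes.stream()` without the `scopes == null || scopes.isEmpty()` guard that the list-returning variant in the previous hunk has, so a null list now throws an NPE before the query runs (the old code bound `scopeIds` straight into the query, so the failure mode has moved into Java code). Adding the same early return, `if (scopes == null || scopes.isEmpty()) { return; }`, keeps the two overloads consistent; whether an empty `IN` collection is tolerated by the named query is not visible here. The method continues past the hunk.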
@@ -282,17 +285,17 @@ public class JPAPolicyStore implements PolicyStore { } @Override - public List findByType(String type, String resourceServerId) { + public List findByType(ResourceServer resourceServer, String type) { TypedQuery query = entityManager.createNamedQuery("findPolicyIdByType", String.class); query.setFlushMode(FlushModeType.COMMIT); - query.setParameter("serverId", resourceServerId); + query.setParameter("serverId", resourceServer.getId()); query.setParameter("type", type); List result = query.getResultList(); List list = new LinkedList<>(); for (String id : result) { - Policy policy = provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId); + Policy policy = provider.getStoreFactory().getPolicyStore().findById(resourceServer, id); if (Objects.nonNull(policy)) { list.add(policy); } @@ -301,18 +304,18 @@ public class JPAPolicyStore implements PolicyStore { } @Override - public List findDependentPolicies(String policyId, String resourceServerId) { + public List findDependentPolicies(ResourceServer resourceServer, String policyId) { TypedQuery query = entityManager.createNamedQuery("findPolicyIdByDependentPolices", String.class); query.setFlushMode(FlushModeType.COMMIT); - query.setParameter("serverId", resourceServerId); + query.setParameter("serverId", resourceServer.getId()); query.setParameter("policyId", policyId); List result = query.getResultList(); List list = new LinkedList<>(); for (String id : result) { - Policy policy = provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId); + Policy policy = provider.getStoreFactory().getPolicyStore().findById(resourceServer, id); if (Objects.nonNull(policy)) { list.add(policy); } diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceStore.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceStore.java index 2d760d32a9..a327d7ef17 100644 
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceStore.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceStore.java @@ -21,6 +21,7 @@ import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.jpa.entities.ResourceEntity; import org.keycloak.authorization.model.Resource; import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; import org.keycloak.authorization.store.ResourceStore; import org.keycloak.authorization.store.StoreFactory; import org.keycloak.models.utils.KeycloakModelUtils; @@ -38,7 +39,9 @@ import java.util.ArrayList; import java.util.LinkedList; import java.util.List; import java.util.Map; +import java.util.Set; import java.util.function.Consumer; +import java.util.stream.Collectors; import static org.keycloak.models.jpa.PaginationUtils.paginateQuery; import static org.keycloak.utils.StreamsUtil.closing; @@ -57,7 +60,7 @@ public class JPAResourceStore implements ResourceStore { } @Override - public Resource create(String id, String name, ResourceServer resourceServer, String owner) { + public Resource create(ResourceServer resourceServer, String id, String name, String owner) { ResourceEntity entity = new ResourceEntity(); if (id == null) { @@ -86,7 +89,7 @@ public class JPAResourceStore implements ResourceStore { } @Override - public Resource findById(String id, String resourceServerId) { + public Resource findById(ResourceServer resourceServer, String id) { if (id == null) { return null; } 
@@ -97,24 +100,24 @@ public class JPAResourceStore implements ResourceStore { } @Override - public void findByOwner(String ownerId, String resourceServerId, Consumer consumer) { - findByOwnerFilter(ownerId, resourceServerId, consumer, -1, -1); + public void findByOwner(ResourceServer resourceServer, String ownerId, Consumer consumer) { + findByOwnerFilter(ownerId, resourceServer, consumer, -1, -1); } @Override - public List findByOwner(String ownerId, String resourceServerId, int first, int max) { + public List findByOwner(ResourceServer resourceServer, String ownerId, Integer firstResult, Integer maxResults) { List list = new LinkedList<>(); - findByOwnerFilter(ownerId, resourceServerId, list::add, first, max); + findByOwnerFilter(ownerId, resourceServer, list::add, firstResult, maxResults); return list; } - private void findByOwnerFilter(String ownerId, String resourceServerId, Consumer consumer, int firstResult, int maxResult) { + private void findByOwnerFilter(String ownerId, ResourceServer resourceServer, Consumer consumer, int firstResult, int maxResult) { boolean pagination = firstResult > -1 && maxResult > -1; String queryName = pagination ? "findResourceIdByOwnerOrdered" : "findResourceIdByOwner"; - if (resourceServerId == null) { + if (resourceServer == null) { queryName = pagination ? "findAnyResourceIdByOwnerOrdered" : "findAnyResourceIdByOwner"; } @@ -123,8 +126,8 @@ public class JPAResourceStore implements ResourceStore { query.setFlushMode(FlushModeType.COMMIT); query.setParameter("owner", ownerId); - if (resourceServerId != null) { - query.setParameter("serverId", resourceServerId); + if (resourceServer != null) { + query.setParameter("serverId", resourceServer.getId()); } if (pagination) { 
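Review bot: The public `findByOwner(ResourceServer, String, Integer, Integer)` now accepts boxed pagination values but forwards them to `findByOwnerFilter(..., int firstResult, int maxResult)`, so a null `firstResult` or `maxResults`, which this commit uses as the "no pagination" value elsewhere (`find(resourceServer, filters, null, null)` in MapPermissionTicketStore), unboxes to a NullPointerException before any query runs. Either widen the private helper to `Integer` and fold null into the existing `boolean pagination = ...` test, or coalesce at the call site: `findByOwnerFilter(ownerId, resourceServer, list::add, firstResult == null ? -1 : firstResult, maxResults == null ? -1 : maxResults);`. The helper's body continues past this hunk, so the pagination branch that consumes the values is not visible here.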
@@ -133,23 +136,23 @@ public class JPAResourceStore implements ResourceStore { } ResourceStore resourceStore = provider.getStoreFactory().getResourceStore(); - closing(query.getResultStream().map(id -> resourceStore.findById(id.getId(), resourceServerId))).forEach(consumer); + closing(query.getResultStream().map(id -> resourceStore.findById(resourceServer, id.getId()))).forEach(consumer); } @Override - public List findByUri(String uri, String resourceServerId) { + public List findByUri(ResourceServer resourceServer, String uri) { TypedQuery query = entityManager.createNamedQuery("findResourceIdByUri", String.class); query.setFlushMode(FlushModeType.COMMIT); query.setParameter("uri", uri); - query.setParameter("serverId", resourceServerId); + query.setParameter("serverId", resourceServer == null ? null : resourceServer.getId()); List result = query.getResultList(); List list = new LinkedList<>(); ResourceStore resourceStore = provider.getStoreFactory().getResourceStore(); for (String id : result) { - Resource resource = resourceStore.findById(id, resourceServerId); + Resource resource = resourceStore.findById(resourceServer, id); if (resource != null) { list.add(resource); @@ -160,17 +163,17 @@ public class JPAResourceStore implements ResourceStore { } @Override - public List findByResourceServer(String resourceServerId) { + public List findByResourceServer(ResourceServer resourceServer) { TypedQuery query = entityManager.createNamedQuery("findResourceIdByServerId", String.class); - query.setParameter("serverId", resourceServerId); + query.setParameter("serverId", resourceServer == null ? null : resourceServer.getId()); List result = query.getResultList(); List list = new LinkedList<>(); ResourceStore resourceStore = provider.getStoreFactory().getResourceStore(); for (String id : result) { - Resource resource = resourceStore.findById(id, resourceServerId); + Resource resource = resourceStore.findById(resourceServer, id); if (resource != null) { list.add(resource); 
@@ -181,15 +184,15 @@ public class JPAResourceStore implements ResourceStore { } @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { + public List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults) { CriteriaBuilder builder = entityManager.getCriteriaBuilder(); CriteriaQuery querybuilder = builder.createQuery(ResourceEntity.class); Root root = querybuilder.from(ResourceEntity.class); querybuilder.select(root.get("id")); List predicates = new ArrayList(); - if (resourceServerId != null) { - predicates.add(builder.equal(root.get("resourceServer"), resourceServerId)); + if (resourceServer != null) { + predicates.add(builder.equal(root.get("resourceServer"), resourceServer.getId())); } attributes.forEach((filterOption, value) -> { @@ -229,12 +232,12 @@ public class JPAResourceStore implements ResourceStore { TypedQuery query = entityManager.createQuery(querybuilder); - List result = paginateQuery(query, firstResult, maxResult).getResultList(); + List result = paginateQuery(query, firstResult, maxResults).getResultList(); List list = new LinkedList<>(); ResourceStore resourceStore = provider.getStoreFactory().getResourceStore(); for (String id : result) { - Resource resource = resourceStore.findById(id, resourceServerId); + Resource resource = resourceStore.findById(resourceServer, id); if (resource != null) { list.add(resource); 
@@ -245,12 +248,12 @@ public class JPAResourceStore implements ResourceStore { } @Override - public void findByScope(List scopes, String resourceServerId, Consumer consumer) { + public void findByScopes(ResourceServer resourceServer, Set scopes, Consumer consumer) { TypedQuery query = entityManager.createNamedQuery("findResourceIdByScope", ResourceEntity.class); query.setFlushMode(FlushModeType.COMMIT); - query.setParameter("scopeIds", scopes); - query.setParameter("serverId", resourceServerId); + query.setParameter("scopeIds", scopes.stream().map(Scope::getId).collect(Collectors.toSet())); + query.setParameter("serverId", resourceServer == null ? null : resourceServer.getId()); StoreFactory storeFactory = provider.getStoreFactory(); @@ -260,15 +263,10 @@ public class JPAResourceStore implements ResourceStore { } @Override - public Resource findByName(String name, String resourceServerId) { - return findByName(name, resourceServerId, resourceServerId); - } - - @Override - public Resource findByName(String name, String ownerId, String resourceServerId) { + public Resource findByName(ResourceServer resourceServer, String name, String ownerId) { TypedQuery query = entityManager.createNamedQuery("findResourceIdByName", ResourceEntity.class); - query.setParameter("serverId", resourceServerId); + query.setParameter("serverId", resourceServer == null ? null : resourceServer.getId()); query.setParameter("name", name); query.setParameter("ownerId", ownerId); 
@@ -280,12 +278,12 @@ public class JPAResourceStore implements ResourceStore { } @Override - public void findByType(String type, String resourceServerId, Consumer consumer) { - findByType(type, resourceServerId, resourceServerId, consumer); + public void findByType(ResourceServer resourceServer, String type, Consumer consumer) { + findByType(resourceServer, type, resourceServer == null ? null : resourceServer.getId(), consumer); } @Override - public void findByType(String type, String owner, String resourceServerId, Consumer consumer) { + public void findByType(ResourceServer resourceServer, String type, String owner, Consumer consumer) { TypedQuery query; if (owner != null) { @@ -301,7 +299,7 @@ public class JPAResourceStore implements ResourceStore { query.setParameter("ownerId", owner); } - query.setParameter("serverId", resourceServerId); + query.setParameter("serverId", resourceServer == null ? null : resourceServer.getId()); StoreFactory storeFactory = provider.getStoreFactory(); @@ -311,12 +309,12 @@ public class JPAResourceStore implements ResourceStore { } @Override - public void findByTypeInstance(String type, String resourceServerId, Consumer consumer) { + public void findByTypeInstance(ResourceServer resourceServer, String type, Consumer consumer) { TypedQuery query = entityManager.createNamedQuery("findResourceIdByTypeInstance", ResourceEntity.class); query.setFlushMode(FlushModeType.COMMIT); query.setParameter("type", type); - query.setParameter("serverId", resourceServerId); + query.setParameter("serverId", resourceServer == null ? null : resourceServer.getId()); StoreFactory storeFactory = provider.getStoreFactory(); diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAScopeStore.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAScopeStore.java index 144347c66b..0f6dd02d3b 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAScopeStore.java 
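Review bot: The null-tolerant id extraction `resourceServer == null ? null : resourceServer.getId()` is now repeated in findByType (twice in this hunk), findByTypeInstance, findByName and findByScopes (hunk -245,12), and findByUri and findByResourceServer (hunk -133,23); a private helper `private static String serverId(ResourceServer rs) { return rs == null ? null : rs.getId(); }` would keep the "null means any server" contract in exactly one place. In the three-argument findByType the same expression is also passed as the `owner` argument, which preserves the old behaviour of defaulting the owner to the resource server id; that is easy to misread as a copy-paste slip, so a one-line comment such as `// owner defaults to the resource server id (server-owned resources), as before` would help the next reader.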
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAScopeStore.java @@ -55,12 +55,12 @@ public class JPAScopeStore implements ScopeStore { } @Override - public Scope create(final String name, final ResourceServer resourceServer) { - return create(null, name, resourceServer); + public Scope create(final ResourceServer resourceServer, final String name) { + return create(resourceServer, null, name); } @Override - public Scope create(String id, final String name, final ResourceServer resourceServer) { + public Scope create(final ResourceServer resourceServer, String id, final String name) { ScopeEntity entity = new ScopeEntity(); if (id == null) { @@ -88,7 +88,7 @@ public class JPAScopeStore implements ScopeStore { } @Override - public Scope findById(String id, String resourceServerId) { + public Scope findById(ResourceServer resourceServer, String id) { if (id == null) { return null; } 
@@ -100,45 +100,45 @@ public class JPAScopeStore implements ScopeStore { } @Override - public Scope findByName(String name, String resourceServerId) { + public Scope findByName(ResourceServer resourceServer, String name) { try { TypedQuery query = entityManager.createNamedQuery("findScopeIdByName", String.class); query.setFlushMode(FlushModeType.COMMIT); - query.setParameter("serverId", resourceServerId); + query.setParameter("serverId", resourceServer.getId()); query.setParameter("name", name); String id = query.getSingleResult(); - return provider.getStoreFactory().getScopeStore().findById(id, resourceServerId); + return provider.getStoreFactory().getScopeStore().findById(resourceServer, id); } catch (NoResultException nre) { return null; } } @Override - public List findByResourceServer(final String serverId) { + public List findByResourceServer(final ResourceServer resourceServer) { TypedQuery query = entityManager.createNamedQuery("findScopeIdByResourceServer", String.class); query.setFlushMode(FlushModeType.COMMIT); - query.setParameter("serverId", serverId); + query.setParameter("serverId", resourceServer.getId()); List result = query.getResultList(); List list = new LinkedList<>(); for (String id : result) { - list.add(provider.getStoreFactory().getScopeStore().findById(id, serverId)); + list.add(provider.getStoreFactory().getScopeStore().findById(resourceServer, id)); } return list; } @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { + public List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults) { CriteriaBuilder builder = entityManager.getCriteriaBuilder(); CriteriaQuery querybuilder = builder.createQuery(ScopeEntity.class); Root root = querybuilder.from(ScopeEntity.class); querybuilder.select(root.get("id")); List predicates = new ArrayList(); - predicates.add(builder.equal(root.get("resourceServer").get("id"), 
resourceServerId)); + predicates.add(builder.equal(root.get("resourceServer").get("id"), resourceServer.getId())); attributes.forEach((filterOption, value) -> { switch (filterOption) { @@ -157,10 +157,10 @@ public class JPAScopeStore implements ScopeStore { TypedQuery query = entityManager.createQuery(querybuilder); - List result = paginateQuery(query, firstResult, maxResult).getResultList(); + List result = paginateQuery(query, firstResult, maxResults).getResultList(); List list = new LinkedList<>(); for (Object id : result) { - list.add(provider.getStoreFactory().getScopeStore().findById((String)id, resourceServerId)); + list.add(provider.getStoreFactory().getScopeStore().findById(resourceServer, (String)id)); } return list; diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/PermissionTicketAdapter.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/PermissionTicketAdapter.java index 5d728fa52f..4b3ce67539 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/PermissionTicketAdapter.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/PermissionTicketAdapter.java @@ -20,6 +20,7 @@ import static org.keycloak.authorization.UserManagedPermissionUtil.updatePolicy; import javax.persistence.EntityManager; +import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.jpa.entities.PermissionTicketEntity; import org.keycloak.authorization.jpa.entities.PolicyEntity; import org.keycloak.authorization.jpa.entities.ScopeEntity; 
@@ -101,7 +102,8 @@ public class PermissionTicketAdapter implements PermissionTicket, JpaModel getResources() { Set set = new HashSet<>(); + ResourceServer resourceServer = getResourceServer(); for (ResourceEntity res : entity.getResources()) { - set.add(storeFactory.getResourceStore().findById(res.getId(), entity.getResourceServer().getId())); + set.add(storeFactory.getResourceStore().findById(resourceServer, res.getId())); } return Collections.unmodifiableSet(set); } @@ -177,8 +178,9 @@ public class PolicyAdapter extends AbstractAuthorizationModel implements Policy, @Override public Set getScopes() { Set set = new HashSet<>(); + ResourceServer resourceServer = getResourceServer(); for (ScopeEntity res : entity.getScopes()) { - set.add(storeFactory.getScopeStore().findById(res.getId(), entity.getResourceServer().getId())); + set.add(storeFactory.getScopeStore().findById(resourceServer, res.getId())); } return Collections.unmodifiableSet(set); } diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceAdapter.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceAdapter.java index d142050902..3dde7b8edd 100644 --- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceAdapter.java +++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceAdapter.java @@ -116,8 +116,9 @@ public class ResourceAdapter extends AbstractAuthorizationModel implements Resou @Override public List getScopes() { List scopes = new LinkedList<>(); + ResourceServer resourceServer = getResourceServer(); for (ScopeEntity scope : entity.getScopes()) { - scopes.add(storeFactory.getScopeStore().findById(scope.getId(), entity.getResourceServer())); + scopes.add(storeFactory.getScopeStore().findById(resourceServer, scope.getId())); } return Collections.unmodifiableList(scopes); 
@@ -136,8 +137,8 @@ public class ResourceAdapter extends AbstractAuthorizationModel implements Resou } @Override - public String getResourceServer() { - return entity.getResourceServer(); + public ResourceServer getResourceServer() { + return storeFactory.getResourceServerStore().findById(entity.getResourceServer()); } @Override diff --git a/model/map/src/main/java/org/keycloak/models/map/authorization/MapPermissionTicketStore.java b/model/map/src/main/java/org/keycloak/models/map/authorization/MapPermissionTicketStore.java index 24c2d2fc62..a20ebfe692 100644 --- a/model/map/src/main/java/org/keycloak/models/map/authorization/MapPermissionTicketStore.java +++ b/model/map/src/main/java/org/keycloak/models/map/authorization/MapPermissionTicketStore.java @@ -24,8 +24,11 @@ import org.keycloak.authorization.model.PermissionTicket; import org.keycloak.authorization.model.PermissionTicket.SearchableFields; import org.keycloak.authorization.model.Resource; import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; import org.keycloak.authorization.store.PermissionTicketStore; +import org.keycloak.authorization.store.ResourceServerStore; import org.keycloak.authorization.store.ResourceStore; +import org.keycloak.common.util.Time; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ModelDuplicateException; import org.keycloak.models.map.authorization.adapter.MapPermissionTicketAdapter; 
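Review bot: `getResourceServer()` now resolves the model through `storeFactory.getResourceServerStore().findById(entity.getResourceServer())` on every call, whereas before it returned the stored id; callers that use it inside a loop pay one store lookup per iteration (getScopes in the hunk above already hoists it into a local, which is the right pattern). If the entity's server id cannot change over the adapter's lifetime, memoizing the result in a field would keep this at one lookup, but I cannot confirm that invariant from this hunk. The lookup presumably can also return null when the server no longer exists, something the String-returning version could not do; document it, e.g. `/** @return the owning resource server, or null if it cannot be resolved from the store */`, so callers know to check.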
@@ -69,18 +72,18 @@ public class MapPermissionTicketStore implements PermissionTicketStore { return new MapPermissionTicketAdapter(origEntity, authorizationProvider.getStoreFactory()); } - private DefaultModelCriteria forResourceServer(String resourceServerId) { + private DefaultModelCriteria forResourceServer(ResourceServer resourceServer) { DefaultModelCriteria mcb = criteria(); - return resourceServerId == null + return resourceServer == null ? mcb : mcb.compare(SearchableFields.RESOURCE_SERVER_ID, Operator.EQ, - resourceServerId); + resourceServer.getId()); } @Override - public long count(Map attributes, String resourceServerId) { - DefaultModelCriteria mcb = forResourceServer(resourceServerId).and( + public long count(ResourceServer resourceServer, Map attributes) { + DefaultModelCriteria mcb = forResourceServer(resourceServer).and( attributes.entrySet().stream() .map(this::filterEntryToDefaultModelCriteria) .toArray(DefaultModelCriteria[]::new) 
@@ -90,33 +93,33 @@ public class MapPermissionTicketStore implements PermissionTicketStore { } @Override - public PermissionTicket create(String resourceId, String scopeId, String requester, ResourceServer resourceServer) { - LOG.tracef("create(%s, %s, %s, %s)%s", resourceId, scopeId, requester, resourceServer, getShortStackTrace()); + public PermissionTicket create(ResourceServer resourceServer, Resource resource, Scope scope, String requester) { + LOG.tracef("create(%s, %s, %s, %s)%s", resource, scope, requester, resourceServer, getShortStackTrace()); - String owner = authorizationProvider.getStoreFactory().getResourceStore().findById(resourceId, resourceServer.getId()).getOwner(); + String owner = authorizationProvider.getStoreFactory().getResourceStore().findById(resourceServer, resource.getId()).getOwner(); // @UniqueConstraint(columnNames = {"OWNER", "REQUESTER", "RESOURCE_SERVER_ID", "RESOURCE_ID", "SCOPE_ID"}) - DefaultModelCriteria mcb = forResourceServer(resourceServer.getId()) + DefaultModelCriteria mcb = forResourceServer(resourceServer) .compare(SearchableFields.OWNER, Operator.EQ, owner) - .compare(SearchableFields.RESOURCE_ID, Operator.EQ, resourceId) + .compare(SearchableFields.RESOURCE_ID, Operator.EQ, resource) .compare(SearchableFields.REQUESTER, Operator.EQ, requester); - if (scopeId != null) { - mcb = mcb.compare(SearchableFields.SCOPE_ID, Operator.EQ, scopeId); + if (scope != null) { + mcb = mcb.compare(SearchableFields.SCOPE_ID, Operator.EQ, scope.getId()); } if (tx.getCount(withCriteria(mcb)) > 0) { throw new ModelDuplicateException("Permission ticket for resource server: '" + resourceServer.getId() - + ", Resource: " + resourceId + ", owner: " + owner + ", scopeId: " + scopeId + " already exists."); + + ", Resource: " + resource + ", owner: " + owner + ", scopeId: " + scope + " already exists."); } MapPermissionTicketEntity entity = new MapPermissionTicketEntityImpl(); - entity.setResourceId(resourceId); + 
entity.setResourceId(resource.getId()); entity.setRequester(requester); - entity.setCreatedTimestamp(System.currentTimeMillis()); + entity.setCreatedTimestamp(Time.currentTimeMillis()); - if (scopeId != null) { - entity.setScopeId(scopeId); + if (scope != null) { + entity.setScopeId(scope.getId()); } entity.setOwner(owner); @@ -131,7 +134,7 @@ public class MapPermissionTicketStore implements PermissionTicketStore { public void delete(String id) { LOG.tracef("delete(%s)%s", id, getShortStackTrace()); - PermissionTicket permissionTicket = findById(id, null); + PermissionTicket permissionTicket = findById((ResourceServer) null, id); if (permissionTicket == null) return; tx.delete(id); @@ -139,10 +142,10 @@ public class MapPermissionTicketStore implements PermissionTicketStore { } @Override - public PermissionTicket findById(String id, String resourceServerId) { - LOG.tracef("findById(%s, %s)%s", id, resourceServerId, getShortStackTrace()); + public PermissionTicket findById(ResourceServer resourceServer, String id) { + LOG.tracef("findById(%s, %s)%s", id, resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(resourceServerId) + return tx.read(withCriteria(forResourceServer(resourceServer) .compare(SearchableFields.ID, Operator.EQ, id))) .findFirst() .map(this::entityToAdapter) 
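Review bot: The duplicate-ticket check in create() compares `SearchableFields.RESOURCE_ID` against the `Resource` model object itself (`.compare(SearchableFields.RESOURCE_ID, Operator.EQ, resource)`), while the entity is stored with `resource.getId()` and the scope branch correctly uses `scope.getId()`; unless the criteria builder unwraps models (nothing here shows that it does), the comparison never matches, the emulated `@UniqueConstraint` is bypassed, and a second ticket for the same owner/requester/resource/scope is created instead of raising ModelDuplicateException. Change it to `.compare(SearchableFields.RESOURCE_ID, Operator.EQ, resource.getId())` and, for readability of the error, use ids rather than models in the message: `+ ", Resource: " + resource.getId() + ", owner: " + owner + ", scopeId: " + (scope == null ? null : scope.getId()) + " already exists."`. Separately, the owner is still re-fetched via `findById(resourceServer, resource.getId()).getOwner()` even though a `Resource` model is now passed in; `resource.getOwner()` avoids the extra store read and the NPE when that lookup returns null.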
@@ -150,47 +153,47 @@ public class MapPermissionTicketStore implements PermissionTicketStore { } @Override - public List findByResourceServer(String resourceServerId) { - LOG.tracef("findByResourceServer(%s)%s", resourceServerId, getShortStackTrace()); + public List findByResourceServer(ResourceServer resourceServer) { + LOG.tracef("findByResourceServer(%s)%s", resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(resourceServerId))) + return tx.read(withCriteria(forResourceServer(resourceServer))) .map(this::entityToAdapter) .collect(Collectors.toList()); } @Override - public List findByOwner(String owner, String resourceServerId) { - LOG.tracef("findByOwner(%s, %s)%s", owner, resourceServerId, getShortStackTrace()); + public List findByOwner(ResourceServer resourceServer, String owner) { + LOG.tracef("findByOwner(%s, %s)%s", owner, resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(resourceServerId) + return tx.read(withCriteria(forResourceServer(resourceServer) .compare(SearchableFields.OWNER, Operator.EQ, owner))) .map(this::entityToAdapter) .collect(Collectors.toList()); } @Override - public List findByResource(String resourceId, String resourceServerId) { - LOG.tracef("findByResource(%s, %s)%s", resourceId, resourceServerId, getShortStackTrace()); + public List findByResource(ResourceServer resourceServer, Resource resource) { + LOG.tracef("findByResource(%s, %s)%s", resource, resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(resourceServerId) - .compare(SearchableFields.RESOURCE_ID, Operator.EQ, resourceId))) + return tx.read(withCriteria(forResourceServer(resourceServer) + .compare(SearchableFields.RESOURCE_ID, Operator.EQ, resource.getId()))) .map(this::entityToAdapter) .collect(Collectors.toList()); } @Override - public List findByScope(String scopeId, String resourceServerId) { - LOG.tracef("findByScope(%s, %s)%s", scopeId, resourceServerId, 
getShortStackTrace()); + public List findByScope(ResourceServer resourceServer, Scope scope) { + LOG.tracef("findByScope(%s, %s)%s", scope, resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(resourceServerId) - .compare(SearchableFields.SCOPE_ID, Operator.EQ, scopeId))) + return tx.read(withCriteria(forResourceServer(resourceServer) + .compare(SearchableFields.SCOPE_ID, Operator.EQ, scope.getId()))) .map(this::entityToAdapter) .collect(Collectors.toList()); } @Override - public List find(Map attributes, String resourceServerId, int firstResult, int maxResult) { - DefaultModelCriteria mcb = forResourceServer(resourceServerId); + public List find(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResult) { + DefaultModelCriteria mcb = forResourceServer(resourceServer); if (attributes.containsKey(PermissionTicket.FilterOption.RESOURCE_NAME)) { String expectedResourceName = attributes.remove(PermissionTicket.FilterOption.RESOURCE_NAME); @@ -199,7 +202,7 @@ public class MapPermissionTicketStore implements PermissionTicketStore { filterOptionStringMap.put(Resource.FilterOption.EXACT_NAME, new String[]{expectedResourceName}); - List r = authorizationProvider.getStoreFactory().getResourceStore().findByResourceServer(filterOptionStringMap, resourceServerId, -1, -1); + List r = authorizationProvider.getStoreFactory().getResourceStore().findByResourceServer(resourceServer, filterOptionStringMap, null, null); if (r == null || r.isEmpty()) { return Collections.emptyList(); } 
@@ -248,28 +251,28 @@ public class MapPermissionTicketStore implements PermissionTicketStore { } @Override - public List findGranted(String userId, String resourceServerId) { + public List findGranted(ResourceServer resourceServer, String userId) { Map filters = new EnumMap<>(PermissionTicket.FilterOption.class); filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString()); filters.put(PermissionTicket.FilterOption.REQUESTER, userId); - return find(filters, resourceServerId, -1, -1); + return find(resourceServer, filters, null, null); } @Override - public List findGranted(String resourceName, String userId, String resourceServerId) { + public List findGranted(ResourceServer resourceServer, String resourceName, String userId) { Map filters = new EnumMap<>(PermissionTicket.FilterOption.class); filters.put(PermissionTicket.FilterOption.RESOURCE_NAME, resourceName); filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString()); filters.put(PermissionTicket.FilterOption.REQUESTER, userId); - return find(filters, resourceServerId, -1, -1); + return find(resourceServer, filters, null, null); } @Override - public List findGrantedResources(String requester, String name, int first, int max) { + public List findGrantedResources(String requester, String name, Integer first, Integer max) { DefaultModelCriteria mcb = criteria(); mcb = mcb.compare(SearchableFields.REQUESTER, Operator.EQ, requester) .compare(SearchableFields.GRANTED_TIMESTAMP, Operator.EXISTS); @@ -277,6 +280,7 @@ public class MapPermissionTicketStore implements PermissionTicketStore { Function ticketResourceMapper; ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore(); + ResourceServerStore resourceServerStore = authorizationProvider.getStoreFactory().getResourceServerStore(); if (name != null) { ticketResourceMapper = ticket -> { Map filterOptionMap = new EnumMap<>(Resource.FilterOption.class); 
@@ -284,13 +288,13 @@ public class MapPermissionTicketStore implements PermissionTicketStore { filterOptionMap.put(Resource.FilterOption.ID, new String[] {ticket.getResourceId()}); filterOptionMap.put(Resource.FilterOption.NAME, new String[] {name}); - List resource = resourceStore.findByResourceServer(filterOptionMap, ticket.getResourceServerId(), -1, 1); + List resource = resourceStore.findByResourceServer(resourceServerStore.findById(ticket.getResourceServerId()), filterOptionMap, -1, 1); return resource.isEmpty() ? null : resource.get(0); }; } else { ticketResourceMapper = ticket -> resourceStore - .findById(ticket.getResourceId(), ticket.getResourceServerId()); + .findById(resourceServerStore.findById(ticket.getResourceServerId()), ticket.getResourceId()); } return paginatedStream(tx.read(withCriteria(mcb).orderBy(SearchableFields.RESOURCE_ID, ASCENDING)) 
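Review bot: The resource lookup in the name-filtering mapper passes `-1, 1` as pagination while the rest of this commit switched the "no offset" value to `null` (`find(resourceServer, filters, null, null)` in findGranted); with `Integer` parameters the two conventions now coexist in one class, so either use `null, 1` here or add a comment on why -1 is still accepted. Both mapper branches also call `resourceServerStore.findById(ticket.getResourceServerId())` per ticket inside the stream, one store read per granted ticket; if that lookup returns null, the following `findByResourceServer`/`findById` receives a null server, and the forResourceServer-style criteria in this commit treat a null server as "no filter", so a ticket could silently resolve to a resource outside its own server. Returning null from the mapper when the server is not found would be the safer default. The enclosing findGrantedResources starts before this hunk.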
@@ -301,14 +305,16 @@ public class MapPermissionTicketStore implements PermissionTicketStore { } @Override - public List findGrantedOwnerResources(String owner, int first, int max) { + public List findGrantedOwnerResources(String owner, Integer firstResult, Integer maxResults) { DefaultModelCriteria mcb = criteria(); mcb = mcb.compare(SearchableFields.OWNER, Operator.EQ, owner); + ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore(); + ResourceServerStore resourceServerStore = authorizationProvider.getStoreFactory().getResourceServerStore(); + return paginatedStream(tx.read(withCriteria(mcb).orderBy(SearchableFields.RESOURCE_ID, ASCENDING)) - .filter(distinctByKey(MapPermissionTicketEntity::getResourceId)), first, max) - .map(ticket -> authorizationProvider.getStoreFactory().getResourceStore() - .findById(ticket.getResourceId(), ticket.getResourceServerId())) + .filter(distinctByKey(MapPermissionTicketEntity::getResourceId)), firstResult, maxResults) + .map(ticket -> resourceStore.findById(resourceServerStore.findById(ticket.getResourceServerId()), ticket.getResourceId())) .collect(Collectors.toList()); } } diff --git a/model/map/src/main/java/org/keycloak/models/map/authorization/MapPolicyStore.java b/model/map/src/main/java/org/keycloak/models/map/authorization/MapPolicyStore.java index 2975de81fd..9b78fc1784 100644 --- a/model/map/src/main/java/org/keycloak/models/map/authorization/MapPolicyStore.java +++ b/model/map/src/main/java/org/keycloak/models/map/authorization/MapPolicyStore.java 
@@ -21,7 +21,9 @@ import org.jboss.logging.Logger; import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.model.Policy; import org.keycloak.authorization.model.Policy.SearchableFields; +import org.keycloak.authorization.model.Resource; import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; import org.keycloak.authorization.store.PolicyStore; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ModelDuplicateException; @@ -63,21 +65,21 @@ public class MapPolicyStore implements PolicyStore { return new MapPolicyAdapter(origEntity, authorizationProvider.getStoreFactory()); } - private DefaultModelCriteria forResourceServer(String resourceServerId) { + private DefaultModelCriteria forResourceServer(ResourceServer resourceServer) { DefaultModelCriteria mcb = criteria(); - return resourceServerId == null + return resourceServer == null ? mcb : mcb.compare(SearchableFields.RESOURCE_SERVER_ID, Operator.EQ, - resourceServerId); + resourceServer.getId()); } @Override - public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) { + public Policy create(ResourceServer resourceServer, AbstractPolicyRepresentation representation) { LOG.tracef("create(%s, %s, %s)%s", representation.getId(), resourceServer.getId(), resourceServer, getShortStackTrace()); // @UniqueConstraint(columnNames = {"NAME", "RESOURCE_SERVER_ID"}) - DefaultModelCriteria mcb = forResourceServer(resourceServer.getId()) + DefaultModelCriteria mcb = forResourceServer(resourceServer) .compare(SearchableFields.NAME, Operator.EQ, representation.getName()); if (tx.getCount(withCriteria(mcb)) > 0) { 
@@ -103,10 +105,10 @@ public class MapPolicyStore implements PolicyStore { } @Override - public Policy findById(String id, String resourceServerId) { - LOG.tracef("findById(%s, %s)%s", id, resourceServerId, getShortStackTrace()); + public Policy findById(ResourceServer resourceServer, String id) { + LOG.tracef("findById(%s, %s)%s", id, resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(resourceServerId) + return tx.read(withCriteria(forResourceServer(resourceServer) .compare(SearchableFields.ID, Operator.EQ, id))) .findFirst() .map(this::entityToAdapter) @@ -114,10 +116,10 @@ public class MapPolicyStore implements PolicyStore { } @Override - public Policy findByName(String name, String resourceServerId) { - LOG.tracef("findByName(%s, %s)%s", name, resourceServerId, getShortStackTrace()); + public Policy findByName(ResourceServer resourceServer, String name) { + LOG.tracef("findByName(%s, %s)%s", name, resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(resourceServerId) + return tx.read(withCriteria(forResourceServer(resourceServer) .compare(SearchableFields.NAME, Operator.EQ, name))) .findFirst() .map(this::entityToAdapter) 
@@ -125,19 +127,19 @@ public class MapPolicyStore implements PolicyStore { } @Override - public List findByResourceServer(String id) { - LOG.tracef("findByResourceServer(%s)%s", id, getShortStackTrace()); + public List findByResourceServer(ResourceServer resourceServer) { + LOG.tracef("findByResourceServer(%s)%s", resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(id))) + return tx.read(withCriteria(forResourceServer(resourceServer))) .map(this::entityToAdapter) .collect(Collectors.toList()); } @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { - LOG.tracef("findByResourceServer(%s, %s, %d, %d)%s", attributes, resourceServerId, firstResult, maxResult, getShortStackTrace()); + public List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults) { + LOG.tracef("findByResourceServer(%s, %s, %d, %d)%s", attributes, resourceServer, firstResult, maxResults, getShortStackTrace()); - DefaultModelCriteria mcb = forResourceServer(resourceServerId).and( + DefaultModelCriteria mcb = forResourceServer(resourceServer).and( attributes.entrySet().stream() .map(this::filterEntryToDefaultModelCriteria) .filter(Objects::nonNull) @@ -148,10 +150,10 @@ public class MapPolicyStore implements PolicyStore { mcb = mcb.compare(SearchableFields.OWNER, Operator.NOT_EXISTS); } - return tx.read(withCriteria(mcb).pagination(firstResult, maxResult, SearchableFields.NAME)) + return tx.read(withCriteria(mcb).pagination(firstResult, maxResults, SearchableFields.NAME)) .map(MapPolicyEntity::getId) // We need to go through cache - .map(id -> authorizationProvider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)) + .map(id -> authorizationProvider.getStoreFactory().getPolicyStore().findById(resourceServer, id)) .collect(Collectors.toList()); } 
@@ -194,39 +196,39 @@ public class MapPolicyStore implements PolicyStore { } @Override - public void findByResource(String resourceId, String resourceServerId, Consumer consumer) { - LOG.tracef("findByResource(%s, %s, %s)%s", resourceId, resourceServerId, consumer, getShortStackTrace()); + public void findByResource(ResourceServer resourceServer, Resource resource, Consumer consumer) { + LOG.tracef("findByResource(%s, %s, %s)%s", resourceServer, resource, consumer, getShortStackTrace()); - tx.read(withCriteria(forResourceServer(resourceServerId) - .compare(SearchableFields.RESOURCE_ID, Operator.EQ, resourceId))) + tx.read(withCriteria(forResourceServer(resourceServer) + .compare(SearchableFields.RESOURCE_ID, Operator.EQ, resource.getId()))) .map(this::entityToAdapter) .forEach(consumer); } @Override - public void findByResourceType(String type, String resourceServerId, Consumer policyConsumer) { - tx.read(withCriteria(forResourceServer(resourceServerId) + public void findByResourceType(ResourceServer resourceServer, String type, Consumer policyConsumer) { + tx.read(withCriteria(forResourceServer(resourceServer) .compare(SearchableFields.CONFIG, Operator.LIKE, (Object[]) new String[]{"defaultResourceType", type}))) .map(this::entityToAdapter) .forEach(policyConsumer); } @Override - public List findByScopeIds(List scopeIds, String resourceServerId) { - return tx.read(withCriteria(forResourceServer(resourceServerId) - .compare(SearchableFields.SCOPE_ID, Operator.IN, scopeIds))) + public List findByScopes(ResourceServer resourceServer, List scopes) { + return tx.read(withCriteria(forResourceServer(resourceServer) + .compare(SearchableFields.SCOPE_ID, Operator.IN, scopes.stream().map(Scope::getId)))) .map(this::entityToAdapter) .collect(Collectors.toList()); } @Override - public void findByScopeIds(List scopeIds, String resourceId, String resourceServerId, Consumer consumer) { - DefaultModelCriteria mcb = forResourceServer(resourceServerId) + public void 
findByScopes(ResourceServer resourceServer, Resource resource, List scopes, Consumer consumer) { + DefaultModelCriteria mcb = forResourceServer(resourceServer) .compare(SearchableFields.TYPE, Operator.EQ, "scope") - .compare(SearchableFields.SCOPE_ID, Operator.IN, scopeIds); + .compare(SearchableFields.SCOPE_ID, Operator.IN, scopes.stream().map(Scope::getId)); - if (resourceId != null) { - mcb = mcb.compare(SearchableFields.RESOURCE_ID, Operator.EQ, resourceId); + if (resource != null) { + mcb = mcb.compare(SearchableFields.RESOURCE_ID, Operator.EQ, resource.getId()); // @NamedQuery(name="findPolicyIdByNullResourceScope", query="PolicyEntity pe left join fetch pe.config c inner join pe.scopes s where pe.resourceServer.id = :serverId and pe.type = 'scope' and pe.resources is empty and s.id in (:scopeIds) and not exists (select pec from pe.config pec where KEY(pec) = 'defaultResourceType')"), } else { mcb = mcb.compare(SearchableFields.RESOURCE_ID, Operator.NOT_EXISTS) @@ -237,16 +239,16 @@ public class MapPolicyStore implements PolicyStore { } @Override - public List findByType(String type, String resourceServerId) { - return tx.read(withCriteria(forResourceServer(resourceServerId) + public List findByType(ResourceServer resourceServer, String type) { + return tx.read(withCriteria(forResourceServer(resourceServer) .compare(SearchableFields.TYPE, Operator.EQ, type))) .map(this::entityToAdapter) .collect(Collectors.toList()); } @Override - public List findDependentPolicies(String id, String resourceServerId) { - return tx.read(withCriteria(forResourceServer(resourceServerId) + public List findDependentPolicies(ResourceServer resourceServer, String id) { + return tx.read(withCriteria(forResourceServer(resourceServer) .compare(SearchableFields.ASSOCIATED_POLICY_ID, Operator.EQ, id))) .map(this::entityToAdapter) .collect(Collectors.toList()); 
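Review bot: Both findByScopes overloads pass `scopes.stream().map(Scope::getId)`, a Stream, as the Operator.IN operand where the replaced code passed a List of ids; MapResourceStore.findByScopes later in this patch does the same. Unless DefaultModelCriteria is documented to accept a Stream for IN (not visible here), materialise it first, `.compare(SearchableFields.SCOPE_ID, Operator.IN, scopes.stream().map(Scope::getId).collect(Collectors.toList()))`. A Stream can be consumed only once, so any builder that evaluates the criteria more than once would see an exhausted stream on the second pass and silently match nothing. The body of findByScopes(resourceServer, resource, scopes, consumer) continues past the hunk.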
diff --git a/model/map/src/main/java/org/keycloak/models/map/authorization/MapResourceServerStore.java b/model/map/src/main/java/org/keycloak/models/map/authorization/MapResourceServerStore.java index 042474aa3a..f95d0043e6 100644 --- a/model/map/src/main/java/org/keycloak/models/map/authorization/MapResourceServerStore.java +++ b/model/map/src/main/java/org/keycloak/models/map/authorization/MapResourceServerStore.java @@ -29,6 +29,7 @@ import org.keycloak.authorization.store.PolicyStore; import org.keycloak.authorization.store.ResourceServerStore; import org.keycloak.authorization.store.ResourceStore; import org.keycloak.authorization.store.ScopeStore; +import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ModelDuplicateException; import org.keycloak.models.ModelException; @@ -40,17 +41,14 @@ import org.keycloak.models.map.storage.MapStorage; import org.keycloak.storage.StorageId; import static org.keycloak.common.util.StackUtil.getShortStackTrace; -import org.keycloak.models.ClientModel; public class MapResourceServerStore implements ResourceServerStore { private static final Logger LOG = Logger.getLogger(MapResourceServerStore.class); private final AuthorizationProvider authorizationProvider; final MapKeycloakTransaction tx; - private final MapStorage resourceServerStore; public MapResourceServerStore(KeycloakSession session, MapStorage resourceServerStore, AuthorizationProvider provider) { - this.resourceServerStore = resourceServerStore; this.tx = resourceServerStore.createTransaction(session); this.authorizationProvider = provider; session.getTransactionManager().enlist(tx); 
@@ -64,49 +62,53 @@ public class MapResourceServerStore implements ResourceServerStore { @Override public ResourceServer create(ClientModel client) { + LOG.tracef("create(%s)%s", client.getClientId(), getShortStackTrace()); + String clientId = client.getId(); - LOG.tracef("create(%s)%s", clientId, getShortStackTrace()); - if (clientId == null) return null; if (!StorageId.isLocalStorage(clientId)) { throw new ModelException("Creating resource server from federated ClientModel not supported"); } - if (tx.read(clientId) != null) { - throw new ModelDuplicateException("Resource server already exists: " + clientId); + if (findByClient(client) != null) { + throw new ModelDuplicateException("Resource server assiciated with client : " + client.getClientId() + " already exists."); } MapResourceServerEntity entity = new MapResourceServerEntityImpl(); entity.setId(clientId); - return entityToAdapter(tx.create(entity)); + entity = tx.create(entity); + return entityToAdapter(entity); } @Override public void delete(ClientModel client) { - String id = client.getId(); - LOG.tracef("delete(%s, %s)%s", id, getShortStackTrace()); - if (id == null) return; + LOG.tracef("delete(%s, %s)%s", client.getClientId(), getShortStackTrace()); + + ResourceServer resourceServer = findByClient(client); + if (resourceServer == null) return; + + String id = resourceServer.getId(); // TODO: Simplify the following, ideally by leveraging triggers, stored procedures or ref integrity PolicyStore policyStore = authorizationProvider.getStoreFactory().getPolicyStore(); - policyStore.findByResourceServer(id).stream() + policyStore.findByResourceServer(resourceServer).stream() .map(Policy::getId) .forEach(policyStore::delete); PermissionTicketStore permissionTicketStore = authorizationProvider.getStoreFactory().getPermissionTicketStore(); - permissionTicketStore.findByResourceServer(id).stream() + permissionTicketStore.findByResourceServer(resourceServer).stream() .map(PermissionTicket::getId) 
.forEach(permissionTicketStore::delete); ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore(); - resourceStore.findByResourceServer(id).stream() + resourceStore.findByResourceServer(resourceServer).stream() .map(Resource::getId) .forEach(resourceStore::delete); ScopeStore scopeStore = authorizationProvider.getStoreFactory().getScopeStore(); - scopeStore.findByResourceServer(id).stream() + scopeStore.findByResourceServer(resourceServer).stream() .map(Scope::getId) .forEach(scopeStore::delete); diff --git a/model/map/src/main/java/org/keycloak/models/map/authorization/MapResourceStore.java b/model/map/src/main/java/org/keycloak/models/map/authorization/MapResourceStore.java index 113d819dc4..04ea0204ff 100644 --- a/model/map/src/main/java/org/keycloak/models/map/authorization/MapResourceStore.java +++ b/model/map/src/main/java/org/keycloak/models/map/authorization/MapResourceStore.java @@ -22,6 +22,7 @@ import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.model.Resource; import org.keycloak.authorization.model.Resource.SearchableFields; import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; import org.keycloak.authorization.store.ResourceStore; import org.keycloak.models.KeycloakSession; import org.keycloak.models.ModelDuplicateException; @@ -37,6 +38,7 @@ import java.util.Arrays; import java.util.LinkedList; import java.util.List; import java.util.Map; +import java.util.Set; import java.util.function.Consumer; import java.util.stream.Collectors; 
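Review bot: In delete(ClientModel) the rewritten trace call `LOG.tracef("delete(%s, %s)%s", client.getClientId(), getShortStackTrace())` still has three specifiers but only two arguments, so the stack-trace suffix fills the second `%s` and the third is left unsatisfied whenever TRACE is enabled; `LOG.tracef("delete(%s)%s", client.getClientId(), getShortStackTrace());` fixes it. In create(ClientModel) the new ModelDuplicateException text misspells "associated": `"Resource server associated with client : " + client.getClientId() + " already exists."`. The `clientId == null` early return was also dropped from create; whether `StorageId.isLocalStorage` and `tx.create` tolerate a null id is not visible here, so either restore the guard or confirm a null client id cannot reach this method.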
@@ -62,20 +64,20 @@ public class MapResourceStore implements ResourceStore { return new MapResourceAdapter(origEntity, authorizationProvider.getStoreFactory()); } - private DefaultModelCriteria forResourceServer(String resourceServerId) { + private DefaultModelCriteria forResourceServer(ResourceServer resourceServer) { DefaultModelCriteria mcb = criteria(); - return resourceServerId == null + return resourceServer == null ? mcb : mcb.compare(SearchableFields.RESOURCE_SERVER_ID, Operator.EQ, - resourceServerId); + resourceServer.getId()); } @Override - public Resource create(String id, String name, ResourceServer resourceServer, String owner) { + public Resource create(ResourceServer resourceServer, String id, String name, String owner) { LOG.tracef("create(%s, %s, %s, %s)%s", id, name, resourceServer, owner, getShortStackTrace()); // @UniqueConstraint(columnNames = {"NAME", "RESOURCE_SERVER_ID", "OWNER"}) - DefaultModelCriteria mcb = forResourceServer(resourceServer.getId()) + DefaultModelCriteria mcb = forResourceServer(resourceServer) .compare(SearchableFields.NAME, Operator.EQ, name) .compare(SearchableFields.OWNER, Operator.EQ, owner); @@ -102,10 +104,10 @@ public class MapResourceStore implements ResourceStore { } @Override - public Resource findById(String id, String resourceServerId) { - LOG.tracef("findById(%s, %s)%s", id, resourceServerId, getShortStackTrace()); + public Resource findById(ResourceServer resourceServer, String id) { + LOG.tracef("findById(%s, %s)%s", id, resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(resourceServerId) + return tx.read(withCriteria(forResourceServer(resourceServer) .compare(SearchableFields.ID, Operator.EQ, id))) .findFirst() .map(this::entityToAdapter) 
@@ -113,57 +115,57 @@ public class MapResourceStore implements ResourceStore { } @Override - public void findByOwner(String ownerId, String resourceServerId, Consumer consumer) { - findByOwnerFilter(ownerId, resourceServerId, consumer, -1, -1); + public void findByOwner(ResourceServer resourceServer, String ownerId, Consumer consumer) { + findByOwnerFilter(ownerId, resourceServer, consumer, -1, -1); } - private void findByOwnerFilter(String ownerId, String resourceServerId, Consumer consumer, int firstResult, int maxResult) { - LOG.tracef("findByOwnerFilter(%s, %s, %s, %d, %d)%s", ownerId, resourceServerId, consumer, firstResult, maxResult, getShortStackTrace()); + private void findByOwnerFilter(String ownerId, ResourceServer resourceServer, Consumer consumer, int firstResult, int maxResult) { + LOG.tracef("findByOwnerFilter(%s, %s, %s, %d, %d)%s", ownerId, resourceServer, consumer, firstResult, maxResult, getShortStackTrace()); - tx.read(withCriteria(forResourceServer(resourceServerId).compare(SearchableFields.OWNER, Operator.EQ, ownerId)) + tx.read(withCriteria(forResourceServer(resourceServer).compare(SearchableFields.OWNER, Operator.EQ, ownerId)) .pagination(firstResult, maxResult, SearchableFields.ID) ).map(this::entityToAdapter) .forEach(consumer); } @Override - public List findByOwner(String ownerId, String resourceServerId, int first, int max) { + public List findByOwner(ResourceServer resourceServer, String ownerId, Integer firstResult, Integer maxResults) { List resourceList = new LinkedList<>(); - findByOwnerFilter(ownerId, resourceServerId, resourceList::add, first, max); + findByOwnerFilter(ownerId, resourceServer, resourceList::add, firstResult, maxResults); return resourceList; } @Override - public List findByUri(String uri, String resourceServerId) { - LOG.tracef("findByUri(%s, %s)%s", uri, resourceServerId, getShortStackTrace()); + public List findByUri(ResourceServer resourceServer, String uri) { + LOG.tracef("findByUri(%s, %s)%s", uri, 
resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(resourceServerId) + return tx.read(withCriteria(forResourceServer(resourceServer) .compare(SearchableFields.URI, Operator.EQ, uri))) .map(this::entityToAdapter) .collect(Collectors.toList()); } @Override - public List findByResourceServer(String resourceServerId) { - LOG.tracef("findByResourceServer(%s)%s", resourceServerId, getShortStackTrace()); + public List findByResourceServer(ResourceServer resourceServer) { + LOG.tracef("findByResourceServer(%s)%s", resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(resourceServerId))) + return tx.read(withCriteria(forResourceServer(resourceServer))) .map(this::entityToAdapter) .collect(Collectors.toList()); } @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { - LOG.tracef("findByResourceServer(%s, %s, %d, %d)%s", attributes, resourceServerId, firstResult, maxResult, getShortStackTrace()); - DefaultModelCriteria mcb = forResourceServer(resourceServerId).and( + public List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults) { + LOG.tracef("findByResourceServer(%s, %s, %d, %d)%s", attributes, resourceServer, firstResult, maxResults, getShortStackTrace()); + DefaultModelCriteria mcb = forResourceServer(resourceServer).and( attributes.entrySet().stream() .map(this::filterEntryToDefaultModelCriteria) .toArray(DefaultModelCriteria[]::new) ); - return tx.read(withCriteria(mcb).pagination(firstResult, maxResult, SearchableFields.NAME)) + return tx.read(withCriteria(mcb).pagination(firstResult, maxResults, SearchableFields.NAME)) .map(this::entityToAdapter) .collect(Collectors.toList()); } 
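Review bot: findByOwner(ResourceServer, String, Integer, Integer) now receives boxed pagination values but forwards them to findByOwnerFilter, whose parameters remain `int firstResult, int maxResult`, so a null firstResult or maxResults unboxes to a NullPointerException before any query runs. The sibling findByResourceServer in this same hunk passes its Integer values straight to pagination(), so widen the helper to match: `private void findByOwnerFilter(String ownerId, ResourceServer resourceServer, Consumer consumer, Integer firstResult, Integer maxResult)`. The three-argument findByOwner still passes `-1, -1`, which autoboxes unchanged, and the `%d` specifiers in its trace call accept Integer.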
@@ -194,24 +196,19 @@ public class MapResourceStore implements ResourceStore { } @Override - public void findByScope(List scopes, String resourceServerId, Consumer consumer) { - LOG.tracef("findByScope(%s, %s, %s)%s", scopes, resourceServerId, consumer, getShortStackTrace()); + public void findByScopes(ResourceServer resourceServer, Set scopes, Consumer consumer) { + LOG.tracef("findByScope(%s, %s, %s)%s", scopes, resourceServer, consumer, getShortStackTrace()); - tx.read(withCriteria(forResourceServer(resourceServerId) - .compare(SearchableFields.SCOPE_ID, Operator.IN, scopes))) + tx.read(withCriteria(forResourceServer(resourceServer) + .compare(SearchableFields.SCOPE_ID, Operator.IN, scopes.stream().map(Scope::getId)))) .map(this::entityToAdapter) .forEach(consumer); } @Override - public Resource findByName(String name, String resourceServerId) { - return findByName(name, resourceServerId, resourceServerId); - } - - @Override - public Resource findByName(String name, String ownerId, String resourceServerId) { - LOG.tracef("findByName(%s, %s, %s)%s", name, ownerId, resourceServerId, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(resourceServerId) + public Resource findByName(ResourceServer resourceServer, String name, String ownerId) { + LOG.tracef("findByName(%s, %s, %s)%s", name, ownerId, resourceServer, getShortStackTrace()); + return tx.read(withCriteria(forResourceServer(resourceServer) .compare(SearchableFields.OWNER, Operator.EQ, ownerId) .compare(SearchableFields.NAME, Operator.EQ, name))) .findFirst() 
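Review bot: The two-argument findByName overload, which resolved the owner to the resource server id, is removed here while the two-argument form is still called elsewhere in this patch (AuthorizationProvider calls `findByName(resourceServer, id)`), so the resolution presumably moved to a default on ResourceStore that is outside this view. Because findByTypeInstance in this file now compares OWNER against `resourceServer.getClientId()` rather than the resource server id, confirm that the replacement default derives the owner the same way; an owner lookup keyed on one id while resources are stored under the other would return no match without any error. Separately, the trace string in findByScopes still reads `findByScope(`; `LOG.tracef("findByScopes(%s, %s, %s)%s", scopes, resourceServer, consumer, getShortStackTrace());` keeps the log in step with the rename.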
@@ -220,19 +217,19 @@ public class MapResourceStore implements ResourceStore { } @Override - public void findByType(String type, String resourceServerId, Consumer consumer) { - LOG.tracef("findByType(%s, %s, %s)%s", type, resourceServerId, consumer, getShortStackTrace()); - tx.read(withCriteria(forResourceServer(resourceServerId) + public void findByType(ResourceServer resourceServer, String type, Consumer consumer) { + LOG.tracef("findByType(%s, %s, %s)%s", type, resourceServer, consumer, getShortStackTrace()); + tx.read(withCriteria(forResourceServer(resourceServer) .compare(SearchableFields.TYPE, Operator.EQ, type))) .map(this::entityToAdapter) .forEach(consumer); } @Override - public void findByType(String type, String owner, String resourceServerId, Consumer consumer) { - LOG.tracef("findByType(%s, %s, %s, %s)%s", type, owner, resourceServerId, consumer, getShortStackTrace()); + public void findByType(ResourceServer resourceServer, String type, String owner, Consumer consumer) { + LOG.tracef("findByType(%s, %s, %s, %s)%s", type, owner, resourceServer, consumer, getShortStackTrace()); - DefaultModelCriteria mcb = forResourceServer(resourceServerId) + DefaultModelCriteria mcb = forResourceServer(resourceServer) .compare(SearchableFields.TYPE, Operator.EQ, type); if (owner != null) { 
@@ -245,10 +242,10 @@ public class MapResourceStore implements ResourceStore { } @Override - public void findByTypeInstance(String type, String resourceServerId, Consumer consumer) { - LOG.tracef("findByTypeInstance(%s, %s, %s)%s", type, resourceServerId, consumer, getShortStackTrace()); - tx.read(withCriteria(forResourceServer(resourceServerId) - .compare(SearchableFields.OWNER, Operator.NE, resourceServerId) + public void findByTypeInstance(ResourceServer resourceServer, String type, Consumer consumer) { + LOG.tracef("findByTypeInstance(%s, %s, %s)%s", type, resourceServer, consumer, getShortStackTrace()); + tx.read(withCriteria(forResourceServer(resourceServer) + .compare(SearchableFields.OWNER, Operator.NE, resourceServer.getClientId()) .compare(SearchableFields.TYPE, Operator.EQ, type))) .map(this::entityToAdapter) .forEach(consumer); diff --git a/model/map/src/main/java/org/keycloak/models/map/authorization/MapScopeStore.java b/model/map/src/main/java/org/keycloak/models/map/authorization/MapScopeStore.java index 1f706481d0..5a6579e594 100644 --- a/model/map/src/main/java/org/keycloak/models/map/authorization/MapScopeStore.java +++ b/model/map/src/main/java/org/keycloak/models/map/authorization/MapScopeStore.java 
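Review bot: findByTypeInstance dereferences `resourceServer.getClientId()` although forResourceServer, two hunks earlier in this file, is written to accept a null ResourceServer; a null argument here now fails with a NullPointerException instead of the unfiltered query the String-id version produced. Either fail fast with a clear message, `Objects.requireNonNull(resourceServer, "resourceServer");` as the first statement (java.util.Objects, if not already imported), or document on the override that this lookup, unlike its siblings, requires a non-null resource server. The method's closing brace falls outside the hunk.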
@@ -60,22 +60,22 @@ public class MapScopeStore implements ScopeStore { return new MapScopeAdapter(origEntity, authorizationProvider.getStoreFactory()); } - private DefaultModelCriteria forResourceServer(String resourceServerId) { + private DefaultModelCriteria forResourceServer(ResourceServer resourceServer) { DefaultModelCriteria mcb = criteria(); - return resourceServerId == null + return resourceServer == null ? mcb : mcb.compare(SearchableFields.RESOURCE_SERVER_ID, Operator.EQ, - resourceServerId); + resourceServer.getId()); } @Override - public Scope create(String id, String name, ResourceServer resourceServer) { + public Scope create(ResourceServer resourceServer, String id, String name) { LOG.tracef("create(%s, %s, %s)%s", id, name, resourceServer, getShortStackTrace()); // @UniqueConstraint(columnNames = {"NAME", "RESOURCE_SERVER_ID"}) - DefaultModelCriteria mcb = forResourceServer(resourceServer.getId()) + DefaultModelCriteria mcb = forResourceServer(resourceServer) .compare(SearchableFields.NAME, Operator.EQ, name); if (tx.getCount(withCriteria(mcb)) > 0) { @@ -99,10 +99,10 @@ public class MapScopeStore implements ScopeStore { } @Override - public Scope findById(String id, String resourceServerId) { - LOG.tracef("findById(%s, %s)%s", id, resourceServerId, getShortStackTrace()); + public Scope findById(ResourceServer resourceServer, String id) { + LOG.tracef("findById(%s, %s)%s", id, resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(resourceServerId) + return tx.read(withCriteria(forResourceServer(resourceServer) .compare(SearchableFields.ID, Operator.EQ, id))) .findFirst() .map(this::entityToAdapter) 
@@ -110,10 +110,10 @@ public class MapScopeStore implements ScopeStore { } @Override - public Scope findByName(String name, String resourceServerId) { - LOG.tracef("findByName(%s, %s)%s", name, resourceServerId, getShortStackTrace()); + public Scope findByName(ResourceServer resourceServer, String name) { + LOG.tracef("findByName(%s, %s)%s", name, resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(resourceServerId).compare(SearchableFields.NAME, + return tx.read(withCriteria(forResourceServer(resourceServer).compare(SearchableFields.NAME, Operator.EQ, name))) .findFirst() .map(this::entityToAdapter) @@ -121,17 +121,17 @@ public class MapScopeStore implements ScopeStore { } @Override - public List findByResourceServer(String id) { - LOG.tracef("findByResourceServer(%s)%s", id, getShortStackTrace()); + public List findByResourceServer(ResourceServer resourceServer) { + LOG.tracef("findByResourceServer(%s)%s", resourceServer, getShortStackTrace()); - return tx.read(withCriteria(forResourceServer(id))) + return tx.read(withCriteria(forResourceServer(resourceServer))) .map(this::entityToAdapter) .collect(Collectors.toList()); } @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { - DefaultModelCriteria mcb = forResourceServer(resourceServerId); + public List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults) { + DefaultModelCriteria mcb = forResourceServer(resourceServer); for (Scope.FilterOption filterOption : attributes.keySet()) { String[] value = attributes.get(filterOption); @@ -148,7 +148,7 @@ public class MapScopeStore implements ScopeStore { } } - return tx.read(withCriteria(mcb).pagination(firstResult, maxResult, SearchableFields.NAME)) + return tx.read(withCriteria(mcb).pagination(firstResult, maxResults, SearchableFields.NAME)) .map(this::entityToAdapter) .collect(Collectors.toList()); } 
diff --git a/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapPermissionTicketAdapter.java b/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapPermissionTicketAdapter.java index d5c9e6f903..a15eb479fb 100644 --- a/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapPermissionTicketAdapter.java +++ b/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapPermissionTicketAdapter.java @@ -51,13 +51,13 @@ public class MapPermissionTicketAdapter extends AbstractPermissionTicketModel { String resourceServerId = entity.getResourceServerId(); Set ids = entity.getAssociatedPolicyIds(); return ids == null ? Collections.emptySet() : ids.stream() - .map(policyId -> storeFactory.getPolicyStore().findById(policyId, resourceServerId)) + .map(policyId -> storeFactory.getPolicyStore().findById(storeFactory.getResourceServerStore().findById(resourceServerId), policyId)) .collect(Collectors.toSet()); } @Override public Set getResources() { - String resourceServerId = entity.getResourceServerId(); + ResourceServer resourceServer = getResourceServer(); Set ids = entity.getResourceIds(); return ids == null ? Collections.emptySet() : ids.stream() - .map(resourceId -> storeFactory.getResourceStore().findById(resourceId, resourceServerId)) + .map(resourceId -> storeFactory.getResourceStore().findById(resourceServer, resourceId)) .collect(Collectors.toSet()); } @Override public Set getScopes() { - String resourceServerId = entity.getResourceServerId(); + ResourceServer resourceServer = getResourceServer(); Set ids = entity.getScopeIds(); return ids == null ? Collections.emptySet() : ids.stream() - .map(scopeId -> storeFactory.getScopeStore().findById(scopeId, resourceServerId)) + .map(scopeId -> storeFactory.getScopeStore().findById(resourceServer, scopeId)) .collect(Collectors.toSet()); } 
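Review bot: In getAssociatedPolicies the resource server is re-resolved inside the stream, `storeFactory.getResourceServerStore().findById(resourceServerId)` once per policy id, whereas getResources and getScopes in the same hunk hoist a single `ResourceServer resourceServer = getResourceServer();` before the stream. Doing the same here removes the repeated store lookup and keeps the three accessors consistent: declare `ResourceServer resourceServer = getResourceServer();` in place of the resourceServerId local and map with `.map(policyId -> storeFactory.getPolicyStore().findById(resourceServer, policyId))`. The method's signature precedes the hunk.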
diff --git a/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapResourceAdapter.java b/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapResourceAdapter.java index b0768a1fcb..d4708bcf1e 100644 --- a/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapResourceAdapter.java +++ b/model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapResourceAdapter.java @@ -18,6 +18,7 @@ package org.keycloak.models.map.authorization.adapter; import org.keycloak.authorization.model.PermissionTicket; +import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.model.Scope; import org.keycloak.authorization.store.PermissionTicketStore; import org.keycloak.authorization.store.PolicyStore; @@ -90,9 +91,10 @@ public class MapResourceAdapter extends AbstractResourceModel @Override public List getScopes() { Set ids = entity.getScopeIds(); + ResourceServer resourceServer = getResourceServer(); return ids == null ? Collections.emptyList() : ids.stream() .map(id -> storeFactory - .getScopeStore().findById(id, entity.getResourceServerId())) + .getScopeStore().findById(resourceServer, id)) .collect(Collectors.toList()); } @@ -108,8 +110,8 @@ public class MapResourceAdapter extends AbstractResourceModel } @Override - public String getResourceServer() { - return entity.getResourceServerId(); + public ResourceServer getResourceServer() { + return storeFactory.getResourceServerStore().findById(entity.getResourceServerId()); } @Override 
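Review bot: getResourceServer() now performs a store lookup, `storeFactory.getResourceServerStore().findById(entity.getResourceServerId())`, on every call and can return null if the referenced server no longer exists, which the previous String-returning version could not. getScopes() in this hunk correctly hoists the result into a local, but the removeScope path in the next hunk of this file calls getResourceServer() twice in sequence; cache it in a local there as well. A Javadoc line on the override stating that the result is resolved per call and may be null would help, since the stores now dereference it (`getId()` in forResourceServer, `getClientId()` in findByTypeInstance).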
@@ -141,13 +143,13 @@ public class MapResourceAdapter extends AbstractResourceModel // The scope^ was removed from the Resource // Remove permission tickets based on the scope - List permissions = permissionStore.findByScope(scope.getId(), getResourceServer()); + List permissions = permissionStore.findByScope(getResourceServer(), scope); for (PermissionTicket permission : permissions) { permissionStore.delete(permission.getId()); } // Remove the scope from each Policy for this Resource - policyStore.findByResource(getId(), getResourceServer(), policy -> policy.removeScope(scope)); + policyStore.findByResource(getResourceServer(), this, policy -> policy.removeScope(scope)); } } diff --git a/model/map/src/main/java/org/keycloak/models/map/user/MapUserProvider.java b/model/map/src/main/java/org/keycloak/models/map/user/MapUserProvider.java index 0170892e37..04496952db 100644 --- a/model/map/src/main/java/org/keycloak/models/map/user/MapUserProvider.java +++ b/model/map/src/main/java/org/keycloak/models/map/user/MapUserProvider.java @@ -47,7 +47,6 @@ import org.keycloak.models.map.storage.ModelCriteriaBuilder.Operator; import org.keycloak.models.map.storage.criteria.DefaultModelCriteria; import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.storage.StorageId; -import org.keycloak.storage.UserStorageManager; import org.keycloak.storage.UserStorageProvider; import org.keycloak.storage.client.ClientStorageProvider; @@ -684,7 +683,7 @@ public class MapUserProvider implements UserProvider.Streams, UserCredentialStor authorizedGroups.removeIf(id -> { Map values = new EnumMap<>(Resource.FilterOption.class); values.put(Resource.FilterOption.EXACT_NAME, new String[] {"group.resource." + id}); - return resourceStore.findByResourceServer(values, null, 0, 1).isEmpty(); + return resourceStore.findByResourceServer(null, values, 0, 1).isEmpty(); }); criteria = criteria.compare(SearchableFields.ASSIGNED_GROUP, Operator.IN, authorizedGroups); 
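Review bot: MapUserProvider now passes a null ResourceServer model, `resourceStore.findByResourceServer(null, values, 0, 1)`, so this group-authorization filter depends on every ResourceStore implementation treating a null model as "all resource servers". The map implementation's forResourceServer does (earlier in this patch), but the JPA store is outside this view; a `resourceServer.getId()` there would turn the filter into a NullPointerException. Document the null contract on ResourceStore.findByResourceServer or guard it explicitly in the JPA implementation. The enclosing method starts and ends outside the hunk.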
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java b/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java index 86d9e091db..f8a4b1580c 100644 --- a/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java +++ b/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java @@ -242,20 +242,20 @@ public final class AuthorizationProvider implements Provider { ScopeStore delegate = storeFactory.getScopeStore(); @Override - public Scope create(String name, ResourceServer resourceServer) { - return delegate.create(name, resourceServer); + public Scope create(ResourceServer resourceServer, String name) { + return delegate.create(resourceServer, name); } @Override - public Scope create(String id, String name, ResourceServer resourceServer) { - return delegate.create(id, name, resourceServer); + public Scope create(ResourceServer resourceServer, String id, String name) { + return delegate.create(resourceServer, id, name); } @Override public void delete(String id) { - Scope scope = findById(id, null); + Scope scope = findById(null, id); PermissionTicketStore ticketStore = AuthorizationProvider.this.getStoreFactory().getPermissionTicketStore(); - List permissions = ticketStore.findByScope(id, scope.getResourceServer().getId()); + List permissions = ticketStore.findByScope(scope.getResourceServer(), scope); for (PermissionTicket permission : permissions) { ticketStore.delete(permission.getId()); 
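Review bot: In the ScopeStore wrapper's delete(String id), `Scope scope = findById(null, id);` is followed by `ticketStore.findByScope(scope.getResourceServer(), scope)` with no null check, so deleting an unknown id throws a NullPointerException; the PolicyStore wrapper's delete later in this file guards with `if (policy != null)`. Add the same guard after the lookup, `if (scope == null) return;`, or throw a ModelException naming the id if callers are expected to see the failure. The delete body continues past the hunk.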
@@ -265,23 +265,23 @@ public final class AuthorizationProvider implements Provider { } @Override - public Scope findById(String id, String resourceServerId) { - return delegate.findById(id, resourceServerId); + public Scope findById(ResourceServer resourceServer, String id) { + return delegate.findById(resourceServer, id); } @Override - public Scope findByName(String name, String resourceServerId) { - return delegate.findByName(name, resourceServerId); + public Scope findByName(ResourceServer resourceServer, String name) { + return delegate.findByName(resourceServer, name); } @Override - public List findByResourceServer(String id) { - return delegate.findByResourceServer(id); + public List findByResourceServer(ResourceServer resourceServer) { + return delegate.findByResourceServer(resourceServer); } @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { - return delegate.findByResourceServer(attributes, resourceServerId, firstResult, maxResult); + public List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults) { + return delegate.findByResourceServer(resourceServer, attributes, firstResult, maxResults); } }; } 
@@ -292,15 +292,15 @@ public final class AuthorizationProvider implements Provider { PolicyStore policyStore = storeFactory.getPolicyStore(); @Override - public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) { + public Policy create(ResourceServer resourceServer, AbstractPolicyRepresentation representation) { Set resources = representation.getResources(); if (resources != null) { representation.setResources(resources.stream().map(id -> { - Resource resource = storeFactory.getResourceStore().findById(id, resourceServer.getId()); + Resource resource = storeFactory.getResourceStore().findById(resourceServer, id); if (resource == null) { - resource = storeFactory.getResourceStore().findByName(id, resourceServer.getId()); + resource = storeFactory.getResourceStore().findByName(resourceServer, id); } if (resource == null) { @@ -315,10 +315,10 @@ public final class AuthorizationProvider implements Provider { if (scopes != null) { representation.setScopes(scopes.stream().map(id -> { - Scope scope = storeFactory.getScopeStore().findById(id, resourceServer.getId()); + Scope scope = storeFactory.getScopeStore().findById(resourceServer, id); if (scope == null) { - scope = storeFactory.getScopeStore().findByName(id, resourceServer.getId()); + scope = storeFactory.getScopeStore().findByName(resourceServer, id); } if (scope == null) { @@ -334,10 +334,10 @@ public final class AuthorizationProvider implements Provider { if (policies != null) { representation.setPolicies(policies.stream().map(id -> { - Policy policy = storeFactory.getPolicyStore().findById(id, resourceServer.getId()); + Policy policy = storeFactory.getPolicyStore().findById(resourceServer, id); if (policy == null) { - policy = storeFactory.getPolicyStore().findByName(id, resourceServer.getId()); + policy = storeFactory.getPolicyStore().findByName(resourceServer, id); } if (policy == null) { 
@@ -348,12 +348,12 @@ public final class AuthorizationProvider implements Provider {
 }).collect(Collectors.toSet()));
 }
- return RepresentationToModel.toModel(representation, AuthorizationProvider.this, policyStore.create(representation, resourceServer));
+ return RepresentationToModel.toModel(representation, AuthorizationProvider.this, policyStore.create(resourceServer, representation));
 }
 @Override
 public void delete(String id) {
- Policy policy = findById(id, null);
+ Policy policy = findById(null, id);
 if (policy != null) {
 ResourceServer resourceServer = policy.getResourceServer();
@@ -369,7 +369,7 @@ public final class AuthorizationProvider implements Provider {
 }
 }
- findDependentPolicies(policy.getId(), resourceServer.getId()).forEach(dependentPolicy -> {
+ findDependentPolicies(resourceServer, policy.getId()).forEach(dependentPolicy -> {
 dependentPolicy.removeAssociatedPolicy(policy);
 if (dependentPolicy.getAssociatedPolicies().isEmpty()) {
 delete(dependentPolicy.getId());
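Review bot: `Policy policy = findById(null, id);` in delete passes a null ResourceServer into the store API, but the PolicyStore Javadoc rewritten in this same commit documents findById only as `@param resourceServer the resource server`, with no statement that null is accepted; the only method that documents a null-tolerant resource server is PermissionTicketStore.find. Every backing store (JPA, map, cache) now has to treat null as "any resource server" for this delete to work, so the contract should say so, e.g. `@param resourceServer the resource server, or {@code null} to look the policy up across all resource servers`. The same applies to the resource delete in the -452 hunk, which calls `findById(null, id)` on the ResourceStore. The body of delete continues past the end of this hunk.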
@@ -381,68 +381,68 @@ public final class AuthorizationProvider implements Provider { } @Override - public Policy findById(String id, String resourceServerId) { - return policyStore.findById(id, resourceServerId); + public Policy findById(ResourceServer resourceServer, String id) { + return policyStore.findById(resourceServer, id); } @Override - public Policy findByName(String name, String resourceServerId) { - return policyStore.findByName(name, resourceServerId); + public Policy findByName(ResourceServer resourceServer, String name) { + return policyStore.findByName(resourceServer, name); } @Override - public List findByResourceServer(String resourceServerId) { - return policyStore.findByResourceServer(resourceServerId); + public List findByResourceServer(ResourceServer resourceServer) { + return policyStore.findByResourceServer(resourceServer); } @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { - return policyStore.findByResourceServer(attributes, resourceServerId, firstResult, maxResult); + public List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults) { + return policyStore.findByResourceServer(resourceServer, attributes, firstResult, maxResults); } @Override - public List findByResource(String resourceId, String resourceServerId) { - return policyStore.findByResource(resourceId, resourceServerId); + public List findByResource(ResourceServer resourceServer, Resource resource) { + return policyStore.findByResource(resourceServer, resource); } @Override - public void findByResource(String resourceId, String resourceServerId, Consumer consumer) { - policyStore.findByResource(resourceId, resourceServerId, consumer); + public void findByResource(ResourceServer resourceServer, Resource resource, Consumer consumer) { + policyStore.findByResource(resourceServer, resource, consumer); } @Override - public List findByResourceType(String 
resourceType, String resourceServerId) { - return policyStore.findByResourceType(resourceType, resourceServerId); + public List findByResourceType(ResourceServer resourceServer, String resourceType) { + return policyStore.findByResourceType(resourceServer, resourceType); } @Override - public List findByScopeIds(List scopeIds, String resourceServerId) { - return policyStore.findByScopeIds(scopeIds, resourceServerId); + public List findByScopes(ResourceServer resourceServer, List scopes) { + return policyStore.findByScopes(resourceServer, scopes); } @Override - public List findByScopeIds(List scopeIds, String resourceId, String resourceServerId) { - return policyStore.findByScopeIds(scopeIds, resourceId, resourceServerId); + public List findByScopes(ResourceServer resourceServer, Resource resource, List scopes) { + return policyStore.findByScopes(resourceServer, resource, scopes); } @Override - public void findByScopeIds(List scopeIds, String resourceId, String resourceServerId, Consumer consumer) { - policyStore.findByScopeIds(scopeIds, resourceId, resourceServerId, consumer); + public void findByScopes(ResourceServer resourceServer, Resource resource, List scopes, Consumer consumer) { + policyStore.findByScopes(resourceServer, resource, scopes, consumer); } @Override - public List findByType(String type, String resourceServerId) { - return policyStore.findByType(type, resourceServerId); + public List findByType(ResourceServer resourceServer, String type) { + return policyStore.findByType(resourceServer, type); } @Override - public List findDependentPolicies(String id, String resourceServerId) { - return policyStore.findDependentPolicies(id, resourceServerId); + public List findDependentPolicies(ResourceServer resourceServer, String id) { + return policyStore.findDependentPolicies(resourceServer, id); } @Override - public void findByResourceType(String type, String id, Consumer policyConsumer) { - policyStore.findByResourceType(type, id, policyConsumer); + public 
void findByResourceType(ResourceServer resourceServer, String type, Consumer policyConsumer) {
+ policyStore.findByResourceType(resourceServer, type, policyConsumer);
 }
 };
 }
@@ -452,28 +452,28 @@ public final class AuthorizationProvider implements Provider {
 ResourceStore delegate = storeFactory.getResourceStore();
 @Override
- public Resource create(String name, ResourceServer resourceServer, String owner) {
- return delegate.create(name, resourceServer, owner);
+ public Resource create(ResourceServer resourceServer, String name, String owner) {
+ return delegate.create(resourceServer, name, owner);
 }
 @Override
- public Resource create(String id, String name, ResourceServer resourceServer, String owner) {
- return delegate.create(id, name, resourceServer, owner);
+ public Resource create(ResourceServer resourceServer, String id, String name, String owner) {
+ return delegate.create(resourceServer, id, name, owner);
 }
 @Override
 public void delete(String id) {
- Resource resource = findById(id, null);
+ Resource resource = findById(null, id);
 StoreFactory storeFactory = AuthorizationProvider.this.getStoreFactory();
 PermissionTicketStore ticketStore = storeFactory.getPermissionTicketStore();
- List permissions = ticketStore.findByResource(id, resource.getResourceServer());
+ List permissions = ticketStore.findByResource(resource.getResourceServer(), resource);
 for (PermissionTicket permission : permissions) {
 ticketStore.delete(permission.getId());
 }
 PolicyStore policyStore = storeFactory.getPolicyStore();
- List policies = policyStore.findByResource(id, resource.getResourceServer());
+ List policies = policyStore.findByResource(resource.getResourceServer(), resource);
 for (Policy policyModel : policies) {
 if (policyModel.getResources().size() == 1) {
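Review bot: In the resource delete, `resource.getResourceServer()` on the rewritten `ticketStore.findByResource(...)` line is dereferenced right after `findById(null, id)` with no null check, so deleting an unknown or already-deleted id throws a NullPointerException instead of a clean outcome. The policy delete in the -348 hunk guards the same lookup with `if (policy != null)`; this one should too, for instance `if (resource == null) { return; }` immediately after the lookup, or throw a descriptive exception if callers rely on a failure signal. The defect predates the commit but the line is being rewritten here. The rest of delete is outside the hunk.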
@@ -487,88 +487,83 @@ public final class AuthorizationProvider implements Provider { } @Override - public Resource findById(String id, String resourceServerId) { - return delegate.findById(id, resourceServerId); + public Resource findById(ResourceServer resourceServer, String id) { + return delegate.findById(resourceServer, id); } @Override - public List findByOwner(String ownerId, String resourceServerId) { - return delegate.findByOwner(ownerId, resourceServerId); + public List findByOwner(ResourceServer resourceServer, String ownerId) { + return delegate.findByOwner(resourceServer, ownerId); } @Override - public void findByOwner(String ownerId, String resourceServerId, Consumer consumer) { - delegate.findByOwner(ownerId, resourceServerId, consumer); + public void findByOwner(ResourceServer resourceServer, String ownerId, Consumer consumer) { + delegate.findByOwner(resourceServer, ownerId, consumer); } @Override - public List findByOwner(String ownerId, String resourceServerId, int first, int max) { - return delegate.findByOwner(ownerId, resourceServerId, first, max); + public List findByOwner(ResourceServer resourceServer, String ownerId, Integer firstResult, Integer maxResults) { + return delegate.findByOwner(resourceServer, ownerId, firstResult, maxResults); } @Override - public List findByUri(String uri, String resourceServerId) { - return delegate.findByUri(uri, resourceServerId); + public List findByUri(ResourceServer resourceServer, String uri) { + return delegate.findByUri(resourceServer, uri); } @Override - public List findByResourceServer(String resourceServerId) { - return delegate.findByResourceServer(resourceServerId); + public List findByResourceServer(ResourceServer resourceServer) { + return delegate.findByResourceServer(resourceServer); } @Override - public List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult) { - return delegate.findByResourceServer(attributes, resourceServerId, firstResult, 
maxResult); + public List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults) { + return delegate.findByResourceServer(resourceServer, attributes, firstResult, maxResults); } @Override - public List findByScope(List id, String resourceServerId) { - return delegate.findByScope(id, resourceServerId); + public List findByScopes(ResourceServer resourceServer, Set scopes) { + return delegate.findByScopes(resourceServer, scopes); } @Override - public void findByScope(List scopes, String resourceServerId, Consumer consumer) { - delegate.findByScope(scopes, resourceServerId, consumer); + public void findByScopes(ResourceServer resourceServer, Set scopes, Consumer consumer) { + delegate.findByScopes(resourceServer, scopes, consumer); } @Override - public Resource findByName(String name, String resourceServerId) { - return delegate.findByName(name, resourceServerId); + public Resource findByName(ResourceServer resourceServer, String name, String ownerId) { + return delegate.findByName(resourceServer, name, ownerId); } @Override - public Resource findByName(String name, String ownerId, String resourceServerId) { - return delegate.findByName(name, ownerId, resourceServerId); + public List findByType(ResourceServer resourceServer, String type) { + return delegate.findByType(resourceServer, type); } @Override - public List findByType(String type, String resourceServerId) { - return delegate.findByType(type, resourceServerId); + public void findByType(ResourceServer resourceServer, String type, Consumer consumer) { + delegate.findByType(resourceServer, type, consumer); } @Override - public void findByType(String type, String resourceServerId, Consumer consumer) { - delegate.findByType(type, resourceServerId, consumer); + public void findByType(ResourceServer resourceServer, String type, String owner, Consumer consumer) { + delegate.findByType(resourceServer, type, owner, consumer); } @Override - public void 
findByType(String type, String owner, String resourceServerId, Consumer consumer) { - delegate.findByType(type, owner, resourceServerId, consumer); + public List findByType(ResourceServer resourceServer, String type, String owner) { + return delegate.findByType(resourceServer, type); } @Override - public List findByType(String type, String owner, String resourceServerId) { - return delegate.findByType(type, resourceServerId); + public List findByTypeInstance(ResourceServer resourceServer, String type) { + return delegate.findByTypeInstance(resourceServer, type); } @Override - public List findByTypeInstance(String type, String resourceServerId) { - return delegate.findByTypeInstance(type, resourceServerId); - } - - @Override - public void findByTypeInstance(String type, String resourceServerId, Consumer consumer) { - delegate.findByTypeInstance(type, resourceServerId, consumer); + public void findByTypeInstance(ResourceServer resourceServer, String type, Consumer consumer) { + delegate.findByTypeInstance(resourceServer, type, consumer); } }; } diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/UserManagedPermissionUtil.java b/server-spi-private/src/main/java/org/keycloak/authorization/UserManagedPermissionUtil.java index 8fbc7f1a09..556a35475e 100644 --- a/server-spi-private/src/main/java/org/keycloak/authorization/UserManagedPermissionUtil.java +++ b/server-spi-private/src/main/java/org/keycloak/authorization/UserManagedPermissionUtil.java 
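Review bot: The rewritten `findByType(ResourceServer resourceServer, String type, String owner)` still drops its `owner` argument, `return delegate.findByType(resourceServer, type);`, so a caller asking for one owner's resources of a type gets every resource of that type in the resource server — an over-broad result in an authorization component. The sibling overload with a Consumer in this same hunk forwards `owner` correctly, and since this wrapper overrides the three-argument signature from ResourceStore the delegate has it too, so the line should read `return delegate.findByType(resourceServer, type, owner);`. The bug is carried over from the removed line rather than introduced, but the refactor touched it and is the natural place to fix it.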
@@ -46,7 +46,7 @@ public class UserManagedPermissionUtil {
 filter.put(PermissionTicket.FilterOption.RESOURCE_ID, ticket.getResource().getId());
 filter.put(PermissionTicket.FilterOption.POLICY_IS_NOT_NULL, Boolean.TRUE.toString());
- List tickets = storeFactory.getPermissionTicketStore().find(filter, ticket.getResourceServer().getId(), -1, 1);
+ List tickets = storeFactory.getPermissionTicketStore().find(ticket.getResourceServer(), filter, null, null);
 if (!tickets.isEmpty()) {
 policy = tickets.iterator().next().getPolicy();
@@ -80,7 +80,7 @@ public class UserManagedPermissionUtil {
 filter.put(PermissionTicket.FilterOption.RESOURCE_ID, ticket.getResource().getId());
 filter.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString());
- List tickets = storeFactory.getPermissionTicketStore().find(filter, ticket.getResourceServer().getId(), -1, -1);
+ List tickets = storeFactory.getPermissionTicketStore().find(ticket.getResourceServer(), filter, null, null);
 if (tickets.isEmpty()) {
 PolicyStore policyStore = storeFactory.getPolicyStore();
@@ -103,7 +103,7 @@ public class UserManagedPermissionUtil {
 userPolicyRep.setName(KeycloakModelUtils.generateId());
 userPolicyRep.addUser(ticket.getRequester());
- Policy userPolicy = policyStore.create(userPolicyRep, ticket.getResourceServer());
+ Policy userPolicy = policyStore.create(ticket.getResourceServer(), userPolicyRep);
 userPolicy.setOwner(ticket.getOwner());
@@ -113,7 +113,7 @@ public class UserManagedPermissionUtil {
 policyRep.setType("uma");
 policyRep.addPolicy(userPolicy.getId());
- Policy policy = policyStore.create(policyRep, ticket.getResourceServer());
+ Policy policy = policyStore.create(ticket.getResourceServer(), policyRep);
 policy.setOwner(ticket.getOwner());
 policy.addResource(ticket.getResource());
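Review bot: The first `find(...)` call in the -46 hunk silently loses its result bound: the removed line passed `-1, 1` (at most one ticket), the new one passes `null, null`, which the new PermissionTicketStore Javadoc defines as unbounded, yet the code still reads only `tickets.iterator().next()`. Every matching ticket is now loaded just to use the first, so it should be `find(ticket.getResourceServer(), filter, null, 1)`. The second call in the -80 hunk replaced `-1, -1` and is equivalent.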
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java b/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java
index 349a2e1d6c..ee6b1333b3 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/model/Resource.java
@@ -163,7 +163,7 @@ public interface Resource {
 *
 * @return the resource server associated with this resource
 */
- String getResourceServer();
+ ResourceServer getResourceServer();
 /**
 * Returns the resource's owner, which is usually an identifier that uniquely identifies the resource's owner.
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/model/ResourceServer.java b/server-spi-private/src/main/java/org/keycloak/authorization/model/ResourceServer.java
index 6082f99649..0a01550ad0 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/model/ResourceServer.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/model/ResourceServer.java
@@ -18,10 +18,19 @@ package org.keycloak.authorization.model;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.ClientScopeModel;
+import org.keycloak.models.ProtocolMapperModel;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.RoleModel;
 import org.keycloak.representations.idm.authorization.DecisionStrategy;
 import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;
 import org.keycloak.storage.SearchableModelField;
+
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Stream;
+
 /**
 * Represents a resource server, whose resources are managed and protected. A resource server is basically an existing
 * client application in Keycloak that will also act as a resource server.
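Review bot: The ResourceServer.java import hunk adds ClientModel, ClientScopeModel, ProtocolMapperModel, RealmModel, RoleModel, Map, Set and Stream, but the only new member visible in this file's hunks is the `getClientId()` default method, which uses none of them. Unless something outside the shown hunks references these types they are unused imports and should be removed; the rest of the interface is not in view, so this needs confirming against the full file.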
@@ -83,4 +92,11 @@ public interface ResourceServer {
 * @return the decision strategy
 */
 DecisionStrategy getDecisionStrategy();
+
+ /**
+ * Returns id of a client that this {@link ResourceServer} is associated with
+ */
+ default String getClientId() {
+ return getId();
+ }
 }
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/permission/Permissions.java b/server-spi-private/src/main/java/org/keycloak/authorization/permission/Permissions.java
index bedaeb2f35..0ff27edc68 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/permission/Permissions.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/permission/Permissions.java
@@ -25,6 +25,7 @@ import java.util.HashMap;
 import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.function.Consumer;
@@ -73,16 +74,16 @@ public final class Permissions {
 }
 // obtain all resources where owner is the resource server
- resourceStore.findByOwner(resourceServer.getId(), resourceServer.getId(), resource -> {
+ resourceStore.findByOwner(resourceServer, resourceServer.getClientId(), resource -> {
 if (limit.decrementAndGet() >= 0) {
 evaluator.accept(createResourcePermissions(resource, resourceServer, resource.getScopes(), authorization, request));
 }
 });
 // resource server isn't current user
- if (resourceServer.getId() != identity.getId()) {
+ if (!Objects.equals(resourceServer.getClientId(), identity.getId())) {
 // obtain all resources where owner is the current user
- resourceStore.findByOwner(identity.getId(), resourceServer.getId(), resource -> {
+ resourceStore.findByOwner(resourceServer, identity.getId(), resource -> {
 if (limit.decrementAndGet() >= 0) {
 evaluator.accept(createResourcePermissions(resource, resourceServer, resource.getScopes(), authorization, request));
 }
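Review bot: The Javadoc on the new `getClientId()` default method has no `@return` and does not say that the default simply returns `getId()`, which is the assumption the whole commit is built to remove; ownership checks in Permissions, DecisionPermissionCollector and DefaultPolicyEvaluator now compare `resource.getOwner()` against this value, so an implementation whose resource server id differs from the client id must override it or those checks go wrong. Suggested wording: `* @return the id of the client this resource server is associated with; the default implementation returns {@link #getId()}, so implementations whose resource server id is not the client id must override this method`.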
@@ -90,7 +91,7 @@ public final class Permissions {
 }
 // obtain all resources granted to the user via permission tickets (uma)
- List tickets = storeFactory.getPermissionTicketStore().findGranted(identity.getId(), resourceServer.getId());
+ List tickets = storeFactory.getPermissionTicketStore().findGranted(resourceServer, identity.getId());
 if (!tickets.isEmpty()) {
 Map userManagedPermissions = new HashMap<>();
@@ -151,7 +152,7 @@ public final class Permissions {
 // is owned by the resource server itself
 StoreFactory storeFactory = authorization.getStoreFactory();
 ResourceStore resourceStore = storeFactory.getResourceStore();
- resourceStore.findByType(type, resourceServer.getId(), resource1 -> {
+ resourceStore.findByType(resourceServer, type, resource1 -> {
 for (Scope typeScope : resource1.getScopes()) {
 if (!scopes.contains(typeScope)) {
 scopes.add(typeScope);
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DecisionPermissionCollector.java b/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DecisionPermissionCollector.java
index ce0072d623..0ed8ab60f2 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DecisionPermissionCollector.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DecisionPermissionCollector.java
@@ -170,7 +170,7 @@ public class DecisionPermissionCollector extends AbstractDecisionCollector {
 return true;
 }
- return resource != null && !resource.getOwner().equals(resourceServer.getId());
+ return resource != null && !resource.getOwner().equals(resourceServer.getClientId());
 }
 public Collection results() {
@@ -191,7 +191,7 @@ public class DecisionPermissionCollector extends AbstractDecisionCollector {
 } else if (!grantedScopes.isEmpty()) {
 ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore();
- resourceStore.findByScope(grantedScopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId(), resource1 -> permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request)));
+ resourceStore.findByScopes(resourceServer, new HashSet<>(grantedScopes), resource1 -> permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request)));
 permissions.add(createPermission(null, scopeNames, permission.getClaims(), request));
 }
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java b/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java
index 83069e7ebf..c695d7fbc6 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java
@@ -19,6 +19,7 @@ package org.keycloak.authorization.policy.evaluation;
 import java.util.Collection;
+import java.util.LinkedList;
 import java.util.Map;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Consumer;
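Review bot: The rewritten `findByScopes` callback still ignores its `resource1` argument and adds a permission for the outer `resource` on every match, so N matching resources produce N permissions for the same resource rather than one per matched resource; this is carried over from the removed line, but since the call is being rewritten it is worth confirming whether `createPermission(resource1, ...)` was intended. Separately, `new HashSet<>(grantedScopes)` needs `java.util.HashSet` in scope and the removed `Scope::getId`/`Collectors.toList()` usages may have left those imports unused; the import block of DecisionPermissionCollector is not in this hunk, so check it.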
@@ -67,14 +68,14 @@ public class DefaultPolicyEvaluator implements PolicyEvaluator {
 Resource resource = permission.getResource();
 if (resource != null) {
- policyStore.findByResource(resource.getId(), resourceServer.getId(), policyConsumer);
+ policyStore.findByResource(resourceServer, resource, policyConsumer);
 if (resource.getType() != null) {
- policyStore.findByResourceType(resource.getType(), resourceServer.getId(), policyConsumer);
+ policyStore.findByResourceType(resourceServer, resource.getType(), policyConsumer);
- if (!resource.getOwner().equals(resourceServer.getId())) {
- for (Resource typedResource : resourceStore.findByType(resource.getType(), resourceServer.getId())) {
- policyStore.findByResource(typedResource.getId(), resourceServer.getId(), policyConsumer);
+ if (!resource.getOwner().equals(resourceServer.getClientId())) {
+ for (Resource typedResource : resourceStore.findByType(resourceServer, resource.getType())) {
+ policyStore.findByResource(resourceServer, typedResource, policyConsumer);
 }
 }
 }
@@ -83,7 +84,7 @@ public class DefaultPolicyEvaluator implements PolicyEvaluator {
 Collection scopes = permission.getScopes();
 if (!scopes.isEmpty()) {
- policyStore.findByScopeIds(scopes.stream().map(Scope::getId).collect(Collectors.toList()), null, resourceServer.getId(), policyConsumer);
+ policyStore.findByScopes(resourceServer, null, new LinkedList<>(scopes), policyConsumer);
 }
 if (verified.get()) {
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/PermissionTicketAwareDecisionResultCollector.java b/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/PermissionTicketAwareDecisionResultCollector.java
index 8131081e63..08f7e38abb 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/PermissionTicketAwareDecisionResultCollector.java
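Review bot: `new LinkedList<>(scopes)` in the -83 hunk exists only to turn a Collection into the `List` that the new `PolicyStore.findByScopes` demands, while the new `ResourceStore.findByScopes` in the previous file demands a `Set` and the caller there wraps with `new HashSet<>(...)`; the two stores were given different collection types for the same concept in one refactor, and every caller now copies its collection to satisfy whichever signature it hits. Declaring both as `Collection<Scope>` (or at least the same type) would remove the copies; if the List must stay, `new ArrayList<>(scopes)` is the conventional choice over LinkedList, and the added `java.util.LinkedList` import could go with it. The removed line's `Scope::getId` and `Collectors.toList()` may also leave imports unused outside this hunk.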
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/PermissionTicketAwareDecisionResultCollector.java
@@ -93,13 +93,13 @@ public class PermissionTicketAwareDecisionResultCollector extends DecisionPermis
 if (permissions != null) {
 for (Permission permission : permissions) {
- Resource resource = resourceStore.findById(permission.getResourceId(), resourceServer.getId());
+ Resource resource = resourceStore.findById(resourceServer, permission.getResourceId());
 if (resource == null) {
- resource = resourceStore.findByName(permission.getResourceId(), identity.getId(), resourceServer.getId());
+ resource = resourceStore.findByName(resourceServer, permission.getResourceId(), identity.getId());
 }
- if (resource == null || !resource.isOwnerManagedAccess() || resource.getOwner().equals(identity.getId()) || resource.getOwner().equals(resourceServer.getId())) {
+ if (resource == null || !resource.isOwnerManagedAccess() || resource.getOwner().equals(identity.getId()) || resource.getOwner().equals(resourceServer.getClientId())) {
 continue;
 }
@@ -116,19 +116,19 @@ public class PermissionTicketAwareDecisionResultCollector extends DecisionPermis
 filters.put(PermissionTicket.FilterOption.REQUESTER, identity.getId());
 filters.put(PermissionTicket.FilterOption.SCOPE_IS_NULL, Boolean.TRUE.toString());
- List tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, resource.getResourceServer(), -1, -1);
+ List tickets = authorization.getStoreFactory().getPermissionTicketStore().find(resource.getResourceServer(), filters, null, null);
 if (tickets.isEmpty()) {
- authorization.getStoreFactory().getPermissionTicketStore().create(resource.getId(), null, identity.getId(), resourceServer);
+ authorization.getStoreFactory().getPermissionTicketStore().create(resourceServer, resource, null, identity.getId());
 }
 } else {
 ScopeStore scopeStore = authorization.getStoreFactory().getScopeStore();
 for (String scopeId : scopes) {
- Scope scope = scopeStore.findByName(scopeId, resourceServer.getId());
+ Scope scope = scopeStore.findByName(resourceServer, scopeId);
 if (scope == null) {
- scope = scopeStore.findById(scopeId, resourceServer.getId());
+ scope = scopeStore.findById(resourceServer, scopeId);
 }
 Map filters = new EnumMap<>(PermissionTicket.FilterOption.class);
@@ -137,10 +137,10 @@ public class PermissionTicketAwareDecisionResultCollector extends DecisionPermis
 filters.put(PermissionTicket.FilterOption.REQUESTER, identity.getId());
 filters.put(PermissionTicket.FilterOption.SCOPE_ID, scope.getId());
- List tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, resource.getResourceServer(), -1, -1);
+ List tickets = authorization.getStoreFactory().getPermissionTicketStore().find(resource.getResourceServer(), filters, null, null);
 if (tickets.isEmpty()) {
- authorization.getStoreFactory().getPermissionTicketStore().create(resource.getId(), scope.getId(), identity.getId(), resourceServer);
+ authorization.getStoreFactory().getPermissionTicketStore().create(resourceServer, resource, scope, identity.getId());
 }
 }
 }
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/PermissionTicketStore.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/PermissionTicketStore.java
index d2e1ad4bb2..3db192519d 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/PermissionTicketStore.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/PermissionTicketStore.java
@@ -23,6 +23,7 @@ import java.util.Map;
 import org.keycloak.authorization.model.PermissionTicket;
 import org.keycloak.authorization.model.Resource;
 import org.keycloak.authorization.model.ResourceServer;
+import org.keycloak.authorization.model.Scope;
 /**
 * A {@link PermissionTicketStore} is responsible to manage the persistence of {@link org.keycloak.authorization.model.PermissionTicket} instances.
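Review bot: In the -137 hunk (and the -116 hunk before it) the `find(...)` call is scoped by `resource.getResourceServer()` while the `create(...)` call two lines later is scoped by the local `resourceServer`, so the same block reads as if the two could differ. The resource was resolved through `resourceServer` in the -93 hunk, so `find(resourceServer, filters, null, null)` in both places keeps the ticket lookup and ticket creation visibly on the same resource server; if the two really can differ, a short comment saying why is needed. The enclosing method starts before the -116 hunk.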
@@ -34,21 +35,23 @@ public interface PermissionTicketStore { /** * Returns count of {@link PermissionTicket}, filtered by the given attributes. * + * @param resourceServer the resource server * @param attributes permission tickets that do not match the attributes are not included with the count; possible filter options are given by {@link PermissionTicket.FilterOption} - * @param resourceServerId the resource server id * @return an integer indicating the amount of permission tickets * @throws IllegalArgumentException when there is an unknown attribute in the {@code attributes} map */ - long count(Map attributes, String resourceServerId); + long count(ResourceServer resourceServer, Map attributes); /** * Creates a new {@link PermissionTicket} instance. * - * @param permission the policy representation * @param resourceServer the resource server to which this policy belongs + * @param resource resource id + * @param scope scope id + * @param requester the policy representation * @return a new instance of {@link PermissionTicket} */ - PermissionTicket create(String resourceId, String scopeId, String requester, ResourceServer resourceServer); + PermissionTicket create(ResourceServer resourceServer, Resource resource, Scope scope, String requester); /** * Deletes a permission from the underlying persistence mechanism. 
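Review bot: The rewritten Javadoc for `create` describes the new parameters wrongly: `@param resource resource id` and `@param scope scope id` now receive model objects, and `@param requester the policy representation` is a copy of the removed line although the argument is the requester's identifier (callers pass `identity.getId()`). Callers in PermissionTicketAwareDecisionResultCollector also pass `null` for scope, which the contract should state. Suggested lines: `@param resource the resource the ticket grants access to`, `@param scope the scope the ticket is limited to, or {@code null} for a ticket on the whole resource`, `@param requester the identifier of the user requesting access`.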
@@ -60,97 +63,103 @@ public interface PermissionTicketStore { /** * Returns a {@link PermissionTicket} with the given id * + * @param resourceServer the resource server * @param id the identifier of the permission - * @param resourceServerId the resource server id * @return a permission with the given identifier. */ - PermissionTicket findById(String id, String resourceServerId); + PermissionTicket findById(ResourceServer resourceServer, String id); /** - * Returns a list of {@link PermissionTicket} associated with a {@link ResourceServer} with the given resourceServerId. + * Returns a list of {@link PermissionTicket} associated with a {@link ResourceServer}. * - * @param resourceServerId the identifier of a resource server + * @param resourceServer the resource server * @return a list of permissions belonging to the given resource server */ - List findByResourceServer(String resourceServerId); + List findByResourceServer(ResourceServer resourceServer); /** * Returns a list of {@link PermissionTicket} associated with the given owner. * + * @param resourceServer the resource server * @param owner the identifier of a resource server * @return a list of permissions belonging to the given owner */ - List findByOwner(String owner, String resourceServerId); + List findByOwner(ResourceServer resourceServer, String owner); /** - * Returns a list of {@link PermissionTicket} associated with a {@link org.keycloak.authorization.core.model.Resource} with the given resourceId. + * Returns a list of {@link PermissionTicket} associated with the {@link org.keycloak.authorization.model.Resource resource}. 
* - * @param resourceId the identifier of a resource - * @param resourceServerId the resource server id + * @param resourceServer the resource server + * @param resource the resource * @return a list of permissions associated with the given resource + * TODO: maybe we can get rid of reosourceServer param here as resource has method getResourceServer() */ - List findByResource(String resourceId, String resourceServerId); + List findByResource(ResourceServer resourceServer, Resource resource); /** - * Returns a list of {@link PermissionTicket} associated with a {@link org.keycloak.authorization.core.model.Scope} with the given scopeId. + * Returns a list of {@link PermissionTicket} associated with the {@link org.keycloak.authorization.model.Scope scope}. * - * @param scopeId the id of the scopes - * @param resourceServerId the resource server id + * @param resourceServer the resource server + * @param scope the scope * @return a list of permissions associated with the given scopes + * + * TODO: maybe we can get rid of reosourceServer param here as resource has method getResourceServer() */ - List findByScope(String scopeId, String resourceServerId); + List findByScope(ResourceServer resourceServer, Scope scope); /** * Returns a list of {@link PermissionTicket}, filtered by the given attributes. * + * @param resourceServer a resource server that resulting tickets should belong to. Ignored if {@code null} * @param attributes a map of keys and values to filter on; possible filter options are given by {@link PermissionTicket.FilterOption} - * @param resourceServerId an id of resource server that resulting tickets should belong to. Ignored if {@code null} - * @param firstResult first result to return; Ignored if negative or zero - * @param maxResult maximum number of results to return; Ignored if negative + * @param firstResult first result to return. Ignored if negative or {@code null}. + * @param maxResults maximum number of results to return. 
Ignored if negative or {@code null}. * @return a list of filtered and paginated permissions * * @throws IllegalArgumentException when there is an unknown attribute in the {@code attributes} map * */ - List find(Map attributes, String resourceServerId, int firstResult, int maxResult); + List find(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults); /** * Returns a list of {@link PermissionTicket} granted to the given {@code userId}. * + * @param resourceServer the resource server * @param userId the user id - * @param resourceServerId the resource server id * @return a list of permissions granted for a particular user */ - List findGranted(String userId, String resourceServerId); + List findGranted(ResourceServer resourceServer, String userId); /** * Returns a list of {@link PermissionTicket} with name equal to {@code resourceName} granted to the given {@code userId}. * + * @param resourceServer the resource server * @param resourceName the name of a resource * @param userId the user id - * @param resourceServerId the resource server id * @return a list of permissions granted for a particular user + * + * TODO: investigate a way how to replace resourceName with Resource class */ - List findGranted(String resourceName, String userId, String resourceServerId); + List findGranted(ResourceServer resourceServer, String resourceName, String userId); /** * Returns a list of {@link Resource} granted to the given {@code requester} * * @param requester the requester * @param name the keyword to query resources by name or null if any resource - * @param first first result - * @param max max result + * @param firstResult first result to return. Ignored if negative or {@code null}. + * @param maxResults maximum number of results to return. Ignored if negative or {@code null}. 
* @return a list of {@link Resource} granted to the given {@code requester} */ - List findGrantedResources(String requester, String name, int first, int max); + List findGrantedResources(String requester, String name, Integer firstResult, Integer maxResults); /** * Returns a list of {@link Resource} granted by the owner to other users * * @param owner the owner - * @param first first result - * @param max max result + * @param firstResult first result to return. Ignored if negative or {@code null}. + * @param maxResults maximum number of results to return. Ignored if negative or {@code null}. * @return a list of {@link Resource} granted by the owner */ - List findGrantedOwnerResources(String owner, int first, int max); + List findGrantedOwnerResources(String owner, Integer firstResult, Integer maxResults); } diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/PolicyStore.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/PolicyStore.java index e3bae83bb3..a3b2be9b8f 100644 --- a/server-spi-private/src/main/java/org/keycloak/authorization/store/PolicyStore.java +++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/PolicyStore.java @@ -24,7 +24,9 @@ import java.util.Map; import java.util.function.Consumer; import org.keycloak.authorization.model.Policy; +import org.keycloak.authorization.model.Resource; import org.keycloak.authorization.model.ResourceServer; +import org.keycloak.authorization.model.Scope; import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation; /** 
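Review bot: The two TODO lines added to the `findByResource` and `findByScope` Javadoc misspell the parameter as "reosourceServer", and the `findByScope` copy says "resource has method getResourceServer()" although that method takes a Scope, so its TODO should name the scope's resource server instead. While this block is being rewritten, the `findByOwner` context line `@param owner the identifier of a resource server` is also wrong for a method that filters by ticket owner and should say `@param owner the identifier of the owner`. These TODOs would also be better tracked as an issue than left in the public API Javadoc.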
@@ -38,11 +40,11 @@ public interface PolicyStore {
 * Creates a new {@link Policy} instance. The new instance is not necessarily persisted though, which may require
 * a call to the {#save} method to actually make it persistent.
 *
- * @param representation the policy representation
 * @param resourceServer the resource server to which this policy belongs
+ * @param representation the policy representation
 * @return a new instance of {@link Policy}
 */
- Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer);
+ Policy create(ResourceServer resourceServer, AbstractPolicyRepresentation representation);
 /**
 * Deletes a policy from the underlying persistence mechanism.
@@ -54,121 +56,137 @@ public interface PolicyStore {
 /**
 * Returns a {@link Policy} with the given id
 *
+ * @param resourceServer the resource server
 * @param id the identifier of the policy
- * @param resourceServerId the resource server id
 * @return a policy with the given identifier.
 */
- Policy findById(String id, String resourceServerId);
+ Policy findById(ResourceServer resourceServer, String id);
 /**
 * Returns a {@link Policy} with the given name
 *
+ * @param resourceServer the resource server
 * @param name the name of the policy
- * @param resourceServerId the resource server id
 * @return a policy with the given name.
 */
- Policy findByName(String name, String resourceServerId);
+ Policy findByName(ResourceServer resourceServer, String name);
 /**
 * Returns a list of {@link Policy} associated with a {@link ResourceServer} with the given resourceServerId.
 *
- * @param resourceServerId the identifier of a resource server
+ * @param resourceServer the identifier of a resource server
 * @return a list of policies that belong to the given resource server
 */
- List findByResourceServer(String resourceServerId);
+ List findByResourceServer(ResourceServer resourceServer);
 /**
 * Returns a list of {@link Policy} associated with a {@link ResourceServer} with the given resourceServerId.
 *
+ * @param resourceServer the identifier of a resource server
 * @param attributes a map holding the attributes that will be used as a filter; possible filter options are given by {@link Policy.FilterOption}
- * @param resourceServerId the identifier of a resource server
+ * @param firstResult first result to return. Ignored if negative or {@code null}.
+ * @param maxResults maximum number of results to return. Ignored if negative or {@code null}.
 * @return a list of policies that belong to the given resource server
 *
 * @throws IllegalArgumentException when there is an unknown attribute in the {@code attributes} map
 */
- List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult);
+ List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults);
 /**
- * Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.core.model.Resource} with the given resourceId.
+ * Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.model.Resource} with the given resourceId.
 *
- * @param resourceId the identifier of a resource
- * @param resourceServerId the resource server id
+ * @param resourceServer the resource server
+ * @param resource the resource
 * @return a list of policies associated with the given resource
 */
- default List findByResource(String resourceId, String resourceServerId) {
+ default List findByResource(ResourceServer resourceServer, Resource resource) {
 List result = new LinkedList<>();
- findByResource(resourceId, resourceServerId, result::add);
+ findByResource(resourceServer, resource, result::add);
 return result;
 }
- void findByResource(String resourceId, String resourceServerId, Consumer consumer);
+ /**
+ * Searches for all policies associated with the {@link org.keycloak.authorization.model.Resource} and passes the result to the {@code consumer}
+ *
+ * @param resourceServer the resourceServer
+ * @param resource the resource
+ * @param consumer consumer of policies resulted from the search
+ */
+ void findByResource(ResourceServer resourceServer, Resource resource, Consumer consumer);
 /**
- * Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.core.model.Resource} with the given type.
+ * Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.model.ResourceServer} with the given type.
 *
- * @param resourceType the type of a resource
- * @param resourceServerId the resource server id
+ * @param resourceServer the resource server id
+ * @param resourceType the type of a resource
 * @return a list of policies associated with the given resource type
 */
- default List findByResourceType(String resourceType, String resourceServerId) {
+ default List findByResourceType(ResourceServer resourceServer, String resourceType) {
 List result = new LinkedList<>();
- findByResourceType(resourceType, resourceServerId, result::add);
+ findByResourceType((ResourceServer) null, resourceType, result::add);
 return result;
 }
 /**
- * Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.core.model.Scope} with the given scopeIds.
+ * Searches for policies associated with a {@link org.keycloak.authorization.model.ResourceServer} and passes the result to the consumer
 *
- * @param scopeIds the id of the scopes
- * @param resourceServerId the resource server id
- * @return a list of policies associated with the given scopes
+ * @param resourceServer the resourceServer
+ * @param type the type of a resource
+ * @param policyConsumer consumer of policies resulted from the search
 */
- List findByScopeIds(List scopeIds, String resourceServerId);
+ void findByResourceType(ResourceServer resourceServer, String type, Consumer policyConsumer);
 /**
- * Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.core.model.Scope} with the given resourceId and scopeIds.
+ * Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.model.Scope} within the given scope.
 *
- * @param scopeIds the id of the scopes
- * @param resourceId the id of the resource. Ignored if {@code null}.
- * @param resourceServerId the resource server id
+ * @param resourceServer the resource server
+ * @param scopes the scopes
 * @return a list of policies associated with the given scopes
 */
- default List findByScopeIds(List scopeIds, String resourceId, String resourceServerId) {
+ List findByScopes(ResourceServer resourceServer, List scopes);
+
+ /**
+ * Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.model.Scope} with the given resource and scopes.
+ *
+ * @param resourceServer the resource server
+ * @param resource the resource. Ignored if {@code null}.
+ * @param scopes the scopes
+ * @return a list of policies associated with the given scopes
+ */
+ default List findByScopes(ResourceServer resourceServer, Resource resource, List scopes) {
 List result = new LinkedList<>();
- findByScopeIds(scopeIds, resourceId, resourceServerId, result::add);
+ findByScopes(resourceServer, resource, scopes, result::add);
 return result;
 }
 /**
- * Effectively the same method as {@link #findByScopeIds(List, String, String)}, however in the end
+ * Effectively the same method as {@link #findByScopes(ResourceServer, Resource, List)}, however in the end
 * the {@code consumer} is fed with the result.
 *
 */
- void findByScopeIds(List scopeIds, String resourceId, String resourceServerId, Consumer consumer);
+ void findByScopes(ResourceServer resourceServer, Resource resource, List scopes, Consumer consumer);
 /**
 * Returns a list of {@link Policy} with the given type.
 *
+ * @param resourceServer the resource server id
 * @param type the type of the policy
- * @param resourceServerId the resource server id
 * @return a list of policies with the given type
 */
- List findByType(String type, String resourceServerId);
+ List findByType(ResourceServer resourceServer, String type);
 /**
 * Returns a list of {@link Policy} that depends on another policy with the given id.
 *
+ * @param resourceServer the resource server
 * @param id the id of the policy to query its dependents
- * @param resourceServerId the resource server id
 * @return a list of policies that depends on the a policy with the given identifier
 */
- List findDependentPolicies(String id, String resourceServerId);
-
- void findByResourceType(String type, String resourceServerId, Consumer policyConsumer);
+ List findDependentPolicies(ResourceServer resourceServer, String id);
 }
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceServerStore.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceServerStore.java
index 2d49abafab..68f4907978 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceServerStore.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceServerStore.java
@@ -50,9 +50,7 @@ public interface ResourceServerStore {
 * @param id the identifier of an existing resource server instance
 *
 * @return the resource server instance with the given identifier or null if no instance was found
- * @deprecated use {@code findByClient} instead.
 */
- @Deprecated
 ResourceServer findById(String id);
 /**
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceStore.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceStore.java
index c6f9bc2040..bae2d9dac2 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceStore.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceStore.java
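Review bot: The default `findByResourceType(ResourceServer, String)` discards its `resourceServer` argument and delegates with `findByResourceType((ResourceServer) null, resourceType, result::add);`, so the lookup is no longer scoped to the caller's resource server and, depending on how a store treats a null resource server, may return policies that belong to other clients. It should read `findByResourceType(resourceServer, resourceType, result::add);`. Several `@param resourceServer` tags in this hunk still describe the argument as "the identifier of a resource server" or "the resource server id" although it is now the model; the same wording recurs in the ResourceStore and ScopeStore hunks below. The rewritten summary of `findByResourceType` now says the policies are associated with a `ResourceServer` "with the given type", where it should say they are associated with resources of the given type.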
@@ -19,11 +19,13 @@ package org.keycloak.authorization.store;
 import org.keycloak.authorization.model.Resource;
 import org.keycloak.authorization.model.ResourceServer;
+import org.keycloak.authorization.model.Scope;
 import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.function.Consumer;
 /**
@@ -36,25 +38,25 @@ public interface ResourceStore {
 /**
 *

Creates a {@link Resource} instance backed by this persistent storage implementation.
 *
- * @param name the name of this resource. It must be unique.
 * @param resourceServer the resource server to where the given resource belongs to
+ * @param name the name of this resource. It must be unique.
 * @param owner the owner of this resource or null if the resource server is the owner
 * @return an instance backed by the underlying storage implementation
 */
- default Resource create(String name, ResourceServer resourceServer, String owner) {
- return create(null, name, resourceServer, owner);
+ default Resource create(ResourceServer resourceServer, String name, String owner) {
+ return create(resourceServer, null, name, owner);
 }
 /**
 *

Creates a {@link Resource} instance backed by this persistent storage implementation.
 *
+ * @param resourceServer the resource server to where the given resource belongs to
 * @param id the id of this resource. It must be unique. Will be randomly generated if null.
 * @param name the name of this resource. It must be unique.
- * @param resourceServer the resource server to where the given resource belongs to
 * @param owner the owner of this resource or null if the resource server is the owner
 * @return an instance backed by the underlying storage implementation
 */
- Resource create(String id, String name, ResourceServer resourceServer, String owner);
+ Resource create(ResourceServer resourceServer, String id, String name, String owner);
 /**
 * Removes a {@link Resource} instance, with the given {@code id} from the persistent storage.
@@ -66,101 +68,114 @@ public interface ResourceStore {
 /**
 * Returns a {@link Resource} instance based on its identifier.
 *
+ * @param resourceServer the resource server
 * @param id the identifier of an existing resource instance
 * @return the resource instance with the given identifier or null if no instance was found
 */
- Resource findById(String id, String resourceServerId);
+ Resource findById(ResourceServer resourceServer, String id);
 /**
 * Finds all {@link Resource} instances with the given {@code ownerId}.
 *
+ *
+ * @param resourceServer
 * @param ownerId the identifier of the owner
 * @return a list with all resource instances owned by the given owner
 */
- default List findByOwner(String ownerId, String resourceServerId) {
+ default List findByOwner(ResourceServer resourceServer, String ownerId) {
 List list = new LinkedList<>();
- findByOwner(ownerId, resourceServerId, list::add);
+ findByOwner(resourceServer, ownerId, list::add);
 return list;
 }
- void findByOwner(String ownerId, String resourceServerId, Consumer consumer);
+ void findByOwner(ResourceServer resourceServer, String ownerId, Consumer consumer);
- List findByOwner(String ownerId, String resourceServerId, int first, int max);
+ List findByOwner(ResourceServer resourceServer, String ownerId, Integer firstResult, Integer maxResults);
 /**
 * Finds all {@link Resource} instances with the given uri.
 *
+ *
+ * @param resourceServer
 * @param uri the identifier of the uri
 * @return a list with all resource instances owned by the given owner
 */
- List findByUri(String uri, String resourceServerId);
+ List findByUri(ResourceServer resourceServer, String uri);
 /**
 * Finds all {@link Resource} instances associated with a given resource server.
 *
- * @param resourceServerId the identifier of the resource server
+ * @param resourceServer the identifier of the resource server
 * @return a list with all resources associated with the given resource server
 */
- List findByResourceServer(String resourceServerId);
+ List findByResourceServer(ResourceServer resourceServer);
 /**
 * Finds all {@link Resource} instances associated with a given resource server.
 *
+ * @param resourceServer the identifier of the resource server
 * @param attributes a map holding the attributes that will be used as a filter; possible filter options are given by {@link Resource.FilterOption}
- * @param resourceServerId the identifier of the resource server
+ * @param firstResult first result to return. Ignored if negative or {@code null}.
+ * @param maxResults maximum number of results to return. Ignored if negative or {@code null}.
 * @return a list with all resources associated with the given resource server
 *
 * @throws IllegalArgumentException when there is an unknown attribute in the {@code attributes} map
 */
- List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult);
+ List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults);
 /**
 * Finds all {@link Resource} associated with a given scope.
 *
- * @param id one or more scope identifiers
+ *
+ * @param resourceServer
+ * @param scopes one or more scope identifiers
 * @return a list of resources associated with the given scope(s)
 */
- default List findByScope(List id, String resourceServerId) {
+ default List findByScopes(ResourceServer resourceServer, Set scopes) {
 List result = new ArrayList<>();
- findByScope(id, resourceServerId, result::add);
+ findByScopes(resourceServer, scopes, result::add);
 return result;
 }
- void findByScope(List scopes, String resourceServerId, Consumer consumer);
+ void findByScopes(ResourceServer resourceServer, Set scopes, Consumer consumer);
 /**
 * Find a {@link Resource} by its name where the owner is the resource server itself.
 *
+ * @param resourceServer the resource server
 * @param name the name of the resource
- * @param resourceServerId the identifier of the resource server
 * @return a resource with the given name
 */
- Resource findByName(String name, String resourceServerId);
+ default Resource findByName(ResourceServer resourceServer, String name) {
+ return findByName(resourceServer, name, resourceServer.getClientId());
+ }
 /**
 * Find a {@link Resource} by its name where the owner is the given ownerId.
 *
+ * @param resourceServer the identifier of the resource server
 * @param name the name of the resource
 * @param ownerId the owner id
- * @param resourceServerId the identifier of the resource server
 * @return a resource with the given name
 */
- Resource findByName(String name, String ownerId, String resourceServerId);
+ Resource findByName(ResourceServer resourceServer, String name, String ownerId);
 /**
 * Finds all {@link Resource} with the given type.
 *
+ *
+ * @param resourceServer
 * @param type the type of the resource
 * @return a list of resources with the given type
 */
- default List findByType(String type, String resourceServerId) {
+ default List findByType(ResourceServer resourceServer, String type) {
 List list = new LinkedList<>();
- findByType(type, resourceServerId, list::add);
+ findByType(resourceServer, type, list::add);
 return list;
 }
@@ -168,14 +183,16 @@ public interface ResourceStore {
 /**
 * Finds all {@link Resource} with the given type.
 *
+ *
+ * @param resourceServer
 * @param type the type of the resource
 * @param owner the resource owner or null for any resource with a given type
 * @return a list of resources with the given type
 */
- default List findByType(String type, String owner, String resourceServerId) {
+ default List findByType(ResourceServer resourceServer, String type, String owner) {
 List list = new LinkedList<>();
- findByType(type, owner, resourceServerId, list::add);
+ findByType(resourceServer, type, owner, list::add);
 return list;
 }
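Review bot: The new default `findByName(ResourceServer resourceServer, String name)` dereferences its argument in `return findByName(resourceServer, name, resourceServer.getClientId());` with no null guard, while other ResourceStore entry points in this same commit are called with a null resource server (UserSynchronizer's `resourceStore.findByOwner(null, ...)`), so the interface is now inconsistent about whether null is a legal value. Either state it on the method, `@param resourceServer the resource server; must not be {@code null}`, or reject it explicitly with `Objects.requireNonNull(resourceServer, "resourceServer")` before the delegation. The four bare `@param resourceServer` tags added in this hunk (findByOwner, findByUri, findByScopes, findByType) and the one in the following @@ -168 hunk carry no description; each should say what the argument scopes, e.g. `@param resourceServer the resource server the resources belong to`.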
@@ -183,31 +200,31 @@ public interface ResourceStore {
 /**
 * Finds all {@link Resource} with the given type.
 *
+ * @param resourceServer the resource server id
 * @param type the type of the resource
- * @param resourceServerId the resource server id
 * @param consumer the result consumer
 * @return a list of resources with the given type
 */
- void findByType(String type, String resourceServerId, Consumer consumer);
+ void findByType(ResourceServer resourceServer, String type, Consumer consumer);
 /**
 * Finds all {@link Resource} with the given type.
 *
+ * @param resourceServer the resource server id
 * @param type the type of the resource
 * @param owner the resource owner or null for any resource with a given type
- * @param resourceServerId the resource server id
 * @param consumer the result consumer
 * @return a list of resources with the given type
 */
- void findByType(String type, String owner, String resourceServerId, Consumer consumer);
+ void findByType(ResourceServer resourceServer, String type, String owner, Consumer consumer);
- default List findByTypeInstance(String type, String resourceServerId) {
+ default List findByTypeInstance(ResourceServer resourceServer, String type) {
 List list = new LinkedList<>();
- findByTypeInstance(type, resourceServerId, list::add);
+ findByTypeInstance(resourceServer, type, list::add);
 return list;
 }
- void findByTypeInstance(String type, String resourceServerId, Consumer consumer);
+ void findByTypeInstance(ResourceServer resourceServerId, String type, Consumer consumer);
 }
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/ScopeStore.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/ScopeStore.java
index 4b96cbff53..ecfa93f678 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/ScopeStore.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/ScopeStore.java
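Review bot: The abstract `findByTypeInstance` keeps the old parameter name on the new type, `void findByTypeInstance(ResourceServer resourceServerId, String type, Consumer consumer);`, which is the only place in this refactoring where a `ResourceServer` is still called an id; rename it to `resourceServer` to match its default-method sibling directly above. Both `findByTypeInstance` overloads still have no Javadoc, so the hunk would be a good place to add a one-line summary and `@param` tags like the neighbouring `findByType` methods have. The two `@param resourceServer the resource server id` tags in this hunk also describe the model as an id.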
@@ -35,26 +35,26 @@ public interface ScopeStore {
 * Creates a new {@link Scope} instance. The new instance is not necessarily persisted though, which may require
 * a call to the {#save} method to actually make it persistent.
 *
- * @param name the name of the scope
 * @param resourceServer the resource server to which this scope belongs
 *
+ * @param name the name of the scope
 * @return a new instance of {@link Scope}
 */
- default Scope create(String name, ResourceServer resourceServer) {
- return create(null, name, resourceServer);
+ default Scope create(ResourceServer resourceServer, String name) {
+ return create(resourceServer, null, name);
 }
 /**
 * Creates a new {@link Scope} instance. The new instance is not necessarily persisted though, which may require
 * a call to the {#save} method to actually make it persistent.
 *
- * @param id the id of the scope. Is generated randomly when null
- * @param name the name of the scope
 * @param resourceServer the resource server to which this scope belongs
 *
+ * @param id the id of the scope. Is generated randomly when null
+ * @param name the name of the scope
 * @return a new instance of {@link Scope}
 */
- Scope create(String id, String name, ResourceServer resourceServer);
+ Scope create(ResourceServer resourceServer, String id, String name);
 /**
 * Deletes a scope from the underlying persistence mechanism.
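Review bot: In both `create` Javadocs the moved `@param` tags now land after the blank ` *` line that used to separate the `@param resourceServer` entry from `@return`, so the parameter list reads as two disconnected groups; drop that blank line (or move it below the last `@param`) so the tags stay together in declaration order. The `{#save}` reference in both summaries is not a valid Javadoc tag and should be `{@link #save}`, though that predates this change.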
@@ -66,40 +66,42 @@ public interface ScopeStore {
 /**
 * Returns a {@link Scope} with the given id
 *
+ * @param resourceServer the resource server id
 * @param id the identifier of the scope
- * @param resourceServerId the resource server id
 * @return a scope with the given identifier.
 */
- Scope findById(String id, String resourceServerId);
+ Scope findById(ResourceServer resourceServer, String id);
 /**
 * Returns a {@link Scope} with the given name
 *
+ * @param resourceServer the resource server
 * @param name the name of the scope
 *
- * @param resourceServerId the resource server id
 * @return a scope with the given name.
 */
- Scope findByName(String name, String resourceServerId);
+ Scope findByName(ResourceServer resourceServer, String name);
 /**
- * Returns a list of {@link Scope} associated with a {@link ResourceServer} with the given resourceServerId.
+ * Returns a list of {@link Scope} associated with a {@link ResourceServer} with the given resourceServer.
 *
- * @param resourceServerId the identifier of a resource server
+ * @param resourceServer the identifier of a resource server
 *
 * @return a list of scopes that belong to the given resource server
 */
- List findByResourceServer(String id);
+ List findByResourceServer(ResourceServer resourceServer);
 /**
 * Returns a list of {@link Scope} associated with a {@link ResourceServer} with the given resourceServerId.
 *
+ * @param resourceServer the resource server
 * @param attributes a map holding the attributes that will be used as a filter; possible filter options are given by {@link Scope.FilterOption}
- * @param resourceServerId the identifier of a resource server
+ * @param firstResult first result to return. Ignored if negative or {@code null}.
+ * @param maxResults maximum number of results to return. Ignored if negative or {@code null}.
 * @return a list of scopes that belong to the given resource server
 *
 * @throws IllegalArgumentException when there is an unknown attribute in the {@code attributes} map
 *
 */
- List findByResourceServer(Map attributes, String resourceServerId, int firstResult, int maxResult);
+ List findByResourceServer(ResourceServer resourceServer, Map attributes, Integer firstResult, Integer maxResults);
 }
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/ClientApplicationSynchronizer.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/ClientApplicationSynchronizer.java
index d94d8ba541..a0f78ff621 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/ClientApplicationSynchronizer.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/ClientApplicationSynchronizer.java
@@ -62,7 +62,7 @@ public class ClientApplicationSynchronizer implements Synchronizer search = storeFactory.getPolicyStore().findByResourceServer(attributes, null, -1, -1);
+ List search = storeFactory.getPolicyStore().findByResourceServer(null, attributes, null, null);
 for (Policy policy : search) {
 PolicyProviderFactory policyFactory = authorizationProvider.getProviderFactory(policy.getType());
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/GroupSynchronizer.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/GroupSynchronizer.java
index c10ea5f1a6..40332c272c 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/GroupSynchronizer.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/GroupSynchronizer.java
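Review bot: `storeFactory.getPolicyStore().findByResourceServer(null, attributes, null, null)` relies on a null `resourceServer` meaning "search every resource server in the realm", but the new `PolicyStore.findByResourceServer` Javadoc describes the argument only as "the identifier of a resource server" and never says null is accepted or what it means, so each store implementation is free to throw or to return nothing. The contract should be stated on the interface, e.g. `@param resourceServer the resource server, or {@code null} to search across all resource servers of the realm`, and the same clause belongs on `ResourceStore.findByOwner` and `PermissionTicketStore.find`. GroupSynchronizer below and UserSynchronizer (its `findByResourceServer`, `findByOwner` and `ticketStore.find` calls) depend on the same unwritten convention. The enclosing method begins and ends outside the hunk.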
@@ -51,7 +51,7 @@ public class GroupSynchronizer implements Synchronizer search = policyStore.findByResourceServer(attributes, null, -1, -1);
+ List search = policyStore.findByResourceServer(null, attributes, null, null);
 for (Policy policy : search) {
 PolicyProviderFactory policyFactory = authorizationProvider.getProviderFactory(policy.getType());
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/UserSynchronizer.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/UserSynchronizer.java
index a8d8df86d5..6cacb3ef5b 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/UserSynchronizer.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/UserSynchronizer.java
@@ -60,7 +60,7 @@ public class UserSynchronizer implements Synchronizer {
 attributes.put(Policy.FilterOption.TYPE, new String[] {"user"});
 attributes.put(Policy.FilterOption.CONFIG, new String[] {"users", userModel.getId()});
- List search = policyStore.findByResourceServer(attributes, null, -1, -1);
+ List search = policyStore.findByResourceServer(null, attributes, null, null);
 for (Policy policy : search) {
 PolicyProviderFactory policyFactory = authorizationProvider.getProviderFactory(policy.getType());
@@ -84,9 +84,9 @@ public class UserSynchronizer implements Synchronizer {
 ResourceStore resourceStore = storeFactory.getResourceStore();
 UserModel userModel = event.getUser();
- resourceStore.findByOwner(userModel.getId(), null, resource -> {
+ resourceStore.findByOwner(null, userModel.getId(), resource -> {
 String resourceId = resource.getId();
- policyStore.findByResource(resourceId, resource.getResourceServer()).forEach(policy -> {
+ policyStore.findByResource(resource.getResourceServer(), resource).forEach(policy -> {
 if (policy.getResources().size() == 1) {
 policyStore.delete(policy.getId());
 } else {
@@ -105,7 +105,7 @@ public class UserSynchronizer implements Synchronizer {
 attributes.put(PermissionTicket.FilterOption.OWNER, userModel.getId());
- for (PermissionTicket ticket : ticketStore.find(attributes, null, -1, -1)) {
+ for (PermissionTicket ticket : ticketStore.find(null, attributes, null, null)) {
 ticketStore.delete(ticket.getId());
 }
@@ -113,7 +113,7 @@ public class UserSynchronizer implements Synchronizer {
 attributes.put(PermissionTicket.FilterOption.REQUESTER, userModel.getId());
- for (PermissionTicket ticket : ticketStore.find(attributes, null, -1, -1)) {
+ for (PermissionTicket ticket : ticketStore.find(null, attributes, null, null)) {
 ticketStore.delete(ticket.getId());
 }
 }
diff --git a/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo2_1_0.java b/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo2_1_0.java
index 88f21d3635..f5a821c118 100644
--- a/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo2_1_0.java
+++ b/server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo2_1_0.java
@@ -78,7 +78,7 @@ public class MigrateTo2_1_0 implements Migration {
 ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(clientModel);
 if (resourceServer != null) {
- policyStore.findByType("role", resourceServer.getId()).forEach(policy -> {
+ policyStore.findByType(resourceServer, "role").forEach(policy -> {
 Map config = new HashMap(policy.getConfig());
 String roles = config.get("roles");
 List roleConfig;
diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java b/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
index ff3f84edb5..e2ae138b53 100755
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
@@ -910,7 +910,7 @@ public class ModelToRepresentation {
 ResourceServerRepresentation server = new ResourceServerRepresentation();
 server.setId(model.getId());
- server.setClientId(model.getId());
+ server.setClientId(model.getClientId());
 server.setName(client.getClientId());
 server.setAllowRemoteResourceManagement(model.isAllowRemoteResourceManagement());
 server.setPolicyEnforcementMode(model.getPolicyEnforcementMode());
@@ -953,8 +953,9 @@ public class ModelToRepresentation {
 representation.setLogic(policy.getLogic());
 if (allFields) {
- representation.setResourcesData(policy.getResources().stream().map(
- resource -> toRepresentation(resource, resource.getResourceServer(), authorization, true)).collect(Collectors.toSet()));
+ representation.setResourcesData(policy.getResources().stream()
+ .map(resource -> toRepresentation(resource, policy.getResourceServer(), authorization, true))
+ .collect(Collectors.toSet()));
 representation.setScopesData(policy.getScopes().stream().map(
 resource -> toRepresentation(resource)).collect(Collectors.toSet()));
 }
@@ -962,11 +963,11 @@ public class ModelToRepresentation {
 return representation;
 }
- public static ResourceRepresentation toRepresentation(Resource model, String resourceServer, AuthorizationProvider authorization) {
+ public static ResourceRepresentation toRepresentation(Resource model, ResourceServer resourceServer, AuthorizationProvider authorization) {
 return toRepresentation(model, resourceServer, authorization, true);
 }
- public static ResourceRepresentation toRepresentation(Resource model, String resourceServer, AuthorizationProvider authorization, Boolean deep) {
+ public static ResourceRepresentation toRepresentation(Resource model, ResourceServer resourceServer, AuthorizationProvider authorization, Boolean deep) {
 ResourceRepresentation resource = new ResourceRepresentation();
 resource.setId(model.getId());
@@ -984,8 +985,8 @@ public class ModelToRepresentation {
 KeycloakSession keycloakSession = authorization.getKeycloakSession();
 RealmModel realm = authorization.getRealm();
- if (owner.getId().equals(resourceServer)) {
- ClientModel clientModel = realm.getClientById(resourceServer);
+ if (owner.getId().equals(resourceServer.getClientId())) {
+ ClientModel clientModel = realm.getClientById(resourceServer.getClientId());
 owner.setName(clientModel.getClientId());
 } else {
 UserModel userModel = keycloakSession.users().getUserById(realm, owner.getId());
diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
index a9b8dbe799..e7859971f6 100755
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
@@ -2324,7 +2324,7 @@ public class RepresentationToModel {
 if (owner == null) {
 owner = new ResourceOwnerRepresentation();
- owner.setId(resourceServer.getId());
+ owner.setId(resourceServer.getClientId());
 resource.setOwner(owner);
 } else if (owner.getName() != null) {
 UserModel user = session.users().getUserByUsername(realm, owner.getName());
@@ -2359,10 +2359,10 @@ public class RepresentationToModel {
 Set policyIds = new HashSet<>();
 for (String policyName : policies) {
- Policy policy = policyStore.findByName(policyName, resourceServer.getId());
+ Policy policy = policyStore.findByName(resourceServer, policyName);
 if (policy == null) {
- policy = policyStore.findById(policyName, resourceServer.getId());
+ policy = policyStore.findById(resourceServer, policyName);
 }
 if (policy == null) {
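Review bot: The rewritten condition `if (owner.getId().equals(resourceServer.getClientId()))` dereferences `resourceServer` directly, whereas the old `owner.getId().equals(resourceServer)` tolerated a null argument, so any caller of `toRepresentation(Resource, ResourceServer, ...)` that still passes null will now fail with a NullPointerException instead of taking the user-owner branch; I could not see every caller from this diff, so this is worth checking. The rewritten `ClientModel clientModel = realm.getClientById(resourceServer.getClientId());` is then dereferenced on the unchanged next line with no null check, which would also throw if the resource server's client no longer exists in the realm; a guard such as `if (clientModel != null) owner.setName(clientModel.getClientId());` keeps the representation usable in that case. The enclosing method begins outside the hunk.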
@@ -2382,14 +2382,14 @@ public class RepresentationToModel { } PolicyStore policyStore = storeFactory.getPolicyStore(); - Policy policy = policyStore.findById(policyRepresentation.getId(), resourceServer.getId()); + Policy policy = policyStore.findById(resourceServer, policyRepresentation.getId()); if (policy == null) { - policy = policyStore.findByName(policyRepresentation.getName(), resourceServer.getId()); + policy = policyStore.findByName(resourceServer, policyRepresentation.getName()); } if (policy == null) { - policy = policyStore.create(policyRepresentation, resourceServer); + policy = policyStore.create(resourceServer, policyRepresentation); } else { policy = toModel(policyRepresentation, authorization, policy); } @@ -2494,10 +2494,10 @@ public class RepresentationToModel { } if (!hasScope) { ResourceServer resourceServer = policy.getResourceServer(); - Scope scope = storeFactory.getScopeStore().findById(scopeId, resourceServer.getId()); + Scope scope = storeFactory.getScopeStore().findById(resourceServer, scopeId); if (scope == null) { - scope = storeFactory.getScopeStore().findByName(scopeId, resourceServer.getId()); + scope = storeFactory.getScopeStore().findByName(resourceServer, scopeId); if (scope == null) { throw new RuntimeException("Scope with id or name [" + scopeId + "] does not exist"); } @@ -2547,10 +2547,10 @@ public class RepresentationToModel { } if (!hasPolicy) { - Policy associatedPolicy = policyStore.findById(policyId, resourceServer.getId()); + Policy associatedPolicy = policyStore.findById(resourceServer, policyId); if (associatedPolicy == null) { - associatedPolicy = policyStore.findByName(policyId, resourceServer.getId()); + associatedPolicy = policyStore.findByName(resourceServer, policyId); if (associatedPolicy == null) { throw new RuntimeException("Policy with id or name [" + policyId + "] does not exist"); } 
@@ -2592,10 +2592,10 @@ public class RepresentationToModel { } } if (!hasResource && !"".equals(resourceId)) { - Resource resource = storeFactory.getResourceStore().findById(resourceId, policy.getResourceServer().getId()); + Resource resource = storeFactory.getResourceStore().findById(policy.getResourceServer(), resourceId); if (resource == null) { - resource = storeFactory.getResourceStore().findByName(resourceId, policy.getResourceServer().getId()); + resource = storeFactory.getResourceStore().findByName(policy.getResourceServer(), resourceId); if (resource == null) { throw new RuntimeException("Resource with id or name [" + resourceId + "] does not exist or is not owned by the resource server"); } @@ -2629,16 +2629,16 @@ public class RepresentationToModel { if (owner == null) { owner = new ResourceOwnerRepresentation(); - owner.setId(resourceServer.getId()); + owner.setId(resourceServer.getClientId()); } String ownerId = owner.getId(); if (ownerId == null) { - ownerId = resourceServer.getId(); + ownerId = resourceServer.getClientId(); } - if (!resourceServer.getId().equals(ownerId)) { + if (!resourceServer.getClientId().equals(ownerId)) { RealmModel realm = authorization.getRealm(); KeycloakSession keycloakSession = authorization.getKeycloakSession(); UserProvider users = keycloakSession.users(); @@ -2658,9 +2658,9 @@ public class RepresentationToModel { Resource existing; if (resource.getId() != null) { - existing = resourceStore.findById(resource.getId(), resourceServer.getId()); + existing = resourceStore.findById(resourceServer, resource.getId()); } else { - existing = resourceStore.findByName(resource.getName(), ownerId, resourceServer.getId()); + existing = resourceStore.findByName(resourceServer, resource.getName(), ownerId); } if (existing != null) { 
@@ -2695,7 +2695,7 @@ public class RepresentationToModel { return existing; } - Resource model = resourceStore.create(resource.getId(), resource.getName(), resourceServer, ownerId); + Resource model = resourceStore.create(resourceServer, resource.getId(), resource.getName(), ownerId); model.setDisplayName(resource.getDisplayName()); model.setType(resource.getType()); @@ -2732,9 +2732,9 @@ public class RepresentationToModel { Scope existing; if (scope.getId() != null) { - existing = scopeStore.findById(scope.getId(), resourceServer.getId()); + existing = scopeStore.findById(resourceServer, scope.getId()); } else { - existing = scopeStore.findByName(scope.getName(), resourceServer.getId()); + existing = scopeStore.findByName(resourceServer, scope.getName()); } if (existing != null) { @@ -2746,7 +2746,7 @@ public class RepresentationToModel { return existing; } - Scope model = scopeStore.create(scope.getId(), scope.getName(), resourceServer); + Scope model = scopeStore.create(resourceServer, scope.getId(), scope.getName()); model.setDisplayName(scope.getDisplayName()); model.setIconUri(scope.getIconUri()); @@ -2756,9 +2756,9 @@ public class RepresentationToModel { return model; } - public static PermissionTicket toModel(PermissionTicketRepresentation representation, String resourceServerId, AuthorizationProvider authorization) { + public static PermissionTicket toModel(PermissionTicketRepresentation representation, ResourceServer resourceServer, AuthorizationProvider authorization) { PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore(); - PermissionTicket ticket = ticketStore.findById(representation.getId(), resourceServerId); + PermissionTicket ticket = ticketStore.findById(resourceServer, representation.getId()); boolean granted = representation.isGranted(); if (granted && !ticket.isGranted()) { 
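Review bot: In the rewritten `toModel(PermissionTicketRepresentation, ResourceServer, AuthorizationProvider)` at the end of this line, the result of `ticketStore.findById(resourceServer, representation.getId())` is used immediately in `ticket.isGranted()` with no null check, so a ticket id that does not exist or is not scoped to this resource server surfaces as a NullPointerException rather than a not-found error. The other lookups in this file already guard that case (`if (scope == null) { throw new RuntimeException(...) }`), so the same shape fits here: `if (ticket == null) { throw new RuntimeException("Permission ticket with id [" + representation.getId() + "] does not exist"); }`. The gap predates this commit, but the signature is being changed here anyway; the method body continues outside the hunk.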
diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
index 163d5a1209..0f48e41ac7 100644
--- a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
@@ -172,21 +172,21 @@ public class PolicyEvaluationService { ScopeStore scopeStore = storeFactory.getScopeStore(); - Set scopes = givenScopes.stream().map(scopeRepresentation -> scopeStore.findByName(scopeRepresentation.getName(), resourceServer.getId())).collect(Collectors.toSet()); + Set scopes = givenScopes.stream().map(scopeRepresentation -> scopeStore.findByName(resourceServer, scopeRepresentation.getName())).collect(Collectors.toSet()); if (resource.getId() != null) { - Resource resourceModel = storeFactory.getResourceStore().findById(resource.getId(), resourceServer.getId()); + Resource resourceModel = storeFactory.getResourceStore().findById(resourceServer, resource.getId()); return new ArrayList<>(Arrays.asList( Permissions.createResourcePermissions(resourceModel, resourceServer, scopes, authorization, request))).stream(); } else if (resource.getType() != null) { - return storeFactory.getResourceStore().findByType(resource.getType(), resourceServer.getId()).stream().map(resource1 -> Permissions.createResourcePermissions(resource1, + return storeFactory.getResourceStore().findByType(resourceServer, resource.getType()).stream().map(resource1 -> Permissions.createResourcePermissions(resource1, resourceServer, scopes, authorization, request)); } else { if (scopes.isEmpty()) { return Stream.empty(); } - List resources = storeFactory.getResourceStore().findByScope(scopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId()); + List resources = storeFactory.getResourceStore().findByScopes(resourceServer, scopes); if (resources.isEmpty()) { return scopes.stream().map(scope -> new ResourcePermission(null, new ArrayList<>(Arrays.asList(scope)), resourceServer)); @@ -254,7 +254,7 @@ public class PolicyEvaluationService { String clientId = representation.getClientId(); if (clientId == null) { - clientId = resourceServer.getId(); + clientId = resourceServer.getClientId(); } if (clientId != null) { 
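Review bot: `scopes` in the first hunk is built by mapping every requested scope name through `scopeStore.findByName(resourceServer, ...)` and collecting to a set, and elsewhere in this commit the result of `findByName` is checked for null, so a name unknown to this resource server puts a `null` element into the set that is then passed to `findByScopes(resourceServer, scopes)` and to `Permissions.createResourcePermissions`. Before the change the `findByScope` branch would have failed on `Scope::getId` for such an element; now the null is handed to the store, whose handling of it is not visible here. Adding `.filter(scope -> scope != null)` before `.collect(Collectors.toSet())`, or rejecting unknown scope names explicitly, would keep the evaluation input well-formed. The enclosing method starts before the hunk.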
@@ -287,7 +287,7 @@ public class PolicyEvaluationService { } if (client == null) { - client = realm.getClientById(resourceServer.getId()); + client = realm.getClientById(resourceServer.getClientId()); } accessToken.issuedFor(client.getClientId()); diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java index c17cd14947..cf8b56f3e5 100644 --- a/services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java +++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java @@ -39,7 +39,6 @@ import org.keycloak.authorization.store.PolicyStore; import org.keycloak.authorization.store.StoreFactory; import org.keycloak.events.admin.OperationType; import org.keycloak.events.admin.ResourceType; -import org.keycloak.models.KeycloakSession; import org.keycloak.models.utils.ModelToRepresentation; import org.keycloak.models.utils.RepresentationToModel; import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation; @@ -155,7 +154,7 @@ public class PolicyResourceService { return Response.status(Status.NOT_FOUND).build(); } - List policies = authorization.getStoreFactory().getPolicyStore().findDependentPolicies(policy.getId(), resourceServer.getId()); + List policies = authorization.getStoreFactory().getPolicyStore().findDependentPolicies(resourceServer, policy.getId()); return Response.ok(policies.stream().map(policy -> { PolicyRepresentation representation1 = new PolicyRepresentation(); diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java index 34e106abf9..085e36d617 100644 --- a/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java +++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java 
@@ -88,7 +88,7 @@ public class PolicyService { return doCreatePolicyTypeResource(type); } - Policy policy = authorization.getStoreFactory().getPolicyStore().findById(type, resourceServer.getId()); + Policy policy = authorization.getStoreFactory().getPolicyStore().findById(resourceServer, type); return doCreatePolicyResource(policy); } @@ -134,13 +134,13 @@ public class PolicyService { public Policy create(AbstractPolicyRepresentation representation) { PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore(); - Policy existing = policyStore.findByName(representation.getName(), resourceServer.getId()); + Policy existing = policyStore.findByName(resourceServer, representation.getName()); if (existing != null) { throw new ErrorResponseException("Policy with name [" + representation.getName() + "] already exists", "Conflicting policy", Status.CONFLICT); } - return policyStore.create(representation, resourceServer); + return policyStore.create(resourceServer, representation); } @Path("/search") @@ -158,7 +158,7 @@ public class PolicyService { return Response.status(Status.BAD_REQUEST).build(); } - Policy model = storeFactory.getPolicyStore().findByName(name, this.resourceServer.getId()); + Policy model = storeFactory.getPolicyStore().findByName(this.resourceServer, name); if (model == null) { return Response.noContent().build(); @@ -206,7 +206,7 @@ public class PolicyService { if (resource != null && !"".equals(resource.trim())) { ResourceStore resourceStore = storeFactory.getResourceStore(); - Resource resourceModel = resourceStore.findById(resource, resourceServer.getId()); + Resource resourceModel = resourceStore.findById(resourceServer, resource); if (resourceModel == null) { Map resourceFilters = new EnumMap<>(Resource.FilterOption.class); 
@@ -217,7 +217,7 @@ public class PolicyService { resourceFilters.put(Resource.FilterOption.OWNER, new String[]{owner}); } - Set resources = resourceStore.findByResourceServer(resourceFilters, resourceServer.getId(), -1, 1).stream().map(Resource::getId).collect(Collectors.toSet()); + Set resources = resourceStore.findByResourceServer(resourceServer, resourceFilters, -1, 1).stream().map(Resource::getId).collect(Collectors.toSet()); if (resources.isEmpty()) { return Response.noContent().build(); @@ -231,14 +231,14 @@ public class PolicyService { if (scope != null && !"".equals(scope.trim())) { ScopeStore scopeStore = storeFactory.getScopeStore(); - Scope scopeModel = scopeStore.findById(scope, resourceServer.getId()); + Scope scopeModel = scopeStore.findById(resourceServer, scope); if (scopeModel == null) { Map scopeFilters = new EnumMap<>(Scope.FilterOption.class); scopeFilters.put(Scope.FilterOption.NAME, new String[]{scope}); - Set scopes = scopeStore.findByResourceServer(scopeFilters, resourceServer.getId(), -1, 1).stream().map(Scope::getId).collect(Collectors.toSet()); + Set scopes = scopeStore.findByResourceServer(resourceServer, scopeFilters, -1, 1).stream().map(Scope::getId).collect(Collectors.toSet()); if (scopes.isEmpty()) { return Response.noContent().build(); @@ -265,7 +265,7 @@ public class PolicyService { protected List doSearch(Integer firstResult, Integer maxResult, String fields, Map filters) { PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore(); - return policyStore.findByResourceServer(filters, resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS).stream() + return policyStore.findByResourceServer(resourceServer, filters, firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS).stream() .map(policy -> toRepresentation(policy, fields, authorization)) .collect(Collectors.toList()); } 
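Review bot: Two different "no limit" spellings are now in use for the pagination parameters that the commit description says became `Integer`: this hunk passes `-1, 1` to `findByResourceServer`, and `doSearch` still maps a missing first result with `firstResult != null ? firstResult : -1`, while ResourceSetService.getPermissions, ResourceSetService.find and the ScopeStore call in ResourceSetService pass `null, null` for the same positions. Unless every store treats `-1` and `null` identically, the two conventions will drift apart. Picking one, for instance passing the nullable `firstResult` straight through and keeping the `Constants.DEFAULT_MAX_RESULTS` fallback only for `maxResult`, would make the intent uniform across PolicyService, ResourceSetService and ScopeService.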
diff --git a/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java b/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java index 362df41dc1..95d887022b 100644 --- a/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java +++ b/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java @@ -113,7 +113,7 @@ public class ResourceSetService { if (owner == null) { owner = new ResourceOwnerRepresentation(); - owner.setId(resourceServer.getId()); + owner.setId(resourceServer.getClientId()); resource.setOwner(owner); } @@ -123,13 +123,13 @@ public class ResourceSetService { throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "You must specify the resource owner.", Status.BAD_REQUEST); } - Resource existingResource = storeFactory.getResourceStore().findByName(resource.getName(), ownerId, this.resourceServer.getId()); + Resource existingResource = storeFactory.getResourceStore().findByName(this.resourceServer, resource.getName(), ownerId); if (existingResource != null) { throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Resource with name [" + resource.getName() + "] already exists.", Status.CONFLICT); } - return toRepresentation(toModel(resource, this.resourceServer, authorization), resourceServer.getId(), authorization); + return toRepresentation(toModel(resource, this.resourceServer, authorization), resourceServer, authorization); } @Path("{id}") @@ -141,7 +141,7 @@ public class ResourceSetService { resource.setId(id); StoreFactory storeFactory = this.authorization.getStoreFactory(); ResourceStore resourceStore = storeFactory.getResourceStore(); - Resource model = resourceStore.findById(resource.getId(), resourceServer.getId()); + Resource model = resourceStore.findById(resourceServer, resource.getId()); if (model == null) { return Response.status(Status.NOT_FOUND).build(); 
@@ -159,7 +159,7 @@ public class ResourceSetService { public Response delete(@PathParam("id") String id) { requireManage(); StoreFactory storeFactory = authorization.getStoreFactory(); - Resource resource = storeFactory.getResourceStore().findById(id, resourceServer.getId()); + Resource resource = storeFactory.getResourceStore().findById(resourceServer, id); if (resource == null) { return Response.status(Status.NOT_FOUND).build(); @@ -167,7 +167,7 @@ public class ResourceSetService { storeFactory.getResourceStore().delete(id); - audit(toRepresentation(resource, resourceServer.getId(), authorization), OperationType.DELETE); + audit(toRepresentation(resource, resourceServer, authorization), OperationType.DELETE); return Response.noContent().build(); } @@ -177,13 +177,13 @@ public class ResourceSetService { @NoCache @Produces("application/json") public Response findById(@PathParam("id") String id) { - return findById(id, resource -> toRepresentation(resource, resourceServer.getId(), authorization, true)); + return findById(id, resource -> toRepresentation(resource, resourceServer, authorization, true)); } public Response findById(String id, Function toRepresentation) { requireView(); StoreFactory storeFactory = authorization.getStoreFactory(); - Resource model = storeFactory.getResourceStore().findById(id, resourceServer.getId()); + Resource model = storeFactory.getResourceStore().findById(resourceServer, id); if (model == null) { return Response.status(Status.NOT_FOUND).build(); @@ -199,7 +199,7 @@ public class ResourceSetService { public Response getScopes(@PathParam("id") String id) { requireView(); StoreFactory storeFactory = authorization.getStoreFactory(); - Resource model = storeFactory.getResourceStore().findById(id, resourceServer.getId()); + Resource model = storeFactory.getResourceStore().findById(resourceServer, id); if (model == null) { return Response.status(Status.NOT_FOUND).build(); 
@@ -214,10 +214,10 @@ public class ResourceSetService { return representation; }).collect(Collectors.toList()); - if (model.getType() != null && !model.getOwner().equals(resourceServer.getId())) { + if (model.getType() != null && !model.getOwner().equals(resourceServer.getClientId())) { ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore(); - for (Resource typed : resourceStore.findByType(model.getType(), resourceServer.getId())) { - if (typed.getOwner().equals(resourceServer.getId()) && !typed.getId().equals(model.getId())) { + for (Resource typed : resourceStore.findByType(resourceServer, model.getType())) { + if (typed.getOwner().equals(resourceServer.getClientId()) && !typed.getId().equals(model.getId())) { scopes.addAll(typed.getScopes().stream().map(model1 -> { ScopeRepresentation scope = new ScopeRepresentation(); scope.setId(model1.getId()); @@ -243,7 +243,7 @@ public class ResourceSetService { requireView(); StoreFactory storeFactory = authorization.getStoreFactory(); ResourceStore resourceStore = storeFactory.getResourceStore(); - Resource model = resourceStore.findById(id, resourceServer.getId()); + Resource model = resourceStore.findById(resourceServer, id); if (model == null) { return Response.status(Status.NOT_FOUND).build(); 
@@ -252,23 +252,23 @@ public class ResourceSetService { PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore(); Set policies = new HashSet<>(); - policies.addAll(policyStore.findByResource(model.getId(), resourceServer.getId())); + policies.addAll(policyStore.findByResource(resourceServer, model)); if (model.getType() != null) { - policies.addAll(policyStore.findByResourceType(model.getType(), resourceServer.getId())); + policies.addAll(policyStore.findByResourceType(resourceServer, model.getType())); Map resourceFilter = new EnumMap<>(Resource.FilterOption.class); - resourceFilter.put(Resource.FilterOption.OWNER, new String[]{resourceServer.getId()}); + resourceFilter.put(Resource.FilterOption.OWNER, new String[]{resourceServer.getClientId()}); resourceFilter.put(Resource.FilterOption.TYPE, new String[]{model.getType()}); - for (Resource resourceType : resourceStore.findByResourceServer(resourceFilter, resourceServer.getId(), -1, -1)) { - policies.addAll(policyStore.findByResource(resourceType.getId(), resourceServer.getId())); + for (Resource resourceType : resourceStore.findByResourceServer(resourceServer, resourceFilter, null, null)) { + policies.addAll(policyStore.findByResource(resourceServer, resourceType)); } } - policies.addAll(policyStore.findByScopeIds(model.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toList()), id, resourceServer.getId())); - policies.addAll(policyStore.findByScopeIds(model.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toList()), null, resourceServer.getId())); + policies.addAll(policyStore.findByScopes(resourceServer, model, model.getScopes())); + policies.addAll(policyStore.findByScopes(resourceServer, null, model.getScopes())); List representation = new ArrayList<>(); 
@@ -296,7 +296,7 @@ public class ResourceSetService { public Response getAttributes(@PathParam("id") String id) { requireView(); StoreFactory storeFactory = authorization.getStoreFactory(); - Resource model = storeFactory.getResourceStore().findById(id, resourceServer.getId()); + Resource model = storeFactory.getResourceStore().findById(resourceServer, id); if (model == null) { return Response.status(Status.NOT_FOUND).build(); @@ -317,13 +317,13 @@ public class ResourceSetService { return Response.status(Status.BAD_REQUEST).build(); } - Resource model = storeFactory.getResourceStore().findByName(name, this.resourceServer.getId()); + Resource model = storeFactory.getResourceStore().findByName(this.resourceServer, name); if (model == null) { return Response.status(Status.NO_CONTENT).build(); } - return Response.ok(toRepresentation(model, this.resourceServer.getId(), authorization)).build(); + return Response.ok(toRepresentation(model, this.resourceServer, authorization)).build(); } @GET @@ -340,7 +340,7 @@ public class ResourceSetService { @QueryParam("deep") Boolean deep, @QueryParam("first") Integer firstResult, @QueryParam("max") Integer maxResult) { - return find(id, name, uri, owner, type, scope, matchingUri, exactName, deep, firstResult, maxResult, (BiFunction) (resource, deep1) -> toRepresentation(resource, resourceServer.getId(), authorization, deep1)); + return find(id, name, uri, owner, type, scope, matchingUri, exactName, deep, firstResult, maxResult, (BiFunction) (resource, deep1) -> toRepresentation(resource, resourceServer, authorization, deep1)); } public Response find(@QueryParam("_id") String id, 
@@ -403,7 +403,7 @@ public class ResourceSetService { scopeFilter.put(Scope.FilterOption.NAME, new String[] {scope}); - List scopes = authorization.getStoreFactory().getScopeStore().findByResourceServer(scopeFilter, resourceServer.getId(), -1, -1); + List scopes = authorization.getStoreFactory().getScopeStore().findByResourceServer(resourceServer, scopeFilter, null, null); if (scopes.isEmpty()) { return Response.ok(Collections.emptyList()).build(); @@ -412,15 +412,15 @@ public class ResourceSetService { search.put(Resource.FilterOption.SCOPE_ID, scopes.stream().map(Scope::getId).toArray(String[]::new)); } - List resources = storeFactory.getResourceStore().findByResourceServer(search, this.resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS); + List resources = storeFactory.getResourceStore().findByResourceServer(this.resourceServer, search, firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS); if (matchingUri != null && matchingUri && resources.isEmpty()) { Map attributes = new EnumMap<>(Resource.FilterOption.class); attributes.put(Resource.FilterOption.URI_NOT_NULL, new String[] {"true"}); - attributes.put(Resource.FilterOption.OWNER, new String[] {resourceServer.getId()}); + attributes.put(Resource.FilterOption.OWNER, new String[] {resourceServer.getClientId()}); - List serverResources = storeFactory.getResourceStore().findByResourceServer(attributes, this.resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : -1); + List serverResources = storeFactory.getResourceStore().findByResourceServer(this.resourceServer, attributes, firstResult != null ? firstResult : -1, maxResult != null ? maxResult : -1); PathMatcher> pathMatcher = new PathMatcher>() { @Override 
diff --git a/services/src/main/java/org/keycloak/authorization/admin/ScopeService.java b/services/src/main/java/org/keycloak/authorization/admin/ScopeService.java index 859166b48a..9b8c91937e 100644 --- a/services/src/main/java/org/keycloak/authorization/admin/ScopeService.java +++ b/services/src/main/java/org/keycloak/authorization/admin/ScopeService.java @@ -50,6 +50,7 @@ import javax.ws.rs.core.Response; import javax.ws.rs.core.Response.Status; import java.util.Arrays; +import java.util.Collections; import java.util.EnumMap; import java.util.List; import java.util.Map; @@ -100,7 +101,7 @@ public class ScopeService { this.auth.realm().requireManageAuthorization(); scope.setId(id); StoreFactory storeFactory = authorization.getStoreFactory(); - Scope model = storeFactory.getScopeStore().findById(scope.getId(), resourceServer.getId()); + Scope model = storeFactory.getScopeStore().findById(resourceServer, scope.getId()); if (model == null) { return Response.status(Status.NOT_FOUND).build(); 
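Review bot: With `Arrays.asList(...)` replaced by `Collections.singleton`/`Collections.singletonList` in the delete, getResources and getPermissions hunks of ScopeService, the `import java.util.Arrays;` that survives as context in the first hunk looks unused. If no other use remains outside the shown hunks, drop it so the file does not carry a dead import next to the newly added `java.util.Collections`; the compiler's unused-import warning would confirm either way.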
@@ -118,20 +119,19 @@ public class ScopeService { public Response delete(@PathParam("id") String id) { this.auth.realm().requireManageAuthorization(); StoreFactory storeFactory = authorization.getStoreFactory(); - List resources = storeFactory.getResourceStore().findByScope(Arrays.asList(id), resourceServer.getId()); - - if (!resources.isEmpty()) { - return ErrorResponse.error("Scopes can not be removed while associated with resources.", Status.BAD_REQUEST); - } - - Scope scope = storeFactory.getScopeStore().findById(id, resourceServer.getId()); - + Scope scope = storeFactory.getScopeStore().findById(resourceServer, id); if (scope == null) { return Response.status(Status.NOT_FOUND).build(); } + List resources = storeFactory.getResourceStore().findByScopes(resourceServer, Collections.singleton(scope)); + if (!resources.isEmpty()) { + return ErrorResponse.error("Scopes can not be removed while associated with resources.", Status.BAD_REQUEST); + } + + PolicyStore policyStore = storeFactory.getPolicyStore(); - List policies = policyStore.findByScopeIds(Arrays.asList(scope.getId()), resourceServer.getId()); + List policies = policyStore.findByScopes(resourceServer, Collections.singletonList(scope)); for (Policy policyModel : policies) { if (policyModel.getScopes().size() == 1) { @@ -154,7 +154,7 @@ public class ScopeService { @Produces(MediaType.APPLICATION_JSON) public Response findById(@PathParam("id") String id) { this.auth.realm().requireViewAuthorization(); - Scope model = this.authorization.getStoreFactory().getScopeStore().findById(id, resourceServer.getId()); + Scope model = this.authorization.getStoreFactory().getScopeStore().findById(resourceServer, id); if (model == null) { return Response.status(Status.NOT_FOUND).build(); 
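Review bot: Style: the delete hunk leaves two consecutive blank lines before `PolicyStore policyStore = storeFactory.getPolicyStore();`, one added by the commit and one pre-existing. Dropping the added blank line keeps the method's spacing consistent with the rest of the file.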
@@ -170,13 +170,13 @@ public class ScopeService { public Response getResources(@PathParam("id") String id) { this.auth.realm().requireViewAuthorization(); StoreFactory storeFactory = this.authorization.getStoreFactory(); - Scope model = storeFactory.getScopeStore().findById(id, resourceServer.getId()); + Scope model = storeFactory.getScopeStore().findById(resourceServer, id); if (model == null) { return Response.status(Status.NOT_FOUND).build(); } - return Response.ok(storeFactory.getResourceStore().findByScope(Arrays.asList(model.getId()), resourceServer.getId()).stream().map(resource -> { + return Response.ok(storeFactory.getResourceStore().findByScopes(resourceServer, Collections.singleton(model)).stream().map(resource -> { ResourceRepresentation representation = new ResourceRepresentation(); representation.setId(resource.getId()); @@ -193,7 +193,7 @@ public class ScopeService { public Response getPermissions(@PathParam("id") String id) { this.auth.realm().requireViewAuthorization(); StoreFactory storeFactory = this.authorization.getStoreFactory(); - Scope model = storeFactory.getScopeStore().findById(id, resourceServer.getId()); + Scope model = storeFactory.getScopeStore().findById(resourceServer, id); if (model == null) { return Response.status(Status.NOT_FOUND).build(); @@ -201,7 +201,7 @@ public class ScopeService { PolicyStore policyStore = storeFactory.getPolicyStore(); - return Response.ok(policyStore.findByScopeIds(Arrays.asList(model.getId()), resourceServer.getId()).stream().map(policy -> { + return Response.ok(policyStore.findByScopes(resourceServer, Collections.singletonList(model)).stream().map(policy -> { PolicyRepresentation representation = new PolicyRepresentation(); representation.setId(policy.getId()); 
@@ -224,7 +224,7 @@ public class ScopeService { return Response.status(Status.BAD_REQUEST).build(); } - Scope model = storeFactory.getScopeStore().findByName(name, this.resourceServer.getId()); + Scope model = storeFactory.getScopeStore().findByName(this.resourceServer, name); if (model == null) { return Response.status(Status.NO_CONTENT).build(); @@ -253,7 +253,7 @@ public class ScopeService { } return Response.ok( - this.authorization.getStoreFactory().getScopeStore().findByResourceServer(search, this.resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS).stream() + this.authorization.getStoreFactory().getScopeStore().findByResourceServer(this.resourceServer, search, firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS).stream() .map(scope -> toRepresentation(scope)) .collect(Collectors.toList())) .build(); diff --git a/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponseBuilder.java b/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponseBuilder.java index b43fcd7d81..f8b5101ea9 100644 --- a/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponseBuilder.java +++ b/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponseBuilder.java @@ -64,7 +64,7 @@ public class PolicyEvaluationResponseBuilder { authorizationData.setPermissions(decision.results()); accessToken.setAuthorization(authorizationData); - ClientModel clientModel = authorization.getRealm().getClientById(resourceServer.getId()); + ClientModel clientModel = authorization.getRealm().getClientById(resourceServer.getClientId()); if (!accessToken.hasAudience(clientModel.getClientId())) { accessToken.audience(clientModel.getClientId()); 
@@ -194,7 +194,7 @@ public class PolicyEvaluationResponseBuilder { filters.put(PermissionTicket.FilterOption.POLICY_ID, policy.getId()); - List tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, policy.getResourceServer().getId(), -1, 1); + List tickets = authorization.getStoreFactory().getPermissionTicketStore().find(policy.getResourceServer(), filters, -1, 1); if (!tickets.isEmpty()) { KeycloakSession keycloakSession = authorization.getKeycloakSession(); diff --git a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java index c1834665dc..d2f72c849e 100644 --- a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java +++ b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java @@ -224,7 +224,7 @@ public class AuthorizationTokenService { if (isGranted(ticket, request, permissions)) { AuthorizationProvider authorization = request.getAuthorization(); - ClientModel targetClient = authorization.getRealm().getClientById(resourceServer.getId()); + ClientModel targetClient = authorization.getRealm().getClientById(resourceServer.getClientId()); Metadata metadata = request.getMetadata(); String responseMode = metadata != null ? metadata.getResponseMode() : null; @@ -516,7 +516,7 @@ public class AuthorizationTokenService { break; } - Resource resource = resourceStore.findById(grantedPermission.getResourceId(), resourceServer.getId()); + Resource resource = resourceStore.findById(resourceServer, grantedPermission.getResourceId()); if (resource != null) { ResourcePermission permission = permissionsToEvaluate.get(resource.getId()); 
@@ -540,7 +540,7 @@ public class AuthorizationTokenService { } for (String scopeName : grantedPermission.getScopes()) { - Scope scope = scopeStore.findByName(scopeName, resourceServer.getId()); + Scope scope = scopeStore.findByName(resourceServer, scopeName); if (scope != null) { if (!permission.getScopes().contains(scope)) { @@ -561,7 +561,7 @@ public class AuthorizationTokenService { Set requestedScopesModel) { AtomicBoolean processed = new AtomicBoolean(); - resourceStore.findByScope(requestedScopesModel.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId(), resource -> { + resourceStore.findByScopes(resourceServer, requestedScopesModel, resource -> { if (limit != null && limit.get() <= 0) { return; } @@ -600,7 +600,7 @@ public class AuthorizationTokenService { Resource resource; if (resourceId.indexOf('-') != -1) { - resource = resourceStore.findById(resourceId, resourceServer.getId()); + resource = resourceStore.findById(resourceServer, resourceId); } else { resource = null; } 
@@ -610,33 +610,33 @@ public class AuthorizationTokenService { } else if (resourceId.startsWith("resource-type:")) { // only resource types, no resource instances. resource types are owned by the resource server String resourceType = resourceId.substring("resource-type:".length()); - resourceStore.findByType(resourceType, resourceServer.getId(), resourceServer.getId(), + resourceStore.findByType(resourceServer, resourceType, resourceServer.getClientId(), resource1 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource1)); } else if (resourceId.startsWith("resource-type-any:")) { // any resource with a given type String resourceType = resourceId.substring("resource-type-any:".length()); - resourceStore.findByType(resourceType, null, resourceServer.getId(), + resourceStore.findByType(resourceServer, resourceType, null, resource12 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource12)); } else if (resourceId.startsWith("resource-type-instance:")) { // only resource instances with a given type String resourceType = resourceId.substring("resource-type-instance:".length()); - resourceStore.findByTypeInstance(resourceType, resourceServer.getId(), + resourceStore.findByTypeInstance(resourceServer, resourceType, resource13 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource13)); } else if (resourceId.startsWith("resource-type-owner:")) { // only resources where the current identity is the owner String resourceType = resourceId.substring("resource-type-owner:".length()); - resourceStore.findByType(resourceType, identity.getId(), resourceServer.getId(), + resourceStore.findByType(resourceServer, resourceType, identity.getId(), resource14 -> addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, resource14)); } else { - Resource 
ownerResource = resourceStore.findByName(resourceId, identity.getId(), resourceServer.getId()); + Resource ownerResource = resourceStore.findByName(resourceServer, resourceId, identity.getId()); if (ownerResource != null) { permission.setResourceId(ownerResource.getId()); addPermission(request, resourceServer, authorization, permissionsToEvaluate, limit, requestedScopesModel, ownerResource); } - if (!identity.isResourceServer() || !identity.getId().equals(resourceServer.getId())) { - List tickets = storeFactory.getPermissionTicketStore().findGranted(resourceId, identity.getId(), resourceServer.getId()); + if (!identity.isResourceServer() || !identity.getId().equals(resourceServer.getClientId())) { + List tickets = storeFactory.getPermissionTicketStore().findGranted(resourceServer, resourceId, identity.getId()); if (!tickets.isEmpty()) { List scopes = new ArrayList<>(); @@ -656,7 +656,7 @@ public class AuthorizationTokenService { resourcePermission.setGranted(true); } - Resource serverResource = resourceStore.findByName(resourceId, resourceServer.getId()); + Resource serverResource = resourceStore.findByName(resourceServer, resourceId); if (serverResource != null) { permission.setResourceId(serverResource.getId()); @@ -685,7 +685,7 @@ public class AuthorizationTokenService { requestedScopes.addAll(Arrays.asList(clientAdditionalScopes.split(" "))); } - Set requestedScopesModel = requestedScopes.stream().map(s -> scopeStore.findByName(s, resourceServer.getId())).filter( + Set requestedScopesModel = requestedScopes.stream().map(s -> scopeStore.findByName(resourceServer, s)).filter( Objects::nonNull).collect(Collectors.toSet()); if (!requestedScopes.isEmpty() && requestedScopesModel.isEmpty()) { diff --git a/services/src/main/java/org/keycloak/authorization/protection/ProtectionService.java b/services/src/main/java/org/keycloak/authorization/protection/ProtectionService.java index e1bfb311d4..e01e808a14 100644 
--- a/services/src/main/java/org/keycloak/authorization/protection/ProtectionService.java +++ b/services/src/main/java/org/keycloak/authorization/protection/ProtectionService.java @@ -73,7 +73,7 @@ public class ProtectionService { private AdminEventBuilder createAdminEventBuilder(KeycloakIdentity identity, ResourceServer resourceServer) { RealmModel realm = authorization.getRealm(); - ClientModel client = realm.getClientById(resourceServer.getId()); + ClientModel client = realm.getClientById(resourceServer.getClientId()); KeycloakSession keycloakSession = authorization.getKeycloakSession(); UserModel serviceAccount = keycloakSession.users().getServiceAccount(client); AdminEventBuilder adminEvent = new AdminEventBuilder(realm, new AdminAuth(realm, identity.getAccessToken(), serviceAccount, client), keycloakSession, clientConnection); @@ -118,7 +118,7 @@ public class ProtectionService { ResourceServer resourceServer = getResourceServer(identity); KeycloakSession keycloakSession = authorization.getKeycloakSession(); RealmModel realm = keycloakSession.getContext().getRealm(); - ClientModel client = realm.getClientById(resourceServer.getId()); + ClientModel client = realm.getClientById(resourceServer.getClientId()); if (checkProtectionScope) { if (!identity.hasClientRole(client.getClientId(), "uma_protection")) { diff --git a/services/src/main/java/org/keycloak/authorization/protection/permission/AbstractPermissionService.java b/services/src/main/java/org/keycloak/authorization/protection/permission/AbstractPermissionService.java index dd1187a7f6..f8fa8fc8f5 100644 --- a/services/src/main/java/org/keycloak/authorization/protection/permission/AbstractPermissionService.java +++ b/services/src/main/java/org/keycloak/authorization/protection/permission/AbstractPermissionService.java 
@@ -74,19 +74,19 @@ public class AbstractPermissionService { throw new ErrorResponseException("invalid_resource_id", "Resource id or name not provided.", Response.Status.BAD_REQUEST); } } else { - Resource resource = resourceStore.findById(resourceSetId, resourceServer.getId()); + Resource resource = resourceStore.findById(resourceServer, resourceSetId); if (resource != null) { resources.add(resource); } else { - Resource userResource = resourceStore.findByName(resourceSetId, identity.getId(), this.resourceServer.getId()); + Resource userResource = resourceStore.findByName(this.resourceServer, resourceSetId, identity.getId()); if (userResource != null) { resources.add(userResource); } if (!identity.isResourceServer()) { - Resource serverResource = resourceStore.findByName(resourceSetId, this.resourceServer.getId()); + Resource serverResource = resourceStore.findByName(this.resourceServer, resourceSetId); if (serverResource != null) { resources.add(serverResource); @@ -127,13 +127,13 @@ public class AbstractPermissionService { scope = resource.getScopes().stream().filter(scope1 -> scope1.getName().equals(scopeName)).findFirst().orElse(null); if (scope == null && resource.getType() != null) { - scope = resourceStore.findByType(resource.getType(), resourceServer.getId()).stream() - .filter(baseResource -> baseResource.getOwner().equals(resource.getResourceServer())) + scope = resourceStore.findByType(resourceServer, resource.getType()).stream() + .filter(baseResource -> baseResource.getOwner().equals(resourceServer.getClientId())) .flatMap(resource1 -> resource1.getScopes().stream()) .filter(baseScope -> baseScope.getName().equals(scopeName)).findFirst().orElse(null); } } else { - scope = authorization.getStoreFactory().getScopeStore().findByName(scopeName, resourceServer.getId()); + scope = authorization.getStoreFactory().getScopeStore().findByName(resourceServer, scopeName); } if (scope == null) { 
diff --git a/services/src/main/java/org/keycloak/authorization/protection/permission/PermissionTicketService.java b/services/src/main/java/org/keycloak/authorization/protection/permission/PermissionTicketService.java index ebe4a8044c..a1465a6cd5 100644 --- a/services/src/main/java/org/keycloak/authorization/protection/permission/PermissionTicketService.java +++ b/services/src/main/java/org/keycloak/authorization/protection/permission/PermissionTicketService.java @@ -83,7 +83,7 @@ public class PermissionTicketService { throw new ErrorResponseException("invalid_permission", "created permissions should have requester or requesterName", Response.Status.BAD_REQUEST); ResourceStore rstore = this.authorization.getStoreFactory().getResourceStore(); - Resource resource = rstore.findById(representation.getResource(), resourceServer.getId()); + Resource resource = rstore.findById(resourceServer, representation.getResource()); if (resource == null ) throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not exists in this server.", Response.Status.BAD_REQUEST); if (!resource.getOwner().equals(this.identity.getId())) @@ -102,9 +102,9 @@ public class PermissionTicketService { ScopeStore sstore = this.authorization.getStoreFactory().getScopeStore(); if(representation.getScopeName() != null) - scope = sstore.findByName(representation.getScopeName(), resourceServer.getId()); + scope = sstore.findByName(resourceServer, representation.getScopeName()); else - scope = sstore.findById(representation.getScope(), resourceServer.getId()); + scope = sstore.findById(resourceServer, representation.getScope()); if (scope == null && representation.getScope() !=null ) throw new ErrorResponseException("invalid_scope", "Scope [" + representation.getScope() + "] is invalid", Response.Status.BAD_REQUEST); 
@@ -121,10 +121,10 @@ public class PermissionTicketService { attributes.put(PermissionTicket.FilterOption.SCOPE_ID, scope.getId()); attributes.put(PermissionTicket.FilterOption.REQUESTER, user.getId()); - if (!ticketStore.find(attributes, resourceServer.getId(), -1, -1).isEmpty()) + if (!ticketStore.find(resourceServer, attributes, null, null).isEmpty()) throw new ErrorResponseException("invalid_permission", "Permission already exists", Response.Status.BAD_REQUEST); - PermissionTicket ticket = ticketStore.create(resource.getId(), scope.getId(), user.getId(), resourceServer); + PermissionTicket ticket = ticketStore.create(resourceServer, resource, scope, user.getId()); if(representation.isGranted()) ticket.setGrantedTimestamp(java.lang.System.currentTimeMillis()); representation = ModelToRepresentation.toRepresentation(ticket, authorization); @@ -139,7 +139,7 @@ public class PermissionTicketService { } PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore(); - PermissionTicket ticket = ticketStore.findById(representation.getId(), resourceServer.getId()); + PermissionTicket ticket = ticketStore.findById(resourceServer, representation.getId()); if (ticket == null) { throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST); @@ -148,7 +148,7 @@ public class PermissionTicketService { if (!ticket.getOwner().equals(this.identity.getId()) && !this.identity.isResourceServer()) throw new ErrorResponseException("not_authorised", "permissions for [" + representation.getResource() + "] can be updated only by the owner or by the resource server", Response.Status.FORBIDDEN); - RepresentationToModel.toModel(representation, resourceServer.getId(), authorization); + RepresentationToModel.toModel(representation, resourceServer, authorization); return Response.noContent().build(); } 
@@ -163,7 +163,7 @@ public class PermissionTicketService { } PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore(); - PermissionTicket ticket = ticketStore.findById(id, resourceServer.getId()); + PermissionTicket ticket = ticketStore.findById(resourceServer, id); if (ticket == null) { throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST); @@ -192,7 +192,7 @@ public class PermissionTicketService { Map filters = getFilters(storeFactory, resourceId, scopeId, owner, requester, granted); - return Response.ok().entity(permissionTicketStore.find(filters, resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS) + return Response.ok().entity(permissionTicketStore.find(resourceServer, filters, firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS) .stream() .map(permissionTicket -> ModelToRepresentation.toRepresentation(permissionTicket, authorization, returnNames == null ? false : returnNames)) .collect(Collectors.toList())) @@ -211,7 +211,7 @@ public class PermissionTicketService { StoreFactory storeFactory = authorization.getStoreFactory(); PermissionTicketStore permissionTicketStore = storeFactory.getPermissionTicketStore(); Map filters = getFilters(storeFactory, resourceId, scopeId, owner, requester, granted); - long count = permissionTicketStore.count(filters, resourceServer.getId()); + long count = permissionTicketStore.count(resourceServer, filters); return Response.ok().entity(count).build(); } 
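Review bot: The `find` call in the `@@ -192` hunk still maps a missing `firstResult` to `-1`, while the other call sites this commit rewrites (PermissionTicketService `@@ -121`, AuthorizationBean, AccountFormService, ResourceService) pass `null` to the new `Integer` pagination parameters. Two sentinels for "no paging" force every store implementation to treat `-1` and `null` alike; an implementation that only checks for `null` would presumably pass `-1` through as an offset. Suggest `permissionTicketStore.find(resourceServer, filters, firstResult, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS)` here and the same shape in ScopeService `@@ -253`. The enclosing method starts outside the hunk.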
@@ -230,10 +230,10 @@ public class PermissionTicketService { if (scopeId != null) { ScopeStore scopeStore = storeFactory.getScopeStore(); - Scope scope = scopeStore.findById(scopeId, resourceServer.getId()); + Scope scope = scopeStore.findById(resourceServer, scopeId); if (scope == null) { - scope = scopeStore.findByName(scopeId, resourceServer.getId()); + scope = scopeStore.findByName(resourceServer, scopeId); } filters.put(PermissionTicket.FilterOption.SCOPE_ID, scope != null ? scope.getId() : scopeId); diff --git a/services/src/main/java/org/keycloak/authorization/protection/policy/UserManagedPermissionService.java b/services/src/main/java/org/keycloak/authorization/protection/policy/UserManagedPermissionService.java index aceeb9043d..9c8261d60a 100644 --- a/services/src/main/java/org/keycloak/authorization/protection/policy/UserManagedPermissionService.java +++ b/services/src/main/java/org/keycloak/authorization/protection/policy/UserManagedPermissionService.java @@ -132,7 +132,7 @@ public class UserManagedPermissionService { } private Policy getPolicy(@PathParam("policyId") String policyId) { - Policy existing = authorization.getStoreFactory().getPolicyStore().findById(policyId, resourceServer.getId()); + Policy existing = authorization.getStoreFactory().getPolicyStore().findById(resourceServer, policyId); if (existing == null) { throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Policy with [" + policyId + "] does not exist", Status.NOT_FOUND); 
@@ -143,7 +143,7 @@ public class UserManagedPermissionService { private void checkRequest(String resourceId, UmaPermissionRepresentation representation) { ResourceStore resourceStore = this.authorization.getStoreFactory().getResourceStore(); - Resource resource = resourceStore.findById(resourceId, resourceServer.getId()); + Resource resource = resourceStore.findById(resourceServer, resourceId); if (resource == null) { throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Resource [" + resourceId + "] cannot be found", Response.Status.BAD_REQUEST); diff --git a/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java b/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java index 3df2391af6..75d59a2ff0 100755 --- a/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java +++ b/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java @@ -309,11 +309,11 @@ public class ExportUtils { representation.setName(null); representation.setClientId(null); - List resources = storeFactory.getResourceStore().findByResourceServer(settingsModel.getId()) + List resources = storeFactory.getResourceStore().findByResourceServer(settingsModel) .stream().map(resource -> { - ResourceRepresentation rep = toRepresentation(resource, settingsModel.getId(), authorization); + ResourceRepresentation rep = toRepresentation(resource, settingsModel, authorization); - if (rep.getOwner().getId().equals(settingsModel.getId())) { + if (rep.getOwner().getId().equals(settingsModel.getClientId())) { rep.setOwner((ResourceOwnerRepresentation) null); } else { rep.getOwner().setId(null); 
@@ -331,16 +331,16 @@ public class ExportUtils { List policies = new ArrayList<>(); PolicyStore policyStore = storeFactory.getPolicyStore(); - policies.addAll(policyStore.findByResourceServer(settingsModel.getId()) + policies.addAll(policyStore.findByResourceServer(settingsModel) .stream().filter(policy -> !policy.getType().equals("resource") && !policy.getType().equals("scope") && policy.getOwner() == null) .map(policy -> createPolicyRepresentation(authorization, policy)).collect(Collectors.toList())); - policies.addAll(policyStore.findByResourceServer(settingsModel.getId()) + policies.addAll(policyStore.findByResourceServer(settingsModel) .stream().filter(policy -> (policy.getType().equals("resource") || policy.getType().equals("scope") && policy.getOwner() == null)) .map(policy -> createPolicyRepresentation(authorization, policy)).collect(Collectors.toList())); representation.setPolicies(policies); - List scopes = storeFactory.getScopeStore().findByResourceServer(settingsModel.getId()).stream().map(scope -> { + List scopes = storeFactory.getScopeStore().findByResourceServer(settingsModel).stream().map(scope -> { ScopeRepresentation rep = toRepresentation(scope); rep.setPolicies(null); diff --git a/services/src/main/java/org/keycloak/forms/account/freemarker/model/AuthorizationBean.java b/services/src/main/java/org/keycloak/forms/account/freemarker/model/AuthorizationBean.java index f5041cd42c..19f6f0cd3f 100755 --- a/services/src/main/java/org/keycloak/forms/account/freemarker/model/AuthorizationBean.java +++ b/services/src/main/java/org/keycloak/forms/account/freemarker/model/AuthorizationBean.java 
@@ -34,6 +34,7 @@ import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.model.PermissionTicket; import org.keycloak.authorization.model.Policy; import org.keycloak.authorization.model.Resource; +import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.model.Scope; import org.keycloak.authorization.store.PermissionTicketStore; import org.keycloak.common.util.Time; @@ -68,7 +69,7 @@ public class AuthorizationBean { List pathParameters = uriInfo.getPathParameters().get("resource_id"); if (pathParameters != null && !pathParameters.isEmpty()) { - Resource resource = authorization.getStoreFactory().getResourceStore().findById(pathParameters.get(0), null); + Resource resource = authorization.getStoreFactory().getResourceStore().findById(null, pathParameters.get(0)); if (resource != null && !resource.getOwner().equals(user.getId())) { throw new RuntimeException("User [" + user.getUsername() + "] can not access resource [" + resource.getId() + "]"); @@ -104,7 +105,7 @@ public class AuthorizationBean { public List getResources() { if (resources == null) { - resources = authorization.getStoreFactory().getResourceStore().findByOwner(user.getId(), null).stream() + resources = authorization.getStoreFactory().getResourceStore().findByOwner(null, user.getId()).stream() .filter(Resource::isOwnerManagedAccess) .map(ResourceBean::new) .collect(Collectors.toList()); @@ -121,7 +122,7 @@ public class AuthorizationBean { PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore(); - userSharedResources = toResourceRepresentation(ticketStore.find(filters, null, -1, -1)); + userSharedResources = toResourceRepresentation(ticketStore.find(null, filters, null, null)); } return userSharedResources; } 
@@ -139,7 +140,7 @@ public class AuthorizationBean { } private ResourceBean getResource(String id) { - return new ResourceBean(authorization.getStoreFactory().getResourceStore().findById(id, null)); + return new ResourceBean(authorization.getStoreFactory().getResourceStore().findById(null, id)); } public static class RequesterBean { @@ -235,7 +236,8 @@ public class AuthorizationBean { public ResourceBean(Resource resource) { RealmModel realm = authorization.getRealm(); - resourceServer = new ResourceServerBean(realm.getClientById(resource.getResourceServer())); + ResourceServer resourceServerModel = resource.getResourceServer(); + resourceServer = new ResourceServerBean(realm.getClientById(resourceServerModel.getClientId()), resourceServerModel); this.resource = resource; userOwner = authorization.getKeycloakSession().users().getUserById(realm, resource.getOwner()); if (userOwner == null) { @@ -304,7 +306,7 @@ public class AuthorizationBean { filters.put(Policy.FilterOption.OWNER, new String[] {getClientOwner().getId()}); } - List policies = authorization.getStoreFactory().getPolicyStore().findByResourceServer(filters, getResourceServer().getId(), -1, -1); + List policies = authorization.getStoreFactory().getPolicyStore().findByResourceServer(getResourceServer().getResourceServerModel(), filters, null, null); if (policies.isEmpty()) { return Collections.emptyList(); @@ -316,7 +318,7 @@ public class AuthorizationBean { filters1.put(PermissionTicket.FilterOption.POLICY_ID, policy.getId()); - return authorization.getStoreFactory().getPermissionTicketStore().find(filters1, resourceServer.getId(), -1, 1) + return authorization.getStoreFactory().getPermissionTicketStore().find(resourceServer.getResourceServerModel(), filters1, -1, 1) .isEmpty(); }) .map(ManagedPermissionBean::new).collect(Collectors.toList()); 
@@ -368,19 +370,21 @@ public class AuthorizationBean { } private List findPermissions(Map filters) { - return authorization.getStoreFactory().getPermissionTicketStore().find(filters, null, -1, -1); + return authorization.getStoreFactory().getPermissionTicketStore().find(null, filters, null, null); } public class ResourceServerBean { private ClientModel clientModel; + private ResourceServer resourceServer; - public ResourceServerBean(ClientModel clientModel) { + public ResourceServerBean(ClientModel clientModel, ResourceServer resourceServer) { this.clientModel = clientModel; + this.resourceServer = resourceServer; } public String getId() { - return clientModel.getId(); + return resourceServer.getId(); } public String getName() { @@ -410,6 +414,10 @@ public class AuthorizationBean { public String getBaseUri() { return ResolveRelative.resolveRelativeUri(session, clientModel.getRootUrl(), clientModel.getBaseUrl()); } + + public ResourceServer getResourceServerModel() { + return resourceServer; + } } public class ManagedPermissionBean { diff --git a/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java b/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java index afa0ca5f76..a9b607df91 100755 --- a/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java +++ b/services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java @@ -25,6 +25,7 @@ import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.model.Scope; import org.keycloak.authorization.store.PermissionTicketStore; import org.keycloak.authorization.store.PolicyStore; +import org.keycloak.authorization.store.ScopeStore; import org.keycloak.common.Profile; import org.keycloak.common.util.Base64Url; import org.keycloak.common.util.Time; 
@@ -110,6 +111,7 @@ import java.util.Map; import java.util.Objects; import java.util.Set; import java.util.UUID; +import java.util.function.Predicate; import java.util.stream.Collectors; /** @@ -760,7 +762,7 @@ public class AccountFormService extends AbstractSecuredLocalService { AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class); PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore(); - Resource resource = authorization.getStoreFactory().getResourceStore().findById(resourceId, null); + Resource resource = authorization.getStoreFactory().getResourceStore().findById(null, resourceId); if (resource == null) { return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST); @@ -780,13 +782,14 @@ public class AccountFormService extends AbstractSecuredLocalService { List ids = new ArrayList<>(Arrays.asList(permissionId)); Iterator iterator = ids.iterator(); PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore(); + ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findByClient(client); Policy policy = null; while (iterator.hasNext()) { String id = iterator.next(); if (!id.contains(":")) { - policy = policyStore.findById(id, client.getId()); + policy = policyStore.findById(resourceServer, id); iterator.remove(); break; } @@ -800,7 +803,7 @@ public class AccountFormService extends AbstractSecuredLocalService { } } else { for (String id : ids) { - scopesToKeep.add(authorization.getStoreFactory().getScopeStore().findById(id.split(":")[1], client.getId())); + scopesToKeep.add(authorization.getStoreFactory().getScopeStore().findById(resourceServer, id.split(":")[1])); } for (Scope scope : policy.getScopes()) { 
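Review bot: `resourceServer` obtained from `findByClient(client)` in the `@@ -780` hunk is passed to `policyStore.findById` and, in the `@@ -800` hunk, to `scopeStore.findById` without a null check. Elsewhere in this commit a `null` resource server appears to be the deliberate "any server" form (`findById(null, resourceId)` in AuthorizationBean), so if `client` is not a resource server the lookup that was previously scoped to `client.getId()` would silently become unscoped and could resolve a policy or scope belonging to a different resource server. Suggest `if (resourceServer == null) { return ErrorResponse.error("Invalid resource server", Response.Status.BAD_REQUEST); }` directly after the lookup, using whatever error form the surrounding method already returns. The enclosing method starts and ends outside the hunk.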
@@ -829,7 +832,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
 filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString());
 }
- List tickets = ticketStore.find(filters, resource.getResourceServer(), -1, -1);
+ List tickets = ticketStore.find(resource.getResourceServer(), filters, null, null);
 Iterator iterator = tickets.iterator();
 while (iterator.hasNext()) {
@@ -884,8 +887,9 @@ public class AccountFormService extends AbstractSecuredLocalService {
 AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
 PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
- Resource resource = authorization.getStoreFactory().getResourceStore().findById(resourceId, null);
- ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findById(resource.getResourceServer());
+ ScopeStore scopeStore = authorization.getStoreFactory().getScopeStore();
+ Resource resource = authorization.getStoreFactory().getResourceStore().findById(null, resourceId);
+ ResourceServer resourceServer = resource.getResourceServer();
 if (resource == null) {
 return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
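Review bot: `resource.getResourceServer()` is dereferenced on the added line before the `if (resource == null)` check that follows, so an unknown `resourceId` produces a NullPointerException instead of the `"Invalid resource"` 400 the check is meant to return. The removed code had the same ordering, but since the commit rewrites both lines it is the place to fix it: keep `Resource resource = authorization.getStoreFactory().getResourceStore().findById(null, resourceId);` where it is and move `ResourceServer resourceServer = resource.getResourceServer();` to just after the null check's closing brace. The enclosing method starts and ends outside the hunk.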
@@ -918,38 +922,39 @@ public class AccountFormService extends AbstractSecuredLocalService { filters.put(PermissionTicket.FilterOption.OWNER, auth.getUser().getId()); filters.put(PermissionTicket.FilterOption.REQUESTER, user.getId()); - List tickets = ticketStore.find(filters, resource.getResourceServer(), -1, -1); + List tickets = ticketStore.find(resourceServer, filters, null, null); + final String userId = user.getId(); if (tickets.isEmpty()) { if (scopes != null && scopes.length > 0) { - for (String scope : scopes) { - PermissionTicket ticket = ticketStore.create(resourceId, scope, user.getId(), resourceServer); + for (String scopeId : scopes) { + Scope scope = scopeStore.findById(resourceServer, scopeId); + PermissionTicket ticket = ticketStore.create(resourceServer, resource, scope, userId); ticket.setGrantedTimestamp(System.currentTimeMillis()); } } else { if (resource.getScopes().isEmpty()) { - PermissionTicket ticket = ticketStore.create(resourceId, null, user.getId(), resourceServer); + PermissionTicket ticket = ticketStore.create(resourceServer, resource, null, userId); ticket.setGrantedTimestamp(System.currentTimeMillis()); } else { for (Scope scope : resource.getScopes()) { - PermissionTicket ticket = ticketStore.create(resourceId, scope.getId(), user.getId(), resourceServer); + PermissionTicket ticket = ticketStore.create(resourceServer, resource, scope, userId); ticket.setGrantedTimestamp(System.currentTimeMillis()); } } } } else if (scopes != null && scopes.length > 0) { List grantScopes = new ArrayList<>(Arrays.asList(scopes)); + Set alreadyGrantedScopes = tickets.stream() + .map(PermissionTicket::getScope) + .map(Scope::getId) + .collect(Collectors.toSet()); - for (PermissionTicket ticket : tickets) { - Scope scope = ticket.getScope(); + grantScopes.removeIf(alreadyGrantedScopes::contains); - if (scope != null) { - grantScopes.remove(scope.getId()); - } - } - - for (String grantScope : grantScopes) { - PermissionTicket ticket = 
ticketStore.create(resourceId, grantScope, user.getId(), resourceServer); + for (String scopeId : grantScopes) { + Scope scope = scopeStore.findById(resourceServer, scopeId); + PermissionTicket ticket = ticketStore.create(resourceServer, resource, scope, userId); ticket.setGrantedTimestamp(System.currentTimeMillis()); } } @@ -978,7 +983,7 @@ public class AccountFormService extends AbstractSecuredLocalService { } for (String resourceId : resourceIds) { - Resource resource = authorization.getStoreFactory().getResourceStore().findById(resourceId, null); + Resource resource = authorization.getStoreFactory().getResourceStore().findById(null, resourceId); if (resource == null) { return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST); @@ -995,7 +1000,7 @@ public class AccountFormService extends AbstractSecuredLocalService { filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString()); } - for (PermissionTicket ticket : ticketStore.find(filters, resource.getResourceServer(), -1, -1)) { + for (PermissionTicket ticket : ticketStore.find(resource.getResourceServer(), filters, null, null)) { ticketStore.delete(ticket.getId()); } } diff --git a/services/src/main/java/org/keycloak/services/resources/account/resources/AbstractResourceService.java b/services/src/main/java/org/keycloak/services/resources/account/resources/AbstractResourceService.java index 5588bc6857..7352dddb26 100644 --- a/services/src/main/java/org/keycloak/services/resources/account/resources/AbstractResourceService.java +++ b/services/src/main/java/org/keycloak/services/resources/account/resources/AbstractResourceService.java 
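Review bot: The new `alreadyGrantedScopes` stream in the `@@ -918` hunk maps `PermissionTicket::getScope` straight into `Scope::getId`, dropping the `if (scope != null)` guard the removed loop had; the same method creates resource-level tickets with a `null` scope a few lines above (`ticketStore.create(resourceServer, resource, null, userId)`), so an existing ticket of that kind makes this path throw. Add `.filter(Objects::nonNull)` between the two `map` calls (`java.util.Objects` is already imported in this file). Separately, both new `Scope scope = scopeStore.findById(resourceServer, scopeId);` results are handed to `ticketStore.create` unchecked: the old code passed the raw id string, whereas a `null` Scope is now indistinguishable from the deliberate whole-resource grant above, so an unknown scope id submitted through the form would plausibly widen the grant instead of failing. `if (scope == null) { return ErrorResponse.error("Invalid scope", Response.Status.BAD_REQUEST); }` after each lookup would close that; the same pattern appears in ResourceService.grantPermission (`@@ -205` hunk), where `getScope` can return `null` and the removed `scope.getId()` used to fail loudly. The enclosing method starts outside the hunk.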
@@ -28,6 +28,7 @@ import java.util.stream.Collectors; import org.jboss.resteasy.spi.HttpRequest; import org.keycloak.authorization.AuthorizationProvider; import org.keycloak.authorization.model.PermissionTicket; +import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.store.PermissionTicketStore; import org.keycloak.authorization.store.ResourceStore; import org.keycloak.authorization.store.ScopeStore; @@ -82,7 +83,8 @@ public abstract class AbstractResourceService { setScopes(resource.getScopes().stream().map(Scope::new).collect(Collectors.toSet())); - this.client = new Client(provider.getRealm().getClientById(resource.getResourceServer())); + ResourceServer resourceServer = resource.getResourceServer(); + this.client = new Client(provider.getRealm().getClientById(resourceServer.getClientId())); } Resource(org.keycloak.authorization.model.Resource resource, AuthorizationProvider provider) { diff --git a/services/src/main/java/org/keycloak/services/resources/account/resources/ResourceService.java b/services/src/main/java/org/keycloak/services/resources/account/resources/ResourceService.java index 2147c9bd05..f9872d5fdf 100644 --- a/services/src/main/java/org/keycloak/services/resources/account/resources/ResourceService.java +++ b/services/src/main/java/org/keycloak/services/resources/account/resources/ResourceService.java @@ -58,7 +58,7 @@ public class ResourceService extends AbstractResourceService { Auth auth, HttpRequest request) { super(session, user, auth, request); this.resource = resource; - this.resourceServer = provider.getStoreFactory().getResourceServerStore().findByClient(provider.getRealm().getClientById(resource.getResourceServer())); + this.resourceServer = resource.getResourceServer(); } /** 
@@ -87,7 +87,7 @@ public class ResourceService extends AbstractResourceService { filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString()); filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId()); - Collection resources = toPermissions(ticketStore.find(filters, null, -1, -1)); + Collection resources = toPermissions(ticketStore.find(null, filters, null, null)); Collection permissions = Collections.EMPTY_LIST; if (!resources.isEmpty()) { @@ -135,7 +135,7 @@ public class ResourceService extends AbstractResourceService { filters.put(PermissionTicket.FilterOption.REQUESTER, user.getId()); - List tickets = ticketStore.find(filters, resource.getResourceServer(), -1, -1); + List tickets = ticketStore.find(resource.getResourceServer(), filters, null, null); // grants all requested permissions if (tickets.isEmpty()) { @@ -196,7 +196,7 @@ public class ResourceService extends AbstractResourceService { Map requests = new HashMap<>(); - for (PermissionTicket ticket : ticketStore.find(filters, null, -1, -1)) { + for (PermissionTicket ticket : ticketStore.find(null, filters, null, null)) { requests.computeIfAbsent(ticket.getRequester(), requester -> new Permission(ticket, provider)).addScope(ticket.getScope().getName()); } 
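Review bot: `ticketStore.find(null, filters, null, null)` in `@@ -87` and `@@ -196` passes `null` for the resource server even though `this.resourceServer` is initialised from the resource in the constructor (`@@ -58`), while `@@ -135` passes `resource.getResourceServer()` for the same kind of query. The RESOURCE_ID filter presumably keeps the result correct, but the unscoped form lets the store search across every resource server and reads as if the server were unknown. Use the field in all three places: `ticketStore.find(resourceServer, filters, null, null)`. The enclosing methods start and end outside these hunks.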
@@ -205,15 +205,15 @@ public class ResourceService extends AbstractResourceService { private void grantPermission(UserModel user, String scopeId) { org.keycloak.authorization.model.Scope scope = getScope(scopeId, resourceServer); - PermissionTicket ticket = ticketStore.create(resource.getId(), scope.getId(), user.getId(), resourceServer); + PermissionTicket ticket = ticketStore.create(resourceServer, resource, scope, user.getId()); ticket.setGrantedTimestamp(Calendar.getInstance().getTimeInMillis()); } private org.keycloak.authorization.model.Scope getScope(String scopeId, ResourceServer resourceServer) { - org.keycloak.authorization.model.Scope scope = scopeStore.findByName(scopeId, resourceServer.getId()); + org.keycloak.authorization.model.Scope scope = scopeStore.findByName(resourceServer, scopeId); if (scope == null) { - scope = scopeStore.findById(scopeId, resourceServer.getId()); + scope = scopeStore.findById(resourceServer, scopeId); } return scope; diff --git a/services/src/main/java/org/keycloak/services/resources/account/resources/ResourcesService.java b/services/src/main/java/org/keycloak/services/resources/account/resources/ResourcesService.java index a602fc2429..bedf60dc5d 100644 --- a/services/src/main/java/org/keycloak/services/resources/account/resources/ResourcesService.java +++ b/services/src/main/java/org/keycloak/services/resources/account/resources/ResourcesService.java @@ -73,7 +73,7 @@ public class ResourcesService extends AbstractResourceService { filters.put(org.keycloak.authorization.model.Resource.FilterOption.NAME, new String[] { name }); } - return queryResponse((f, m) -> resourceStore.findByResourceServer(filters, null, f, m).stream() + return queryResponse((f, m) -> resourceStore.findByResourceServer(null, filters, f, m).stream() .map(resource -> new Resource(resource, user, provider)), first, max); } 
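Review bot: `ticketStore.create(resourceServer, resource, scope, user.getId())` in `grantPermission` passes `scope` through unchecked; `getScope` returns null when neither the name nor the id lookup matches, and the old `scope.getId()` at least failed fast on this line, whereas now the null reaches the store and how a scope-less ticket is treated downstream is not visible here. Reject it explicitly before the create, e.g. `if (scope == null) { throw new IllegalArgumentException("unknown scope: " + scopeId); }`, or whichever not-found error this service uses elsewhere. The name-then-id fallback in `getScope` is unchanged and fine.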
@@ -123,7 +123,7 @@ public class ResourcesService extends AbstractResourceService { filters.put(PermissionTicket.FilterOption.REQUESTER, user.getId()); filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString()); - final List permissionTickets = ticketStore.find(filters, null, -1, -1); + final List permissionTickets = ticketStore.find(null, filters, null, null); final List resourceList = new ArrayList<>(permissionTickets.size()); for (PermissionTicket ticket : permissionTickets) { @@ -138,7 +138,7 @@ public class ResourcesService extends AbstractResourceService { @Path("{id}") public Object getResource(@PathParam("id") String id) { - org.keycloak.authorization.model.Resource resource = resourceStore.findById(id, null); + org.keycloak.authorization.model.Resource resource = resourceStore.findById(null, id); if (resource == null) { throw new NotFoundException("resource_not_found"); @@ -167,9 +167,9 @@ public class ResourcesService extends AbstractResourceService { filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString()); filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId()); - tickets = ticketStore.find(filters, null, -1, -1); + tickets = ticketStore.find(resource.getResourceServer(), filters, null, null); } else { - tickets = ticketStore.findGranted(resource.getName(), user.getId(), null); + tickets = ticketStore.findGranted(resource.getResourceServer(), resource.getName(), user.getId()); } for (PermissionTicket ticket : tickets) { diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java index 6d45ea8077..a456a5ce59 100644 --- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java 
@@ -95,15 +95,15 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM ResourceServer server = root.findOrCreateResourceServer(client); Scope manageScope = manageScope(server); if (manageScope == null) { - manageScope = authz.getStoreFactory().getScopeStore().create(AdminPermissionManagement.MANAGE_SCOPE, server); + manageScope = authz.getStoreFactory().getScopeStore().create(server, AdminPermissionManagement.MANAGE_SCOPE); } Scope viewScope = viewScope(server); if (viewScope == null) { - viewScope = authz.getStoreFactory().getScopeStore().create(AdminPermissionManagement.VIEW_SCOPE, server); + viewScope = authz.getStoreFactory().getScopeStore().create(server, AdminPermissionManagement.VIEW_SCOPE); } Scope mapRoleScope = mapRolesScope(server); if (mapRoleScope == null) { - mapRoleScope = authz.getStoreFactory().getScopeStore().create(MAP_ROLES_SCOPE, server); + mapRoleScope = authz.getStoreFactory().getScopeStore().create(server, MAP_ROLES_SCOPE); } Scope mapRoleClientScope = root.initializeScope(MAP_ROLES_CLIENT_SCOPE, server); Scope mapRoleCompositeScope = root.initializeScope(MAP_ROLES_COMPOSITE_SCOPE, server); @@ -111,9 +111,9 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM Scope exchangeToScope = root.initializeScope(TOKEN_EXCHANGE, server); String resourceName = getResourceName(client); - Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, resourceName); if (resource == null) { - resource = authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getId()); + resource = authz.getStoreFactory().getResourceStore().create(server, resourceName, server.getClientId()); resource.setType("Client"); Set scopeset = new HashSet<>(); scopeset.add(configureScope); 
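Review bot: `create(server, resourceName, server.getClientId())` in `@@ -111` changes the owner recorded on newly created admin-permission resources from the resource-server id to its client id, and the same change appears in GroupPermissions `@@ -105` and IdentityProviderPermissions `@@ -73`. Where the two ids coincide this is a no-op, but the commit message says the layers are being prepared to distinguish them, so resources created before this change would keep the old owner value wherever the ids diverge. A comment stating which value `owner` is expected to hold, e.g. `// owner is the resource server's client id, not its internal id`, or a migration note would make the intent explicit. The enclosing method starts and ends outside these hunks.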
@@ -126,44 +126,44 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM resource.updateScopes(scopeset); } String managePermissionName = getManagePermissionName(client); - Policy managePermission = authz.getStoreFactory().getPolicyStore().findByName(managePermissionName, server.getId()); + Policy managePermission = authz.getStoreFactory().getPolicyStore().findByName(server, managePermissionName); if (managePermission == null) { Helper.addEmptyScopePermission(authz, server, managePermissionName, resource, manageScope); } String configurePermissionName = getConfigurePermissionName(client); - Policy configurePermission = authz.getStoreFactory().getPolicyStore().findByName(configurePermissionName, server.getId()); + Policy configurePermission = authz.getStoreFactory().getPolicyStore().findByName(server, configurePermissionName); if (configurePermission == null) { Helper.addEmptyScopePermission(authz, server, configurePermissionName, resource, configureScope); } String viewPermissionName = getViewPermissionName(client); - Policy viewPermission = authz.getStoreFactory().getPolicyStore().findByName(viewPermissionName, server.getId()); + Policy viewPermission = authz.getStoreFactory().getPolicyStore().findByName(server, viewPermissionName); if (viewPermission == null) { Helper.addEmptyScopePermission(authz, server, viewPermissionName, resource, viewScope); } String mapRolePermissionName = getMapRolesPermissionName(client); - Policy mapRolePermission = authz.getStoreFactory().getPolicyStore().findByName(mapRolePermissionName, server.getId()); + Policy mapRolePermission = authz.getStoreFactory().getPolicyStore().findByName(server, mapRolePermissionName); if (mapRolePermission == null) { Helper.addEmptyScopePermission(authz, server, mapRolePermissionName, resource, mapRoleScope); } String mapRoleClientScopePermissionName = getMapRolesClientScopePermissionName(client); - Policy mapRoleClientScopePermission = 
authz.getStoreFactory().getPolicyStore().findByName(mapRoleClientScopePermissionName, server.getId()); + Policy mapRoleClientScopePermission = authz.getStoreFactory().getPolicyStore().findByName(server, mapRoleClientScopePermissionName); if (mapRoleClientScopePermission == null) { Helper.addEmptyScopePermission(authz, server, mapRoleClientScopePermissionName, resource, mapRoleClientScope); } String mapRoleCompositePermissionName = getMapRolesCompositePermissionName(client); - Policy mapRoleCompositePermission = authz.getStoreFactory().getPolicyStore().findByName(mapRoleCompositePermissionName, server.getId()); + Policy mapRoleCompositePermission = authz.getStoreFactory().getPolicyStore().findByName(server, mapRoleCompositePermissionName); if (mapRoleCompositePermission == null) { Helper.addEmptyScopePermission(authz, server, mapRoleCompositePermissionName, resource, mapRoleCompositeScope); } String exchangeToPermissionName = getExchangeToPermissionName(client); - Policy exchangeToPermission = authz.getStoreFactory().getPolicyStore().findByName(exchangeToPermissionName, server.getId()); + Policy exchangeToPermission = authz.getStoreFactory().getPolicyStore().findByName(server, exchangeToPermissionName); if (exchangeToPermission == null) { Helper.addEmptyScopePermission(authz, server, exchangeToPermissionName, resource, exchangeToScope); } } private void deletePolicy(String name, ResourceServer server) { - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(name, server.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, name); if (policy != null) { authz.getStoreFactory().getPolicyStore().delete(policy.getId()); } 
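Review bot: Every lookup in this hunk repeats `authz.getStoreFactory().getPolicyStore()` — seven `findByName` calls in the initialization block plus one in `deletePolicy` — where GroupPermissions (`@@ -118`) already works through a `policyStore` field. Since each of these lines is rewritten here anyway, hoisting `PolicyStore policyStore = authz.getStoreFactory().getPolicyStore();` at the top of the block, or as a field matching GroupPermissions, would shorten the lines and remove the repeated lookup. The initialization method starts outside the hunk.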
@@ -180,7 +180,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM deletePolicy(getMapRolesCompositePermissionName(client), server); deletePolicy(getConfigurePermissionName(client), server); deletePolicy(getExchangeToPermissionName(client), server); - Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());; + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(client));; if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId()); } @@ -189,7 +189,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM ResourceServer server = resourceServer(client); if (server == null) return false; - return authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId()) != null; + return authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(client)) != null; } @Override 
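Review bot: The rewritten line `findByName(server, getResourceName(client));;` keeps the stray second semicolon (an empty statement) from the original; since the line is touched anyway, drop it: `Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(client));`. The same `;;` survives in IdentityProviderPermissions `@@ -100`. The enclosing method starts outside the hunk.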
@@ -204,22 +204,22 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM private Scope manageScope(ResourceServer server) { - return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.MANAGE_SCOPE, server.getId()); + return authz.getStoreFactory().getScopeStore().findByName(server, AdminPermissionManagement.MANAGE_SCOPE); } private Scope exchangeToScope(ResourceServer server) { - return authz.getStoreFactory().getScopeStore().findByName(TOKEN_EXCHANGE, server.getId()); + return authz.getStoreFactory().getScopeStore().findByName(server, TOKEN_EXCHANGE); } private Scope configureScope(ResourceServer server) { - return authz.getStoreFactory().getScopeStore().findByName(CONFIGURE_SCOPE, server.getId()); + return authz.getStoreFactory().getScopeStore().findByName(server, CONFIGURE_SCOPE); } private Scope viewScope(ResourceServer server) { - return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.VIEW_SCOPE, server.getId()); + return authz.getStoreFactory().getScopeStore().findByName(server, AdminPermissionManagement.VIEW_SCOPE); } private Scope mapRolesScope(ResourceServer server) { - return authz.getStoreFactory().getScopeStore().findByName(MAP_ROLES_SCOPE, server.getId()); + return authz.getStoreFactory().getScopeStore().findByName(server, MAP_ROLES_SCOPE); } @Override @@ -284,7 +284,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM public Resource resource(ClientModel client) { ResourceServer server = resourceServer(client); if (server == null) return null; - Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(client)); if (resource == null) return null; return resource; } 
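Review bot: In `resource(ClientModel)` (`@@ -284`) the trailing `if (resource == null) return null; return resource;` is redundant — both branches return the same value — so the method can end with `return authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(client));`. The identical pattern is in GroupPermissions `resource(GroupModel)` (`@@ -178`) and IdentityProviderPermissions `resource(IdentityProviderModel)` (`@@ -124`). The five scope accessors in `@@ -204` are fine as rewritten.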
@@ -313,13 +313,13 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM return false; } - Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(to), server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(to)); if (resource == null) { logger.debug("No resource object set up for target client"); return false; } - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getExchangeToPermissionName(to), server.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, getExchangeToPermissionName(to)); if (policy == null) { logger.debug("No permission object set up for target client"); return false; @@ -366,10 +366,10 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM ResourceServer server = resourceServer(client); if (server == null) return false; - Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(client)); if (resource == null) return false; - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getManagePermissionName(client), server.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, getManagePermissionName(client)); if (policy == null) { return false; } 
@@ -394,10 +394,10 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM ResourceServer server = resourceServer(client); if (server == null) return false; - Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(client)); if (resource == null) return false; - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getConfigurePermissionName(client), server.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, getConfigurePermissionName(client)); if (policy == null) { return false; } @@ -440,10 +440,10 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM ResourceServer server = resourceServer(client); if (server == null) return false; - Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(client)); if (resource == null) return false; - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getViewPermissionName(client), server.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, getViewPermissionName(client)); if (policy == null) { return false; } 
@@ -519,10 +519,10 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM ResourceServer server = resourceServer(client); if (server == null) return false; - Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(client)); if (resource == null) return false; - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapRolesPermissionName(client), server.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, getMapRolesPermissionName(client)); if (policy == null) { return false; } 
@@ -541,49 +541,49 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM public Policy exchangeToPermission(ClientModel client) { ResourceServer server = resourceServer(client); if (server == null) return null; - return authz.getStoreFactory().getPolicyStore().findByName(getExchangeToPermissionName(client), server.getId()); + return authz.getStoreFactory().getPolicyStore().findByName(server, getExchangeToPermissionName(client)); } @Override public Policy mapRolesPermission(ClientModel client) { ResourceServer server = resourceServer(client); if (server == null) return null; - return authz.getStoreFactory().getPolicyStore().findByName(getMapRolesPermissionName(client), server.getId()); + return authz.getStoreFactory().getPolicyStore().findByName(server, getMapRolesPermissionName(client)); } @Override public Policy mapRolesClientScopePermission(ClientModel client) { ResourceServer server = resourceServer(client); if (server == null) return null; - return authz.getStoreFactory().getPolicyStore().findByName(getMapRolesClientScopePermissionName(client), server.getId()); + return authz.getStoreFactory().getPolicyStore().findByName(server, getMapRolesClientScopePermissionName(client)); } @Override public Policy mapRolesCompositePermission(ClientModel client) { ResourceServer server = resourceServer(client); if (server == null) return null; - return authz.getStoreFactory().getPolicyStore().findByName(getMapRolesCompositePermissionName(client), server.getId()); + return authz.getStoreFactory().getPolicyStore().findByName(server, getMapRolesCompositePermissionName(client)); } @Override public Policy managePermission(ClientModel client) { ResourceServer server = resourceServer(client); if (server == null) return null; - return authz.getStoreFactory().getPolicyStore().findByName(getManagePermissionName(client), server.getId()); + return authz.getStoreFactory().getPolicyStore().findByName(server, getManagePermissionName(client)); } @Override public 
Policy configurePermission(ClientModel client) { ResourceServer server = resourceServer(client); if (server == null) return null; - return authz.getStoreFactory().getPolicyStore().findByName(getConfigurePermissionName(client), server.getId()); + return authz.getStoreFactory().getPolicyStore().findByName(server, getConfigurePermissionName(client)); } @Override public Policy viewPermission(ClientModel client) { ResourceServer server = resourceServer(client); if (server == null) return null; - return authz.getStoreFactory().getPolicyStore().findByName(getViewPermissionName(client), server.getId()); + return authz.getStoreFactory().getPolicyStore().findByName(server, getViewPermissionName(client)); } @Override @@ -596,10 +596,10 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM ResourceServer server = resourceServer(client); if (server == null) return false; - Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(client)); if (resource == null) return false; - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapRolesCompositePermissionName(client), server.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, getMapRolesCompositePermissionName(client)); if (policy == null) { return false; } @@ -610,7 +610,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM return false; } - Scope scope = authz.getStoreFactory().getScopeStore().findByName(MAP_ROLES_COMPOSITE_SCOPE, server.getId()); + Scope scope = authz.getStoreFactory().getScopeStore().findByName(server, MAP_ROLES_COMPOSITE_SCOPE); return root.evaluatePermission(resource, server, scope); } @Override 
@@ -618,10 +618,10 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM ResourceServer server = resourceServer(client); if (server == null) return false; - Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(client)); if (resource == null) return false; - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapRolesClientScopePermissionName(client), server.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, getMapRolesClientScopePermissionName(client)); if (policy == null) { return false; } @@ -632,7 +632,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM return false; } - Scope scope = authz.getStoreFactory().getScopeStore().findByName(MAP_ROLES_CLIENT_SCOPE, server.getId()); + Scope scope = authz.getStoreFactory().getScopeStore().findByName(server, MAP_ROLES_CLIENT_SCOPE); return root.evaluatePermission(resource, server, scope); } diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java index e94f31c5b7..73256fc967 100644 --- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java 
@@ -105,9 +105,9 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag Scope manageMembershipScope = root.initializeRealmScope(MANAGE_MEMBERSHIP_SCOPE); String groupResourceName = getGroupResourceName(group); - Resource groupResource = resourceStore.findByName(groupResourceName, server.getId()); + Resource groupResource = resourceStore.findByName(server, groupResourceName); if (groupResource == null) { - groupResource = resourceStore.create(groupResourceName, server, server.getId()); + groupResource = resourceStore.create(server, groupResourceName, server.getClientId()); Set scopeset = new HashSet<>(); scopeset.add(manageScope); scopeset.add(viewScope); 
@@ -118,27 +118,27 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag groupResource.setType("Group"); } String managePermissionName = getManagePermissionGroup(group); - Policy managePermission = policyStore.findByName(managePermissionName, server.getId()); + Policy managePermission = policyStore.findByName(server, managePermissionName); if (managePermission == null) { Helper.addEmptyScopePermission(authz, server, managePermissionName, groupResource, manageScope); } String viewPermissionName = getViewPermissionGroup(group); - Policy viewPermission = policyStore.findByName(viewPermissionName, server.getId()); + Policy viewPermission = policyStore.findByName(server, viewPermissionName); if (viewPermission == null) { Helper.addEmptyScopePermission(authz, server, viewPermissionName, groupResource, viewScope); } String manageMembersPermissionName = getManageMembersPermissionGroup(group); - Policy manageMembersPermission = policyStore.findByName(manageMembersPermissionName, server.getId()); + Policy manageMembersPermission = policyStore.findByName(server, manageMembersPermissionName); if (manageMembersPermission == null) { Helper.addEmptyScopePermission(authz, server, manageMembersPermissionName, groupResource, manageMembersScope); } String viewMembersPermissionName = getViewMembersPermissionGroup(group); - Policy viewMembersPermission = policyStore.findByName(viewMembersPermissionName, server.getId()); + Policy viewMembersPermission = policyStore.findByName(server, viewMembersPermissionName); if (viewMembersPermission == null) { Helper.addEmptyScopePermission(authz, server, viewMembersPermissionName, groupResource, viewMembersScope); } String manageMembershipPermissionName = getManageMembershipPermissionGroup(group); - Policy manageMembershipPermission = policyStore.findByName(manageMembershipPermissionName, server.getId()); + Policy manageMembershipPermission = policyStore.findByName(server, manageMembershipPermissionName); if 
(manageMembershipPermission == null) { Helper.addEmptyScopePermission(authz, server, manageMembershipPermissionName, groupResource, manageMembershipScope); } @@ -162,7 +162,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag ResourceServer server = root.realmResourceServer(); if (server == null) return false; - return resourceStore.findByName(getGroupResourceName(group), server.getId()) != null; + return resourceStore.findByName(server, getGroupResourceName(group)) != null; } @Override 
@@ -178,42 +178,42 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag public Policy viewMembersPermission(GroupModel group) { ResourceServer server = root.realmResourceServer(); if (server == null) return null; - return policyStore.findByName(getViewMembersPermissionGroup(group), server.getId()); + return policyStore.findByName(server, getViewMembersPermissionGroup(group)); } @Override public Policy manageMembersPermission(GroupModel group) { ResourceServer server = root.realmResourceServer(); if (server == null) return null; - return policyStore.findByName(getManageMembersPermissionGroup(group), server.getId()); + return policyStore.findByName(server, getManageMembersPermissionGroup(group)); } @Override public Policy manageMembershipPermission(GroupModel group) { ResourceServer server = root.realmResourceServer(); if (server == null) return null; - return policyStore.findByName(getManageMembershipPermissionGroup(group), server.getId()); + return policyStore.findByName(server, getManageMembershipPermissionGroup(group)); } @Override public Policy viewPermission(GroupModel group) { ResourceServer server = root.realmResourceServer(); if (server == null) return null; - return policyStore.findByName(getViewPermissionGroup(group), server.getId()); + return policyStore.findByName(server, getViewPermissionGroup(group)); } @Override public Policy managePermission(GroupModel group) { ResourceServer server = root.realmResourceServer(); if (server == null) return null; - return policyStore.findByName(getManagePermissionGroup(group), server.getId()); + return policyStore.findByName(server, getManagePermissionGroup(group)); } @Override public Resource resource(GroupModel group) { ResourceServer server = root.realmResourceServer(); if (server == null) return null; - Resource resource = resourceStore.findByName(getGroupResourceName(group), server.getId()); + Resource resource = resourceStore.findByName(server, getGroupResourceName(group)); if 
(resource == null) return null; return resource; } @@ -325,7 +325,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag Set granted = new HashSet<>(); - resourceStore.findByType("Group", server.getId(), resource -> { + resourceStore.findByType(server, "Group", resource -> { if (hasPermission(resource, null, VIEW_MEMBERS_SCOPE, MANAGE_MEMBERS_SCOPE)) { granted.add(resource.getName().substring(RESOURCE_NAME_PREFIX.length())); } @@ -400,7 +400,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag return false; } - Resource resource = resourceStore.findByName(getGroupResourceName(group), server.getId()); + Resource resource = resourceStore.findByName(server, getGroupResourceName(group)); if (resource == null) { return false; @@ -437,7 +437,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag ResourceServer server = root.realmResourceServer(); if (server == null) return null; String groupResourceName = getGroupResourceName(group); - return resourceStore.findByName(groupResourceName, server.getId()); + return resourceStore.findByName(server, groupResourceName); } private void deletePermissions(GroupModel group) { diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/Helper.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/Helper.java index 2e7942d640..84b5a632fc 100644 --- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/Helper.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/Helper.java 
@@ -46,7 +46,7 @@ class Helper { representation.addScope(scope.getName()); representation.addPolicy(policy.getName()); - return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer); + return authz.getStoreFactory().getPolicyStore().create(resourceServer, representation); } public static Policy addEmptyScopePermission(AuthorizationProvider authz, ResourceServer resourceServer, String name, Resource resource, Scope scope) { @@ -58,7 +58,7 @@ class Helper { representation.addResource(resource.getName()); representation.addScope(scope.getName()); - return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer); + return authz.getStoreFactory().getPolicyStore().create(resourceServer, representation); } public static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) { @@ -78,7 +78,7 @@ class Helper { config.put("roles", roleValues); representation.setConfig(config); - return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer); + return authz.getStoreFactory().getPolicyStore().create(resourceServer, representation); } public static String getRolePolicyName(RoleModel role) { diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/IdentityProviderPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/IdentityProviderPermissions.java index 8ad6fc10c1..bb1bb59d45 100644 --- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/IdentityProviderPermissions.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/IdentityProviderPermissions.java 
@@ -73,23 +73,23 @@ class IdentityProviderPermissions implements IdentityProviderPermissionManageme Scope exchangeToScope = root.initializeScope(TOKEN_EXCHANGE, server); String resourceName = getResourceName(idp); - Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, resourceName); if (resource == null) { - resource = authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getId()); + resource = authz.getStoreFactory().getResourceStore().create(server, resourceName, server.getClientId()); resource.setType("IdentityProvider"); Set scopeset = new HashSet<>(); scopeset.add(exchangeToScope); resource.updateScopes(scopeset); } String exchangeToPermissionName = getExchangeToPermissionName(idp); - Policy exchangeToPermission = authz.getStoreFactory().getPolicyStore().findByName(exchangeToPermissionName, server.getId()); + Policy exchangeToPermission = authz.getStoreFactory().getPolicyStore().findByName(server, exchangeToPermissionName); if (exchangeToPermission == null) { Helper.addEmptyScopePermission(authz, server, exchangeToPermissionName, resource, exchangeToScope); } } private void deletePolicy(String name, ResourceServer server) { - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(name, server.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, name); if (policy != null) { authz.getStoreFactory().getPolicyStore().delete(policy.getId()); } 
@@ -100,7 +100,7 @@ class IdentityProviderPermissions implements IdentityProviderPermissionManageme ResourceServer server = root.initializeRealmResourceServer(); if (server == null) return; deletePolicy(getExchangeToPermissionName(idp), server); - Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(idp), server.getId());; + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(idp));; if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId()); } @@ -109,7 +109,7 @@ class IdentityProviderPermissions implements IdentityProviderPermissionManageme ResourceServer server = root.initializeRealmResourceServer(); if (server == null) return false; - return authz.getStoreFactory().getResourceStore().findByName(getResourceName(idp), server.getId()) != null; + return authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(idp)) != null; } @Override @@ -124,14 +124,14 @@ class IdentityProviderPermissions implements IdentityProviderPermissionManageme private Scope exchangeToScope(ResourceServer server) { - return authz.getStoreFactory().getScopeStore().findByName(TOKEN_EXCHANGE, server.getId()); + return authz.getStoreFactory().getScopeStore().findByName(server, TOKEN_EXCHANGE); } @Override public Resource resource(IdentityProviderModel idp) { ResourceServer server = root.initializeRealmResourceServer(); if (server == null) return null; - Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(idp), server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(idp)); if (resource == null) return null; return resource; } 
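Review bot: The rewritten lookup keeps the stray double semicolon from the old line, `findByName(server, getResourceName(idp));;`; since the line is touched anyway it should become `Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(idp));`. In the `resource(IdentityProviderModel)` hunk on the same line, `if (resource == null) return null; return resource;` is redundant and can be `return authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(idp));`. Both enclosing methods start before their hunks.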
@@ -153,13 +153,13 @@ class IdentityProviderPermissions implements IdentityProviderPermissionManageme return false; } - Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(to), server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(to)); if (resource == null) { logger.debug("No resource object set up for target idp"); return false; } - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getExchangeToPermissionName(to), server.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, getExchangeToPermissionName(to)); if (policy == null) { logger.debug("No permission object set up for target idp"); return false; @@ -194,7 +194,7 @@ class IdentityProviderPermissions implements IdentityProviderPermissionManageme public Policy exchangeToPermission(IdentityProviderModel idp) { ResourceServer server = root.initializeRealmResourceServer(); if (server == null) return null; - return authz.getStoreFactory().getPolicyStore().findByName(getExchangeToPermissionName(idp), server.getId()); + return authz.getStoreFactory().getPolicyStore().findByName(server, getExchangeToPermissionName(idp)); } } diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java index 599132edd7..72a2cdc4dd 100644 --- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java 
@@ -283,17 +283,17 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage public Scope initializeRealmScope(String name) { ResourceServer server = initializeRealmResourceServer(); - Scope scope = authz.getStoreFactory().getScopeStore().findByName(name, server.getId()); + Scope scope = authz.getStoreFactory().getScopeStore().findByName(server, name); if (scope == null) { - scope = authz.getStoreFactory().getScopeStore().create(name, server); + scope = authz.getStoreFactory().getScopeStore().create(server, name); } return scope; } public Scope initializeScope(String name, ResourceServer server) { - Scope scope = authz.getStoreFactory().getScopeStore().findByName(name, server.getId()); + Scope scope = authz.getStoreFactory().getScopeStore().findByName(server, name); if (scope == null) { - scope = authz.getStoreFactory().getScopeStore().create(name, server); + scope = authz.getStoreFactory().getScopeStore().create(server, name); } return scope; } @@ -316,7 +316,7 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage public Scope realmScope(String scope) { ResourceServer server = realmResourceServer(); if (server == null) return null; - return authz.getStoreFactory().getScopeStore().findByName(scope, server.getId()); + return authz.getStoreFactory().getScopeStore().findByName(server, scope); } public boolean evaluatePermission(Resource resource, ResourceServer resourceServer, Scope... scope) { diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java index 8c13dc0139..fee335122b 100644 --- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java 
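Review bot: `initializeRealmScope` now duplicates `initializeScope` line for line apart from where the `ResourceServer` comes from; since both lines are rewritten here, the first can delegate with `return initializeScope(name, initializeRealmResourceServer());` so the find-or-create logic lives in one place. Note that `realmScope` in the same hunk guards against a null `ResourceServer` while the two initialize methods do not; if `initializeRealmResourceServer()` can return null that should be documented on it, otherwise a short comment such as `// initializeRealmResourceServer() creates the server if missing, so no null check` would save the next reader the question.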
@@ -81,7 +81,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme policy = mapCompositePermission(role); if (policy != null) authz.getStoreFactory().getPolicyStore().delete(policy.getId()); - Resource resource = authz.getStoreFactory().getResourceStore().findByName(getRoleResourceName(role), server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getRoleResourceName(role)); if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId()); } @@ -99,7 +99,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme public Policy mapRolePermission(RoleModel role) { ResourceServer server = resourceServer(role); if (server == null) return null; - return authz.getStoreFactory().getPolicyStore().findByName(getMapRolePermissionName(role), server.getId()); + return authz.getStoreFactory().getPolicyStore().findByName(server, getMapRolePermissionName(role)); } @Override @@ -107,7 +107,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme ResourceServer server = resourceServer(role); if (server == null) return null; - return authz.getStoreFactory().getPolicyStore().findByName(getMapCompositePermissionName(role), server.getId()); + return authz.getStoreFactory().getPolicyStore().findByName(server, getMapCompositePermissionName(role)); } @Override @@ -115,7 +115,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme ResourceServer server = resourceServer(role); if (server == null) return null; - return authz.getStoreFactory().getPolicyStore().findByName(getMapClientScopePermissionName(role), server.getId()); + return authz.getStoreFactory().getPolicyStore().findByName(server, getMapClientScopePermissionName(role)); } @Override 
@@ -123,7 +123,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme ResourceStore resourceStore = authz.getStoreFactory().getResourceStore(); ResourceServer server = resourceServer(role); if (server == null) return null; - return resourceStore.findByName(getRoleResourceName(role), server.getId()); + return resourceStore.findByName(server, getRoleResourceName(role)); } @Override @@ -300,7 +300,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme ResourceServer resourceServer = resourceServer(role); if (resourceServer == null) return false; - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapRolePermissionName(role), resourceServer.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(resourceServer, getMapRolePermissionName(role)); if (policy == null || policy.getAssociatedPolicies().isEmpty()) { return false; } @@ -390,7 +390,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme ResourceServer resourceServer = resourceServer(role); if (resourceServer == null) return false; - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapCompositePermissionName(role), resourceServer.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(resourceServer, getMapCompositePermissionName(role)); if (policy == null || policy.getAssociatedPolicies().isEmpty()) { return false; } 
@@ -429,7 +429,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme ResourceServer resourceServer = resourceServer(role); if (resourceServer == null) return false; - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapClientScopePermissionName(role), resourceServer.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(resourceServer, getMapClientScopePermissionName(role)); if (policy == null || policy.getAssociatedPolicies().isEmpty()) { return false; } @@ -520,21 +520,21 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme @Override public Policy rolePolicy(ResourceServer server, RoleModel role) { String policyName = Helper.getRolePolicyName(role); - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(policyName, server.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, policyName); if (policy != null) return policy; return Helper.createRolePolicy(authz, server, role, policyName); } private Scope mapRoleScope(ResourceServer server) { - return authz.getStoreFactory().getScopeStore().findByName(MAP_ROLE_SCOPE, server.getId()); + return authz.getStoreFactory().getScopeStore().findByName(server, MAP_ROLE_SCOPE); } private Scope mapClientScope(ResourceServer server) { - return authz.getStoreFactory().getScopeStore().findByName(MAP_ROLE_CLIENT_SCOPE_SCOPE, server.getId()); + return authz.getStoreFactory().getScopeStore().findByName(server, MAP_ROLE_CLIENT_SCOPE_SCOPE); } private Scope mapCompositeScope(ResourceServer server) { - return authz.getStoreFactory().getScopeStore().findByName(MAP_ROLE_COMPOSITE_SCOPE, server.getId()); + return authz.getStoreFactory().getScopeStore().findByName(server, MAP_ROLE_COMPOSITE_SCOPE); } 
@@ -546,21 +546,21 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme } Scope mapRoleScope = mapRoleScope(server); if (mapRoleScope == null) { - mapRoleScope = authz.getStoreFactory().getScopeStore().create(MAP_ROLE_SCOPE, server); + mapRoleScope = authz.getStoreFactory().getScopeStore().create(server, MAP_ROLE_SCOPE); } Scope mapClientScope = mapClientScope(server); if (mapClientScope == null) { - mapClientScope = authz.getStoreFactory().getScopeStore().create(MAP_ROLE_CLIENT_SCOPE_SCOPE, server); + mapClientScope = authz.getStoreFactory().getScopeStore().create(server, MAP_ROLE_CLIENT_SCOPE_SCOPE); } Scope mapCompositeScope = mapCompositeScope(server); if (mapCompositeScope == null) { - mapCompositeScope = authz.getStoreFactory().getScopeStore().create(MAP_ROLE_COMPOSITE_SCOPE, server); + mapCompositeScope = authz.getStoreFactory().getScopeStore().create(server, MAP_ROLE_COMPOSITE_SCOPE); } String roleResourceName = getRoleResourceName(role); - Resource resource = authz.getStoreFactory().getResourceStore().findByName(roleResourceName, server.getId()); + Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, roleResourceName); if (resource == null) { - resource = authz.getStoreFactory().getResourceStore().create(roleResourceName, server, server.getId()); + resource = authz.getStoreFactory().getResourceStore().create(server, roleResourceName, server.getClientId()); Set scopeset = new HashSet<>(); scopeset.add(mapClientScope); scopeset.add(mapCompositeScope); diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java index b0f7d58064..afdf0bee2d 100644 --- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java +++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java 
@@ -39,10 +39,8 @@ import org.keycloak.models.UserModel; import org.keycloak.representations.idm.authorization.Permission; import org.keycloak.services.ForbiddenException; -import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; -import java.util.Collections; import java.util.HashMap; import java.util.HashSet; import java.util.LinkedHashMap; @@ -104,9 +102,9 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme Scope userImpersonatedScope = root.initializeRealmScope(USER_IMPERSONATED_SCOPE); Scope manageGroupMembershipScope = root.initializeRealmScope(MANAGE_GROUP_MEMBERSHIP_SCOPE); - Resource usersResource = resourceStore.findByName(USERS_RESOURCE, server.getId()); + Resource usersResource = resourceStore.findByName(server, USERS_RESOURCE); if (usersResource == null) { - usersResource = resourceStore.create(USERS_RESOURCE, server, server.getId()); + usersResource = resourceStore.create(server, USERS_RESOURCE, server.getClientId()); Set scopeset = new HashSet<>(); scopeset.add(manageScope); scopeset.add(viewScope); 
@@ -116,27 +114,27 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme scopeset.add(userImpersonatedScope); usersResource.updateScopes(scopeset); } - Policy managePermission = policyStore.findByName(MANAGE_PERMISSION_USERS, server.getId()); + Policy managePermission = policyStore.findByName(server, MANAGE_PERMISSION_USERS); if (managePermission == null) { Helper.addEmptyScopePermission(authz, server, MANAGE_PERMISSION_USERS, usersResource, manageScope); } - Policy viewPermission = policyStore.findByName(VIEW_PERMISSION_USERS, server.getId()); + Policy viewPermission = policyStore.findByName(server, VIEW_PERMISSION_USERS); if (viewPermission == null) { Helper.addEmptyScopePermission(authz, server, VIEW_PERMISSION_USERS, usersResource, viewScope); } - Policy mapRolesPermission = policyStore.findByName(MAP_ROLES_PERMISSION_USERS, server.getId()); + Policy mapRolesPermission = policyStore.findByName(server, MAP_ROLES_PERMISSION_USERS); if (mapRolesPermission == null) { Helper.addEmptyScopePermission(authz, server, MAP_ROLES_PERMISSION_USERS, usersResource, mapRolesScope); } - Policy membershipPermission = policyStore.findByName(MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS, server.getId()); + Policy membershipPermission = policyStore.findByName(server, MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS); if (membershipPermission == null) { Helper.addEmptyScopePermission(authz, server, MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS, usersResource, manageGroupMembershipScope); } - Policy impersonatePermission = policyStore.findByName(ADMIN_IMPERSONATING_PERMISSION, server.getId()); + Policy impersonatePermission = policyStore.findByName(server, ADMIN_IMPERSONATING_PERMISSION); if (impersonatePermission == null) { Helper.addEmptyScopePermission(authz, server, ADMIN_IMPERSONATING_PERMISSION, usersResource, impersonateScope); } - impersonatePermission = policyStore.findByName(USER_IMPERSONATED_PERMISSION, server.getId()); + impersonatePermission = 
policyStore.findByName(server, USER_IMPERSONATED_PERMISSION); if (impersonatePermission == null) { Helper.addEmptyScopePermission(authz, server, USER_IMPERSONATED_PERMISSION, usersResource, userImpersonatedScope); } @@ -160,7 +158,7 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme ResourceServer server = root.realmResourceServer(); if (server == null) return false; - Resource resource = resourceStore.findByName(USERS_RESOURCE, server.getId()); + Resource resource = resourceStore.findByName(server, USERS_RESOURCE); if (resource == null) return false; Policy policy = managePermission(); 
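Review bot: The rewritten line reuses the `impersonatePermission` local for a second, different permission (`USER_IMPERSONATED_PERMISSION` after `ADMIN_IMPERSONATING_PERMISSION`), which makes the following `if (impersonatePermission == null)` easy to misread as a retry of the admin-impersonation setup. Declaring it separately, `Policy userImpersonatedPermission = policyStore.findByName(server, USER_IMPERSONATED_PERMISSION);` and checking that variable, keeps the two permissions visibly distinct. The enclosing initialize method starts before this hunk.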
@@ -186,38 +184,38 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme ResourceServer server = root.realmResourceServer(); if (server == null) return null; - return resourceStore.findByName(USERS_RESOURCE, server.getId()); + return resourceStore.findByName(server, USERS_RESOURCE); } @Override public Policy managePermission() { - return policyStore.findByName(MANAGE_PERMISSION_USERS, root.realmResourceServer().getId()); + return policyStore.findByName(root.realmResourceServer(), MANAGE_PERMISSION_USERS); } @Override public Policy viewPermission() { - return policyStore.findByName(VIEW_PERMISSION_USERS, root.realmResourceServer().getId()); + return policyStore.findByName(root.realmResourceServer(), VIEW_PERMISSION_USERS); } @Override public Policy manageGroupMembershipPermission() { - return policyStore.findByName(MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS, root.realmResourceServer().getId()); + return policyStore.findByName(root.realmResourceServer(), MANAGE_GROUP_MEMBERSHIP_PERMISSION_USERS); } @Override public Policy mapRolesPermission() { - return policyStore.findByName(MAP_ROLES_PERMISSION_USERS, root.realmResourceServer().getId()); + return policyStore.findByName(root.realmResourceServer(), MAP_ROLES_PERMISSION_USERS); } @Override public Policy adminImpersonatingPermission() { - return policyStore.findByName(ADMIN_IMPERSONATING_PERMISSION, root.realmResourceServer().getId()); + return policyStore.findByName(root.realmResourceServer(), ADMIN_IMPERSONATING_PERMISSION); } @Override public Policy userImpersonatedPermission() { - return policyStore.findByName(USER_IMPERSONATED_PERMISSION, root.realmResourceServer().getId()); + return policyStore.findByName(root.realmResourceServer(), USER_IMPERSONATED_PERMISSION); } /** 
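Review bot: The six permission getters now pass `root.realmResourceServer()` straight into `policyStore.findByName(...)` without a null check, whereas `resource()` in the same hunk returns null when there is no realm resource server. Before the change a missing server failed immediately with an NPE on `.getId()`; now a null `ResourceServer` reaches the store, and whether that throws or quietly returns null depends on the store implementation, which is outside this hunk. Since these getters feed the fine-grained admin checks, the null case should be handled explicitly and uniformly rather than left to the store; a small helper keeps the six methods consistent with `resource()`.
```java
// … unchanged: resource() …

/** Looks up a realm-level admin permission; null when the realm resource server does not exist. */
private Policy realmPolicy(String name) {
    ResourceServer server = root.realmResourceServer();
    return server == null ? null : policyStore.findByName(server, name);
}

@Override
public Policy managePermission() {
    return realmPolicy(MANAGE_PERMISSION_USERS);
}
// … unchanged: viewPermission(), manageGroupMembershipPermission(), mapRolesPermission(),
//     adminImpersonatingPermission(), userImpersonatedPermission() delegate the same way …
```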
@@ -373,13 +371,13 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme return true; } - Resource resource = resourceStore.findByName(USERS_RESOURCE, server.getId()); + Resource resource = resourceStore.findByName(server, USERS_RESOURCE); if (resource == null) { return true; } - Policy policy = authz.getStoreFactory().getPolicyStore().findByName(USER_IMPERSONATED_PERMISSION, server.getId()); + Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, USER_IMPERSONATED_PERMISSION); if (policy == null) { return true; @@ -481,7 +479,7 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme return false; } - Resource resource = resourceStore.findByName(USERS_RESOURCE, server.getId()); + Resource resource = resourceStore.findByName(server, USERS_RESOURCE); List expectedScopes = Arrays.asList(scopes); if (resource == null) { @@ -540,7 +538,7 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme policyStore.delete(policy.getId()); } - Resource usersResource = resourceStore.findByName(USERS_RESOURCE, server.getId()); + Resource usersResource = resourceStore.findByName(server, USERS_RESOURCE); if (usersResource != null) { resourceStore.delete(usersResource.getId()); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/BrokerLinkAndTokenExchangeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/BrokerLinkAndTokenExchangeTest.java index 905ff8ffee..4d12c2070e 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/BrokerLinkAndTokenExchangeTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/BrokerLinkAndTokenExchangeTest.java 
@@ -290,7 +290,7 @@ public class BrokerLinkAndTokenExchangeTest extends AbstractServletsAdapterTest clientRep.addClient(client.getId()); clientRep.addClient(directExchanger.getId()); ResourceServer server = management.realmResourceServer(); - Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(clientRep, server); + Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(server, clientRep); management.idps().exchangeToPermission(idp).addAssociatedPolicy(clientPolicy); @@ -300,7 +300,7 @@ public class BrokerLinkAndTokenExchangeTest extends AbstractServletsAdapterTest clientImpersonateRep.setName("clientImpersonators"); clientImpersonateRep.addClient(directExchanger.getId()); server = management.realmResourceServer(); - Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(clientImpersonateRep, server); + Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(server, clientImpersonateRep); management.users().setPermissionsEnabled(true); management.users().adminImpersonatingPermission().addAssociatedPolicy(clientImpersonatePolicy); management.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java index b31acfcaaf..a87b110483 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java 
@@ -95,7 +95,7 @@ public class AuthzCleanupTest extends AbstractKeycloakTest { representation.setLogic(Logic.POSITIVE); representation.addRole(roleName, true); - return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer); + return authz.getStoreFactory().getPolicyStore().create(resourceServer, representation); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java index 4423d58f96..ccc6db42c9 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java @@ -40,7 +40,6 @@ import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.models.utils.RepresentationToModel; import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.representations.idm.ClientScopeRepresentation; -import org.keycloak.representations.idm.GroupRepresentation; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RoleRepresentation; import org.keycloak.representations.idm.UserRepresentation; 
@@ -274,7 +273,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest { groupManagerRep.addUser("groupManager"); groupManagerRep.addUser("noMapperGroupManager"); ResourceServer server = permissions.realmResourceServer(); - Policy groupManagerPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(groupManagerRep, server); + Policy groupManagerPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(server, groupManagerRep); permissions.groups().manageMembersPermission(group).addAssociatedPolicy(groupManagerPolicy); permissions.groups().manageMembershipPermission(group).addAssociatedPolicy(groupManagerPolicy); permissions.groups().viewPermission(group).addAssociatedPolicy(groupManagerPolicy); @@ -288,7 +287,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest { UserPolicyRepresentation userRep = new UserPolicyRepresentation(); userRep.setName("userClientMapper"); userRep.addUser("clientMapper"); - Policy userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client)); + Policy userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(permissions.clients().resourceServer(client), userRep); clientMapperPolicy.addAssociatedPolicy(userPolicy); UserModel clientManager = session.users().addUser(realm, "clientManager"); @@ -300,7 +299,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest { userRep = new UserPolicyRepresentation(); userRep.setName("clientManager"); userRep.addUser("clientManager"); - userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client)); + userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(permissions.clients().resourceServer(client), userRep); clientManagerPolicy.addAssociatedPolicy(userPolicy); 
@@ -313,7 +312,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest { userRep = new UserPolicyRepresentation(); userRep.setName("clientConfigure"); userRep.addUser("clientConfigurer"); - userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client)); + userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(permissions.clients().resourceServer(client), userRep); clientConfigurePolicy.addAssociatedPolicy(userPolicy); @@ -326,7 +325,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest { UserPolicyRepresentation groupViewMembersRep = new UserPolicyRepresentation(); groupViewMembersRep.setName("groupMemberViewers"); groupViewMembersRep.addUser("groupViewer"); - Policy groupViewMembersPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(groupViewMembersRep, server); + Policy groupViewMembersPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(server, groupViewMembersRep); Policy groupViewMembersPermission = permissions.groups().viewMembersPermission(group); groupViewMembersPermission.addAssociatedPolicy(groupViewMembersPolicy); @@ -825,7 +824,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest { public static void invokeDelete(KeycloakSession session) { RealmModel realm = session.realms().getRealmByName(TEST); AdminPermissionManagement management = AdminPermissions.management(session, realm); - List byResourceServer = management.authz().getStoreFactory().getResourceStore().findByResourceServer(management.realmResourceServer().getId()); + List byResourceServer = management.authz().getStoreFactory().getResourceStore().findByResourceServer(management.realmResourceServer()); Assert.assertEquals(5, byResourceServer.size()); RoleModel removedRole = realm.getRole("removedRole"); realm.removeRole(removedRole); 
@@ -834,15 +833,15 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest { client.removeRole(removedClientRole); GroupModel group = KeycloakModelUtils.findGroupByPath(realm, "removedGroup"); realm.removeGroup(group); - byResourceServer = management.authz().getStoreFactory().getResourceStore().findByResourceServer(management.realmResourceServer().getId()); + byResourceServer = management.authz().getStoreFactory().getResourceStore().findByResourceServer(management.realmResourceServer()); Assert.assertEquals(2, byResourceServer.size()); realm.removeClient(client.getId()); - byResourceServer = management.authz().getStoreFactory().getResourceStore().findByResourceServer(management.realmResourceServer().getId()); + byResourceServer = management.authz().getStoreFactory().getResourceStore().findByResourceServer(management.realmResourceServer()); Assert.assertEquals(1, byResourceServer.size()); management.users().setPermissionsEnabled(false); - Resource userResource = management.authz().getStoreFactory().getResourceStore().findByName("Users", management.realmResourceServer().getId()); + Resource userResource = management.authz().getStoreFactory().getResourceStore().findByName(management.realmResourceServer(), "Users"); Assert.assertNull(userResource); - byResourceServer = management.authz().getStoreFactory().getResourceStore().findByResourceServer(management.realmResourceServer().getId()); + byResourceServer = management.authz().getStoreFactory().getResourceStore().findByResourceServer(management.realmResourceServer()); Assert.assertEquals(0, byResourceServer.size()); } 
@@ -1002,7 +1001,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest { AuthorizationProvider provider = session.getProvider(AuthorizationProvider.class); - Policy userPolicy = provider.getStoreFactory().getPolicyStore().create(userPolicyRepresentation, management.realmResourceServer()); + Policy userPolicy = provider.getStoreFactory().getPolicyStore().create(management.realmResourceServer(), userPolicyRepresentation); policy.addAssociatedPolicy(RepresentationToModel.toModel(userPolicyRepresentation, provider, userPolicy)); @@ -1096,7 +1095,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest { Policy policy = clientPermission.viewPermission(clientModel); AuthorizationProvider provider = session.getProvider(AuthorizationProvider.class); Policy userPolicy = provider.getStoreFactory().getPolicyStore() - .create(userPolicyRepresentation, management.realmResourceServer()); + .create(management.realmResourceServer(), userPolicyRepresentation); policy.addAssociatedPolicy(RepresentationToModel.toModel(userPolicyRepresentation, provider, userPolicy)); }); @@ -1127,8 +1126,9 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest { AuthorizationProvider provider = session.getProvider(AuthorizationProvider.class); ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID); + ResourceServer resourceServer = provider.getStoreFactory().getResourceServerStore().findByClient(realmAdminClient); - policy.addAssociatedPolicy(provider.getStoreFactory().getPolicyStore().findByName("Only regular-admin-user", realmAdminClient.getId())); + policy.addAssociatedPolicy(provider.getStoreFactory().getPolicyStore().findByName(resourceServer, "Only regular-admin-user")); }); try (Keycloak client = Keycloak.getInstance(getAuthServerContextRoot() + "/auth", 
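Review bot: In the `-1127` hunk the new `ResourceServer resourceServer = ...findByClient(realmAdminClient);` is passed to `findByName` without being checked, so if the realm-management client has no resource server the test would fail with an exception from the store rather than a meaningful assertion; add `Assert.assertNotNull(resourceServer);` before the lookup. The same test file resolves the same server as `management.realmResourceServer()` in the `-1275` hunk, so one of the two forms could be used consistently. The enclosing lambda starts before this hunk.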
@@ -1194,9 +1194,10 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest { AuthorizationProvider provider = session.getProvider(AuthorizationProvider.class); ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID); + ResourceServer resourceServer = provider.getStoreFactory().getResourceServerStore().findByClient(realmAdminClient); policy.addAssociatedPolicy(provider.getStoreFactory().getPolicyStore() - .findByName("Only regular-admin-user", realmAdminClient.getId())); + .findByName(resourceServer, "Only regular-admin-user")); } }); @@ -1275,11 +1276,11 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest { if (i == 15) { provider.getStoreFactory().getPolicyStore() - .create(userPolicyRepresentation, management.realmResourceServer()); + .create(management.realmResourceServer(), userPolicyRepresentation); } policy.addAssociatedPolicy(provider.getStoreFactory().getPolicyStore() - .findByName("Only regular-admin-user", realmAdminClient.getId())); + .findByName(management.realmResourceServer(), "Only regular-admin-user")); } }); @@ -1362,7 +1363,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest { clientRep.setName("to"); clientRep.addClient(tokenexclient.getId()); ResourceServer server = management.realmResourceServer(); - Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(clientRep, server); + Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(server, clientRep); management.clients().exchangeToPermission(adminCli).addAssociatedPolicy(clientPolicy); } } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationCompositeRoleTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationCompositeRoleTest.java index 18c132fc18..af91ada125 100644 
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationCompositeRoleTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationCompositeRoleTest.java @@ -78,8 +78,8 @@ public class PolicyEvaluationCompositeRoleTest extends AbstractAuthzTest { ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().create(client); Policy policy = createRolePolicy(authz, resourceServer, role1); - Scope scope = authz.getStoreFactory().getScopeStore().create("myscope", resourceServer); - Resource resource = authz.getStoreFactory().getResourceStore().create("myresource", resourceServer, resourceServer.getId()); + Scope scope = authz.getStoreFactory().getScopeStore().create(resourceServer, "myscope"); + Resource resource = authz.getStoreFactory().getResourceStore().create(resourceServer, "myresource", resourceServer.getClientId()); addScopePermission(authz, resourceServer, "mypermission", resource, scope, policy); RoleModel composite = realm.addRole("composite"); @@ -100,7 +100,7 @@ public class PolicyEvaluationCompositeRoleTest extends AbstractAuthzTest { representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS); representation.setLogic(Logic.POSITIVE); - return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer); + return authz.getStoreFactory().getPolicyStore().create(resourceServer, representation); } @@ -116,7 +116,7 @@ public class PolicyEvaluationCompositeRoleTest extends AbstractAuthzTest { config.put("roles", roleValues); representation.setConfig(config); - return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer); + return authz.getStoreFactory().getPolicyStore().create(resourceServer, representation); } 
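Review bot: The third argument of `getResourceStore().create(...)` in the `@@ -78` hunk changes the resource owner from `resourceServer.getId()` to `resourceServer.getClientId()`; that is the one non-mechanical change in this file and is easy to miss among the parameter reorders. A short comment at the call, e.g. `// owner is the client backing the resource server, not the resource-server record id`, would record why the owner value changed. The same owner switch appears in the PolicyEvaluationTest hunks `@@ -617`, `@@ -651` and `@@ -714`.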
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationTest.java index a5f3bbfbbb..e1123da8dd 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationTest.java @@ -145,7 +145,7 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { policyRepresentation.setNotOnOrAfter(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(notOnOrAfterDate)); // evaluation should succeed with the default context as it uses the current time as the date to be compared. - Policy policy = storeFactory.getPolicyStore().create(policyRepresentation, resourceServer); + Policy policy = storeFactory.getPolicyStore().create(resourceServer, policyRepresentation); PolicyProvider provider = authorization.getProvider(policy.getType()); DefaultEvaluation evaluation = createEvaluation(session, authorization, resourceServer, policy); provider.evaluate(evaluation); @@ -181,7 +181,7 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { policyRepresentation.setCode(builder.toString()); - Policy policy = storeFactory.getPolicyStore().create(policyRepresentation, resourceServer); + Policy policy = storeFactory.getPolicyStore().create(resourceServer, policyRepresentation); PolicyProvider provider = authorization.getProvider(policy.getType()); DefaultEvaluation evaluation = createEvaluation(session, authorization, resourceServer, policy); 
@@ -340,7 +340,7 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { policyRepresentation.setCode(builder.toString()); - Policy policy = storeFactory.getPolicyStore().create(policyRepresentation, resourceServer); + Policy policy = storeFactory.getPolicyStore().create(resourceServer, policyRepresentation); PolicyProvider provider = authorization.getProvider(policy.getType()); DefaultEvaluation evaluation = createEvaluation(session, authorization, resourceServer, policy); @@ -387,7 +387,7 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { policyRepresentation.setCode(builder.toString()); - Policy policy = storeFactory.getPolicyStore().create(policyRepresentation, resourceServer); + Policy policy = storeFactory.getPolicyStore().create(resourceServer, policyRepresentation); PolicyProvider provider = authorization.getProvider(policy.getType()); DefaultEvaluation evaluation = createEvaluation(session, authorization, resourceServer, policy); @@ -434,7 +434,7 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { policyRepresentation.setCode(builder.toString()); - Policy policy = storeFactory.getPolicyStore().create(policyRepresentation, resourceServer); + Policy policy = storeFactory.getPolicyStore().create(resourceServer, policyRepresentation); PolicyProvider provider = authorization.getProvider(policy.getType()); DefaultEvaluation evaluation = createEvaluation(session, authorization, resourceServer, policy); @@ -482,7 +482,7 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { policyRepresentation.setCode(builder.toString()); - Policy policy = storeFactory.getPolicyStore().create(policyRepresentation, resourceServer); + Policy policy = storeFactory.getPolicyStore().create(resourceServer, policyRepresentation); PolicyProvider provider = authorization.getProvider(policy.getType()); DefaultEvaluation evaluation = createEvaluation(session, authorization, resourceServer, policy); 
@@ -514,7 +514,7 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { policyRepresentation.setCode(builder.toString()); - Policy policy = storeFactory.getPolicyStore().create(policyRepresentation, resourceServer); + Policy policy = storeFactory.getPolicyStore().create(resourceServer, policyRepresentation); PolicyProvider provider = authorization.getProvider(policy.getType()); DefaultEvaluation evaluation = createEvaluation(session, authorization, resourceServer, policy); @@ -546,7 +546,7 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { policyRepresentation.setCode(builder.toString()); - Policy policy = storeFactory.getPolicyStore().create(policyRepresentation, resourceServer); + Policy policy = storeFactory.getPolicyStore().create(resourceServer, policyRepresentation); PolicyProvider provider = authorization.getProvider(policy.getType()); DefaultEvaluation evaluation = createEvaluation(session, authorization, resourceServer, policy); @@ -584,7 +584,7 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { policyRepresentation.setCode(builder.toString()); - Policy policy = storeFactory.getPolicyStore().create(policyRepresentation, resourceServer); + Policy policy = storeFactory.getPolicyStore().create(resourceServer, policyRepresentation); PolicyProvider provider = authorization.getProvider(policy.getType()); DefaultEvaluation evaluation = createEvaluation(session, authorization, resourceServer, policy); 
@@ -617,9 +617,9 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { policyRepresentation.setCode(builder.toString()); - Policy policy = storeFactory.getPolicyStore().create(policyRepresentation, resourceServer); + Policy policy = storeFactory.getPolicyStore().create(resourceServer, policyRepresentation); PolicyProvider provider = authorization.getProvider(policy.getType()); - Resource resource = storeFactory.getResourceStore().create("testCheckResourceAttributesResource", resourceServer, resourceServer.getId()); + Resource resource = storeFactory.getResourceStore().create(resourceServer, "testCheckResourceAttributesResource", resourceServer.getClientId()); resource.setAttribute("a1", Arrays.asList("1", "2")); resource.setAttribute("a2", Arrays.asList("3")); @@ -651,10 +651,10 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { policyRepresentation.setCode(builder.toString()); - Policy policy = storeFactory.getPolicyStore().create(policyRepresentation, resourceServer); + Policy policy = storeFactory.getPolicyStore().create(resourceServer, policyRepresentation); - Resource resource = storeFactory.getResourceStore().create("Resource A", resourceServer, resourceServer.getId()); - Scope scope = storeFactory.getScopeStore().create("Scope A", resourceServer); + Resource resource = storeFactory.getResourceStore().create(resourceServer, "Resource A", resourceServer.getClientId()); + Scope scope = storeFactory.getScopeStore().create(resourceServer, "Scope A"); resource.updateScopes(new HashSet<>(Arrays.asList(scope))); @@ -664,7 +664,7 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { permission.addPolicy(policy.getId()); permission.addResource(resource.getId()); - storeFactory.getPolicyStore().create(permission, resourceServer); + storeFactory.getPolicyStore().create(resourceServer, permission); session.getTransactionManager().commit(); 
@@ -689,8 +689,8 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { StoreFactory storeFactory = authorization.getStoreFactory(); ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(clientModel); - Scope readScope = storeFactory.getScopeStore().create("read", resourceServer); - Scope writeScope = storeFactory.getScopeStore().create("write", resourceServer); + Scope readScope = storeFactory.getScopeStore().create(resourceServer, "read"); + Scope writeScope = storeFactory.getScopeStore().create(resourceServer, "write"); JSPolicyRepresentation policy = new JSPolicyRepresentation(); @@ -698,7 +698,7 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { policy.setCode("$evaluation.grant()"); policy.setLogic(Logic.NEGATIVE); - storeFactory.getPolicyStore().create(policy, resourceServer); + storeFactory.getPolicyStore().create(resourceServer, policy); ScopePermissionRepresentation readPermission = new ScopePermissionRepresentation(); @@ -706,7 +706,7 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { readPermission.addScope(readScope.getId()); readPermission.addPolicy(policy.getName()); - storeFactory.getPolicyStore().create(readPermission, resourceServer); + storeFactory.getPolicyStore().create(resourceServer, readPermission); ScopePermissionRepresentation writePermission = new ScopePermissionRepresentation(); 
@@ -714,9 +714,9 @@ public class PolicyEvaluationTest extends AbstractAuthzTest { writePermission.addScope(writeScope.getId()); writePermission.addPolicy(policy.getName()); - storeFactory.getPolicyStore().create(writePermission, resourceServer); + storeFactory.getPolicyStore().create(resourceServer, writePermission); - Resource resource = storeFactory.getResourceStore().create(KeycloakModelUtils.generateId(), resourceServer, resourceServer.getId()); + Resource resource = storeFactory.getResourceStore().create(resourceServer, KeycloakModelUtils.generateId(), resourceServer.getClientId()); PermissionEvaluator evaluator = authorization.evaluators().from(Arrays.asList(new ResourcePermission(resource, Arrays.asList(readScope, writeScope), resourceServer)), createEvaluationContext(session, Collections.emptyMap())); Collection permissions = evaluator.evaluate(resourceServer, null); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaRepresentationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaRepresentationTest.java index a4747c9bbe..f502842833 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaRepresentationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaRepresentationTest.java @@ -16,6 +16,7 @@ import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude; import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer; import java.util.List; +import org.keycloak.authorization.model.ResourceServer; @AuthServerContainerExclude(AuthServer.REMOTE) public class UmaRepresentationTest extends AbstractResourceServerTest { 
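Review bot: The added `import org.keycloak.authorization.model.ResourceServer;` in the UmaRepresentationTest `@@ -16` hunk lands after `import java.util.List;`, separating it from the `org.keycloak` imports above it. Moving it into that group, before the `org.keycloak.testsuite...` lines, keeps the grouping consistent with the rest of the file and with the UserManagedPermissionServiceTest hunk, which inserts the same import alphabetically between `Resource` and `common.Profile`.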
@@ -139,9 +140,10 @@ public class UmaRepresentationTest extends AbstractResourceServerTest { AuthorizationBean authorizationBean = new AuthorizationBean(session, null, session.getContext().getUri()); ClientModel client = session.getContext().getRealm().getClientByClientId("resource-server-test"); UserModel user = session.userStorageManager().getUserByUsername(session.getContext().getRealm(), "marta"); + ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findByClient(client); ResourceBean resourceBean = authorizationBean.new ResourceBean( authorization.getStoreFactory().getResourceStore().findByName( - "Resource A", user.getId(), client.getId() + resourceServer, "Resource A", user.getId() ) ); @@ -164,9 +166,10 @@ public class UmaRepresentationTest extends AbstractResourceServerTest { AuthorizationBean authorizationBean = new AuthorizationBean(session, null, session.getContext().getUri()); ClientModel client = session.getContext().getRealm().getClientByClientId("resource-server-test"); + ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findByClient(client); ResourceBean resourceBean = authorizationBean.new ResourceBean( authorization.getStoreFactory().getResourceStore().findByName( - "Resource A", client.getId(), client.getId() + resourceServer, "Resource A", client.getId() ) ); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java index 3e59aaf5e7..d48c1e5ae4 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java 
@@ -41,6 +41,7 @@ import org.keycloak.authorization.client.resource.ProtectionResource; import org.keycloak.authorization.client.util.HttpResponseException; import org.keycloak.authorization.model.Policy; import org.keycloak.authorization.model.Resource; +import org.keycloak.authorization.model.ResourceServer; import org.keycloak.common.Profile; import org.keycloak.models.ClientModel; import org.keycloak.models.KeycloakSession; @@ -916,13 +917,14 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest ClientModel client = realm.getClientByClientId("resource-server-test"); AuthorizationProvider provider = session.getProvider(AuthorizationProvider.class); UserModel user = session.users().getUserByUsername(realm, "marta"); + ResourceServer resourceServer = provider.getStoreFactory().getResourceServerStore().findByClient(client); Map filters = new HashMap<>(); filters.put(Policy.FilterOption.TYPE, new String[] {"uma"}); filters.put(OWNER, new String[] {user.getId()}); List policies = provider.getStoreFactory().getPolicyStore() - .findByResourceServer(filters, client.getId(), -1, -1); + .findByResourceServer(resourceServer, filters, null, null); assertEquals(1, policies.size()); Policy policy = policies.get(0); @@ -937,7 +939,7 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest filters.put(OWNER, new String[] {user.getId()}); policies = provider.getStoreFactory().getPolicyStore() - .findByResourceServer(filters, client.getId(), -1, -1); + .findByResourceServer(resourceServer, filters, null, null); assertTrue(policies.isEmpty()); } 
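Review bot: The `findByResourceServer(resourceServer, filters, null, null)` calls in the `@@ -916` and `@@ -937` hunks pass bare `null, null` where the old code passed `-1, -1`, and the meaning (presumably no first-result/max-results bound) is not visible at the call site. A trailing comment such as `.findByResourceServer(resourceServer, filters, null, null); // null = no paging bound`, or two named locals, would stop a reader from taking it for a missing argument. The same calls appear in the `@@ -969`, `@@ -991`, `@@ -1023` and `@@ -1045` hunks of this file.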
@@ -969,13 +971,14 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest ClientModel client = realm.getClientByClientId("resource-server-test"); AuthorizationProvider provider = session.getProvider(AuthorizationProvider.class); UserModel user = session.users().getUserByUsername(realm, "marta"); + ResourceServer resourceServer = provider.getStoreFactory().getResourceServerStore().findByClient(client); Map filters = new HashMap<>(); filters.put(Policy.FilterOption.TYPE, new String[] {"uma"}); filters.put(OWNER, new String[] {user.getId()}); List policies = provider.getStoreFactory().getPolicyStore() - .findByResourceServer(filters, client.getId(), -1, -1); + .findByResourceServer(resourceServer, filters, null, null); assertEquals(1, policies.size()); Policy policy = policies.get(0); @@ -991,7 +994,7 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest filters.put(OWNER, new String[] {user.getId()}); policies = provider.getStoreFactory().getPolicyStore() - .findByResourceServer(filters, client.getId(), -1, -1); + .findByResourceServer(resourceServer, filters, null, null); assertTrue(policies.isEmpty()); } 
@@ -1023,13 +1026,14 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest ClientModel client = realm.getClientByClientId("resource-server-test"); AuthorizationProvider provider = session.getProvider(AuthorizationProvider.class); UserModel user = session.users().getUserByUsername(realm, "marta"); + ResourceServer resourceServer = provider.getStoreFactory().getResourceServerStore().findByClient(client); Map filters = new HashMap<>(); filters.put(Policy.FilterOption.TYPE, new String[] {"uma"}); filters.put(OWNER, new String[] {user.getId()}); List policies = provider.getStoreFactory().getPolicyStore() - .findByResourceServer(filters, client.getId(), -1, -1); + .findByResourceServer(resourceServer, filters, null, null); assertEquals(1, policies.size()); Policy policy = policies.get(0); @@ -1045,7 +1049,7 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest filters.put(OWNER, new String[] {user.getId()}); policies = provider.getStoreFactory().getPolicyStore() - .findByResourceServer(filters, client.getId(), -1, -1); + .findByResourceServer(resourceServer, filters, null, null); assertTrue(policies.isEmpty()); } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/SocialLoginTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/SocialLoginTest.java index 071f3fdfde..f956575225 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/SocialLoginTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/SocialLoginTest.java 
@@ -232,7 +232,7 @@ public class SocialLoginTest extends AbstractKeycloakTest { AdminPermissionManagement management = AdminPermissions.management(session, realm); management.users().setPermissionsEnabled(true); ResourceServer server = management.realmResourceServer(); - Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(clientPolicyRep, server); + Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(server, clientPolicyRep); management.users().adminImpersonatingPermission().addAssociatedPolicy(clientPolicy); management.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE); realm.getIdentityProvidersStream().forEach(idp -> { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeSAML2Test.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeSAML2Test.java index 2f138c438d..5ec090de32 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeSAML2Test.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeSAML2Test.java @@ -203,7 +203,7 @@ public class ClientTokenExchangeSAML2Test extends AbstractKeycloakTest { assertNotNull(samlUnsignedAndUnencryptedTarget); ResourceServer server = management.realmResourceServer(); - Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(clientRep, server); + Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(server, clientRep); management.clients().exchangeToPermission(samlSignedTarget).addAssociatedPolicy(clientPolicy); management.clients().exchangeToPermission(samlEncryptedTarget).addAssociatedPolicy(clientPolicy); management.clients().exchangeToPermission(samlSignedAndEncryptedTarget).addAssociatedPolicy(clientPolicy); 
@@ -217,7 +217,7 @@ public class ClientTokenExchangeSAML2Test extends AbstractKeycloakTest { clientImpersonateRep.addClient(directPublic.getId()); clientImpersonateRep.addClient(directNoSecret.getId()); server = management.realmResourceServer(); - Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(clientImpersonateRep, server); + Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(server, clientImpersonateRep); management.users().setPermissionsEnabled(true); management.users().adminImpersonatingPermission().addAssociatedPolicy(clientImpersonatePolicy); management.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE); @@ -697,7 +697,7 @@ public class ClientTokenExchangeSAML2Test extends AbstractKeycloakTest { clientImpersonateRep.addClient(directExchanger.getId()); ResourceServer server = management.realmResourceServer(); - Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(clientImpersonateRep, server); + Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(server, clientImpersonateRep); management.users().setPermissionsEnabled(true); management.users().adminImpersonatingPermission().addAssociatedPolicy(clientImpersonatePolicy); management.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java index bd175bb1ba..813b3e1613 100755 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientTokenExchangeTest.java 
@@ -203,7 +203,7 @@ public class ClientTokenExchangeTest extends AbstractKeycloakTest { clientRep.addClient(noRefreshToken.getId()); ResourceServer server = management.realmResourceServer(); - Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(clientRep, server); + Policy clientPolicy = management.authz().getStoreFactory().getPolicyStore().create(server, clientRep); management.clients().exchangeToPermission(target).addAssociatedPolicy(clientPolicy); // permission for user impersonation for a client @@ -214,7 +214,7 @@ public class ClientTokenExchangeTest extends AbstractKeycloakTest { clientImpersonateRep.addClient(directPublic.getId()); clientImpersonateRep.addClient(directNoSecret.getId()); server = management.realmResourceServer(); - Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(clientImpersonateRep, server); + Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(server, clientImpersonateRep); management.users().setPermissionsEnabled(true); management.users().adminImpersonatingPermission().addAssociatedPolicy(clientImpersonatePolicy); management.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE); @@ -559,7 +559,7 @@ public class ClientTokenExchangeTest extends AbstractKeycloakTest { clientImpersonateRep.addClient(directExchanger.getId()); ResourceServer server = management.realmResourceServer(); - Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(clientImpersonateRep, server); + Policy clientImpersonatePolicy = management.authz().getStoreFactory().getPolicyStore().create(server, clientImpersonateRep); management.users().setPermissionsEnabled(true); management.users().adminImpersonatingPermission().addAssociatedPolicy(clientImpersonatePolicy); management.users().adminImpersonatingPermission().setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);