libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

Merge pull request #5021 from pedroigor/KEYCLOAK-6621

Browse source 
[KEYCLOAK-6621] - Removing unnecessary code to process scopes from typed resources
This commit is contained in:
Pedro Igor 2018-03-01 09:40:02 -03:00 committed by GitHub
commit 9b1275f182
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 192 additions and 104 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
core/src/main/java/org/keycloak/representations/idm/authorization/ResourceRepresentation.java
View file

@ -51,9 +51,8 @@ public class ResourceRepresentation {
@JsonInclude(JsonInclude.Include.NON_EMPTY) @JsonInclude(JsonInclude.Include.NON_EMPTY)
private List<PolicyRepresentation> policies; private List<PolicyRepresentation> policies;
private List<ScopeRepresentation> typedScopes;
private String displayName;
private String displayName;
/** /**
* Creates a new instance. * Creates a new instance.
* *
@ -187,14 +186,6 @@ public class ResourceRepresentation {
this.ownerManagedAccess = ownerManagedAccess; this.ownerManagedAccess = ownerManagedAccess;
} }
public void setTypedScopes(List<ScopeRepresentation> typedScopes) {
this.typedScopes = typedScopes;
}
public List<ScopeRepresentation> getTypedScopes() {
return typedScopes;
}
public void addScope(String... scopeNames) { public void addScope(String... scopeNames) {
if (scopes == null) { if (scopes == null) {
scopes = new HashSet<>(); scopes = new HashSet<>();

2
examples/authz/servlet-authz/servlet-authz-app-config.json
View file

@ -25,7 +25,6 @@
{ {
"name": "Premium Resource", "name": "Premium Resource",
"uri": "/protected/premium/*", "uri": "/protected/premium/*",
"type": "urn:servlet-authz:protected:resource",
"scopes": [ "scopes": [
{ {
"name": "urn:servlet-authz:protected:premium:access" "name": "urn:servlet-authz:protected:premium:access"
@ -34,7 +33,6 @@
}, },
{ {
"name": "Main Page", "name": "Main Page",
"type": "urn:servlet-authz:protected:resource",
"scopes": [ "scopes": [
{ {
"name": "urn:servlet-authz:page:main:actionForAdmin" "name": "urn:servlet-authz:page:main:actionForAdmin"

24
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/PolicyAdapter.java vendored
View file

@ -48,8 +48,9 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
@Override @Override
public Policy getDelegateForUpdate() { public Policy getDelegateForUpdate() {
if (updated == null) { if (updated == null) {
cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), cached.getResourcesIds(), cached.getScopesIds(), cached.getResourceServerId());
updated = cacheSession.getPolicyStoreDelegate().findById(cached.getId(), cached.getResourceServerId()); updated = cacheSession.getPolicyStoreDelegate().findById(cached.getId(), cached.getResourceServerId());
String defaultResourceType = updated.getConfig().get("defaultResourceType");
cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), cached.getResourcesIds(), cached.getScopesIds(), defaultResourceType, cached.getResourceServerId());
if (updated == null) throw new IllegalStateException("Not found in database"); if (updated == null) throw new IllegalStateException("Not found in database");
} }
return updated; return updated;
@ -97,7 +98,7 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
@Override @Override
public void setName(String name) { public void setName(String name) {
getDelegateForUpdate(); getDelegateForUpdate();
cacheSession.registerPolicyInvalidation(cached.getId(), name, cached.getResourcesIds(), cached.getScopesIds(), cached.getResourceServerId()); cacheSession.registerPolicyInvalidation(cached.getId(), name, cached.getResourcesIds(), cached.getScopesIds(), cached.getConfig().get("defaultResourceType"), cached.getResourceServerId());
updated.setName(name); updated.setName(name);
} }
@ -148,6 +149,10 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
@Override @Override
public void setConfig(Map<String, String> config) { public void setConfig(Map<String, String> config) {
getDelegateForUpdate(); getDelegateForUpdate();
if (config.containsKey("defaultResourceType") || cached.getConfig().containsKey("defaultResourceType")) {
cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), cached.getResourcesIds(), cached.getScopesIds(), cached.getConfig().get("defaultResourceType"), cached.getResourceServerId());
cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), cached.getResourcesIds(), cached.getScopesIds(), config.get("defaultResourceType"), cached.getResourceServerId());
}
updated.setConfig(config); updated.setConfig(config);
} }
@ -155,6 +160,9 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
@Override @Override
public void removeConfig(String name) { public void removeConfig(String name) {
getDelegateForUpdate(); getDelegateForUpdate();
if (name.equals("defaultResourceType")) {
cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), cached.getResourcesIds(), cached.getScopesIds(), cached.getConfig().get("defaultResourceType"), cached.getResourceServerId());
}
updated.removeConfig(name); updated.removeConfig(name);
} }
@ -162,6 +170,10 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
@Override @Override
public void putConfig(String name, String value) { public void putConfig(String name, String value) {
getDelegateForUpdate(); getDelegateForUpdate();
if (name.equals("defaultResourceType")) {
cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), cached.getResourcesIds(), cached.getScopesIds(), cached.getConfig().get("defaultResourceType"), cached.getResourceServerId());
cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), cached.getResourcesIds(), cached.getScopesIds(), value, cached.getResourceServerId());
}
updated.putConfig(name, value); updated.putConfig(name, value);
} }
@ -207,14 +219,14 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
@Override @Override
public void addScope(Scope scope) { public void addScope(Scope scope) {
getDelegateForUpdate(); getDelegateForUpdate();
cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), cached.getResourcesIds(), new HashSet<>(Arrays.asList(scope.getId())), cached.getResourceServerId()); cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), cached.getResourcesIds(), new HashSet<>(Arrays.asList(scope.getId())), cached.getConfig().get("defaultResourceType"), cached.getResourceServerId());
updated.addScope(scope); updated.addScope(scope);
} }
@Override @Override
public void removeScope(Scope scope) { public void removeScope(Scope scope) {
getDelegateForUpdate(); getDelegateForUpdate();
cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), cached.getResourcesIds(), new HashSet<>(Arrays.asList(scope.getId())), cached.getResourceServerId()); cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), cached.getResourcesIds(), new HashSet<>(Arrays.asList(scope.getId())), cached.getConfig().get("defaultResourceType"), cached.getResourceServerId());
updated.removeScope(scope); updated.removeScope(scope);
} }
@ -237,7 +249,7 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
getDelegateForUpdate(); getDelegateForUpdate();
HashSet<String> resources = new HashSet<>(); HashSet<String> resources = new HashSet<>();
resources.add(resource.getId()); resources.add(resource.getId());
cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), resources, cached.getScopesIds(), cached.getResourceServerId()); cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), resources, cached.getScopesIds(), cached.getConfig().get("defaultResourceType"), cached.getResourceServerId());
updated.addResource(resource); updated.addResource(resource);
} }
@ -247,7 +259,7 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
getDelegateForUpdate(); getDelegateForUpdate();
HashSet<String> resources = new HashSet<>(); HashSet<String> resources = new HashSet<>();
resources.add(resource.getId()); resources.add(resource.getId());
cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), resources, cached.getScopesIds(), cached.getResourceServerId()); cacheSession.registerPolicyInvalidation(cached.getId(), cached.getName(), resources, cached.getScopesIds(), cached.getConfig().get("defaultResourceType"), cached.getResourceServerId());
updated.removeResource(resource); updated.removeResource(resource);
} }

7
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheManager.java vendored
View file

@ -27,6 +27,7 @@ import org.keycloak.models.cache.infinispan.authorization.stream.InScopePredicat
import org.keycloak.models.cache.infinispan.entities.Revisioned; import org.keycloak.models.cache.infinispan.entities.Revisioned;
import org.keycloak.models.cache.infinispan.events.InvalidationEvent; import org.keycloak.models.cache.infinispan.events.InvalidationEvent;
import java.util.Objects;
import java.util.Set; import java.util.Set;
/** /**
@ -112,6 +113,11 @@ public class StoreFactoryCacheManager extends CacheManager {
if (resources != null) { if (resources != null) {
for (String resource : resources) { for (String resource : resources) {
invalidations.add(StoreFactoryCacheSession.getPolicyByResource(resource, serverId)); invalidations.add(StoreFactoryCacheSession.getPolicyByResource(resource, serverId));
if (Objects.nonNull(scopes)) {
for (String scope : scopes) {
invalidations.add(StoreFactoryCacheSession.getPolicyByResourceScope(scope, resource, serverId));
}
}
} }
} }
@ -124,6 +130,7 @@ public class StoreFactoryCacheManager extends CacheManager {
if (scopes != null) { if (scopes != null) {
for (String scope : scopes) { for (String scope : scopes) {
invalidations.add(StoreFactoryCacheSession.getPolicyByScope(scope, serverId)); invalidations.add(StoreFactoryCacheSession.getPolicyByScope(scope, serverId));
invalidations.add(StoreFactoryCacheSession.getPolicyByResourceScope(scope, null, serverId));
} }
} }
} }

31
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java vendored
View file

@ -271,8 +271,11 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
invalidationEvents.add(ResourceUpdatedEvent.create(id, name, type, uri, scopes, serverId, owner)); invalidationEvents.add(ResourceUpdatedEvent.create(id, name, type, uri, scopes, serverId, owner));
} }
public void registerPolicyInvalidation(String id, String name, Set<String> resources, Set<String> scopes, String serverId) { public void registerPolicyInvalidation(String id, String name, Set<String> resources, Set<String> scopes, String defaultResourceType, String serverId) {
Set<String> resourceTypes = getResourceTypes(resources, serverId); Set<String> resourceTypes = getResourceTypes(resources, serverId);
if (Objects.nonNull(defaultResourceType)) {
resourceTypes.add(defaultResourceType);
}
cache.policyUpdated(id, name, resources, resourceTypes, scopes, serverId, invalidations); cache.policyUpdated(id, name, resources, resourceTypes, scopes, serverId, invalidations);
PolicyAdapter adapter = managedPolicies.get(id); PolicyAdapter adapter = managedPolicies.get(id);
if (adapter != null) adapter.invalidateFlag(); if (adapter != null) adapter.invalidateFlag();
@ -369,6 +372,10 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
return "policy.scope." + scope + "." + serverId; return "policy.scope." + scope + "." + serverId;
} }
public static String getPolicyByResourceScope(String scope, String resourceId, String serverId) {
return "policy.resource. " + resourceId + ".scope." + scope + "." + serverId;
}
public static String getPermissionTicketByResource(String resourceId, String serverId) { public static String getPermissionTicketByResource(String resourceId, String serverId) {
return "permission.ticket.resource." + resourceId + "." + serverId; return "permission.ticket.resource." + resourceId + "." + serverId;
} }
@ -664,8 +671,9 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
@Override @Override
public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) { public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) {
Policy policy = getPolicyStoreDelegate().create(representation, resourceServer); Policy policy = getPolicyStoreDelegate().create(representation, resourceServer);
registerPolicyInvalidation(policy.getId(), representation.getName(), representation.getResources(), representation.getScopes(), resourceServer.getId()); Policy cached = findById(policy.getId(), resourceServer.getId());
return policy; registerPolicyInvalidation(policy.getId(), representation.getName(), representation.getResources(), representation.getScopes(), null, resourceServer.getId());
return cached;
} }
@Override @Override
@ -678,6 +686,10 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
Set<String> resources = policy.getResources().stream().map(resource -> resource.getId()).collect(Collectors.toSet()); Set<String> resources = policy.getResources().stream().map(resource -> resource.getId()).collect(Collectors.toSet());
ResourceServer resourceServer = policy.getResourceServer(); ResourceServer resourceServer = policy.getResourceServer();
Set<String> resourceTypes = getResourceTypes(resources, resourceServer.getId()); Set<String> resourceTypes = getResourceTypes(resources, resourceServer.getId());
String defaultResourceType = policy.getConfig().get("defaultResourceType");
if (Objects.nonNull(defaultResourceType)) {
resourceTypes.add(defaultResourceType);
}
Set<String> scopes = policy.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toSet()); Set<String> scopes = policy.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toSet());
invalidationEvents.add(PolicyRemovedEvent.create(id, policy.getName(), resources, resourceTypes, scopes, resourceServer.getId())); invalidationEvents.add(PolicyRemovedEvent.create(id, policy.getName(), resources, resourceTypes, scopes, resourceServer.getId()));
cache.policyRemoval(id, policy.getName(), resources, resourceTypes, scopes, resourceServer.getId(), invalidations); cache.policyRemoval(id, policy.getName(), resources, resourceTypes, scopes, resourceServer.getId(), invalidations);
@ -771,6 +783,19 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
return result; return result;
} }
@Override
public List<Policy> findByScopeIds(List<String> scopeIds, String resourceId, String resourceServerId) {
if (scopeIds == null) return null;
List<Policy> result = new ArrayList<>();
for (String id : scopeIds) {
String cacheKey = getPolicyByResourceScope(id, resourceId, resourceServerId);
result.addAll(cacheQuery(cacheKey, PolicyScopeListQuery.class, () -> getPolicyStoreDelegate().findByScopeIds(Arrays.asList(id), resourceId, resourceServerId), (revision, resources) -> new PolicyScopeListQuery(revision, cacheKey, id, resources.stream().map(resource -> resource.getId()).collect(Collectors.toSet()), resourceServerId), resourceServerId));
}
return result;
}
@Override @Override
public List<Policy> findByType(String type, String resourceServerId) { public List<Policy> findByType(String type, String resourceServerId) {
return getPolicyStoreDelegate().findByType(type, resourceServerId); return getPolicyStoreDelegate().findByType(type, resourceServerId);

2
model/jpa/src/main/java/org/keycloak/authorization/jpa/entities/PolicyEntity.java
View file

@ -57,6 +57,8 @@ import org.keycloak.representations.idm.authorization.Logic;
@NamedQuery(name="findPolicyIdByName", query="select p.id from PolicyEntity p where p.resourceServer.id = :serverId and p.name = :name"), @NamedQuery(name="findPolicyIdByName", query="select p.id from PolicyEntity p where p.resourceServer.id = :serverId and p.name = :name"),
@NamedQuery(name="findPolicyIdByResource", query="select p.id from PolicyEntity p inner join p.resources r where p.resourceServer.id = :serverId and (r.resourceServer.id = :serverId and r.id = :resourceId)"), @NamedQuery(name="findPolicyIdByResource", query="select p.id from PolicyEntity p inner join p.resources r where p.resourceServer.id = :serverId and (r.resourceServer.id = :serverId and r.id = :resourceId)"),
@NamedQuery(name="findPolicyIdByScope", query="select pe.id from PolicyEntity pe where pe.resourceServer.id = :serverId and pe.id IN (select p.id from ScopeEntity s inner join s.policies p where s.resourceServer.id = :serverId and (p.resourceServer.id = :serverId and p.type = 'scope' and s.id in (:scopeIds)))"), @NamedQuery(name="findPolicyIdByScope", query="select pe.id from PolicyEntity pe where pe.resourceServer.id = :serverId and pe.id IN (select p.id from ScopeEntity s inner join s.policies p where s.resourceServer.id = :serverId and (p.resourceServer.id = :serverId and p.type = 'scope' and s.id in (:scopeIds)))"),
@NamedQuery(name="findPolicyIdByResourceScope", query="select pe.id from PolicyEntity pe where pe.resourceServer.id = :serverId and pe.id IN (select p.id from ScopeEntity s inner join s.policies p where s.resourceServer.id = :serverId and (p.resourceServer.id = :serverId and p.type = 'scope' and s.id in (:scopeIds))) and pe.id IN (select p.id from ResourceEntity r inner join r.policies p where r.resourceServer.id = :serverId and (p.resourceServer.id = :serverId and p.type = 'scope' and r.id in (:resourceId))))"),
@NamedQuery(name="findPolicyIdByNullResourceScope", query="select pe.id from PolicyEntity pe where pe.resourceServer.id = :serverId and pe.id IN (select p.id from ScopeEntity s inner join s.policies p where s.resourceServer.id = :serverId and (p.resourceServer.id = :serverId and p.type = 'scope' and s.id in (:scopeIds))) and pe.resources is empty"),
@NamedQuery(name="findPolicyIdByType", query="select p.id from PolicyEntity p where p.resourceServer.id = :serverId and p.type = :type"), @NamedQuery(name="findPolicyIdByType", query="select p.id from PolicyEntity p where p.resourceServer.id = :serverId and p.type = :type"),
@NamedQuery(name="findPolicyIdByResourceType", query="select p.id from PolicyEntity p inner join p.config c where p.resourceServer.id = :serverId and KEY(c) = 'defaultResourceType' and c like :type"), @NamedQuery(name="findPolicyIdByResourceType", query="select p.id from PolicyEntity p inner join p.config c where p.resourceServer.id = :serverId and KEY(c) = 'defaultResourceType' and c like :type"),
@NamedQuery(name="findPolicyIdByDependentPolices", query="select p.id from PolicyEntity p inner join p.associatedPolicies ap where p.resourceServer.id = :serverId and (ap.resourceServer.id = :serverId and ap.id = :policyId)"), @NamedQuery(name="findPolicyIdByDependentPolices", query="select p.id from PolicyEntity p inner join p.associatedPolicies ap where p.resourceServer.id = :serverId and (ap.resourceServer.id = :serverId and ap.id = :policyId)"),

67
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java
View file

@ -22,6 +22,7 @@ import java.util.Collections;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Objects;
import javax.persistence.EntityManager; import javax.persistence.EntityManager;
import javax.persistence.FlushModeType; import javax.persistence.FlushModeType;
@ -114,7 +115,10 @@ public class JPAPolicyStore implements PolicyStore {
List<String> result = query.getResultList(); List<String> result = query.getResultList();
List<Policy> list = new LinkedList<>(); List<Policy> list = new LinkedList<>();
for (String id : result) { for (String id : result) {
list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); Policy policy = provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId);
if (Objects.nonNull(policy)) {
list.add(policy);
}
} }
return list; return list;
} }
@ -157,7 +161,10 @@ public class JPAPolicyStore implements PolicyStore {
List<String> result = query.getResultList(); List<String> result = query.getResultList();
List<Policy> list = new LinkedList<>(); List<Policy> list = new LinkedList<>();
for (String id : result) { for (String id : result) {
list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); Policy policy = provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId);
if (Objects.nonNull(policy)) {
list.add(policy);
}
} }
return list; return list;
} }
@ -173,7 +180,10 @@ public class JPAPolicyStore implements PolicyStore {
List<String> result = query.getResultList(); List<String> result = query.getResultList();
List<Policy> list = new LinkedList<>(); List<Policy> list = new LinkedList<>();
for (String id : result) { for (String id : result) {
list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); Policy policy = provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId);
if (Objects.nonNull(policy)) {
list.add(policy);
}
} }
return list; return list;
} }
@ -189,7 +199,10 @@ public class JPAPolicyStore implements PolicyStore {
List<String> result = query.getResultList(); List<String> result = query.getResultList();
List<Policy> list = new LinkedList<>(); List<Policy> list = new LinkedList<>();
for (String id : result) { for (String id : result) {
list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); Policy policy = provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId);
if (Objects.nonNull(policy)) {
list.add(policy);
}
} }
return list; return list;
} }
@ -210,7 +223,41 @@ public class JPAPolicyStore implements PolicyStore {
List<String> result = query.getResultList(); List<String> result = query.getResultList();
List<Policy> list = new LinkedList<>(); List<Policy> list = new LinkedList<>();
for (String id : result) { for (String id : result) {
list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); Policy policy = provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId);
if (Objects.nonNull(policy)) {
list.add(policy);
}
}
return list;
}
@Override
public List<Policy> findByScopeIds(List<String> scopeIds, String resourceId, String resourceServerId) {
if (scopeIds==null || scopeIds.isEmpty()) {
return Collections.emptyList();
}
// Use separate subquery to handle DB2 and MSSSQL
TypedQuery<String> query;
if (resourceId == null) {
query = entityManager.createNamedQuery("findPolicyIdByNullResourceScope", String.class);
} else {
query = entityManager.createNamedQuery("findPolicyIdByResourceScope", String.class);
query.setParameter("resourceId", resourceId);
}
query.setFlushMode(FlushModeType.COMMIT);
query.setParameter("scopeIds", scopeIds);
query.setParameter("serverId", resourceServerId);
List<String> result = query.getResultList();
List<Policy> list = new LinkedList<>();
for (String id : result) {
Policy policy = provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId);
if (Objects.nonNull(policy)) {
list.add(policy);
}
} }
return list; return list;
} }
@ -226,7 +273,10 @@ public class JPAPolicyStore implements PolicyStore {
List<String> result = query.getResultList(); List<String> result = query.getResultList();
List<Policy> list = new LinkedList<>(); List<Policy> list = new LinkedList<>();
for (String id : result) { for (String id : result) {
list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); Policy policy = provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId);
if (Objects.nonNull(policy)) {
list.add(policy);
}
} }
return list; return list;
} }
@ -243,7 +293,10 @@ public class JPAPolicyStore implements PolicyStore {
List<String> result = query.getResultList(); List<String> result = query.getResultList();
List<Policy> list = new LinkedList<>(); List<Policy> list = new LinkedList<>();
for (String id : result) { for (String id : result) {
list.add(provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId)); Policy policy = provider.getStoreFactory().getPolicyStore().findById(id, resourceServerId);
if (Objects.nonNull(policy)) {
list.add(policy);
}
} }
return list; return list;
} }

5
server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java
View file

@ -385,6 +385,11 @@ public final class AuthorizationProvider implements Provider {
return policyStore.findByScopeIds(scopeIds, resourceServerId); return policyStore.findByScopeIds(scopeIds, resourceServerId);
} }
@Override
public List<Policy> findByScopeIds(List<String> scopeIds, String resourceId, String resourceServerId) {
return policyStore.findByScopeIds(scopeIds, resourceId, resourceServerId);
}
@Override @Override
public List<Policy> findByType(String type, String resourceServerId) { public List<Policy> findByType(String type, String resourceServerId) {
return policyStore.findByType(type, resourceServerId); return policyStore.findByType(type, resourceServerId);

13
server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java
View file

@ -79,22 +79,19 @@ public class DefaultPolicyEvaluator implements PolicyEvaluator {
evaluatePolicies(() -> { evaluatePolicies(() -> {
List<Policy> policies = policyStore.findByResourceType(resource.getType(), resourceServer.getId()); List<Policy> policies = policyStore.findByResourceType(resource.getType(), resourceServer.getId());
for (Resource typedResource : resourceStore.findByType(resource.getType(), resourceServer.getId())) { if (!resource.getOwner().equals(resourceServer.getId())) {
policies.addAll(policyStore.findByResource(typedResource.getId(), resourceServer.getId())); for (Resource typedResource : resourceStore.findByType(resource.getType(), resourceServer.getId())) {
policies.addAll(policyStore.findByResource(typedResource.getId(), resourceServer.getId()));
}
} }
return policies; return policies;
}, consumer); }, consumer);
} }
if (scopes.isEmpty() && !resource.getScopes().isEmpty()) {
scopes.removeAll(resource.getScopes());
evaluatePolicies(() -> policyStore.findByScopeIds(resource.getScopes().stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId()), consumer);
}
} }
if (!scopes.isEmpty()) { if (!scopes.isEmpty()) {
evaluatePolicies(() -> policyStore.findByScopeIds(scopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId()), consumer); evaluatePolicies(() -> policyStore.findByScopeIds(scopes.stream().map(Scope::getId).collect(Collectors.toList()), null, resourceServer.getId()), consumer);
} }
if (PolicyEnforcementMode.PERMISSIVE.equals(enforcementMode) && !verified.get()) { if (PolicyEnforcementMode.PERMISSIVE.equals(enforcementMode) && !verified.get()) {

10
server-spi-private/src/main/java/org/keycloak/authorization/store/PolicyStore.java
View file

@ -111,6 +111,16 @@ public interface PolicyStore {
*/ */
List<Policy> findByScopeIds(List<String> scopeIds, String resourceServerId); List<Policy> findByScopeIds(List<String> scopeIds, String resourceServerId);
/**
* Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.core.model.Scope} with the given <code>resourceId</code> and <code>scopeIds</code>.
*
* @param scopeIds the id of the scopes
* @param resourceId the id of the resource
* @param resourceServerId the resource server id
* @return a list of policies associated with the given scopes
*/
List<Policy> findByScopeIds(List<String> scopeIds, String resourceId, String resourceServerId);
/** /**
* Returns a list of {@link Policy} with the given <code>type</code>. * Returns a list of {@link Policy} with the given <code>type</code>.
* *

18
server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
View file

@ -841,24 +841,6 @@ public class ModelToRepresentation {
} }
return scope; return scope;
}).collect(Collectors.toSet())); }).collect(Collectors.toSet()));
if (resource.getType() != null) {
ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
for (Resource typed : resourceStore.findByType(resource.getType(), resourceServer.getId())) {
if (typed.getOwner().equals(resourceServer.getId()) && !typed.getId().equals(resource.getId())) {
resource.setTypedScopes(typed.getScopes().stream().map(model1 -> {
ScopeRepresentation scope = new ScopeRepresentation();
scope.setId(model1.getId());
scope.setName(model1.getName());
String iconUri = model1.getIconUri();
if (iconUri != null) {
scope.setIconUri(iconUri);
}
return scope;
}).filter(scopeRepresentation -> !resource.getScopes().contains(scopeRepresentation)).collect(Collectors.toList()));
}
}
}
} }
return resource; return resource;

5
services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java
View file

@ -234,7 +234,7 @@ public class ResourceSetService {
return representation; return representation;
}).collect(Collectors.toList()); }).collect(Collectors.toList());
if (model.getType() != null) { if (model.getType() != null && !model.getOwner().equals(resourceServer.getId())) {
ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore(); ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
for (Resource typed : resourceStore.findByType(model.getType(), resourceServer.getId())) { for (Resource typed : resourceStore.findByType(model.getType(), resourceServer.getId())) {
if (typed.getOwner().equals(resourceServer.getId()) && !typed.getId().equals(model.getId())) { if (typed.getOwner().equals(resourceServer.getId()) && !typed.getId().equals(model.getId())) {
@ -273,7 +273,8 @@ public class ResourceSetService {
policies.addAll(policyStore.findByResource(model.getId(), resourceServer.getId())); policies.addAll(policyStore.findByResource(model.getId(), resourceServer.getId()));
policies.addAll(policyStore.findByResourceType(model.getType(), resourceServer.getId())); policies.addAll(policyStore.findByResourceType(model.getType(), resourceServer.getId()));
policies.addAll(policyStore.findByScopeIds(model.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toList()), resourceServer.getId())); policies.addAll(policyStore.findByScopeIds(model.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toList()), id, resourceServer.getId()));
policies.addAll(policyStore.findByScopeIds(model.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toList()), null, resourceServer.getId()));
List<PolicyRepresentation> representation = new ArrayList<>(); List<PolicyRepresentation> representation = new ArrayList<>();

2
testsuite/integration-arquillian/test-apps/servlet-authz/servlet-authz-app-authz-service.json
View file

@ -25,7 +25,6 @@
{ {
"name": "Premium Resource", "name": "Premium Resource",
"uri": "/protected/premium/*", "uri": "/protected/premium/*",
"type": "urn:servlet-authz:protected:resource",
"scopes": [ "scopes": [
{ {
"name": "urn:servlet-authz:protected:premium:access" "name": "urn:servlet-authz:protected:premium:access"
@ -34,7 +33,6 @@
}, },
{ {
"name": "Main Page", "name": "Main Page",
"type": "urn:servlet-authz:protected:resource",
"scopes": [ "scopes": [
{ {
"name": "urn:servlet-authz:page:main:actionForAdmin" "name": "urn:servlet-authz:page:main:actionForAdmin"

39
testsuite/integration-arquillian/test-apps/servlet-policy-enforcer/servlet-policy-enforcer-authz-realm.json
View file

@ -62,64 +62,51 @@
"resources": [ "resources": [
{ {
"name": "Welcome Resource", "name": "Welcome Resource",
"uri": "", "uri": ""
"typedScopes": []
}, },
{ {
"name": "Pattern 1", "name": "Pattern 1",
"uri": "", "uri": ""
"typedScopes": []
}, },
{ {
"name": "Pattern 2", "name": "Pattern 2",
"uri": "/resource/resource-a", "uri": "/resource/resource-a"
"typedScopes": []
}, },
{ {
"name": "Pattern 3", "name": "Pattern 3",
"uri": "/resource/resource-b/test", "uri": "/resource/resource-b/test"
"typedScopes": []
}, },
{ {
"name": "Pattern 4", "name": "Pattern 4",
"uri": "/resource-c", "uri": "/resource-c"
"typedScopes": []
}, },
{ {
"name": "Pattern 5", "name": "Pattern 5",
"uri": "/resource/d/resource-d", "uri": "/resource/d/resource-d"
"typedScopes": []
}, },
{ {
"name": "Pattern 6", "name": "Pattern 6",
"uri": "", "uri": ""
"typedScopes": []
}, },
{ {
"name": "Pattern 7", "name": "Pattern 7",
"uri": "", "uri": ""
"typedScopes": []
}, },
{ {
"name": "Pattern 8", "name": "Pattern 8"
"typedScopes": []
}, },
{ {
"name": "Pattern 9", "name": "Pattern 9"
"typedScopes": []
}, },
{ {
"name": "Pattern 10", "name": "Pattern 10"
"typedScopes": []
}, },
{ {
"name": "Pattern 11", "name": "Pattern 11"
"typedScopes": []
}, },
{ {
"name": "Pattern 12", "name": "Pattern 12",
"uri": "/realm_uri", "uri": "/realm_uri"
"typedScopes": []
} }
], ],
"policies": [ "policies": [

12
testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/acme-resource-server-cleanup-test.json
View file

@ -13,8 +13,7 @@
{ {
"name": "urn:acme.com:scopes:admin:view" "name": "urn:acme.com:scopes:admin:view"
} }
], ]
"typedScopes": []
}, },
{ {
"name": "Role resource", "name": "Role resource",
@ -24,8 +23,7 @@
{ {
"name": "urn:acme.com:scopes:role:view" "name": "urn:acme.com:scopes:role:view"
} }
], ]
"typedScopes": []
}, },
{ {
"name": "User profile resource", "name": "User profile resource",
@ -38,8 +36,7 @@
{ {
"name": "urn:acme.com:scopes:userprofile:view" "name": "urn:acme.com:scopes:userprofile:view"
} }
], ]
"typedScopes": []
}, },
{ {
"name": "Account resource", "name": "Account resource",
@ -49,8 +46,7 @@
{ {
"name": "urn:acme.com:scopes:account:manage" "name": "urn:acme.com:scopes:account:manage"
} }
], ]
"typedScopes": []
} }
], ],
"policies": [ "policies": [

9
testsuite/integration-arquillian/tests/base/src/test/resources/migration-test/migration-realm-2.2.1.Final.json
View file

@ -134,8 +134,7 @@
{ {
"name": "urn:photoz.com:scopes:profile:view" "name": "urn:photoz.com:scopes:profile:view"
} }
], ]
"typedScopes": []
}, },
{ {
"name": "Album Resource", "name": "Album Resource",
@ -151,8 +150,7 @@
{ {
"name": "urn:photoz.com:scopes:album:delete" "name": "urn:photoz.com:scopes:album:delete"
} }
], ]
"typedScopes": []
}, },
{ {
"name": "Admin Resources", "name": "Admin Resources",
@ -162,8 +160,7 @@
{ {
"name": "urn:photoz.com:scopes:album:admin:manage" "name": "urn:photoz.com:scopes:album:admin:manage"
} }
], ]
"typedScopes": []
} }
], ],
"policies": [ "policies": [

2
testsuite/integration-arquillian/tests/other/console/src/main/java/org/keycloak/testsuite/console/page/clients/authorization/permission/ScopePermissionForm.java
View file

@ -44,6 +44,7 @@ import org.keycloak.testsuite.console.page.fragment.ModalDialog;
import org.keycloak.testsuite.console.page.fragment.MultipleStringSelect2; import org.keycloak.testsuite.console.page.fragment.MultipleStringSelect2;
import org.keycloak.testsuite.console.page.fragment.SingleStringSelect2; import org.keycloak.testsuite.console.page.fragment.SingleStringSelect2;
import org.keycloak.testsuite.page.Form; import org.keycloak.testsuite.page.Form;
import org.openqa.selenium.By;
import org.openqa.selenium.WebElement; import org.openqa.selenium.WebElement;
import org.openqa.selenium.support.FindBy; import org.openqa.selenium.support.FindBy;
import org.openqa.selenium.support.ui.Select; import org.openqa.selenium.support.ui.Select;
@ -115,6 +116,7 @@ public class ScopePermissionForm extends Form {
resourceSelect.update(resources); resourceSelect.update(resources);
resourceScopeSelect.update(expected.getScopes()); resourceScopeSelect.update(expected.getScopes());
} else { } else {
driver.findElement(By.className("select2-search-choice-close")).click();
scopeSelect.update(expected.getScopes()); scopeSelect.update(expected.getScopes());
} }

35
testsuite/integration-arquillian/tests/other/console/src/test/java/org/keycloak/testsuite/console/authorization/ScopePermissionManagementTest.java
View file

@ -88,7 +88,7 @@ public class ScopePermissionManagementTest extends AbstractAuthorizationSettings
} }
@Test @Test
public void testCreateWithoutPolicies() throws InterruptedException { public void testCreateWithoutPolicies() {
authorizationPage.navigateTo(); authorizationPage.navigateTo();
ScopePermissionRepresentation expected = new ScopePermissionRepresentation(); ScopePermissionRepresentation expected = new ScopePermissionRepresentation();
@ -105,7 +105,7 @@ public class ScopePermissionManagementTest extends AbstractAuthorizationSettings
} }
@Test @Test
public void testUpdateResourceScope() throws InterruptedException { public void testUpdateResourceScope() {
authorizationPage.navigateTo(); authorizationPage.navigateTo();
ScopePermissionRepresentation expected = new ScopePermissionRepresentation(); ScopePermissionRepresentation expected = new ScopePermissionRepresentation();
@ -149,7 +149,32 @@ public class ScopePermissionManagementTest extends AbstractAuthorizationSettings
} }
@Test @Test
public void testUpdateScopeOnly() throws InterruptedException { public void testUpdateWithoutResource() {
authorizationPage.navigateTo();
ScopePermissionRepresentation expected = new ScopePermissionRepresentation();
expected.setName("testUpdateWithoutResource Permission");
expected.setDescription("description");
expected.addResource("Resource A");
expected.addScope("Scope A");
expected.addPolicy("Policy C");
expected = createPermission(expected);
expected.getResources().clear();
expected.addScope("Scope B");
authorizationPage.navigateTo();
authorizationPage.authorizationTabs().permissions().update(expected.getName(), expected);
assertAlertSuccess();
authorizationPage.navigateTo();
ScopePermission actual = authorizationPage.authorizationTabs().permissions().name(expected.getName());
assertPolicy(expected, actual);
}
@Test
public void testUpdateScopeOnly() {
authorizationPage.navigateTo(); authorizationPage.navigateTo();
ScopePermissionRepresentation expected = new ScopePermissionRepresentation(); ScopePermissionRepresentation expected = new ScopePermissionRepresentation();
@ -180,7 +205,7 @@ public class ScopePermissionManagementTest extends AbstractAuthorizationSettings
} }
@Test @Test
public void testDelete() throws InterruptedException { public void testDelete() {
authorizationPage.navigateTo(); authorizationPage.navigateTo();
ScopePermissionRepresentation expected = new ScopePermissionRepresentation(); ScopePermissionRepresentation expected = new ScopePermissionRepresentation();
@ -198,7 +223,7 @@ public class ScopePermissionManagementTest extends AbstractAuthorizationSettings
} }
@Test @Test
public void testDeleteFromList() throws InterruptedException { public void testDeleteFromList() {
authorizationPage.navigateTo(); authorizationPage.navigateTo();
ScopePermissionRepresentation expected = new ScopePermissionRepresentation(); ScopePermissionRepresentation expected = new ScopePermissionRepresentation();

2
themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
View file

@ -1292,7 +1292,7 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
if ($scope.selectedResource != null) { if ($scope.selectedResource != null) {
$scope.policy.resources = [$scope.selectedResource._id]; $scope.policy.resources = [$scope.selectedResource._id];
} else { } else {
delete $scope.policy.resources; $scope.policy.resources = [];
} }
var scopes = []; var scopes = [];