Merge pull request #346 from stianst/master

KEYCLOAK-347 Link realm and realm-permissions application
This commit is contained in:
Stian Thorgersen 2014-04-25 15:32:47 +01:00
commit ce6652efb1
14 changed files with 100 additions and 42 deletions

View file

@ -25,8 +25,4 @@ public class AdminRoles {
public static String[] ALL_REALM_ROLES = {VIEW_REALM, VIEW_USERS, VIEW_APPLICATIONS, VIEW_CLIENTS, VIEW_AUDIT, MANAGE_REALM, MANAGE_USERS, MANAGE_APPLICATIONS, MANAGE_CLIENTS, MANAGE_AUDIT};
public static String getAdminApp(RealmModel realm) {
return realm.getName() + APP_SUFFIX;
}
}

View file

@ -233,4 +233,9 @@ public interface RealmModel extends RoleContainerModel, RoleMapperModel, ScopeMa
Set<String> getAuditListeners();
void setAuditListeners(Set<String> listeners);
ApplicationModel getAdminApp();
void setAdminApp(ApplicationModel app);
}

View file

@ -260,4 +260,8 @@ public class ApplicationAdapter extends ClientAdapter implements ApplicationMode
public String toString() {
return getName();
}
ApplicationEntity getJpaEntity() {
return applicationEntity;
}
}

View file

@ -1276,4 +1276,16 @@ public class RealmAdapter implements RealmModel {
realm.setAuditListeners(listeners);
em.flush();
}
@Override
public ApplicationModel getAdminApp() {
return new ApplicationAdapter(this, em, realm.getAdminApp());
}
@Override
public void setAdminApp(ApplicationModel app) {
realm.setAdminApp(((ApplicationAdapter) app).getJpaEntity());
em.flush();
}
}

View file

@ -1,6 +1,8 @@
package org.keycloak.models.jpa.entities;
import org.keycloak.models.ApplicationModel;
import javax.persistence.CascadeType;
import javax.persistence.CollectionTable;
import javax.persistence.Column;
@ -13,6 +15,7 @@ import javax.persistence.MapKeyColumn;
import javax.persistence.NamedQueries;
import javax.persistence.NamedQuery;
import javax.persistence.OneToMany;
import javax.persistence.OneToOne;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
@ -114,6 +117,9 @@ public class RealmEntity {
@ElementCollection
private Set<String> auditListeners= new HashSet<String>();
@OneToOne
private ApplicationEntity adminApp;
public String getId() {
return id;
}
@ -432,5 +438,14 @@ public class RealmEntity {
public void setAuditListeners(Set<String> auditListeners) {
this.auditListeners = auditListeners;
}
public ApplicationEntity getAdminApp() {
return adminApp;
}
public void setAdminApp(ApplicationEntity adminApp) {
this.adminApp = adminApp;
}
}

View file

@ -207,4 +207,5 @@ public class ApplicationAdapter extends ClientAdapter<ApplicationEntity> impleme
getMongoEntity().setDefaultRoles(roleNames);
updateMongoEntity();
}
}

View file

@ -15,7 +15,7 @@ import org.keycloak.models.mongo.keycloak.entities.ClientEntity;
*/
public class ClientAdapter<T extends ClientEntity> extends AbstractMongoAdapter<T> implements ClientModel {
private final T clientEntity;
protected final T clientEntity;
private final RealmModel realm;
public ClientAdapter(RealmModel realm, T clientEntity, MongoStoreInvocationContext invContext) {
@ -157,4 +157,5 @@ public class ClientAdapter<T extends ClientEntity> extends AbstractMongoAdapter<
clientEntity.setNotBefore(notBefore);
updateMongoEntity();
}
}

View file

@ -642,7 +642,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
.and("name").is(name)
.get();
ApplicationEntity appEntity = getMongoStore().loadSingleEntity(ApplicationEntity.class, query, invocationContext);
return appEntity==null ? null : new ApplicationAdapter(this, appEntity, invocationContext);
return appEntity == null ? null : new ApplicationAdapter(this, appEntity, invocationContext);
}
@Override
@ -697,7 +697,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
@Override
public void grantRole(UserModel user, RoleModel role) {
UserEntity userEntity = ((UserAdapter)user).getUser();
UserEntity userEntity = ((UserAdapter) user).getUser();
getMongoStore().pushItemToList(userEntity, "roleIds", role.getId(), true, invocationContext);
}
@ -724,7 +724,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
// Filter to retrieve just realm roles TODO: Maybe improve to avoid filter programmatically... Maybe have separate fields for realmRoles and appRoles on user?
Set<RoleModel> realmRoles = new HashSet<RoleModel>();
for (RoleModel role : allRoles) {
RoleEntity roleEntity = ((RoleAdapter)role).getRole();
RoleEntity roleEntity = ((RoleAdapter) role).getRole();
if (getId().equals(roleEntity.getRealmId())) {
realmRoles.add(role);
@ -737,7 +737,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
public void deleteRoleMapping(UserModel user, RoleModel role) {
if (user == null || role == null) return;
UserEntity userEntity = ((UserAdapter)user).getUser();
UserEntity userEntity = ((UserAdapter) user).getUser();
getMongoStore().pullItemFromList(userEntity, "roleIds", role.getId(), invocationContext);
}
@ -764,7 +764,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
// Filter to retrieve just realm roles TODO: Maybe improve to avoid filter programmatically... Maybe have separate fields for realmRoles and appRoles on user?
Set<RoleModel> realmRoles = new HashSet<RoleModel>();
for (RoleModel role : allScopes) {
RoleEntity roleEntity = ((RoleAdapter)role).getRole();
RoleEntity roleEntity = ((RoleAdapter) role).getRole();
if (getId().equals(roleEntity.getRealmId())) {
realmRoles.add(role);
@ -787,12 +787,12 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
@Override
public void addScopeMapping(ClientModel client, RoleModel role) {
getMongoStore().pushItemToList(((AbstractMongoAdapter)client).getMongoEntity(), "scopeIds", role.getId(), true, invocationContext);
getMongoStore().pushItemToList(((AbstractMongoAdapter) client).getMongoEntity(), "scopeIds", role.getId(), true, invocationContext);
}
@Override
public void deleteScopeMapping(ClientModel client, RoleModel role) {
getMongoStore().pullItemFromList(((AbstractMongoAdapter)client).getMongoEntity(), "scopeIds", role.getId(), invocationContext);
getMongoStore().pullItemFromList(((AbstractMongoAdapter) client).getMongoEntity(), "scopeIds", role.getId(), invocationContext);
}
@Override
@ -911,7 +911,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
@Override
public boolean validatePassword(UserModel user, String password) {
for (CredentialEntity cred : ((UserAdapter)user).getUser().getCredentials()) {
for (CredentialEntity cred : ((UserAdapter) user).getUser().getCredentials()) {
if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
return new Pbkdf2PasswordEncoder(cred.getSalt()).verify(password, cred.getValue());
}
@ -922,7 +922,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
@Override
public boolean validateTOTP(UserModel user, String password, String token) {
if (!validatePassword(user, password)) return false;
for (CredentialEntity cred : ((UserAdapter)user).getUser().getCredentials()) {
for (CredentialEntity cred : ((UserAdapter) user).getUser().getCredentials()) {
if (cred.getType().equals(UserCredentialModel.TOTP)) {
return new TimeBasedOTP().validate(token, cred.getValue().getBytes());
}
@ -967,12 +967,12 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
.and("realmId").is(getId())
.get();
UserEntity userEntity = getMongoStore().loadSingleEntity(UserEntity.class, query, invocationContext);
return userEntity==null ? null : new UserAdapter(userEntity, invocationContext);
return userEntity == null ? null : new UserAdapter(userEntity, invocationContext);
}
@Override
public Set<SocialLinkModel> getSocialLinks(UserModel user) {
UserEntity userEntity = ((UserAdapter)user).getUser();
UserEntity userEntity = ((UserAdapter) user).getUser();
List<SocialLinkEntity> linkEntities = userEntity.getSocialLinks();
if (linkEntities == null) {
@ -990,12 +990,12 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
@Override
public SocialLinkModel getSocialLink(UserModel user, String socialProvider) {
SocialLinkEntity socialLinkEntity = findSocialLink(user, socialProvider);
return socialLinkEntity!=null ? new SocialLinkModel(socialLinkEntity.getSocialProvider(), socialLinkEntity.getSocialUserId(), socialLinkEntity.getSocialUsername()) : null;
return socialLinkEntity != null ? new SocialLinkModel(socialLinkEntity.getSocialProvider(), socialLinkEntity.getSocialUserId(), socialLinkEntity.getSocialUsername()) : null;
}
@Override
public void addSocialLink(UserModel user, SocialLinkModel socialLink) {
UserEntity userEntity = ((UserAdapter)user).getUser();
UserEntity userEntity = ((UserAdapter) user).getUser();
SocialLinkEntity socialLinkEntity = new SocialLinkEntity();
socialLinkEntity.setSocialProvider(socialLink.getSocialProvider());
socialLinkEntity.setSocialUserId(socialLink.getSocialUserId());
@ -1005,18 +1005,18 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
}
@Override
public boolean removeSocialLink(UserModel user,String socialProvider) {
public boolean removeSocialLink(UserModel user, String socialProvider) {
SocialLinkEntity socialLinkEntity = findSocialLink(user, socialProvider);
if (socialLinkEntity == null) {
return false;
}
UserEntity userEntity = ((UserAdapter)user).getUser();
UserEntity userEntity = ((UserAdapter) user).getUser();
return getMongoStore().pullItemFromList(userEntity, "socialLinks", socialLinkEntity, invocationContext);
}
private SocialLinkEntity findSocialLink(UserModel user, String socialProvider) {
UserEntity userEntity = ((UserAdapter)user).getUser();
UserEntity userEntity = ((UserAdapter) user).getUser();
List<SocialLinkEntity> linkEntities = userEntity.getSocialLinks();
if (linkEntities == null) {
return null;
@ -1032,19 +1032,19 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
@Override
public AuthenticationLinkModel getAuthenticationLink(UserModel user) {
UserEntity userEntity = ((UserAdapter)user).getUser();
UserEntity userEntity = ((UserAdapter) user).getUser();
AuthenticationLinkEntity authLinkEntity = userEntity.getAuthenticationLink();
if (authLinkEntity == null) {
return null;
} else {
} else {
return new AuthenticationLinkModel(authLinkEntity.getAuthProvider(), authLinkEntity.getAuthUserId());
}
}
@Override
public void setAuthenticationLink(UserModel user, AuthenticationLinkModel authenticationLink) {
UserEntity userEntity = ((UserAdapter)user).getUser();
UserEntity userEntity = ((UserAdapter) user).getUser();
AuthenticationLinkEntity authLinkEntity = new AuthenticationLinkEntity();
authLinkEntity.setAuthProvider(authenticationLink.getAuthProvider());
authLinkEntity.setAuthUserId(authenticationLink.getAuthUserId());
@ -1086,8 +1086,8 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
if (spaceInd != -1) {
String firstName = search.substring(0, spaceInd);
String lastName = search.substring(spaceInd + 1);
Pattern firstNamePattern = Pattern.compile("(?i:" + firstName + "$)");
Pattern lastNamePattern = Pattern.compile("(?i:^" + lastName + ")");
Pattern firstNamePattern = Pattern.compile("(?i:" + firstName + "$)");
Pattern lastNamePattern = Pattern.compile("(?i:^" + lastName + ")");
nameBuilder = new QueryBuilder().and(
new QueryBuilder().put("firstName").regex(firstNamePattern).get(),
new QueryBuilder().put("lastName").regex(lastNamePattern).get()
@ -1240,6 +1240,16 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
updateRealm();
}
@Override
public ApplicationModel getAdminApp() {
return new ApplicationAdapter(this, realm.getAdminApp(), invocationContext);
}
@Override
public void setAdminApp(ApplicationModel app) {
realm.setAdminApp(((ApplicationAdapter) app).getMongoEntity());
}
@Override
public RealmEntity getMongoEntity() {
return realm;

View file

@ -2,6 +2,7 @@ package org.keycloak.models.mongo.keycloak.entities;
import com.mongodb.DBObject;
import com.mongodb.QueryBuilder;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.mongo.api.AbstractMongoIdentifiableEntity;
import org.keycloak.models.mongo.api.MongoCollection;
import org.keycloak.models.mongo.api.MongoEntity;
@ -69,6 +70,8 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong
private long auditExpiration;
private List<String> auditListeners = new ArrayList<String>();
private ApplicationEntity adminApp;
@MongoField
public String getName() {
return name;
@ -393,6 +396,15 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong
this.auditListeners = auditListeners;
}
@MongoField
public ApplicationEntity getAdminApp() {
return adminApp;
}
public void setAdminApp(ApplicationEntity adminApp) {
this.adminApp = adminApp;
}
@Override
public void afterRemove(MongoStoreInvocationContext context) {
DBObject query = new QueryBuilder()

View file

@ -1,5 +1,6 @@
package org.keycloak.services.managers;
import org.keycloak.models.ApplicationModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
@ -72,16 +73,16 @@ public class Auth {
return false;
}
public boolean hasAppRole(String app, String role) {
public boolean hasAppRole(ApplicationModel app, String role) {
if (cookie) {
return realm.hasRole(user, realm.getApplicationByName(app).getRole(role));
return realm.hasRole(user, app.getRole(role));
} else {
AccessToken.Access access = token.getResourceAccess(app);
AccessToken.Access access = token.getResourceAccess(app.getName());
return access != null && access.isUserInRole(role);
}
}
public boolean hasOneOfAppRole(String app, String... roles) {
public boolean hasOneOfAppRole(ApplicationModel app, String... roles) {
for (String r : roles) {
if (hasAppRole(app, r)) {
return true;

View file

@ -108,7 +108,7 @@ public class RealmManager {
RealmModel adminRealm = getKeycloakAdminstrationRealm();
RoleModel adminRole = adminRealm.getRole(AdminRoles.ADMIN);
ApplicationModel realmAdminApp = adminRealm.getApplicationByName(AdminRoles.getAdminApp(realm));
ApplicationModel realmAdminApp = realm.getAdminApp();
for (RoleModel r : realmAdminApp.getRoles()) {
adminRole.removeCompositeRole(r);
}
@ -214,7 +214,9 @@ public class RealmManager {
}
ApplicationManager applicationManager = new ApplicationManager(new RealmManager(identitySession));
ApplicationModel realmAdminApp = applicationManager.createApplication(adminRealm, AdminRoles.getAdminApp(realm));
ApplicationModel realmAdminApp = applicationManager.createApplication(adminRealm, realm.getName() + "-realm");
realm.setAdminApp(realmAdminApp);
for (String r : AdminRoles.ALL_REALM_ROLES) {
RoleModel role = realmAdminApp.addRole(r);

View file

@ -539,7 +539,7 @@ public class AccountService {
throw new ForbiddenException();
}
if (!auth.hasAppRole(application.getName(), role)) {
if (!auth.hasAppRole(application, role)) {
throw new ForbiddenException();
}
}
@ -549,7 +549,7 @@ public class AccountService {
throw new ForbiddenException();
}
if (!auth.hasOneOfAppRole(application.getName(), roles)) {
if (!auth.hasOneOfAppRole(application, roles)) {
throw new ForbiddenException();
}
}

View file

@ -1,6 +1,7 @@
package org.keycloak.services.resources.admin;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ApplicationModel;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.managers.Auth;
@ -19,9 +20,9 @@ public class RealmAuth {
}
private Auth auth;
private String realmAdminApp;
private ApplicationModel realmAdminApp;
public RealmAuth(Auth auth, String realmAdminApp) {
public RealmAuth(Auth auth, ApplicationModel realmAdminApp) {
this.auth = auth;
this.realmAdminApp = realmAdminApp;
}

View file

@ -69,11 +69,9 @@ public class RealmsAdminResource {
List<RealmModel> realms = session.getRealms();
List<RealmRepresentation> reps = new ArrayList<RealmRepresentation>();
for (RealmModel realm : realms) {
String realmAdminApp = AdminRoles.getAdminApp(realm);
if (auth.hasAppRole(realmAdminApp, AdminRoles.MANAGE_REALM)) {
if (auth.hasAppRole(realm.getAdminApp(), AdminRoles.MANAGE_REALM)) {
reps.add(ModelToRepresentation.toRepresentation(realm));
} else if (auth.hasOneOfAppRole(realmAdminApp, AdminRoles.ALL_REALM_ROLES)) {
} else if (auth.hasOneOfAppRole(realm.getAdminApp(), AdminRoles.ALL_REALM_ROLES)) {
RealmRepresentation rep = new RealmRepresentation();
rep.setRealm(realm.getName());
reps.add(rep);
@ -144,7 +142,7 @@ public class RealmsAdminResource {
}
RealmModel adminRealm = new RealmManager(session).getKeycloakAdminstrationRealm();
ApplicationModel realmAdminApp = adminRealm.getApplicationByName(AdminRoles.getAdminApp(realm));
ApplicationModel realmAdminApp = realm.getAdminApp();
for (String r : AdminRoles.ALL_REALM_ROLES) {
RoleModel role = realmAdminApp.getRole(r);
adminRealm.grantRole(auth.getUser(), role);
@ -159,7 +157,7 @@ public class RealmsAdminResource {
RealmModel realm = realmManager.getRealmByName(name);
if (realm == null) throw new NotFoundException("{realm} = " + name);
RealmAuth realmAuth = new RealmAuth(auth, AdminRoles.getAdminApp(realm));
RealmAuth realmAuth = new RealmAuth(auth, realm.getAdminApp());
RealmAdminResource adminResource = new RealmAdminResource(realmAuth, realm, tokenManager);
ResteasyProviderFactory.getInstance().injectProperties(adminResource);