libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

Make sure there is always Realm or ResourceServer when searching for authz entities

Browse source 
Closes #11817
This commit is contained in:
Michal Hajas 2022-04-05 14:47:24 +02:00 committed by Pedro Igor
parent bfab03b837
commit d3b43a9f59
65 changed files with 848 additions and 913 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java
View file

@ -1,3 +1,20 @@
/*
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authorization.policy.provider.client;
import java.io.IOException;
@ -123,7 +140,7 @@ public class ClientPolicyProviderFactory implements PolicyProviderFactory<Client
try {
if (clients.isEmpty()) {
policyStore.delete(policy.getId());
policyStore.delete(removedClient.getRealm(), policy.getId());
} else {
policy.putConfig("clients", JsonSerialization.writeValueAsString(clients));
}

8
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/clientscope/ClientScopePolicyProviderFactory.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -13,7 +13,6 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.keycloak.authorization.policy.provider.clientscope;
@ -69,12 +68,13 @@ public class ClientScopePolicyProviderFactory implements PolicyProviderFactory<C
StoreFactory storeFactory = provider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
ClientScopeModel removedClientScope = ((ClientScopeRemovedEvent) event).getClientScope();
RealmModel realm = ((ClientScopeRemovedEvent) event).getClientScope().getRealm();
Map<Policy.FilterOption, String[]> filters = new HashMap<>();
filters.put(Policy.FilterOption.TYPE, new String[] { getId() });
policyStore.findByResourceServer(null, filters, null, null).forEach(new Consumer<Policy>() {
policyStore.find(realm, null, filters, null, null).forEach(new Consumer<Policy>() {
@Override
public void accept(Policy policy) {
@ -93,7 +93,7 @@ public class ClientScopePolicyProviderFactory implements PolicyProviderFactory<C
}
if (clientScopes.isEmpty()) {
policyStore.delete(policy.getId());
policyStore.delete(realm, policy.getId());
} else {
try {
policy.putConfig("clientScopes", JsonSerialization.writeValueAsString(clientScopes));

16
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/permission/UMAPolicyProviderFactory.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2018 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -125,6 +125,7 @@ public class UMAPolicyProviderFactory implements PolicyProviderFactory<UmaPermis
public void onUpdate(Policy policy, UmaPermissionRepresentation representation, AuthorizationProvider authorization) {
PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
RealmModel realm = policy.getResourceServer().getRealm();
for (Policy associatedPolicy : associatedPolicies) {
AbstractPolicyRepresentation associatedRep = ModelToRepresentation.toRepresentation(associatedPolicy, authorization, false, false);
@ -143,7 +144,7 @@ public class UMAPolicyProviderFactory implements PolicyProviderFactory<UmaPermis
}
if (rep.getRoles().isEmpty()) {
policyStore.delete(associatedPolicy.getId());
policyStore.delete(realm, associatedPolicy.getId());
} else {
RepresentationToModel.toModel(rep, authorization, associatedPolicy);
}
@ -154,7 +155,7 @@ public class UMAPolicyProviderFactory implements PolicyProviderFactory<UmaPermis
rep.setType(representation.getCondition());
RepresentationToModel.toModel(rep, authorization, associatedPolicy);
} else {
policyStore.delete(associatedPolicy.getId());
policyStore.delete(realm, associatedPolicy.getId());
}
} else if ("group".equals(associatedRep.getType())) {
GroupPolicyRepresentation rep = GroupPolicyRepresentation.class.cast(associatedRep);
@ -170,7 +171,7 @@ public class UMAPolicyProviderFactory implements PolicyProviderFactory<UmaPermis
}
if (rep.getGroups().isEmpty()) {
policyStore.delete(associatedPolicy.getId());
policyStore.delete(realm, associatedPolicy.getId());
} else {
RepresentationToModel.toModel(rep, authorization, associatedPolicy);
}
@ -188,7 +189,7 @@ public class UMAPolicyProviderFactory implements PolicyProviderFactory<UmaPermis
}
if (rep.getClients().isEmpty()) {
policyStore.delete(associatedPolicy.getId());
policyStore.delete(realm, associatedPolicy.getId());
} else {
RepresentationToModel.toModel(rep, authorization, associatedPolicy);
}
@ -206,7 +207,7 @@ public class UMAPolicyProviderFactory implements PolicyProviderFactory<UmaPermis
}
if (rep.getUsers().isEmpty()) {
policyStore.delete(associatedPolicy.getId());
policyStore.delete(realm, associatedPolicy.getId());
} else {
RepresentationToModel.toModel(rep, authorization, associatedPolicy);
}
@ -364,9 +365,10 @@ public class UMAPolicyProviderFactory implements PolicyProviderFactory<UmaPermis
@Override
public void onRemove(Policy policy, AuthorizationProvider authorization) {
PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
RealmModel realm = policy.getResourceServer().getRealm();
for (Policy associatedPolicy : policy.getAssociatedPolicies()) {
policyStore.delete(associatedPolicy.getId());
policyStore.delete(realm, associatedPolicy.getId());
}
}

8
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -13,7 +13,6 @@
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.keycloak.authorization.policy.provider.role;
@ -140,11 +139,10 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
}
private void updateRoles(Policy policy, AuthorizationProvider authorization, Set<RolePolicyRepresentation.RoleDefinition> roles) {
KeycloakSession session = authorization.getKeycloakSession();
RealmModel realm = authorization.getRealm();
Set<RolePolicyRepresentation.RoleDefinition> updatedRoles = new HashSet<>();
if (roles != null) {
RealmModel realm = authorization.getRealm();
for (RolePolicyRepresentation.RoleDefinition definition : roles) {
String roleName = definition.getId();
String clientId = null;
@ -240,7 +238,7 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePoli
try {
if (roles.isEmpty()) {
policyStore.delete(policy.getId());
policyStore.delete(clientModel.getRealm(), policy.getId());
} else {
policy.putConfig("roles", JsonSerialization.writeValueAsString(roles));
}

10
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/InfinispanCacheStoreFactoryProviderFactory.java vendored
View file

@ -27,6 +27,7 @@ import org.keycloak.cluster.ClusterProvider;
import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
import org.keycloak.models.cache.authorization.CachedStoreProviderFactory;
import org.keycloak.models.cache.infinispan.entities.Revisioned;
@ -44,6 +45,15 @@ public class InfinispanCacheStoreFactoryProviderFactory implements CachedStorePr
protected volatile StoreFactoryCacheManager storeCache;
/**
* Legacy store doesn't store realm id for any entity and no method there is using new introduced RealmModel parameter.
* The parameter was introduced for usage only in the new storage. Therefore, in some cases we may break our rule specified in JavaDoc
* and use {@code null} value as parameter that otherwise cannot be {@code null}. We need to be careful and place such value only to a method call
* that cannot end up in the new store because it would end with {@link NullPointerException}. To mark all places where we do this,
* we use this variable so it is easily searchable.
*/
public static final RealmModel NULL_REALM = null;
@Override
public CachedStoreFactoryProvider create(KeycloakSession session) {
lazyInit(session);

19
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/PermissionTicketAdapter.java vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2017 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -22,6 +22,7 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.models.cache.infinispan.authorization.entities.CachedPermissionTicket;
/**
@ -42,8 +43,8 @@ public class PermissionTicketAdapter implements PermissionTicket, CachedModel<Pe
@Override
public PermissionTicket getDelegateForUpdate() {
if (updated == null) {
ResourceServer resourceServer = cacheSession.getResourceServerStoreDelegate().findById(null, cached.getResourceServerId());
updated = cacheSession.getPermissionTicketStoreDelegate().findById(resourceServer, cached.getId());
ResourceServer resourceServer = cacheSession.getResourceServerStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getResourceServerId());
updated = cacheSession.getPermissionTicketStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, cached.getId());
if (updated == null) throw new IllegalStateException("Not found in database");
cacheSession.registerPermissionTicketInvalidation(cached.getId(), cached.getOwner(), cached.getRequester(), cached.getResourceId(), updated.getResource().getName(), cached.getScopeId(), cached.getResourceServerId());
}
@ -70,8 +71,8 @@ public class PermissionTicketAdapter implements PermissionTicket, CachedModel<Pe
protected boolean isUpdated() {
if (updated != null) return true;
if (!invalidated) return false;
ResourceServer resourceServer = cacheSession.getResourceServerStoreDelegate().findById(null, cached.getResourceServerId());
updated = cacheSession.getPermissionTicketStoreDelegate().findById(resourceServer, cached.getId());
ResourceServer resourceServer = cacheSession.getResourceServerStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getResourceServerId());
updated = cacheSession.getPermissionTicketStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, cached.getId());
if (updated == null) throw new IllegalStateException("Not found in database");
return true;
}
@ -122,13 +123,13 @@ public class PermissionTicketAdapter implements PermissionTicket, CachedModel<Pe
@Override
public ResourceServer getResourceServer() {
return cacheSession.getResourceServerStore().findById(null, cached.getResourceServerId());
return cacheSession.getResourceServerStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getResourceServerId());
}
@Override
public Policy getPolicy() {
if (isUpdated()) return updated.getPolicy();
return cacheSession.getPolicyStore().findById(cacheSession.getResourceServerStore().findById(null, cached.getResourceServerId()), cached.getPolicy());
return cacheSession.getPolicyStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cacheSession.getResourceServerStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getResourceServerId()), cached.getPolicy());
}
@Override
@ -140,12 +141,12 @@ public class PermissionTicketAdapter implements PermissionTicket, CachedModel<Pe
@Override
public Resource getResource() {
return cacheSession.getResourceStore().findById(getResourceServer(), cached.getResourceId());
return cacheSession.getResourceStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, getResourceServer(), cached.getResourceId());
}
@Override
public Scope getScope() {
return cacheSession.getScopeStore().findById(getResourceServer(), cached.getScopeId());
return cacheSession.getScopeStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, getResourceServer(), cached.getScopeId());
}
@Override

15
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/PolicyAdapter.java vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -21,6 +21,7 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
@ -85,7 +86,7 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
protected boolean isUpdated() {
if (updated != null) return true;
if (!invalidated) return false;
updated = cacheSession.getPolicyStoreDelegate().findById(cacheSession.getResourceServerStore().findById(null, cached.getResourceServerId()), cached.getId());
updated = cacheSession.getPolicyStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cacheSession.getResourceServerStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getResourceServerId()), cached.getId());
if (updated == null) throw new IllegalStateException("Not found in database");
return true;
}
@ -112,7 +113,7 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
@Override
public ResourceServer getResourceServer() {
return cacheSession.getResourceServerStore().findById(null, cached.getResourceServerId());
return cacheSession.getResourceServerStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getResourceServerId());
}
@Override
@ -208,7 +209,7 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
PolicyStore policyStore = cacheSession.getPolicyStore();
String resourceServerId = cached.getResourceServerId();
for (String id : cached.getAssociatedPoliciesIds(modelSupplier)) {
Policy policy = policyStore.findById(cacheSession.getResourceServerStore().findById(null, resourceServerId), id);
Policy policy = policyStore.findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cacheSession.getResourceServerStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServerId), id);
cacheSession.cachePolicy(policy);
associatedPolicies.add(policy);
}
@ -225,7 +226,7 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
ResourceStore resourceStore = cacheSession.getResourceStore();
ResourceServer resourceServer = getResourceServer();
for (String resourceId : cached.getResourcesIds(modelSupplier)) {
Resource resource = resourceStore.findById(resourceServer, resourceId);
Resource resource = resourceStore.findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, resourceId);
cacheSession.cacheResource(resource);
resources.add(resource);
}
@ -290,7 +291,7 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
ResourceServer resourceServer = getResourceServer();
ScopeStore scopeStore = cacheSession.getScopeStore();
for (String scopeId : cached.getScopesIds(modelSupplier)) {
Scope scope = scopeStore.findById(resourceServer, scopeId);
Scope scope = scopeStore.findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, scopeId);
cacheSession.cacheScope(scope);
scopes.add(scope);
}
@ -325,6 +326,6 @@ public class PolicyAdapter implements Policy, CachedModel<Policy> {
}
private Policy getPolicyModel() {
return cacheSession.getPolicyStoreDelegate().findById(cacheSession.getResourceServerStore().findById(null, cached.getResourceServerId()), cached.getId());
return cacheSession.getPolicyStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cacheSession.getResourceServerStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getResourceServerId()), cached.getId());
}
}

12
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceAdapter.java vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -81,7 +81,7 @@ public class ResourceAdapter implements Resource, CachedModel<Resource> {
protected boolean isUpdated() {
if (updated != null) return true;
if (!invalidated) return false;
updated = cacheSession.getResourceStoreDelegate().findById(getResourceServer(), cached.getId());
updated = cacheSession.getResourceStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, getResourceServer(), cached.getId());
if (updated == null) throw new IllegalStateException("Not found in database");
return true;
}
@ -134,7 +134,7 @@ public class ResourceAdapter implements Resource, CachedModel<Resource> {
@Override
public ResourceServer getResourceServer() {
return cacheSession.getResourceServerStoreDelegate().findById(null, cached.getResourceServerId());
return cacheSession.getResourceServerStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getResourceServerId());
}
@Override
@ -172,7 +172,7 @@ public class ResourceAdapter implements Resource, CachedModel<Resource> {
if (scopes != null) return scopes;
scopes = new LinkedList<>();
for (String scopeId : cached.getScopesIds(modelSupplier)) {
scopes.add(cacheSession.getScopeStore().findById(getResourceServer(), scopeId));
scopes.add(cacheSession.getScopeStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, getResourceServer(), scopeId));
}
return scopes = Collections.unmodifiableList(scopes);
}
@ -206,7 +206,7 @@ public class ResourceAdapter implements Resource, CachedModel<Resource> {
List<PermissionTicket> permissions = permissionStore.findByScope(getResourceServer(), scope);
for (PermissionTicket permission : permissions) {
permissionStore.delete(permission.getId());
permissionStore.delete(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, permission.getId());
}
}
}
@ -282,6 +282,6 @@ public class ResourceAdapter implements Resource, CachedModel<Resource> {
}
private Resource getResourceModel() {
return cacheSession.getResourceStoreDelegate().findById(getResourceServer(), cached.getId());
return cacheSession.getResourceStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, getResourceServer(), cached.getId());
}
}

7
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceServerAdapter.java vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -18,6 +18,7 @@ package org.keycloak.models.cache.infinispan.authorization;
import org.keycloak.authorization.model.CachedModel;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.cache.infinispan.authorization.entities.CachedResourceServer;
@ -42,7 +43,7 @@ public class ResourceServerAdapter implements ResourceServer, CachedModel<Resour
public ResourceServer getDelegateForUpdate() {
if (updated == null) {
cacheSession.registerResourceServerInvalidation(cached.getId());
updated = cacheSession.getResourceServerStoreDelegate().findById(null, cached.getId());
updated = cacheSession.getResourceServerStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getId());
if (updated == null) throw new IllegalStateException("Not found in database");
}
return updated;
@ -69,7 +70,7 @@ public class ResourceServerAdapter implements ResourceServer, CachedModel<Resour
protected boolean isUpdated() {
if (updated != null) return true;
if (!invalidated) return false;
updated = cacheSession.getResourceServerStoreDelegate().findById(null, cached.getId());
updated = cacheSession.getResourceServerStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getId());
if (updated == null) throw new IllegalStateException("Not found in database");
return true;
}

9
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ScopeAdapter.java vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -19,6 +19,7 @@ package org.keycloak.models.cache.infinispan.authorization;
import org.keycloak.authorization.model.CachedModel;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.models.cache.infinispan.authorization.entities.CachedScope;
/**
@ -39,7 +40,7 @@ public class ScopeAdapter implements Scope, CachedModel<Scope> {
public Scope getDelegateForUpdate() {
if (updated == null) {
cacheSession.registerScopeInvalidation(cached.getId(), cached.getName(), cached.getResourceServerId());
updated = cacheSession.getScopeStoreDelegate().findById(getResourceServer(), cached.getId());
updated = cacheSession.getScopeStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, getResourceServer(), cached.getId());
if (updated == null) throw new IllegalStateException("Not found in database");
}
return updated;
@ -66,7 +67,7 @@ public class ScopeAdapter implements Scope, CachedModel<Scope> {
protected boolean isUpdated() {
if (updated != null) return true;
if (!invalidated) return false;
updated = cacheSession.getScopeStoreDelegate().findById(getResourceServer(), cached.getId());
updated = cacheSession.getScopeStoreDelegate().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, getResourceServer(), cached.getId());
if (updated == null) throw new IllegalStateException("Not found in database");
return true;
}
@ -118,7 +119,7 @@ public class ScopeAdapter implements Scope, CachedModel<Scope> {
@Override
public ResourceServer getResourceServer() {
return cacheSession.getResourceServerStore().findById(null, cached.getResourceServerId());
return cacheSession.getResourceServerStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, cached.getResourceServerId());
}
@Override

147
model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/StoreFactoryCacheSession.java vendored
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -310,9 +310,9 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
return Collections.emptySet();
}
ResourceServer resourceServer = getResourceServerStore().findById(null, serverId);
ResourceServer resourceServer = getResourceServerStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, serverId);
return resources.stream().map(resourceId -> {
Resource resource = getResourceStore().findById(resourceServer, resourceId);
Resource resource = getResourceStore().findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, resourceId);
String type = resource.getType();
if (type != null) {
@ -451,7 +451,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
public void delete(ClientModel client) {
String id = client.getId();
if (id == null) return;
ResourceServer server = findById(null, id);
ResourceServer server = findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, id);
if (server == null) return;
cache.invalidateObject(id);
@ -492,7 +492,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
@Override
public ResourceServer findByClient(ClientModel client) {
return findById(null, client.getId());
return findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, client.getId());
}
}
@ -510,19 +510,19 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
}
@Override
public void delete(String id) {
public void delete(RealmModel realm, String id) {
if (id == null) return;
Scope scope = findById(null, id);
Scope scope = findById(realm, null, id);
if (scope == null) return;
cache.invalidateObject(id);
invalidationEvents.add(ScopeRemovedEvent.create(id, scope.getName(), scope.getResourceServer().getId()));
cache.scopeRemoval(id, scope.getName(), scope.getResourceServer().getId(), invalidations);
getScopeStoreDelegate().delete(id);
getScopeStoreDelegate().delete(realm, id);
}
@Override
public Scope findById(ResourceServer resourceServer, String id) {
public Scope findById(RealmModel realm, ResourceServer resourceServer, String id) {
if (id == null) return null;
CachedScope cached = cache.get(id, CachedScope.class);
if (cached != null) {
@ -531,7 +531,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
if (cached == null) {
Long loaded = cache.getCurrentRevision(id);
if (! modelMightExist(id)) return null;
Scope model = getScopeStoreDelegate().findById(resourceServer, id);
Scope model = getScopeStoreDelegate().findById(realm, resourceServer, id);
if (model == null) {
setModelDoesNotExists(id, loaded);
return null;
@ -540,7 +540,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
cached = new CachedScope(loaded, model);
cache.addRevisioned(cached, startupRevision);
} else if (invalidations.contains(id)) {
return getScopeStoreDelegate().findById(resourceServer, id);
return getScopeStoreDelegate().findById(realm, resourceServer, id);
} else if (managedScopes.containsKey(id)) {
return managedScopes.get(id);
}
@ -573,7 +573,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
if (invalidations.contains(id)) {
return getScopeStoreDelegate().findByName(resourceServer, name);
}
return findById(resourceServer, id);
return findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, id);
}
}
@ -593,29 +593,29 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
@Override
public Resource create(ResourceServer resourceServer, String id, String name, String owner) {
Resource resource = getResourceStoreDelegate().create(resourceServer, id, name, owner);
Resource cached = findById(resourceServer, resource.getId());
Resource cached = findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, resource.getId());
registerResourceInvalidation(resource.getId(), resource.getName(), resource.getType(), resource.getUris(), resource.getScopes().stream().map(Scope::getId).collect(Collectors.toSet()), resourceServer.getId(), resource.getOwner());
if (cached == null) {
cached = findById(resourceServer, resource.getId());
cached = findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, resource.getId());
}
return cached;
}
@Override
public void delete(String id) {
public void delete(RealmModel realm, String id) {
if (id == null) return;
Resource resource = findById(null, id);
Resource resource = findById(realm, null, id);
if (resource == null) return;
cache.invalidateObject(id);
invalidationEvents.add(ResourceRemovedEvent.create(id, resource.getName(), resource.getType(), resource.getUris(), resource.getOwner(), resource.getScopes().stream().map(Scope::getId).collect(Collectors.toSet()), resource.getResourceServer().getId()));
cache.resourceRemoval(id, resource.getName(), resource.getType(), resource.getUris(), resource.getOwner(), resource.getScopes().stream().map(Scope::getId).collect(Collectors.toSet()), resource.getResourceServer().getId(), invalidations);
getResourceStoreDelegate().delete(id);
getResourceStoreDelegate().delete(realm, id);
}
@Override
public Resource findById(ResourceServer resourceServer, String id) {
public Resource findById(RealmModel realm, ResourceServer resourceServer, String id) {
if (id == null) return null;
CachedResource cached = cache.get(id, CachedResource.class);
if (cached != null) {
@ -624,7 +624,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
if (cached == null) {
Long loaded = cache.getCurrentRevision(id);
if (! modelMightExist(id)) return null;
Resource model = getResourceStoreDelegate().findById(resourceServer, id);
Resource model = getResourceStoreDelegate().findById(realm, resourceServer, id);
if (model == null) {
setModelDoesNotExists(id, loaded);
return null;
@ -633,7 +633,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
cached = new CachedResource(loaded, model);
cache.addRevisioned(cached, startupRevision);
} else if (invalidations.contains(id)) {
return getResourceStoreDelegate().findById(resourceServer, id);
return getResourceStoreDelegate().findById(realm, resourceServer, id);
} else if (managedResources.containsKey(id)) {
return managedResources.get(id);
}
@ -666,20 +666,20 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
}
@Override
public List<Resource> findByOwner(ResourceServer resourceServer, String ownerId) {
public List<Resource> findByOwner(RealmModel realm, ResourceServer resourceServer, String ownerId) {
String resourceServerId = resourceServer == null ? null : resourceServer.getId();
String cacheKey = getResourceByOwnerCacheKey(ownerId, resourceServerId);
return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByOwner(resourceServer, ownerId),
return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByOwner(realm, resourceServer, ownerId),
(revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer);
}
@Override
public void findByOwner(ResourceServer resourceServer, String ownerId, Consumer<Resource> consumer) {
public void findByOwner(RealmModel realm, ResourceServer resourceServer, String ownerId, Consumer<Resource> consumer) {
String resourceServerId = resourceServer == null ? null : resourceServer.getId();
String cacheKey = getResourceByOwnerCacheKey(ownerId, resourceServerId);
cacheQuery(cacheKey, ResourceListQuery.class, () -> {
List<Resource> resources = new ArrayList<>();
getResourceStoreDelegate().findByOwner(resourceServer, ownerId, new Consumer<Resource>() {
getResourceStoreDelegate().findByOwner(realm, resourceServer, ownerId, new Consumer<Resource>() {
@Override
public void accept(Resource resource) {
consumer.andThen(resources::add)
@ -692,28 +692,14 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
(revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer, consumer);
}
@Override
public List<Resource> findByOwner(ResourceServer resourceServer, String ownerId, Integer firstResult, Integer maxResults) {
return getResourceStoreDelegate().findByOwner(resourceServer, ownerId, firstResult, maxResults);
}
@Override
public List<Resource> findByUri(ResourceServer resourceServer, String uri) {
if (uri == null) return null;
String resourceServerId = resourceServer == null ? null : resourceServer.getId();
String cacheKey = getResourceByUriCacheKey(uri, resourceServerId);
return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByUri(resourceServer, uri),
(revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer);
}
@Override
public List<Resource> findByResourceServer(ResourceServer resourceServer) {
return getResourceStoreDelegate().findByResourceServer(resourceServer);
}
@Override
public List<Resource> findByResourceServer(ResourceServer resourceServer, Map<Resource.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
return getResourceStoreDelegate().findByResourceServer(resourceServer, attributes, firstResult, maxResults);
public List<Resource> find(RealmModel realm, ResourceServer resourceServer, Map<Resource.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
return getResourceStoreDelegate().find(realm, resourceServer, attributes, firstResult, maxResults);
}
@Override
@ -782,19 +768,6 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
(revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer, consumer);
}
@Override
public List<Resource> findByType(ResourceServer resourceServer, String type, String owner) {
if (resourceServer != null && resourceServer.getId().equals(owner)) {
return findByType(resourceServer, type);
} else {
if (type == null) return Collections.emptyList();
String resourceServerId = resourceServer == null ? null : resourceServer.getId();
String cacheKey = getResourceByTypeCacheKey(type, owner, resourceServerId);
return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByType(resourceServer, type, owner),
(revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer);
}
}
@Override
public void findByType(ResourceServer resourceServer, String type, String owner, Consumer<Resource> consumer) {
if (type == null) return;
@ -815,15 +788,6 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
(revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer, consumer);
}
@Override
public List<Resource> findByTypeInstance(ResourceServer resourceServer, String type) {
if (type == null) return Collections.emptyList();
String resourceServerId = resourceServer == null ? null : resourceServer.getId();
String cacheKey = getResourceByTypeInstanceCacheKey(type, resourceServerId);
return cacheQuery(cacheKey, ResourceListQuery.class, () -> getResourceStoreDelegate().findByTypeInstance(resourceServer, type),
(revision, resources) -> new ResourceListQuery(revision, cacheKey, resources.stream().map(Resource::getId).collect(Collectors.toSet()), resourceServerId), resourceServer);
}
@Override
public void findByTypeInstance(ResourceServer resourceServer, String type, Consumer<Resource> consumer) {
if (type == null) return;
@ -873,9 +837,9 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
Set<String> resources = query.getResources();
if (consumer != null) {
resources.stream().map(resourceId -> (R) findById(resourceServer, resourceId)).forEach(consumer);
resources.stream().map(resourceId -> (R) findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, resourceId)).forEach(consumer);
} else {
model = resources.stream().map(resourceId -> (R) findById(resourceServer, resourceId)).collect(Collectors.toList());
model = resources.stream().map(resourceId -> (R) findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, resourceId)).collect(Collectors.toList());
}
}
@ -891,18 +855,18 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
@Override
public Policy create(ResourceServer resourceServer, AbstractPolicyRepresentation representation) {
Policy policy = getPolicyStoreDelegate().create(resourceServer, representation);
Policy cached = findById(resourceServer, policy.getId());
Policy cached = findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, policy.getId());
registerPolicyInvalidation(policy.getId(), representation.getName(), representation.getResources(), representation.getScopes(), null, resourceServer.getId());
if (cached == null) {
cached = findById(resourceServer, policy.getId());
cached = findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, policy.getId());
}
return cached;
}
@Override
public void delete(String id) {
public void delete(RealmModel realm, String id) {
if (id == null) return;
Policy policy = findById(null, id);
Policy policy = findById(realm, null, id);
if (policy == null) return;
cache.invalidateObject(id);
@ -916,12 +880,12 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
Set<String> scopes = policy.getScopes().stream().map(Scope::getId).collect(Collectors.toSet());
invalidationEvents.add(PolicyRemovedEvent.create(id, policy.getName(), resources, resourceTypes, scopes, resourceServer.getId()));
cache.policyRemoval(id, policy.getName(), resources, resourceTypes, scopes, resourceServer.getId(), invalidations);
getPolicyStoreDelegate().delete(id);
getPolicyStoreDelegate().delete(realm, id);
}
@Override
public Policy findById(ResourceServer resourceServer, String id) {
public Policy findById(RealmModel realm, ResourceServer resourceServer, String id) {
if (id == null) return null;
CachedPolicy cached = cache.get(id, CachedPolicy.class);
@ -930,7 +894,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
}
if (cached == null) {
if (! modelMightExist(id)) return null;
Policy model = getPolicyStoreDelegate().findById(resourceServer, id);
Policy model = getPolicyStoreDelegate().findById(realm, resourceServer, id);
Long loaded = cache.getCurrentRevision(id);
if (model == null) {
setModelDoesNotExists(id, loaded);
@ -940,7 +904,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
cached = new CachedPolicy(loaded, model);
cache.addRevisioned(cached, startupRevision);
} else if (invalidations.contains(id)) {
return getPolicyStoreDelegate().findById(resourceServer, id);
return getPolicyStoreDelegate().findById(realm, resourceServer, id);
} else if (managedPolicies.containsKey(id)) {
return managedPolicies.get(id);
}
@ -977,8 +941,8 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
}
@Override
public List<Policy> findByResourceServer(ResourceServer resourceServer, Map<Policy.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
return getPolicyStoreDelegate().findByResourceServer(resourceServer, attributes, firstResult, maxResults);
public List<Policy> find(RealmModel realm, ResourceServer resourceServer, Map<Policy.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
return getPolicyStoreDelegate().find(realm, resourceServer, attributes, firstResult, maxResults);
}
@Override
@ -1122,10 +1086,10 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
if (consumer != null) {
for (String id : policies) {
consumer.accept((R) findById(resourceServer, id));
consumer.accept((R) findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, id));
}
} else {
model = policies.stream().map(resourceId -> (R) findById(resourceServer, resourceId))
model = policies.stream().map(resourceId -> (R) findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, resourceId))
.filter(Objects::nonNull).collect(Collectors.toList());
}
}
@ -1150,9 +1114,9 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
}
@Override
public void delete(String id) {
public void delete(RealmModel realm, String id) {
if (id == null) return;
PermissionTicket permission = findById(null, id);
PermissionTicket permission = findById(realm, null, id);
if (permission == null) return;
cache.invalidateObject(id);
@ -1162,13 +1126,13 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
}
invalidationEvents.add(PermissionTicketRemovedEvent.create(id, permission.getOwner(), permission.getRequester(), permission.getResource().getId(), permission.getResource().getName(), scopeId, permission.getResourceServer().getId()));
cache.permissionTicketRemoval(id, permission.getOwner(), permission.getRequester(), permission.getResource().getId(), permission.getResource().getName(),scopeId, permission.getResourceServer().getId(), invalidations);
getPermissionTicketStoreDelegate().delete(id);
getPermissionTicketStoreDelegate().delete(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, id);
UserManagedPermissionUtil.removePolicy(permission, StoreFactoryCacheSession.this);
}
@Override
public PermissionTicket findById(ResourceServer resourceServer, String id) {
public PermissionTicket findById(RealmModel realm, ResourceServer resourceServer, String id) {
if (id == null) return null;
CachedPermissionTicket cached = cache.get(id, CachedPermissionTicket.class);
@ -1178,7 +1142,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
if (cached == null) {
Long loaded = cache.getCurrentRevision(id);
if (! modelMightExist(id)) return null;
PermissionTicket model = getPermissionTicketStoreDelegate().findById(resourceServer, id);
PermissionTicket model = getPermissionTicketStoreDelegate().findById(realm, resourceServer, id);
if (model == null) {
setModelDoesNotExists(id, loaded);
return null;
@ -1187,7 +1151,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
cached = new CachedPermissionTicket(loaded, model);
cache.addRevisioned(cached, startupRevision);
} else if (invalidations.contains(id)) {
return getPermissionTicketStoreDelegate().findById(resourceServer, id);
return getPermissionTicketStoreDelegate().findById(realm, resourceServer, id);
} else if (managedPermissionTickets.containsKey(id)) {
return managedPermissionTickets.get(id);
}
@ -1196,11 +1160,6 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
return adapter;
}
@Override
public List<PermissionTicket> findByResourceServer(ResourceServer resourceServer) {
return getPermissionTicketStoreDelegate().findByResourceServer(resourceServer);
}
@Override
public List<PermissionTicket> findByResource(ResourceServer resourceServer, Resource resource) {
String resourceServerId = resourceServer == null ? null : resourceServer.getId();
@ -1218,8 +1177,8 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
}
@Override
public List<PermissionTicket> find(ResourceServer resourceServer, Map<PermissionTicket.FilterOption, String> attributes, Integer firstResult, Integer maxResult) {
return getPermissionTicketStoreDelegate().find(resourceServer, attributes, firstResult, maxResult);
public List<PermissionTicket> find(RealmModel realm, ResourceServer resourceServer, Map<PermissionTicket.FilterOption, String> attributes, Integer firstResult, Integer maxResult) {
return getPermissionTicketStoreDelegate().find(realm, resourceServer, attributes, firstResult, maxResult);
}
@Override
@ -1248,14 +1207,6 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
return getPermissionTicketStoreDelegate().findGrantedOwnerResources(realm, owner, firstResult, maxResults);
}
@Override
public List<PermissionTicket> findByOwner(ResourceServer resourceServer, String owner) {
String resourceServerId = resourceServer == null ? null : resourceServer.getId();
String cacheKey = getPermissionTicketByOwner(owner, resourceServerId);
return cacheQuery(cacheKey, PermissionTicketListQuery.class, () -> getPermissionTicketStoreDelegate().findByOwner(resourceServer, owner),
(revision, permissions) -> new PermissionTicketListQuery(revision, cacheKey, permissions.stream().map(PermissionTicket::getId).collect(Collectors.toSet()), resourceServerId), resourceServer);
}
private <R, Q extends PermissionTicketQuery> List<R> cacheQuery(String cacheKey, Class<Q> queryType, Supplier<List<R>> resultSupplier, BiFunction<Long, List<R>, Q> querySupplier, ResourceServer resourceServer) {
Q query = cache.get(cacheKey, queryType);
if (query != null) {
@ -1272,7 +1223,7 @@ public class StoreFactoryCacheSession implements CachedStoreFactoryProvider {
} else if (query.isInvalid(invalidations)) {
return resultSupplier.get();
} else {
return query.getPermissions().stream().map(resourceId -> (R) findById(resourceServer, resourceId)).collect(Collectors.toList());
return query.getPermissions().stream().map(resourceId -> (R) findById(InfinispanCacheStoreFactoryProviderFactory.NULL_REALM, resourceServer, resourceId)).collect(Collectors.toList());
}
}
}

12
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java
View file

@ -26,12 +26,24 @@ import org.keycloak.authorization.store.AuthorizationStoreFactory;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.connections.jpa.JpaConnectionProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import static org.keycloak.models.jpa.JpaRealmProviderFactory.PROVIDER_PRIORITY;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class JPAAuthorizationStoreFactory implements AuthorizationStoreFactory {
/**
* Legacy store doesn't store realm id for any entity and no method there is using new introduced RealmModel parameter.
* The parameter was introduced for usage only in the new storage. Therefore, in some cases we may break our rule specified in JavaDoc
* and use {@code null} value as parameter that otherwise cannot be {@code null}. We need to be careful and place such value only to a method call
* that cannot end up in the new store because it would end with {@link NullPointerException}. To mark all places where we do this,
* we use this variable so it is easily searchable.
*/
public static final RealmModel NULL_REALM = null;
@Override
public StoreFactory create(KeycloakSession session) {
AuthorizationProvider provider = session.getProvider(AuthorizationProvider.class);

63
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPermissionTicketStore.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2017 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -152,7 +152,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore {
}
@Override
public void delete(String id) {
public void delete(RealmModel realm, String id) {
PermissionTicketEntity policy = entityManager.find(PermissionTicketEntity.class, id, LockModeType.PESSIMISTIC_WRITE);
if (policy != null) {
this.entityManager.remove(policy);
@ -161,7 +161,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore {
@Override
public PermissionTicket findById(ResourceServer resourceServer, String id) {
public PermissionTicket findById(RealmModel realm, ResourceServer resourceServer, String id) {
if (id == null) {
return null;
}
@ -172,26 +172,6 @@ public class JPAPermissionTicketStore implements PermissionTicketStore {
return new PermissionTicketAdapter(entity, entityManager, provider.getStoreFactory());
}
@Override
public List<PermissionTicket> findByResourceServer(final ResourceServer resourceServer) {
TypedQuery<String> query = entityManager.createNamedQuery("findPolicyIdByServerId", String.class);
query.setParameter("serverId", resourceServer == null ? null : resourceServer.getId());
List<String> result = query.getResultList();
List<PermissionTicket> list = new LinkedList<>();
PermissionTicketStore ticketStore = provider.getStoreFactory().getPermissionTicketStore();
for (String id : result) {
PermissionTicket ticket = ticketStore.findById(resourceServer, id);
if (Objects.nonNull(ticket)) {
list.add(ticket);
}
}
return list;
}
@Override
public List<PermissionTicket> findByResource(ResourceServer resourceServer, final Resource resource) {
TypedQuery<String> query = entityManager.createNamedQuery("findPermissionIdByResource", String.class);
@ -205,7 +185,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore {
PermissionTicketStore ticketStore = provider.getStoreFactory().getPermissionTicketStore();
for (String id : result) {
PermissionTicket ticket = ticketStore.findById(resourceServer, id);
PermissionTicket ticket = ticketStore.findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, id);
if (Objects.nonNull(ticket)) {
list.add(ticket);
}
@ -232,7 +212,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore {
PermissionTicketStore ticketStore = provider.getStoreFactory().getPermissionTicketStore();
for (String id : result) {
PermissionTicket ticket = ticketStore.findById(resourceServer, id);
PermissionTicket ticket = ticketStore.findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, id);
if (Objects.nonNull(ticket)) {
list.add(ticket);
}
@ -242,7 +222,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore {
}
@Override
public List<PermissionTicket> find(ResourceServer resourceServer, Map<PermissionTicket.FilterOption, String> attributes, Integer firstResult, Integer maxResult) {
public List<PermissionTicket> find(RealmModel realm, ResourceServer resourceServer, Map<PermissionTicket.FilterOption, String> attributes, Integer firstResult, Integer maxResult) {
CriteriaBuilder builder = entityManager.getCriteriaBuilder();
CriteriaQuery<PermissionTicketEntity> querybuilder = builder.createQuery(PermissionTicketEntity.class);
Root<PermissionTicketEntity> root = querybuilder.from(PermissionTicketEntity.class);
@ -260,7 +240,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore {
PermissionTicketStore ticketStore = provider.getStoreFactory().getPermissionTicketStore();
for (String id : result) {
PermissionTicket ticket = ticketStore.findById(resourceServer, id);
PermissionTicket ticket = ticketStore.findById(realm, resourceServer, id);
if (Objects.nonNull(ticket)) {
list.add(ticket);
}
@ -276,7 +256,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore {
filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString());
filters.put(PermissionTicket.FilterOption.REQUESTER, userId);
return find(resourceServer, filters, null, null);
return find(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, filters, null, null);
}
@Override
@ -287,7 +267,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore {
filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString());
filters.put(PermissionTicket.FilterOption.REQUESTER, userId);
return find(resourceServer, filters, null, null);
return find(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, filters, null, null);
}
@Override
@ -308,7 +288,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore {
ResourceStore resourceStore = provider.getStoreFactory().getResourceStore();
for (String id : result) {
Resource resource = resourceStore.findById(null, id);
Resource resource = resourceStore.findById(realm, null, id);
if (Objects.nonNull(resource)) {
list.add(resource);
@ -330,7 +310,7 @@ public class JPAPermissionTicketStore implements PermissionTicketStore {
ResourceStore resourceStore = provider.getStoreFactory().getResourceStore();
for (String id : result) {
Resource resource = resourceStore.findById(null, id);
Resource resource = resourceStore.findById(realm, null, id);
if (Objects.nonNull(resource)) {
list.add(resource);
@ -340,25 +320,4 @@ public class JPAPermissionTicketStore implements PermissionTicketStore {
return list;
}
@Override
public List<PermissionTicket> findByOwner(ResourceServer resourceServer, String owner) {
TypedQuery<String> query = entityManager.createNamedQuery("findPolicyIdByType", String.class);
query.setFlushMode(FlushModeType.COMMIT);
query.setParameter("serverId", resourceServer == null ? null : resourceServer.getId());
query.setParameter("owner", owner);
List<String> result = query.getResultList();
List<PermissionTicket> list = new LinkedList<>();
PermissionTicketStore ticketStore = provider.getStoreFactory().getPermissionTicketStore();
for (String id : result) {
PermissionTicket ticket = ticketStore.findById(resourceServer, id);
if (Objects.nonNull(ticket)) {
list.add(ticket);
}
}
return list;
}
}

25
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -41,8 +40,10 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import javax.persistence.LockModeType;
@ -83,7 +84,7 @@ public class JPAPolicyStore implements PolicyStore {
}
@Override
public void delete(String id) {
public void delete(RealmModel realm, String id) {
PolicyEntity policy = entityManager.find(PolicyEntity.class, id, LockModeType.PESSIMISTIC_WRITE);
if (policy != null) {
this.entityManager.remove(policy);
@ -92,7 +93,7 @@ public class JPAPolicyStore implements PolicyStore {
@Override
public Policy findById(ResourceServer resourceServer, String id) {
public Policy findById(RealmModel realm, ResourceServer resourceServer, String id) {
if (id == null) {
return null;
}
@ -130,7 +131,7 @@ public class JPAPolicyStore implements PolicyStore {
List<String> result = query.getResultList();
List<Policy> list = new LinkedList<>();
for (String id : result) {
Policy policy = provider.getStoreFactory().getPolicyStore().findById(resourceServer, id);
Policy policy = provider.getStoreFactory().getPolicyStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, id);
if (Objects.nonNull(policy)) {
list.add(policy);
}
@ -139,7 +140,7 @@ public class JPAPolicyStore implements PolicyStore {
}
@Override
public List<Policy> findByResourceServer(ResourceServer resourceServer, Map<Policy.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
public List<Policy> find(RealmModel realm, ResourceServer resourceServer, Map<Policy.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
CriteriaBuilder builder = entityManager.getCriteriaBuilder();
CriteriaQuery<PolicyEntity> querybuilder = builder.createQuery(PolicyEntity.class);
Root<PolicyEntity> root = querybuilder.from(PolicyEntity.class);
@ -199,7 +200,7 @@ public class JPAPolicyStore implements PolicyStore {
List<String> result = paginateQuery(query, firstResult, maxResults).getResultList();
List<Policy> list = new LinkedList<>();
for (String id : result) {
Policy policy = provider.getStoreFactory().getPolicyStore().findById(resourceServer, id);
Policy policy = provider.getStoreFactory().getPolicyStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, id);
if (Objects.nonNull(policy)) {
list.add(policy);
}
@ -218,7 +219,7 @@ public class JPAPolicyStore implements PolicyStore {
PolicyStore storeFactory = provider.getStoreFactory().getPolicyStore();
closing(query.getResultStream()
.map(entity -> storeFactory.findById(resourceServer, entity.getId()))
.map(entity -> storeFactory.findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, entity.getId()))
.filter(Objects::nonNull))
.forEach(consumer::accept);
}
@ -254,7 +255,7 @@ public class JPAPolicyStore implements PolicyStore {
PolicyStore storeFactory = provider.getStoreFactory().getPolicyStore();
for (PolicyEntity entity : query.getResultList()) {
list.add(storeFactory.findById(resourceServer, entity.getId()));
list.add(storeFactory.findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, entity.getId()));
}
return list;
@ -295,7 +296,7 @@ public class JPAPolicyStore implements PolicyStore {
List<String> result = query.getResultList();
List<Policy> list = new LinkedList<>();
for (String id : result) {
Policy policy = provider.getStoreFactory().getPolicyStore().findById(resourceServer, id);
Policy policy = provider.getStoreFactory().getPolicyStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, id);
if (Objects.nonNull(policy)) {
list.add(policy);
}
@ -315,7 +316,7 @@ public class JPAPolicyStore implements PolicyStore {
List<String> result = query.getResultList();
List<Policy> list = new LinkedList<>();
for (String id : result) {
Policy policy = provider.getStoreFactory().getPolicyStore().findById(resourceServer, id);
Policy policy = provider.getStoreFactory().getPolicyStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, id);
if (Objects.nonNull(policy)) {
list.add(policy);
}

8
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceServerStore.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -24,6 +23,7 @@ import org.keycloak.authorization.jpa.entities.ResourceEntity;
import org.keycloak.authorization.jpa.entities.ResourceServerEntity;
import org.keycloak.authorization.jpa.entities.ScopeEntity;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.models.ModelException;
import org.keycloak.models.RealmModel;
@ -131,6 +131,6 @@ public class JPAResourceServerStore implements ResourceServerStore {
@Override
public ResourceServer findByClient(ClientModel client) {
return findById(null, client.getId());
return findById(JPAAuthorizationStoreFactory.NULL_REALM, client.getId());
}
}

53
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAResourceStore.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -22,8 +21,10 @@ import org.keycloak.authorization.jpa.entities.ResourceEntity;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import javax.persistence.EntityManager;
@ -80,7 +81,7 @@ public class JPAResourceStore implements ResourceStore {
}
@Override
public void delete(String id) {
public void delete(RealmModel realm, String id) {
ResourceEntity resource = entityManager.getReference(ResourceEntity.class, id);
if (resource == null) return;
@ -89,7 +90,7 @@ public class JPAResourceStore implements ResourceStore {
}
@Override
public Resource findById(ResourceServer resourceServer, String id) {
public Resource findById(RealmModel realm, ResourceServer resourceServer, String id) {
if (id == null) {
return null;
}
@ -100,19 +101,10 @@ public class JPAResourceStore implements ResourceStore {
}
@Override
public void findByOwner(ResourceServer resourceServer, String ownerId, Consumer<Resource> consumer) {
public void findByOwner(RealmModel realm, ResourceServer resourceServer, String ownerId, Consumer<Resource> consumer) {
findByOwnerFilter(ownerId, resourceServer, consumer, -1, -1);
}
@Override
public List<Resource> findByOwner(ResourceServer resourceServer, String ownerId, Integer firstResult, Integer maxResults) {
List<Resource> list = new LinkedList<>();
findByOwnerFilter(ownerId, resourceServer, list::add, firstResult, maxResults);
return list;
}
private void findByOwnerFilter(String ownerId, ResourceServer resourceServer, Consumer<Resource> consumer, int firstResult, int maxResult) {
boolean pagination = firstResult > -1 && maxResult > -1;
String queryName = pagination ? "findResourceIdByOwnerOrdered" : "findResourceIdByOwner";
@ -136,30 +128,7 @@ public class JPAResourceStore implements ResourceStore {
}
ResourceStore resourceStore = provider.getStoreFactory().getResourceStore();
closing(query.getResultStream().map(id -> resourceStore.findById(resourceServer, id.getId()))).forEach(consumer);
}
@Override
public List<Resource> findByUri(ResourceServer resourceServer, String uri) {
TypedQuery<String> query = entityManager.createNamedQuery("findResourceIdByUri", String.class);
query.setFlushMode(FlushModeType.COMMIT);
query.setParameter("uri", uri);
query.setParameter("serverId", resourceServer == null ? null : resourceServer.getId());
List<String> result = query.getResultList();
List<Resource> list = new LinkedList<>();
ResourceStore resourceStore = provider.getStoreFactory().getResourceStore();
for (String id : result) {
Resource resource = resourceStore.findById(resourceServer, id);
if (resource != null) {
list.add(resource);
}
}
return list;
closing(query.getResultStream().map(id -> resourceStore.findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, id.getId()))).forEach(consumer);
}
@Override
@ -173,7 +142,7 @@ public class JPAResourceStore implements ResourceStore {
ResourceStore resourceStore = provider.getStoreFactory().getResourceStore();
for (String id : result) {
Resource resource = resourceStore.findById(resourceServer, id);
Resource resource = resourceStore.findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, id);
if (resource != null) {
list.add(resource);
@ -184,7 +153,7 @@ public class JPAResourceStore implements ResourceStore {
}
@Override
public List<Resource> findByResourceServer(ResourceServer resourceServer, Map<Resource.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
public List<Resource> find(RealmModel realm, ResourceServer resourceServer, Map<Resource.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
CriteriaBuilder builder = entityManager.getCriteriaBuilder();
CriteriaQuery<ResourceEntity> querybuilder = builder.createQuery(ResourceEntity.class);
Root<ResourceEntity> root = querybuilder.from(ResourceEntity.class);
@ -237,7 +206,7 @@ public class JPAResourceStore implements ResourceStore {
ResourceStore resourceStore = provider.getStoreFactory().getResourceStore();
for (String id : result) {
Resource resource = resourceStore.findById(resourceServer, id);
Resource resource = resourceStore.findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, id);
if (resource != null) {
list.add(resource);

17
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAScopeStore.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -35,7 +34,9 @@ import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.jpa.entities.ScopeEntity;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import javax.persistence.LockModeType;
@ -79,7 +80,7 @@ public class JPAScopeStore implements ScopeStore {
}
@Override
public void delete(String id) {
public void delete(RealmModel realm, String id) {
ScopeEntity scope = entityManager.find(ScopeEntity.class, id, LockModeType.PESSIMISTIC_WRITE);
if (scope != null) {
@ -88,7 +89,7 @@ public class JPAScopeStore implements ScopeStore {
}
@Override
public Scope findById(ResourceServer resourceServer, String id) {
public Scope findById(RealmModel realm, ResourceServer resourceServer, String id) {
if (id == null) {
return null;
}
@ -109,7 +110,7 @@ public class JPAScopeStore implements ScopeStore {
query.setParameter("name", name);
String id = query.getSingleResult();
return provider.getStoreFactory().getScopeStore().findById(resourceServer, id);
return provider.getStoreFactory().getScopeStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, id);
} catch (NoResultException nre) {
return null;
}
@ -125,7 +126,7 @@ public class JPAScopeStore implements ScopeStore {
List<String> result = query.getResultList();
List<Scope> list = new LinkedList<>();
for (String id : result) {
list.add(provider.getStoreFactory().getScopeStore().findById(resourceServer, id));
list.add(provider.getStoreFactory().getScopeStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, id));
}
return list;
}
@ -160,7 +161,7 @@ public class JPAScopeStore implements ScopeStore {
List result = paginateQuery(query, firstResult, maxResults).getResultList();
List<Scope> list = new LinkedList<>();
for (Object id : result) {
list.add(provider.getStoreFactory().getScopeStore().findById(resourceServer, (String)id));
list.add(provider.getStoreFactory().getScopeStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, (String)id));
}
return list;

13
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/PermissionTicketAdapter.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2017 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -28,6 +28,7 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.jpa.JpaModel;
@ -90,7 +91,7 @@ public class PermissionTicketAdapter implements PermissionTicket, JpaModel<Permi
@Override
public ResourceServer getResourceServer() {
return storeFactory.getResourceServerStore().findById(null, entity.getResourceServer().getId());
return storeFactory.getResourceServerStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, entity.getResourceServer().getId());
}
@Override
@ -101,8 +102,8 @@ public class PermissionTicketAdapter implements PermissionTicket, JpaModel<Permi
return null;
}
ResourceServer resourceServer = storeFactory.getResourceServerStore().findById(null, entity.getResourceServer().getId());
return storeFactory.getPolicyStore().findById(resourceServer, policy.getId());
ResourceServer resourceServer = storeFactory.getResourceServerStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, entity.getResourceServer().getId());
return storeFactory.getPolicyStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, policy.getId());
}
@Override
@ -114,7 +115,7 @@ public class PermissionTicketAdapter implements PermissionTicket, JpaModel<Permi
@Override
public Resource getResource() {
return storeFactory.getResourceStore().findById(getResourceServer(), entity.getResource().getId());
return storeFactory.getResourceStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, getResourceServer(), entity.getResource().getId());
}
@Override
@ -125,7 +126,7 @@ public class PermissionTicketAdapter implements PermissionTicket, JpaModel<Permi
return null;
}
return storeFactory.getScopeStore().findById(getResourceServer(), scope.getId());
return storeFactory.getScopeStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, getResourceServer(), scope.getId());
}
@Override

9
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/PolicyAdapter.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -24,6 +24,7 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.jpa.JpaModel;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
@ -153,7 +154,7 @@ public class PolicyAdapter extends AbstractAuthorizationModel implements Policy,
@Override
public ResourceServer getResourceServer() {
return storeFactory.getResourceServerStore().findById(null, entity.getResourceServer().getId());
return storeFactory.getResourceServerStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, entity.getResourceServer().getId());
}
@Override
@ -170,7 +171,7 @@ public class PolicyAdapter extends AbstractAuthorizationModel implements Policy,
Set<Resource> set = new HashSet<>();
ResourceServer resourceServer = getResourceServer();
for (ResourceEntity res : entity.getResources()) {
set.add(storeFactory.getResourceStore().findById(resourceServer, res.getId()));
set.add(storeFactory.getResourceStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, res.getId()));
}
return Collections.unmodifiableSet(set);
}
@ -180,7 +181,7 @@ public class PolicyAdapter extends AbstractAuthorizationModel implements Policy,
Set<Scope> set = new HashSet<>();
ResourceServer resourceServer = getResourceServer();
for (ScopeEntity res : entity.getScopes()) {
set.add(storeFactory.getScopeStore().findById(resourceServer, res.getId()));
set.add(storeFactory.getScopeStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, res.getId()));
}
return Collections.unmodifiableSet(set);
}

7
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ResourceAdapter.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -23,6 +23,7 @@ import org.keycloak.authorization.model.AbstractAuthorizationModel;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.models.jpa.JpaModel;
@ -118,7 +119,7 @@ public class ResourceAdapter extends AbstractAuthorizationModel implements Resou
List<Scope> scopes = new LinkedList<>();
ResourceServer resourceServer = getResourceServer();
for (ScopeEntity scope : entity.getScopes()) {
scopes.add(storeFactory.getScopeStore().findById(resourceServer, scope.getId()));
scopes.add(storeFactory.getScopeStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, resourceServer, scope.getId()));
}
return Collections.unmodifiableList(scopes);
@ -138,7 +139,7 @@ public class ResourceAdapter extends AbstractAuthorizationModel implements Resou
@Override
public ResourceServer getResourceServer() {
return storeFactory.getResourceServerStore().findById(null, entity.getResourceServer());
return storeFactory.getResourceServerStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, entity.getResourceServer());
}
@Override

5
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/ScopeAdapter.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -20,6 +20,7 @@ import org.keycloak.authorization.jpa.entities.ScopeEntity;
import org.keycloak.authorization.model.AbstractAuthorizationModel;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.jpa.JpaModel;
@ -88,7 +89,7 @@ public class ScopeAdapter extends AbstractAuthorizationModel implements Scope, J
@Override
public ResourceServer getResourceServer() {
return storeFactory.getResourceServerStore().findById(null, entity.getResourceServer().getId());
return storeFactory.getResourceServerStore().findById(JPAAuthorizationStoreFactory.NULL_REALM, entity.getResourceServer().getId());
}
public static ScopeEntity toEntity(EntityManager em, Scope scope) {

91
model/map/src/main/java/org/keycloak/models/map/authorization/MapPermissionTicketStore.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -60,26 +60,20 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
private static final Logger LOG = Logger.getLogger(MapPermissionTicketStore.class);
private final AuthorizationProvider authorizationProvider;
final MapKeycloakTransaction<MapPermissionTicketEntity, PermissionTicket> tx;
private final KeycloakSession session;
public MapPermissionTicketStore(KeycloakSession session, MapStorage<MapPermissionTicketEntity, PermissionTicket> permissionTicketStore, AuthorizationProvider provider) {
this.authorizationProvider = provider;
this.tx = permissionTicketStore.createTransaction(session);
session.getTransactionManager().enlist(tx);
this.session = session;
}
private Function<MapPermissionTicketEntity, PermissionTicket> entityToAdapterFunc(ResourceServer resourceServer) {
return origEntity -> new MapPermissionTicketAdapter(resourceServer == null ? findResourceServer(origEntity) : resourceServer, origEntity, authorizationProvider.getStoreFactory());
private Function<MapPermissionTicketEntity, PermissionTicket> entityToAdapterFunc(RealmModel realm, ResourceServer resourceServer) {
return origEntity -> new MapPermissionTicketAdapter(realm, resourceServer, origEntity, authorizationProvider.getStoreFactory());
}
private ResourceServer findResourceServer(MapPermissionTicketEntity entity) {
RealmModel realm = session.realms().getRealm(entity.getRealmId());
return authorizationProvider.getStoreFactory().getResourceServerStore().findById(realm, entity.getResourceServerId());
}
private DefaultModelCriteria<PermissionTicket> forResourceServer(ResourceServer resourceServer) {
DefaultModelCriteria<PermissionTicket> mcb = criteria();
private DefaultModelCriteria<PermissionTicket> forRealmAndResourceServer(RealmModel realm, ResourceServer resourceServer) {
final DefaultModelCriteria<PermissionTicket> mcb = DefaultModelCriteria.<PermissionTicket>criteria()
.compare(PermissionTicket.SearchableFields.REALM_ID, Operator.EQ, realm.getId());
return resourceServer == null
? mcb
@ -89,7 +83,7 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
@Override
public long count(ResourceServer resourceServer, Map<PermissionTicket.FilterOption, String> attributes) {
DefaultModelCriteria<PermissionTicket> mcb = forResourceServer(resourceServer).and(
DefaultModelCriteria<PermissionTicket> mcb = forRealmAndResourceServer(resourceServer.getRealm(), resourceServer).and(
attributes.entrySet().stream()
.map(this::filterEntryToDefaultModelCriteria)
.toArray(DefaultModelCriteria[]::new)
@ -101,11 +95,13 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
@Override
public PermissionTicket create(ResourceServer resourceServer, Resource resource, Scope scope, String requester) {
LOG.tracef("create(%s, %s, %s, %s)%s", resource, scope, requester, resourceServer, getShortStackTrace());
RealmModel realm = resourceServer.getRealm();
String owner = authorizationProvider.getStoreFactory().getResourceStore().findById(realm, resourceServer, resource.getId()).getOwner();
String owner = authorizationProvider.getStoreFactory().getResourceStore().findById(resourceServer, resource.getId()).getOwner();
// @UniqueConstraint(columnNames = {"OWNER", "REQUESTER", "RESOURCE_SERVER_ID", "RESOURCE_ID", "SCOPE_ID"})
DefaultModelCriteria<PermissionTicket> mcb = forResourceServer(resourceServer)
DefaultModelCriteria<PermissionTicket> mcb = forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.OWNER, Operator.EQ, owner)
.compare(SearchableFields.RESOURCE_ID, Operator.EQ, resource.getId())
.compare(SearchableFields.REQUESTER, Operator.EQ, requester);
@ -130,18 +126,18 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
entity.setOwner(owner);
entity.setResourceServerId(resourceServer.getId());
entity.setRealmId(resourceServer.getRealm().getId());
entity.setRealmId(realm.getId());
entity = tx.create(entity);
return entity == null ? null : entityToAdapterFunc(resourceServer).apply(entity);
return entity == null ? null : entityToAdapterFunc(realm, resourceServer).apply(entity);
}
@Override
public void delete(String id) {
public void delete(RealmModel realm, String id) {
LOG.tracef("delete(%s)%s", id, getShortStackTrace());
PermissionTicket permissionTicket = findById((ResourceServer) null, id);
PermissionTicket permissionTicket = findById(realm, null, id);
if (permissionTicket == null) return;
tx.delete(id);
@ -149,42 +145,25 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
}
@Override
public PermissionTicket findById(ResourceServer resourceServer, String id) {
public PermissionTicket findById(RealmModel realm, ResourceServer resourceServer, String id) {
LOG.tracef("findById(%s, %s)%s", id, resourceServer, getShortStackTrace());
return tx.read(withCriteria(forResourceServer(resourceServer)
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.ID, Operator.EQ, id)))
.findFirst()
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.orElse(null);
}
@Override
public List<PermissionTicket> findByResourceServer(ResourceServer resourceServer) {
LOG.tracef("findByResourceServer(%s)%s", resourceServer, getShortStackTrace());
return tx.read(withCriteria(forResourceServer(resourceServer)))
.map(entityToAdapterFunc(resourceServer))
.collect(Collectors.toList());
}
@Override
public List<PermissionTicket> findByOwner(ResourceServer resourceServer, String owner) {
LOG.tracef("findByOwner(%s, %s)%s", owner, resourceServer, getShortStackTrace());
return tx.read(withCriteria(forResourceServer(resourceServer)
.compare(SearchableFields.OWNER, Operator.EQ, owner)))
.map(entityToAdapterFunc(resourceServer))
.collect(Collectors.toList());
}
@Override
public List<PermissionTicket> findByResource(ResourceServer resourceServer, Resource resource) {
LOG.tracef("findByResource(%s, %s)%s", resource, resourceServer, getShortStackTrace());
return tx.read(withCriteria(forResourceServer(resourceServer)
RealmModel realm = resourceServer.getRealm();
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.RESOURCE_ID, Operator.EQ, resource.getId())))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.collect(Collectors.toList());
}
@ -192,15 +171,17 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
public List<PermissionTicket> findByScope(ResourceServer resourceServer, Scope scope) {
LOG.tracef("findByScope(%s, %s)%s", scope, resourceServer, getShortStackTrace());
return tx.read(withCriteria(forResourceServer(resourceServer)
RealmModel realm = resourceServer.getRealm();
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.SCOPE_ID, Operator.EQ, scope.getId())))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.collect(Collectors.toList());
}
@Override
public List<PermissionTicket> find(ResourceServer resourceServer, Map<PermissionTicket.FilterOption, String> attributes, Integer firstResult, Integer maxResult) {
DefaultModelCriteria<PermissionTicket> mcb = forResourceServer(resourceServer);
public List<PermissionTicket> find(RealmModel realm, ResourceServer resourceServer, Map<PermissionTicket.FilterOption, String> attributes, Integer firstResult, Integer maxResult) {
DefaultModelCriteria<PermissionTicket> mcb = forRealmAndResourceServer(realm, resourceServer);
if (attributes.containsKey(PermissionTicket.FilterOption.RESOURCE_NAME)) {
String expectedResourceName = attributes.remove(PermissionTicket.FilterOption.RESOURCE_NAME);
@ -209,7 +190,7 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
filterOptionStringMap.put(Resource.FilterOption.EXACT_NAME, new String[]{expectedResourceName});
List<Resource> r = authorizationProvider.getStoreFactory().getResourceStore().findByResourceServer(resourceServer, filterOptionStringMap, null, null);
List<Resource> r = authorizationProvider.getStoreFactory().getResourceStore().find(realm, resourceServer, filterOptionStringMap, null, null);
if (r == null || r.isEmpty()) {
return Collections.emptyList();
}
@ -223,7 +204,7 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
);
return tx.read(withCriteria(mcb).pagination(firstResult, maxResult, SearchableFields.ID))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.collect(Collectors.toList());
}
@ -264,7 +245,7 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString());
filters.put(PermissionTicket.FilterOption.REQUESTER, userId);
return find(resourceServer, filters, null, null);
return find(resourceServer.getRealm(), resourceServer, filters, null, null);
}
@Override
@ -275,7 +256,7 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString());
filters.put(PermissionTicket.FilterOption.REQUESTER, userId);
return find(resourceServer, filters, null, null);
return find(resourceServer.getRealm(), resourceServer, filters, null, null);
}
@Override
@ -296,13 +277,13 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
filterOptionMap.put(Resource.FilterOption.ID, new String[] {ticket.getResourceId()});
filterOptionMap.put(Resource.FilterOption.NAME, new String[] {name});
List<Resource> resource = resourceStore.findByResourceServer(resourceServerStore.findById(realm, ticket.getResourceServerId()), filterOptionMap, -1, 1);
List<Resource> resource = resourceStore.find(realm, resourceServerStore.findById(realm, ticket.getResourceServerId()), filterOptionMap, -1, 1);
return resource.isEmpty() ? null : resource.get(0);
};
} else {
ticketResourceMapper = ticket -> resourceStore
.findById(resourceServerStore.findById(realm, ticket.getResourceServerId()), ticket.getResourceId());
.findById(realm, resourceServerStore.findById(realm, ticket.getResourceServerId()), ticket.getResourceId());
}
return paginatedStream(tx.read(withCriteria(mcb).orderBy(SearchableFields.RESOURCE_ID, ASCENDING))
@ -323,7 +304,7 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
return paginatedStream(tx.read(withCriteria(mcb).orderBy(SearchableFields.RESOURCE_ID, ASCENDING))
.filter(distinctByKey(MapPermissionTicketEntity::getResourceId)), firstResult, maxResults)
.map(ticket -> resourceStore.findById(resourceServerStore.findById(realm, ticket.getResourceServerId()), ticket.getResourceId()))
.map(ticket -> resourceStore.findById(realm, resourceServerStore.findById(realm, ticket.getResourceServerId()), ticket.getResourceId()))
.collect(Collectors.toList());
}
@ -339,6 +320,6 @@ public class MapPermissionTicketStore implements PermissionTicketStore {
public void preRemove(ResourceServer resourceServer) {
LOG.tracef("preRemove(%s)%s", resourceServer, getShortStackTrace());
tx.delete(withCriteria(forResourceServer(resourceServer)));
tx.delete(withCriteria(forRealmAndResourceServer(resourceServer.getRealm(), resourceServer)));
}
}

91
model/map/src/main/java/org/keycloak/models/map/authorization/MapPolicyStore.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -54,26 +54,20 @@ public class MapPolicyStore implements PolicyStore {
private static final Logger LOG = Logger.getLogger(MapPolicyStore.class);
private final AuthorizationProvider authorizationProvider;
final MapKeycloakTransaction<MapPolicyEntity, Policy> tx;
private final KeycloakSession session;
public MapPolicyStore(KeycloakSession session, MapStorage<MapPolicyEntity, Policy> policyStore, AuthorizationProvider provider) {
this.authorizationProvider = provider;
this.tx = policyStore.createTransaction(session);
session.getTransactionManager().enlist(tx);
this.session = session;
}
private Function<MapPolicyEntity, Policy> entityToAdapterFunc(ResourceServer resourceServer) {
return origEntity -> new MapPolicyAdapter(resourceServer == null ? findResourceServer(origEntity) : resourceServer, origEntity, authorizationProvider.getStoreFactory());
private Function<MapPolicyEntity, Policy> entityToAdapterFunc(RealmModel realm, ResourceServer resourceServer) {
return origEntity -> new MapPolicyAdapter(realm, resourceServer, origEntity, authorizationProvider.getStoreFactory());
}
private ResourceServer findResourceServer(MapPolicyEntity entity) {
RealmModel realm = session.realms().getRealm(entity.getRealmId());
return authorizationProvider.getStoreFactory().getResourceServerStore().findById(realm, entity.getResourceServerId());
}
private DefaultModelCriteria<Policy> forResourceServer(ResourceServer resourceServer) {
DefaultModelCriteria<Policy> mcb = criteria();
private DefaultModelCriteria<Policy> forRealmAndResourceServer(RealmModel realm, ResourceServer resourceServer) {
DefaultModelCriteria<Policy> mcb = DefaultModelCriteria.<Policy>criteria()
.compare(Policy.SearchableFields.REALM_ID, Operator.EQ, realm.getId());
return resourceServer == null
? mcb
@ -84,9 +78,10 @@ public class MapPolicyStore implements PolicyStore {
@Override
public Policy create(ResourceServer resourceServer, AbstractPolicyRepresentation representation) {
LOG.tracef("create(%s, %s, %s)%s", representation.getId(), resourceServer.getId(), resourceServer, getShortStackTrace());
RealmModel realm = resourceServer.getRealm();
// @UniqueConstraint(columnNames = {"NAME", "RESOURCE_SERVER_ID"})
DefaultModelCriteria<Policy> mcb = forResourceServer(resourceServer)
DefaultModelCriteria<Policy> mcb = forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.NAME, Operator.EQ, representation.getName());
if (tx.getCount(withCriteria(mcb)) > 0) {
@ -103,51 +98,57 @@ public class MapPolicyStore implements PolicyStore {
entity = tx.create(entity);
return entity == null ? null : entityToAdapterFunc(resourceServer).apply(entity);
return entity == null ? null : entityToAdapterFunc(realm, resourceServer).apply(entity);
}
@Override
public void delete(String id) {
public void delete(RealmModel realm, String id) {
LOG.tracef("delete(%s)%s", id, getShortStackTrace());
Policy policyEntity = findById(realm, null, id);
if (policyEntity == null) return;
tx.delete(id);
}
@Override
public Policy findById(ResourceServer resourceServer, String id) {
public Policy findById(RealmModel realm, ResourceServer resourceServer, String id) {
LOG.tracef("findById(%s, %s)%s", id, resourceServer, getShortStackTrace());
return tx.read(withCriteria(forResourceServer(resourceServer)
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.ID, Operator.EQ, id)))
.findFirst()
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.orElse(null);
}
@Override
public Policy findByName(ResourceServer resourceServer, String name) {
LOG.tracef("findByName(%s, %s)%s", name, resourceServer, getShortStackTrace());
RealmModel realm = resourceServer.getRealm();
return tx.read(withCriteria(forResourceServer(resourceServer)
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.NAME, Operator.EQ, name)))
.findFirst()
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.orElse(null);
}
@Override
public List<Policy> findByResourceServer(ResourceServer resourceServer) {
LOG.tracef("findByResourceServer(%s)%s", resourceServer, getShortStackTrace());
RealmModel realm = resourceServer.getRealm();
return tx.read(withCriteria(forResourceServer(resourceServer)))
.map(entityToAdapterFunc(resourceServer))
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)))
.map(entityToAdapterFunc(realm, resourceServer))
.collect(Collectors.toList());
}
@Override
public List<Policy> findByResourceServer(ResourceServer resourceServer, Map<Policy.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
public List<Policy> find(RealmModel realm, ResourceServer resourceServer, Map<Policy.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
LOG.tracef("findByResourceServer(%s, %s, %d, %d)%s", attributes, resourceServer, firstResult, maxResults, getShortStackTrace());
DefaultModelCriteria<Policy> mcb = forResourceServer(resourceServer).and(
DefaultModelCriteria<Policy> mcb = forRealmAndResourceServer(realm, resourceServer).and(
attributes.entrySet().stream()
.map(this::filterEntryToDefaultModelCriteria)
.filter(Objects::nonNull)
@ -161,7 +162,7 @@ public class MapPolicyStore implements PolicyStore {
return tx.read(withCriteria(mcb).pagination(firstResult, maxResults, SearchableFields.NAME))
.map(MapPolicyEntity::getId)
// We need to go through cache
.map(id -> authorizationProvider.getStoreFactory().getPolicyStore().findById(resourceServer, id))
.map(id -> authorizationProvider.getStoreFactory().getPolicyStore().findById(realm, resourceServer, id))
.collect(Collectors.toList());
}
@ -206,32 +207,40 @@ public class MapPolicyStore implements PolicyStore {
@Override
public void findByResource(ResourceServer resourceServer, Resource resource, Consumer<Policy> consumer) {
LOG.tracef("findByResource(%s, %s, %s)%s", resourceServer, resource, consumer, getShortStackTrace());
tx.read(withCriteria(forResourceServer(resourceServer)
RealmModel realm = resourceServer.getRealm();
tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.RESOURCE_ID, Operator.EQ, resource.getId())))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.forEach(consumer);
}
@Override
public void findByResourceType(ResourceServer resourceServer, String type, Consumer<Policy> policyConsumer) {
tx.read(withCriteria(forResourceServer(resourceServer)
LOG.tracef("findByResourceType(%s, %s)%s", resourceServer, type, getShortStackTrace());
RealmModel realm = resourceServer.getRealm();
tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.CONFIG, Operator.LIKE, (Object[]) new String[]{"defaultResourceType", type})))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.forEach(policyConsumer);
}
@Override
public List<Policy> findByScopes(ResourceServer resourceServer, List<Scope> scopes) {
return tx.read(withCriteria(forResourceServer(resourceServer)
LOG.tracef("findByScopes(%s, %s)%s", resourceServer, scopes, getShortStackTrace());
RealmModel realm = resourceServer.getRealm();
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.SCOPE_ID, Operator.IN, scopes.stream().map(Scope::getId))))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.collect(Collectors.toList());
}
@Override
public void findByScopes(ResourceServer resourceServer, Resource resource, List<Scope> scopes, Consumer<Policy> consumer) {
DefaultModelCriteria<Policy> mcb = forResourceServer(resourceServer)
LOG.tracef("findByResourceType(%s, %s, %s)%s", resourceServer, resource, scopes, getShortStackTrace());
RealmModel realm = resourceServer.getRealm();
DefaultModelCriteria<Policy> mcb = forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.TYPE, Operator.EQ, "scope")
.compare(SearchableFields.SCOPE_ID, Operator.IN, scopes.stream().map(Scope::getId));
@ -243,22 +252,26 @@ public class MapPolicyStore implements PolicyStore {
.compare(SearchableFields.CONFIG, Operator.NOT_EXISTS, (Object[]) new String[] {"defaultResourceType"});
}
tx.read(withCriteria(mcb)).map(entityToAdapterFunc(resourceServer)).forEach(consumer);
tx.read(withCriteria(mcb)).map(entityToAdapterFunc(realm, resourceServer)).forEach(consumer);
}
@Override
public List<Policy> findByType(ResourceServer resourceServer, String type) {
return tx.read(withCriteria(forResourceServer(resourceServer)
LOG.tracef("findByType(%s, %s)%s", resourceServer, type, getShortStackTrace());
RealmModel realm = resourceServer.getRealm();
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.TYPE, Operator.EQ, type)))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.collect(Collectors.toList());
}
@Override
public List<Policy> findDependentPolicies(ResourceServer resourceServer, String id) {
return tx.read(withCriteria(forResourceServer(resourceServer)
RealmModel realm = resourceServer.getRealm();
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.ASSOCIATED_POLICY_ID, Operator.EQ, id)))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.collect(Collectors.toList());
}
@ -274,6 +287,6 @@ public class MapPolicyStore implements PolicyStore {
public void preRemove(ResourceServer resourceServer) {
LOG.tracef("preRemove(%s)%s", resourceServer, getShortStackTrace());
tx.delete(withCriteria(forResourceServer(resourceServer)));
tx.delete(withCriteria(forRealmAndResourceServer(resourceServer.getRealm(), resourceServer)));
}
}

110
model/map/src/main/java/org/keycloak/models/map/authorization/MapResourceStore.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -36,7 +36,6 @@ import org.keycloak.models.map.storage.ModelCriteriaBuilder.Operator;
import org.keycloak.models.map.storage.criteria.DefaultModelCriteria;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
@ -62,17 +61,13 @@ public class MapResourceStore implements ResourceStore {
this.session = session;
}
private Function<MapResourceEntity, Resource> entityToAdapterFunc(final ResourceServer resourceServer) {
return origEntity -> new MapResourceAdapter(resourceServer == null ? findResourceServer(origEntity) : resourceServer, origEntity, authorizationProvider.getStoreFactory());
private Function<MapResourceEntity, Resource> entityToAdapterFunc(RealmModel realm, final ResourceServer resourceServer) {
return origEntity -> new MapResourceAdapter(realm, resourceServer, origEntity, authorizationProvider.getStoreFactory());
}
private ResourceServer findResourceServer(MapResourceEntity entity) {
RealmModel realm = session.realms().getRealm(entity.getRealmId());
return authorizationProvider.getStoreFactory().getResourceServerStore().findById(realm, entity.getResourceServerId());
}
private DefaultModelCriteria<Resource> forResourceServer(ResourceServer resourceServer) {
DefaultModelCriteria<Resource> mcb = criteria();
private DefaultModelCriteria<Resource> forRealmAndResourceServer(RealmModel realm, ResourceServer resourceServer) {
DefaultModelCriteria<Resource> mcb = DefaultModelCriteria.<Resource>criteria()
.compare(Resource.SearchableFields.REALM_ID, Operator.EQ, realm.getId());
return resourceServer == null
? mcb
@ -84,7 +79,9 @@ public class MapResourceStore implements ResourceStore {
public Resource create(ResourceServer resourceServer, String id, String name, String owner) {
LOG.tracef("create(%s, %s, %s, %s)%s", id, name, resourceServer, owner, getShortStackTrace());
// @UniqueConstraint(columnNames = {"NAME", "RESOURCE_SERVER_ID", "OWNER"})
DefaultModelCriteria<Resource> mcb = forResourceServer(resourceServer)
RealmModel realm = resourceServer.getRealm();
DefaultModelCriteria<Resource> mcb = forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.NAME, Operator.EQ, name)
.compare(SearchableFields.OWNER, Operator.EQ, owner);
@ -97,84 +94,64 @@ public class MapResourceStore implements ResourceStore {
entity.setName(name);
entity.setResourceServerId(resourceServer.getId());
entity.setOwner(owner);
entity.setRealmId(resourceServer.getRealm().getId());
entity.setRealmId(realm.getId());
entity = tx.create(entity);
return entity == null ? null : entityToAdapterFunc(resourceServer).apply(entity);
return entity == null ? null : entityToAdapterFunc(realm, resourceServer).apply(entity);
}
@Override
public void delete(String id) {
public void delete(RealmModel realm, String id) {
LOG.tracef("delete(%s)%s", id, getShortStackTrace());
Resource resource = findById(realm, null, id);
if (resource == null) return;
tx.delete(id);
}
@Override
public Resource findById(ResourceServer resourceServer, String id) {
public Resource findById(RealmModel realm, ResourceServer resourceServer, String id) {
LOG.tracef("findById(%s, %s)%s", id, resourceServer, getShortStackTrace());
return tx.read(withCriteria(forResourceServer(resourceServer)
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.ID, Operator.EQ, id)))
.findFirst()
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.orElse(null);
}
@Override
public void findByOwner(ResourceServer resourceServer, String ownerId, Consumer<Resource> consumer) {
findByOwnerFilter(ownerId, resourceServer, consumer, -1, -1);
}
public void findByOwner(RealmModel realm, ResourceServer resourceServer, String ownerId, Consumer<Resource> consumer) {
LOG.tracef("findByOwner(%s, %s, %s)%s", realm, resourceServer, resourceServer, ownerId, getShortStackTrace());
private void findByOwnerFilter(String ownerId, ResourceServer resourceServer, Consumer<Resource> consumer, int firstResult, int maxResult) {
LOG.tracef("findByOwnerFilter(%s, %s, %s, %d, %d)%s", ownerId, resourceServer, consumer, firstResult, maxResult, getShortStackTrace());
tx.read(withCriteria(forResourceServer(resourceServer).compare(SearchableFields.OWNER, Operator.EQ, ownerId))
.pagination(firstResult, maxResult, SearchableFields.ID)
).map(entityToAdapterFunc(resourceServer))
tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.OWNER, Operator.EQ, ownerId)))
.map(entityToAdapterFunc(realm, resourceServer))
.forEach(consumer);
}
@Override
public List<Resource> findByOwner(ResourceServer resourceServer, String ownerId, Integer firstResult, Integer maxResults) {
List<Resource> resourceList = new LinkedList<>();
findByOwnerFilter(ownerId, resourceServer, resourceList::add, firstResult, maxResults);
return resourceList;
}
@Override
public List<Resource> findByUri(ResourceServer resourceServer, String uri) {
LOG.tracef("findByUri(%s, %s)%s", uri, resourceServer, getShortStackTrace());
return tx.read(withCriteria(forResourceServer(resourceServer)
.compare(SearchableFields.URI, Operator.EQ, uri)))
.map(entityToAdapterFunc(resourceServer))
.collect(Collectors.toList());
}
@Override
public List<Resource> findByResourceServer(ResourceServer resourceServer) {
LOG.tracef("findByResourceServer(%s)%s", resourceServer, getShortStackTrace());
RealmModel realm = resourceServer.getRealm();
return tx.read(withCriteria(forResourceServer(resourceServer)))
.map(entityToAdapterFunc(resourceServer))
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)))
.map(entityToAdapterFunc(realm, resourceServer))
.collect(Collectors.toList());
}
@Override
public List<Resource> findByResourceServer(ResourceServer resourceServer, Map<Resource.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
LOG.tracef("findByResourceServer(%s, %s, %d, %d)%s", attributes, resourceServer, firstResult, maxResults, getShortStackTrace());
DefaultModelCriteria<Resource> mcb = forResourceServer(resourceServer).and(
public List<Resource> find(RealmModel realm, ResourceServer resourceServer, Map<Resource.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
LOG.tracef("findByResourceServer(%s, %s, %s, %d, %d)%s", realm, resourceServer, attributes, firstResult, maxResults, getShortStackTrace());
DefaultModelCriteria<Resource> mcb = forRealmAndResourceServer(realm, resourceServer).and(
attributes.entrySet().stream()
.map(this::filterEntryToDefaultModelCriteria)
.toArray(DefaultModelCriteria[]::new)
);
return tx.read(withCriteria(mcb).pagination(firstResult, maxResults, SearchableFields.NAME))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.collect(Collectors.toList());
}
@ -208,38 +185,44 @@ public class MapResourceStore implements ResourceStore {
@Override
public void findByScopes(ResourceServer resourceServer, Set<Scope> scopes, Consumer<Resource> consumer) {
LOG.tracef("findByScope(%s, %s, %s)%s", scopes, resourceServer, consumer, getShortStackTrace());
RealmModel realm = resourceServer.getRealm();
tx.read(withCriteria(forResourceServer(resourceServer)
tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.SCOPE_ID, Operator.IN, scopes.stream().map(Scope::getId))))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.forEach(consumer);
}
@Override
public Resource findByName(ResourceServer resourceServer, String name, String ownerId) {
LOG.tracef("findByName(%s, %s, %s)%s", name, ownerId, resourceServer, getShortStackTrace());
return tx.read(withCriteria(forResourceServer(resourceServer)
RealmModel realm = resourceServer.getRealm();
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.OWNER, Operator.EQ, ownerId)
.compare(SearchableFields.NAME, Operator.EQ, name)))
.findFirst()
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.orElse(null);
}
@Override
public void findByType(ResourceServer resourceServer, String type, Consumer<Resource> consumer) {
LOG.tracef("findByType(%s, %s, %s)%s", type, resourceServer, consumer, getShortStackTrace());
tx.read(withCriteria(forResourceServer(resourceServer)
RealmModel realm = authorizationProvider.getRealm();
tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.TYPE, Operator.EQ, type)))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.forEach(consumer);
}
@Override
public void findByType(ResourceServer resourceServer, String type, String owner, Consumer<Resource> consumer) {
LOG.tracef("findByType(%s, %s, %s, %s)%s", type, owner, resourceServer, consumer, getShortStackTrace());
RealmModel realm = resourceServer.getRealm();
DefaultModelCriteria<Resource> mcb = forResourceServer(resourceServer)
DefaultModelCriteria<Resource> mcb = forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.TYPE, Operator.EQ, type);
if (owner != null) {
@ -247,17 +230,18 @@ public class MapResourceStore implements ResourceStore {
}
tx.read(withCriteria(mcb))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.forEach(consumer);
}
@Override
public void findByTypeInstance(ResourceServer resourceServer, String type, Consumer<Resource> consumer) {
LOG.tracef("findByTypeInstance(%s, %s, %s)%s", type, resourceServer, consumer, getShortStackTrace());
tx.read(withCriteria(forResourceServer(resourceServer)
RealmModel realm = resourceServer.getRealm();
tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.OWNER, Operator.NE, resourceServer.getClientId())
.compare(SearchableFields.TYPE, Operator.EQ, type)))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.forEach(consumer);
}
@ -273,6 +257,6 @@ public class MapResourceStore implements ResourceStore {
public void preRemove(ResourceServer resourceServer) {
LOG.tracef("preRemove(%s)%s", resourceServer, getShortStackTrace());
tx.delete(withCriteria(forResourceServer(resourceServer)));
tx.delete(withCriteria(forRealmAndResourceServer(resourceServer.getRealm(), resourceServer)));
}
}

51
model/map/src/main/java/org/keycloak/models/map/authorization/MapScopeStore.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -58,17 +58,13 @@ public class MapScopeStore implements ScopeStore {
this.session = session;
}
private Function<MapScopeEntity, Scope> entityToAdapterFunc(ResourceServer resourceServer) {
return origEntity -> new MapScopeAdapter(resourceServer == null ? findResourceServer(origEntity) : resourceServer, origEntity, authorizationProvider.getStoreFactory());
private Function<MapScopeEntity, Scope> entityToAdapterFunc(RealmModel realm, ResourceServer resourceServer) {
return origEntity -> new MapScopeAdapter(realm, resourceServer, origEntity, authorizationProvider.getStoreFactory());
}
private ResourceServer findResourceServer(MapScopeEntity entity) {
RealmModel realm = session.realms().getRealm(entity.getRealmId());
return authorizationProvider.getStoreFactory().getResourceServerStore().findById(realm, entity.getResourceServerId());
}
private DefaultModelCriteria<Scope> forResourceServer(ResourceServer resourceServer) {
DefaultModelCriteria<Scope> mcb = criteria();
private DefaultModelCriteria<Scope> forRealmAndResourceServer(RealmModel realm, ResourceServer resourceServer) {
DefaultModelCriteria<Scope> mcb = DefaultModelCriteria.<Scope>criteria()
.compare(Scope.SearchableFields.REALM_ID, Operator.EQ, realm.getId());
return resourceServer == null
? mcb
@ -80,9 +76,9 @@ public class MapScopeStore implements ScopeStore {
public Scope create(ResourceServer resourceServer, String id, String name) {
LOG.tracef("create(%s, %s, %s)%s", id, name, resourceServer, getShortStackTrace());
RealmModel realm = resourceServer.getRealm();
// @UniqueConstraint(columnNames = {"NAME", "RESOURCE_SERVER_ID"})
DefaultModelCriteria<Scope> mcb = forResourceServer(resourceServer)
DefaultModelCriteria<Scope> mcb = forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.NAME, Operator.EQ, name);
if (tx.getCount(withCriteria(mcb)) > 0) {
@ -97,49 +93,54 @@ public class MapScopeStore implements ScopeStore {
entity = tx.create(entity);
return entity == null ? null : entityToAdapterFunc(resourceServer).apply(entity);
return entity == null ? null : entityToAdapterFunc(realm, resourceServer).apply(entity);
}
@Override
public void delete(String id) {
public void delete(RealmModel realm, String id) {
LOG.tracef("delete(%s)%s", id, getShortStackTrace());
Scope scope = findById(realm, null, id);
if (scope == null) return;
tx.delete(id);
}
@Override
public Scope findById(ResourceServer resourceServer, String id) {
public Scope findById(RealmModel realm, ResourceServer resourceServer, String id) {
LOG.tracef("findById(%s, %s)%s", id, resourceServer, getShortStackTrace());
return tx.read(withCriteria(forResourceServer(resourceServer)
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)
.compare(SearchableFields.ID, Operator.EQ, id)))
.findFirst()
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.orElse(null);
}
@Override
public Scope findByName(ResourceServer resourceServer, String name) {
LOG.tracef("findByName(%s, %s)%s", name, resourceServer, getShortStackTrace());
RealmModel realm = resourceServer.getRealm();
return tx.read(withCriteria(forResourceServer(resourceServer).compare(SearchableFields.NAME,
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer).compare(SearchableFields.NAME,
Operator.EQ, name)))
.findFirst()
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.orElse(null);
}
@Override
public List<Scope> findByResourceServer(ResourceServer resourceServer) {
LOG.tracef("findByResourceServer(%s)%s", resourceServer, getShortStackTrace());
return tx.read(withCriteria(forResourceServer(resourceServer)))
.map(entityToAdapterFunc(resourceServer))
RealmModel realm = resourceServer.getRealm();
return tx.read(withCriteria(forRealmAndResourceServer(realm, resourceServer)))
.map(entityToAdapterFunc(realm, resourceServer))
.collect(Collectors.toList());
}
@Override
public List<Scope> findByResourceServer(ResourceServer resourceServer, Map<Scope.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
DefaultModelCriteria<Scope> mcb = forResourceServer(resourceServer);
RealmModel realm = resourceServer.getRealm();
DefaultModelCriteria<Scope> mcb = forRealmAndResourceServer(realm, resourceServer);
for (Scope.FilterOption filterOption : attributes.keySet()) {
String[] value = attributes.get(filterOption);
@ -157,7 +158,7 @@ public class MapScopeStore implements ScopeStore {
}
return tx.read(withCriteria(mcb).pagination(firstResult, maxResults, SearchableFields.NAME))
.map(entityToAdapterFunc(resourceServer))
.map(entityToAdapterFunc(realm, resourceServer))
.collect(Collectors.toList());
}
@ -173,6 +174,6 @@ public class MapScopeStore implements ScopeStore {
public void preRemove(ResourceServer resourceServer) {
LOG.tracef("preRemove(%s)%s", resourceServer, getShortStackTrace());
tx.delete(withCriteria(forResourceServer(resourceServer)));
tx.delete(withCriteria(forRealmAndResourceServer(resourceServer.getRealm(), resourceServer)));
}
}

22
model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapPermissionTicketAdapter.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -26,16 +26,21 @@ import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.map.authorization.entity.MapPermissionTicketEntity;
import static org.keycloak.authorization.UserManagedPermissionUtil.updatePolicy;
public class MapPermissionTicketAdapter extends AbstractPermissionTicketModel<MapPermissionTicketEntity> {
private final ResourceServer resourceServer;
private final RealmModel realm;
private ResourceServer resourceServer;
public MapPermissionTicketAdapter(ResourceServer resourceServer, MapPermissionTicketEntity entity, StoreFactory storeFactory) {
public MapPermissionTicketAdapter(RealmModel realm, ResourceServer resourceServer, MapPermissionTicketEntity entity, StoreFactory storeFactory) {
super(entity, storeFactory);
Objects.requireNonNull(resourceServer);
Objects.requireNonNull(realm, "realm");
this.realm = realm;
this.resourceServer = resourceServer;
}
@ -56,13 +61,13 @@ public class MapPermissionTicketAdapter extends AbstractPermissionTicketModel<Ma
@Override
public Resource getResource() {
return storeFactory.getResourceStore().findById(resourceServer, entity.getResourceId());
return storeFactory.getResourceStore().findById(realm, getResourceServer(), entity.getResourceId());
}
@Override
public Scope getScope() {
if (entity.getScopeId() == null) return null;
return storeFactory.getScopeStore().findById(resourceServer, entity.getScopeId());
return storeFactory.getScopeStore().findById(realm, getResourceServer(), entity.getScopeId());
}
@Override
@ -88,13 +93,16 @@ public class MapPermissionTicketAdapter extends AbstractPermissionTicketModel<Ma
@Override
public ResourceServer getResourceServer() {
if (resourceServer == null) {
resourceServer = storeFactory.getResourceServerStore().findById(realm, entity.getResourceServerId());
}
return resourceServer;
}
@Override
public Policy getPolicy() {
if (entity.getPolicyId() == null) return null;
return storeFactory.getPolicyStore().findById(resourceServer, entity.getPolicyId());
return storeFactory.getPolicyStore().findById(realm, getResourceServer(), entity.getPolicyId());
}
@Override

21
model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapPolicyAdapter.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -22,6 +22,7 @@ import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.map.authorization.entity.MapPolicyEntity;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
@ -34,11 +35,13 @@ import java.util.stream.Collectors;
public class MapPolicyAdapter extends AbstractPolicyModel<MapPolicyEntity> {
private final ResourceServer resourceServer;
private final RealmModel realm;
private ResourceServer resourceServer;
public MapPolicyAdapter(ResourceServer resourceServer, MapPolicyEntity entity, StoreFactory storeFactory) {
public MapPolicyAdapter(RealmModel realm, ResourceServer resourceServer, MapPolicyEntity entity, StoreFactory storeFactory) {
super(entity, storeFactory);
Objects.requireNonNull(resourceServer);
Objects.requireNonNull(realm);
this.realm = realm;
this.resourceServer = resourceServer;
}
@ -124,14 +127,18 @@ public class MapPolicyAdapter extends AbstractPolicyModel<MapPolicyEntity> {
@Override
public ResourceServer getResourceServer() {
if (resourceServer == null) {
resourceServer = storeFactory.getResourceServerStore().findById(realm, entity.getResourceServerId());
}
return resourceServer;
}
@Override
public Set<Policy> getAssociatedPolicies() {
Set<String> ids = entity.getAssociatedPolicyIds();
ResourceServer resourceServer = getResourceServer();
return ids == null ? Collections.emptySet() : ids.stream()
.map(policyId -> storeFactory.getPolicyStore().findById(resourceServer, policyId))
.map(policyId -> storeFactory.getPolicyStore().findById(realm, resourceServer, policyId))
.collect(Collectors.toSet());
}
@ -139,7 +146,7 @@ public class MapPolicyAdapter extends AbstractPolicyModel<MapPolicyEntity> {
public Set<Resource> getResources() {
Set<String> ids = entity.getResourceIds();
return ids == null ? Collections.emptySet() : ids.stream()
.map(resourceId -> storeFactory.getResourceStore().findById(resourceServer, resourceId))
.map(resourceId -> storeFactory.getResourceStore().findById(realm, getResourceServer(), resourceId))
.collect(Collectors.toSet());
}
@ -147,7 +154,7 @@ public class MapPolicyAdapter extends AbstractPolicyModel<MapPolicyEntity> {
public Set<Scope> getScopes() {
Set<String> ids = entity.getScopeIds();
return ids == null ? Collections.emptySet() : ids.stream()
.map(scopeId -> storeFactory.getScopeStore().findById(resourceServer, scopeId))
.map(scopeId -> storeFactory.getScopeStore().findById(realm, getResourceServer(), scopeId))
.collect(Collectors.toSet());
}

22
model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapResourceAdapter.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -24,6 +24,7 @@ import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.map.authorization.entity.MapResourceEntity;
import java.util.Collections;
import java.util.HashMap;
@ -35,11 +36,13 @@ import java.util.stream.Collectors;
public class MapResourceAdapter extends AbstractResourceModel<MapResourceEntity> {
private final ResourceServer resourceServer;
private final RealmModel realm;
private ResourceServer resourceServer;
public MapResourceAdapter(ResourceServer resourceServer, MapResourceEntity entity, StoreFactory storeFactory) {
public MapResourceAdapter(RealmModel realm, ResourceServer resourceServer, MapResourceEntity entity, StoreFactory storeFactory) {
super(entity, storeFactory);
Objects.requireNonNull(resourceServer);
Objects.requireNonNull(realm);
this.realm = realm;
this.resourceServer = resourceServer;
}
@ -99,7 +102,7 @@ public class MapResourceAdapter extends AbstractResourceModel<MapResourceEntity>
ResourceServer resourceServer = getResourceServer();
return ids == null ? Collections.emptyList() : ids.stream()
.map(id -> storeFactory
.getScopeStore().findById(resourceServer, id))
.getScopeStore().findById(realm, resourceServer, id))
.collect(Collectors.toList());
}
@ -116,6 +119,9 @@ public class MapResourceAdapter extends AbstractResourceModel<MapResourceEntity>
@Override
public ResourceServer getResourceServer() {
if (resourceServer == null) {
resourceServer = storeFactory.getResourceServerStore().findById(realm, entity.getResourceServerId());
}
return resourceServer;
}
@ -148,13 +154,13 @@ public class MapResourceAdapter extends AbstractResourceModel<MapResourceEntity>
// The scope^ was removed from the Resource
// Remove permission tickets based on the scope
List<PermissionTicket> permissions = permissionStore.findByScope(resourceServer, scope);
List<PermissionTicket> permissions = permissionStore.findByScope(getResourceServer(), scope);
for (PermissionTicket permission : permissions) {
permissionStore.delete(permission.getId());
permissionStore.delete(realm, permission.getId());
}
// Remove the scope from each Policy for this Resource
policyStore.findByResource(resourceServer, this, policy -> policy.removeScope(scope));
policyStore.findByResource(getResourceServer(), this, policy -> policy.removeScope(scope));
}
}

14
model/map/src/main/java/org/keycloak/models/map/authorization/adapter/MapScopeAdapter.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2021 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -21,15 +21,18 @@ package org.keycloak.models.map.authorization.adapter;
import java.util.Objects;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.map.authorization.entity.MapScopeEntity;
public class MapScopeAdapter extends AbstractScopeModel<MapScopeEntity> {
private final ResourceServer resourceServer;
private final RealmModel realm;
private ResourceServer resourceServer;
public MapScopeAdapter(ResourceServer resourceServer, MapScopeEntity entity, StoreFactory storeFactory) {
public MapScopeAdapter(RealmModel realm, ResourceServer resourceServer, MapScopeEntity entity, StoreFactory storeFactory) {
super(entity, storeFactory);
Objects.requireNonNull(resourceServer);
Objects.requireNonNull(realm);
this.realm = realm;
this.resourceServer = resourceServer;
}
@ -73,6 +76,9 @@ public class MapScopeAdapter extends AbstractScopeModel<MapScopeEntity> {
@Override
public ResourceServer getResourceServer() {
if (resourceServer == null) {
resourceServer = storeFactory.getResourceServerStore().findById(realm, entity.getResourceServerId());
}
return resourceServer;
}

4
model/map/src/main/java/org/keycloak/models/map/user/MapUserProvider.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2020 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -686,7 +686,7 @@ public class MapUserProvider implements UserProvider.Streams, UserCredentialStor
authorizedGroups.removeIf(id -> {
Map<Resource.FilterOption, String[]> values = new EnumMap<>(Resource.FilterOption.class);
values.put(Resource.FilterOption.EXACT_NAME, new String[] {"group.resource." + id});
return resourceStore.findByResourceServer(null, values, 0, 1).isEmpty();
return resourceStore.find(realm, null, values, 0, 1).isEmpty();
});
criteria = criteria.compare(SearchableFields.ASSIGNED_GROUP, Operator.IN, authorizedGroups);

88
server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -251,21 +250,21 @@ public final class AuthorizationProvider implements Provider {
}
@Override
public void delete(String id) {
Scope scope = findById(null, id);
public void delete(RealmModel realm, String id) {
Scope scope = findById(realm, null, id);
PermissionTicketStore ticketStore = AuthorizationProvider.this.getStoreFactory().getPermissionTicketStore();
List<PermissionTicket> permissions = ticketStore.findByScope(scope.getResourceServer(), scope);
for (PermissionTicket permission : permissions) {
ticketStore.delete(permission.getId());
ticketStore.delete(realm, permission.getId());
}
delegate.delete(id);
delegate.delete(realm, id);
}
@Override
public Scope findById(ResourceServer resourceServer, String id) {
return delegate.findById(resourceServer, id);
public Scope findById(RealmModel realm, ResourceServer resourceServer, String id) {
return delegate.findById(realm, resourceServer, id);
}
@Override
@ -293,10 +292,11 @@ public final class AuthorizationProvider implements Provider {
@Override
public Policy create(ResourceServer resourceServer, AbstractPolicyRepresentation representation) {
Set<String> resources = representation.getResources();
RealmModel realm = resourceServer.getRealm();
if (resources != null) {
representation.setResources(resources.stream().map(id -> {
Resource resource = storeFactory.getResourceStore().findById(resourceServer, id);
Resource resource = storeFactory.getResourceStore().findById(realm, resourceServer, id);
if (resource == null) {
resource = storeFactory.getResourceStore().findByName(resourceServer, id);
@ -314,7 +314,7 @@ public final class AuthorizationProvider implements Provider {
if (scopes != null) {
representation.setScopes(scopes.stream().map(id -> {
Scope scope = storeFactory.getScopeStore().findById(resourceServer, id);
Scope scope = storeFactory.getScopeStore().findById(realm, resourceServer, id);
if (scope == null) {
scope = storeFactory.getScopeStore().findByName(resourceServer, id);
@ -333,7 +333,7 @@ public final class AuthorizationProvider implements Provider {
if (policies != null) {
representation.setPolicies(policies.stream().map(id -> {
Policy policy = storeFactory.getPolicyStore().findById(resourceServer, id);
Policy policy = storeFactory.getPolicyStore().findById(realm, resourceServer, id);
if (policy == null) {
policy = storeFactory.getPolicyStore().findByName(resourceServer, id);
@ -351,8 +351,8 @@ public final class AuthorizationProvider implements Provider {
}
@Override
public void delete(String id) {
Policy policy = findById(null, id);
public void delete(RealmModel realm, String id) {
Policy policy = findById(realm, null, id);
if (policy != null) {
ResourceServer resourceServer = policy.getResourceServer();
@ -363,7 +363,7 @@ public final class AuthorizationProvider implements Provider {
// only remove associated policies created from the policy being deleted
if (associatedPolicy.getOwner() != null) {
policy.removeAssociatedPolicy(associatedPolicy);
policyStore.delete(associatedPolicy.getId());
policyStore.delete(realm, associatedPolicy.getId());
}
}
}
@ -371,17 +371,17 @@ public final class AuthorizationProvider implements Provider {
findDependentPolicies(resourceServer, policy.getId()).forEach(dependentPolicy -> {
dependentPolicy.removeAssociatedPolicy(policy);
if (dependentPolicy.getAssociatedPolicies().isEmpty()) {
delete(dependentPolicy.getId());
delete(realm, dependentPolicy.getId());
}
});
policyStore.delete(id);
policyStore.delete(realm, id);
}
}
@Override
public Policy findById(ResourceServer resourceServer, String id) {
return policyStore.findById(resourceServer, id);
public Policy findById(RealmModel realm, ResourceServer resourceServer, String id) {
return policyStore.findById(realm, resourceServer, id);
}
@Override
@ -395,8 +395,8 @@ public final class AuthorizationProvider implements Provider {
}
@Override
public List<Policy> findByResourceServer(ResourceServer resourceServer, Map<Policy.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
return policyStore.findByResourceServer(resourceServer, attributes, firstResult, maxResults);
public List<Policy> find(RealmModel realm, ResourceServer resourceServer, Map<Policy.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
return policyStore.find(realm, resourceServer, attributes, firstResult, maxResults);
}
@Override
@ -461,14 +461,14 @@ public final class AuthorizationProvider implements Provider {
}
@Override
public void delete(String id) {
Resource resource = findById(null, id);
public void delete(RealmModel realm, String id) {
Resource resource = findById(realm, null, id);
StoreFactory storeFactory = AuthorizationProvider.this.getStoreFactory();
PermissionTicketStore ticketStore = storeFactory.getPermissionTicketStore();
List<PermissionTicket> permissions = ticketStore.findByResource(resource.getResourceServer(), resource);
for (PermissionTicket permission : permissions) {
ticketStore.delete(permission.getId());
ticketStore.delete(realm, permission.getId());
}
PolicyStore policyStore = storeFactory.getPolicyStore();
@ -476,38 +476,28 @@ public final class AuthorizationProvider implements Provider {
for (Policy policyModel : policies) {
if (policyModel.getResources().size() == 1) {
policyStore.delete(policyModel.getId());
policyStore.delete(realm, policyModel.getId());
} else {
policyModel.removeResource(resource);
}
}
delegate.delete(id);
delegate.delete(realm, id);
}
@Override
public Resource findById(ResourceServer resourceServer, String id) {
return delegate.findById(resourceServer, id);
public Resource findById(RealmModel realm, ResourceServer resourceServer, String id) {
return delegate.findById(realm, resourceServer, id);
}
@Override
public List<Resource> findByOwner(ResourceServer resourceServer, String ownerId) {
return delegate.findByOwner(resourceServer, ownerId);
public List<Resource> findByOwner(RealmModel realm, ResourceServer resourceServer, String ownerId) {
return delegate.findByOwner(realm, resourceServer, ownerId);
}
@Override
public void findByOwner(ResourceServer resourceServer, String ownerId, Consumer<Resource> consumer) {
delegate.findByOwner(resourceServer, ownerId, consumer);
}
@Override
public List<Resource> findByOwner(ResourceServer resourceServer, String ownerId, Integer firstResult, Integer maxResults) {
return delegate.findByOwner(resourceServer, ownerId, firstResult, maxResults);
}
@Override
public List<Resource> findByUri(ResourceServer resourceServer, String uri) {
return delegate.findByUri(resourceServer, uri);
public void findByOwner(RealmModel realm, ResourceServer resourceServer, String ownerId, Consumer<Resource> consumer) {
delegate.findByOwner(realm, resourceServer, ownerId, consumer);
}
@Override
@ -516,8 +506,8 @@ public final class AuthorizationProvider implements Provider {
}
@Override
public List<Resource> findByResourceServer(ResourceServer resourceServer, Map<Resource.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
return delegate.findByResourceServer(resourceServer, attributes, firstResult, maxResults);
public List<Resource> find(RealmModel realm, ResourceServer resourceServer, Map<Resource.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
return delegate.find(realm, resourceServer, attributes, firstResult, maxResults);
}
@Override
@ -550,16 +540,6 @@ public final class AuthorizationProvider implements Provider {
delegate.findByType(resourceServer, type, owner, consumer);
}
@Override
public List<Resource> findByType(ResourceServer resourceServer, String type, String owner) {
return delegate.findByType(resourceServer, type);
}
@Override
public List<Resource> findByTypeInstance(ResourceServer resourceServer, String type) {
return delegate.findByTypeInstance(resourceServer, type);
}
@Override
public void findByTypeInstance(ResourceServer resourceServer, String type, Consumer<Resource> consumer) {
delegate.findByTypeInstance(resourceServer, type, consumer);

14
server-spi-private/src/main/java/org/keycloak/authorization/UserManagedPermissionUtil.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2018 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -22,9 +22,11 @@ import java.util.Map;
import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
@ -37,6 +39,7 @@ public class UserManagedPermissionUtil {
public static void updatePolicy(PermissionTicket ticket, StoreFactory storeFactory) {
Scope scope = ticket.getScope();
Policy policy = ticket.getPolicy();
ResourceServer resourceServer = ticket.getResourceServer();
if (policy == null) {
Map<PermissionTicket.FilterOption, String> filter = new EnumMap<>(PermissionTicket.FilterOption.class);
@ -46,7 +49,7 @@ public class UserManagedPermissionUtil {
filter.put(PermissionTicket.FilterOption.RESOURCE_ID, ticket.getResource().getId());
filter.put(PermissionTicket.FilterOption.POLICY_IS_NOT_NULL, Boolean.TRUE.toString());
List<PermissionTicket> tickets = storeFactory.getPermissionTicketStore().find(ticket.getResourceServer(), filter, null, null);
List<PermissionTicket> tickets = storeFactory.getPermissionTicketStore().find(resourceServer.getRealm(), resourceServer, filter, null, null);
if (!tickets.isEmpty()) {
policy = tickets.iterator().next().getPolicy();
@ -71,6 +74,7 @@ public class UserManagedPermissionUtil {
public static void removePolicy(PermissionTicket ticket, StoreFactory storeFactory) {
Policy policy = ticket.getPolicy();
RealmModel realm = ticket.getResourceServer().getRealm();
if (policy != null) {
Map<PermissionTicket.FilterOption, String> filter = new EnumMap<>(PermissionTicket.FilterOption.class);
@ -80,16 +84,16 @@ public class UserManagedPermissionUtil {
filter.put(PermissionTicket.FilterOption.RESOURCE_ID, ticket.getResource().getId());
filter.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString());
List<PermissionTicket> tickets = storeFactory.getPermissionTicketStore().find(ticket.getResourceServer(), filter, null, null);
List<PermissionTicket> tickets = storeFactory.getPermissionTicketStore().find(realm, ticket.getResourceServer(), filter, null, null);
if (tickets.isEmpty()) {
PolicyStore policyStore = storeFactory.getPolicyStore();
for (Policy associatedPolicy : policy.getAssociatedPolicies()) {
policyStore.delete(associatedPolicy.getId());
policyStore.delete(realm, associatedPolicy.getId());
}
policyStore.delete(policy.getId());
policyStore.delete(realm, policy.getId());
} else if (ticket.getScope() != null) {
policy.removeScope(ticket.getScope());
}

9
server-spi-private/src/main/java/org/keycloak/authorization/permission/Permissions.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -74,7 +73,7 @@ public final class Permissions {
}
// obtain all resources where owner is the resource server
resourceStore.findByOwner(resourceServer, resourceServer.getClientId(), resource -> {
resourceStore.findByOwner(resourceServer.getRealm(), resourceServer, resourceServer.getClientId(), resource -> {
if (limit.decrementAndGet() >= 0) {
evaluator.accept(createResourcePermissions(resource, resourceServer, resource.getScopes(), authorization, request));
}
@ -83,7 +82,7 @@ public final class Permissions {
// resource server isn't current user
if (!Objects.equals(resourceServer.getClientId(), identity.getId())) {
// obtain all resources where owner is the current user
resourceStore.findByOwner(resourceServer, identity.getId(), resource -> {
resourceStore.findByOwner(resourceServer.getRealm(), resourceServer, identity.getId(), resource -> {
if (limit.decrementAndGet() >= 0) {
evaluator.accept(createResourcePermissions(resource, resourceServer, resource.getScopes(), authorization, request));
}

12
server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/PermissionTicketAwareDecisionResultCollector.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2017 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -32,6 +32,7 @@ import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionTicketToken;
@ -90,10 +91,11 @@ public class PermissionTicketAwareDecisionResultCollector extends DecisionPermis
StoreFactory storeFactory = authorization.getStoreFactory();
ResourceStore resourceStore = storeFactory.getResourceStore();
List<Permission> permissions = ticket.getPermissions();
RealmModel realm = resourceServer.getRealm();
if (permissions != null) {
for (Permission permission : permissions) {
Resource resource = resourceStore.findById(resourceServer, permission.getResourceId());
Resource resource = resourceStore.findById(realm, resourceServer, permission.getResourceId());
if (resource == null) {
resource = resourceStore.findByName(resourceServer, permission.getResourceId(), identity.getId());
@ -116,7 +118,7 @@ public class PermissionTicketAwareDecisionResultCollector extends DecisionPermis
filters.put(PermissionTicket.FilterOption.REQUESTER, identity.getId());
filters.put(PermissionTicket.FilterOption.SCOPE_IS_NULL, Boolean.TRUE.toString());
List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(resource.getResourceServer(), filters, null, null);
List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(realm, resourceServer, filters, null, null);
if (tickets.isEmpty()) {
authorization.getStoreFactory().getPermissionTicketStore().create(resourceServer, resource, null, identity.getId());
@ -128,7 +130,7 @@ public class PermissionTicketAwareDecisionResultCollector extends DecisionPermis
Scope scope = scopeStore.findByName(resourceServer, scopeId);
if (scope == null) {
scope = scopeStore.findById(resourceServer, scopeId);
scope = scopeStore.findById(realm, resourceServer, scopeId);
}
Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
@ -137,7 +139,7 @@ public class PermissionTicketAwareDecisionResultCollector extends DecisionPermis
filters.put(PermissionTicket.FilterOption.REQUESTER, identity.getId());
filters.put(PermissionTicket.FilterOption.SCOPE_ID, scope.getId());
List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(resource.getResourceServer(), filters, null, null);
List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(realm, resourceServer, filters, null, null);
if (tickets.isEmpty()) {
authorization.getStoreFactory().getPermissionTicketStore().create(resourceServer, resource, scope, identity.getId());

64
server-spi-private/src/main/java/org/keycloak/authorization/store/PermissionTicketStore.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2017 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -36,7 +36,8 @@ public interface PermissionTicketStore {
/**
* Returns count of {@link PermissionTicket}, filtered by the given attributes.
*
* @param resourceServer the resource server
*
* @param resourceServer the resource server. Cannot be {@code null}.
* @param attributes permission tickets that do not match the attributes are not included with the count; possible filter options are given by {@link PermissionTicket.FilterOption}
* @return an integer indicating the amount of permission tickets
* @throws IllegalArgumentException when there is an unknown attribute in the {@code attributes} map
@ -46,10 +47,10 @@ public interface PermissionTicketStore {
/**
* Creates a new {@link PermissionTicket} instance.
*
* @param resourceServer the resource server to which this policy belongs
* @param resource resource id
* @param scope scope id
* @param requester the policy representation
* @param resourceServer the resource server to which this permission ticket belongs. Cannot be {@code null}.
* @param resource resource. Cannot be {@code null}.
* @param scope scope. Cannot be {@code null}
* @param requester requester of the permission
* @return a new instance of {@link PermissionTicket}
*/
PermissionTicket create(ResourceServer resourceServer, Resource resource, Scope scope, String requester);
@ -57,61 +58,48 @@ public interface PermissionTicketStore {
/**
* Deletes a permission from the underlying persistence mechanism.
*
* @param realm realm. Cannot be {@code null}.
* @param id the id of the policy to delete
*/
void delete(String id);
void delete(RealmModel realm, String id);
/**
* Returns a {@link PermissionTicket} with the given <code>id</code>
*
* @param resourceServer the resource server
*
*
* @param realm the realm. Cannot be {@code null}.
* @param resourceServer the resource server. Ignored if {@code null}.
* @param id the identifier of the permission
* @return a permission with the given identifier.
*/
PermissionTicket findById(ResourceServer resourceServer, String id);
/**
* Returns a list of {@link PermissionTicket} associated with a {@link ResourceServer}.
*
* @param resourceServer the resource server
* @return a list of permissions belonging to the given resource server
*/
List<PermissionTicket> findByResourceServer(ResourceServer resourceServer);
/**
* Returns a list of {@link PermissionTicket} associated with the given <code>owner</code>.
*
* @param resourceServer the resource server
* @param owner the identifier of a resource server
* @return a list of permissions belonging to the given owner
*/
List<PermissionTicket> findByOwner(ResourceServer resourceServer, String owner);
PermissionTicket findById(RealmModel realm, ResourceServer resourceServer, String id);
/**
* Returns a list of {@link PermissionTicket} associated with the {@link org.keycloak.authorization.model.Resource resource}.
*
* @param resourceServer the resource server
* @param resource the resource
* @param resourceServer the resource server. Cannot be {@code null}.
* @param resource the resource. Cannot be {@code null}
* @return a list of permissions associated with the given resource
* TODO: maybe we can get rid of reosourceServer param here as resource has method getResourceServer()
*/
List<PermissionTicket> findByResource(ResourceServer resourceServer, Resource resource);
/**
* Returns a list of {@link PermissionTicket} associated with the {@link org.keycloak.authorization.model.Scope scope}.
*
* @param resourceServer the resource server
* @param scope the scope
* @return a list of permissions associated with the given scopes
*
* TODO: maybe we can get rid of reosourceServer param here as resource has method getResourceServer()
* @param resourceServer the resource server. Cannot be {@code null}.
* @param scope the scope. Cannot be {@code null}.
* @return a list of permissions associated with the given scopes
*/
List<PermissionTicket> findByScope(ResourceServer resourceServer, Scope scope);
/**
* Returns a list of {@link PermissionTicket}, filtered by the given attributes.
*
* @param resourceServer a resource server that resulting tickets should belong to. Ignored if {@code null}
*
* @param realm the realm. Cannot be {@code null}.
* @param resourceServer a resource server that resulting tickets should belong to. Ignored if {@code null}.
* @param attributes a map of keys and values to filter on; possible filter options are given by {@link PermissionTicket.FilterOption}
* @param firstResult first result to return. Ignored if negative or {@code null}.
* @param maxResults maximum number of results to return. Ignored if negative or {@code null}.
@ -120,12 +108,12 @@ public interface PermissionTicketStore {
* @throws IllegalArgumentException when there is an unknown attribute in the {@code attributes} map
*
*/
List<PermissionTicket> find(ResourceServer resourceServer, Map<PermissionTicket.FilterOption, String> attributes, Integer firstResult, Integer maxResults);
List<PermissionTicket> find(RealmModel realm, ResourceServer resourceServer, Map<PermissionTicket.FilterOption, String> attributes, Integer firstResult, Integer maxResults);
/**
* Returns a list of {@link PermissionTicket} granted to the given {@code userId}.
*
* @param resourceServer the resource server
* @param resourceServer the resource server. Cannot be {@code null}
* @param userId the user id
* @return a list of permissions granted for a particular user
*/
@ -134,7 +122,7 @@ public interface PermissionTicketStore {
/**
* Returns a list of {@link PermissionTicket} with name equal to {@code resourceName} granted to the given {@code userId}.
*
* @param resourceServer the resource server
* @param resourceServer the resource server. Cannot be {@code null}.
* @param resourceName the name of a resource
* @param userId the user id
* @return a list of permissions granted for a particular user
@ -147,7 +135,7 @@ public interface PermissionTicketStore {
* Returns a list of {@link Resource} granted to the given {@code requester}
*
*
* @param realm
* @param realm realm that is searched. Cannot be {@code null}
* @param requester the requester
* @param name the keyword to query resources by name or null if any resource
* @param firstResult first result to return. Ignored if negative or {@code null}.

51
server-spi-private/src/main/java/org/keycloak/authorization/store/PolicyStore.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -27,6 +26,7 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
/**
@ -40,7 +40,7 @@ public interface PolicyStore {
* Creates a new {@link Policy} instance. The new instance is not necessarily persisted though, which may require
* a call to the {#save} method to actually make it persistent.
*
* @param resourceServer the resource server to which this policy belongs
* @param resourceServer the resource server to which this policy belongs. Cannot be {@code null}.
* @param representation the policy representation
* @return a new instance of {@link Policy}
*/
@ -49,32 +49,35 @@ public interface PolicyStore {
/**
* Deletes a policy from the underlying persistence mechanism.
*
* @param realm the realm that the removed policy belongs to. Cannot be {@code null}
* @param id the id of the policy to delete
*/
void delete(String id);
void delete(RealmModel realm, String id);
/**
* Returns a {@link Policy} with the given <code>id</code>
*
* @param resourceServer the resource server
*
* @param realm the realm. Cannot be {@code null}.
* @param resourceServer the resource server. Ignored if {@code null}.
* @param id the identifier of the policy
* @return a policy with the given identifier.
*/
Policy findById(ResourceServer resourceServer, String id);
Policy findById(RealmModel realm, ResourceServer resourceServer, String id);
/**
* Returns a {@link Policy} with the given <code>name</code>
*
* @param resourceServer the resource server
* @param resourceServer the resource server. Cannot be {@code null}
* @param name the name of the policy
* @return a policy with the given name.
* @return a policy with the given name or {@code null} if no such policy exists.
*/
Policy findByName(ResourceServer resourceServer, String name);
/**
* Returns a list of {@link Policy} associated with a {@link ResourceServer} with the given <code>resourceServerId</code>.
* Returns a list of {@link Policy} associated with the {@link ResourceServer}
*
* @param resourceServer the identifier of a resource server
* @param resourceServer the resource server. Cannot be {@code null}.
* @return a list of policies that belong to the given resource server
*/
List<Policy> findByResourceServer(ResourceServer resourceServer);
@ -82,7 +85,9 @@ public interface PolicyStore {
/**
* Returns a list of {@link Policy} associated with a {@link ResourceServer} with the given <code>resourceServerId</code>.
*
* @param resourceServer the identifier of a resource server
*
* @param realm the realm. Cannot be {@code null}.
* @param resourceServer the identifier of a resource server. Ignored if {@code null}.
* @param attributes a map holding the attributes that will be used as a filter; possible filter options are given by {@link Policy.FilterOption}
* @param firstResult first result to return. Ignored if negative or {@code null}.
* @param maxResults maximum number of results to return. Ignored if negative or {@code null}.
@ -90,13 +95,13 @@ public interface PolicyStore {
*
* @throws IllegalArgumentException when there is an unknown attribute in the {@code attributes} map
*/
List<Policy> findByResourceServer(ResourceServer resourceServer, Map<Policy.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults);
List<Policy> find(RealmModel realm, ResourceServer resourceServer, Map<Policy.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults);
/**
* Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.model.Resource} with the given <code>resourceId</code>.
* Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.model.Resource}
*
* @param resourceServer the resource server
* @param resource the resource
* @param resourceServer the resource server. Cannot be {@code null}.
* @param resource the resource. Cannot be {@code null}.
* @return a list of policies associated with the given resource
*/
default List<Policy> findByResource(ResourceServer resourceServer, Resource resource) {
@ -110,8 +115,8 @@ public interface PolicyStore {
/**
* Searches for all policies associated with the {@link org.keycloak.authorization.model.Resource} and passes the result to the {@code consumer}
*
* @param resourceServer the resourceServer
* @param resource the resource
* @param resourceServer the resourceServer. Cannot be {@code null}.
* @param resource the resource. Cannot be {@code null}.
* @param consumer consumer of policies resulted from the search
*/
void findByResource(ResourceServer resourceServer, Resource resource, Consumer<Policy> consumer);
@ -119,7 +124,7 @@ public interface PolicyStore {
/**
* Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.model.ResourceServer} with the given <code>type</code>.
*
* @param resourceServer the resource server id
* @param resourceServer the resource server id. Cannot be {@code null}.
* @param resourceType the type of a resource
* @return a list of policies associated with the given resource type
*/
@ -134,7 +139,7 @@ public interface PolicyStore {
/**
* Searches for policies associated with a {@link org.keycloak.authorization.model.ResourceServer} and passes the result to the consumer
*
* @param resourceServer the resourceServer
* @param resourceServer the resourceServer. Cannot be {@code null}.
* @param type the type of a resource
* @param policyConsumer consumer of policies resulted from the search
*/
@ -143,7 +148,7 @@ public interface PolicyStore {
/**
* Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.model.Scope} within the given <code>scope</code>.
*
* @param resourceServer the resource server
* @param resourceServer the resource server. Cannot be {@code null}.
* @param scopes the scopes
* @return a list of policies associated with the given scopes
*/
@ -152,7 +157,7 @@ public interface PolicyStore {
/**
* Returns a list of {@link Policy} associated with a {@link org.keycloak.authorization.model.Scope} with the given <code>resource</code> and <code>scopes</code>.
*
* @param resourceServer the resource server
* @param resourceServer the resource server. Cannot be {@code null}.
* @param resource the resource. Ignored if {@code null}.
* @param scopes the scopes
* @return a list of policies associated with the given scopes
@ -175,7 +180,7 @@ public interface PolicyStore {
/**
* Returns a list of {@link Policy} with the given <code>type</code>.
*
* @param resourceServer the resource server id
* @param resourceServer the resource server id. Cannot be {@code null}.
* @param type the type of the policy
* @return a list of policies with the given type
*/

13
server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceServerStore.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -32,7 +31,7 @@ public interface ResourceServerStore {
/**
* <p>Creates a {@link ResourceServer} instance backed by this persistent storage implementation.
*
* @param client the client acting as a resource server
* @param client the client acting as a resource server. Cannot be {@code null}.
*
* @return an instance backed by the underlying storage implementation
*/
@ -41,7 +40,7 @@ public interface ResourceServerStore {
/**
* Removes a {@link ResourceServer} instance, with the given client from the persistent storage.
*
* @param client the client acting as a resource server
* @param client the client acting as a resource server. Cannot be {@code null}.
*/
void delete(ClientModel client);
@ -49,7 +48,7 @@ public interface ResourceServerStore {
* Returns a {@link ResourceServer} instance based on its identifier.
*
*
* @param realm
* @param realm the realm. Cannot be {@code null}.
* @param id the identifier of an existing resource server instance
*
* @return the resource server instance with the given identifier or null if no instance was found
@ -59,7 +58,7 @@ public interface ResourceServerStore {
/**
* Returns a {@link ResourceServer} instance based on a client.
*
* @param client the client acting as a resource server
* @param client the client acting as a resource server. Cannot be {@code null}.
*
* @return the resource server instance or null if no instance was found
*/

101
server-spi-private/src/main/java/org/keycloak/authorization/store/ResourceStore.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -20,6 +19,7 @@ package org.keycloak.authorization.store;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.models.RealmModel;
import java.util.ArrayList;
import java.util.LinkedList;
@ -38,7 +38,7 @@ public interface ResourceStore {
/**
* <p>Creates a {@link Resource} instance backed by this persistent storage implementation.
*
* @param resourceServer the resource server to where the given resource belongs to
* @param resourceServer the resource server to where the given resource belongs to. Cannot be {@code null}.
* @param name the name of this resource. It must be unique.
* @param owner the owner of this resource or null if the resource server is the owner
* @return an instance backed by the underlying storage implementation
@ -50,7 +50,7 @@ public interface ResourceStore {
/**
* <p>Creates a {@link Resource} instance backed by this persistent storage implementation.
*
* @param resourceServer the resource server to where the given resource belongs to
* @param resourceServer the resource server to where the given resource belongs to. Cannot be {@code null}.
* @param id the id of this resource. It must be unique. Will be randomly generated if null.
* @param name the name of this resource. It must be unique.
* @param owner the owner of this resource or null if the resource server is the owner
@ -61,53 +61,45 @@ public interface ResourceStore {
/**
* Removes a {@link Resource} instance, with the given {@code id} from the persistent storage.
*
* @param realm the realm. Cannot be {@code null}.
* @param id the identifier of an existing resource instance
*/
void delete(String id);
void delete(RealmModel realm, String id);
/**
* Returns a {@link Resource} instance based on its identifier.
*
* @param resourceServer the resource server
*
* @param realm the realm. Cannot be {@code null}.
* @param resourceServer the resource server. Ignored if {@code null}
* @param id the identifier of an existing resource instance
* @return the resource instance with the given identifier or null if no instance was found
*/
Resource findById(ResourceServer resourceServer, String id);
Resource findById(RealmModel realm, ResourceServer resourceServer, String id);
/**
* Finds all {@link Resource} instances with the given {@code ownerId}.
*
*
* @param resourceServer
*
* @param realm the realm. Cannot be {@code null}.
* @param resourceServer resource server. Ignored if {@code null}
* @param ownerId the identifier of the owner
* @return a list with all resource instances owned by the given owner
*/
default List<Resource> findByOwner(ResourceServer resourceServer, String ownerId) {
default List<Resource> findByOwner(RealmModel realm, ResourceServer resourceServer, String ownerId) {
List<Resource> list = new LinkedList<>();
findByOwner(resourceServer, ownerId, list::add);
findByOwner(realm, resourceServer, ownerId, list::add);
return list;
}
void findByOwner(ResourceServer resourceServer, String ownerId, Consumer<Resource> consumer);
List<Resource> findByOwner(ResourceServer resourceServer, String ownerId, Integer firstResult, Integer maxResults);
/**
* Finds all {@link Resource} instances with the given uri.
*
*
* @param resourceServer
* @param uri the identifier of the uri
* @return a list with all resource instances owned by the given owner
*/
List<Resource> findByUri(ResourceServer resourceServer, String uri);
void findByOwner(RealmModel realm, ResourceServer resourceServer, String ownerId, Consumer<Resource> consumer);
/**
* Finds all {@link Resource} instances associated with a given resource server.
*
* @param resourceServer the identifier of the resource server
* @param resourceServer the identifier of the resource server. Cannot be {@code null}.
* @return a list with all resources associated with the given resource server
*/
List<Resource> findByResourceServer(ResourceServer resourceServer);
@ -115,7 +107,9 @@ public interface ResourceStore {
/**
* Finds all {@link Resource} instances associated with a given resource server.
*
* @param resourceServer the identifier of the resource server
*
* @param realm the realm. Cannot be {@code null}.
* @param resourceServer the identifier of the resource server. Ignored if {@code null}.
* @param attributes a map holding the attributes that will be used as a filter; possible filter options are given by {@link Resource.FilterOption}
* @param firstResult first result to return. Ignored if negative or {@code null}.
* @param maxResults maximum number of results to return. Ignored if negative or {@code null}.
@ -123,13 +117,13 @@ public interface ResourceStore {
*
* @throws IllegalArgumentException when there is an unknown attribute in the {@code attributes} map
*/
List<Resource> findByResourceServer(ResourceServer resourceServer, Map<Resource.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults);
List<Resource> find(RealmModel realm, ResourceServer resourceServer, Map<Resource.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults);
/**
* Finds all {@link Resource} associated with a given scope.
*
*
* @param resourceServer
* @param resourceServer the resource server. Cannot be {@code null}.
* @param scopes one or more scope identifiers
* @return a list of resources associated with the given scope(s)
*/
@ -140,13 +134,12 @@ public interface ResourceStore {
return result;
}
void findByScopes(ResourceServer resourceServer, Set<Scope> scopes, Consumer<Resource> consumer);
/**
* Find a {@link Resource} by its name where the owner is the resource server itself.
*
* @param resourceServer the resource server
* @param resourceServer the resource server. Cannot be {@code null}.
* @param name the name of the resource
* @return a resource with the given name
*/
@ -157,7 +150,7 @@ public interface ResourceStore {
/**
* Find a {@link Resource} by its name where the owner is the given <code>ownerId</code>.
*
* @param resourceServer the identifier of the resource server
* @param resourceServer the identifier of the resource server. Cannot be {@code null}.
* @param name the name of the resource
* @param ownerId the owner id
* @return a resource with the given name
@ -165,10 +158,10 @@ public interface ResourceStore {
Resource findByName(ResourceServer resourceServer, String name, String ownerId);
/**
* Finds all {@link Resource} with the given type.
* Finds all {@link Resource} from {@link ResourceServer} with the given type.
*
*
* @param resourceServer
* @param resourceServer the resource server. Cannot be {@code null}.
* @param type the type of the resource
* @return a list of resources with the given type
*/
@ -181,26 +174,9 @@ public interface ResourceStore {
}
/**
* Finds all {@link Resource} with the given type.
* Finds all {@link Resource} from {@link ResourceServer} with the given type.
*
*
* @param resourceServer
* @param type the type of the resource
* @param owner the resource owner or null for any resource with a given type
* @return a list of resources with the given type
*/
default List<Resource> findByType(ResourceServer resourceServer, String type, String owner) {
List<Resource> list = new LinkedList<>();
findByType(resourceServer, type, owner, list::add);
return list;
}
/**
* Finds all {@link Resource} with the given type.
*
* @param resourceServer the resource server id
* @param resourceServer the resource server id. Cannot be {@code null}.
* @param type the type of the resource
* @param consumer the result consumer
* @return a list of resources with the given type
@ -210,7 +186,7 @@ public interface ResourceStore {
/**
* Finds all {@link Resource} with the given type.
*
* @param resourceServer the resource server id
* @param resourceServer the resource server id. Cannot be {@code null}
* @param type the type of the resource
* @param owner the resource owner or null for any resource with a given type
* @param consumer the result consumer
@ -218,13 +194,12 @@ public interface ResourceStore {
*/
void findByType(ResourceServer resourceServer, String type, String owner, Consumer<Resource> consumer);
default List<Resource> findByTypeInstance(ResourceServer resourceServer, String type) {
List<Resource> list = new LinkedList<>();
findByTypeInstance(resourceServer, type, list::add);
return list;
}
void findByTypeInstance(ResourceServer resourceServerId, String type, Consumer<Resource> consumer);
/**
* Finds all {@link Resource} by type where client represented by the {@code resourceServer} is not the owner
*
* @param resourceServer the resourceServer. Cannot be {@code null}.
* @param type searched type
* @param consumer a consumer that will be fed with the resulting resources
*/
void findByTypeInstance(ResourceServer resourceServer, String type, Consumer<Resource> consumer);
}

28
server-spi-private/src/main/java/org/keycloak/authorization/store/ScopeStore.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -20,6 +19,7 @@ package org.keycloak.authorization.store;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.models.RealmModel;
import java.util.List;
import java.util.Map;
@ -35,8 +35,7 @@ public interface ScopeStore {
* Creates a new {@link Scope} instance. The new instance is not necessarily persisted though, which may require
* a call to the {#save} method to actually make it persistent.
*
* @param resourceServer the resource server to which this scope belongs
*
* @param resourceServer the resource server to which this scope belongs. Cannot be {@code null}.
* @param name the name of the scope
* @return a new instance of {@link Scope}
*/
@ -48,8 +47,7 @@ public interface ScopeStore {
* Creates a new {@link Scope} instance. The new instance is not necessarily persisted though, which may require
* a call to the {#save} method to actually make it persistent.
*
* @param resourceServer the resource server to which this scope belongs
*
* @param resourceServer the resource server to which this scope belongs. Cannot be {@code null}.
* @param id the id of the scope. Is generated randomly when null
* @param name the name of the scope
* @return a new instance of {@link Scope}
@ -59,23 +57,25 @@ public interface ScopeStore {
/**
* Deletes a scope from the underlying persistence mechanism.
*
* @param realm the realm. Cannot be {@code null}.
* @param id the id of the scope to delete
*/
void delete(String id);
void delete(RealmModel realm, String id);
/**
* Returns a {@link Scope} with the given <code>id</code>
*
* @param resourceServer the resource server id
* @param realm the realm. Cannot be {@code null}.
* @param resourceServer the resource server id. Ignored if {@code null}.
* @param id the identifier of the scope
* @return a scope with the given identifier.
*/
Scope findById(ResourceServer resourceServer, String id);
Scope findById(RealmModel realm, ResourceServer resourceServer, String id);
/**
* Returns a {@link Scope} with the given <code>name</code>
*
* @param resourceServer the resource server
* @param resourceServer the resource server. Cannot be {@code null}.
* @param name the name of the scope
*
* @return a scope with the given name.
@ -83,9 +83,9 @@ public interface ScopeStore {
Scope findByName(ResourceServer resourceServer, String name);
/**
* Returns a list of {@link Scope} associated with a {@link ResourceServer} with the given <code>resourceServer</code>.
* Returns a list of {@link Scope} associated with the {@link ResourceServer}.
*
* @param resourceServer the identifier of a resource server
* @param resourceServer the resource server. Cannot be {@code null}.
*
* @return a list of scopes that belong to the given resource server
*/
@ -94,7 +94,7 @@ public interface ScopeStore {
/**
* Returns a list of {@link Scope} associated with a {@link ResourceServer} with the given <code>resourceServerId</code>.
*
* @param resourceServer the resource server
* @param resourceServer the resource server. Cannot be {@code null}.
* @param attributes a map holding the attributes that will be used as a filter; possible filter options are given by {@link Scope.FilterOption}
* @param firstResult first result to return. Ignored if negative or {@code null}.
* @param maxResults maximum number of results to return. Ignored if negative or {@code null}.

11
server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/ClientApplicationSynchronizer.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -31,6 +30,7 @@ import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.ClientModel.ClientRemovedEvent;
import org.keycloak.models.RealmModel;
import org.keycloak.provider.ProviderFactory;
import org.keycloak.representations.idm.authorization.ClientPolicyRepresentation;
@ -51,6 +51,7 @@ public class ClientApplicationSynchronizer implements Synchronizer<ClientRemoved
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
ResourceServerStore store = storeFactory.getResourceServerStore();
ResourceServer resourceServer = store.findByClient(event.getClient());
RealmModel realm = event.getClient().getRealm();
if (resourceServer != null) {
storeFactory.getResourceServerStore().delete(event.getClient());
@ -62,7 +63,7 @@ public class ClientApplicationSynchronizer implements Synchronizer<ClientRemoved
attributes.put(Policy.FilterOption.CONFIG, new String[] {"clients", event.getClient().getId()});
attributes.put(Policy.FilterOption.ANY_OWNER, Policy.FilterOption.EMPTY_FILTER);
List<Policy> search = storeFactory.getPolicyStore().findByResourceServer(null, attributes, null, null);
List<Policy> search = storeFactory.getPolicyStore().find(realm, null, attributes, null, null);
for (Policy policy : search) {
PolicyProviderFactory policyFactory = authorizationProvider.getProviderFactory(policy.getType());
@ -73,7 +74,7 @@ public class ClientApplicationSynchronizer implements Synchronizer<ClientRemoved
if (clients.isEmpty()) {
policyFactory.onRemove(policy, authorizationProvider);
authorizationProvider.getStoreFactory().getPolicyStore().delete(policy.getId());
authorizationProvider.getStoreFactory().getPolicyStore().delete(realm, policy.getId());
} else {
policyFactory.onUpdate(policy, representation, authorizationProvider);
}

8
server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/GroupSynchronizer.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -29,6 +29,7 @@ import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.provider.ProviderFactory;
import org.keycloak.representations.idm.authorization.GroupPolicyRepresentation;
@ -45,13 +46,14 @@ public class GroupSynchronizer implements Synchronizer<GroupModel.GroupRemovedEv
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
GroupModel group = event.getGroup();
RealmModel realm = event.getRealm();
Map<Policy.FilterOption, String[]> attributes = new EnumMap<>(Policy.FilterOption.class);
attributes.put(Policy.FilterOption.TYPE, new String[] {"group"});
attributes.put(Policy.FilterOption.CONFIG, new String[] {"groups", group.getId()});
attributes.put(Policy.FilterOption.ANY_OWNER, Policy.FilterOption.EMPTY_FILTER);
List<Policy> search = policyStore.findByResourceServer(null, attributes, null, null);
List<Policy> search = policyStore.find(realm, null, attributes, null, null);
for (Policy policy : search) {
PolicyProviderFactory policyFactory = authorizationProvider.getProviderFactory(policy.getType());
@ -62,7 +64,7 @@ public class GroupSynchronizer implements Synchronizer<GroupModel.GroupRemovedEv
if (groups.isEmpty()) {
policyFactory.onRemove(policy, authorizationProvider);
policyStore.delete(policy.getId());
policyStore.delete(realm, policy.getId());
} else {
policyFactory.onUpdate(policy, representation, authorizationProvider);
}

24
server-spi-private/src/main/java/org/keycloak/authorization/store/syncronization/UserSynchronizer.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -31,6 +31,7 @@ import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserModel.UserRemovedEvent;
import org.keycloak.provider.ProviderFactory;
@ -55,13 +56,14 @@ public class UserSynchronizer implements Synchronizer<UserRemovedEvent> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
UserModel userModel = event.getUser();
RealmModel realm = event.getRealm();
Map<Policy.FilterOption, String[]> attributes = new EnumMap<>(Policy.FilterOption.class);
attributes.put(Policy.FilterOption.TYPE, new String[] {"user"});
attributes.put(Policy.FilterOption.CONFIG, new String[] {"users", userModel.getId()});
attributes.put(Policy.FilterOption.ANY_OWNER, new String[] {Boolean.TRUE.toString()});
List<Policy> search = policyStore.findByResourceServer(null, attributes, null, null);
List<Policy> search = policyStore.find(realm, null, attributes, null, null);
for (Policy policy : search) {
PolicyProviderFactory policyFactory = authorizationProvider.getProviderFactory(policy.getType());
@ -72,7 +74,7 @@ public class UserSynchronizer implements Synchronizer<UserRemovedEvent> {
if (users.isEmpty()) {
policyFactory.onRemove(policy, authorizationProvider);
policyStore.delete(policy.getId());
policyStore.delete(realm, policy.getId());
} else {
policyFactory.onUpdate(policy, representation, authorizationProvider);
}
@ -84,17 +86,18 @@ public class UserSynchronizer implements Synchronizer<UserRemovedEvent> {
PolicyStore policyStore = storeFactory.getPolicyStore();
ResourceStore resourceStore = storeFactory.getResourceStore();
UserModel userModel = event.getUser();
RealmModel realm = event.getRealm();
resourceStore.findByOwner(null, userModel.getId(), resource -> {
resourceStore.findByOwner(realm, null, userModel.getId(), resource -> {
String resourceId = resource.getId();
policyStore.findByResource(resource.getResourceServer(), resource).forEach(policy -> {
if (policy.getResources().size() == 1) {
policyStore.delete(policy.getId());
policyStore.delete(realm, policy.getId());
} else {
policy.removeResource(resource);
}
});
resourceStore.delete(resourceId);
resourceStore.delete(realm, resourceId);
});
}
@ -102,20 +105,21 @@ public class UserSynchronizer implements Synchronizer<UserRemovedEvent> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PermissionTicketStore ticketStore = storeFactory.getPermissionTicketStore();
UserModel userModel = event.getUser();
RealmModel realm = event.getRealm();
Map<PermissionTicket.FilterOption, String> attributes = new EnumMap<>(PermissionTicket.FilterOption.class);
attributes.put(PermissionTicket.FilterOption.OWNER, userModel.getId());
for (PermissionTicket ticket : ticketStore.find(null, attributes, null, null)) {
ticketStore.delete(ticket.getId());
for (PermissionTicket ticket : ticketStore.find(realm, null, attributes, null, null)) {
ticketStore.delete(realm, ticket.getId());
}
attributes.clear();
attributes.put(PermissionTicket.FilterOption.REQUESTER, userModel.getId());
for (PermissionTicket ticket : ticketStore.find(null, attributes, null, null)) {
ticketStore.delete(ticket.getId());
for (PermissionTicket ticket : ticketStore.find(realm, null, attributes, null, null)) {
ticketStore.delete(realm, ticket.getId());
}
}
}

33
server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -2357,6 +2357,8 @@ public class RepresentationToModel {
private static Policy importPolicies(AuthorizationProvider authorization, ResourceServer resourceServer, List<PolicyRepresentation> policiesToImport, String parentPolicyName) {
StoreFactory storeFactory = authorization.getStoreFactory();
RealmModel realm = resourceServer.getRealm();
for (PolicyRepresentation policyRepresentation : policiesToImport) {
if (parentPolicyName != null && !parentPolicyName.equals(policyRepresentation.getName())) {
continue;
@ -2375,7 +2377,7 @@ public class RepresentationToModel {
Policy policy = policyStore.findByName(resourceServer, policyName);
if (policy == null) {
policy = policyStore.findById(resourceServer, policyName);
policy = policyStore.findById(realm, resourceServer, policyName);
}
if (policy == null) {
@ -2395,7 +2397,7 @@ public class RepresentationToModel {
}
PolicyStore policyStore = storeFactory.getPolicyStore();
Policy policy = policyStore.findById(resourceServer, policyRepresentation.getId());
Policy policy = policyStore.findById(realm, resourceServer, policyRepresentation.getId());
if (policy == null) {
policy = policyStore.findByName(resourceServer, policyRepresentation.getName());
@ -2501,6 +2503,8 @@ public class RepresentationToModel {
}
return;
}
ResourceServer resourceServer = policy.getResourceServer();
RealmModel realm = resourceServer.getRealm();
for (String scopeId : scopeIds) {
boolean hasScope = false;
@ -2510,8 +2514,7 @@ public class RepresentationToModel {
}
}
if (!hasScope) {
ResourceServer resourceServer = policy.getResourceServer();
Scope scope = storeFactory.getScopeStore().findById(resourceServer, scopeId);
Scope scope = storeFactory.getScopeStore().findById(realm, resourceServer, scopeId);
if (scope == null) {
scope = storeFactory.getScopeStore().findByName(resourceServer, scopeId);
@ -2543,6 +2546,7 @@ public class RepresentationToModel {
private static void updateAssociatedPolicies(Set<String> policyIds, Policy policy, StoreFactory storeFactory) {
ResourceServer resourceServer = policy.getResourceServer();
RealmModel realm = resourceServer.getRealm();
if (policyIds != null) {
if (policyIds.isEmpty()) {
@ -2564,7 +2568,7 @@ public class RepresentationToModel {
}
if (!hasPolicy) {
Policy associatedPolicy = policyStore.findById(resourceServer, policyId);
Policy associatedPolicy = policyStore.findById(realm, resourceServer, policyId);
if (associatedPolicy == null) {
associatedPolicy = policyStore.findByName(resourceServer, policyId);
@ -2601,6 +2605,9 @@ public class RepresentationToModel {
policy.removeResource(resource);
}
}
ResourceServer resourceServer = policy.getResourceServer();
RealmModel realm = resourceServer.getRealm();
for (String resourceId : resourceIds) {
boolean hasResource = false;
for (Resource resourceModel : new HashSet<>(policy.getResources())) {
@ -2609,10 +2616,10 @@ public class RepresentationToModel {
}
}
if (!hasResource && !"".equals(resourceId)) {
Resource resource = storeFactory.getResourceStore().findById(policy.getResourceServer(), resourceId);
Resource resource = storeFactory.getResourceStore().findById(realm, resourceServer, resourceId);
if (resource == null) {
resource = storeFactory.getResourceStore().findByName(policy.getResourceServer(), resourceId);
resource = storeFactory.getResourceStore().findByName(resourceServer, resourceId);
if (resource == null) {
throw new RuntimeException("Resource with id or name [" + resourceId + "] does not exist or is not owned by the resource server");
}
@ -2642,6 +2649,7 @@ public class RepresentationToModel {
public static Resource toModel(ResourceRepresentation resource, ResourceServer resourceServer, AuthorizationProvider authorization) {
ResourceStore resourceStore = authorization.getStoreFactory().getResourceStore();
RealmModel realm = authorization.getRealm();
ResourceOwnerRepresentation owner = resource.getOwner();
if (owner == null) {
@ -2656,7 +2664,6 @@ public class RepresentationToModel {
}
if (!resourceServer.getClientId().equals(ownerId)) {
RealmModel realm = authorization.getRealm();
KeycloakSession keycloakSession = authorization.getKeycloakSession();
UserProvider users = keycloakSession.users();
UserModel ownerModel = users.getUserById(realm, ownerId);
@ -2675,7 +2682,7 @@ public class RepresentationToModel {
Resource existing;
if (resource.getId() != null) {
existing = resourceStore.findById(resourceServer, resource.getId());
existing = resourceStore.findById(realm, resourceServer, resource.getId());
} else {
existing = resourceStore.findByName(resourceServer, resource.getName(), ownerId);
}
@ -2749,7 +2756,7 @@ public class RepresentationToModel {
Scope existing;
if (scope.getId() != null) {
existing = scopeStore.findById(resourceServer, scope.getId());
existing = scopeStore.findById(resourceServer.getRealm(), resourceServer, scope.getId());
} else {
existing = scopeStore.findByName(resourceServer, scope.getName());
}
@ -2775,13 +2782,13 @@ public class RepresentationToModel {
public static PermissionTicket toModel(PermissionTicketRepresentation representation, ResourceServer resourceServer, AuthorizationProvider authorization) {
PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
PermissionTicket ticket = ticketStore.findById(resourceServer, representation.getId());
PermissionTicket ticket = ticketStore.findById(resourceServer.getRealm(), resourceServer, representation.getId());
boolean granted = representation.isGranted();
if (granted && !ticket.isGranted()) {
ticket.setGrantedTimestamp(System.currentTimeMillis());
} else if (!granted) {
ticketStore.delete(ticket.getId());
ticketStore.delete(resourceServer.getRealm(), ticket.getId());
}
return ticket;

7
services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -175,7 +174,7 @@ public class PolicyEvaluationService {
Set<Scope> scopes = givenScopes.stream().map(scopeRepresentation -> scopeStore.findByName(resourceServer, scopeRepresentation.getName())).collect(Collectors.toSet());
if (resource.getId() != null) {
Resource resourceModel = storeFactory.getResourceStore().findById(resourceServer, resource.getId());
Resource resourceModel = storeFactory.getResourceStore().findById(resourceServer.getRealm(), resourceServer, resource.getId());
return new ArrayList<>(Arrays.asList(
Permissions.createResourcePermissions(resourceModel, resourceServer, scopes, authorization, request))).stream();
} else if (resource.getType() != null) {

4
services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -111,7 +111,7 @@ public class PolicyResourceService {
resource.onRemove(policy, authorization);
}
policyStore.delete(policy.getId());
policyStore.delete(resourceServer.getRealm(), policy.getId());
audit(toRepresentation(policy, authorization), OperationType.DELETE);

15
services/src/main/java/org/keycloak/authorization/admin/PolicyService.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -88,7 +87,7 @@ public class PolicyService {
return doCreatePolicyTypeResource(type);
}
Policy policy = authorization.getStoreFactory().getPolicyStore().findById(resourceServer, type);
Policy policy = authorization.getStoreFactory().getPolicyStore().findById(resourceServer.getRealm(), resourceServer, type);
return doCreatePolicyResource(policy);
}
@ -206,7 +205,7 @@ public class PolicyService {
if (resource != null && !"".equals(resource.trim())) {
ResourceStore resourceStore = storeFactory.getResourceStore();
Resource resourceModel = resourceStore.findById(resourceServer, resource);
Resource resourceModel = resourceStore.findById(resourceServer.getRealm(), resourceServer, resource);
if (resourceModel == null) {
Map<Resource.FilterOption, String[]> resourceFilters = new EnumMap<>(Resource.FilterOption.class);
@ -217,7 +216,7 @@ public class PolicyService {
resourceFilters.put(Resource.FilterOption.OWNER, new String[]{owner});
}
Set<String> resources = resourceStore.findByResourceServer(resourceServer, resourceFilters, -1, 1).stream().map(Resource::getId).collect(Collectors.toSet());
Set<String> resources = resourceStore.find(resourceServer.getRealm(), resourceServer, resourceFilters, -1, 1).stream().map(Resource::getId).collect(Collectors.toSet());
if (resources.isEmpty()) {
return Response.noContent().build();
@ -231,7 +230,7 @@ public class PolicyService {
if (scope != null && !"".equals(scope.trim())) {
ScopeStore scopeStore = storeFactory.getScopeStore();
Scope scopeModel = scopeStore.findById(resourceServer, scope);
Scope scopeModel = scopeStore.findById(resourceServer.getRealm(), resourceServer, scope);
if (scopeModel == null) {
Map<Scope.FilterOption, String[]> scopeFilters = new EnumMap<>(Scope.FilterOption.class);
@ -265,7 +264,7 @@ public class PolicyService {
protected List<Object> doSearch(Integer firstResult, Integer maxResult, String fields, Map<Policy.FilterOption, String[]> filters) {
PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
return policyStore.findByResourceServer(resourceServer, filters, firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS).stream()
return policyStore.find(resourceServer.getRealm(), resourceServer, filters, firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS).stream()
.map(policy -> toRepresentation(policy, fields, authorization))
.collect(Collectors.toList());
}

25
services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -141,7 +140,7 @@ public class ResourceSetService {
resource.setId(id);
StoreFactory storeFactory = this.authorization.getStoreFactory();
ResourceStore resourceStore = storeFactory.getResourceStore();
Resource model = resourceStore.findById(resourceServer, resource.getId());
Resource model = resourceStore.findById(resourceServer.getRealm(), resourceServer, resource.getId());
if (model == null) {
return Response.status(Status.NOT_FOUND).build();
@ -159,13 +158,13 @@ public class ResourceSetService {
public Response delete(@PathParam("id") String id) {
requireManage();
StoreFactory storeFactory = authorization.getStoreFactory();
Resource resource = storeFactory.getResourceStore().findById(resourceServer, id);
Resource resource = storeFactory.getResourceStore().findById(resourceServer.getRealm(), resourceServer, id);
if (resource == null) {
return Response.status(Status.NOT_FOUND).build();
}
storeFactory.getResourceStore().delete(id);
storeFactory.getResourceStore().delete(resourceServer.getRealm(), id);
audit(toRepresentation(resource, resourceServer, authorization), OperationType.DELETE);
@ -183,7 +182,7 @@ public class ResourceSetService {
public Response findById(String id, Function<Resource, ? extends ResourceRepresentation> toRepresentation) {
requireView();
StoreFactory storeFactory = authorization.getStoreFactory();
Resource model = storeFactory.getResourceStore().findById(resourceServer, id);
Resource model = storeFactory.getResourceStore().findById(resourceServer.getRealm(), resourceServer, id);
if (model == null) {
return Response.status(Status.NOT_FOUND).build();
@ -199,7 +198,7 @@ public class ResourceSetService {
public Response getScopes(@PathParam("id") String id) {
requireView();
StoreFactory storeFactory = authorization.getStoreFactory();
Resource model = storeFactory.getResourceStore().findById(resourceServer, id);
Resource model = storeFactory.getResourceStore().findById(resourceServer.getRealm(), resourceServer, id);
if (model == null) {
return Response.status(Status.NOT_FOUND).build();
@ -243,7 +242,7 @@ public class ResourceSetService {
requireView();
StoreFactory storeFactory = authorization.getStoreFactory();
ResourceStore resourceStore = storeFactory.getResourceStore();
Resource model = resourceStore.findById(resourceServer, id);
Resource model = resourceStore.findById(resourceServer.getRealm(), resourceServer, id);
if (model == null) {
return Response.status(Status.NOT_FOUND).build();
@ -264,7 +263,7 @@ public class ResourceSetService {
resourceFilter.put(Resource.FilterOption.OWNER, new String[]{resourceServer.getClientId()});
resourceFilter.put(Resource.FilterOption.TYPE, new String[]{model.getType()});
for (Resource resourceType : resourceStore.findByResourceServer(resourceServer, resourceFilter, null, null)) {
for (Resource resourceType : resourceStore.find(resourceServer.getRealm(), resourceServer, resourceFilter, null, null)) {
policies.addAll(policyStore.findByResource(resourceServer, resourceType));
}
}
@ -300,7 +299,7 @@ public class ResourceSetService {
public Response getAttributes(@PathParam("id") String id) {
requireView();
StoreFactory storeFactory = authorization.getStoreFactory();
Resource model = storeFactory.getResourceStore().findById(resourceServer, id);
Resource model = storeFactory.getResourceStore().findById(resourceServer.getRealm(), resourceServer, id);
if (model == null) {
return Response.status(Status.NOT_FOUND).build();
@ -416,7 +415,7 @@ public class ResourceSetService {
search.put(Resource.FilterOption.SCOPE_ID, scopes.stream().map(Scope::getId).toArray(String[]::new));
}
List<Resource> resources = storeFactory.getResourceStore().findByResourceServer(this.resourceServer, search, firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS);
List<Resource> resources = storeFactory.getResourceStore().find(resourceServer.getRealm(), this.resourceServer, search, firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS);
if (matchingUri != null && matchingUri && resources.isEmpty()) {
Map<Resource.FilterOption, String[]> attributes = new EnumMap<>(Resource.FilterOption.class);
@ -424,7 +423,7 @@ public class ResourceSetService {
attributes.put(Resource.FilterOption.URI_NOT_NULL, new String[] {"true"});
attributes.put(Resource.FilterOption.OWNER, new String[] {resourceServer.getClientId()});
List<Resource> serverResources = storeFactory.getResourceStore().findByResourceServer(this.resourceServer, attributes, firstResult != null ? firstResult : -1, maxResult != null ? maxResult : -1);
List<Resource> serverResources = storeFactory.getResourceStore().find(resourceServer.getRealm(), this.resourceServer, attributes, firstResult != null ? firstResult : -1, maxResult != null ? maxResult : -1);
PathMatcher<Map.Entry<String, Resource>> pathMatcher = new PathMatcher<Map.Entry<String, Resource>>() {
@Override

22
services/src/main/java/org/keycloak/authorization/admin/ScopeService.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -29,6 +28,7 @@ import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
@ -49,7 +49,6 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumMap;
import java.util.List;
@ -101,7 +100,7 @@ public class ScopeService {
this.auth.realm().requireManageAuthorization();
scope.setId(id);
StoreFactory storeFactory = authorization.getStoreFactory();
Scope model = storeFactory.getScopeStore().findById(resourceServer, scope.getId());
Scope model = storeFactory.getScopeStore().findById(resourceServer.getRealm(), resourceServer, scope.getId());
if (model == null) {
return Response.status(Status.NOT_FOUND).build();
@ -119,7 +118,8 @@ public class ScopeService {
public Response delete(@PathParam("id") String id) {
this.auth.realm().requireManageAuthorization();
StoreFactory storeFactory = authorization.getStoreFactory();
Scope scope = storeFactory.getScopeStore().findById(resourceServer, id);
RealmModel realm = resourceServer.getRealm();
Scope scope = storeFactory.getScopeStore().findById(realm, resourceServer, id);
if (scope == null) {
return Response.status(Status.NOT_FOUND).build();
}
@ -135,13 +135,13 @@ public class ScopeService {
for (Policy policyModel : policies) {
if (policyModel.getScopes().size() == 1) {
policyStore.delete(policyModel.getId());
policyStore.delete(realm, policyModel.getId());
} else {
policyModel.removeScope(scope);
}
}
storeFactory.getScopeStore().delete(id);
storeFactory.getScopeStore().delete(realm, id);
audit(toRepresentation(scope), OperationType.DELETE);
@ -154,7 +154,7 @@ public class ScopeService {
@Produces(MediaType.APPLICATION_JSON)
public Response findById(@PathParam("id") String id) {
this.auth.realm().requireViewAuthorization();
Scope model = this.authorization.getStoreFactory().getScopeStore().findById(resourceServer, id);
Scope model = this.authorization.getStoreFactory().getScopeStore().findById(resourceServer.getRealm(), resourceServer, id);
if (model == null) {
return Response.status(Status.NOT_FOUND).build();
@ -170,7 +170,7 @@ public class ScopeService {
public Response getResources(@PathParam("id") String id) {
this.auth.realm().requireViewAuthorization();
StoreFactory storeFactory = this.authorization.getStoreFactory();
Scope model = storeFactory.getScopeStore().findById(resourceServer, id);
Scope model = storeFactory.getScopeStore().findById(resourceServer.getRealm(), resourceServer, id);
if (model == null) {
return Response.status(Status.NOT_FOUND).build();
@ -193,7 +193,7 @@ public class ScopeService {
public Response getPermissions(@PathParam("id") String id) {
this.auth.realm().requireViewAuthorization();
StoreFactory storeFactory = this.authorization.getStoreFactory();
Scope model = storeFactory.getScopeStore().findById(resourceServer, id);
Scope model = storeFactory.getScopeStore().findById(resourceServer.getRealm(), resourceServer, id);
if (model == null) {
return Response.status(Status.NOT_FOUND).build();

5
services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponseBuilder.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -182,6 +182,7 @@ public class PolicyEvaluationResponseBuilder {
PolicyRepresentation representation = new PolicyRepresentation();
Policy policy = result.getPolicy();
ResourceServer resourceServer = policy.getResourceServer();
representation.setId(policy.getId());
representation.setName(policy.getName());
@ -194,7 +195,7 @@ public class PolicyEvaluationResponseBuilder {
filters.put(PermissionTicket.FilterOption.POLICY_ID, policy.getId());
List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(policy.getResourceServer(), filters, -1, 1);
List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(resourceServer.getRealm(), resourceServer, filters, -1, 1);
if (!tickets.isEmpty()) {
KeycloakSession keycloakSession = authorization.getKeycloakSession();

7
services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -503,6 +503,7 @@ public class AuthorizationTokenService {
Map<String, ResourcePermission> permissionsToEvaluate, ResourceStore resourceStore, ScopeStore scopeStore,
AtomicInteger limit) {
AccessToken rpt = request.getRpt();
RealmModel realm = resourceServer.getRealm();
if (rpt != null && rpt.isActive()) {
Authorization authorizationData = rpt.getAuthorization();
@ -516,7 +517,7 @@ public class AuthorizationTokenService {
break;
}
Resource resource = resourceStore.findById(resourceServer, grantedPermission.getResourceId());
Resource resource = resourceStore.findById(realm, resourceServer, grantedPermission.getResourceId());
if (resource != null) {
ResourcePermission permission = permissionsToEvaluate.get(resource.getId());
@ -600,7 +601,7 @@ public class AuthorizationTokenService {
Resource resource;
if (resourceId.indexOf('-') != -1) {
resource = resourceStore.findById(resourceServer, resourceId);
resource = resourceStore.findById(resourceServer.getRealm(), resourceServer, resourceId);
} else {
resource = null;
}

4
services/src/main/java/org/keycloak/authorization/protection/permission/AbstractPermissionService.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -74,7 +74,7 @@ public class AbstractPermissionService {
throw new ErrorResponseException("invalid_resource_id", "Resource id or name not provided.", Response.Status.BAD_REQUEST);
}
} else {
Resource resource = resourceStore.findById(resourceServer, resourceSetId);
Resource resource = resourceStore.findById(resourceServer.getRealm(), resourceServer, resourceSetId);
if (resource != null) {
resources.add(resource);

21
services/src/main/java/org/keycloak/authorization/protection/permission/PermissionTicketService.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -83,7 +82,7 @@ public class PermissionTicketService {
throw new ErrorResponseException("invalid_permission", "created permissions should have requester or requesterName", Response.Status.BAD_REQUEST);
ResourceStore rstore = this.authorization.getStoreFactory().getResourceStore();
Resource resource = rstore.findById(resourceServer, representation.getResource());
Resource resource = rstore.findById(resourceServer.getRealm(), resourceServer, representation.getResource());
if (resource == null ) throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not exists in this server.", Response.Status.BAD_REQUEST);
if (!resource.getOwner().equals(this.identity.getId()))
@ -104,7 +103,7 @@ public class PermissionTicketService {
if(representation.getScopeName() != null)
scope = sstore.findByName(resourceServer, representation.getScopeName());
else
scope = sstore.findById(resourceServer, representation.getScope());
scope = sstore.findById(resourceServer.getRealm(), resourceServer, representation.getScope());
if (scope == null && representation.getScope() !=null )
throw new ErrorResponseException("invalid_scope", "Scope [" + representation.getScope() + "] is invalid", Response.Status.BAD_REQUEST);
@ -121,7 +120,7 @@ public class PermissionTicketService {
attributes.put(PermissionTicket.FilterOption.SCOPE_ID, scope.getId());
attributes.put(PermissionTicket.FilterOption.REQUESTER, user.getId());
if (!ticketStore.find(resourceServer, attributes, null, null).isEmpty())
if (!ticketStore.find(resourceServer.getRealm(), resourceServer, attributes, null, null).isEmpty())
throw new ErrorResponseException("invalid_permission", "Permission already exists", Response.Status.BAD_REQUEST);
PermissionTicket ticket = ticketStore.create(resourceServer, resource, scope, user.getId());
@ -139,7 +138,7 @@ public class PermissionTicketService {
}
PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
PermissionTicket ticket = ticketStore.findById(resourceServer, representation.getId());
PermissionTicket ticket = ticketStore.findById(resourceServer.getRealm(), resourceServer, representation.getId());
if (ticket == null) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
@ -163,7 +162,7 @@ public class PermissionTicketService {
}
PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
PermissionTicket ticket = ticketStore.findById(resourceServer, id);
PermissionTicket ticket = ticketStore.findById(resourceServer.getRealm(), resourceServer, id);
if (ticket == null) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
@ -172,7 +171,7 @@ public class PermissionTicketService {
if (!ticket.getOwner().equals(this.identity.getId()) && !this.identity.isResourceServer() && !ticket.getRequester().equals(this.identity.getId()))
throw new ErrorResponseException("not_authorised", "permissions for [" + ticket.getResource() + "] can be deleted only by the owner, the requester, or the resource server", Response.Status.FORBIDDEN);
ticketStore.delete(id);
ticketStore.delete(resourceServer.getRealm(), id);
return Response.noContent().build();
}
@ -192,7 +191,7 @@ public class PermissionTicketService {
Map<PermissionTicket.FilterOption, String> filters = getFilters(storeFactory, resourceId, scopeId, owner, requester, granted);
return Response.ok().entity(permissionTicketStore.find(resourceServer, filters, firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS)
return Response.ok().entity(permissionTicketStore.find(resourceServer.getRealm(), resourceServer, filters, firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS)
.stream()
.map(permissionTicket -> ModelToRepresentation.toRepresentation(permissionTicket, authorization, returnNames == null ? false : returnNames))
.collect(Collectors.toList()))
@ -230,7 +229,7 @@ public class PermissionTicketService {
if (scopeId != null) {
ScopeStore scopeStore = storeFactory.getScopeStore();
Scope scope = scopeStore.findById(resourceServer, scopeId);
Scope scope = scopeStore.findById(resourceServer.getRealm(), resourceServer, scopeId);
if (scope == null) {
scope = scopeStore.findByName(resourceServer, scopeId);

9
services/src/main/java/org/keycloak/authorization/protection/policy/UserManagedPermissionService.java
View file

@ -1,7 +1,6 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -132,7 +131,7 @@ public class UserManagedPermissionService {
}
private Policy getPolicy(@PathParam("policyId") String policyId) {
Policy existing = authorization.getStoreFactory().getPolicyStore().findById(resourceServer, policyId);
Policy existing = authorization.getStoreFactory().getPolicyStore().findById(resourceServer.getRealm(), resourceServer, policyId);
if (existing == null) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Policy with [" + policyId + "] does not exist", Status.NOT_FOUND);
@ -143,7 +142,7 @@ public class UserManagedPermissionService {
private void checkRequest(String resourceId, UmaPermissionRepresentation representation) {
ResourceStore resourceStore = this.authorization.getStoreFactory().getResourceStore();
Resource resource = resourceStore.findById(resourceServer, resourceId);
Resource resource = resourceStore.findById(resourceServer.getRealm(), resourceServer, resourceId);
if (resource == null) {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Resource [" + resourceId + "] cannot be found", Response.Status.BAD_REQUEST);

6
services/src/main/java/org/keycloak/forms/account/freemarker/FreeMarkerAccountProvider.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -186,12 +186,12 @@ public class FreeMarkerAccountProvider implements AccountProvider {
if (!realm.isUserManagedAccessAllowed()) {
return Response.status(Status.FORBIDDEN).build();
}
attributes.put("authorization", new AuthorizationBean(session, user, uriInfo));
attributes.put("authorization", new AuthorizationBean(session, realm, user, uriInfo));
case RESOURCE_DETAIL:
if (!realm.isUserManagedAccessAllowed()) {
return Response.status(Status.FORBIDDEN).build();
}
attributes.put("authorization", new AuthorizationBean(session, user, uriInfo));
attributes.put("authorization", new AuthorizationBean(session, realm, user, uriInfo));
}
return processTemplate(theme, page, attributes, locale);

22
services/src/main/java/org/keycloak/forms/account/freemarker/model/AuthorizationBean.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2017 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -52,6 +52,7 @@ import org.keycloak.services.util.ResolveRelative;
public class AuthorizationBean {
private final KeycloakSession session;
private final RealmModel realm;
private final UserModel user;
private final AuthorizationProvider authorization;
private final UriInfo uriInfo;
@ -61,15 +62,16 @@ public class AuthorizationBean {
private Collection<ResourceBean> requestsWaitingPermission;
private Collection<ResourceBean> resourcesWaitingOthersApproval;
public AuthorizationBean(KeycloakSession session, UserModel user, UriInfo uriInfo) {
public AuthorizationBean(KeycloakSession session, RealmModel realm, UserModel user, UriInfo uriInfo) {
this.session = session;
this.realm = realm;
this.user = user;
this.uriInfo = uriInfo;
authorization = session.getProvider(AuthorizationProvider.class);
List<String> pathParameters = uriInfo.getPathParameters().get("resource_id");
if (pathParameters != null && !pathParameters.isEmpty()) {
Resource resource = authorization.getStoreFactory().getResourceStore().findById(null, pathParameters.get(0));
Resource resource = authorization.getStoreFactory().getResourceStore().findById(realm, null, pathParameters.get(0));
if (resource != null && !resource.getOwner().equals(user.getId())) {
throw new RuntimeException("User [" + user.getUsername() + "] can not access resource [" + resource.getId() + "]");
@ -105,7 +107,7 @@ public class AuthorizationBean {
public List<ResourceBean> getResources() {
if (resources == null) {
resources = authorization.getStoreFactory().getResourceStore().findByOwner(null, user.getId()).stream()
resources = authorization.getStoreFactory().getResourceStore().findByOwner(realm, null, user.getId()).stream()
.filter(Resource::isOwnerManagedAccess)
.map(ResourceBean::new)
.collect(Collectors.toList());
@ -122,7 +124,7 @@ public class AuthorizationBean {
PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
userSharedResources = toResourceRepresentation(ticketStore.find(null, filters, null, null));
userSharedResources = toResourceRepresentation(ticketStore.find(realm,null, filters, null, null));
}
return userSharedResources;
}
@ -140,7 +142,7 @@ public class AuthorizationBean {
}
private ResourceBean getResource(String id) {
return new ResourceBean(authorization.getStoreFactory().getResourceStore().findById(null, id));
return new ResourceBean(authorization.getStoreFactory().getResourceStore().findById(realm, null, id));
}
public static class RequesterBean {
@ -296,6 +298,8 @@ public class AuthorizationBean {
}
public Collection<ManagedPermissionBean> getPolicies() {
ResourceServer resourceServer = getResourceServer().getResourceServerModel();
RealmModel realm = resourceServer.getRealm();
Map<Policy.FilterOption, String[]> filters = new EnumMap<>(Policy.FilterOption.class);
filters.put(Policy.FilterOption.TYPE, new String[] {"uma"});
@ -306,7 +310,7 @@ public class AuthorizationBean {
filters.put(Policy.FilterOption.OWNER, new String[] {getClientOwner().getId()});
}
List<Policy> policies = authorization.getStoreFactory().getPolicyStore().findByResourceServer(getResourceServer().getResourceServerModel(), filters, null, null);
List<Policy> policies = authorization.getStoreFactory().getPolicyStore().find(realm, resourceServer, filters, null, null);
if (policies.isEmpty()) {
return Collections.emptyList();
@ -318,7 +322,7 @@ public class AuthorizationBean {
filters1.put(PermissionTicket.FilterOption.POLICY_ID, policy.getId());
return authorization.getStoreFactory().getPermissionTicketStore().find(resourceServer.getResourceServerModel(), filters1, -1, 1)
return authorization.getStoreFactory().getPermissionTicketStore().find(realm, resourceServer, filters1, -1, 1)
.isEmpty();
})
.map(ManagedPermissionBean::new).collect(Collectors.toList());
@ -370,7 +374,7 @@ public class AuthorizationBean {
}
private List<PermissionTicket> findPermissions(Map<PermissionTicket.FilterOption, String> filters) {
return authorization.getStoreFactory().getPermissionTicketStore().find(null, filters, null, null);
return authorization.getStoreFactory().getPermissionTicketStore().find(realm, null, filters, null, null);
}
public class ResourceServerBean {

32
services/src/main/java/org/keycloak/services/resources/account/AccountFormService.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -115,7 +115,6 @@ import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.function.Predicate;
import java.util.stream.Collectors;
/**
@ -772,7 +771,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
Resource resource = authorization.getStoreFactory().getResourceStore().findById(null, resourceId);
Resource resource = authorization.getStoreFactory().getResourceStore().findById(realm, null, resourceId);
if (resource == null) {
return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
@ -799,7 +798,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
String id = iterator.next();
if (!id.contains(":")) {
policy = policyStore.findById(resourceServer, id);
policy = policyStore.findById(realm, resourceServer, id);
iterator.remove();
break;
}
@ -813,7 +812,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
}
} else {
for (String id : ids) {
scopesToKeep.add(authorization.getStoreFactory().getScopeStore().findById(resourceServer, id.split(":")[1]));
scopesToKeep.add(authorization.getStoreFactory().getScopeStore().findById(realm, resourceServer, id.split(":")[1]));
}
for (Scope scope : policy.getScopes()) {
@ -825,10 +824,10 @@ public class AccountFormService extends AbstractSecuredLocalService {
if (policy.getScopes().isEmpty()) {
for (Policy associated : policy.getAssociatedPolicies()) {
policyStore.delete(associated.getId());
policyStore.delete(realm, associated.getId());
}
policyStore.delete(policy.getId());
policyStore.delete(realm, policy.getId());
}
} else {
Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
@ -842,7 +841,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString());
}
List<PermissionTicket> tickets = ticketStore.find(resource.getResourceServer(), filters, null, null);
List<PermissionTicket> tickets = ticketStore.find(realm, resource.getResourceServer(), filters, null, null);
Iterator<PermissionTicket> iterator = tickets.iterator();
while (iterator.hasNext()) {
@ -865,7 +864,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
}
for (PermissionTicket ticket : tickets) {
ticketStore.delete(ticket.getId());
ticketStore.delete(client.getRealm(), ticket.getId());
}
}
@ -898,7 +897,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
ScopeStore scopeStore = authorization.getStoreFactory().getScopeStore();
Resource resource = authorization.getStoreFactory().getResourceStore().findById(null, resourceId);
Resource resource = authorization.getStoreFactory().getResourceStore().findById(realm, null, resourceId);
ResourceServer resourceServer = resource.getResourceServer();
if (resource == null) {
@ -932,13 +931,13 @@ public class AccountFormService extends AbstractSecuredLocalService {
filters.put(PermissionTicket.FilterOption.OWNER, auth.getUser().getId());
filters.put(PermissionTicket.FilterOption.REQUESTER, user.getId());
List<PermissionTicket> tickets = ticketStore.find(resourceServer, filters, null, null);
List<PermissionTicket> tickets = ticketStore.find(realm, resourceServer, filters, null, null);
final String userId = user.getId();
if (tickets.isEmpty()) {
if (scopes != null && scopes.length > 0) {
for (String scopeId : scopes) {
Scope scope = scopeStore.findById(resourceServer, scopeId);
Scope scope = scopeStore.findById(realm, resourceServer, scopeId);
PermissionTicket ticket = ticketStore.create(resourceServer, resource, scope, userId);
ticket.setGrantedTimestamp(System.currentTimeMillis());
}
@ -963,7 +962,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
grantScopes.removeIf(alreadyGrantedScopes::contains);
for (String scopeId : grantScopes) {
Scope scope = scopeStore.findById(resourceServer, scopeId);
Scope scope = scopeStore.findById(realm, resourceServer, scopeId);
PermissionTicket ticket = ticketStore.create(resourceServer, resource, scope, userId);
ticket.setGrantedTimestamp(System.currentTimeMillis());
}
@ -993,7 +992,7 @@ public class AccountFormService extends AbstractSecuredLocalService {
}
for (String resourceId : resourceIds) {
Resource resource = authorization.getStoreFactory().getResourceStore().findById(null, resourceId);
Resource resource = authorization.getStoreFactory().getResourceStore().findById(realm, null, resourceId);
if (resource == null) {
return ErrorResponse.error("Invalid resource", Response.Status.BAD_REQUEST);
@ -1010,8 +1009,9 @@ public class AccountFormService extends AbstractSecuredLocalService {
filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString());
}
for (PermissionTicket ticket : ticketStore.find(resource.getResourceServer(), filters, null, null)) {
ticketStore.delete(ticket.getId());
RealmModel realm = resource.getResourceServer().getRealm();
for (PermissionTicket ticket : ticketStore.find(realm, resource.getResourceServer(), filters, null, null)) {
ticketStore.delete(realm, ticket.getId());
}
}

15
services/src/main/java/org/keycloak/services/resources/account/resources/ResourceService.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -39,6 +39,7 @@ import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.models.AccountRoles;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
import org.keycloak.services.managers.Auth;
@ -87,7 +88,7 @@ public class ResourceService extends AbstractResourceService {
filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString());
filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
Collection<ResourcePermission> resources = toPermissions(ticketStore.find(null, filters, null, null));
Collection<ResourcePermission> resources = toPermissions(ticketStore.find(resourceServer.getRealm(), resourceServer, filters, null, null));
Collection<Permission> permissions = Collections.EMPTY_LIST;
if (!resources.isEmpty()) {
@ -127,15 +128,17 @@ public class ResourceService extends AbstractResourceService {
}
Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
RealmModel realm = resourceServer.getRealm();
filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
for (Permission permission : permissions) {
UserModel user = getUser(permission.getUsername());
filters.put(PermissionTicket.FilterOption.REQUESTER, user.getId());
List<PermissionTicket> tickets = ticketStore.find(resource.getResourceServer(), filters, null, null);
List<PermissionTicket> tickets = ticketStore.find(realm, resourceServer, filters, null, null);
// grants all requested permissions
if (tickets.isEmpty()) {
@ -171,7 +174,7 @@ public class ResourceService extends AbstractResourceService {
// remove all tickets that are not within the requested permissions
for (PermissionTicket ticket : tickets) {
ticketStore.delete(ticket.getId());
ticketStore.delete(realm, ticket.getId());
}
}
}
@ -196,7 +199,7 @@ public class ResourceService extends AbstractResourceService {
Map<String, Permission> requests = new HashMap<>();
for (PermissionTicket ticket : ticketStore.find(null, filters, null, null)) {
for (PermissionTicket ticket : ticketStore.find(resourceServer.getRealm(), resourceServer, filters, null, null)) {
requests.computeIfAbsent(ticket.getRequester(), requester -> new Permission(ticket, provider)).addScope(ticket.getScope().getName());
}
@ -213,7 +216,7 @@ public class ResourceService extends AbstractResourceService {
org.keycloak.authorization.model.Scope scope = scopeStore.findByName(resourceServer, scopeId);
if (scope == null) {
scope = scopeStore.findById(resourceServer, scopeId);
scope = scopeStore.findById(resourceServer.getRealm(), resourceServer, scopeId);
}
return scope;

10
services/src/main/java/org/keycloak/services/resources/account/resources/ResourcesService.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -73,7 +73,7 @@ public class ResourcesService extends AbstractResourceService {
filters.put(org.keycloak.authorization.model.Resource.FilterOption.NAME, new String[] { name });
}
return queryResponse((f, m) -> resourceStore.findByResourceServer(null, filters, f, m).stream()
return queryResponse((f, m) -> resourceStore.find(auth.getRealm(), null, filters, f, m).stream()
.map(resource -> new Resource(resource, user, provider)), first, max);
}
@ -123,7 +123,7 @@ public class ResourcesService extends AbstractResourceService {
filters.put(PermissionTicket.FilterOption.REQUESTER, user.getId());
filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString());
final List<PermissionTicket> permissionTickets = ticketStore.find(null, filters, null, null);
final List<PermissionTicket> permissionTickets = ticketStore.find(auth.getRealm(), null, filters, null, null);
final List<ResourcePermission> resourceList = new ArrayList<>(permissionTickets.size());
for (PermissionTicket ticket : permissionTickets) {
@ -138,7 +138,7 @@ public class ResourcesService extends AbstractResourceService {
@Path("{id}")
public Object getResource(@PathParam("id") String id) {
org.keycloak.authorization.model.Resource resource = resourceStore.findById(null, id);
org.keycloak.authorization.model.Resource resource = resourceStore.findById(auth.getRealm(), null, id);
if (resource == null) {
throw new NotFoundException("resource_not_found");
@ -167,7 +167,7 @@ public class ResourcesService extends AbstractResourceService {
filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString());
filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
tickets = ticketStore.find(resource.getResourceServer(), filters, null, null);
tickets = ticketStore.find(auth.getRealm(), resource.getResourceServer(), filters, null, null);
} else {
tickets = ticketStore.findGranted(resource.getResourceServer(), resource.getName(), user.getId());
}

6
services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -165,7 +165,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM
private void deletePolicy(String name, ResourceServer server) {
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, name);
if (policy != null) {
authz.getStoreFactory().getPolicyStore().delete(policy.getId());
authz.getStoreFactory().getPolicyStore().delete(server.getRealm(), policy.getId());
}
}
@ -181,7 +181,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM
deletePolicy(getConfigurePermissionName(client), server);
deletePolicy(getExchangeToPermissionName(client), server);
Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(client));;
if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId());
if (resource != null) authz.getStoreFactory().getResourceStore().delete(server.getRealm(), resource.getId());
}
@Override

18
services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -28,6 +28,7 @@ import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.common.Profile;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.GroupModel;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.services.ForbiddenException;
@ -443,27 +444,30 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
private void deletePermissions(GroupModel group) {
ResourceServer server = root.realmResourceServer();
if (server == null) return;
RealmModel realm = server.getRealm();
Policy managePermission = managePermission(group);
if (managePermission != null) {
policyStore.delete(managePermission.getId());
policyStore.delete(realm, managePermission.getId());
}
Policy viewPermission = viewPermission(group);
if (viewPermission != null) {
policyStore.delete(viewPermission.getId());
policyStore.delete(realm, viewPermission.getId());
}
Policy manageMembersPermission = manageMembersPermission(group);
if (manageMembersPermission != null) {
policyStore.delete(manageMembersPermission.getId());
policyStore.delete(realm, manageMembersPermission.getId());
}
Policy viewMembersPermission = viewMembersPermission(group);
if (viewMembersPermission != null) {
policyStore.delete(viewMembersPermission.getId());
policyStore.delete(realm, viewMembersPermission.getId());
}
Policy manageMembershipPermission = manageMembershipPermission(group);
if (manageMembershipPermission != null) {
policyStore.delete(manageMembershipPermission.getId());
policyStore.delete(realm, manageMembershipPermission.getId());
}
Resource resource = groupResource(group);
if (resource != null) resourceStore.delete(resource.getId());
if (resource != null) resourceStore.delete(realm, resource.getId());
}
}

6
services/src/main/java/org/keycloak/services/resources/admin/permissions/IdentityProviderPermissions.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -91,7 +91,7 @@ class IdentityProviderPermissions implements IdentityProviderPermissionManageme
private void deletePolicy(String name, ResourceServer server) {
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(server, name);
if (policy != null) {
authz.getStoreFactory().getPolicyStore().delete(policy.getId());
authz.getStoreFactory().getPolicyStore().delete(server.getRealm(), policy.getId());
}
}
@ -101,7 +101,7 @@ class IdentityProviderPermissions implements IdentityProviderPermissionManageme
if (server == null) return;
deletePolicy(getExchangeToPermissionName(idp), server);
Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getResourceName(idp));;
if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId());
if (resource != null) authz.getStoreFactory().getResourceStore().delete(server.getRealm(), resource.getId());
}
@Override

13
services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -74,15 +74,18 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
private void disablePermissions(RoleModel role) {
ResourceServer server = resourceServer(role);
if (server == null) return;
RealmModel realm = server.getRealm();
Policy policy = mapRolePermission(role);
if (policy != null) authz.getStoreFactory().getPolicyStore().delete(policy.getId());
if (policy != null) authz.getStoreFactory().getPolicyStore().delete(realm, policy.getId());
policy = mapClientScopePermission(role);
if (policy != null) authz.getStoreFactory().getPolicyStore().delete(policy.getId());
if (policy != null) authz.getStoreFactory().getPolicyStore().delete(realm, policy.getId());
policy = mapCompositePermission(role);
if (policy != null) authz.getStoreFactory().getPolicyStore().delete(policy.getId());
if (policy != null) authz.getStoreFactory().getPolicyStore().delete(realm, policy.getId());
Resource resource = authz.getStoreFactory().getResourceStore().findByName(server, getRoleResourceName(role));
if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId());
if (resource != null) authz.getStoreFactory().getResourceStore().delete(realm, resource.getId());
}
@Override

20
services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -35,6 +35,7 @@ import org.keycloak.models.ClientModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.ImpersonationConstants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.services.ForbiddenException;
@ -526,39 +527,42 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
private void deletePermissionSetup() {
ResourceServer server = root.realmResourceServer();
if (server == null) return;
RealmModel realm = server.getRealm();
Policy policy = managePermission();
if (policy != null) {
policyStore.delete(policy.getId());
policyStore.delete(realm, policy.getId());
}
policy = viewPermission();
if (policy != null) {
policyStore.delete(policy.getId());
policyStore.delete(realm, policy.getId());
}
policy = mapRolesPermission();
if (policy != null) {
policyStore.delete(policy.getId());
policyStore.delete(realm, policy.getId());
}
policy = manageGroupMembershipPermission();
if (policy != null) {
policyStore.delete(policy.getId());
policyStore.delete(realm, policy.getId());
}
policy = adminImpersonatingPermission();
if (policy != null) {
policyStore.delete(policy.getId());
policyStore.delete(realm, policy.getId());
}
policy = userImpersonatedPermission();
if (policy != null) {
policyStore.delete(policy.getId());
policyStore.delete(realm, policy.getId());
}
Resource usersResource = resourceStore.findByName(server, USERS_RESOURCE);
if (usersResource != null) {
resourceStore.delete(usersResource.getId());
resourceStore.delete(realm, usersResource.getId());
}
}

28
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UmaRepresentationTest.java
View file

@ -1,3 +1,20 @@
/*
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.authz;
import org.junit.Assert;
@ -9,6 +26,7 @@ import org.keycloak.forms.account.freemarker.model.AuthorizationBean;
import org.keycloak.forms.account.freemarker.model.AuthorizationBean.ResourceBean;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.*;
@ -134,10 +152,11 @@ public class UmaRepresentationTest extends AbstractResourceServerTest {
}
public static void testCanRepresentResourceBeanOfResourceOwnedByUser(KeycloakSession session) {
session.getContext().setRealm(session.realms().getRealmByName("authz-test"));
RealmModel realm = session.realms().getRealmByName("authz-test");
session.getContext().setRealm(realm);
AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
AuthorizationBean authorizationBean = new AuthorizationBean(session, null, session.getContext().getUri());
AuthorizationBean authorizationBean = new AuthorizationBean(session, realm, null, session.getContext().getUri());
ClientModel client = session.getContext().getRealm().getClientByClientId("resource-server-test");
UserModel user = session.userStorageManager().getUserByUsername(session.getContext().getRealm(), "marta");
ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findByClient(client);
@ -161,10 +180,11 @@ public class UmaRepresentationTest extends AbstractResourceServerTest {
}
public static void testCanRepresentResourceBeanOfResourceOwnedByClient(KeycloakSession session) {
session.getContext().setRealm(session.realms().getRealmByName("authz-test"));
RealmModel realm = session.realms().getRealmByName("authz-test");
session.getContext().setRealm(realm);
AuthorizationProvider authorization = session.getProvider(AuthorizationProvider.class);
AuthorizationBean authorizationBean = new AuthorizationBean(session, null, session.getContext().getUri());
AuthorizationBean authorizationBean = new AuthorizationBean(session, realm, null, session.getContext().getUri());
ClientModel client = session.getContext().getRealm().getClientByClientId("resource-server-test");
ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findByClient(client);
ResourceBean resourceBean = authorizationBean.new ResourceBean(

20
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/UserManagedPermissionServiceTest.java
View file

@ -1,5 +1,5 @@
/*
* Copyright 2018 Red Hat, Inc. and/or its affiliates
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -580,11 +580,11 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
PolicyStore policyStore = provider.getStoreFactory().getPolicyStore();
List<Policy> policies = policyStore
.findByResourceServer(resourceServer, filters, null, null);
.find(realm, resourceServer, filters, null, null);
assertTrue(policies.isEmpty());
policies = policyStore
.findByResourceServer(resourceServer, Collections.emptyMap(), null, null);
.find(realm, resourceServer, Collections.emptyMap(), null, null);
assertTrue(policies.isEmpty());
}
@ -1007,7 +1007,7 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
filters.put(OWNER, new String[] {user.getId()});
List<Policy> policies = provider.getStoreFactory().getPolicyStore()
.findByResourceServer(resourceServer, filters, null, null);
.find(realm, resourceServer, filters, null, null);
assertEquals(1, policies.size());
Policy policy = policies.get(0);
@ -1016,13 +1016,13 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
Resource resource = policy.getResources().iterator().next();
assertEquals("Resource A", resource.getName());
provider.getStoreFactory().getResourceStore().delete(resource.getId());
provider.getStoreFactory().getResourceStore().delete(realm, resource.getId());
filters = new HashMap<>();
filters.put(OWNER, new String[] {user.getId()});
policies = provider.getStoreFactory().getPolicyStore()
.findByResourceServer(resourceServer, filters, null, null);
.find(realm, resourceServer, filters, null, null);
assertTrue(policies.isEmpty());
}
@ -1061,7 +1061,7 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
filters.put(OWNER, new String[] {user.getId()});
List<Policy> policies = provider.getStoreFactory().getPolicyStore()
.findByResourceServer(resourceServer, filters, null, null);
.find(realm, resourceServer, filters, null, null);
assertEquals(1, policies.size());
Policy policy = policies.get(0);
@ -1077,7 +1077,7 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
filters.put(OWNER, new String[] {user.getId()});
policies = provider.getStoreFactory().getPolicyStore()
.findByResourceServer(resourceServer, filters, null, null);
.find(realm, resourceServer, filters, null, null);
assertTrue(policies.isEmpty());
}
@ -1116,7 +1116,7 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
filters.put(OWNER, new String[] {user.getId()});
List<Policy> policies = provider.getStoreFactory().getPolicyStore()
.findByResourceServer(resourceServer, filters, null, null);
.find(realm, resourceServer, filters, null, null);
assertEquals(1, policies.size());
Policy policy = policies.get(0);
@ -1132,7 +1132,7 @@ public class UserManagedPermissionServiceTest extends AbstractResourceServerTest
filters.put(OWNER, new String[] {user.getId()});
policies = provider.getStoreFactory().getPolicyStore()
.findByResourceServer(resourceServer, filters, null, null);
.find(realm, resourceServer, filters, null, null);
assertTrue(policies.isEmpty());
}