[KEYCLOAK-3135] - Role and user policies apis

This commit is contained in:
Pedro Igor 2017-04-12 00:40:03 -03:00
parent 54ebc1918c
commit eec712a259
45 changed files with 1036 additions and 444 deletions

View file

@ -1,63 +0,0 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package org.keycloak.authorization.policy.provider.aggregated;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import java.util.ArrayList;
import java.util.List;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class AggregatePolicyAdminResource implements PolicyProviderAdminService {
@Override
public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
verifyCircularReference(policy, new ArrayList<>());
}
@Override
public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
verifyCircularReference(policy, new ArrayList<>());
}
private void verifyCircularReference(Policy policy, List<String> ids) {
if (!policy.getType().equals("aggregate")) {
return;
}
if (ids.contains(policy.getId())) {
throw new RuntimeException("Circular reference found [" + policy.getName() + "].");
}
ids.add(policy.getId());
for (Policy associated : policy.getAssociatedPolicies()) {
verifyCircularReference(associated, ids);
}
}
@Override
public void onRemove(Policy policy) {
}
}

View file

@ -17,19 +17,24 @@
*/
package org.keycloak.authorization.policy.provider.aggregated;
import java.util.ArrayList;
import java.util.List;
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class AggregatePolicyProviderFactory implements PolicyProviderFactory {
public class AggregatePolicyProviderFactory implements PolicyProviderFactory<PolicyRepresentation> {
private AggregatePolicyProvider provider = new AggregatePolicyProvider();
@ -50,7 +55,7 @@ public class AggregatePolicyProviderFactory implements PolicyProviderFactory {
@Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return new AggregatePolicyAdminResource();
return null;
}
@Override
@ -58,6 +63,37 @@ public class AggregatePolicyProviderFactory implements PolicyProviderFactory {
return null;
}
@Override
public void onCreate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
verifyCircularReference(policy, new ArrayList<>());
}
@Override
public void onUpdate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
verifyCircularReference(policy, new ArrayList<>());
}
private void verifyCircularReference(Policy policy, List<String> ids) {
if (!policy.getType().equals("aggregate")) {
return;
}
if (ids.contains(policy.getId())) {
throw new RuntimeException("Circular reference found [" + policy.getName() + "].");
}
ids.add(policy.getId());
for (Policy associated : policy.getAssociatedPolicies()) {
verifyCircularReference(associated, ids);
}
}
@Override
public void onRemove(Policy policy, AuthorizationProvider authorization) {
}
@Override
public void init(Config.Scope config) {

View file

@ -5,13 +5,10 @@ import java.util.Map;
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
/**
@ -48,46 +45,41 @@ public class ResourcePolicyProviderFactory implements PolicyProviderFactory<Reso
}
@Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return new PolicyProviderAdminService() {
@Override
public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
updateResourceType(policy, representation);
}
@Override
public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
updateResourceType(policy, representation);
}
private void updateResourceType(Policy policy, AbstractPolicyRepresentation representation) {
if (representation != null) {
//TODO: remove this check once we migrate to new API
if (ResourcePermissionRepresentation.class.equals(representation.getClass())) {
ResourcePermissionRepresentation resourcePermission = ResourcePermissionRepresentation.class.cast(representation);
Map<String, String> config = policy.getConfig();
config.compute("defaultResourceType", (key, value) -> {
String resourceType = resourcePermission.getResourceType();
return resourceType != null ? resourcePermission.getResourceType() : null;
});
policy.setConfig(config);
}
}
}
@Override
public void onRemove(Policy policy) {
}
};
public PolicyProvider create(KeycloakSession session) {
return null;
}
@Override
public PolicyProvider create(KeycloakSession session) {
return null;
public void onCreate(Policy policy, ResourcePermissionRepresentation representation, AuthorizationProvider authorization) {
updateResourceType(policy, representation);
}
@Override
public void onUpdate(Policy policy, ResourcePermissionRepresentation representation, AuthorizationProvider authorization) {
updateResourceType(policy, representation);
}
private void updateResourceType(Policy policy, ResourcePermissionRepresentation representation) {
if (representation != null) {
//TODO: remove this check once we migrate to new API
if (ResourcePermissionRepresentation.class.equals(representation.getClass())) {
ResourcePermissionRepresentation resourcePermission = ResourcePermissionRepresentation.class.cast(representation);
Map<String, String> config = policy.getConfig();
config.compute("defaultResourceType", (key, value) -> {
String resourceType = resourcePermission.getResourceType();
return resourceType != null ? resourcePermission.getResourceType() : null;
});
policy.setConfig(config);
}
}
}
@Override
public void onRemove(Policy policy, AuthorizationProvider authorization) {
}
@Override

View file

@ -35,18 +35,23 @@ import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleContainerModel.RoleRemovedEvent;
import org.keycloak.models.RoleModel;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
import org.keycloak.util.JsonSerialization;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class RolePolicyProviderFactory implements PolicyProviderFactory {
public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePolicyRepresentation> {
private RolePolicyProvider provider = new RolePolicyProvider();
@ -75,6 +80,107 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory {
return new RolePolicyProvider();
}
@Override
public RolePolicyRepresentation toRepresentation(Policy policy, RolePolicyRepresentation representation) {
try {
representation.setRoles(JsonSerialization.readValue(policy.getConfig().get("roles"), Set.class));
} catch (IOException cause) {
throw new RuntimeException("Failed to deserialize roles", cause);
}
return representation;
}
@Override
public Class<RolePolicyRepresentation> getRepresentationType() {
return RolePolicyRepresentation.class;
}
@Override
public void onCreate(Policy policy, RolePolicyRepresentation representation, AuthorizationProvider authorization) {
updateRoles(policy, representation, authorization);
}
@Override
public void onUpdate(Policy policy, RolePolicyRepresentation representation, AuthorizationProvider authorization) {
updateRoles(policy, representation, authorization);
}
@Override
public void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
try {
updateRoles(policy, authorization, new HashSet<>(Arrays.asList(JsonSerialization.readValue(representation.getConfig().get("roles"), RolePolicyRepresentation.RoleDefinition[].class))));
} catch (IOException cause) {
throw new RuntimeException("Failed to deserialize roles during import", cause);
}
}
private void updateRoles(Policy policy, RolePolicyRepresentation representation, AuthorizationProvider authorization) {
updateRoles(policy, authorization, representation.getRoles());
}
private void updateRoles(Policy policy, AuthorizationProvider authorization, Set<RolePolicyRepresentation.RoleDefinition> roles) {
try {
RealmModel realm = authorization.getRealm();
Set<RolePolicyRepresentation.RoleDefinition> updatedRoles = new HashSet<>();
if (roles != null) {
for (RolePolicyRepresentation.RoleDefinition definition : roles) {
String roleName = definition.getId();
String clientId = null;
int clientIdSeparator = roleName.indexOf("/");
if (clientIdSeparator != -1) {
clientId = roleName.substring(0, clientIdSeparator);
roleName = roleName.substring(clientIdSeparator + 1);
}
RoleModel role;
if (clientId == null) {
role = realm.getRole(roleName);
if (role == null) {
role = realm.getRoleById(roleName);
}
} else {
ClientModel client = realm.getClientByClientId(clientId);
if (client == null) {
throw new RuntimeException("Client with id [" + clientId + "] not found.");
}
role = client.getRole(roleName);
}
// fallback to find any client role with the given name
if (role == null) {
String finalRoleName = roleName;
role = realm.getClients().stream().map(clientModel -> clientModel.getRole(finalRoleName)).filter(roleModel -> roleModel != null)
.findFirst().orElse(null);
}
if (role == null) {
throw new RuntimeException("Error while importing configuration. Role [" + roleName + "] could not be found.");
}
definition.setId(role.getId());
updatedRoles.add(definition);
}
try {
} catch (Exception e) {
throw new RuntimeException("Error while updating policy [" + policy.getName() + "].", e);
}
}
Map<String, String> config = policy.getConfig();
config.put("roles", JsonSerialization.writeValueAsString(updatedRoles));
policy.setConfig(config);
} catch (IOException cause) {
throw new RuntimeException("Failed to deserialize roles", cause);
}
}
@Override
public void init(Config.Scope config) {

View file

@ -18,46 +18,11 @@
package org.keycloak.authorization.policy.provider.time;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import java.text.SimpleDateFormat;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class TimePolicyAdminResource implements PolicyProviderAdminService {
@Override
public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
validateConfig(policy);
}
private void validateConfig(Policy policy) {
String nbf = policy.getConfig().get("nbf");
String noa = policy.getConfig().get("noa");
if (nbf != null && noa != null) {
validateFormat(nbf);
validateFormat(noa);
}
}
@Override
public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
validateConfig(policy);
}
@Override
public void onRemove(Policy policy) {
}
private void validateFormat(String date) {
try {
new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(date));
} catch (Exception e) {
throw new RuntimeException("Could not parse a date using format [" + date + "]");
}
}
}

View file

@ -1,18 +1,22 @@
package org.keycloak.authorization.policy.provider.time;
import java.text.SimpleDateFormat;
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class TimePolicyProviderFactory implements PolicyProviderFactory {
public class TimePolicyProviderFactory implements PolicyProviderFactory<PolicyRepresentation> {
private TimePolicyProvider provider = new TimePolicyProvider();
@ -41,6 +45,38 @@ public class TimePolicyProviderFactory implements PolicyProviderFactory {
return null;
}
@Override
public void onCreate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
validateConfig(policy);
}
private void validateConfig(Policy policy) {
String nbf = policy.getConfig().get("nbf");
String noa = policy.getConfig().get("noa");
if (nbf != null && noa != null) {
validateFormat(nbf);
validateFormat(noa);
}
}
@Override
public void onUpdate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
validateConfig(policy);
}
@Override
public void onRemove(Policy policy, AuthorizationProvider authorization) {
}
private void validateFormat(String date) {
try {
new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(date));
} catch (Exception e) {
throw new RuntimeException("Could not parse a date using format [" + date + "]");
}
}
@Override
public void init(Config.Scope config) {

View file

@ -20,14 +20,16 @@ package org.keycloak.authorization.policy.provider.user;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
@ -37,12 +39,14 @@ import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserModel.UserRemovedEvent;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
import org.keycloak.util.JsonSerialization;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class UserPolicyProviderFactory implements PolicyProviderFactory {
public class UserPolicyProviderFactory implements PolicyProviderFactory<UserPolicyRepresentation> {
private UserPolicyProvider provider = new UserPolicyProvider();
@ -62,13 +66,80 @@ public class UserPolicyProviderFactory implements PolicyProviderFactory {
}
@Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
public PolicyProvider create(KeycloakSession session) {
return null;
}
@Override
public PolicyProvider create(KeycloakSession session) {
return null;
public UserPolicyRepresentation toRepresentation(Policy policy, UserPolicyRepresentation representation) {
try {
representation.setUsers(JsonSerialization.readValue(policy.getConfig().get("users"), Set.class));
} catch (IOException cause) {
throw new RuntimeException("Failed to deserialize roles", cause);
}
return representation;
}
@Override
public Class<UserPolicyRepresentation> getRepresentationType() {
return UserPolicyRepresentation.class;
}
@Override
public void onCreate(Policy policy, UserPolicyRepresentation representation, AuthorizationProvider authorization) {
updateUsers(policy, representation, authorization);
}
@Override
public void onUpdate(Policy policy, UserPolicyRepresentation representation, AuthorizationProvider authorization) {
updateUsers(policy, representation, authorization);
}
@Override
public void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
try {
updateUsers(policy, authorization, JsonSerialization.readValue(representation.getConfig().get("users"), Set.class));
} catch (IOException cause) {
throw new RuntimeException("Failed to deserialize users during import", cause);
}
}
private void updateUsers(Policy policy, UserPolicyRepresentation representation, AuthorizationProvider authorization) {
updateUsers(policy, authorization, representation.getUsers());
}
private void updateUsers(Policy policy, AuthorizationProvider authorization, Set<String> users) {
try {
KeycloakSession session = authorization.getKeycloakSession();
RealmModel realm = authorization.getRealm();
Set<String> updatedRoles = new HashSet<>();
if (users != null) {
for (String userId : users) {
UserModel user = session.users().getUserByUsername(userId, realm);
if (user == null) {
user = session.users().getUserById(userId, realm);
}
if (user == null) {
throw new RuntimeException("Error while importing configuration. User [" + userId + "] could not be found.");
}
updatedRoles.add(user.getId());
}
try {
} catch (Exception e) {
throw new RuntimeException("Error while updating policy [" + policy.getName() + "].", e);
}
}
Map<String, String> config = policy.getConfig();
config.put("users", JsonSerialization.writeValueAsString(updatedRoles));
policy.setConfig(config);
} catch (IOException cause) {
throw new RuntimeException("Failed to deserialize roles", cause);
}
}
@Override

View file

@ -16,9 +16,7 @@
*/
package org.keycloak.authorization.policy.provider.drools;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.kie.api.runtime.KieContainer;
@ -39,21 +37,6 @@ public class DroolsPolicyAdminResource implements PolicyProviderAdminService {
this.factory = factory;
}
@Override
public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
this.factory.update(policy);
}
@Override
public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
this.factory.update(policy);
}
@Override
public void onRemove(Policy policy) {
this.factory.remove(policy);
}
@Path("/resolveModules")
@POST
@Consumes("application/json")

View file

@ -13,6 +13,8 @@ import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.kie.api.KieServices;
import org.kie.api.KieServices.Factory;
import org.kie.api.runtime.KieContainer;
@ -58,6 +60,26 @@ public class DroolsPolicyProviderFactory implements PolicyProviderFactory {
return null;
}
@Override
public void onCreate(Policy policy, AbstractPolicyRepresentation representation, AuthorizationProvider authorization) {
update(policy);
}
@Override
public void onUpdate(Policy policy, AbstractPolicyRepresentation representation, AuthorizationProvider authorization) {
update(policy);
}
@Override
public void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
update(policy);
}
@Override
public void onRemove(Policy policy, AuthorizationProvider authorization) {
remove(policy);
}
@Override
public void init(Config.Scope config) {
this.ks = Factory.get();

View file

@ -0,0 +1,74 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.representations.idm.authorization;
import java.util.HashSet;
import java.util.Set;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class RolePolicyRepresentation extends AbstractPolicyRepresentation {
private Set<RoleDefinition> roles;
public Set<RoleDefinition> getRoles() {
return roles;
}
public void setRoles(Set<RoleDefinition> roles) {
this.roles = roles;
}
public void addRole(String name, boolean required) {
if (roles == null) {
roles = new HashSet<>();
}
roles.add(new RoleDefinition(name, required));
}
public static class RoleDefinition {
private String id;
private boolean required;
public RoleDefinition() {
this(null, false);
}
public RoleDefinition(String id, boolean required) {
this.id = id;
this.required = required;
}
public String getId() {
return id;
}
public void setId(String id) {
this.id = id;
}
public boolean isRequired() {
return required;
}
public void setRequired(boolean required) {
this.required = required;
}
}
}

View file

@ -0,0 +1,43 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.representations.idm.authorization;
import java.util.HashSet;
import java.util.Set;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class UserPolicyRepresentation extends AbstractPolicyRepresentation {
private Set<String> users;
public Set<String> getUsers() {
return users;
}
public void setUsers(Set<String> users) {
this.users= users;
}
public void addUser(String name) {
if (users == null) {
users = new HashSet<>();
}
users.add(name);
}
}

View file

@ -69,4 +69,9 @@ public interface PoliciesResource {
@Path("evaluate")
PolicyEvaluationResponse evaluate(PolicyEvaluationRequest evaluationRequest);
@Path("role")
RolePoliciesResource roles();
@Path("user")
UserPoliciesResource users();
}

View file

@ -0,0 +1,42 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.admin.client.resource;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public interface RolePoliciesResource {
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
Response create(RolePolicyRepresentation representation);
@Path("{id}")
RolePolicyResource findById(@PathParam("id") String id);
}

View file

@ -0,0 +1,69 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.admin.client.resource;
import java.util.List;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public interface RolePolicyResource {
@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
RolePolicyRepresentation toRepresentation();
@PUT
@Consumes(MediaType.APPLICATION_JSON)
void update(RolePolicyRepresentation representation);
@DELETE
void remove();
@Path("/associatedPolicies")
@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
List<PolicyRepresentation> associatedPolicies();
@Path("/dependentPolicies")
@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
List<PolicyRepresentation> dependentPolicies();
@Path("/resources")
@GET
@Produces("application/json")
@NoCache
List<ResourceRepresentation> resources();
}

View file

@ -0,0 +1,42 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.admin.client.resource;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public interface UserPoliciesResource {
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
Response create(UserPolicyRepresentation representation);
@Path("{id}")
UserPolicyResource findById(@PathParam("id") String id);
}

View file

@ -0,0 +1,69 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.admin.client.resource;
import java.util.List;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public interface UserPolicyResource {
@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
UserPolicyRepresentation toRepresentation();
@PUT
@Consumes(MediaType.APPLICATION_JSON)
void update(UserPolicyRepresentation representation);
@DELETE
void remove();
@Path("/associatedPolicies")
@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
List<PolicyRepresentation> associatedPolicies();
@Path("/dependentPolicies")
@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
List<PolicyRepresentation> dependentPolicies();
@Path("/resources")
@GET
@Produces("application/json")
@NoCache
List<ResourceRepresentation> resources();
}

View file

@ -54,15 +54,14 @@ public class CachedPolicyStore implements PolicyStore {
private static final String POLICY_ID_CACHE_PREFIX = "policy-id-";
private final Cache<String, Map<String, List<CachedPolicy>>> cache;
private final KeycloakSession session;
private final CachedStoreFactoryProvider cacheStoreFactory;
private final CacheTransaction transaction;
private final List<String> cacheKeys;
private StoreFactory storeFactory;
private final StoreFactory storeFactory;
private PolicyStore delegate;
private CachedStoreFactoryProvider cachedStoreFactory;
public CachedPolicyStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
this.session = session;
public CachedPolicyStore(KeycloakSession session, CachedStoreFactoryProvider cacheStoreFactory, CacheTransaction transaction, StoreFactory delegate) {
this.cacheStoreFactory = cacheStoreFactory;
this.transaction = transaction;
InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
@ -71,7 +70,7 @@ public class CachedPolicyStore implements PolicyStore {
cacheKeys.add("findByResourceType");
cacheKeys.add("findByScopeIds");
cacheKeys.add("findByType");
this.storeFactory = storeFactory;
this.storeFactory = delegate;
}
@Override
@ -405,10 +404,7 @@ public class CachedPolicyStore implements PolicyStore {
}
private CachedStoreFactoryProvider getCachedStoreFactory() {
if (cachedStoreFactory == null) {
cachedStoreFactory = session.getProvider(CachedStoreFactoryProvider.class);
}
return cachedStoreFactory;
return cacheStoreFactory;
}
private void invalidateCache(String resourceServerId) {

View file

@ -41,18 +41,16 @@ public class CachedResourceServerStore implements ResourceServerStore {
private static final String RS_ID_CACHE_PREFIX = "rs-id-";
private static final String RS_CLIENT_ID_CACHE_PREFIX = "rs-client-id-";
private final KeycloakSession session;
private final CacheTransaction transaction;
private StoreFactory storeFactory;
private ResourceServerStore delegate;
private final Cache<String, Map<String, List<CachedResourceServer>>> cache;
public CachedResourceServerStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
this.session = session;
public CachedResourceServerStore(KeycloakSession session, CacheTransaction transaction, StoreFactory delegate) {
this.transaction = transaction;
InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
this.storeFactory = storeFactory;
this.storeFactory = delegate;
}
@Override

View file

@ -50,14 +50,16 @@ public class CachedResourceStore implements ResourceStore {
private static final String RESOURCE_NAME_CACHE_PREFIX = "rsc-name-";
private final KeycloakSession session;
private final CachedStoreFactoryProvider cacheStoreFactory;
private final CacheTransaction transaction;
private final List<String> cacheKeys;
private StoreFactory storeFactory;
private ResourceStore delegate;
private final Cache<String, Map<String, List<CachedResource>>> cache;
public CachedResourceStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
public CachedResourceStore(KeycloakSession session, CachedStoreFactoryProvider cacheStoreFactory, CacheTransaction transaction, StoreFactory delegate) {
this.session = session;
this.cacheStoreFactory = cacheStoreFactory;
InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
this.transaction = transaction;
@ -65,7 +67,7 @@ public class CachedResourceStore implements ResourceStore {
cacheKeys.add("findByOwner");
cacheKeys.add("findByUri");
cacheKeys.add("findByName");
this.storeFactory = storeFactory;
this.storeFactory = delegate;
}
@Override
@ -293,7 +295,7 @@ public class CachedResourceStore implements ResourceStore {
}
private CachedStoreFactoryProvider getCachedStoreFactory() {
return session.getProvider(CachedStoreFactoryProvider.class);
return cacheStoreFactory;
}
private List<Resource> cacheResult(String resourceServerId, String key, Supplier<List<Resource>> provider) {

View file

@ -44,17 +44,17 @@ public class CachedScopeStore implements ScopeStore {
private static final String SCOPE_NAME_CACHE_PREFIX = "scp-name-";
private final Cache<String, Map<String, List<CachedScope>>> cache;
private final KeycloakSession session;
private final CachedStoreFactoryProvider cacheStoreFactory;
private final CacheTransaction transaction;
private ScopeStore delegate;
private StoreFactory storeFactory;
public CachedScopeStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
this.session = session;
public CachedScopeStore(KeycloakSession session, CachedStoreFactoryProvider cacheStoreFactory, CacheTransaction transaction, StoreFactory delegate) {
this.cacheStoreFactory = cacheStoreFactory;
this.transaction = transaction;
InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
this.storeFactory = storeFactory;
this.storeFactory = delegate;
}
@Override
@ -220,7 +220,7 @@ public class CachedScopeStore implements ScopeStore {
}
private CachedStoreFactoryProvider getCachedStoreFactory() {
return session.getProvider(CachedStoreFactoryProvider.class);
return cacheStoreFactory;
}
private void invalidateCache(String resourceServerId) {

View file

@ -18,6 +18,11 @@
package org.keycloak.models.authorization.infinispan;
import java.util.ArrayList;
import java.util.List;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.store.AuthorizationStoreFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
@ -27,9 +32,6 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakTransaction;
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
import java.util.ArrayList;
import java.util.List;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
@ -37,21 +39,22 @@ public class InfinispanStoreFactoryProvider implements CachedStoreFactoryProvide
private final KeycloakSession session;
private final CacheTransaction transaction;
private final StoreFactory storeFactory;
private final StoreFactory delegate;
private final CachedResourceStore resourceStore;
private final CachedScopeStore scopeStore;
private final CachedPolicyStore policyStore;
private ResourceServerStore resourceServerStore;
InfinispanStoreFactoryProvider(KeycloakSession delegate) {
this.session = delegate;
public InfinispanStoreFactoryProvider(AuthorizationProvider authorizationProvider) {
this.session = authorizationProvider.getKeycloakSession();
this.transaction = new CacheTransaction();
this.session.getTransactionManager().enlistAfterCompletion(transaction);
storeFactory = this.session.getProvider(StoreFactory.class);
resourceStore = new CachedResourceStore(this.session, this.transaction, storeFactory);
resourceServerStore = new CachedResourceServerStore(this.session, this.transaction, storeFactory);
scopeStore = new CachedScopeStore(this.session, this.transaction, storeFactory);
policyStore = new CachedPolicyStore(this.session, this.transaction, storeFactory);
AuthorizationStoreFactory providerFactory = (AuthorizationStoreFactory) this.session.getKeycloakSessionFactory().getProviderFactory(StoreFactory.class);
delegate = providerFactory.create(authorizationProvider);
resourceStore = new CachedResourceStore(this.session, this, this.transaction, delegate);
resourceServerStore = new CachedResourceServerStore(this.session, this.transaction, delegate);
scopeStore = new CachedScopeStore(this.session, this, this.transaction, delegate);
policyStore = new CachedPolicyStore(this.session, this, this.transaction, delegate);
}
@Override

View file

@ -19,6 +19,8 @@
package org.keycloak.models.authorization.infinispan;
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
@ -31,7 +33,7 @@ import org.keycloak.provider.EnvironmentDependentProviderFactory;
public class InfinispanStoreProviderFactory implements CachedStoreProviderFactory, EnvironmentDependentProviderFactory {
@Override
public CachedStoreFactoryProvider create(KeycloakSession session) {
return new InfinispanStoreFactoryProvider(session);
return null;
}
@Override
@ -58,4 +60,9 @@ public class InfinispanStoreProviderFactory implements CachedStoreProviderFactor
public boolean isSupported() {
return true;
}
@Override
public StoreFactory create(AuthorizationProvider authorizationProvider) {
return new InfinispanStoreFactoryProvider(authorizationProvider);
}
}

View file

@ -18,21 +18,22 @@
package org.keycloak.authorization.jpa.store;
import javax.persistence.EntityManager;
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.store.AuthorizationStoreFactory;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.connections.jpa.JpaConnectionProvider;
import org.keycloak.models.KeycloakSession;
import javax.persistence.EntityManager;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class JPAAuthorizationStoreFactory implements AuthorizationStoreFactory {
@Override
public StoreFactory create(KeycloakSession session) {
return new JPAStoreFactory(getEntityManager(session));
return null;
}
@Override
@ -53,4 +54,9 @@ public class JPAAuthorizationStoreFactory implements AuthorizationStoreFactory {
private EntityManager getEntityManager(KeycloakSession session) {
return session.getProvider(JpaConnectionProvider.class).getEntityManager();
}
@Override
public StoreFactory create(AuthorizationProvider authorizationProvider) {
return new JPAStoreFactory(getEntityManager(authorizationProvider.getKeycloakSession()), authorizationProvider);
}
}

View file

@ -17,15 +17,18 @@
*/
package org.keycloak.authorization.jpa.store;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.jpa.entities.PolicyEntity;
import org.keycloak.authorization.jpa.entities.ResourceServerEntity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
@ -46,10 +49,12 @@ public class JPAPolicyStore implements PolicyStore {
private final EntityManager entityManager;
private final StoreFactory storeFactory;
private final AuthorizationProvider authorization;
public JPAPolicyStore(EntityManager entityManager, StoreFactory storeFactory) {
public JPAPolicyStore(EntityManager entityManager, JPAStoreFactory jpaStoreFactory, AuthorizationProvider authorization) {
this.entityManager = entityManager;
this.storeFactory = storeFactory;
this.storeFactory = jpaStoreFactory;
this.authorization = authorization;
}
@Override
@ -59,10 +64,20 @@ public class JPAPolicyStore implements PolicyStore {
entity.setId(KeycloakModelUtils.generateId());
entity.setResourceServer((ResourceServerEntity) resourceServer);
entity.setType(representation.getType());
entity.setName(representation.getName());
this.entityManager.persist(entity);
entity = (PolicyEntity) RepresentationToModel.toModel(representation, storeFactory, entity);
this.entityManager.persist(entity);
PolicyProviderFactory provider = authorization.getProviderFactory(entity.getType());
if (representation instanceof PolicyRepresentation) {
provider.onImport(entity, PolicyRepresentation.class.cast(representation), authorization);
} else {
provider.onCreate(entity, representation, authorization);
}
return entity;
}

View file

@ -18,6 +18,7 @@
package org.keycloak.authorization.jpa.store;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
@ -32,14 +33,16 @@ import javax.persistence.EntityManager;
public class JPAStoreFactory implements StoreFactory {
private final EntityManager entityManager;
private final AuthorizationProvider authorization;
public JPAStoreFactory(EntityManager entityManager) {
public JPAStoreFactory(EntityManager entityManager, AuthorizationProvider authorizationProvider) {
this.entityManager = entityManager;
this.authorization = authorizationProvider;
}
@Override
public PolicyStore getPolicyStore() {
return new JPAPolicyStore(this.entityManager, this);
return new JPAPolicyStore(entityManager, this, authorization);
}
@Override

View file

@ -21,8 +21,6 @@ package org.keycloak.authorization;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Executor;
import java.util.function.Supplier;
import org.keycloak.authorization.permission.evaluator.Evaluators;
import org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator;
@ -31,6 +29,8 @@ import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
import org.keycloak.models.cache.authorization.CachedStoreProviderFactory;
import org.keycloak.provider.Provider;
/**
@ -62,25 +62,20 @@ import org.keycloak.provider.Provider;
public final class AuthorizationProvider implements Provider {
private final DefaultPolicyEvaluator policyEvaluator;
private final Executor scheduller;
private final Supplier<StoreFactory> storeFactory;
private StoreFactory storeFactory;
private final Map<String, PolicyProviderFactory> policyProviderFactories;
private final KeycloakSession keycloakSession;
private final RealmModel realm;
public AuthorizationProvider(KeycloakSession session, RealmModel realm, Supplier<StoreFactory> storeFactory, Map<String, PolicyProviderFactory> policyProviderFactories, Executor scheduller) {
public AuthorizationProvider(KeycloakSession session, RealmModel realm, Map<String, PolicyProviderFactory> policyProviderFactories) {
this.keycloakSession = session;
this.realm = realm;
this.storeFactory = storeFactory;
this.scheduller = scheduller;
CachedStoreProviderFactory providerFactory = (CachedStoreProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(CachedStoreFactoryProvider.class);
storeFactory = providerFactory.create(this);
this.policyProviderFactories = policyProviderFactories;
this.policyEvaluator = new DefaultPolicyEvaluator(this);
}
public AuthorizationProvider(KeycloakSession session, RealmModel realm, StoreFactory storeFactory, Map<String, PolicyProviderFactory> policyProviderFactories) {
this(session, realm, () -> storeFactory, policyProviderFactories, Runnable::run);
}
/**
* Returns a {@link Evaluators} instance from where {@link org.keycloak.authorization.policy.evaluation.PolicyEvaluator} instances
* can be obtained.
@ -88,7 +83,7 @@ public final class AuthorizationProvider implements Provider {
* @return a {@link Evaluators} instance
*/
public Evaluators evaluators() {
return new Evaluators(this.policyEvaluator, this.scheduller);
return new Evaluators(policyEvaluator);
}
/**
@ -97,7 +92,7 @@ public final class AuthorizationProvider implements Provider {
* @return the {@link StoreFactory}
*/
public StoreFactory getStoreFactory() {
return this.storeFactory.get();
return this.storeFactory;
}
/**

View file

@ -17,22 +17,18 @@
*/
package org.keycloak.authorization.permission.evaluator;
import java.util.concurrent.Executor;
import org.keycloak.authorization.Decision;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
* @see PermissionEvaluator
*/
class ScheduledPermissionEvaluator implements PermissionEvaluator {
class DefaultPermissionEvaluator implements PermissionEvaluator {
private final PermissionEvaluator publisher;
private final Executor scheduler;
ScheduledPermissionEvaluator(PermissionEvaluator publisher, Executor scheduler) {
DefaultPermissionEvaluator(PermissionEvaluator publisher) {
this.publisher = publisher;
this.scheduler = scheduler;
}
@Override

View file

@ -19,7 +19,6 @@
package org.keycloak.authorization.permission.evaluator;
import java.util.List;
import java.util.concurrent.Executor;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator;
@ -33,11 +32,9 @@ import org.keycloak.authorization.policy.evaluation.EvaluationContext;
public final class Evaluators {
private final DefaultPolicyEvaluator policyEvaluator;
private final Executor scheduler;
public Evaluators(DefaultPolicyEvaluator policyEvaluator, Executor scheduler) {
public Evaluators(DefaultPolicyEvaluator policyEvaluator) {
this.policyEvaluator = policyEvaluator;
this.scheduler = scheduler;
}
public PermissionEvaluator from(List<ResourcePermission> permissions, EvaluationContext evaluationContext) {
@ -45,6 +42,6 @@ public final class Evaluators {
}
public PermissionEvaluator schedule(List<ResourcePermission> permissions, EvaluationContext evaluationContext) {
return new ScheduledPermissionEvaluator(new IterablePermissionEvaluator(permissions.iterator(), evaluationContext, this.policyEvaluator), this.scheduler);
return new DefaultPermissionEvaluator(new IterablePermissionEvaluator(permissions.iterator(), evaluationContext, this.policyEvaluator));
}
}

View file

@ -18,7 +18,6 @@
package org.keycloak.authorization.policy.provider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
/**
@ -26,15 +25,4 @@ import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentati
*/
public interface PolicyProviderAdminService<R extends AbstractPolicyRepresentation> {
default void onCreate(Policy policy, R representation) {
}
default void onUpdate(Policy policy, R representation) {
}
default void onRemove(Policy policy) {
}
}

View file

@ -44,6 +44,22 @@ public interface PolicyProviderFactory<R extends AbstractPolicyRepresentation> e
return (Class<R>) PolicyRepresentation.class;
}
default void onCreate(Policy policy, R representation, AuthorizationProvider authorization) {
}
default void onUpdate(Policy policy, R representation, AuthorizationProvider authorization) {
}
default void onRemove(Policy policy, AuthorizationProvider authorization) {
}
default void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
}
default PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null;
}

View file

@ -18,6 +18,7 @@
package org.keycloak.authorization.store;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.store.syncronization.ClientApplicationSynchronizer;
import org.keycloak.authorization.store.syncronization.RealmSynchronizer;
import org.keycloak.authorization.store.syncronization.Synchronizer;
@ -61,4 +62,6 @@ public interface AuthorizationStoreFactory extends ProviderFactory<StoreFactory>
}
});
}
StoreFactory create(AuthorizationProvider authorizationProvider);
}

View file

@ -18,10 +18,13 @@
package org.keycloak.models.cache.authorization;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.provider.ProviderFactory;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public interface CachedStoreProviderFactory extends ProviderFactory<CachedStoreFactoryProvider> {
StoreFactory create(AuthorizationProvider authorizationProvider);
}

View file

@ -36,6 +36,7 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
@ -1941,81 +1942,6 @@ public class RepresentationToModel {
Map<String, String> config = policyRepresentation.getConfig();
String roles = config.get("roles");
if (roles != null && !roles.isEmpty()) {
try {
List<Map> rolesMap = (List<Map>) JsonSerialization.readValue(roles, List.class);
config.put("roles", JsonSerialization.writeValueAsString(rolesMap.stream().map(roleConfig -> {
String roleName = roleConfig.get("id").toString();
String clientId = null;
int clientIdSeparator = roleName.indexOf("/");
if (clientIdSeparator != -1) {
clientId = roleName.substring(0, clientIdSeparator);
roleName = roleName.substring(clientIdSeparator + 1);
}
RoleModel role;
if (clientId == null) {
role = realm.getRole(roleName);
} else {
role = realm.getClientByClientId(clientId).getRole(roleName);
}
// fallback to find any client role with the given name
if (role == null) {
String finalRoleName = roleName;
role = realm.getClients().stream().map(clientModel -> clientModel.getRole(finalRoleName)).filter(roleModel -> roleModel != null)
.findFirst().orElse(null);
}
if (role == null) {
role = realm.getRoleById(roleName);
if (role == null) {
String finalRoleName1 = roleName;
role = realm.getClients().stream().map(clientModel -> clientModel.getRole(finalRoleName1)).filter(roleModel -> roleModel != null)
.findFirst().orElse(null);
}
}
if (role == null) {
throw new RuntimeException("Error while importing configuration. Role [" + roleName + "] could not be found.");
}
roleConfig.put("id", role.getId());
return roleConfig;
}).collect(Collectors.toList())));
} catch (Exception e) {
throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
}
}
String users = config.get("users");
if (users != null && !users.isEmpty()) {
try {
List<String> usersMap = (List<String>) JsonSerialization.readValue(users, List.class);
config.put("users", JsonSerialization.writeValueAsString(usersMap.stream().map(userId -> {
UserModel user = session.users().getUserByUsername(userId, realm);
if (user == null) {
user = session.users().getUserById(userId, realm);
}
if (user == null) {
throw new RuntimeException("Error while importing configuration. User [" + userId + "] could not be found.");
}
return user.getId();
}).collect(Collectors.toList())));
} catch (Exception e) {
throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
}
}
String scopes = config.get("scopes");
if (scopes != null && !scopes.isEmpty()) {
@ -2098,12 +2024,16 @@ public class RepresentationToModel {
policy = policyStore.findByName(policyRepresentation.getName(), resourceServer.getId());
}
PolicyProviderFactory providerFactory = authorization.getProviderFactory(policyRepresentation.getType());
if (policy == null) {
policy = policyStore.create(policyRepresentation, resourceServer);
} else {
toModel(policyRepresentation, storeFactory, policy);
}
providerFactory.onImport(policy, policyRepresentation, authorization);
if (parentPolicyName != null && parentPolicyName.equals(policyRepresentation.getName())) {
return policy;
}

View file

@ -26,11 +26,9 @@ import java.util.concurrent.Executor;
import org.keycloak.Config;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
import org.keycloak.provider.ProviderFactory;
/**
@ -76,13 +74,7 @@ public class DefaultAuthorizationProviderFactory implements AuthorizationProvide
@Override
public AuthorizationProvider create(KeycloakSession session, RealmModel realm) {
StoreFactory storeFactory = session.getProvider(CachedStoreFactoryProvider.class);
if (storeFactory == null) {
storeFactory = session.getProvider(StoreFactory.class);
}
return new AuthorizationProvider(session, realm, storeFactory, policyProviderFactories);
return new AuthorizationProvider(session, realm, policyProviderFactories);
}
private Map<String, PolicyProviderFactory> configurePolicyProviderFactories(KeycloakSessionFactory keycloakSessionFactory) {

View file

@ -34,6 +34,7 @@ import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.utils.ModelToRepresentation;
@ -79,14 +80,12 @@ public class PolicyResourceService {
Policy updated = RepresentationToModel.toModel(representation, authorization.getStoreFactory(), policy);
PolicyProviderAdminService resource = getPolicyProviderAdminResource(updated.getType());
PolicyProviderFactory resource = getProviderFactory(updated.getType());
if (resource != null) {
try {
resource.onUpdate(updated, representation);
} catch (Exception e) {
throw new RuntimeException(e);
}
if (representation instanceof PolicyRepresentation) {
resource.onImport(updated, PolicyRepresentation.class.cast(representation), authorization);
} else {
resource.onUpdate(updated, representation, authorization);
}
return Response.status(Status.CREATED).build();
@ -102,15 +101,9 @@ public class PolicyResourceService {
StoreFactory storeFactory = authorization.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType());
PolicyProviderFactory resource = getProviderFactory(policy.getType());
if (resource != null) {
try {
resource.onRemove(policy);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
resource.onRemove(policy, authorization);
policyStore.findDependentPolicies(policy.getId(), resourceServer.getId()).forEach(dependentPolicy -> {
if (dependentPolicy.getAssociatedPolicies().size() == 1) {
@ -242,8 +235,8 @@ public class PolicyResourceService {
return representation;
}
protected PolicyProviderAdminService getPolicyProviderAdminResource(String policyType) {
return authorization.getProviderFactory(policyType).getAdminResource(resourceServer, authorization);
private PolicyProviderFactory getProviderFactory(String policyType) {
return authorization.getProviderFactory(policyType);
}
protected Policy getPolicy() {

View file

@ -96,16 +96,6 @@ public class PolicyService {
AbstractPolicyRepresentation representation = doCreateRepresentation(payload);
Policy policy = create(representation);
PolicyProviderAdminService provider = getPolicyProviderAdminResource(representation.getType());
if (provider != null) {
try {
provider.onCreate(policy, representation);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
representation.setId(policy.getId());
@ -133,14 +123,12 @@ public class PolicyService {
}
Policy policy = policyStore.create(representation, resourceServer);
PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType());
PolicyProviderFactory provider = getPolicyProviderFactory(policy.getType());
if (resource != null) {
try {
resource.onCreate(policy, null);
} catch (Exception e) {
throw new RuntimeException(e);
}
if (representation instanceof PolicyRepresentation) {
provider.onImport(policy, PolicyRepresentation.class.cast(representation), authorization);
} else {
provider.onCreate(policy, representation, authorization);
}
return policy;

View file

@ -50,6 +50,7 @@ import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
import org.keycloak.services.resources.admin.RealmAuth;
@ -183,21 +184,15 @@ public class ResourceServerService {
}
private void createDefaultPermission(ResourceRepresentation resource, PolicyRepresentation policy) {
PolicyRepresentation defaultPermission = new PolicyRepresentation();
ResourcePermissionRepresentation defaultPermission = new ResourcePermissionRepresentation();
defaultPermission.setName("Default Permission");
defaultPermission.setType("resource");
defaultPermission.setDescription("A permission that applies to the default resource type");
defaultPermission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
defaultPermission.setLogic(Logic.POSITIVE);
HashMap<String, String> defaultPermissionConfig = new HashMap<>();
defaultPermissionConfig.put("default", "true");
defaultPermissionConfig.put("defaultResourceType", resource.getType());
defaultPermissionConfig.put("applyPolicies", "[\"" + policy.getName() + "\"]");
defaultPermission.setConfig(defaultPermissionConfig);
defaultPermission.setResourceType(resource.getType());
defaultPermission.addPolicy(policy.getName());
getPolicyResource().create(defaultPermission);
}

View file

@ -139,12 +139,19 @@ public class KeycloakIdentity implements Identity {
if (this.accessToken.getClientSession() != null) {
ClientSessionModel clientSession = this.keycloakSession.sessions().getClientSession(this.accessToken.getClientSession());
clientUser = this.keycloakSession.users().getServiceAccount(clientSession.getClient());
} else if (this.accessToken.getIssuedFor() != null) {
ClientModel clientModel = this.keycloakSession.realms().getClientById(this.accessToken.getIssuedFor(), this.realm);
clientUser = this.keycloakSession.users().getServiceAccount(clientModel);
if (clientSession != null) {
clientUser = this.keycloakSession.users().getServiceAccount(clientSession.getClient());
}
}
if (this.accessToken.getIssuedFor() != null) {
ClientModel clientModel = this.keycloakSession.realms().getClientById(this.accessToken.getIssuedFor(), this.realm);
if (clientModel != null) {
clientUser = this.keycloakSession.users().getServiceAccount(clientModel);
}
}
if (clientUser == null) {
return false;

View file

@ -139,7 +139,7 @@ public class EntitlementService {
.allowedOrigins(identity.getAccessToken())
.exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
} else {
asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements)))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements, identity.getAccessToken())))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
}
}
});
@ -192,7 +192,7 @@ public class EntitlementService {
.allowedOrigins(identity.getAccessToken())
.exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
} else {
asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements)))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements, identity.getAccessToken())))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
}
}
});
@ -207,8 +207,7 @@ public class EntitlementService {
}
}
private String createRequestingPartyToken(List<Permission> permissions) {
AccessToken accessToken = Tokens.getAccessToken(this.authorization.getKeycloakSession());
private String createRequestingPartyToken(List<Permission> permissions, AccessToken accessToken) {
RealmModel realm = this.authorization.getKeycloakSession().getContext().getRealm();
AccessToken.Authorization authorization = new AccessToken.Authorization();

View file

@ -108,11 +108,13 @@ public class PhotozClientAuthzTestApp extends AbstractPageWithInjectedUrl {
public void requestEntitlement() {
entitlement.click();
pause(WAIT_AFTER_OPERATION);
pause(WAIT_AFTER_OPERATION);
}
public void requestEntitlements() {
entitlements.click();
pause(WAIT_AFTER_OPERATION);
pause(WAIT_AFTER_OPERATION);
}
public void login(String username, String password, String... scopes) throws InterruptedException {

View file

@ -18,6 +18,7 @@ package org.keycloak.testsuite.admin;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Ignore;
import org.junit.Test;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
@ -29,13 +30,11 @@ import org.keycloak.models.RoleModel;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
@ -43,6 +42,7 @@ import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
@Ignore
public class AuthzCleanupTest extends AbstractKeycloakTest {
@Deployment
@ -60,12 +60,12 @@ public class AuthzCleanupTest extends AbstractKeycloakTest {
}
public static void setup(KeycloakSession session) {
AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
RealmModel realm = session.realms().getRealmByName(TEST);
ClientModel client = session.realms().addClient(realm, "myclient");
RoleModel role1 = client.addRole("client-role1");
RoleModel role2 = client.addRole("client-role2");
AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().create(client.getId());
createRolePolicy(authz, resourceServer, role1);
createRolePolicy(authz, resourceServer, role2);
@ -74,17 +74,13 @@ public class AuthzCleanupTest extends AbstractKeycloakTest {
}
private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
PolicyRepresentation representation = new PolicyRepresentation();
RolePolicyRepresentation representation = new RolePolicyRepresentation();
representation.setName(role.getName());
representation.setType("role");
representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
representation.setLogic(Logic.POSITIVE);
String roleValues = "[{\"id\":\"" + role.getId() + "\",\"required\": true}]";
Map<String, String> config = new HashMap<>();
config.put("roles", roleValues);
representation.setConfig(config);
representation.addRole(role.getName(), true);
return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}

View file

@ -23,10 +23,8 @@ import static org.junit.Assert.assertTrue;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
@ -34,27 +32,30 @@ import org.junit.Before;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.util.JsonSerialization;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public abstract class AbstractPermissionManagementTest extends AbstractKeycloakTest {
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
testRealms.add(RealmBuilder.create().name("authz-test")
testRealms.add(createTestRealm().build());
}
protected RealmBuilder createTestRealm() {
return RealmBuilder.create().name("authz-test")
.user(UserBuilder.create().username("marta").password("password"))
.user(UserBuilder.create().username("kolo").password("password"))
.client(ClientBuilder.create().clientId("resource-server-test")
@ -62,8 +63,7 @@ public abstract class AbstractPermissionManagementTest extends AbstractKeycloakT
.authorizationServicesEnabled(true)
.redirectUris("http://localhost/resource-server-test")
.defaultRoles("uma_protection")
.directAccessGrants())
.build());
.directAccessGrants());
}
@Before
@ -88,18 +88,31 @@ public abstract class AbstractPermissionManagementTest extends AbstractKeycloakT
assertNull(actual.getPolicies());
assertNull(actual.getScopes());
assertEquals(expected.getPolicies().size(), policies.get().stream().map(representation1 -> representation1.getName()).filter(policyName -> expected.getPolicies().contains(policyName)).count());
List<PolicyRepresentation> associatedPolicies = policies.get();
if (expected.getResources() != null) {
assertEquals(expected.getResources().size(), resources.get().stream().map(representation1 -> representation1.getName()).filter(resourceName -> expected.getResources().contains(resourceName)).count());
if (expected.getPolicies() != null) {
assertEquals(expected.getPolicies().size(), associatedPolicies.size());
assertEquals(0, associatedPolicies.stream().map(representation1 -> representation1.getName()).filter(policyName -> !expected.getPolicies().contains(policyName)).count());
} else {
assertTrue(resources.get().isEmpty());
assertTrue(associatedPolicies.isEmpty());
}
if (expected.getScopes() != null) {
assertEquals(expected.getScopes().size(), scopes.get().stream().map(representation1 -> representation1.getName()).filter(scopeName -> expected.getScopes().contains(scopeName)).count());
List<ResourceRepresentation> associatedResources = resources.get();
if (expected.getResources() != null) {
assertEquals(expected.getResources().size(), associatedResources.size());
assertEquals(0, associatedResources.stream().map(representation1 -> representation1.getName()).filter(resourceName -> !expected.getResources().contains(resourceName)).count());
} else {
assertTrue(scopes.get().isEmpty());
assertTrue(associatedResources.isEmpty());
}
List<ScopeRepresentation> associatedScopes = scopes.get();
if (expected.getScopes() != null) {
assertEquals(expected.getScopes().size(), associatedScopes.size());
assertEquals(expected.getScopes().size(), associatedScopes.stream().map(representation1 -> representation1.getName()).filter(scopeName -> !expected.getScopes().contains(scopeName)).count());
} else {
assertTrue(associatedScopes.isEmpty());
}
expected.setId(actual.getId());
@ -129,18 +142,12 @@ public abstract class AbstractPermissionManagementTest extends AbstractKeycloakT
private void createUserPolicy(String name, RealmResource realm, ClientResource client, String username) throws IOException {
String userId = realm.users().search(username).stream().map(representation -> representation.getId()).findFirst().orElseThrow(() -> new RuntimeException("Expected user [userId]"));
PolicyRepresentation representation = new PolicyRepresentation();
UserPolicyRepresentation representation = new UserPolicyRepresentation();
representation.setName(name);
representation.setType("user");
representation.addUser(userId);
Map<String, String> config = new HashMap<>();
config.put("users", JsonSerialization.writeValueAsString(new String[]{userId}));
representation.setConfig(config);
client.authorization().policies().create(representation);
client.authorization().policies().users().create(representation);
}
protected ClientResource getClient() {
@ -159,12 +166,4 @@ public abstract class AbstractPermissionManagementTest extends AbstractKeycloakT
throw new RuntimeException("Failed to create admin client", cause);
}
}
private AuthzClient getAuthzClient() {
try {
return AuthzClient.create(JsonSerialization.readValue(getClass().getResourceAsStream("/authorization-test/default-keycloak.json"), Configuration.class));
} catch (IOException cause) {
throw new RuntimeException("Failed to create authz client", cause);
}
}
}

View file

@ -0,0 +1,183 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.admin.client.authorization;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;
import java.util.Collections;
import java.util.stream.Collectors;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.core.Response;
import org.junit.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.RolePoliciesResource;
import org.keycloak.admin.client.resource.RolePolicyResource;
import org.keycloak.admin.client.resource.RolesResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.RolesBuilder;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class RolePolicyManagementTest extends AbstractPermissionManagementTest {
@Override
protected RealmBuilder createTestRealm() {
return super.createTestRealm().roles(
RolesBuilder.create()
.realmRole(new RoleRepresentation("Role A", "Role A description", false))
.realmRole(new RoleRepresentation("Role B", "Role B description", false))
.realmRole(new RoleRepresentation("Role C", "Role C description", false))
);
}
@Test
public void testCreateRealmRolePolicy() {
AuthorizationResource authorization = getClient().authorization();
RolePolicyRepresentation representation = new RolePolicyRepresentation();
representation.setName("Realm Role Policy");
representation.setDescription("description");
representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
representation.setLogic(Logic.NEGATIVE);
representation.addRole("Role A", false);
representation.addRole("Role B", true);
assertCreated(authorization, representation);
}
@Test
public void testCreateClientRolePolicy() {
ClientResource client = getClient();
AuthorizationResource authorization = client.authorization();
RolePolicyRepresentation representation = new RolePolicyRepresentation();
representation.setName("Realm Client Role Policy");
representation.setDescription("description");
representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
representation.setLogic(Logic.NEGATIVE);
RolesResource roles = client.roles();
roles.create(new RoleRepresentation("Client Role A", "desc", false));
ClientRepresentation clientRep = client.toRepresentation();
roles.create(new RoleRepresentation("Client Role B", "desc", false));
representation.addRole("Client Role A", true);
representation.addRole(clientRep.getClientId() + "/Client Role B", true);
assertCreated(authorization, representation);
}
@Test
public void testUpdate() {
AuthorizationResource authorization = getClient().authorization();
RolePolicyRepresentation representation = new RolePolicyRepresentation();
representation.setName("Update Test Role Policy");
representation.setDescription("description");
representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
representation.setLogic(Logic.NEGATIVE);
representation.addRole("Role A", false);
representation.addRole("Role B", true);
representation.addRole("Role C", false);
assertCreated(authorization, representation);
representation.setName("changed");
representation.setDescription("changed");
representation.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
representation.setLogic(Logic.POSITIVE);
representation.setRoles(representation.getRoles().stream().filter(roleDefinition -> !roleDefinition.getId().equals("Resource A")).collect(Collectors.toSet()));
RolePoliciesResource policies = authorization.policies().roles();
RolePolicyResource permission = policies.findById(representation.getId());
permission.update(representation);
assertRepresentation(representation, permission);
for (RolePolicyRepresentation.RoleDefinition roleDefinition : representation.getRoles()) {
if (roleDefinition.getId().equals("Role B")) {
roleDefinition.setRequired(false);
}
if (roleDefinition.getId().equals("Role C")) {
roleDefinition.setRequired(true);
}
}
permission.update(representation);
assertRepresentation(representation, permission);
}
@Test
public void testDelete() {
AuthorizationResource authorization = getClient().authorization();
RolePolicyRepresentation representation = new RolePolicyRepresentation();
representation.setName("Test Delete Permission");
representation.addRole("Role A", false);
RolePoliciesResource policies = authorization.policies().roles();
Response response = policies.create(representation);
RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
policies.findById(created.getId()).remove();
RolePolicyResource removed = policies.findById(created.getId());
try {
removed.toRepresentation();
fail("Permission not removed");
} catch (NotFoundException ignore) {
}
}
private void assertCreated(AuthorizationResource authorization, RolePolicyRepresentation representation) {
RolePoliciesResource permissions = authorization.policies().roles();
Response response = permissions.create(representation);
RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
RolePolicyResource permission = permissions.findById(created.getId());
assertRepresentation(representation, permission);
}
private void assertRepresentation(RolePolicyRepresentation representation, RolePolicyResource permission) {
RolePolicyRepresentation actual = permission.toRepresentation();
assertRepresentation(representation, actual, () -> permission.resources(), () -> Collections.emptyList(), () -> permission.associatedPolicies());
assertEquals(representation.getRoles().size(), actual.getRoles().size());
ClientRepresentation clientRep = getClient().toRepresentation();
assertEquals(0, actual.getRoles().stream().filter(actualDefinition -> !representation.getRoles().stream()
.filter(roleDefinition -> (getRoleName(actualDefinition.getId()).equals(roleDefinition.getId()) || (clientRep.getClientId() + "/" + getRoleName(actualDefinition.getId())).equals(roleDefinition.getId())) && actualDefinition.isRequired() == roleDefinition.isRequired())
.findFirst().isPresent())
.count());
}
private String getRoleName(String id) {
return getRealm().rolesById().getRole(id).getName();
}
}

View file

@ -40,6 +40,7 @@ import org.keycloak.models.RoleModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.util.JsonSerialization;
@ -287,26 +288,11 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
return onAuthorizationSession(authorizationProvider -> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
PolicyRepresentation representation = new PolicyRepresentation();
RolePolicyRepresentation representation = new RolePolicyRepresentation();
representation.setName("Any Admin Policy");
representation.setType("role");
HashedMap config = new HashedMap();
RealmModel realm = authorizationProvider.getKeycloakSession().realms().getRealmByName(TEST_REALM_NAME);
RoleModel adminRole = realm.getRole("admin");
Map role = new HashMap();
role.put("id", adminRole.getId());
try {
config.put("roles", JsonSerialization.writeValueAsString(new Map[] {role}));
} catch (IOException e) {
throw new RuntimeException(e);
}
representation.setConfig(config);
representation.addRole("admin", false);
return policyStore.create(representation, resourceServer);
});

View file

@ -1326,8 +1326,8 @@ module.controller('ResourceServerPolicyUserDetailCtrl', function($scope, $route,
onInitUpdate : function(policy) {
var selectedUsers = [];
if (policy.config.users) {
var users = eval(policy.config.users);
if (policy.users) {
var users = policy.users;
for (i = 0; i < users.length; i++) {
User.get({realm: $route.current.params.realm, userId: users[i]}, function(data) {
@ -1351,7 +1351,8 @@ module.controller('ResourceServerPolicyUserDetailCtrl', function($scope, $route,
users.push($scope.selectedUsers[i].id);
}
$scope.policy.config.users = JSON.stringify(users);
$scope.policy.users = users;
delete $scope.policy.config;
},
onCreate : function() {
@ -1361,7 +1362,8 @@ module.controller('ResourceServerPolicyUserDetailCtrl', function($scope, $route,
users.push($scope.selectedUsers[i].id);
}
$scope.policy.config.users = JSON.stringify(users);
$scope.policy.users = users;
delete $scope.policy.config;
}
}, realm, client, $scope);
});
@ -1545,8 +1547,8 @@ module.controller('ResourceServerPolicyRoleDetailCtrl', function($scope, $route,
onInitUpdate : function(policy) {
var selectedRoles = [];
if (policy.config.roles) {
var roles = eval(policy.config.roles);
if (policy.roles) {
var roles = policy.roles;
for (i = 0; i < roles.length; i++) {
RoleById.get({realm: $route.current.params.realm, role: roles[i].id}, function(data) {
@ -1586,7 +1588,7 @@ module.controller('ResourceServerPolicyRoleDetailCtrl', function($scope, $route,
roles.push(role);
}
$scope.policy.config.roles = JSON.stringify(roles);
$scope.policy.roles = roles;
},
onCreate : function() {
@ -1601,7 +1603,7 @@ module.controller('ResourceServerPolicyRoleDetailCtrl', function($scope, $route,
roles.push(role);
}
$scope.policy.config.roles = JSON.stringify(roles);
$scope.policy.roles = roles;
}
}, realm, client, $scope);