Java Code Examples for org.keycloak.representations.idm.authorization.Permission#getResourceId()

Example 1
Source File: PermissionTicketAwareDecisionResultCollector.java (from keycloak, Apache License 2.0)
@Override
protected void onGrant(Permission grantedPermission) {
    // A user-managed policy already granted {@code grantedPermission}; strip the matching
    // resource/scope pairs out of {@code ticket} so no redundant permission ticket is created.
    String grantedResourceId = grantedPermission.getResourceId();
    Iterator<Permission> requested = ticket.getPermissions().iterator();

    while (requested.hasNext()) {
        Permission candidate = requested.next();
        String candidateResourceId = candidate.getResourceId();

        // A ticket entry without a resource id is matched on scopes alone.
        boolean sameResource = candidateResourceId == null
                || candidateResourceId.equals(grantedResourceId);
        if (!sameResource) {
            continue;
        }

        // Remove every scope the grant already covers; the granted scope set is looked up per
        // element, exactly as the original iterator loop did.
        Set<String> remainingScopes = candidate.getScopes();
        remainingScopes.removeIf(scope -> grantedPermission.getScopes().contains(scope));

        // Nothing left to ask for on this resource: drop the whole entry from the ticket.
        if (remainingScopes.isEmpty()) {
            requested.remove();
        }
    }
}
 
Example 2
Source File: HttpMethodAuthenticator.java (from keycloak, Apache License 2.0)
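/**
 * Configures the underlying {@code method} as a UMA authorization request.
 *
 * <p>Either a permission ticket or an explicit set of requested permissions must be present;
 * every other field of {@code request} is copied to the corresponding form parameter as-is
 * (possibly {@code null}, which {@code method.param} is left to handle as it already did).
 *
 * @param request the authorization request to translate into form parameters
 * @return {@code method}, for chaining
 * @throws IllegalArgumentException when neither a ticket nor permissions were supplied
 */
public HttpMethod<R> uma(AuthorizationRequest request) {
    String ticket = request.getTicket();
    PermissionTicketToken permissions = request.getPermissions();

    if (ticket == null && permissions == null) {
        throw new IllegalArgumentException("You must either provide a permission ticket or the permissions you want to request.");
    }

    uma();
    method.param("ticket", ticket);
    method.param("claim_token", request.getClaimToken());
    method.param("claim_token_format", request.getClaimTokenFormat());
    method.param("pct", request.getPct());
    method.param("rpt", request.getRptToken());
    method.param("scope", request.getScope());
    method.param("audience", request.getAudience());
    method.param("subject_token", request.getSubjectToken());

    if (permissions != null) {
        // One repeated "permission" parameter per requested permission.
        for (Permission permission : permissions.getPermissions()) {
            method.params("permission", toPermissionParam(permission));
        }
    }

    Metadata metadata = request.getMetadata();

    if (metadata != null) {
        if (metadata.getIncludeResourceName() != null) {
            method.param("response_include_resource_name", metadata.getIncludeResourceName().toString());
        }

        if (metadata.getLimit() != null) {
            method.param("response_permissions_limit", metadata.getLimit().toString());
        }
    }

    return method;
}

/**
 * Encodes one requested permission as {@code <resourceId>#<scope1>,<scope2>,...}.
 *
 * <p>The resource id is omitted when {@code null}, and the {@code #} separator together with the
 * scope list is omitted when there are no scopes. Scopes are joined with a fixed comma separator;
 * the previous implementation decided whether to emit the comma by inspecting the buffer for a
 * trailing {@code #}, which silently dropped the separator after any scope name ending in {@code #}.
 *
 * @param permission the permission to encode; its scope set may be {@code null}
 * @return the encoded value, possibly empty
 */
private static String toPermissionParam(Permission permission) {
    StringBuilder value = new StringBuilder();
    String resourceId = permission.getResourceId();

    if (resourceId != null) {
        value.append(resourceId);
    }

    Set<String> scopes = permission.getScopes();

    if (scopes != null && !scopes.isEmpty()) {
        value.append('#').append(String.join(",", scopes));
    }

    return value.toString();
}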
 
Example 3
Source File: AbstractPolicyEnforcer.java (from keycloak, Apache License 2.0)
/**
 * Decides whether the presented token authorizes the current request against
 * {@code actualPathConfig} / {@code methodConfig}.
 *
 * <p>Evaluation order, as written: the default access-denied URI is always allowed; a token without
 * an {@code authorization} claim is denied; otherwise the granted permissions are scanned in order
 * and the first one that covers the resource (and, for instance paths, the concrete resource) and
 * the method's scopes decides the outcome. If no permission named this resource at all, paths in
 * PERMISSIVE enforcement mode still allow the request; everything else is denied.
 *
 * @param actualPathConfig the path configuration the request resolved to
 * @param methodConfig the method configuration whose scopes must be covered
 * @param accessToken the bearer token whose {@code authorization} claim holds the granted permissions
 * @param httpFacade access to the current HTTP request
 * @param claims claims handed to {@code hasValidClaims} once a resource-bound permission matches
 * @return {@code true} to grant access, {@code false} to deny it
 */
protected boolean isAuthorized(PathConfig actualPathConfig, MethodConfig methodConfig, AccessToken accessToken, OIDCHttpFacade httpFacade, Map<String, List<String>> claims) {
    Request request = httpFacade.getRequest();

    // The access-denied page itself must stay reachable, regardless of the token.
    if (isDefaultAccessDeniedUri(request)) {
        return true;
    }

    Authorization authorization = accessToken.getAuthorization();

    // No authorization claim at all: nothing can be granted, not even in PERMISSIVE mode.
    if (authorization == null) {
        return false;
    }

    // Tracks whether any granted permission referred to this resource; only feeds the PERMISSIVE
    // fallback below.
    boolean hasPermission = false;
    Collection<Permission> grantedPermissions = authorization.getPermissions();

    for (Permission permission : grantedPermissions) {
        if (permission.getResourceId() != null) {
            // Permission bound to a specific resource.
            if (isResourcePermission(actualPathConfig, permission)) {
                hasPermission = true;

                // Instance paths additionally require the permission to match the concrete
                // resource; otherwise keep scanning the remaining permissions.
                if (actualPathConfig.isInstance() && !matchResourcePermission(actualPathConfig, permission)) {
                    continue;
                }

                if (hasResourceScopePermission(methodConfig, permission)) {
                    if (LOGGER.isDebugEnabled()) {
                        LOGGER.debugf("Authorization GRANTED for path [%s]. Permissions [%s].", actualPathConfig, grantedPermissions);
                    }
                    // A DELETE on an instance path evicts that path from the matcher cache;
                    // presumably so the instance is not matched again once it is gone — verify.
                    if (HTTP_METHOD_DELETE.equalsIgnoreCase(request.getMethod()) && actualPathConfig.isInstance()) {
                        policyEnforcer.getPathMatcher().removeFromCache(getPath(request));
                    }

                    // Final answer for the first scope-covering match: the claim check decides, and a
                    // failed claim check denies immediately rather than trying later permissions.
                    return hasValidClaims(permission, claims);
                }
            }
        } else {
            // Permission not bound to a resource: covering the method's scopes is sufficient, and
            // no claim check is applied. (The assignment is redundant before the return.)
            if (hasResourceScopePermission(methodConfig, permission)) {
                hasPermission = true;
                return true;
            }
        }
    }

    // PERMISSIVE fallback: allowed only when nothing in the token named this resource. A permission
    // that named the resource but failed the instance or scope check leaves hasPermission true, so
    // that case is still denied here.
    if (!hasPermission && EnforcementMode.PERMISSIVE.equals(actualPathConfig.getEnforcementMode())) {
        return true;
    }

    if (LOGGER.isDebugEnabled()) {
        LOGGER.debugf("Authorization FAILED for path [%s]. Not enough permissions [%s].", actualPathConfig, grantedPermissions);
    }

    return false;
}