keycloak-uncached
Changes
server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/DefaultPermissionEvaluator.java 38(+0 -38)
server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java 2(+1 -1)
server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/IterablePermissionEvaluator.java 27(+25 -2)
server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/PermissionEvaluator.java 4(+4 -0)
Details
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java b/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java
index 00e1191..2eda4ac 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java
@@ -42,6 +42,6 @@ public final class Evaluators {
}
public PermissionEvaluator schedule(List<ResourcePermission> permissions, EvaluationContext evaluationContext) {
- return new DefaultPermissionEvaluator(new IterablePermissionEvaluator(permissions.iterator(), evaluationContext, this.policyEvaluator));
+ return new IterablePermissionEvaluator(permissions.iterator(), evaluationContext, this.policyEvaluator);
}
}
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/IterablePermissionEvaluator.java b/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/IterablePermissionEvaluator.java
index dfda6a7..f2da3a5 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/IterablePermissionEvaluator.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/IterablePermissionEvaluator.java
@@ -17,12 +17,16 @@
*/
package org.keycloak.authorization.permission.evaluator;
+import java.util.Iterator;
+import java.util.List;
+import java.util.concurrent.atomic.AtomicReference;
+
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.permission.ResourcePermission;
+import org.keycloak.authorization.policy.evaluation.DecisionResultCollector;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.policy.evaluation.PolicyEvaluator;
-
-import java.util.Iterator;
+import org.keycloak.authorization.policy.evaluation.Result;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@@ -50,4 +54,23 @@ class IterablePermissionEvaluator implements PermissionEvaluator {
decision.onError(cause);
}
}
+
+ @Override
+ public List<Result> evaluate() {
+ AtomicReference<List<Result>> result = new AtomicReference<>();
+
+ evaluate(new DecisionResultCollector() {
+ @Override
+ public void onError(Throwable cause) {
+ throw new RuntimeException("Failed to evaluate permissions", cause);
+ }
+
+ @Override
+ protected void onComplete(List<Result> results) {
+ result.set(results);
+ }
+ });
+
+ return result.get();
+ }
}
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/PermissionEvaluator.java b/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/PermissionEvaluator.java
index c129caf..587856f 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/PermissionEvaluator.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/PermissionEvaluator.java
@@ -17,7 +17,10 @@
*/
package org.keycloak.authorization.permission.evaluator;
+import java.util.List;
+
import org.keycloak.authorization.Decision;
+import org.keycloak.authorization.policy.evaluation.Result;
/**
* An {@link PermissionEvaluator} represents a source of {@link org.keycloak.authorization.permission.ResourcePermission}, responsible for emitting these permissions
@@ -28,4 +31,5 @@ import org.keycloak.authorization.Decision;
public interface PermissionEvaluator {
void evaluate(Decision decision);
+ List<Result> evaluate();
}
diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
index 24e1a89..5d9114f 100644
--- a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java
@@ -35,12 +35,11 @@ import javax.ws.rs.POST;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
import org.jboss.resteasy.spi.HttpRequest;
+import org.keycloak.OAuthErrorException;
import org.keycloak.authorization.AuthorizationProvider;
-import org.keycloak.authorization.util.Permissions;
-import org.keycloak.protocol.oidc.OIDCLoginProtocol;
-import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder;
import org.keycloak.authorization.attribute.Attributes;
import org.keycloak.authorization.common.KeycloakEvaluationContext;
@@ -54,6 +53,7 @@ import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
+import org.keycloak.authorization.util.Permissions;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
@@ -61,13 +61,14 @@ import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
-import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.models.utils.KeycloakModelUtils;
-import org.keycloak.protocol.ProtocolMapper;
-import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
+import org.keycloak.protocol.oidc.OIDCLoginProtocol;
+import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
+import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resources.admin.RealmAuth;
@@ -120,18 +121,18 @@ public class PolicyEvaluationService {
this.auth.requireView();
CloseableKeycloakIdentity identity = createIdentity(evaluationRequest);
try {
- EvaluationContext evaluationContext = createEvaluationContext(evaluationRequest, identity);
- Decision decisionCollector = new Decision();
- authorization.evaluators().from(createPermissions(evaluationRequest, evaluationContext, authorization), evaluationContext).evaluate(decisionCollector);
- if (decisionCollector.error != null) {
- throw decisionCollector.error;
- }
- return Response.ok(PolicyEvaluationResponseBuilder.build(decisionCollector.results, resourceServer, authorization, identity)).build();
+ return Response.ok(PolicyEvaluationResponseBuilder.build(evaluate(evaluationRequest, createEvaluationContext(evaluationRequest, identity)), resourceServer, authorization, identity)).build();
+ } catch (Exception e) {
+ throw new ErrorResponseException(OAuthErrorException.SERVER_ERROR, "Error while evaluating permissions.", Status.INTERNAL_SERVER_ERROR);
} finally {
identity.close();
}
}
+ private List<Result> evaluate(PolicyEvaluationRequest evaluationRequest, EvaluationContext evaluationContext) {
+ return authorization.evaluators().from(createPermissions(evaluationRequest, evaluationContext, authorization), evaluationContext).evaluate();
+ }
+
private EvaluationContext createEvaluationContext(PolicyEvaluationRequest representation, KeycloakIdentity identity) {
return new KeycloakEvaluationContext(identity, this.authorization.getKeycloakSession()) {
@Override
diff --git a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
index 875a0e0..e4a2634 100644
--- a/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
+++ b/services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java
@@ -25,11 +25,11 @@ import org.keycloak.authorization.authorization.representation.AuthorizationRequ
import org.keycloak.authorization.authorization.representation.AuthorizationResponse;
import org.keycloak.authorization.common.KeycloakEvaluationContext;
import org.keycloak.authorization.common.KeycloakIdentity;
+import org.keycloak.authorization.entitlement.representation.EntitlementResponse;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
-import org.keycloak.authorization.policy.evaluation.DecisionResultCollector;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.authorization.protection.permission.PermissionTicket;
import org.keycloak.authorization.store.ResourceStore;
@@ -47,14 +47,11 @@ import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.resources.Cors;
-import org.keycloak.services.resources.RealmsResource;
import javax.ws.rs.Consumes;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Produces;
-import javax.ws.rs.container.AsyncResponse;
-import javax.ws.rs.container.Suspended;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
@@ -97,7 +94,7 @@ public class AuthorizationTokenService {
@POST
@Consumes("application/json")
@Produces("application/json")
- public void authorize(AuthorizationRequest authorizationRequest, @Suspended AsyncResponse asyncResponse) {
+ public Response authorize(AuthorizationRequest authorizationRequest) {
KeycloakEvaluationContext evaluationContext = new KeycloakEvaluationContext(this.authorization.getKeycloakSession());
KeycloakIdentity identity = (KeycloakIdentity) evaluationContext.getIdentity();
@@ -109,40 +106,40 @@ public class AuthorizationTokenService {
throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Invalid authorization request.", Status.BAD_REQUEST);
}
- PermissionTicket ticket = verifyPermissionTicket(authorizationRequest);
-
- authorization.evaluators().from(createPermissions(ticket, authorizationRequest, authorization), evaluationContext).evaluate(new DecisionResultCollector() {
- @Override
- public void onComplete(List<Result> results) {
- List<Permission> entitlements = Permissions.permits(results, authorization, ticket.getResourceServerId());
-
- if (entitlements.isEmpty()) {
- HashMap<Object, Object> error = new HashMap<>();
+ try {
+ PermissionTicket ticket = verifyPermissionTicket(authorizationRequest);
+ List<Result> result = authorization.evaluators().from(createPermissions(ticket, authorizationRequest, authorization), evaluationContext).evaluate();
+ List<Permission> entitlements = Permissions.permits(result, authorization, ticket.getResourceServerId());
+
+ if (!entitlements.isEmpty()) {
+ AuthorizationResponse response = new AuthorizationResponse(createRequestingPartyToken(entitlements, identity.getAccessToken()));
+ return Cors.add(httpRequest, Response.status(Status.CREATED).entity(response)).allowedOrigins(identity.getAccessToken())
+ .allowedMethods("POST")
+ .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
+ }
+ } catch (Exception cause) {
+ logger.error(cause);
+ throw new ErrorResponseException(OAuthErrorException.SERVER_ERROR, "Error while evaluating permissions.", Status.INTERNAL_SERVER_ERROR);
+ }
- error.put(OAuth2Constants.ERROR, "not_authorized");
+ HashMap<Object, Object> error = new HashMap<>();
- asyncResponse.resume(Cors.add(httpRequest, Response.status(Status.FORBIDDEN)
- .entity(error))
- .allowedOrigins(identity.getAccessToken())
- .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
- } else {
- AuthorizationResponse response = new AuthorizationResponse(createRequestingPartyToken(entitlements, identity.getAccessToken()));
- asyncResponse.resume(Cors.add(httpRequest, Response.status(Status.CREATED).entity(response)).allowedOrigins(identity.getAccessToken())
- .allowedMethods("POST")
- .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
- }
- }
+ error.put(OAuth2Constants.ERROR, "not_authorized");
- @Override
- public void onError(Throwable cause) {
- logger.error("failed authorize", cause);
- asyncResponse.resume(cause);
- }
- });
+ return Cors.add(httpRequest, Response.status(Status.FORBIDDEN)
+ .entity(error))
+ .allowedOrigins(identity.getAccessToken())
+ .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
}
private List<ResourcePermission> createPermissions(PermissionTicket ticket, AuthorizationRequest request, AuthorizationProvider authorization) {
StoreFactory storeFactory = authorization.getStoreFactory();
+ ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findById(ticket.getResourceServerId());
+
+ if (resourceServer == null) {
+ throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client does not support permissions", Status.FORBIDDEN);
+ }
+
Map<String, Set<String>> permissionsToEvaluate = new HashMap<>();
ticket.getResources().forEach(requestedResource -> {
@@ -231,8 +228,6 @@ public class AuthorizationTokenService {
}
}
- ResourceServer resourceServer = authorization.getStoreFactory().getResourceServerStore().findById(ticket.getResourceServerId());
-
return permissionsToEvaluate.entrySet().stream()
.flatMap((Function<Entry<String, Set<String>>, Stream<ResourcePermission>>) entry -> {
String key = entry.getKey();
diff --git a/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java b/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
index 71058ac..98f38af 100644
--- a/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
+++ b/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
@@ -26,7 +26,6 @@ import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
-import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
@@ -37,8 +36,6 @@ import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
-import javax.ws.rs.container.AsyncResponse;
-import javax.ws.rs.container.Suspended;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
@@ -48,7 +45,6 @@ import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.OAuth2Constants;
import org.keycloak.OAuthErrorException;
import org.keycloak.authorization.AuthorizationProvider;
-import org.keycloak.authorization.authorization.AuthorizationTokenService;
import org.keycloak.authorization.common.KeycloakEvaluationContext;
import org.keycloak.authorization.common.KeycloakIdentity;
import org.keycloak.authorization.entitlement.representation.EntitlementRequest;
@@ -57,7 +53,6 @@ import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
-import org.keycloak.authorization.policy.evaluation.DecisionResultCollector;
import org.keycloak.authorization.policy.evaluation.Result;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
@@ -74,7 +69,6 @@ import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
-import org.keycloak.services.ErrorResponse;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.resources.Cors;
@@ -106,7 +100,7 @@ public class EntitlementService {
@GET()
@Produces("application/json")
@Consumes("application/json")
- public void getAll(@PathParam("resource_server_id") String resourceServerId, @Suspended AsyncResponse asyncResponse) {
+ public Response getAll(@PathParam("resource_server_id") String resourceServerId) {
KeycloakIdentity identity = new KeycloakIdentity(this.authorization.getKeycloakSession());
if (resourceServerId == null) {
@@ -123,39 +117,18 @@ public class EntitlementService {
StoreFactory storeFactory = authorization.getStoreFactory();
ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(client.getId());
- authorization.evaluators().from(Permissions.all(resourceServer, identity, authorization), new KeycloakEvaluationContext(this.authorization.getKeycloakSession())).evaluate(new DecisionResultCollector() {
-
- @Override
- public void onError(Throwable cause) {
- logger.error("failed", cause);
- asyncResponse.resume(cause);
- }
-
- @Override
- protected void onComplete(List<Result> results) {
- List<Permission> entitlements = Permissions.permits(results, authorization, resourceServer.getId());
-
- if (entitlements.isEmpty()) {
- HashMap<Object, Object> error = new HashMap<>();
-
- error.put(OAuth2Constants.ERROR, "not_authorized");
+ if (resourceServer == null) {
+ throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client does not support permissions", Status.FORBIDDEN);
+ }
- asyncResponse.resume(Cors.add(request, Response.status(Status.FORBIDDEN)
- .entity(error))
- .allowedOrigins(identity.getAccessToken())
- .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
- } else {
- asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements, identity.getAccessToken())))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
- }
- }
- });
+ return evaluate(Permissions.all(resourceServer, identity, authorization), identity, resourceServer);
}
@Path("{resource_server_id}")
@POST
@Consumes("application/json")
@Produces("application/json")
- public void get(@PathParam("resource_server_id") String resourceServerId, EntitlementRequest entitlementRequest, @Suspended AsyncResponse asyncResponse) {
+ public Response get(@PathParam("resource_server_id") String resourceServerId, EntitlementRequest entitlementRequest) {
KeycloakIdentity identity = new KeycloakIdentity(this.authorization.getKeycloakSession());
if (entitlementRequest == null) {
@@ -177,41 +150,34 @@ public class EntitlementService {
StoreFactory storeFactory = authorization.getStoreFactory();
ResourceServer resourceServer = storeFactory.getResourceServerStore().findByClient(client.getId());
- try {
- authorization.evaluators().from(createPermissions(entitlementRequest, resourceServer, authorization), new KeycloakEvaluationContext(this.authorization.getKeycloakSession())).evaluate(new DecisionResultCollector() {
- @Override
- public void onError(Throwable cause) {
- logger.error("failed", cause);
- asyncResponse.resume(cause);
- }
+ if (resourceServer == null) {
+ throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "Client does not support permissions", Status.FORBIDDEN);
+ }
- @Override
- protected void onComplete(List<Result> results) {
- List<Permission> entitlements = Permissions.permits(results, authorization, resourceServer.getId());
+ return evaluate(createPermissions(entitlementRequest, resourceServer, authorization), identity, resourceServer);
+ }
- if (entitlements.isEmpty()) {
- HashMap<Object, Object> error = new HashMap<>();
+ private Response evaluate(List<ResourcePermission> permissions, KeycloakIdentity identity, ResourceServer resourceServer) {
+ try {
+ List<Result> result = authorization.evaluators().from(permissions, new KeycloakEvaluationContext(this.authorization.getKeycloakSession())).evaluate();
+ List<Permission> entitlements = Permissions.permits(result, authorization, resourceServer.getId());
- error.put(OAuth2Constants.ERROR, "not_authorized");
+ if (!entitlements.isEmpty()) {
+ return Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements, identity.getAccessToken())))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
+ }
+ } catch (Exception cause) {
+ logger.error(cause);
+ throw new ErrorResponseException(OAuthErrorException.SERVER_ERROR, "Error while evaluating permissions.", Status.INTERNAL_SERVER_ERROR);
+ }
- asyncResponse.resume(Cors.add(request, Response.status(Status.FORBIDDEN)
- .entity(error))
- .allowedOrigins(identity.getAccessToken())
- .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
- } else {
- asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements, identity.getAccessToken())))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
- }
- }
- });
- } catch (Exception e) {
- String message = e.getMessage();
+ HashMap<Object, Object> error = new HashMap<>();
- if (message == null) {
- message = "Could not process authorization request";
- }
+ error.put(OAuth2Constants.ERROR, "not_authorized");
- asyncResponse.resume(ErrorResponse.error(message, Status.BAD_REQUEST));
- }
+ return Cors.add(request, Response.status(Status.FORBIDDEN)
+ .entity(error))
+ .allowedOrigins(identity.getAccessToken())
+ .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build();
}
private String createRequestingPartyToken(List<Permission> permissions, AccessToken accessToken) {