keycloak-aplcache
Changes
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyAdminResource.java 69(+0 -69)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyProviderFactory.java 42(+39 -3)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java 2(+1 -1)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/js/JSPolicyProviderFactory.java 2(+1 -1)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java 51(+46 -5)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java 111(+108 -3)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/scope/ScopePolicyProviderFactory.java 17(+11 -6)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyAdminResource.java 34(+0 -34)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java 40(+38 -2)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java 98(+88 -10)
authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyAdminResource.java 21(+1 -20)
authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyProviderFactory.java 26(+24 -2)
core/src/main/java/org/keycloak/representations/idm/authorization/AbstractPolicyRepresentation.java 132(+132 -0)
core/src/main/java/org/keycloak/representations/idm/authorization/PolicyRepresentation.java 70(+1 -69)
core/src/main/java/org/keycloak/representations/idm/authorization/ResourcePermissionRepresentation.java 38(+38 -0)
core/src/main/java/org/keycloak/representations/idm/authorization/RolePolicyRepresentation.java 86(+86 -0)
core/src/main/java/org/keycloak/representations/idm/authorization/ScopePermissionRepresentation.java 28(+28 -0)
core/src/main/java/org/keycloak/representations/idm/authorization/UserPolicyRepresentation.java 43(+43 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/AuthorizationResource.java 4(+4 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PermissionsResource.java 31(+31 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java 12(+12 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourcePermissionResource.java 69(+69 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourcePermissionsResource.java 42(+42 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourceScopesResource.java 7(+7 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourcesResource.java 5(+5 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePoliciesResource.java 42(+42 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePolicyResource.java 69(+69 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ScopePermissionResource.java 75(+75 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ScopePermissionsResource.java 41(+41 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPoliciesResource.java 42(+42 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPolicyResource.java 69(+69 -0)
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java 24(+12 -12)
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java 6(+2 -4)
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java 22(+11 -11)
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java 10(+5 -5)
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedPolicy.java 2(+1 -1)
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java 23(+10 -13)
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java 2(+2 -0)
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java 5(+3 -2)
server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/DefaultPermissionEvaluator.java 8(+2 -6)
server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java 7(+2 -5)
server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java 5(+4 -1)
server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java 9(+2 -7)
server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java 32(+30 -2)
server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java 6(+3 -3)
server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java 355(+123 -232)
services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java 13(+0 -13)
testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/AbstractPhotozAdminTest.java 60(+32 -28)
testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/ResourcePermissionManagementTest.java 12(+6 -6)
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authorization/TestPolicyProviderFactory.java 2(+1 -1)
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/PhotozClientAuthzTestApp.java 2(+2 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java 125(+58 -67)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java 57(+27 -30)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPermissionManagementTest.java 169(+169 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ResourcePermissionManagementTest.java 165(+165 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java 211(+211 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ScopePermissionManagementTest.java 159(+159 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/UserPolicyManagementTest.java 172(+172 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminLocalTest.java 40(+20 -20)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ConflictingScopePermissionTest.java 229(+229 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationCompositeRoleTest.java 43(+21 -22)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/ClientBuilder.java 5(+5 -0)
testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/default-keycloak.json 8(+8 -0)
Details
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyProviderFactory.java
index 3e86973..73443d1 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyProviderFactory.java
@@ -17,19 +17,24 @@
*/
package org.keycloak.authorization.policy.provider.aggregated;
+import java.util.ArrayList;
+import java.util.List;
+
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
-public class AggregatePolicyProviderFactory implements PolicyProviderFactory {
+public class AggregatePolicyProviderFactory implements PolicyProviderFactory<PolicyRepresentation> {
private AggregatePolicyProvider provider = new AggregatePolicyProvider();
@@ -49,8 +54,8 @@ public class AggregatePolicyProviderFactory implements PolicyProviderFactory {
}
@Override
- public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) {
- return new AggregatePolicyAdminResource(resourceServer);
+ public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
+ return null;
}
@Override
@@ -59,6 +64,37 @@ public class AggregatePolicyProviderFactory implements PolicyProviderFactory {
}
@Override
+ public void onCreate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ verifyCircularReference(policy, new ArrayList<>());
+ }
+
+ @Override
+ public void onUpdate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ verifyCircularReference(policy, new ArrayList<>());
+ }
+
+ private void verifyCircularReference(Policy policy, List<String> ids) {
+ if (!policy.getType().equals("aggregate")) {
+ return;
+ }
+
+ if (ids.contains(policy.getId())) {
+ throw new RuntimeException("Circular reference found [" + policy.getName() + "].");
+ }
+
+ ids.add(policy.getId());
+
+ for (Policy associated : policy.getAssociatedPolicies()) {
+ verifyCircularReference(associated, ids);
+ }
+ }
+
+ @Override
+ public void onRemove(Policy policy, AuthorizationProvider authorization) {
+
+ }
+
+ @Override
public void init(Config.Scope config) {
}
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java
index 8cb0029..8f7e631 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java
@@ -40,7 +40,7 @@ public class ClientPolicyProviderFactory implements PolicyProviderFactory {
}
@Override
- public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) {
+ public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null;
}
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/js/JSPolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/js/JSPolicyProviderFactory.java
index b4a5099..617727f 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/js/JSPolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/js/JSPolicyProviderFactory.java
@@ -42,7 +42,7 @@ public class JSPolicyProviderFactory implements PolicyProviderFactory {
}
@Override
- public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) {
+ public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null;
}
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java
index d7a6b2b..6ea7230 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java
@@ -1,18 +1,20 @@
package org.keycloak.authorization.policy.provider.resource;
+import java.util.Map;
+
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
-import org.keycloak.authorization.model.ResourceServer;
+import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.provider.PolicyProvider;
-import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
-public class ResourcePolicyProviderFactory implements PolicyProviderFactory {
+public class ResourcePolicyProviderFactory implements PolicyProviderFactory<ResourcePermissionRepresentation> {
private ResourcePolicyProvider provider = new ResourcePolicyProvider();
@@ -32,8 +34,14 @@ public class ResourcePolicyProviderFactory implements PolicyProviderFactory {
}
@Override
- public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) {
- return null;
+ public Class<ResourcePermissionRepresentation> getRepresentationType() {
+ return ResourcePermissionRepresentation.class;
+ }
+
+ @Override
+ public ResourcePermissionRepresentation toRepresentation(Policy policy, ResourcePermissionRepresentation representation) {
+ representation.setResourceType(policy.getConfig().get("defaultResourceType"));
+ return representation;
}
@Override
@@ -42,6 +50,39 @@ public class ResourcePolicyProviderFactory implements PolicyProviderFactory {
}
@Override
+ public void onCreate(Policy policy, ResourcePermissionRepresentation representation, AuthorizationProvider authorization) {
+ updateResourceType(policy, representation);
+ }
+
+ @Override
+ public void onUpdate(Policy policy, ResourcePermissionRepresentation representation, AuthorizationProvider authorization) {
+ updateResourceType(policy, representation);
+ }
+
+ private void updateResourceType(Policy policy, ResourcePermissionRepresentation representation) {
+ if (representation != null) {
+ //TODO: remove this check once we migrate to new API
+ if (ResourcePermissionRepresentation.class.equals(representation.getClass())) {
+ ResourcePermissionRepresentation resourcePermission = ResourcePermissionRepresentation.class.cast(representation);
+ Map<String, String> config = policy.getConfig();
+
+ config.compute("defaultResourceType", (key, value) -> {
+ String resourceType = resourcePermission.getResourceType();
+ return resourceType != null ? resourcePermission.getResourceType() : null;
+ });
+
+ policy.setConfig(config);
+
+ }
+ }
+ }
+
+ @Override
+ public void onRemove(Policy policy, AuthorizationProvider authorization) {
+
+ }
+
+ @Override
public void init(Config.Scope config) {
}
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
index 33db2d5..90047bb 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
@@ -35,19 +35,23 @@ import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleContainerModel.RoleRemovedEvent;
import org.keycloak.models.RoleModel;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
import org.keycloak.util.JsonSerialization;
import java.io.IOException;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.List;
import java.util.Map;
-import java.util.function.Consumer;
+import java.util.Set;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
-public class RolePolicyProviderFactory implements PolicyProviderFactory {
+public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePolicyRepresentation> {
private RolePolicyProvider provider = new RolePolicyProvider();
@@ -67,7 +71,7 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory {
}
@Override
- public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) {
+ public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null;
}
@@ -77,6 +81,107 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory {
}
@Override
+ public RolePolicyRepresentation toRepresentation(Policy policy, RolePolicyRepresentation representation) {
+ try {
+ representation.setRoles(JsonSerialization.readValue(policy.getConfig().get("roles"), Set.class));
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize roles", cause);
+ }
+ return representation;
+ }
+
+ @Override
+ public Class<RolePolicyRepresentation> getRepresentationType() {
+ return RolePolicyRepresentation.class;
+ }
+
+ @Override
+ public void onCreate(Policy policy, RolePolicyRepresentation representation, AuthorizationProvider authorization) {
+ updateRoles(policy, representation, authorization);
+ }
+
+ @Override
+ public void onUpdate(Policy policy, RolePolicyRepresentation representation, AuthorizationProvider authorization) {
+ updateRoles(policy, representation, authorization);
+ }
+
+ @Override
+ public void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ try {
+ updateRoles(policy, authorization, new HashSet<>(Arrays.asList(JsonSerialization.readValue(representation.getConfig().get("roles"), RolePolicyRepresentation.RoleDefinition[].class))));
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize roles during import", cause);
+ }
+ }
+
+ private void updateRoles(Policy policy, RolePolicyRepresentation representation, AuthorizationProvider authorization) {
+ updateRoles(policy, authorization, representation.getRoles());
+ }
+
+ private void updateRoles(Policy policy, AuthorizationProvider authorization, Set<RolePolicyRepresentation.RoleDefinition> roles) {
+ try {
+ RealmModel realm = authorization.getRealm();
+ Set<RolePolicyRepresentation.RoleDefinition> updatedRoles = new HashSet<>();
+
+ if (roles != null) {
+ for (RolePolicyRepresentation.RoleDefinition definition : roles) {
+ String roleName = definition.getId();
+ String clientId = null;
+ int clientIdSeparator = roleName.indexOf("/");
+
+ if (clientIdSeparator != -1) {
+ clientId = roleName.substring(0, clientIdSeparator);
+ roleName = roleName.substring(clientIdSeparator + 1);
+ }
+
+ RoleModel role;
+
+ if (clientId == null) {
+ role = realm.getRole(roleName);
+
+ if (role == null) {
+ role = realm.getRoleById(roleName);
+ }
+ } else {
+ ClientModel client = realm.getClientByClientId(clientId);
+
+ if (client == null) {
+ throw new RuntimeException("Client with id [" + clientId + "] not found.");
+ }
+
+ role = client.getRole(roleName);
+ }
+
+ // fallback to find any client role with the given name
+ if (role == null) {
+ String finalRoleName = roleName;
+ role = realm.getClients().stream().map(clientModel -> clientModel.getRole(finalRoleName)).filter(roleModel -> roleModel != null)
+ .findFirst().orElse(null);
+ }
+
+ if (role == null) {
+ throw new RuntimeException("Error while importing configuration. Role [" + roleName + "] could not be found.");
+ }
+
+ definition.setId(role.getId());
+
+ updatedRoles.add(definition);
+ }
+ try {
+ } catch (Exception e) {
+ throw new RuntimeException("Error while updating policy [" + policy.getName() + "].", e);
+ }
+ }
+
+ Map<String, String> config = policy.getConfig();
+ config.put("roles", JsonSerialization.writeValueAsString(updatedRoles));
+ policy.setConfig(config);
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize roles", cause);
+ }
+ }
+
+ @Override
public void init(Config.Scope config) {
}
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/scope/ScopePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/scope/ScopePolicyProviderFactory.java
index 0678eb3..e677a9e 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/scope/ScopePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/scope/ScopePolicyProviderFactory.java
@@ -2,17 +2,17 @@ package org.keycloak.authorization.policy.provider.scope;
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
-import org.keycloak.authorization.model.ResourceServer;
+import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.provider.PolicyProvider;
-import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
-public class ScopePolicyProviderFactory implements PolicyProviderFactory {
+public class ScopePolicyProviderFactory implements PolicyProviderFactory<ScopePermissionRepresentation> {
private ScopePolicyProvider provider = new ScopePolicyProvider();
@@ -32,13 +32,18 @@ public class ScopePolicyProviderFactory implements PolicyProviderFactory {
}
@Override
- public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) {
+ public PolicyProvider create(KeycloakSession session) {
return null;
}
@Override
- public PolicyProvider create(KeycloakSession session) {
- return null;
+ public Class<ScopePermissionRepresentation> getRepresentationType() {
+ return ScopePermissionRepresentation.class;
+ }
+
+ @Override
+ public ScopePermissionRepresentation toRepresentation(Policy policy, ScopePermissionRepresentation representation) {
+ return representation;
}
@Override
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyAdminResource.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyAdminResource.java
index 96c1d24..7c2206a 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyAdminResource.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyAdminResource.java
@@ -18,45 +18,11 @@
package org.keycloak.authorization.policy.provider.time;
-import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
-import java.text.SimpleDateFormat;
-
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class TimePolicyAdminResource implements PolicyProviderAdminService {
- @Override
- public void onCreate(Policy policy) {
- validateConfig(policy);
- }
-
- private void validateConfig(Policy policy) {
- String nbf = policy.getConfig().get("nbf");
- String noa = policy.getConfig().get("noa");
-
- if (nbf != null && noa != null) {
- validateFormat(nbf);
- validateFormat(noa);
- }
- }
-
- @Override
- public void onUpdate(Policy policy) {
- validateConfig(policy);
- }
-
- @Override
- public void onRemove(Policy policy) {
- }
-
- private void validateFormat(String date) {
- try {
- new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(date));
- } catch (Exception e) {
- throw new RuntimeException("Could not parse a date using format [" + date + "]");
- }
- }
}
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java
index 94c5aad..920cf45 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java
@@ -1,18 +1,22 @@
package org.keycloak.authorization.policy.provider.time;
+import java.text.SimpleDateFormat;
+
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
-public class TimePolicyProviderFactory implements PolicyProviderFactory {
+public class TimePolicyProviderFactory implements PolicyProviderFactory<PolicyRepresentation> {
private TimePolicyProvider provider = new TimePolicyProvider();
@@ -32,7 +36,7 @@ public class TimePolicyProviderFactory implements PolicyProviderFactory {
}
@Override
- public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) {
+ public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return new TimePolicyAdminResource();
}
@@ -42,6 +46,38 @@ public class TimePolicyProviderFactory implements PolicyProviderFactory {
}
@Override
+ public void onCreate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ validateConfig(policy);
+ }
+
+ private void validateConfig(Policy policy) {
+ String nbf = policy.getConfig().get("nbf");
+ String noa = policy.getConfig().get("noa");
+
+ if (nbf != null && noa != null) {
+ validateFormat(nbf);
+ validateFormat(noa);
+ }
+ }
+
+ @Override
+ public void onUpdate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ validateConfig(policy);
+ }
+
+ @Override
+ public void onRemove(Policy policy, AuthorizationProvider authorization) {
+ }
+
+ private void validateFormat(String date) {
+ try {
+ new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(date));
+ } catch (Exception e) {
+ throw new RuntimeException("Could not parse a date using format [" + date + "]");
+ }
+ }
+
+ @Override
public void init(Config.Scope config) {
}
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java
index 09345ec..2d3c219 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java
@@ -20,14 +20,16 @@ package org.keycloak.authorization.policy.provider.user;
import java.io.IOException;
import java.util.ArrayList;
+import java.util.HashSet;
import java.util.List;
+import java.util.Map;
+import java.util.Set;
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider;
-import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
@@ -37,12 +39,15 @@ import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserModel.UserRemovedEvent;
+import org.keycloak.models.UserProvider;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
import org.keycloak.util.JsonSerialization;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
-public class UserPolicyProviderFactory implements PolicyProviderFactory {
+public class UserPolicyProviderFactory implements PolicyProviderFactory<UserPolicyRepresentation> {
private UserPolicyProvider provider = new UserPolicyProvider();
@@ -62,13 +67,86 @@ public class UserPolicyProviderFactory implements PolicyProviderFactory {
}
@Override
- public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) {
+ public PolicyProvider create(KeycloakSession session) {
return null;
}
@Override
- public PolicyProvider create(KeycloakSession session) {
- return null;
+ public UserPolicyRepresentation toRepresentation(Policy policy, UserPolicyRepresentation representation) {
+ try {
+ representation.setUsers(JsonSerialization.readValue(policy.getConfig().get("users"), Set.class));
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize roles", cause);
+ }
+ return representation;
+ }
+
+ @Override
+ public Class<UserPolicyRepresentation> getRepresentationType() {
+ return UserPolicyRepresentation.class;
+ }
+
+ @Override
+ public void onCreate(Policy policy, UserPolicyRepresentation representation, AuthorizationProvider authorization) {
+ updateUsers(policy, representation, authorization);
+ }
+
+ @Override
+ public void onUpdate(Policy policy, UserPolicyRepresentation representation, AuthorizationProvider authorization) {
+ updateUsers(policy, representation, authorization);
+ }
+
+ @Override
+ public void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ try {
+ updateUsers(policy, authorization, JsonSerialization.readValue(representation.getConfig().get("users"), Set.class));
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize users during import", cause);
+ }
+ }
+
+ private void updateUsers(Policy policy, UserPolicyRepresentation representation, AuthorizationProvider authorization) {
+ updateUsers(policy, authorization, representation.getUsers());
+ }
+
+ private void updateUsers(Policy policy, AuthorizationProvider authorization, Set<String> users) {
+ try {
+ KeycloakSession session = authorization.getKeycloakSession();
+ RealmModel realm = authorization.getRealm();
+ UserProvider userProvider = session.users();
+ Set<String> updatedUsers = new HashSet<>();
+
+ if (users != null) {
+ try {
+ for (String userId : users) {
+ UserModel user = null;
+
+ try {
+ user = userProvider.getUserByUsername(userId, realm);
+ } catch (Exception ignore) {
+ }
+
+ if (user == null) {
+ user = userProvider.getUserById(userId, realm);
+ }
+
+ if (user == null) {
+ throw new RuntimeException("Error while importing configuration. User [" + userId + "] could not be found.");
+ }
+
+ updatedUsers.add(user.getId());
+ }
+ } catch (Exception e) {
+ throw new RuntimeException("Error while updating policy [" + policy.getName() + "].", e);
+ }
+ }
+
+ Map<String, String> config = policy.getConfig();
+ config.put("users", JsonSerialization.writeValueAsString(updatedUsers));
+ policy.setConfig(config);
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize roles", cause);
+ }
}
@Override
@@ -133,16 +211,16 @@ public class UserPolicyProviderFactory implements PolicyProviderFactory {
}
static String[] getUsers(Policy policy) {
- String roles = policy.getConfig().get("users");
+ String users = policy.getConfig().get("users");
- if (roles != null) {
+ if (users != null) {
try {
- return JsonSerialization.readValue(roles.getBytes(), String[].class);
+ return JsonSerialization.readValue(users.getBytes(), String[].class);
} catch (IOException e) {
- throw new RuntimeException("Could not parse roles [" + roles + "] from policy config [" + policy.getName() + ".", e);
+ throw new RuntimeException("Could not parse users [" + users + "] from policy config [" + policy.getName() + ".", e);
}
}
- return new String[]{};
+ return new String[0];
}
}
diff --git a/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyAdminResource.java b/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyAdminResource.java
index c6e5701..a9bdbb0 100644
--- a/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyAdminResource.java
+++ b/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyAdminResource.java
@@ -16,8 +16,6 @@
*/
package org.keycloak.authorization.policy.provider.drools;
-import org.keycloak.authorization.model.Policy;
-import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.kie.api.runtime.KieContainer;
@@ -33,29 +31,12 @@ import javax.ws.rs.core.Response;
*/
public class DroolsPolicyAdminResource implements PolicyProviderAdminService {
- private final ResourceServer resourceServer;
private final DroolsPolicyProviderFactory factory;
- public DroolsPolicyAdminResource(ResourceServer resourceServer, DroolsPolicyProviderFactory factory) {
- this.resourceServer = resourceServer;
+ public DroolsPolicyAdminResource(DroolsPolicyProviderFactory factory) {
this.factory = factory;
}
- @Override
- public void onCreate(Policy policy) {
- this.factory.update(policy);
- }
-
- @Override
- public void onUpdate(Policy policy) {
- this.factory.update(policy);
- }
-
- @Override
- public void onRemove(Policy policy) {
- this.factory.remove(policy);
- }
-
@Path("/resolveModules")
@POST
@Consumes("application/json")
diff --git a/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyProviderFactory.java b/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyProviderFactory.java
index ce0f834..8bbed33 100644
--- a/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyProviderFactory.java
+++ b/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyProviderFactory.java
@@ -13,6 +13,8 @@ import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.kie.api.KieServices;
import org.kie.api.KieServices.Factory;
import org.kie.api.runtime.KieContainer;
@@ -49,8 +51,8 @@ public class DroolsPolicyProviderFactory implements PolicyProviderFactory {
}
@Override
- public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) {
- return new DroolsPolicyAdminResource(resourceServer, this);
+ public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
+ return new DroolsPolicyAdminResource(this);
}
@Override
@@ -59,6 +61,26 @@ public class DroolsPolicyProviderFactory implements PolicyProviderFactory {
}
@Override
+ public void onCreate(Policy policy, AbstractPolicyRepresentation representation, AuthorizationProvider authorization) {
+ update(policy);
+ }
+
+ @Override
+ public void onUpdate(Policy policy, AbstractPolicyRepresentation representation, AuthorizationProvider authorization) {
+ update(policy);
+ }
+
+ @Override
+ public void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ update(policy);
+ }
+
+ @Override
+ public void onRemove(Policy policy, AuthorizationProvider authorization) {
+ remove(policy);
+ }
+
+ @Override
public void init(Config.Scope config) {
this.ks = Factory.get();
}
diff --git a/core/src/main/java/org/keycloak/representations/idm/authorization/AbstractPolicyRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/authorization/AbstractPolicyRepresentation.java
new file mode 100644
index 0000000..e0be800
--- /dev/null
+++ b/core/src/main/java/org/keycloak/representations/idm/authorization/AbstractPolicyRepresentation.java
@@ -0,0 +1,132 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.representations.idm.authorization;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Objects;
+import java.util.Set;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class AbstractPolicyRepresentation {
+
+ private String id;
+ private String name;
+ private String description;
+ private String type;
+ private Set<String> policies;
+ private Set<String> resources;
+ private Set<String> scopes;
+ private Logic logic = Logic.POSITIVE;
+ private DecisionStrategy decisionStrategy = DecisionStrategy.UNANIMOUS;
+
+ public String getId() {
+ return this.id;
+ }
+
+ public void setId(String id) {
+ this.id = id;
+ }
+
+ public String getType() {
+ return this.type;
+ }
+
+ public void setType(String type) {
+ this.type = type;
+ }
+
+ public DecisionStrategy getDecisionStrategy() {
+ return this.decisionStrategy;
+ }
+
+ public void setDecisionStrategy(DecisionStrategy decisionStrategy) {
+ this.decisionStrategy = decisionStrategy;
+ }
+
+ public Logic getLogic() {
+ return logic;
+ }
+
+ public void setLogic(Logic logic) {
+ this.logic = logic;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public void setName(String name) {
+ this.name = name;
+ }
+
+ public String getDescription() {
+ return this.description;
+ }
+
+ public void setDescription(String description) {
+ this.description = description;
+ }
+
+ public Set<String> getPolicies() {
+ return policies;
+ }
+
+ public void addPolicy(String... id) {
+ if (this.policies == null) {
+ this.policies = new HashSet<>();
+ }
+ this.policies.addAll(Arrays.asList(id));
+ }
+
+ public Set<String> getResources() {
+ return resources;
+ }
+
+ public void addResource(String id) {
+ if (this.resources == null) {
+ this.resources = new HashSet<>();
+ }
+ this.resources.add(id);
+ }
+
+ public Set<String> getScopes() {
+ return scopes;
+ }
+
+ public void addScope(String... id) {
+ if (this.scopes == null) {
+ this.scopes = new HashSet<>();
+ }
+ this.scopes.addAll(Arrays.asList(id));
+ }
+
+ @Override
+ public boolean equals(final Object o) {
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ final AbstractPolicyRepresentation policy = (AbstractPolicyRepresentation) o;
+ return Objects.equals(getId(), policy.getId());
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(getId());
+ }
+}
\ No newline at end of file
diff --git a/core/src/main/java/org/keycloak/representations/idm/authorization/PolicyRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/authorization/PolicyRepresentation.java
index dc04991..e36d7af 100644
--- a/core/src/main/java/org/keycloak/representations/idm/authorization/PolicyRepresentation.java
+++ b/core/src/main/java/org/keycloak/representations/idm/authorization/PolicyRepresentation.java
@@ -18,53 +18,14 @@ package org.keycloak.representations.idm.authorization;
import java.util.HashMap;
import java.util.Map;
-import java.util.Objects;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
-public class PolicyRepresentation {
+public class PolicyRepresentation extends AbstractPolicyRepresentation {
- private String id;
- private String name;
- private String description;
- private String type;
- private Logic logic = Logic.POSITIVE;
- private DecisionStrategy decisionStrategy = DecisionStrategy.UNANIMOUS;
private Map<String, String> config = new HashMap();
- public String getId() {
- return this.id;
- }
-
- public void setId(String id) {
- this.id = id;
- }
-
- public String getType() {
- return this.type;
- }
-
- public void setType(String type) {
- this.type = type;
- }
-
- public DecisionStrategy getDecisionStrategy() {
- return this.decisionStrategy;
- }
-
- public void setDecisionStrategy(DecisionStrategy decisionStrategy) {
- this.decisionStrategy = decisionStrategy;
- }
-
- public Logic getLogic() {
- return logic;
- }
-
- public void setLogic(Logic logic) {
- this.logic = logic;
- }
-
public Map<String, String> getConfig() {
return this.config;
}
@@ -72,33 +33,4 @@ public class PolicyRepresentation {
public void setConfig(Map<String, String> config) {
this.config = config;
}
-
- public String getName() {
- return name;
- }
-
- public void setName(String name) {
- this.name = name;
- }
-
- public String getDescription() {
- return this.description;
- }
-
- public void setDescription(String description) {
- this.description = description;
- }
-
- @Override
- public boolean equals(final Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- final PolicyRepresentation policy = (PolicyRepresentation) o;
- return Objects.equals(getId(), policy.getId());
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(getId());
- }
}
\ No newline at end of file
diff --git a/core/src/main/java/org/keycloak/representations/idm/authorization/ResourcePermissionRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/authorization/ResourcePermissionRepresentation.java
new file mode 100644
index 0000000..80f7106
--- /dev/null
+++ b/core/src/main/java/org/keycloak/representations/idm/authorization/ResourcePermissionRepresentation.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.representations.idm.authorization;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class ResourcePermissionRepresentation extends AbstractPolicyRepresentation {
+
+ private String resourceType;
+
+ @Override
+ public String getType() {
+ return "resource";
+ }
+
+ public void setResourceType(String resourceType) {
+ this.resourceType = resourceType;
+ }
+
+ public String getResourceType() {
+ return resourceType;
+ }
+}
\ No newline at end of file
diff --git a/core/src/main/java/org/keycloak/representations/idm/authorization/RolePolicyRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/authorization/RolePolicyRepresentation.java
new file mode 100644
index 0000000..2a89710
--- /dev/null
+++ b/core/src/main/java/org/keycloak/representations/idm/authorization/RolePolicyRepresentation.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.representations.idm.authorization;
+
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class RolePolicyRepresentation extends AbstractPolicyRepresentation {
+
+ private Set<RoleDefinition> roles;
+
+ public Set<RoleDefinition> getRoles() {
+ return roles;
+ }
+
+ public void setRoles(Set<RoleDefinition> roles) {
+ this.roles = roles;
+ }
+
+ public void addRole(String name, boolean required) {
+ if (roles == null) {
+ roles = new HashSet<>();
+ }
+ roles.add(new RoleDefinition(name, required));
+ }
+
+ public void addRole(String name) {
+ addRole(name, false);
+ }
+
+ public void addClientRole(String clientId, String name) {
+ addRole(clientId + "/" +name, false);
+ }
+
+ public void addClientRole(String clientId, String name, boolean required) {
+ addRole(clientId + "/" + name, required);
+ }
+
+ public static class RoleDefinition {
+
+ private String id;
+ private boolean required;
+
+ public RoleDefinition() {
+ this(null, false);
+ }
+
+ public RoleDefinition(String id, boolean required) {
+ this.id = id;
+ this.required = required;
+ }
+
+ public String getId() {
+ return id;
+ }
+
+ public void setId(String id) {
+ this.id = id;
+ }
+
+ public boolean isRequired() {
+ return required;
+ }
+
+ public void setRequired(boolean required) {
+ this.required = required;
+ }
+ }
+}
diff --git a/core/src/main/java/org/keycloak/representations/idm/authorization/ScopePermissionRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/authorization/ScopePermissionRepresentation.java
new file mode 100644
index 0000000..b6a02b4
--- /dev/null
+++ b/core/src/main/java/org/keycloak/representations/idm/authorization/ScopePermissionRepresentation.java
@@ -0,0 +1,28 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.representations.idm.authorization;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class ScopePermissionRepresentation extends AbstractPolicyRepresentation {
+
+ @Override
+ public String getType() {
+ return "scope";
+ }
+}
diff --git a/core/src/main/java/org/keycloak/representations/idm/authorization/UserPolicyRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/authorization/UserPolicyRepresentation.java
new file mode 100644
index 0000000..dc38e65
--- /dev/null
+++ b/core/src/main/java/org/keycloak/representations/idm/authorization/UserPolicyRepresentation.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.representations.idm.authorization;
+
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class UserPolicyRepresentation extends AbstractPolicyRepresentation {
+
+ private Set<String> users;
+
+ public Set<String> getUsers() {
+ return users;
+ }
+
+ public void setUsers(Set<String> users) {
+ this.users= users;
+ }
+
+ public void addUser(String name) {
+ if (users == null) {
+ users = new HashSet<>();
+ }
+ users.add(name);
+ }
+}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/AuthorizationResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/AuthorizationResource.java
index 07276ec..de8d958 100644
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/AuthorizationResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/AuthorizationResource.java
@@ -23,6 +23,7 @@ import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
@@ -58,4 +59,7 @@ public interface AuthorizationResource {
@Path("/policy")
PoliciesResource policies();
+
+ @Path("/permission")
+ PermissionsResource permissions();
}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PermissionsResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PermissionsResource.java
new file mode 100644
index 0000000..679137b
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PermissionsResource.java
@@ -0,0 +1,31 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.admin.client.resource;
+
+import javax.ws.rs.Path;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public interface PermissionsResource {
+
+ @Path("resource")
+ ResourcePermissionsResource resource();
+
+ @Path("scope")
+ ScopePermissionsResource scope();
+}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java
index e5120c6..433a112 100644
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java
@@ -28,6 +28,7 @@ import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import java.util.List;
@@ -45,6 +46,12 @@ public interface PoliciesResource {
@Path("{id}")
PolicyResource policy(@PathParam("id") String id);
+ @Path("/search")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ PolicyRepresentation findByName(@QueryParam("name") String name);
+
@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
@@ -62,4 +69,9 @@ public interface PoliciesResource {
@Path("evaluate")
PolicyEvaluationResponse evaluate(PolicyEvaluationRequest evaluationRequest);
+ @Path("role")
+ RolePoliciesResource roles();
+
+ @Path("user")
+ UserPoliciesResource users();
}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourcePermissionResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourcePermissionResource.java
new file mode 100644
index 0000000..ec49ec8
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourcePermissionResource.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.admin.client.resource;
+
+import java.util.List;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+import org.jboss.resteasy.annotations.cache.NoCache;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
+import org.keycloak.representations.idm.authorization.ResourceRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public interface ResourcePermissionResource {
+
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ ResourcePermissionRepresentation toRepresentation();
+
+ @PUT
+ @Consumes(MediaType.APPLICATION_JSON)
+ void update(ResourcePermissionRepresentation representation);
+
+ @DELETE
+ void remove();
+
+ @Path("/associatedPolicies")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ List<PolicyRepresentation> associatedPolicies();
+
+ @Path("/dependentPolicies")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ List<PolicyRepresentation> dependentPolicies();
+
+ @Path("/resources")
+ @GET
+ @Produces("application/json")
+ @NoCache
+ List<ResourceRepresentation> resources();
+
+}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourcePermissionsResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourcePermissionsResource.java
new file mode 100644
index 0000000..d4dd0ed
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourcePermissionsResource.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.admin.client.resource;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public interface ResourcePermissionsResource {
+
+ @POST
+ @Consumes(MediaType.APPLICATION_JSON)
+ @Produces(MediaType.APPLICATION_JSON)
+ Response create(ResourcePermissionRepresentation representation);
+
+ @Path("{id}")
+ ResourcePermissionResource findById(@PathParam("id") String id);
+
+}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourceScopesResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourceScopesResource.java
index 3a48114..ddcaf53 100644
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourceScopesResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourceScopesResource.java
@@ -25,6 +25,7 @@ import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import java.util.List;
@@ -46,4 +47,10 @@ public interface ResourceScopesResource {
@NoCache
@Produces(MediaType.APPLICATION_JSON)
List<ScopeRepresentation> scopes();
+
+ @Path("/search")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ ScopeRepresentation findByName(@QueryParam("name") String name);
}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourcesResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourcesResource.java
index 07438d0..e7daaa1 100644
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourcesResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ResourcesResource.java
@@ -57,5 +57,10 @@ public interface ResourcesResource {
@GET
@NoCache
@Produces(MediaType.APPLICATION_JSON)
+ List<ResourceRepresentation> findByName(@QueryParam("name") String name);
+
+ @GET
+ @NoCache
+ @Produces(MediaType.APPLICATION_JSON)
List<ResourceRepresentation> resources();
}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePoliciesResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePoliciesResource.java
new file mode 100644
index 0000000..9ed6226
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePoliciesResource.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.admin.client.resource;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public interface RolePoliciesResource {
+
+ @POST
+ @Consumes(MediaType.APPLICATION_JSON)
+ @Produces(MediaType.APPLICATION_JSON)
+ Response create(RolePolicyRepresentation representation);
+
+ @Path("{id}")
+ RolePolicyResource findById(@PathParam("id") String id);
+
+}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePolicyResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePolicyResource.java
new file mode 100644
index 0000000..824554f
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePolicyResource.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.admin.client.resource;
+
+import java.util.List;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+import org.jboss.resteasy.annotations.cache.NoCache;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ResourceRepresentation;
+import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public interface RolePolicyResource {
+
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ RolePolicyRepresentation toRepresentation();
+
+ @PUT
+ @Consumes(MediaType.APPLICATION_JSON)
+ void update(RolePolicyRepresentation representation);
+
+ @DELETE
+ void remove();
+
+ @Path("/associatedPolicies")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ List<PolicyRepresentation> associatedPolicies();
+
+ @Path("/dependentPolicies")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ List<PolicyRepresentation> dependentPolicies();
+
+ @Path("/resources")
+ @GET
+ @Produces("application/json")
+ @NoCache
+ List<ResourceRepresentation> resources();
+
+}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ScopePermissionResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ScopePermissionResource.java
new file mode 100644
index 0000000..199e412
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ScopePermissionResource.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.admin.client.resource;
+
+import java.util.List;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+import org.jboss.resteasy.annotations.cache.NoCache;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ResourceRepresentation;
+import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
+import org.keycloak.representations.idm.authorization.ScopeRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public interface ScopePermissionResource {
+
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ ScopePermissionRepresentation toRepresentation();
+
+ @PUT
+ @Consumes(MediaType.APPLICATION_JSON)
+ void update(ScopePermissionRepresentation representation);
+
+ @DELETE
+ void remove();
+
+ @Path("/associatedPolicies")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ List<PolicyRepresentation> associatedPolicies();
+
+ @Path("/dependentPolicies")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ List<PolicyRepresentation> dependentPolicies();
+
+ @Path("/resources")
+ @GET
+ @Produces("application/json")
+ @NoCache
+ List<ResourceRepresentation> resources();
+
+ @Path("/scopes")
+ @GET
+ @Produces("application/json")
+ @NoCache
+ List<ScopeRepresentation> scopes();
+}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ScopePermissionsResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ScopePermissionsResource.java
new file mode 100644
index 0000000..c92b132
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ScopePermissionsResource.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.admin.client.resource;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public interface ScopePermissionsResource {
+
+ @POST
+ @Consumes(MediaType.APPLICATION_JSON)
+ @Produces(MediaType.APPLICATION_JSON)
+ Response create(ScopePermissionRepresentation representation);
+
+ @Path("{id}")
+ ScopePermissionResource findById(@PathParam("id") String id);
+}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPoliciesResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPoliciesResource.java
new file mode 100644
index 0000000..c1769d7
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPoliciesResource.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.admin.client.resource;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public interface UserPoliciesResource {
+
+ @POST
+ @Consumes(MediaType.APPLICATION_JSON)
+ @Produces(MediaType.APPLICATION_JSON)
+ Response create(UserPolicyRepresentation representation);
+
+ @Path("{id}")
+ UserPolicyResource findById(@PathParam("id") String id);
+
+}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPolicyResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPolicyResource.java
new file mode 100644
index 0000000..d12378c
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPolicyResource.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.admin.client.resource;
+
+import java.util.List;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+import org.jboss.resteasy.annotations.cache.NoCache;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ResourceRepresentation;
+import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public interface UserPolicyResource {
+
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ UserPolicyRepresentation toRepresentation();
+
+ @PUT
+ @Consumes(MediaType.APPLICATION_JSON)
+ void update(UserPolicyRepresentation representation);
+
+ @DELETE
+ void remove();
+
+ @Path("/associatedPolicies")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ List<PolicyRepresentation> associatedPolicies();
+
+ @Path("/dependentPolicies")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ List<PolicyRepresentation> dependentPolicies();
+
+ @Path("/resources")
+ @GET
+ @Produces("application/json")
+ @NoCache
+ List<ResourceRepresentation> resources();
+
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java
index 9cd4e74..5bb3651 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java
@@ -42,6 +42,7 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.authorization.infinispan.InfinispanStoreFactoryProvider.CacheTransaction;
import org.keycloak.models.authorization.infinispan.entities.CachedPolicy;
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
@@ -53,15 +54,14 @@ public class CachedPolicyStore implements PolicyStore {
private static final String POLICY_ID_CACHE_PREFIX = "policy-id-";
private final Cache<String, Map<String, List<CachedPolicy>>> cache;
- private final KeycloakSession session;
+ private final CachedStoreFactoryProvider cacheStoreFactory;
private final CacheTransaction transaction;
private final List<String> cacheKeys;
- private StoreFactory storeFactory;
+ private final StoreFactory storeFactory;
private PolicyStore delegate;
- private CachedStoreFactoryProvider cachedStoreFactory;
- public CachedPolicyStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
- this.session = session;
+ public CachedPolicyStore(KeycloakSession session, CachedStoreFactoryProvider cacheStoreFactory, CacheTransaction transaction, StoreFactory delegate) {
+ this.cacheStoreFactory = cacheStoreFactory;
this.transaction = transaction;
InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
@@ -70,12 +70,12 @@ public class CachedPolicyStore implements PolicyStore {
cacheKeys.add("findByResourceType");
cacheKeys.add("findByScopeIds");
cacheKeys.add("findByType");
- this.storeFactory = storeFactory;
+ this.storeFactory = delegate;
}
@Override
- public Policy create(String name, String type, ResourceServer resourceServer) {
- Policy policy = getDelegate().create(name, type, getStoreFactory().getResourceServerStore().findById(resourceServer.getId()));
+ public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) {
+ Policy policy = getDelegate().create(representation, getStoreFactory().getResourceServerStore().findById(resourceServer.getId()));
String id = policy.getId();
this.transaction.whenRollback(() -> {
@@ -285,6 +285,7 @@ public class CachedPolicyStore implements PolicyStore {
public void removeScope(Scope scope) {
getDelegateForUpdate().removeScope(getStoreFactory().getScopeStore().findById(scope.getId(), cached.getResourceServerId()));
cached.removeScope(scope);
+ scopes.remove(scope);
}
@Override
@@ -297,6 +298,7 @@ public class CachedPolicyStore implements PolicyStore {
public void removeAssociatedPolicy(Policy associatedPolicy) {
getDelegateForUpdate().removeAssociatedPolicy(getStoreFactory().getPolicyStore().findById(associatedPolicy.getId(), cached.getResourceServerId()));
cached.removeAssociatedPolicy(associatedPolicy);
+ associatedPolicies.remove(associatedPolicy);
}
@Override
@@ -309,6 +311,7 @@ public class CachedPolicyStore implements PolicyStore {
public void removeResource(Resource resource) {
getDelegateForUpdate().removeResource(getStoreFactory().getResourceStore().findById(resource.getId(), cached.getResourceServerId()));
cached.removeResource(resource);
+ resources.remove(resource);
}
@Override
@@ -401,10 +404,7 @@ public class CachedPolicyStore implements PolicyStore {
}
private CachedStoreFactoryProvider getCachedStoreFactory() {
- if (cachedStoreFactory == null) {
- cachedStoreFactory = session.getProvider(CachedStoreFactoryProvider.class);
- }
- return cachedStoreFactory;
+ return cacheStoreFactory;
}
private void invalidateCache(String resourceServerId) {
diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java
index 95d3dba..a98a34e 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java
@@ -41,18 +41,16 @@ public class CachedResourceServerStore implements ResourceServerStore {
private static final String RS_ID_CACHE_PREFIX = "rs-id-";
private static final String RS_CLIENT_ID_CACHE_PREFIX = "rs-client-id-";
- private final KeycloakSession session;
private final CacheTransaction transaction;
private StoreFactory storeFactory;
private ResourceServerStore delegate;
private final Cache<String, Map<String, List<CachedResourceServer>>> cache;
- public CachedResourceServerStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
- this.session = session;
+ public CachedResourceServerStore(KeycloakSession session, CacheTransaction transaction, StoreFactory delegate) {
this.transaction = transaction;
InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
- this.storeFactory = storeFactory;
+ this.storeFactory = delegate;
}
@Override
diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java
index b016702..e820ab0 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java
@@ -49,15 +49,15 @@ public class CachedResourceStore implements ResourceStore {
private static final String RESOURCE_ID_CACHE_PREFIX = "rsc-id-";
private static final String RESOURCE_NAME_CACHE_PREFIX = "rsc-name-";
- private final KeycloakSession session;
+ private final CachedStoreFactoryProvider cacheStoreFactory;
private final CacheTransaction transaction;
private final List<String> cacheKeys;
- private StoreFactory storeFactory;
+ private StoreFactory delegateStoreFactory;
private ResourceStore delegate;
private final Cache<String, Map<String, List<CachedResource>>> cache;
- public CachedResourceStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
- this.session = session;
+ public CachedResourceStore(KeycloakSession session, CachedStoreFactoryProvider cacheStoreFactory, CacheTransaction transaction, StoreFactory delegate) {
+ this.cacheStoreFactory = cacheStoreFactory;
InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
this.transaction = transaction;
@@ -65,12 +65,12 @@ public class CachedResourceStore implements ResourceStore {
cacheKeys.add("findByOwner");
cacheKeys.add("findByUri");
cacheKeys.add("findByName");
- this.storeFactory = storeFactory;
+ this.delegateStoreFactory = delegate;
}
@Override
public Resource create(String name, ResourceServer resourceServer, String owner) {
- Resource resource = getDelegate().create(name, getStoreFactory().getResourceServerStore().findById(resourceServer.getId()), owner);
+ Resource resource = getDelegate().create(name, getDelegateStoreFactory().getResourceServerStore().findById(resourceServer.getId()), owner);
this.transaction.whenRollback(() -> {
resolveResourceServerCache(resourceServer.getId()).remove(getCacheKeyForResource(resource.getId()));
@@ -176,14 +176,14 @@ public class CachedResourceStore implements ResourceStore {
private ResourceStore getDelegate() {
if (this.delegate == null) {
- this.delegate = getStoreFactory().getResourceStore();
+ this.delegate = getDelegateStoreFactory().getResourceStore();
}
return this.delegate;
}
- private StoreFactory getStoreFactory() {
- return this.storeFactory;
+ private StoreFactory getDelegateStoreFactory() {
+ return this.delegateStoreFactory;
}
private Resource createAdapter(CachedResource cached) {
@@ -270,7 +270,7 @@ public class CachedResourceStore implements ResourceStore {
@Override
public void updateScopes(Set<Scope> scopes) {
- getDelegateForUpdate().updateScopes(scopes.stream().map(scope -> getStoreFactory().getScopeStore().findById(scope.getId(), cached.getResourceServerId())).collect(Collectors.toSet()));
+ getDelegateForUpdate().updateScopes(scopes.stream().map(scope -> getDelegateStoreFactory().getScopeStore().findById(scope.getId(), cached.getResourceServerId())).collect(Collectors.toSet()));
cached.updateScopes(scopes);
}
@@ -293,7 +293,7 @@ public class CachedResourceStore implements ResourceStore {
}
private CachedStoreFactoryProvider getCachedStoreFactory() {
- return session.getProvider(CachedStoreFactoryProvider.class);
+ return cacheStoreFactory;
}
private List<Resource> cacheResult(String resourceServerId, String key, Supplier<List<Resource>> provider) {
diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java
index ef2e19b..fb878d0 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java
@@ -44,17 +44,17 @@ public class CachedScopeStore implements ScopeStore {
private static final String SCOPE_NAME_CACHE_PREFIX = "scp-name-";
private final Cache<String, Map<String, List<CachedScope>>> cache;
- private final KeycloakSession session;
+ private final CachedStoreFactoryProvider cacheStoreFactory;
private final CacheTransaction transaction;
private ScopeStore delegate;
private StoreFactory storeFactory;
- public CachedScopeStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
- this.session = session;
+ public CachedScopeStore(KeycloakSession session, CachedStoreFactoryProvider cacheStoreFactory, CacheTransaction transaction, StoreFactory delegate) {
+ this.cacheStoreFactory = cacheStoreFactory;
this.transaction = transaction;
InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
- this.storeFactory = storeFactory;
+ this.storeFactory = delegate;
}
@Override
@@ -220,7 +220,7 @@ public class CachedScopeStore implements ScopeStore {
}
private CachedStoreFactoryProvider getCachedStoreFactory() {
- return session.getProvider(CachedStoreFactoryProvider.class);
+ return cacheStoreFactory;
}
private void invalidateCache(String resourceServerId) {
diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedPolicy.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedPolicy.java
index 775cf64..c7bef79 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedPolicy.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/entities/CachedPolicy.java
@@ -160,7 +160,7 @@ public class CachedPolicy implements Policy, Serializable {
@Override
public void removeResource(Resource resource) {
- this.resourcesIds.add(resource.getId());
+ this.resourcesIds.remove(resource.getId());
}
@Override
diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java
index ff66da6..bbc3848 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java
@@ -18,6 +18,9 @@
package org.keycloak.models.authorization.infinispan;
+import java.util.ArrayList;
+import java.util.List;
+
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
@@ -27,31 +30,25 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakTransaction;
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
-import java.util.ArrayList;
-import java.util.List;
-
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class InfinispanStoreFactoryProvider implements CachedStoreFactoryProvider {
- private final KeycloakSession session;
private final CacheTransaction transaction;
- private final StoreFactory storeFactory;
private final CachedResourceStore resourceStore;
private final CachedScopeStore scopeStore;
private final CachedPolicyStore policyStore;
private ResourceServerStore resourceServerStore;
- InfinispanStoreFactoryProvider(KeycloakSession delegate) {
- this.session = delegate;
+ public InfinispanStoreFactoryProvider(KeycloakSession session) {
this.transaction = new CacheTransaction();
- this.session.getTransactionManager().enlistAfterCompletion(transaction);
- storeFactory = this.session.getProvider(StoreFactory.class);
- resourceStore = new CachedResourceStore(this.session, this.transaction, storeFactory);
- resourceServerStore = new CachedResourceServerStore(this.session, this.transaction, storeFactory);
- scopeStore = new CachedScopeStore(this.session, this.transaction, storeFactory);
- policyStore = new CachedPolicyStore(this.session, this.transaction, storeFactory);
+ session.getTransactionManager().enlistAfterCompletion(transaction);
+ StoreFactory delegate = session.getProvider(StoreFactory.class);
+ resourceStore = new CachedResourceStore(session, this, this.transaction, delegate);
+ resourceServerStore = new CachedResourceServerStore(session, this.transaction, delegate);
+ scopeStore = new CachedScopeStore(session, this, this.transaction, delegate);
+ policyStore = new CachedPolicyStore(session, this, this.transaction, delegate);
}
@Override
diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java
index ff7452b..ad58890 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java
@@ -19,6 +19,8 @@
package org.keycloak.models.authorization.infinispan;
import org.keycloak.Config;
+import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java
index 8788884..8750807 100644
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java
@@ -18,14 +18,15 @@
package org.keycloak.authorization.jpa.store;
+import javax.persistence.EntityManager;
+
import org.keycloak.Config;
+import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.store.AuthorizationStoreFactory;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.connections.jpa.JpaConnectionProvider;
import org.keycloak.models.KeycloakSession;
-import javax.persistence.EntityManager;
-
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java
index 22fb951..c6671de 100644
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java
@@ -17,14 +17,10 @@
*/
package org.keycloak.authorization.jpa.store;
-import org.keycloak.authorization.jpa.entities.PolicyEntity;
-import org.keycloak.authorization.jpa.entities.ResourceServerEntity;
-import org.keycloak.authorization.jpa.entities.ScopeEntity;
-import org.keycloak.authorization.model.Policy;
-import org.keycloak.authorization.model.ResourceServer;
-import org.keycloak.authorization.model.Scope;
-import org.keycloak.authorization.store.PolicyStore;
-import org.keycloak.models.utils.KeycloakModelUtils;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
@@ -33,11 +29,14 @@ import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Predicate;
import javax.persistence.criteria.Root;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
+
+import org.keycloak.authorization.jpa.entities.PolicyEntity;
+import org.keycloak.authorization.jpa.entities.ResourceServerEntity;
+import org.keycloak.authorization.model.Policy;
+import org.keycloak.authorization.model.ResourceServer;
+import org.keycloak.authorization.store.PolicyStore;
+import org.keycloak.models.utils.KeycloakModelUtils;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@@ -51,23 +50,19 @@ public class JPAPolicyStore implements PolicyStore {
}
@Override
- public Policy create(String name, String type, ResourceServer resourceServer) {
+ public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) {
PolicyEntity entity = new PolicyEntity();
entity.setId(KeycloakModelUtils.generateId());
- entity.setName(name);
- entity.setType(type);
+ entity.setType(representation.getType());
+ entity.setName(representation.getName());
entity.setResourceServer((ResourceServerEntity) resourceServer);
this.entityManager.persist(entity);
-
+ this.entityManager.flush();
return entity;
}
- public EntityManager getEntityManager() {
- return this.entityManager;
- }
-
@Override
public void delete(String id) {
Policy policy = entityManager.find(PolicyEntity.class, id);
@@ -99,7 +94,7 @@ public class JPAPolicyStore implements PolicyStore {
@Override
public Policy findByName(String name, String resourceServerId) {
try {
- Query query = getEntityManager().createQuery("from PolicyEntity where name = :name and resourceServer.id = :serverId");
+ Query query = entityManager.createQuery("from PolicyEntity where name = :name and resourceServer.id = :serverId");
query.setParameter("name", name);
query.setParameter("serverId", resourceServerId);
@@ -112,7 +107,7 @@ public class JPAPolicyStore implements PolicyStore {
@Override
public List<Policy> findByResourceServer(final String resourceServerId) {
- Query query = getEntityManager().createQuery("from PolicyEntity where resourceServer.id = :serverId");
+ Query query = entityManager.createQuery("from PolicyEntity where resourceServer.id = :serverId");
query.setParameter("serverId", resourceServerId);
@@ -158,7 +153,7 @@ public class JPAPolicyStore implements PolicyStore {
@Override
public List<Policy> findByResource(final String resourceId, String resourceServerId) {
- Query query = getEntityManager().createQuery("select p from PolicyEntity p inner join p.resources r where p.resourceServer.id = :serverId and (r.resourceServer.id = :serverId and r.id = :resourceId)");
+ Query query = entityManager.createQuery("select p from PolicyEntity p inner join p.resources r where p.resourceServer.id = :serverId and (r.resourceServer.id = :serverId and r.id = :resourceId)");
query.setParameter("resourceId", resourceId);
query.setParameter("serverId", resourceServerId);
@@ -168,7 +163,7 @@ public class JPAPolicyStore implements PolicyStore {
@Override
public List<Policy> findByResourceType(final String resourceType, String resourceServerId) {
- Query query = getEntityManager().createQuery("select p from PolicyEntity p inner join p.config c where p.resourceServer.id = :serverId and KEY(c) = 'defaultResourceType' and c like :type");
+ Query query = entityManager.createQuery("select p from PolicyEntity p inner join p.config c where p.resourceServer.id = :serverId and KEY(c) = 'defaultResourceType' and c like :type");
query.setParameter("serverId", resourceServerId);
query.setParameter("type", resourceType);
@@ -183,7 +178,7 @@ public class JPAPolicyStore implements PolicyStore {
}
// Use separate subquery to handle DB2 and MSSSQL
- Query query = getEntityManager().createQuery("select pe from PolicyEntity pe where pe.resourceServer.id = :serverId and pe.id IN (select p.id from ScopeEntity s inner join s.policies p where s.resourceServer.id = :serverId and (p.resourceServer.id = :serverId and p.type = 'scope' and s.id in (:scopeIds)))");
+ Query query = entityManager.createQuery("select pe from PolicyEntity pe where pe.resourceServer.id = :serverId and pe.id IN (select p.id from ScopeEntity s inner join s.policies p where s.resourceServer.id = :serverId and (p.resourceServer.id = :serverId and p.type = 'scope' and s.id in (:scopeIds)))");
query.setParameter("serverId", resourceServerId);
query.setParameter("scopeIds", scopeIds);
@@ -193,7 +188,7 @@ public class JPAPolicyStore implements PolicyStore {
@Override
public List<Policy> findByType(String type, String resourceServerId) {
- Query query = getEntityManager().createQuery("select p from PolicyEntity p where p.resourceServer.id = :serverId and p.type = :type");
+ Query query = entityManager.createQuery("select p from PolicyEntity p where p.resourceServer.id = :serverId and p.type = :type");
query.setParameter("serverId", resourceServerId);
query.setParameter("type", type);
@@ -203,7 +198,7 @@ public class JPAPolicyStore implements PolicyStore {
@Override
public List<Policy> findDependentPolicies(String policyId, String resourceServerId) {
- Query query = getEntityManager().createQuery("select p from PolicyEntity p inner join p.associatedPolicies ap where p.resourceServer.id = :serverId and (ap.resourceServer.id = :serverId and ap.id = :policyId)");
+ Query query = entityManager.createQuery("select p from PolicyEntity p inner join p.associatedPolicies ap where p.resourceServer.id = :serverId and (ap.resourceServer.id = :serverId and ap.id = :policyId)");
query.setParameter("serverId", resourceServerId);
query.setParameter("policyId", policyId);
diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java
index 5dad6af..e45d343 100644
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java
@@ -18,43 +18,49 @@
package org.keycloak.authorization.jpa.store;
+import javax.persistence.EntityManager;
+
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
-import javax.persistence.EntityManager;
-
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class JPAStoreFactory implements StoreFactory {
- private final EntityManager entityManager;
+ private final PolicyStore policyStore;
+ private final ResourceServerStore resourceServerStore;
+ private final ResourceStore resourceStore;
+ private final ScopeStore scopeStore;
public JPAStoreFactory(EntityManager entityManager) {
- this.entityManager = entityManager;
+ policyStore = new JPAPolicyStore(entityManager);
+ resourceServerStore = new JPAResourceServerStore(entityManager);
+ resourceStore = new JPAResourceStore(entityManager);
+ scopeStore = new JPAScopeStore(entityManager);
}
@Override
public PolicyStore getPolicyStore() {
- return new JPAPolicyStore(this.entityManager);
+ return policyStore;
}
@Override
public ResourceServerStore getResourceServerStore() {
- return new JPAResourceServerStore(this.entityManager);
+ return resourceServerStore;
}
@Override
public ResourceStore getResourceStore() {
- return new JPAResourceStore(this.entityManager);
+ return resourceStore;
}
@Override
public ScopeStore getScopeStore() {
- return new JPAScopeStore(this.entityManager);
+ return scopeStore;
}
@Override
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java b/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java
index 3aafae3..76e6894 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java
@@ -21,17 +21,23 @@ package org.keycloak.authorization;
import java.util.Collection;
import java.util.List;
import java.util.Map;
-import java.util.concurrent.Executor;
-import java.util.function.Supplier;
+import org.keycloak.authorization.model.Policy;
+import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.permission.evaluator.Evaluators;
import org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
+import org.keycloak.authorization.store.PolicyStore;
+import org.keycloak.authorization.store.ResourceServerStore;
+import org.keycloak.authorization.store.ResourceStore;
+import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
+import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.provider.Provider;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
/**
* <p>The main contract here is the creation of {@link org.keycloak.authorization.permission.evaluator.PermissionEvaluator} instances. Usually
@@ -62,25 +68,19 @@ import org.keycloak.provider.Provider;
public final class AuthorizationProvider implements Provider {
private final DefaultPolicyEvaluator policyEvaluator;
- private final Executor scheduller;
- private final Supplier<StoreFactory> storeFactory;
+ private StoreFactory storeFactory;
private final Map<String, PolicyProviderFactory> policyProviderFactories;
private final KeycloakSession keycloakSession;
private final RealmModel realm;
- public AuthorizationProvider(KeycloakSession session, RealmModel realm, Supplier<StoreFactory> storeFactory, Map<String, PolicyProviderFactory> policyProviderFactories, Executor scheduller) {
+ public AuthorizationProvider(KeycloakSession session, RealmModel realm, StoreFactory storeFactory, Map<String, PolicyProviderFactory> policyProviderFactories) {
this.keycloakSession = session;
this.realm = realm;
this.storeFactory = storeFactory;
- this.scheduller = scheduller;
this.policyProviderFactories = policyProviderFactories;
this.policyEvaluator = new DefaultPolicyEvaluator(this);
}
- public AuthorizationProvider(KeycloakSession session, RealmModel realm, StoreFactory storeFactory, Map<String, PolicyProviderFactory> policyProviderFactories) {
- this(session, realm, () -> storeFactory, policyProviderFactories, Runnable::run);
- }
-
/**
* Returns a {@link Evaluators} instance from where {@link org.keycloak.authorization.policy.evaluation.PolicyEvaluator} instances
* can be obtained.
@@ -88,7 +88,7 @@ public final class AuthorizationProvider implements Provider {
* @return a {@link Evaluators} instance
*/
public Evaluators evaluators() {
- return new Evaluators(this.policyEvaluator, this.scheduller);
+ return new Evaluators(policyEvaluator);
}
/**
@@ -97,7 +97,92 @@ public final class AuthorizationProvider implements Provider {
* @return the {@link StoreFactory}
*/
public StoreFactory getStoreFactory() {
- return this.storeFactory.get();
+ return createStoreFactory();
+ }
+
+ private StoreFactory createStoreFactory() {
+ return new StoreFactory() {
+ @Override
+ public ResourceStore getResourceStore() {
+ return storeFactory.getResourceStore();
+ }
+
+ @Override
+ public ResourceServerStore getResourceServerStore() {
+ return storeFactory.getResourceServerStore();
+ }
+
+ @Override
+ public ScopeStore getScopeStore() {
+ return storeFactory.getScopeStore();
+ }
+
+ @Override
+ public PolicyStore getPolicyStore() {
+ PolicyStore policyStore = storeFactory.getPolicyStore();
+ return new PolicyStore() {
+ @Override
+ public Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer) {
+ return RepresentationToModel.toModel(representation, AuthorizationProvider.this, policyStore.create(representation, resourceServer));
+ }
+
+ @Override
+ public void delete(String id) {
+ policyStore.delete(id);
+ }
+
+ @Override
+ public Policy findById(String id, String resourceServerId) {
+ return policyStore.findById(id, resourceServerId);
+ }
+
+ @Override
+ public Policy findByName(String name, String resourceServerId) {
+ return policyStore.findByName(name, resourceServerId);
+ }
+
+ @Override
+ public List<Policy> findByResourceServer(String resourceServerId) {
+ return policyStore.findByResourceServer(resourceServerId);
+ }
+
+ @Override
+ public List<Policy> findByResourceServer(Map<String, String[]> attributes, String resourceServerId, int firstResult, int maxResult) {
+ return policyStore.findByResourceServer(attributes, resourceServerId, firstResult, maxResult);
+ }
+
+ @Override
+ public List<Policy> findByResource(String resourceId, String resourceServerId) {
+ return policyStore.findByResource(resourceId, resourceServerId);
+ }
+
+ @Override
+ public List<Policy> findByResourceType(String resourceType, String resourceServerId) {
+ return policyStore.findByResourceType(resourceType, resourceServerId);
+ }
+
+ @Override
+ public List<Policy> findByScopeIds(List<String> scopeIds, String resourceServerId) {
+ return policyStore.findByScopeIds(scopeIds, resourceServerId);
+ }
+
+ @Override
+ public List<Policy> findByType(String type, String resourceServerId) {
+ return policyStore.findByType(type, resourceServerId);
+ }
+
+ @Override
+ public List<Policy> findDependentPolicies(String id, String resourceServerId) {
+ return policyStore.findDependentPolicies(id, resourceServerId);
+ }
+ };
+ }
+
+ @Override
+ public void close() {
+ storeFactory.close();
+ }
+ };
}
/**
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java b/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java
index ed1aa89..00e1191 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java
@@ -19,7 +19,6 @@
package org.keycloak.authorization.permission.evaluator;
import java.util.List;
-import java.util.concurrent.Executor;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator;
@@ -33,11 +32,9 @@ import org.keycloak.authorization.policy.evaluation.EvaluationContext;
public final class Evaluators {
private final DefaultPolicyEvaluator policyEvaluator;
- private final Executor scheduler;
- public Evaluators(DefaultPolicyEvaluator policyEvaluator, Executor scheduler) {
+ public Evaluators(DefaultPolicyEvaluator policyEvaluator) {
this.policyEvaluator = policyEvaluator;
- this.scheduler = scheduler;
}
public PermissionEvaluator from(List<ResourcePermission> permissions, EvaluationContext evaluationContext) {
@@ -45,6 +42,6 @@ public final class Evaluators {
}
public PermissionEvaluator schedule(List<ResourcePermission> permissions, EvaluationContext evaluationContext) {
- return new ScheduledPermissionEvaluator(new IterablePermissionEvaluator(permissions.iterator(), evaluationContext, this.policyEvaluator), this.scheduler);
+ return new DefaultPermissionEvaluator(new IterablePermissionEvaluator(permissions.iterator(), evaluationContext, this.policyEvaluator));
}
}
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java b/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java
index 094607a..1ec8887 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/evaluation/DefaultPolicyEvaluator.java
@@ -35,6 +35,7 @@ import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.store.PolicyStore;
+import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;
@@ -46,11 +47,13 @@ public class DefaultPolicyEvaluator implements PolicyEvaluator {
private final AuthorizationProvider authorization;
private final StoreFactory storeFactory;
private final PolicyStore policyStore;
+ private final ResourceStore resourceStore;
public DefaultPolicyEvaluator(AuthorizationProvider authorization) {
this.authorization = authorization;
storeFactory = this.authorization.getStoreFactory();
policyStore = storeFactory.getPolicyStore();
+ resourceStore = storeFactory.getResourceStore();
}
@Override
@@ -159,7 +162,7 @@ public class DefaultPolicyEvaluator implements PolicyEvaluator {
String type = resource.getType();
if (type != null) {
- List<Resource> resourcesByType = authorization.getStoreFactory().getResourceStore().findByType(type, resource.getResourceServer().getId());
+ List<Resource> resourcesByType = resourceStore.findByType(type, resource.getResourceServer().getId());
for (Resource resourceType : resourcesByType) {
if (resourceType.getOwner().equals(resource.getResourceServer().getClientId())) {
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java b/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java
index d26208e..b19c55b 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java
@@ -18,16 +18,11 @@
package org.keycloak.authorization.policy.provider;
-import org.keycloak.authorization.model.Policy;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
-public interface PolicyProviderAdminService {
+public interface PolicyProviderAdminService<R extends AbstractPolicyRepresentation> {
- void onCreate(Policy policy);
-
- void onUpdate(Policy policy);
-
- void onRemove(Policy policy);
}
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java b/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java
index f7041b5..af95b00 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java
@@ -22,11 +22,13 @@ import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.provider.ProviderFactory;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
-public interface PolicyProviderFactory extends ProviderFactory<PolicyProvider> {
+public interface PolicyProviderFactory<R extends AbstractPolicyRepresentation> extends ProviderFactory<PolicyProvider> {
String getName();
@@ -34,5 +36,31 @@ public interface PolicyProviderFactory extends ProviderFactory<PolicyProvider> {
PolicyProvider create(AuthorizationProvider authorization);
- PolicyProviderAdminService getAdminResource(ResourceServer resourceServer);
+ default R toRepresentation(Policy policy, R representation) {
+ return representation;
+ }
+
+ default Class<R> getRepresentationType() {
+ return (Class<R>) PolicyRepresentation.class;
+ }
+
+ default void onCreate(Policy policy, R representation, AuthorizationProvider authorization) {
+
+ }
+
+ default void onUpdate(Policy policy, R representation, AuthorizationProvider authorization) {
+
+ }
+
+ default void onRemove(Policy policy, AuthorizationProvider authorization) {
+
+ }
+
+ default void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+
+ }
+
+ default PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
+ return null;
+ }
}
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java
index 78a08bd..76a3fab 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java
@@ -18,6 +18,9 @@
package org.keycloak.authorization.store;
+import java.util.HashMap;
+import java.util.Map;
+
import org.keycloak.authorization.store.syncronization.ClientApplicationSynchronizer;
import org.keycloak.authorization.store.syncronization.RealmSynchronizer;
import org.keycloak.authorization.store.syncronization.Synchronizer;
@@ -29,9 +32,6 @@ import org.keycloak.models.UserModel.UserRemovedEvent;
import org.keycloak.provider.ProviderEvent;
import org.keycloak.provider.ProviderFactory;
-import java.util.HashMap;
-import java.util.Map;
-
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/PolicyStore.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/PolicyStore.java
index 626e317..793185e 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/PolicyStore.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/PolicyStore.java
@@ -18,12 +18,13 @@
package org.keycloak.authorization.store;
-import org.keycloak.authorization.model.Policy;
-import org.keycloak.authorization.model.ResourceServer;
-
import java.util.List;
import java.util.Map;
+import org.keycloak.authorization.model.Policy;
+import org.keycloak.authorization.model.ResourceServer;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
+
/**
* A {@link PolicyStore} is responsible to manage the persistence of {@link Policy} instances.
*
@@ -35,12 +36,11 @@ public interface PolicyStore {
* Creates a new {@link Policy} instance. The new instance is not necessarily persisted though, which may require
* a call to the {#save} method to actually make it persistent.
*
- * @param name the name of the policy
- * @param type the type of the policy
+ * @param representation the policy representation
* @param resourceServer the resource server to which this policy belongs
* @return a new instance of {@link Policy}
*/
- Policy create(String name, String type, ResourceServer resourceServer);
+ Policy create(AbstractPolicyRepresentation representation, ResourceServer resourceServer);
/**
* Deletes a policy from the underlying persistence mechanism.
diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java b/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
index 3090c6e..360f287 100755
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/ModelToRepresentation.java
@@ -33,6 +33,7 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
+import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.common.util.Time;
@@ -87,6 +88,7 @@ import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserConsentRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.UserSessionRepresentation;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
@@ -793,16 +795,29 @@ public class ModelToRepresentation {
return server;
}
- public static PolicyRepresentation toRepresentation(Policy model) {
- PolicyRepresentation representation = new PolicyRepresentation();
+ public static <R extends AbstractPolicyRepresentation> R toRepresentation(Policy policy, Class<R> representationType, AuthorizationProvider authorization) {
+ R representation;
- representation.setId(model.getId());
- representation.setName(model.getName());
- representation.setDescription(model.getDescription());
- representation.setType(model.getType());
- representation.setDecisionStrategy(model.getDecisionStrategy());
- representation.setLogic(model.getLogic());
- representation.setConfig(new HashMap<>(model.getConfig()));
+ try {
+ representation = representationType.newInstance();
+ } catch (Exception cause) {
+ throw new RuntimeException("Could not create policy [" + policy.getType() + "] representation", cause);
+ }
+
+ PolicyProviderFactory providerFactory = authorization.getProviderFactory(policy.getType());
+
+ representation.setId(policy.getId());
+ representation.setName(policy.getName());
+ representation.setDescription(policy.getDescription());
+ representation.setType(policy.getType());
+ representation.setDecisionStrategy(policy.getDecisionStrategy());
+ representation.setLogic(policy.getLogic());
+
+ if (representation instanceof PolicyRepresentation) {
+ PolicyRepresentation.class.cast(representation).setConfig(policy.getConfig());
+ } else {
+ representation = (R) providerFactory.toRepresentation(policy, representation);
+ }
return representation;
}
diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
index 2557bfd..4391341 100755
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
@@ -17,6 +17,18 @@
package org.keycloak.models.utils;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.ListIterator;
+import java.util.Map;
+import java.util.Set;
+import java.util.function.Function;
+import java.util.stream.Collectors;
+
import org.jboss.logging.Logger;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.AuthorizationProviderFactory;
@@ -24,7 +36,7 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
-import org.keycloak.authorization.policy.provider.PolicyProvider;
+import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
@@ -92,6 +104,7 @@ import org.keycloak.representations.idm.UserConsentRepresentation;
import org.keycloak.representations.idm.UserFederationMapperRepresentation;
import org.keycloak.representations.idm.UserFederationProviderRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceOwnerRepresentation;
@@ -103,18 +116,6 @@ import org.keycloak.storage.UserStorageProviderModel;
import org.keycloak.storage.federated.UserFederatedStorageProvider;
import org.keycloak.util.JsonSerialization;
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.ListIterator;
-import java.util.Map;
-import java.util.Set;
-import java.util.function.Function;
-import java.util.stream.Collectors;
-
public class RepresentationToModel {
private static Logger logger = Logger.getLogger(RepresentationToModel.class);
@@ -1896,9 +1897,6 @@ public class RepresentationToModel {
resourceServer.setPolicyEnforcementMode(rep.getPolicyEnforcementMode());
resourceServer.setAllowRemoteResourceManagement(rep.isAllowRemoteResourceManagement());
- StoreFactory storeFactory = authorization.getStoreFactory();
- ScopeStore scopeStore = storeFactory.getScopeStore();
-
rep.getScopes().forEach(scope -> {
toModel(scope, resourceServer, authorization);
});
@@ -1932,138 +1930,12 @@ public class RepresentationToModel {
private static Policy importPolicies(AuthorizationProvider authorization, ResourceServer resourceServer, List<PolicyRepresentation> policiesToImport, String parentPolicyName) {
StoreFactory storeFactory = authorization.getStoreFactory();
- KeycloakSession session = authorization.getKeycloakSession();
- RealmModel realm = authorization.getRealm();
for (PolicyRepresentation policyRepresentation : policiesToImport) {
if (parentPolicyName != null && !parentPolicyName.equals(policyRepresentation.getName())) {
continue;
}
Map<String, String> config = policyRepresentation.getConfig();
-
- String roles = config.get("roles");
-
- if (roles != null && !roles.isEmpty()) {
- try {
- List<Map> rolesMap = (List<Map>) JsonSerialization.readValue(roles, List.class);
- config.put("roles", JsonSerialization.writeValueAsString(rolesMap.stream().map(roleConfig -> {
- String roleName = roleConfig.get("id").toString();
- String clientId = null;
- int clientIdSeparator = roleName.indexOf("/");
-
- if (clientIdSeparator != -1) {
- clientId = roleName.substring(0, clientIdSeparator);
- roleName = roleName.substring(clientIdSeparator + 1);
- }
-
- RoleModel role;
-
- if (clientId == null) {
- role = realm.getRole(roleName);
- } else {
- role = realm.getClientByClientId(clientId).getRole(roleName);
- }
-
- // fallback to find any client role with the given name
- if (role == null) {
- String finalRoleName = roleName;
- role = realm.getClients().stream().map(clientModel -> clientModel.getRole(finalRoleName)).filter(roleModel -> roleModel != null)
- .findFirst().orElse(null);
- }
-
- if (role == null) {
- role = realm.getRoleById(roleName);
-
- if (role == null) {
- String finalRoleName1 = roleName;
- role = realm.getClients().stream().map(clientModel -> clientModel.getRole(finalRoleName1)).filter(roleModel -> roleModel != null)
- .findFirst().orElse(null);
- }
- }
-
- if (role == null) {
- throw new RuntimeException("Error while importing configuration. Role [" + roleName + "] could not be found.");
- }
-
- roleConfig.put("id", role.getId());
- return roleConfig;
- }).collect(Collectors.toList())));
- } catch (Exception e) {
- throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
- }
- }
-
- String users = config.get("users");
-
- if (users != null && !users.isEmpty()) {
- try {
- List<String> usersMap = (List<String>) JsonSerialization.readValue(users, List.class);
- config.put("users", JsonSerialization.writeValueAsString(usersMap.stream().map(userId -> {
- UserModel user = session.users().getUserByUsername(userId, realm);
-
- if (user == null) {
- user = session.users().getUserById(userId, realm);
- }
-
- if (user == null) {
- throw new RuntimeException("Error while importing configuration. User [" + userId + "] could not be found.");
- }
-
- return user.getId();
- }).collect(Collectors.toList())));
- } catch (Exception e) {
- throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
- }
- }
-
- String scopes = config.get("scopes");
-
- if (scopes != null && !scopes.isEmpty()) {
- try {
- ScopeStore scopeStore = storeFactory.getScopeStore();
- List<String> scopesMap = (List<String>) JsonSerialization.readValue(scopes, List.class);
- config.put("scopes", JsonSerialization.writeValueAsString(scopesMap.stream().map(scopeName -> {
- Scope newScope = scopeStore.findByName(scopeName, resourceServer.getId());
-
- if (newScope == null) {
- newScope = scopeStore.findById(scopeName, resourceServer.getId());
- }
-
- if (newScope == null) {
- throw new RuntimeException("Scope with name [" + scopeName + "] not defined.");
- }
-
- return newScope.getId();
- }).collect(Collectors.toList())));
- } catch (Exception e) {
- throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
- }
- }
-
- String policyResources = config.get("resources");
-
- if (policyResources != null && !policyResources.isEmpty()) {
- ResourceStore resourceStore = storeFactory.getResourceStore();
- try {
- List<String> resources = JsonSerialization.readValue(policyResources, List.class);
- config.put("resources", JsonSerialization.writeValueAsString(resources.stream().map(resourceName -> {
- Resource resource = resourceStore.findByName(resourceName, resourceServer.getId());
-
- if (resource == null) {
- resource = resourceStore.findById(resourceName, resourceServer.getId());
- }
-
- if (resource == null) {
- throw new RuntimeException("Resource with name [" + resourceName + "] not defined.");
- }
-
- return resource.getId();
- }).collect(Collectors.toList())));
- } catch (Exception e) {
- throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
- }
- }
-
String applyPolicies = config.get("applyPolicies");
if (applyPolicies != null && !applyPolicies.isEmpty()) {
@@ -2087,91 +1959,111 @@ public class RepresentationToModel {
return policy.getId();
}).collect(Collectors.toList())));
} catch (Exception e) {
- throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
+ throw new RuntimeException("Error while importing policy [" + policyRepresentation.getName() + "].", e);
}
}
- if (parentPolicyName == null) {
- toModel(policyRepresentation, resourceServer, authorization);
- } else if (parentPolicyName.equals(policyRepresentation.getName())) {
- return toModel(policyRepresentation, resourceServer, authorization);
+ PolicyStore policyStore = storeFactory.getPolicyStore();
+ Policy policy = policyStore.findById(policyRepresentation.getId(), resourceServer.getId());
+
+ if (policy == null) {
+ policy = policyStore.findByName(policyRepresentation.getName(), resourceServer.getId());
+ }
+
+ if (policy == null) {
+ policy = policyStore.create(policyRepresentation, resourceServer);
+ } else {
+ policy = toModel(policyRepresentation, authorization, policy);
+ }
+
+ if (parentPolicyName != null && parentPolicyName.equals(policyRepresentation.getName())) {
+ return policy;
}
}
return null;
}
- public static Policy toModel(PolicyRepresentation policy, ResourceServer resourceServer, AuthorizationProvider authorization) {
- String type = policy.getType();
- PolicyProvider provider = authorization.getProvider(type);
+ public static Policy toModel(AbstractPolicyRepresentation representation, AuthorizationProvider authorization, Policy model) {
+ model.setName(representation.getName());
+ model.setDescription(representation.getDescription());
+ model.setDecisionStrategy(representation.getDecisionStrategy());
+ model.setLogic(representation.getLogic());
- if (provider == null) {
- //TODO: temporary, remove this check on future versions as drools type is now deprecated
- if ("drools".equalsIgnoreCase(type)) {
- type = "rules";
- }
- if (authorization.getProvider(type) == null) {
- throw new RuntimeException("Unknown polucy type [" + type + "]. Could not find a provider for this type.");
+ Set resources = representation.getResources();
+ Set scopes = representation.getScopes();
+ Set policies = representation.getPolicies();
+
+ if (representation instanceof PolicyRepresentation) {
+ PolicyRepresentation policy = PolicyRepresentation.class.cast(representation);
+ String resourcesConfig = policy.getConfig().get("resources");
+
+ if (resourcesConfig != null) {
+ try {
+ resources = JsonSerialization.readValue(resourcesConfig, Set.class);
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
}
- }
- PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
- Policy existing;
+ String scopesConfig = policy.getConfig().get("scopes");
- if (policy.getId() != null) {
- existing = policyStore.findById(policy.getId(), resourceServer.getId());
- } else {
- existing = policyStore.findByName(policy.getName(), resourceServer.getId());
- }
+ if (scopesConfig != null) {
+ try {
+ scopes = JsonSerialization.readValue(scopesConfig, Set.class);
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
- if (existing != null) {
- existing.setName(policy.getName());
- existing.setDescription(policy.getDescription());
- existing.setConfig(policy.getConfig());
- existing.setDecisionStrategy(policy.getDecisionStrategy());
- existing.setLogic(policy.getLogic());
+ String policiesConfig = policy.getConfig().get("applyPolicies");
- updateResources(existing, authorization);
- updateAssociatedPolicies(existing, resourceServer, authorization);
- updateScopes(existing, authorization);
+ if (policiesConfig != null) {
+ try {
+ policies = JsonSerialization.readValue(policiesConfig, Set.class);
+ } catch (IOException e) {
+ throw new RuntimeException(e);
+ }
+ }
- return existing;
+ model.setConfig(policy.getConfig());
}
- Policy model = policyStore.create(policy.getName(), type, resourceServer);
+ StoreFactory storeFactory = authorization.getStoreFactory();
+
+ updateResources(resources, model, storeFactory);
+ updateScopes(scopes, model, storeFactory);
+ updateAssociatedPolicies(policies, model, storeFactory);
+
+ PolicyProviderFactory provider = authorization.getProviderFactory(model.getType());
- model.setDescription(policy.getDescription());
- model.setDecisionStrategy(policy.getDecisionStrategy());
- model.setLogic(policy.getLogic());
- model.setConfig(policy.getConfig());
+ if (representation instanceof PolicyRepresentation) {
+ provider.onImport(model, PolicyRepresentation.class.cast(representation), authorization);
+ } else if (representation.getId() == null) {
+ provider.onCreate(model, representation, authorization);
+ } else {
+ provider.onUpdate(model, representation, authorization);
+ }
- updateResources(model, authorization);
- updateAssociatedPolicies(model, resourceServer, authorization);
- updateScopes(model, authorization);
- policy.setId(model.getId());
+ representation.setId(model.getId());
return model;
}
- private static void updateScopes(Policy policy, AuthorizationProvider authorization) {
- String scopes = policy.getConfig().get("scopes");
- if (scopes != null) {
- String[] scopeIds;
-
- try {
- scopeIds = JsonSerialization.readValue(scopes, String[].class);
- } catch (IOException e) {
- throw new RuntimeException(e);
+ private static void updateScopes(Set<String> scopeIds, Policy policy, StoreFactory storeFactory) {
+ if (scopeIds != null) {
+ if (scopeIds.isEmpty()) {
+ for (Scope scope : new HashSet<Scope>(policy.getScopes())) {
+ policy.removeScope(scope);
+ }
+ return;
}
-
- StoreFactory storeFactory = authorization.getStoreFactory();
-
for (String scopeId : scopeIds) {
boolean hasScope = false;
for (Scope scopeModel : new HashSet<Scope>(policy.getScopes())) {
- if (scopeModel.getId().equals(scopeId)) {
+ if (scopeModel.getId().equals(scopeId) || scopeModel.getName().equals(scopeId)) {
hasScope = true;
}
}
@@ -2180,7 +2072,10 @@ public class RepresentationToModel {
Scope scope = storeFactory.getScopeStore().findById(scopeId, resourceServer.getId());
if (scope == null) {
- storeFactory.getScopeStore().findByName(scopeId, resourceServer.getId());
+ scope = storeFactory.getScopeStore().findByName(scopeId, resourceServer.getId());
+ if (scope == null) {
+ throw new RuntimeException("Scope with id or name [" + scopeId + "] does not exist");
+ }
}
policy.addScope(scope);
@@ -2191,7 +2086,7 @@ public class RepresentationToModel {
boolean hasScope = false;
for (String scopeId : scopeIds) {
- if (scopeModel.getId().equals(scopeId)) {
+ if (scopeModel.getId().equals(scopeId) || scopeModel.getName().equals(scopeId)) {
hasScope = true;
}
}
@@ -2199,24 +2094,22 @@ public class RepresentationToModel {
policy.removeScope(scopeModel);
}
}
-
- policy.getConfig().remove("scopes");
}
- }
- private static void updateAssociatedPolicies(Policy policy, ResourceServer resourceServer, AuthorizationProvider authorization) {
- String policies = policy.getConfig().get("applyPolicies");
+ policy.getConfig().remove("scopes");
+ }
- if (policies != null) {
- String[] policyIds;
+ private static void updateAssociatedPolicies(Set<String> policyIds, Policy policy, StoreFactory storeFactory) {
+ ResourceServer resourceServer = policy.getResourceServer();
- try {
- policyIds = JsonSerialization.readValue(policies, String[].class);
- } catch (IOException e) {
- throw new RuntimeException(e);
+ if (policyIds != null) {
+ if (policyIds.isEmpty()) {
+ for (Policy associated: new HashSet<Policy>(policy.getAssociatedPolicies())) {
+ policy.removeAssociatedPolicy(associated);
+ }
+ return;
}
- StoreFactory storeFactory = authorization.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
for (String policyId : policyIds) {
@@ -2228,12 +2121,14 @@ public class RepresentationToModel {
}
}
-
if (!hasPolicy) {
Policy associatedPolicy = policyStore.findById(policyId, resourceServer.getId());
if (associatedPolicy == null) {
associatedPolicy = policyStore.findByName(policyId, resourceServer.getId());
+ if (associatedPolicy == null) {
+ throw new RuntimeException("Policy with id or name [" + policyId + "] does not exist");
+ }
}
policy.addAssociatedPolicy(associatedPolicy);
@@ -2250,31 +2145,24 @@ public class RepresentationToModel {
}
if (!hasPolicy) {
policy.removeAssociatedPolicy(policyModel);
- ;
}
}
-
- policy.getConfig().remove("applyPolicies");
}
- }
- private static void updateResources(Policy policy, AuthorizationProvider authorization) {
- String resources = policy.getConfig().get("resources");
- if (resources != null) {
- String[] resourceIds;
+ policy.getConfig().remove("applyPolicies");
+ }
- try {
- resourceIds = JsonSerialization.readValue(resources, String[].class);
- } catch (IOException e) {
- throw new RuntimeException(e);
+ private static void updateResources(Set<String> resourceIds, Policy policy, StoreFactory storeFactory) {
+ if (resourceIds != null) {
+ if (resourceIds.isEmpty()) {
+ for (Scope scope : new HashSet<Scope>(policy.getScopes())) {
+ policy.removeScope(scope);
+ }
}
-
- StoreFactory storeFactory = authorization.getStoreFactory();
-
for (String resourceId : resourceIds) {
boolean hasResource = false;
for (Resource resourceModel : new HashSet<Resource>(policy.getResources())) {
- if (resourceModel.getId().equals(resourceId)) {
+ if (resourceModel.getId().equals(resourceId) || resourceModel.getName().equals(resourceId)) {
hasResource = true;
}
}
@@ -2282,7 +2170,10 @@ public class RepresentationToModel {
Resource resource = storeFactory.getResourceStore().findById(resourceId, policy.getResourceServer().getId());
if (resource == null) {
- throw new RuntimeException("Resource [" + resourceId + "] not found.");
+ resource = storeFactory.getResourceStore().findByName(resourceId, policy.getResourceServer().getId());
+ if (resource == null) {
+ throw new RuntimeException("Resource with id or name [" + resourceId + "] does not exist");
+ }
}
policy.addResource(resource);
@@ -2293,7 +2184,7 @@ public class RepresentationToModel {
boolean hasResource = false;
for (String resourceId : resourceIds) {
- if (resourceModel.getId().equals(resourceId)) {
+ if (resourceModel.getId().equals(resourceId) || resourceModel.getName().equals(resourceId)) {
hasResource = true;
}
}
@@ -2302,9 +2193,9 @@ public class RepresentationToModel {
policy.removeResource(resourceModel);
}
}
-
- policy.getConfig().remove("resources");
}
+
+ policy.getConfig().remove("resources");
}
public static Resource toModel(ResourceRepresentation resource, ResourceServer resourceServer, AuthorizationProvider authorization) {
diff --git a/services/src/main/java/org/keycloak/authorization/admin/PermissionService.java b/services/src/main/java/org/keycloak/authorization/admin/PermissionService.java
new file mode 100644
index 0000000..4ada87d
--- /dev/null
+++ b/services/src/main/java/org/keycloak/authorization/admin/PermissionService.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.authorization.admin;
+
+import java.util.List;
+import java.util.Map;
+
+import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.model.Policy;
+import org.keycloak.authorization.model.ResourceServer;
+import org.keycloak.services.resources.admin.RealmAuth;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class PermissionService extends PolicyService {
+
+ public PermissionService(ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
+ super(resourceServer, authorization, auth);
+ }
+
+ @Override
+ protected PolicyResourceService doCreatePolicyResource(Policy policy) {
+ return new PolicyTypeResourceService(policy, resourceServer, authorization, auth);
+ }
+
+ @Override
+ protected List<Object> doSearch(Integer firstResult, Integer maxResult, Map<String, String[]> filters) {
+ filters.put("permission", new String[] {Boolean.TRUE.toString()});
+ return super.doSearch(firstResult, maxResult, filters);
+ }
+}
diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java
new file mode 100644
index 0000000..e2db57e
--- /dev/null
+++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java
@@ -0,0 +1,236 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.authorization.admin;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.Response.Status;
+
+import org.jboss.resteasy.annotations.cache.NoCache;
+import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.model.Policy;
+import org.keycloak.authorization.model.ResourceServer;
+import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
+import org.keycloak.authorization.store.PolicyStore;
+import org.keycloak.authorization.store.StoreFactory;
+import org.keycloak.models.utils.ModelToRepresentation;
+import org.keycloak.models.utils.RepresentationToModel;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ResourceRepresentation;
+import org.keycloak.representations.idm.authorization.ScopeRepresentation;
+import org.keycloak.services.resources.admin.RealmAuth;
+import org.keycloak.util.JsonSerialization;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class PolicyResourceService {
+
+ private final Policy policy;
+ protected final ResourceServer resourceServer;
+ protected final AuthorizationProvider authorization;
+ protected final RealmAuth auth;
+
+ public PolicyResourceService(Policy policy, ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
+ this.policy = policy;
+ this.resourceServer = resourceServer;
+ this.authorization = authorization;
+ this.auth = auth;
+ }
+
+ @PUT
+ @Consumes("application/json")
+ @Produces("application/json")
+ @NoCache
+ public Response update(String payload) {
+ this.auth.requireManage();
+
+ AbstractPolicyRepresentation representation = doCreateRepresentation(payload);
+
+ if (policy == null) {
+ return Response.status(Status.NOT_FOUND).build();
+ }
+
+ representation.setId(policy.getId());
+
+ RepresentationToModel.toModel(representation, authorization, policy);
+
+ return Response.status(Status.CREATED).build();
+ }
+
+ @DELETE
+ public Response delete() {
+ this.auth.requireManage();
+
+ if (policy == null) {
+ return Response.status(Status.NOT_FOUND).build();
+ }
+
+ StoreFactory storeFactory = authorization.getStoreFactory();
+ PolicyStore policyStore = storeFactory.getPolicyStore();
+ PolicyProviderFactory resource = getProviderFactory(policy.getType());
+
+ resource.onRemove(policy, authorization);
+
+ policyStore.findDependentPolicies(policy.getId(), resourceServer.getId()).forEach(dependentPolicy -> {
+ if (dependentPolicy.getAssociatedPolicies().size() == 1) {
+ policyStore.delete(dependentPolicy.getId());
+ } else {
+ dependentPolicy.removeAssociatedPolicy(policy);
+ }
+ });
+
+ policyStore.delete(policy.getId());
+
+ return Response.noContent().build();
+ }
+
+ @GET
+ @Produces("application/json")
+ @NoCache
+ public Response findById() {
+ this.auth.requireView();
+
+ if (policy == null) {
+ return Response.status(Status.NOT_FOUND).build();
+ }
+
+ return Response.ok(toRepresentation(policy, authorization)).build();
+ }
+
+ protected AbstractPolicyRepresentation toRepresentation(Policy policy, AuthorizationProvider authorization) {
+ return ModelToRepresentation.toRepresentation(policy, PolicyRepresentation.class, authorization);
+ }
+
+ @Path("/dependentPolicies")
+ @GET
+ @Produces("application/json")
+ @NoCache
+ public Response getDependentPolicies() {
+ this.auth.requireView();
+
+ if (policy == null) {
+ return Response.status(Status.NOT_FOUND).build();
+ }
+
+ List<Policy> policies = authorization.getStoreFactory().getPolicyStore().findDependentPolicies(policy.getId(), resourceServer.getId());
+
+ return Response.ok(policies.stream().map(policy -> {
+ PolicyRepresentation representation1 = new PolicyRepresentation();
+
+ representation1.setId(policy.getId());
+ representation1.setName(policy.getName());
+ representation1.setType(policy.getType());
+
+ return representation1;
+ }).collect(Collectors.toList())).build();
+ }
+
+ @Path("/scopes")
+ @GET
+ @Produces("application/json")
+ @NoCache
+ public Response getScopes() {
+ this.auth.requireView();
+
+ if (policy == null) {
+ return Response.status(Status.NOT_FOUND).build();
+ }
+
+ return Response.ok(policy.getScopes().stream().map(scope -> {
+ ScopeRepresentation representation = new ScopeRepresentation();
+
+ representation.setId(scope.getId());
+ representation.setName(scope.getName());
+
+ return representation;
+ }).collect(Collectors.toList())).build();
+ }
+
+ @Path("/resources")
+ @GET
+ @Produces("application/json")
+ @NoCache
+ public Response getResources() {
+ this.auth.requireView();
+
+ if (policy == null) {
+ return Response.status(Status.NOT_FOUND).build();
+ }
+
+ return Response.ok(policy.getResources().stream().map(resource -> {
+ ResourceRepresentation representation = new ResourceRepresentation();
+
+ representation.setId(resource.getId());
+ representation.setName(resource.getName());
+
+ return representation;
+ }).collect(Collectors.toList())).build();
+ }
+
+ @Path("/associatedPolicies")
+ @GET
+ @Produces("application/json")
+ @NoCache
+ public Response getAssociatedPolicies() {
+ this.auth.requireView();
+
+ if (policy == null) {
+ return Response.status(Status.NOT_FOUND).build();
+ }
+
+ return Response.ok(policy.getAssociatedPolicies().stream().map(policy -> {
+ PolicyRepresentation representation1 = new PolicyRepresentation();
+
+ representation1.setId(policy.getId());
+ representation1.setName(policy.getName());
+ representation1.setType(policy.getType());
+
+ return representation1;
+ }).collect(Collectors.toList())).build();
+ }
+
+ protected AbstractPolicyRepresentation doCreateRepresentation(String payload) {
+ PolicyRepresentation representation;
+
+ try {
+ representation = JsonSerialization.readValue(payload, PolicyRepresentation.class);
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize representation", cause);
+ }
+
+ return representation;
+ }
+
+ private PolicyProviderFactory getProviderFactory(String policyType) {
+ return authorization.getProviderFactory(policyType);
+ }
+
+ protected Policy getPolicy() {
+ return policy;
+ }
+}
diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java
index 8982a29..011aa2d 100644
--- a/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java
@@ -17,9 +17,7 @@
*/
package org.keycloak.authorization.admin;
-import static org.keycloak.models.utils.ModelToRepresentation.toRepresentation;
-import static org.keycloak.models.utils.RepresentationToModel.toModel;
-
+import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
@@ -29,14 +27,13 @@ import java.util.Map;
import java.util.stream.Collectors;
import javax.ws.rs.Consumes;
-import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
-import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
@@ -48,24 +45,24 @@ import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
-import org.keycloak.authorization.store.ResourceStore;
-import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.Constants;
+import org.keycloak.models.utils.ModelToRepresentation;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyProviderRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
-import org.keycloak.representations.idm.authorization.ResourceRepresentation;
-import org.keycloak.representations.idm.authorization.ScopeRepresentation;
+import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.resources.admin.RealmAuth;
+import org.keycloak.util.JsonSerialization;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class PolicyService {
- private final ResourceServer resourceServer;
- private final AuthorizationProvider authorization;
- private final RealmAuth auth;
+ protected final ResourceServer resourceServer;
+ protected final AuthorizationProvider authorization;
+ protected final RealmAuth auth;
public PolicyService(ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
this.resourceServer = resourceServer;
@@ -73,210 +70,66 @@ public class PolicyService {
this.auth = auth;
}
- @POST
- @Consumes("application/json")
- @Produces("application/json")
- @NoCache
- public Response create(PolicyRepresentation representation) {
- this.auth.requireManage();
- Policy policy = toModel(representation, this.resourceServer, authorization);
- PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType(), authorization);
-
- if (resource != null) {
- try {
- resource.onCreate(policy);
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
- }
-
- representation.setId(policy.getId());
-
- return Response.status(Status.CREATED).entity(representation).build();
- }
-
- @Path("{id}")
- @PUT
- @Consumes("application/json")
- @Produces("application/json")
- @NoCache
- public Response update(@PathParam("id") String id, PolicyRepresentation representation) {
- this.auth.requireManage();
- representation.setId(id);
- StoreFactory storeFactory = authorization.getStoreFactory();
- Policy policy = storeFactory.getPolicyStore().findById(representation.getId(), resourceServer.getId());
-
- if (policy == null) {
- return Response.status(Status.NOT_FOUND).build();
- }
-
- policy = toModel(representation, resourceServer, authorization);
-
- PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType(), authorization);
-
- if (resource != null) {
- try {
- resource.onUpdate(policy);
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
- }
-
- return Response.status(Status.CREATED).build();
- }
-
- @Path("{id}")
- @DELETE
- public Response delete(@PathParam("id") String id) {
- this.auth.requireManage();
- StoreFactory storeFactory = authorization.getStoreFactory();
- PolicyStore policyStore = storeFactory.getPolicyStore();
- Policy policy = policyStore.findById(id, resourceServer.getId());
-
- if (policy == null) {
- return Response.status(Status.NOT_FOUND).build();
- }
-
- PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType(), authorization);
+ @Path("{type}")
+ public Object getResource(@PathParam("type") String type) {
+ PolicyProviderFactory providerFactory = getPolicyProviderFactory(type);
- if (resource != null) {
- try {
- resource.onRemove(policy);
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
+ if (providerFactory != null) {
+ return new PolicyTypeService(type, resourceServer, authorization, auth);
}
- policyStore.findDependentPolicies(id, resourceServer.getId()).forEach(dependentPolicy -> {
- if (dependentPolicy.getAssociatedPolicies().size() == 1) {
- policyStore.delete(dependentPolicy.getId());
- } else {
- dependentPolicy.removeAssociatedPolicy(policy);
- }
- });
+ Policy policy = authorization.getStoreFactory().getPolicyStore().findById(type, resourceServer.getId());
- policyStore.delete(policy.getId());
-
- return Response.noContent().build();
+ return doCreatePolicyResource(policy);
}
- @Path("{id}")
- @GET
- @Produces("application/json")
- @NoCache
- public Response findById(@PathParam("id") String id) {
- this.auth.requireView();
- StoreFactory storeFactory = authorization.getStoreFactory();
- Policy model = storeFactory.getPolicyStore().findById(id, resourceServer.getId());
-
- if (model == null) {
- return Response.status(Status.NOT_FOUND).build();
- }
-
- return Response.ok(toRepresentation(model)).build();
+ protected Object doCreatePolicyResource(Policy policy) {
+ return new PolicyResourceService(policy, resourceServer, authorization, auth);
}
- @Path("{id}/dependentPolicies")
- @GET
- @Produces("application/json")
- @NoCache
- public Response getDependentPolicies(@PathParam("id") String id) {
- this.auth.requireView();
- StoreFactory storeFactory = authorization.getStoreFactory();
- Policy model = storeFactory.getPolicyStore().findById(id, resourceServer.getId());
-
- if (model == null) {
- return Response.status(Status.NOT_FOUND).build();
- }
-
- List<Policy> policies = authorization.getStoreFactory().getPolicyStore().findDependentPolicies(model.getId(), resourceServer.getId());
-
- return Response.ok(policies.stream().map(policy -> {
- PolicyRepresentation representation1 = new PolicyRepresentation();
-
- representation1.setId(policy.getId());
- representation1.setName(policy.getName());
- representation1.setType(policy.getType());
-
- return representation1;
- }).collect(Collectors.toList())).build();
- }
-
- @Path("{id}/scopes")
- @GET
- @Produces("application/json")
+ @POST
+ @Consumes(MediaType.APPLICATION_JSON)
+ @Produces(MediaType.APPLICATION_JSON)
@NoCache
- public Response getScopes(@PathParam("id") String id) {
- this.auth.requireView();
- StoreFactory storeFactory = authorization.getStoreFactory();
- Policy model = storeFactory.getPolicyStore().findById(id, resourceServer.getId());
-
- if (model == null) {
- return Response.status(Status.NOT_FOUND).build();
- }
+ public Response create(String payload) {
+ this.auth.requireManage();
- return Response.ok(model.getScopes().stream().map(scope -> {
- ScopeRepresentation representation = new ScopeRepresentation();
+ AbstractPolicyRepresentation representation = doCreateRepresentation(payload);
+ Policy policy = create(representation);
- representation.setId(scope.getId());
- representation.setName(scope.getName());
+ representation.setId(policy.getId());
- return representation;
- }).collect(Collectors.toList())).build();
+ return Response.status(Status.CREATED).entity(representation).build();
}
- @Path("{id}/resources")
- @GET
- @Produces("application/json")
- @NoCache
- public Response getResources(@PathParam("id") String id) {
- this.auth.requireView();
- StoreFactory storeFactory = authorization.getStoreFactory();
- Policy model = storeFactory.getPolicyStore().findById(id, resourceServer.getId());
+ protected AbstractPolicyRepresentation doCreateRepresentation(String payload) {
+ PolicyRepresentation representation;
- if (model == null) {
- return Response.status(Status.NOT_FOUND).build();
+ try {
+ representation = JsonSerialization.readValue(payload, PolicyRepresentation.class);
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize representation", cause);
}
- return Response.ok(model.getResources().stream().map(resource -> {
- ResourceRepresentation representation = new ResourceRepresentation();
-
- representation.setId(resource.getId());
- representation.setName(resource.getName());
-
- return representation;
- }).collect(Collectors.toList())).build();
+ return representation;
}
- @Path("{id}/associatedPolicies")
- @GET
- @Produces("application/json")
- @NoCache
- public Response getAssociatedPolicies(@PathParam("id") String id) {
- this.auth.requireView();
- StoreFactory storeFactory = authorization.getStoreFactory();
- Policy model = storeFactory.getPolicyStore().findById(id, resourceServer.getId());
+ public Policy create(AbstractPolicyRepresentation representation) {
+ PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
+ Policy existing = policyStore.findByName(representation.getName(), resourceServer.getId());
- if (model == null) {
- return Response.status(Status.NOT_FOUND).build();
+ if (existing != null) {
+ throw new ErrorResponseException("Policy with name [" + representation.getName() + "] already exists", "Conflicting policy", Status.CONFLICT);
}
- return Response.ok(model.getAssociatedPolicies().stream().map(policy -> {
- PolicyRepresentation representation1 = new PolicyRepresentation();
-
- representation1.setId(policy.getId());
- representation1.setName(policy.getName());
- representation1.setType(policy.getType());
-
- return representation1;
- }).collect(Collectors.toList())).build();
+ return policyStore.create(representation, resourceServer);
}
@Path("/search")
@GET
- @Produces("application/json")
+ @Produces(MediaType.APPLICATION_JSON)
@NoCache
- public Response find(@QueryParam("name") String name) {
+ public Response findByName(@QueryParam("name") String name) {
this.auth.requireView();
StoreFactory storeFactory = authorization.getStoreFactory();
@@ -290,11 +143,11 @@ public class PolicyService {
return Response.status(Status.OK).build();
}
- return Response.ok(toRepresentation(model)).build();
+ return Response.ok(toRepresentation(model, authorization)).build();
}
@GET
- @Produces("application/json")
+ @Produces(MediaType.APPLICATION_JSON)
@NoCache
public Response findAll(@QueryParam("policyId") String id,
@QueryParam("name") String name,
@@ -363,15 +216,24 @@ public class PolicyService {
}
return Response.ok(
- policyStore.findByResourceServer(search, resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS).stream()
- .map(policy -> toRepresentation(policy))
- .collect(Collectors.toList()))
+ doSearch(firstResult, maxResult, search))
.build();
}
+ protected AbstractPolicyRepresentation toRepresentation(Policy model, AuthorizationProvider authorization) {
+ return ModelToRepresentation.toRepresentation(model, PolicyRepresentation.class, authorization);
+ }
+
+ protected List<Object> doSearch(Integer firstResult, Integer maxResult, Map<String, String[]> filters) {
+ PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore();
+ return policyStore.findByResourceServer(filters, resourceServer.getId(), firstResult != null ? firstResult : -1, maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS).stream()
+ .map(policy -> toRepresentation(policy, authorization))
+ .collect(Collectors.toList());
+ }
+
@Path("providers")
@GET
- @Produces("application/json")
+ @Produces(MediaType.APPLICATION_JSON)
@NoCache
public Response findPolicyProviders() {
this.auth.requireView();
@@ -400,20 +262,12 @@ public class PolicyService {
return resource;
}
- @Path("{policyType}")
- public Object getPolicyTypeResource(@PathParam("policyType") String policyType) {
- this.auth.requireView();
- return getPolicyProviderAdminResource(policyType, this.authorization);
+ protected PolicyProviderAdminService getPolicyProviderAdminResource(String policyType) {
+ return getPolicyProviderFactory(policyType).getAdminResource(resourceServer, authorization);
}
- private PolicyProviderAdminService getPolicyProviderAdminResource(String policyType, AuthorizationProvider authorization) {
- PolicyProviderFactory providerFactory = authorization.getProviderFactory(policyType);
-
- if (providerFactory != null) {
- return providerFactory.getAdminResource(this.resourceServer);
- }
-
- return null;
+ protected PolicyProviderFactory getPolicyProviderFactory(String policyType) {
+ return authorization.getProviderFactory(policyType);
}
private void findAssociatedPolicies(Policy policy, List<Policy> policies) {
diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyTypeResourceService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyTypeResourceService.java
new file mode 100644
index 0000000..8756721
--- /dev/null
+++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyTypeResourceService.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.authorization.admin;
+
+import java.io.IOException;
+
+import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.model.Policy;
+import org.keycloak.authorization.model.ResourceServer;
+import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
+import org.keycloak.models.utils.ModelToRepresentation;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
+import org.keycloak.services.resources.admin.RealmAuth;
+import org.keycloak.util.JsonSerialization;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class PolicyTypeResourceService extends PolicyResourceService {
+
+ public PolicyTypeResourceService(Policy policy, ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
+ super(policy, resourceServer, authorization, auth);
+ }
+
+ @Override
+ protected AbstractPolicyRepresentation doCreateRepresentation(String payload) {
+ String type = getPolicy().getType();
+ Class<? extends AbstractPolicyRepresentation> representationType = authorization.getProviderFactory(type).getRepresentationType();
+
+ if (representationType == null) {
+ throw new RuntimeException("Policy provider for type [" + type + "] returned a null representation type.");
+ }
+
+ AbstractPolicyRepresentation representation;
+
+ try {
+ representation = JsonSerialization.readValue(payload, representationType);
+ } catch (IOException e) {
+ throw new RuntimeException("Failed to deserialize JSON using policy provider for type [" + type + "].", e);
+ }
+
+ representation.setType(type);
+
+ return representation;
+ }
+
+ @Override
+ protected AbstractPolicyRepresentation toRepresentation(Policy policy, AuthorizationProvider authorization) {
+ PolicyProviderFactory providerFactory = authorization.getProviderFactory(policy.getType());
+ return ModelToRepresentation.toRepresentation(policy, providerFactory.getRepresentationType(), authorization);
+ }
+}
diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyTypeService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyTypeService.java
new file mode 100644
index 0000000..c2e4db5
--- /dev/null
+++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyTypeService.java
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.authorization.admin;
+
+import java.io.IOException;
+
+import javax.ws.rs.Path;
+
+import org.jboss.resteasy.spi.ResteasyProviderFactory;
+import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.model.Policy;
+import org.keycloak.authorization.model.ResourceServer;
+import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
+import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
+import org.keycloak.models.utils.ModelToRepresentation;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
+import org.keycloak.services.resources.admin.RealmAuth;
+import org.keycloak.util.JsonSerialization;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class PolicyTypeService extends PolicyService {
+
+ private final String type;
+
+ PolicyTypeService(String type, ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
+ super(resourceServer, authorization, auth);
+ this.type = type;
+ }
+
+ @Path("/provider")
+ public Object getPolicyAdminResourceProvider() {
+ PolicyProviderAdminService resource = getPolicyProviderAdminResource(type);
+
+ if (resource == null) {
+ return null;
+ }
+
+ ResteasyProviderFactory.getInstance().injectProperties(resource);
+
+ return resource;
+ }
+
+ @Override
+ protected Object doCreatePolicyResource(Policy policy) {
+ return new PolicyTypeResourceService(policy, resourceServer,authorization, auth);
+ }
+
+ @Override
+ protected AbstractPolicyRepresentation doCreateRepresentation(String payload) {
+ PolicyProviderFactory provider = getPolicyProviderFactory(type);
+ Class<? extends AbstractPolicyRepresentation> representationType = provider.getRepresentationType();
+
+ if (representationType == null) {
+ throw new RuntimeException("Policy provider for type [" + type + "] returned a null representation type.");
+ }
+
+ AbstractPolicyRepresentation representation;
+
+ try {
+ representation = JsonSerialization.readValue(payload, representationType);
+ } catch (IOException e) {
+ throw new RuntimeException("Failed to deserialize JSON using policy provider for type [" + type + "].", e);
+ }
+
+ representation.setType(type);
+
+ return representation;
+ }
+
+ @Override
+ protected AbstractPolicyRepresentation toRepresentation(Policy policy, AuthorizationProvider authorization) {
+ PolicyProviderFactory providerFactory = authorization.getProviderFactory(policy.getType());
+ return ModelToRepresentation.toRepresentation(policy, providerFactory.getRepresentationType(), authorization);
+ }
+}
diff --git a/services/src/main/java/org/keycloak/authorization/admin/ResourceServerService.java b/services/src/main/java/org/keycloak/authorization/admin/ResourceServerService.java
index 52d6a38..15f1db7 100644
--- a/services/src/main/java/org/keycloak/authorization/admin/ResourceServerService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/ResourceServerService.java
@@ -17,6 +17,22 @@
*/
package org.keycloak.authorization.admin;
+import static org.keycloak.models.utils.ModelToRepresentation.toRepresentation;
+
+import java.io.IOException;
+import java.util.HashMap;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriInfo;
+
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.ResourceServer;
@@ -34,25 +50,11 @@ import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
import org.keycloak.services.resources.admin.RealmAuth;
-import javax.ws.rs.Consumes;
-import javax.ws.rs.GET;
-import javax.ws.rs.POST;
-import javax.ws.rs.PUT;
-import javax.ws.rs.Path;
-import javax.ws.rs.Produces;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
-import java.io.IOException;
-import java.util.HashMap;
-
-import static org.keycloak.models.utils.ModelToRepresentation.toRepresentation;
-
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
@@ -171,22 +173,26 @@ public class ResourceServerService {
return resource;
}
+ @Path("/permission")
+ public Object getPermissionTypeResource() {
+ this.auth.requireView();
+ PermissionService resource = new PermissionService(this.resourceServer, this.authorization, this.auth);
+
+ ResteasyProviderFactory.getInstance().injectProperties(resource);
+
+ return resource;
+ }
+
private void createDefaultPermission(ResourceRepresentation resource, PolicyRepresentation policy) {
- PolicyRepresentation defaultPermission = new PolicyRepresentation();
+ ResourcePermissionRepresentation defaultPermission = new ResourcePermissionRepresentation();
defaultPermission.setName("Default Permission");
- defaultPermission.setType("resource");
defaultPermission.setDescription("A permission that applies to the default resource type");
defaultPermission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
defaultPermission.setLogic(Logic.POSITIVE);
- HashMap<String, String> defaultPermissionConfig = new HashMap<>();
-
- defaultPermissionConfig.put("default", "true");
- defaultPermissionConfig.put("defaultResourceType", resource.getType());
- defaultPermissionConfig.put("applyPolicies", "[\"" + policy.getName() + "\"]");
-
- defaultPermission.setConfig(defaultPermissionConfig);
+ defaultPermission.setResourceType(resource.getType());
+ defaultPermission.addPolicy(policy.getName());
getPolicyResource().create(defaultPermission);
}
diff --git a/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java b/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java
index bb241d8..5d65923 100644
--- a/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/ResourceSetService.java
@@ -58,7 +58,6 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
-import java.util.function.Function;
import java.util.stream.Collectors;
import static org.keycloak.models.utils.ModelToRepresentation.toRepresentation;
diff --git a/services/src/main/java/org/keycloak/authorization/admin/ScopeService.java b/services/src/main/java/org/keycloak/authorization/admin/ScopeService.java
index 7724830..1ec9a13 100644
--- a/services/src/main/java/org/keycloak/authorization/admin/ScopeService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/ScopeService.java
@@ -41,6 +41,7 @@ import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
@@ -69,8 +70,8 @@ public class ScopeService {
}
@POST
- @Consumes("application/json")
- @Produces("application/json")
+ @Consumes(MediaType.APPLICATION_JSON)
+ @Produces(MediaType.APPLICATION_JSON)
public Response create(ScopeRepresentation scope) {
this.auth.requireManage();
Scope model = toModel(scope, this.resourceServer, authorization);
@@ -82,8 +83,8 @@ public class ScopeService {
@Path("{id}")
@PUT
- @Consumes("application/json")
- @Produces("application/json")
+ @Consumes(MediaType.APPLICATION_JSON)
+ @Produces(MediaType.APPLICATION_JSON)
public Response update(@PathParam("id") String id, ScopeRepresentation scope) {
this.auth.requireManage();
scope.setId(id);
@@ -134,7 +135,7 @@ public class ScopeService {
@Path("{id}")
@GET
- @Produces("application/json")
+ @Produces(MediaType.APPLICATION_JSON)
public Response findById(@PathParam("id") String id) {
this.auth.requireView();
Scope model = this.authorization.getStoreFactory().getScopeStore().findById(id, resourceServer.getId());
@@ -148,7 +149,7 @@ public class ScopeService {
@Path("{id}/resources")
@GET
- @Produces("application/json")
+ @Produces(MediaType.APPLICATION_JSON)
public Response getResources(@PathParam("id") String id) {
this.auth.requireView();
StoreFactory storeFactory = this.authorization.getStoreFactory();
@@ -170,7 +171,7 @@ public class ScopeService {
@Path("{id}/permissions")
@GET
- @Produces("application/json")
+ @Produces(MediaType.APPLICATION_JSON)
public Response getPermissions(@PathParam("id") String id) {
this.auth.requireView();
StoreFactory storeFactory = this.authorization.getStoreFactory();
@@ -195,7 +196,7 @@ public class ScopeService {
@Path("/search")
@GET
- @Produces("application/json")
+ @Produces(MediaType.APPLICATION_JSON)
@NoCache
public Response find(@QueryParam("name") String name) {
this.auth.requireView();
diff --git a/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java b/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java
index 7891e18..6b5b027 100644
--- a/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java
+++ b/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java
@@ -139,12 +139,19 @@ public class KeycloakIdentity implements Identity {
if (this.accessToken.getClientSession() != null) {
ClientSessionModel clientSession = this.keycloakSession.sessions().getClientSession(this.accessToken.getClientSession());
- clientUser = this.keycloakSession.users().getServiceAccount(clientSession.getClient());
- } else if (this.accessToken.getIssuedFor() != null) {
- ClientModel clientModel = this.keycloakSession.realms().getClientById(this.accessToken.getIssuedFor(), this.realm);
- clientUser = this.keycloakSession.users().getServiceAccount(clientModel);
+
+ if (clientSession != null) {
+ clientUser = this.keycloakSession.users().getServiceAccount(clientSession.getClient());
+ }
}
+ if (this.accessToken.getIssuedFor() != null) {
+ ClientModel clientModel = this.keycloakSession.realms().getClientById(this.accessToken.getIssuedFor(), this.realm);
+
+ if (clientModel != null) {
+ clientUser = this.keycloakSession.users().getServiceAccount(clientModel);
+ }
+ }
if (clientUser == null) {
return false;
diff --git a/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java b/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java
index 159e5aa..cc06284 100644
--- a/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java
+++ b/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java
@@ -21,7 +21,6 @@ package org.keycloak.authorization;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.concurrent.Executor;
import org.keycloak.Config;
import org.keycloak.authorization.policy.provider.PolicyProvider;
@@ -38,7 +37,6 @@ import org.keycloak.provider.ProviderFactory;
*/
public class DefaultAuthorizationProviderFactory implements AuthorizationProviderFactory {
- private Executor scheduler;
private Map<String, PolicyProviderFactory> policyProviderFactories;
@Override
@@ -48,15 +46,6 @@ public class DefaultAuthorizationProviderFactory implements AuthorizationProvide
@Override
public void init(Config.Scope config) {
- //TODO: user-defined configuration
-// Executor executor = Executors.newWorkStealingPool();
-// this.scheduler = command -> {
-// Map<Class<?>, Object> contextDataMap = ResteasyProviderFactory.getContextDataMap();
-// executor.execute(() -> {
-// ResteasyProviderFactory.pushContextDataMap(contextDataMap);
-// command.run();
-// });
-// };
}
@Override
@@ -77,11 +66,9 @@ public class DefaultAuthorizationProviderFactory implements AuthorizationProvide
@Override
public AuthorizationProvider create(KeycloakSession session, RealmModel realm) {
StoreFactory storeFactory = session.getProvider(CachedStoreFactoryProvider.class);
-
if (storeFactory == null) {
storeFactory = session.getProvider(StoreFactory.class);
}
-
return new AuthorizationProvider(session, realm, storeFactory, policyProviderFactories);
}
diff --git a/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java b/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
index 620916c..326deb6 100644
--- a/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
+++ b/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
@@ -139,7 +139,7 @@ public class EntitlementService {
.allowedOrigins(identity.getAccessToken())
.exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
} else {
- asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements)))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
+ asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements, identity.getAccessToken())))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
}
}
});
@@ -192,7 +192,7 @@ public class EntitlementService {
.allowedOrigins(identity.getAccessToken())
.exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
} else {
- asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements)))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
+ asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements, identity.getAccessToken())))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
}
}
});
@@ -207,8 +207,7 @@ public class EntitlementService {
}
}
- private String createRequestingPartyToken(List<Permission> permissions) {
- AccessToken accessToken = Tokens.getAccessToken(this.authorization.getKeycloakSession());
+ private String createRequestingPartyToken(List<Permission> permissions, AccessToken accessToken) {
RealmModel realm = this.authorization.getKeycloakSession().getContext().getRealm();
AccessToken.Authorization authorization = new AccessToken.Authorization();
diff --git a/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java b/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java
index 403551f..51ed405 100755
--- a/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java
+++ b/services/src/main/java/org/keycloak/exportimport/util/ExportUtils.java
@@ -337,7 +337,7 @@ public class ExportUtils {
RealmModel realm = authorizationProvider.getRealm();
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
try {
- PolicyRepresentation rep = toRepresentation(policy);
+ PolicyRepresentation rep = toRepresentation(policy, PolicyRepresentation.class, authorizationProvider);
rep.setId(null);
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/AbstractPhotozAdminTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/AbstractPhotozAdminTest.java
index 642e116..7be8fb4 100644
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/AbstractPhotozAdminTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/AbstractPhotozAdminTest.java
@@ -38,7 +38,9 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
+import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.util.JsonSerialization;
@@ -246,10 +248,14 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
return onAuthorizationSession(authorizationProvider -> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
- Policy policy = policyStore.create("Administration Policy", "aggregate", resourceServer);
+ PolicyRepresentation representation = new PolicyRepresentation();
- policy.addAssociatedPolicy(anyAdminPolicy);
- policy.addAssociatedPolicy(onlyFromSpecificAddressPolicy);
+ representation.setName("Administration Policy");
+ representation.setType("aggregate");
+ representation.addPolicy(anyAdminPolicy.getName());
+ representation.addPolicy(onlyFromSpecificAddressPolicy.getName());
+
+ Policy policy = policyStore.create(representation, resourceServer);
return policy;
});
@@ -259,19 +265,22 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
return onAuthorizationSession(authorizationProvider -> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
- Policy policy = policyStore.create("Only From a Specific Client Address", "js", resourceServer);
+ PolicyRepresentation representation = new PolicyRepresentation();
+
+ representation.setName("Only From a Specific Client Address");
+ representation.setType("js");
HashedMap config = new HashedMap();
config.put("code",
"var contextAttributes = $evaluation.getContext().getAttributes();" +
- "var networkAddress = contextAttributes.getValue('kc.client.network.ip_address');" +
- "if ('127.0.0.1'.equals(networkAddress.asInetAddress(0).getHostAddress())) {" +
- "$evaluation.grant();" +
- "}");
+ "var networkAddress = contextAttributes.getValue('kc.client.network.ip_address');" +
+ "if ('127.0.0.1'.equals(networkAddress.asInetAddress(0).getHostAddress())) {" +
+ "$evaluation.grant();" +
+ "}");
- policy.setConfig(config);
+ representation.setConfig(config);
- return policy;
+ return policyStore.create(representation, resourceServer);
});
}
@@ -279,24 +288,13 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
return onAuthorizationSession(authorizationProvider -> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
- Policy policy = policyStore.create("Any Admin Policy", "role", resourceServer);
- HashedMap config = new HashedMap();
- RealmModel realm = authorizationProvider.getKeycloakSession().realms().getRealmByName(TEST_REALM_NAME);
- RoleModel adminRole = realm.getRole("admin");
-
- Map role = new HashMap();
-
- role.put("id", adminRole.getId());
-
- try {
- config.put("roles", JsonSerialization.writeValueAsString(new Map[] {role}));
- } catch (IOException e) {
- throw new RuntimeException(e);
- }
+ RolePolicyRepresentation representation = new RolePolicyRepresentation();
- policy.setConfig(config);
+ representation.setName("Any Admin Policy");
+ representation.setType("role");
+ representation.addRole("admin", false);
- return policy;
+ return policyStore.create(representation, resourceServer);
});
}
@@ -358,7 +356,11 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
return onAuthorizationSession(authorizationProvider -> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
- Policy policy = policyStore.create("Any User Policy", "role", resourceServer);
+ PolicyRepresentation representation = new PolicyRepresentation();
+
+ representation.setName("Any User Policy");
+ representation.setType("role");
+
HashedMap config = new HashedMap();
RealmModel realm = authorizationProvider.getKeycloakSession().realms().getRealmByName(TEST_REALM_NAME);
RoleModel userRole = realm.getRole("user");
@@ -373,7 +375,9 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
throw new RuntimeException(e);
}
- policy.setConfig(config);
+ representation.setConfig(config);
+
+ Policy policy = policyStore.create(representation, resourceServer);
return policy;
});
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/ResourcePermissionManagementTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/ResourcePermissionManagementTest.java
index 4708a2a..be17a80 100644
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/ResourcePermissionManagementTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/ResourcePermissionManagementTest.java
@@ -46,12 +46,9 @@ import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
-import java.util.function.Function;
-import java.util.function.Predicate;
import java.util.stream.Collectors;
import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
@@ -392,7 +389,10 @@ public class ResourcePermissionManagementTest extends AbstractPhotozAdminTest {
return onAuthorizationSession(authorizationProvider -> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
- Policy policy = policyStore.create("Client-Based Policy", "client", resourceServer);
+ PolicyRepresentation representation = new PolicyRepresentation();
+
+ representation.setName("Client-Based Policy");
+ representation.setType("client");
List<String> clientIds = new ArrayList<>();
for (ClientModel client : allowedClients) {
@@ -408,9 +408,9 @@ public class ResourcePermissionManagementTest extends AbstractPhotozAdminTest {
throw new RuntimeException(e);
}
- policy.setConfig(config);
+ representation.setConfig(config);
- return policy;
+ return policyStore.create(representation, resourceServer);
});
}
diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authorization/TestPolicyProviderFactory.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authorization/TestPolicyProviderFactory.java
index b3a0475..8e07ee2 100644
--- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authorization/TestPolicyProviderFactory.java
+++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authorization/TestPolicyProviderFactory.java
@@ -47,7 +47,7 @@ public class TestPolicyProviderFactory implements PolicyProviderFactory {
}
@Override
- public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer) {
+ public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null;
}
diff --git a/testsuite/integration-arquillian/tests/base/pom.xml b/testsuite/integration-arquillian/tests/base/pom.xml
index 02cd878..65081de 100644
--- a/testsuite/integration-arquillian/tests/base/pom.xml
+++ b/testsuite/integration-arquillian/tests/base/pom.xml
@@ -96,6 +96,7 @@
<filtering>true</filtering>
<includes>
<include>migration-test/*</include>
+ <include>authorization-test/*</include>
</includes>
</testResource>
<testResource>
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/PhotozClientAuthzTestApp.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/PhotozClientAuthzTestApp.java
index 8f5018c..4d11f93 100644
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/PhotozClientAuthzTestApp.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/PhotozClientAuthzTestApp.java
@@ -108,11 +108,13 @@ public class PhotozClientAuthzTestApp extends AbstractPageWithInjectedUrl {
public void requestEntitlement() {
entitlement.click();
pause(WAIT_AFTER_OPERATION);
+ pause(WAIT_AFTER_OPERATION);
}
public void requestEntitlements() {
entitlements.click();
pause(WAIT_AFTER_OPERATION);
+ pause(WAIT_AFTER_OPERATION);
}
public void login(String username, String password, String... scopes) throws InterruptedException {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java
index fd27852..de1a2de 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractServletAuthzAdapterTest.java
@@ -16,6 +16,22 @@
*/
package org.keycloak.testsuite.adapter.example.authorization;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.keycloak.testsuite.util.IOUtil.loadJson;
+import static org.keycloak.testsuite.util.IOUtil.loadRealm;
+import static org.keycloak.testsuite.util.WaitUtils.pause;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+
import org.jboss.arquillian.container.test.api.Deployer;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.test.api.ArquillianResource;
@@ -41,22 +57,6 @@ import org.keycloak.util.JsonSerialization;
import org.openqa.selenium.By;
import org.openqa.selenium.WebElement;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.List;
-
-import static org.junit.Assert.assertFalse;
-import static org.junit.Assert.assertTrue;
-import static org.keycloak.testsuite.util.IOUtil.loadJson;
-import static org.keycloak.testsuite.util.IOUtil.loadRealm;
-import static org.keycloak.testsuite.util.WaitUtils.pause;
-
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
@@ -82,17 +82,9 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
return exampleDeployment(RESOURCE_SERVER_ID);
}
- @Override
- public void beforeAbstractKeycloakTest() throws Exception {
- super.beforeAbstractKeycloakTest();
- importResourceServerSettings();
- }
-
@Test
public void testRegularUserPermissions() throws Exception {
- try {
- this.deployer.deploy(RESOURCE_SERVER_ID);
-
+ performTests(() -> {
login("alice", "alice");
assertFalse(wasDenied());
assertTrue(hasLink("User Premium"));
@@ -111,16 +103,12 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
navigateToAdminPage();
assertTrue(wasDenied());
- } finally {
- this.deployer.undeploy(RESOURCE_SERVER_ID);
- }
+ });
}
@Test
public void testUserPremiumPermissions() throws Exception {
- try {
- this.deployer.deploy(RESOURCE_SERVER_ID);
-
+ performTests(() -> {
login("jdoe", "jdoe");
assertFalse(wasDenied());
assertTrue(hasLink("User Premium"));
@@ -139,16 +127,12 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
navigateToAdminPage();
assertTrue(wasDenied());
- } finally {
- this.deployer.undeploy(RESOURCE_SERVER_ID);
- }
+ });
}
@Test
public void testAdminPermissions() throws Exception {
- try {
- this.deployer.deploy(RESOURCE_SERVER_ID);
-
+ performTests(() -> {
login("admin", "admin");
assertFalse(wasDenied());
assertTrue(hasLink("User Premium"));
@@ -167,16 +151,12 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
navigateToAdminPage();
assertFalse(wasDenied());
- } finally {
- this.deployer.undeploy(RESOURCE_SERVER_ID);
- }
+ });
}
@Test
public void testGrantPremiumAccessToUser() throws Exception {
- try {
- this.deployer.deploy(RESOURCE_SERVER_ID);
-
+ performTests(() -> {
login("alice", "alice");
assertFalse(wasDenied());
@@ -233,16 +213,12 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
navigateToUserPremiumPage();
assertFalse(wasDenied());
- } finally {
- this.deployer.undeploy(RESOURCE_SERVER_ID);
- }
+ });
}
@Test
public void testGrantAdministrativePermissions() throws Exception {
- try {
- this.deployer.deploy(RESOURCE_SERVER_ID);
-
+ performTests(() -> {
login("jdoe", "jdoe");
navigateToAdminPage();
@@ -263,23 +239,30 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
navigateToAdminPage();
assertFalse(wasDenied());
- } finally {
- this.deployer.undeploy(RESOURCE_SERVER_ID);
- }
+ });
}
//KEYCLOAK-3830
@Test
public void testAccessPublicResource() throws Exception {
- try {
- this.deployer.deploy(RESOURCE_SERVER_ID);
-
+ performTests(() -> {
driver.navigate().to(getResourceServerUrl() + "/public-html.html");
WaitUtils.waitForPageToLoad(driver);
assertTrue(hasText("This is public resource that should be accessible without login."));
-
+ });
+ }
+
+ private void performTests(TestRunnable assertion) {
+ try {
+ importResourceServerSettings();
+ deployer.deploy(RESOURCE_SERVER_ID);
+ assertion.run();
+ } catch (FileNotFoundException cause) {
+ throw new RuntimeException("Failed to import authorization settings", cause);
+ } catch (Exception cause) {
+ throw new RuntimeException("Error while executing tests", cause);
} finally {
- this.deployer.undeploy(RESOURCE_SERVER_ID);
+ deployer.undeploy(RESOURCE_SERVER_ID);
}
}
@@ -299,7 +282,7 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
getAuthorizationResource().importSettings(loadJson(new FileInputStream(new File(TEST_APPS_HOME_DIR + "/servlet-authz-app/servlet-authz-app-authz-service.json")), ResourceServerRepresentation.class));
}
- private AuthorizationResource getAuthorizationResource() throws FileNotFoundException {
+ private AuthorizationResource getAuthorizationResource() {
return getClientResource(RESOURCE_SERVER_ID).authorization();
}
@@ -317,18 +300,22 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
pause(500);
}
- private void login(String username, String password) throws InterruptedException {
- navigateTo();
- Thread.sleep(2000);
- if (this.driver.getCurrentUrl().startsWith(getResourceServerUrl().toString())) {
- Thread.sleep(2000);
- logOut();
+ private void login(String username, String password) {
+ try {
navigateTo();
- }
+ Thread.sleep(2000);
+ if (this.driver.getCurrentUrl().startsWith(getResourceServerUrl().toString())) {
+ Thread.sleep(2000);
+ logOut();
+ navigateTo();
+ }
- Thread.sleep(2000);
+ Thread.sleep(2000);
- this.loginPage.form().login(username, password);
+ this.loginPage.form().login(username, password);
+ } catch (Exception cause) {
+ throw new RuntimeException("Login failed", cause);
+ }
}
private void navigateTo() {
@@ -362,4 +349,8 @@ public abstract class AbstractServletAuthzAdapterTest extends AbstractExampleAda
navigateTo();
getLink("Administration").click();
}
+
+ private interface TestRunnable {
+ void run() throws Exception;
+ }
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
index 6f68ae1..69d8d6b 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
@@ -16,6 +16,10 @@
*/
package org.keycloak.testsuite.admin;
+import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
+
+import java.util.List;
+
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Test;
@@ -25,18 +29,14 @@ import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
-import org.keycloak.models.RoleModel;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
+import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
-
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-
-import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
+import org.keycloak.testsuite.util.ClientBuilder;
+import org.keycloak.testsuite.util.RealmBuilder;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@@ -51,37 +51,34 @@ public class AuthzCleanupTest extends AbstractKeycloakTest {
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
- RealmRepresentation testRealmRep = new RealmRepresentation();
- testRealmRep.setId(TEST);
- testRealmRep.setRealm(TEST);
- testRealmRep.setEnabled(true);
- testRealms.add(testRealmRep);
+ testRealms.add(RealmBuilder.create().name(TEST)
+ .client(ClientBuilder.create().clientId("myclient")
+ .secret("secret")
+ .authorizationServicesEnabled(true)
+ .redirectUris("http://localhost/myclient")
+ .defaultRoles("client-role-1", "client-role-2").build()).build());
}
public static void setup(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
- ClientModel client = session.realms().addClient(realm, "myclient");
- RoleModel role1 = client.addRole("client-role1");
- RoleModel role2 = client.addRole("client-role2");
-
+ session.getContext().setRealm(realm);
AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
- ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().create(client.getId());
- createRolePolicy(authz, resourceServer, role1);
- createRolePolicy(authz, resourceServer, role2);
-
-
+ ClientModel myclient = realm.getClientByClientId("myclient");
+ ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(myclient.getId());
+ createRolePolicy(authz, resourceServer, "client-role-1");
+ createRolePolicy(authz, resourceServer, "client-role-2");
}
- private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
- Policy policy = authz.getStoreFactory().getPolicyStore().create(role.getName(), "role", resourceServer);
+ private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, String roleName) {
+ RolePolicyRepresentation representation = new RolePolicyRepresentation();
+
+ representation.setName(roleName);
+ representation.setType("role");
+ representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
+ representation.setLogic(Logic.POSITIVE);
+ representation.addRole(roleName, true);
- String roleValues = "[{\"id\":\"" + role.getId() + "\",\"required\": true}]";
- policy.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
- policy.setLogic(Logic.POSITIVE);
- Map<String, String> config = new HashMap<>();
- config.put("roles", roleValues);
- policy.setConfig(config);
- return policy;
+ return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPermissionManagementTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPermissionManagementTest.java
new file mode 100644
index 0000000..264a888
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPermissionManagementTest.java
@@ -0,0 +1,169 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.testsuite.admin.client.authorization;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.function.Supplier;
+
+import org.junit.Before;
+import org.keycloak.admin.client.resource.ClientResource;
+import org.keycloak.admin.client.resource.ClientsResource;
+import org.keycloak.admin.client.resource.RealmResource;
+import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ResourceRepresentation;
+import org.keycloak.representations.idm.authorization.ScopeRepresentation;
+import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
+import org.keycloak.testsuite.AbstractKeycloakTest;
+import org.keycloak.testsuite.util.AdminClientUtil;
+import org.keycloak.testsuite.util.ClientBuilder;
+import org.keycloak.testsuite.util.RealmBuilder;
+import org.keycloak.testsuite.util.UserBuilder;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public abstract class AbstractPermissionManagementTest extends AbstractKeycloakTest {
+
+ @Override
+ public void addTestRealms(List<RealmRepresentation> testRealms) {
+ testRealms.add(createTestRealm().build());
+ }
+
+ protected RealmBuilder createTestRealm() {
+ return RealmBuilder.create().name("authz-test")
+ .user(UserBuilder.create().username("marta").password("password"))
+ .user(UserBuilder.create().username("kolo").password("password"))
+ .client(ClientBuilder.create().clientId("resource-server-test")
+ .secret("secret")
+ .authorizationServicesEnabled(true)
+ .redirectUris("http://localhost/resource-server-test")
+ .defaultRoles("uma_protection")
+ .directAccessGrants());
+ }
+
+ @Before
+ public void configureAuthorization() throws Exception {
+ createResourcesAndScopes();
+ RealmResource realm = getRealm();
+ createPolicies(realm, getClient(realm));
+ }
+
+ protected void assertRepresentation(AbstractPolicyRepresentation expected, AbstractPolicyRepresentation actual,
+ Supplier<List<ResourceRepresentation>> resources,
+ Supplier<List<ScopeRepresentation>> scopes,
+ Supplier<List<PolicyRepresentation>> policies) {
+ assertNotNull(actual);
+ assertNotNull(actual.getId());
+
+ assertEquals(expected.getName(), actual.getName());
+ assertEquals(expected.getDescription(), actual.getDescription());
+ assertEquals(expected.getDecisionStrategy(), actual.getDecisionStrategy());
+ assertEquals(expected.getLogic(), actual.getLogic());
+ assertNull(actual.getResources());
+ assertNull(actual.getPolicies());
+ assertNull(actual.getScopes());
+
+ List<PolicyRepresentation> associatedPolicies = policies.get();
+
+ if (expected.getPolicies() != null) {
+ assertEquals(expected.getPolicies().size(), associatedPolicies.size());
+ assertEquals(0, associatedPolicies.stream().map(representation1 -> representation1.getName()).filter(policyName -> !expected.getPolicies().contains(policyName)).count());
+ } else {
+ assertTrue(associatedPolicies.isEmpty());
+ }
+
+ List<ResourceRepresentation> associatedResources = resources.get();
+
+ if (expected.getResources() != null) {
+ assertEquals(expected.getResources().size(), associatedResources.size());
+ assertEquals(0, associatedResources.stream().map(representation1 -> representation1.getName()).filter(resourceName -> !expected.getResources().contains(resourceName)).count());
+ } else {
+ assertTrue(associatedResources.isEmpty());
+ }
+
+ List<ScopeRepresentation> associatedScopes = scopes.get();
+
+ if (expected.getScopes() != null) {
+ assertEquals(expected.getScopes().size(), associatedScopes.size());
+ assertEquals(0, associatedScopes.stream().map(representation1 -> representation1.getName()).filter(scopeName -> !expected.getScopes().contains(scopeName)).count());
+ } else {
+ assertTrue(associatedScopes.isEmpty());
+ }
+
+ expected.setId(actual.getId());
+ }
+
+ private void createResourcesAndScopes() throws IOException {
+ Set<ScopeRepresentation> scopes = new HashSet<>();
+
+ scopes.add(new ScopeRepresentation("read"));
+ scopes.add(new ScopeRepresentation("write"));
+ scopes.add(new ScopeRepresentation("execute"));
+
+ List<ResourceRepresentation> resources = new ArrayList<>();
+
+ resources.add(new ResourceRepresentation("Resource A", scopes));
+ resources.add(new ResourceRepresentation("Resource B", scopes));
+ resources.add(new ResourceRepresentation("Resource C", scopes));
+
+ resources.forEach(resource -> getClient().authorization().resources().create(resource));
+ }
+
+ private void createPolicies(RealmResource realm, ClientResource client) throws IOException {
+ createUserPolicy("Only Marta Policy", realm, client, "marta");
+ createUserPolicy("Only Kolo Policy", realm, client, "kolo");
+ }
+
+ private void createUserPolicy(String name, RealmResource realm, ClientResource client, String username) throws IOException {
+ String userId = realm.users().search(username).stream().map(representation -> representation.getId()).findFirst().orElseThrow(() -> new RuntimeException("Expected user [userId]"));
+
+ UserPolicyRepresentation representation = new UserPolicyRepresentation();
+
+ representation.setName(name);
+ representation.addUser(userId);
+
+ client.authorization().policies().users().create(representation);
+ }
+
+ protected ClientResource getClient() {
+ return getClient(getRealm());
+ }
+
+ protected ClientResource getClient(RealmResource realm) {
+ ClientsResource clients = realm.clients();
+ return clients.findByClientId("resource-server-test").stream().map(representation -> clients.get(representation.getId())).findFirst().orElseThrow(() -> new RuntimeException("Expected client [resource-server-test]"));
+ }
+
+ protected RealmResource getRealm() {
+ try {
+ return AdminClientUtil.createAdminClient().realm("authz-test");
+ } catch (Exception cause) {
+ throw new RuntimeException("Failed to create admin client", cause);
+ }
+ }
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ResourcePermissionManagementTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ResourcePermissionManagementTest.java
new file mode 100644
index 0000000..1deed22
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ResourcePermissionManagementTest.java
@@ -0,0 +1,165 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.testsuite.admin.client.authorization;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.util.Collections;
+
+import javax.ws.rs.NotFoundException;
+import javax.ws.rs.core.Response;
+
+import org.junit.Test;
+import org.keycloak.admin.client.resource.AuthorizationResource;
+import org.keycloak.admin.client.resource.ResourcePermissionResource;
+import org.keycloak.admin.client.resource.ResourcePermissionsResource;
+import org.keycloak.representations.idm.authorization.DecisionStrategy;
+import org.keycloak.representations.idm.authorization.Logic;
+import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class ResourcePermissionManagementTest extends AbstractPermissionManagementTest {
+
+ @Test
+ public void testCreateResourcePermission() {
+ AuthorizationResource authorization = getClient().authorization();
+ ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
+
+ representation.setName("Resource A Permission");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+ representation.addResource("Resource A");
+ representation.addPolicy("Only Marta Policy", "Only Kolo Policy");
+
+ assertCreated(authorization, representation);
+ }
+
+ @Test
+ public void testCreateResourceType() {
+ AuthorizationResource authorization = getClient().authorization();
+ ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
+
+ representation.setName("Resource A Type Permission");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+ representation.setResourceType("test-resource");
+ representation.addPolicy("Only Marta Policy");
+
+ assertCreated(authorization, representation);
+ }
+
+ @Test
+ public void testUpdate() {
+ AuthorizationResource authorization = getClient().authorization();
+ ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
+
+ representation.setName("Update Test Resource Permission");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+ representation.addResource("Resource A");
+ representation.addPolicy("Only Marta Policy", "Only Kolo Policy");
+
+ assertCreated(authorization, representation);
+
+ representation.setName("changed");
+ representation.setDescription("changed");
+ representation.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
+ representation.setLogic(Logic.POSITIVE);
+ representation.getResources().remove("Resource A");
+ representation.addResource("Resource B");
+ representation.getPolicies().remove("Only Marta Policy");
+
+ ResourcePermissionsResource permissions = authorization.permissions().resource();
+ ResourcePermissionResource permission = permissions.findById(representation.getId());
+
+ permission.update(representation);
+
+ assertRepresentation(representation, permission);
+
+ representation.getResources().clear();
+ representation.setResourceType("changed");
+
+ permission.update(representation);
+
+ assertRepresentation(representation, permission);
+ }
+
+ @Test
+ public void testDelete() {
+ AuthorizationResource authorization = getClient().authorization();
+ ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
+
+ representation.setName("Test Delete Permission");
+ representation.setResourceType("test-resource");
+ representation.addPolicy("Only Marta Policy");
+
+ ResourcePermissionsResource permissions = authorization.permissions().resource();
+ Response response = permissions.create(representation);
+ ResourcePermissionRepresentation created = response.readEntity(ResourcePermissionRepresentation.class);
+
+ permissions.findById(created.getId()).remove();
+
+ ResourcePermissionResource removed = permissions.findById(created.getId());
+
+ try {
+ removed.toRepresentation();
+ fail("Permission not removed");
+ } catch (NotFoundException ignore) {
+
+ }
+ }
+
+ @Test
+ public void failCreateWithSameName() {
+ AuthorizationResource authorization = getClient().authorization();
+ ResourcePermissionRepresentation permission1 = new ResourcePermissionRepresentation();
+
+ permission1.setName("Conflicting Name Permission");
+ permission1.setResourceType("test-resource");
+ permission1.addPolicy("Only Marta Policy");
+
+ ResourcePermissionsResource permissions = authorization.permissions().resource();
+
+ permissions.create(permission1);
+
+ ResourcePermissionRepresentation permission2 = new ResourcePermissionRepresentation();
+
+ permission2.setName(permission1.getName());
+
+ Response response = permissions.create(permission2);
+
+ assertEquals(Response.Status.CONFLICT.getStatusCode(), response.getStatus());
+ }
+
+ private void assertCreated(AuthorizationResource authorization, ResourcePermissionRepresentation representation) {
+ ResourcePermissionsResource permissions = authorization.permissions().resource();
+ Response response = permissions.create(representation);
+ ResourcePermissionRepresentation created = response.readEntity(ResourcePermissionRepresentation.class);
+ ResourcePermissionResource permission = permissions.findById(created.getId());
+ assertRepresentation(representation, permission);
+ }
+
+ private void assertRepresentation(ResourcePermissionRepresentation representation, ResourcePermissionResource permission) {
+ assertRepresentation(representation, permission.toRepresentation(), () -> permission.resources(), () -> Collections.emptyList(), () -> permission.associatedPolicies());
+ }
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java
new file mode 100644
index 0000000..1b4a701
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java
@@ -0,0 +1,211 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.testsuite.admin.client.authorization;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.Collections;
+import java.util.stream.Collectors;
+
+import javax.management.relation.Role;
+import javax.ws.rs.NotFoundException;
+import javax.ws.rs.core.Response;
+
+import org.junit.Test;
+import org.keycloak.admin.client.resource.AuthorizationResource;
+import org.keycloak.admin.client.resource.ClientResource;
+import org.keycloak.admin.client.resource.PolicyResource;
+import org.keycloak.admin.client.resource.RolePoliciesResource;
+import org.keycloak.admin.client.resource.RolePolicyResource;
+import org.keycloak.admin.client.resource.RolesResource;
+import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.representations.idm.RoleRepresentation;
+import org.keycloak.representations.idm.authorization.DecisionStrategy;
+import org.keycloak.representations.idm.authorization.Logic;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
+import org.keycloak.testsuite.util.RealmBuilder;
+import org.keycloak.testsuite.util.RolesBuilder;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class RolePolicyManagementTest extends AbstractPermissionManagementTest {
+
+ @Override
+ protected RealmBuilder createTestRealm() {
+ return super.createTestRealm().roles(
+ RolesBuilder.create()
+ .realmRole(new RoleRepresentation("Role A", "Role A description", false))
+ .realmRole(new RoleRepresentation("Role B", "Role B description", false))
+ .realmRole(new RoleRepresentation("Role C", "Role C description", false))
+ );
+ }
+
+ @Test
+ public void testCreateRealmRolePolicy() {
+ AuthorizationResource authorization = getClient().authorization();
+ RolePolicyRepresentation representation = new RolePolicyRepresentation();
+
+ representation.setName("Realm Role Policy");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+ representation.addRole("Role A", false);
+ representation.addRole("Role B", true);
+
+ assertCreated(authorization, representation);
+ }
+
+ @Test
+ public void testCreateClientRolePolicy() {
+ ClientResource client = getClient();
+ AuthorizationResource authorization = client.authorization();
+ RolePolicyRepresentation representation = new RolePolicyRepresentation();
+
+ representation.setName("Realm Client Role Policy");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+
+ RolesResource roles = client.roles();
+
+ roles.create(new RoleRepresentation("Client Role A", "desc", false));
+
+ ClientRepresentation clientRep = client.toRepresentation();
+
+ roles.create(new RoleRepresentation("Client Role B", "desc", false));
+
+ representation.addRole("Client Role A");
+ representation.addClientRole(clientRep.getClientId(), "Client Role B", true);
+
+ assertCreated(authorization, representation);
+ }
+
+ @Test
+ public void testUpdate() {
+ AuthorizationResource authorization = getClient().authorization();
+ RolePolicyRepresentation representation = new RolePolicyRepresentation();
+
+ representation.setName("Update Test Role Policy");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+ representation.addRole("Role A", false);
+ representation.addRole("Role B", true);
+ representation.addRole("Role C", false);
+
+ assertCreated(authorization, representation);
+
+ representation.setName("changed");
+ representation.setDescription("changed");
+ representation.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
+ representation.setLogic(Logic.POSITIVE);
+ representation.setRoles(representation.getRoles().stream().filter(roleDefinition -> !roleDefinition.getId().equals("Resource A")).collect(Collectors.toSet()));
+
+ RolePoliciesResource policies = authorization.policies().roles();
+ RolePolicyResource permission = policies.findById(representation.getId());
+
+ permission.update(representation);
+ assertRepresentation(representation, permission);
+
+ for (RolePolicyRepresentation.RoleDefinition roleDefinition : representation.getRoles()) {
+ if (roleDefinition.getId().equals("Role B")) {
+ roleDefinition.setRequired(false);
+ }
+ if (roleDefinition.getId().equals("Role C")) {
+ roleDefinition.setRequired(true);
+ }
+ }
+
+ permission.update(representation);
+ assertRepresentation(representation, permission);
+ }
+
+ @Test
+ public void testDelete() {
+ AuthorizationResource authorization = getClient().authorization();
+ RolePolicyRepresentation representation = new RolePolicyRepresentation();
+
+ representation.setName("Test Delete Permission");
+ representation.addRole("Role A", false);
+
+ RolePoliciesResource policies = authorization.policies().roles();
+ Response response = policies.create(representation);
+ RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
+
+ policies.findById(created.getId()).remove();
+
+ RolePolicyResource removed = policies.findById(created.getId());
+
+ try {
+ removed.toRepresentation();
+ fail("Permission not removed");
+ } catch (NotFoundException ignore) {
+
+ }
+ }
+
+ @Test
+ public void testGenericConfig() {
+ AuthorizationResource authorization = getClient().authorization();
+ RolePolicyRepresentation representation = new RolePolicyRepresentation();
+
+ representation.setName("Test Generic Config Permission");
+ representation.addRole("Role A", false);
+
+ RolePoliciesResource policies = authorization.policies().roles();
+ Response response = policies.create(representation);
+ RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
+
+ PolicyResource policy = authorization.policies().policy(created.getId());
+ PolicyRepresentation genericConfig = policy.toRepresentation();
+
+ assertNotNull(genericConfig.getConfig());
+ assertNotNull(genericConfig.getConfig().get("roles"));
+
+ RoleRepresentation role = getRealm().roles().get("Role A").toRepresentation();
+
+ assertTrue(genericConfig.getConfig().get("roles").contains(role.getId()));
+ }
+
+ private void assertCreated(AuthorizationResource authorization, RolePolicyRepresentation representation) {
+ RolePoliciesResource permissions = authorization.policies().roles();
+ Response response = permissions.create(representation);
+ RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
+ RolePolicyResource permission = permissions.findById(created.getId());
+ assertRepresentation(representation, permission);
+ }
+
+ private void assertRepresentation(RolePolicyRepresentation representation, RolePolicyResource permission) {
+ RolePolicyRepresentation actual = permission.toRepresentation();
+ assertRepresentation(representation, actual, () -> permission.resources(), () -> Collections.emptyList(), () -> permission.associatedPolicies());
+ assertEquals(representation.getRoles().size(), actual.getRoles().size());
+ ClientRepresentation clientRep = getClient().toRepresentation();
+ assertEquals(0, actual.getRoles().stream().filter(actualDefinition -> !representation.getRoles().stream()
+ .filter(roleDefinition -> (getRoleName(actualDefinition.getId()).equals(roleDefinition.getId()) || (clientRep.getClientId() + "/" + getRoleName(actualDefinition.getId())).equals(roleDefinition.getId())) && actualDefinition.isRequired() == roleDefinition.isRequired())
+ .findFirst().isPresent())
+ .count());
+ }
+
+ private String getRoleName(String id) {
+ return getRealm().rolesById().getRole(id).getName();
+ }
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ScopePermissionManagementTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ScopePermissionManagementTest.java
new file mode 100644
index 0000000..a833668
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/ScopePermissionManagementTest.java
@@ -0,0 +1,159 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.testsuite.admin.client.authorization;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import javax.ws.rs.NotFoundException;
+import javax.ws.rs.core.Response;
+
+import org.junit.Test;
+import org.keycloak.admin.client.resource.AuthorizationResource;
+import org.keycloak.admin.client.resource.ScopePermissionResource;
+import org.keycloak.admin.client.resource.ScopePermissionsResource;
+import org.keycloak.representations.idm.authorization.DecisionStrategy;
+import org.keycloak.representations.idm.authorization.Logic;
+import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class ScopePermissionManagementTest extends AbstractPermissionManagementTest {
+
+ @Test
+ public void testCreateResourceScopePermission() {
+ AuthorizationResource authorization = getClient().authorization();
+ ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
+
+ representation.setName("Resource A Scope Permission");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+ representation.addResource("Resource A");
+ representation.addScope("read", "execute");
+ representation.addPolicy("Only Marta Policy", "Only Kolo Policy");
+
+ assertCreated(authorization, representation);
+ }
+
+ @Test
+ public void testCreateScopePermission() {
+ AuthorizationResource authorization = getClient().authorization();
+ ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
+
+ representation.setName("Read Permission");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+ representation.addScope("read", "write");
+ representation.addPolicy("Only Marta Policy");
+
+ assertCreated(authorization, representation);
+ }
+
+ @Test
+ public void testUpdate() {
+ AuthorizationResource authorization = getClient().authorization();
+ ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
+
+ representation.setName("Update Test Scope Permission");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+ representation.addResource("Resource A");
+ representation.addScope("read", "execute");
+ representation.addPolicy("Only Marta Policy", "Only Kolo Policy");
+
+ assertCreated(authorization, representation);
+
+ representation.setName("changed");
+ representation.setDescription("changed");
+ representation.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
+ representation.setLogic(Logic.POSITIVE);
+ representation.getResources().remove("Resource A");
+ representation.addResource("Resource B");
+ representation.getScopes().remove("execute");
+ representation.getPolicies().remove("Only Marta Policy");
+
+ ScopePermissionsResource permissions = authorization.permissions().scope();
+ ScopePermissionResource permission = permissions.findById(representation.getId());
+
+ permission.update(representation);
+
+ assertRepresentation(representation, permission);
+ }
+
+ @Test
+ public void testDelete() {
+ AuthorizationResource authorization = getClient().authorization();
+ ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
+
+ representation.setName("Test Delete Permission");
+ representation.addScope("execute");
+ representation.addPolicy("Only Marta Policy");
+
+ assertCreated(authorization, representation);
+
+ ScopePermissionsResource permissions = authorization.permissions().scope();
+
+ permissions.findById(representation.getId()).remove();
+
+ ScopePermissionResource removed = permissions.findById(representation.getId());
+
+ try {
+ removed.toRepresentation();
+ fail("Permission not removed");
+ } catch (NotFoundException ignore) {
+
+ }
+ }
+
+ @Test
+ public void failCreateWithSameName() {
+ AuthorizationResource authorization = getClient().authorization();
+ ScopePermissionRepresentation permission1 = new ScopePermissionRepresentation();
+
+ permission1.setName("Conflicting Name Permission");
+ permission1.addScope("read");
+ permission1.addPolicy("Only Marta Policy");
+
+ ScopePermissionsResource permissions = authorization.permissions().scope();
+
+ permissions.create(permission1);
+
+ ScopePermissionRepresentation permission2 = new ScopePermissionRepresentation();
+
+ permission2.setName(permission1.getName());
+
+ Response response = permissions.create(permission2);
+
+ assertEquals(Response.Status.CONFLICT.getStatusCode(), response.getStatus());
+ }
+
+ private void assertCreated(AuthorizationResource authorization, ScopePermissionRepresentation representation) {
+ ScopePermissionsResource permissions = authorization.permissions().scope();
+ Response response = permissions.create(representation);
+ ScopePermissionRepresentation created = response.readEntity(ScopePermissionRepresentation.class);
+ ScopePermissionResource permission = permissions.findById(created.getId());
+ assertRepresentation(representation, permission);
+ }
+
+ private void assertRepresentation(ScopePermissionRepresentation representation, ScopePermissionResource permission) {
+ assertRepresentation(representation, permission.toRepresentation(), () -> permission.resources(), () -> permission.scopes(), () -> permission.associatedPolicies());
+ }
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/UserPolicyManagementTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/UserPolicyManagementTest.java
new file mode 100644
index 0000000..9a80d68
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/UserPolicyManagementTest.java
@@ -0,0 +1,172 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.testsuite.admin.client.authorization;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.Collections;
+import java.util.stream.Collectors;
+
+import javax.ws.rs.NotFoundException;
+import javax.ws.rs.core.Response;
+
+import org.junit.Test;
+import org.keycloak.admin.client.resource.AuthorizationResource;
+import org.keycloak.admin.client.resource.PolicyResource;
+import org.keycloak.admin.client.resource.UserPoliciesResource;
+import org.keycloak.admin.client.resource.UserPolicyResource;
+import org.keycloak.representations.idm.UserRepresentation;
+import org.keycloak.representations.idm.authorization.DecisionStrategy;
+import org.keycloak.representations.idm.authorization.Logic;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
+import org.keycloak.testsuite.util.RealmBuilder;
+import org.keycloak.testsuite.util.UserBuilder;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class UserPolicyManagementTest extends AbstractPermissionManagementTest {
+
+ @Override
+ protected RealmBuilder createTestRealm() {
+ return super.createTestRealm()
+ .user(UserBuilder.create().username("User A"))
+ .user(UserBuilder.create().username("User B"))
+ .user(UserBuilder.create().username("User C"));
+ }
+
+ @Test
+ public void testCreateUserPolicy() {
+ AuthorizationResource authorization = getClient().authorization();
+ UserPolicyRepresentation representation = new UserPolicyRepresentation();
+
+ representation.setName("Realm User Policy");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+ representation.addUser("User A");
+ representation.addUser("User B");
+
+ assertCreated(authorization, representation);
+ }
+
+ @Test
+ public void testUpdate() {
+ AuthorizationResource authorization = getClient().authorization();
+ UserPolicyRepresentation representation = new UserPolicyRepresentation();
+
+ representation.setName("Update Test User Policy");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+ representation.addUser("User A");
+ representation.addUser("User B");
+ representation.addUser("User C");
+
+ assertCreated(authorization, representation);
+
+ representation.setName("changed");
+ representation.setDescription("changed");
+ representation.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
+ representation.setLogic(Logic.POSITIVE);
+ representation.setUsers(representation.getUsers().stream().filter(userName -> !userName.equals("User A")).collect(Collectors.toSet()));
+
+ UserPoliciesResource policies = authorization.policies().users();
+ UserPolicyResource permission = policies.findById(representation.getId());
+
+ permission.update(representation);
+ assertRepresentation(representation, permission);
+
+ representation.setUsers(representation.getUsers().stream().filter(userName -> !userName.equals("User C")).collect(Collectors.toSet()));
+
+ permission.update(representation);
+ assertRepresentation(representation, permission);
+ }
+
+ @Test
+ public void testDelete() {
+ AuthorizationResource authorization = getClient().authorization();
+ UserPolicyRepresentation representation = new UserPolicyRepresentation();
+
+ representation.setName("Test Delete Permission");
+ representation.addUser("User A");
+
+ UserPoliciesResource policies = authorization.policies().users();
+ Response response = policies.create(representation);
+ UserPolicyRepresentation created = response.readEntity(UserPolicyRepresentation.class);
+
+ policies.findById(created.getId()).remove();
+
+ UserPolicyResource removed = policies.findById(created.getId());
+
+ try {
+ removed.toRepresentation();
+ fail("Permission not removed");
+ } catch (NotFoundException ignore) {
+
+ }
+ }
+
+ @Test
+ public void testGenericConfig() {
+ AuthorizationResource authorization = getClient().authorization();
+ UserPolicyRepresentation representation = new UserPolicyRepresentation();
+
+ representation.setName("Test Generic Config Permission");
+ representation.addUser("User A");
+
+ UserPoliciesResource policies = authorization.policies().users();
+ Response response = policies.create(representation);
+ UserPolicyRepresentation created = response.readEntity(UserPolicyRepresentation.class);
+
+ PolicyResource policy = authorization.policies().policy(created.getId());
+ PolicyRepresentation genericConfig = policy.toRepresentation();
+
+ assertNotNull(genericConfig.getConfig());
+ assertNotNull(genericConfig.getConfig().get("users"));
+
+ UserRepresentation user = getRealm().users().search("User A").get(0);
+
+ assertTrue(genericConfig.getConfig().get("users").contains(user.getId()));
+ }
+
+ private void assertCreated(AuthorizationResource authorization, UserPolicyRepresentation representation) {
+ UserPoliciesResource permissions = authorization.policies().users();
+ Response response = permissions.create(representation);
+ UserPolicyRepresentation created = response.readEntity(UserPolicyRepresentation.class);
+ UserPolicyResource permission = permissions.findById(created.getId());
+ assertRepresentation(representation, permission);
+ }
+
+ private void assertRepresentation(UserPolicyRepresentation representation, UserPolicyResource permission) {
+ UserPolicyRepresentation actual = permission.toRepresentation();
+ assertRepresentation(representation, actual, () -> permission.resources(), () -> Collections.emptyList(), () -> permission.associatedPolicies());
+ assertEquals(representation.getUsers().size(), actual.getUsers().size());
+ assertEquals(0, actual.getUsers().stream().filter(userId -> !representation.getUsers().stream()
+ .filter(userName -> getUserName(userId).equalsIgnoreCase(userName))
+ .findFirst().isPresent())
+ .count());
+ }
+
+ private String getUserName(String id) {
+ return getRealm().users().get(id).toRepresentation().getUsername();
+ }
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminLocalTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminLocalTest.java
index a533c41..ee28edd 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminLocalTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminLocalTest.java
@@ -39,6 +39,8 @@ import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import java.util.HashMap;
@@ -102,21 +104,16 @@ public class FineGrainAdminLocalTest extends AbstractKeycloakTest {
}
private static Policy addScopePermission(AuthorizationProvider authz, ResourceServer resourceServer, String name, Resource resource, Scope scope, Policy policy) {
- Policy permission = authz.getStoreFactory().getPolicyStore().create(name, "scope", resourceServer);
- String resources = "[\"" + resource.getId() + "\"]";
- String scopes = "[\"" + scope.getId() + "\"]";
- String applyPolicies = "[\"" + policy.getId() + "\"]";
- Map<String, String> config = new HashMap<>();
- config.put("resources", resources);
- config.put("scopes", scopes);
- config.put("applyPolicies", applyPolicies);
- permission.setConfig(config);
- permission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
- permission.setLogic(Logic.POSITIVE);
- permission.addResource(resource);
- permission.addScope(scope);
- permission.addAssociatedPolicy(policy);
- return permission;
+ ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
+
+ representation.setName(name);
+ representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
+ representation.setLogic(Logic.POSITIVE);
+ representation.addResource(resource.getName());
+ representation.addScope(scope.getName());
+ representation.addPolicy(policy.getName());
+
+ return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
private static Resource createRoleResource(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
@@ -144,15 +141,18 @@ public class FineGrainAdminLocalTest extends AbstractKeycloakTest {
roleName = client.getClientId() ;
}
roleName = "role.policy." + roleName + "." + role.getName();
- Policy policy = authz.getStoreFactory().getPolicyStore().create(roleName, "role", resourceServer);
+ PolicyRepresentation representation = new PolicyRepresentation();
+ representation.setName(roleName);
+ representation.setType("role");
+ representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
+ representation.setLogic(Logic.POSITIVE);
String roleValues = "[{\"id\":\"" + role.getId() + "\",\"required\": true}]";
- policy.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
- policy.setLogic(Logic.POSITIVE);
Map<String, String> config = new HashMap<>();
config.put("roles", roleValues);
- policy.setConfig(config);
- return policy;
+ representation.setConfig(config);
+
+ return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
public static void setupUsers(KeycloakSession session) {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ConflictingScopePermissionTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ConflictingScopePermissionTest.java
new file mode 100644
index 0000000..6db4891
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ConflictingScopePermissionTest.java
@@ -0,0 +1,229 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.testsuite.authz;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.keycloak.admin.client.resource.AuthorizationResource;
+import org.keycloak.admin.client.resource.ClientResource;
+import org.keycloak.admin.client.resource.ClientsResource;
+import org.keycloak.admin.client.resource.RealmResource;
+import org.keycloak.authorization.client.AuthzClient;
+import org.keycloak.authorization.client.Configuration;
+import org.keycloak.authorization.client.representation.EntitlementResponse;
+import org.keycloak.authorization.client.representation.ResourceRepresentation;
+import org.keycloak.authorization.client.representation.ScopeRepresentation;
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
+import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.representations.idm.authorization.Permission;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
+import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
+import org.keycloak.testsuite.AbstractKeycloakTest;
+import org.keycloak.testsuite.util.AdminClientUtil;
+import org.keycloak.testsuite.util.ClientBuilder;
+import org.keycloak.testsuite.util.RealmBuilder;
+import org.keycloak.testsuite.util.UserBuilder;
+import org.keycloak.util.JsonSerialization;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class ConflictingScopePermissionTest extends AbstractKeycloakTest {
+
+ @Override
+ public void addTestRealms(List<RealmRepresentation> testRealms) {
+ testRealms.add(RealmBuilder.create().name("authz-test")
+ .user(UserBuilder.create().username("marta").password("password"))
+ .user(UserBuilder.create().username("kolo").password("password"))
+ .client(ClientBuilder.create().clientId("resource-server-test")
+ .secret("secret")
+ .authorizationServicesEnabled(true)
+ .redirectUris("http://localhost/resource-server-test")
+ .defaultRoles("uma_protection")
+ .directAccessGrants())
+ .build());
+ }
+
+ @Before
+ public void configureAuthorization() throws Exception {
+ createResourcesAndScopes();
+
+ RealmResource realm = getRealm();
+ ClientResource client = getClient(realm);
+
+ createPolicies(realm, client);
+ createPermissions(client);
+ }
+
+ /**
+ * <p>Scope Read on Resource A has two conflicting permissions. One is granting access for Marta and the other for Kolo.
+ *
+ * <p>Scope Read should not be granted for Marta.
+ */
+ @Test
+ public void testMartaCanAccessResourceAWithExecuteAndWrite() {
+ List<Permission> permissions = getEntitlements("marta", "password");
+
+ for (Permission permission : new ArrayList<>(permissions)) {
+ String resourceSetName = permission.getResourceSetName();
+
+ switch (resourceSetName) {
+ case "Resource A":
+ assertEquals(2, permission.getScopes().size());
+ assertTrue(permission.getScopes().contains("execute"));
+ assertTrue(permission.getScopes().contains("write"));
+ permissions.remove(permission);
+ break;
+ case "Resource C":
+ assertEquals(3, permission.getScopes().size());
+ assertTrue(permission.getScopes().contains("execute"));
+ assertTrue(permission.getScopes().contains("write"));
+ assertTrue(permission.getScopes().contains("read"));
+ permissions.remove(permission);
+ break;
+ default:
+ fail("Unexpected permission for resource [" + resourceSetName + "]");
+ }
+ }
+
+ assertTrue(permissions.isEmpty());
+ }
+
+ private List<Permission> getEntitlements(String username, String password) {
+ AuthzClient authzClient = getAuthzClient();
+ EntitlementResponse response = authzClient.entitlement(authzClient.obtainAccessToken(username, password).getToken()).getAll("resource-server-test");
+ AccessToken accessToken;
+
+ try {
+ accessToken = new JWSInput(response.getRpt()).readJsonContent(AccessToken.class);
+ } catch (JWSInputException cause) {
+ throw new RuntimeException("Failed to deserialize RPT", cause);
+ }
+
+ AccessToken.Authorization authorization = accessToken.getAuthorization();
+
+ assertNotNull("RPT does not contain any authorization data", authorization);
+
+ return authorization.getPermissions();
+ }
+
+ private RealmResource getRealm() throws Exception {
+ return AdminClientUtil.createAdminClient().realm("authz-test");
+ }
+
+ private ClientResource getClient(RealmResource realm) {
+ ClientsResource clients = realm.clients();
+ return clients.findByClientId("resource-server-test").stream().map(representation -> clients.get(representation.getId())).findFirst().orElseThrow(() -> new RuntimeException("Expected client [resource-server-test]"));
+ }
+
+ private void createPermissions(ClientResource client) throws IOException {
+ createResourcePermission("Resource C Only For Marta Permission", "Resource C", Arrays.asList("Only Marta Policy"), client);
+ createScopePermission("Resource A Scope Read Only For Marta Permission", "Resource A", Arrays.asList("read"), Arrays.asList("Only Marta Policy"), client);
+ createScopePermission("Resource A Scope Read Only For Kolo Permission", "Resource A", Arrays.asList("read"), Arrays.asList("Only Kolo Policy"), client);
+ }
+
+ private void createPolicies(RealmResource realm, ClientResource client) throws IOException {
+ createUserPolicy("Only Marta Policy", realm, client, "marta");
+ createUserPolicy("Only Kolo Policy", realm, client, "kolo");
+ }
+
+ private void createResourcesAndScopes() throws IOException {
+ AuthzClient authzClient = getAuthzClient();
+ Set<ScopeRepresentation> scopes = new HashSet<>();
+
+ scopes.add(new ScopeRepresentation("read"));
+ scopes.add(new ScopeRepresentation("write"));
+ scopes.add(new ScopeRepresentation("execute"));
+
+ List<ResourceRepresentation> resources = new ArrayList<>();
+
+ resources.add(new ResourceRepresentation("Resource A", scopes));
+ resources.add(new ResourceRepresentation("Resource B", scopes));
+ resources.add(new ResourceRepresentation("Resource C", scopes));
+
+ resources.forEach(resource -> authzClient.protection().resource().create(resource));
+ }
+
+ private void createUserPolicy(String name, RealmResource realm, ClientResource client, String username) throws IOException {
+ String userId = realm.users().search(username).stream().map(representation -> representation.getId()).findFirst().orElseThrow(() -> new RuntimeException("Expected user [userId]"));
+
+ PolicyRepresentation representation = new PolicyRepresentation();
+
+ representation.setName(name);
+ representation.setType("user");
+
+ Map<String, String> config = new HashMap<>();
+
+ config.put("users", JsonSerialization.writeValueAsString(new String[] {userId}));
+
+ representation.setConfig(config);
+
+ client.authorization().policies().create(representation);
+ }
+
+ private void createResourcePermission(String name, String resourceName, List<String> policies, ClientResource client) throws IOException {
+ ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
+
+ representation.setName(name);
+ representation.addResource(resourceName);
+ representation.addPolicy(policies.toArray(new String[policies.size()]));
+
+ client.authorization().permissions().resource().create(representation);
+ }
+
+ private void createScopePermission(String name, String resourceName, List<String> scopes, List<String> policies, ClientResource client) throws IOException {
+ AuthorizationResource authorization = client.authorization();
+ ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
+
+ representation.setName(name);
+
+ if (resourceName != null) {
+ representation.addResource(resourceName);
+ }
+
+ representation.addScope(scopes.toArray(new String[scopes.size()]));
+ representation.addPolicy(scopes.toArray(new String[policies.size()]));
+
+ authorization.permissions().scope().create(representation);
+ }
+
+ private AuthzClient getAuthzClient() {
+ try {
+ return AuthzClient.create(JsonSerialization.readValue(getClass().getResourceAsStream("/authorization-test/default-keycloak.json"), Configuration.class));
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to create authz client", cause);
+ }
+ }
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationCompositeRoleTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationCompositeRoleTest.java
index 98d3366..74fcb7b 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationCompositeRoleTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationCompositeRoleTest.java
@@ -24,9 +24,7 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
-import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
-import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
@@ -38,6 +36,8 @@ import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import java.util.HashMap;
@@ -82,34 +82,33 @@ public class PolicyEvaluationCompositeRoleTest extends AbstractKeycloakTest {
}
private static Policy addScopePermission(AuthorizationProvider authz, ResourceServer resourceServer, String name, Resource resource, Scope scope, Policy policy) {
- Policy permission = authz.getStoreFactory().getPolicyStore().create(name, "scope", resourceServer);
- String resources = "[\"" + resource.getId() + "\"]";
- String scopes = "[\"" + scope.getId() + "\"]";
- String applyPolicies = "[\"" + policy.getId() + "\"]";
- Map<String, String> config = new HashMap<>();
- config.put("resources", resources);
- config.put("scopes", scopes);
- config.put("applyPolicies", applyPolicies);
- permission.setConfig(config);
- permission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
- permission.setLogic(Logic.POSITIVE);
- permission.addResource(resource);
- permission.addScope(scope);
- permission.addAssociatedPolicy(policy);
- return permission;
+ ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
+
+ representation.setName(name);
+ representation.setType("scope");
+ representation.addResource(resource.getName());
+ representation.addScope(scope.getName());
+ representation.addPolicy(policy.getName());
+ representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
+ representation.setLogic(Logic.POSITIVE);
+
+ return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
- Policy policy = authz.getStoreFactory().getPolicyStore().create(role.getName(), "role", resourceServer);
+ PolicyRepresentation representation = new PolicyRepresentation();
+ representation.setName(role.getName());
+ representation.setType("role");
+ representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
+ representation.setLogic(Logic.POSITIVE);
String roleValues = "[{\"id\":\"" + role.getId() + "\",\"required\": true}]";
- policy.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
- policy.setLogic(Logic.POSITIVE);
Map<String, String> config = new HashMap<>();
config.put("roles", roleValues);
- policy.setConfig(config);
- return policy;
+ representation.setConfig(config);
+
+ return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/ClientBuilder.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/ClientBuilder.java
index 7530275..df49edb 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/ClientBuilder.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/ClientBuilder.java
@@ -159,4 +159,9 @@ public class ClientBuilder {
rep.setRootUrl(rootUrl);
return this;
}
+
+ public ClientBuilder authorizationServicesEnabled(boolean enable) {
+ rep.setAuthorizationServicesEnabled(true);
+ return this;
+ }
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/default-keycloak.json b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/default-keycloak.json
new file mode 100644
index 0000000..7308c71
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/resources/authorization-test/default-keycloak.json
@@ -0,0 +1,8 @@
+{
+ "realm": "authz-test",
+ "auth-server-url" : "http://localhost:8180/auth",
+ "resource" : "resource-server-test",
+ "credentials": {
+ "secret": "secret"
+ }
+}
\ No newline at end of file
diff --git a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
index e40fcec..ed5620c 100644
--- a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
+++ b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
@@ -646,7 +646,7 @@ module.controller('ResourceServerPolicyCtrl', function($scope, $http, $route, $l
};
});
-module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPolicy, PolicyProvider, client) {
+module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPermission, PolicyProvider, client) {
$scope.realm = realm;
$scope.client = client;
$scope.policyProviders = [];
@@ -654,7 +654,6 @@ module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route
$scope.query = {
realm: realm.realm,
client : client.id,
- permission: true,
max : 20,
first : 0
};
@@ -705,7 +704,7 @@ module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route
$scope.searchQuery = function() {
$scope.searchLoaded = false;
- ResourceServerPolicy.query($scope.query, function(data) {
+ ResourceServerPermission.query($scope.query, function(data) {
$scope.policies = data;
$scope.searchLoaded = true;
$scope.lastSearch = $scope.query.search;
@@ -723,7 +722,7 @@ module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route
policy.details = {loaded: false};
- ResourceServerPolicy.associatedPolicies({
+ ResourceServerPermission.associatedPolicies({
realm : $route.current.params.realm,
client : client.id,
id : policy.id
@@ -758,7 +757,7 @@ module.controller('ResourceServerPolicyDroolsDetailCtrl', function($scope, $http
policy = $scope.policy;
}
- $http.post(authUrl + '/admin/realms/'+ $route.current.params.realm + '/clients/' + client.id + '/authz/resource-server/policy/rules/resolveModules'
+ $http.post(authUrl + '/admin/realms/'+ $route.current.params.realm + '/clients/' + client.id + '/authz/resource-server/policy/rules/provider/resolveModules'
, policy).success(function(data) {
$scope.drools.moduleNames = data;
$scope.resolveSessions();
@@ -766,7 +765,7 @@ module.controller('ResourceServerPolicyDroolsDetailCtrl', function($scope, $http
}
$scope.resolveSessions = function() {
- $http.post(authUrl + '/admin/realms/'+ $route.current.params.realm + '/clients/' + client.id + '/authz/resource-server/policy/rules/resolveSessions'
+ $http.post(authUrl + '/admin/realms/'+ $route.current.params.realm + '/clients/' + client.id + '/authz/resource-server/policy/rules/provider/resolveSessions'
, $scope.policy).success(function(data) {
$scope.drools.moduleSessions = data;
});
@@ -789,7 +788,7 @@ module.controller('ResourceServerPolicyDroolsDetailCtrl', function($scope, $http
}, realm, client, $scope);
});
-module.controller('ResourceServerPolicyResourceDetailCtrl', function($scope, $route, $location, realm, client, PolicyController, ResourceServerPolicy, ResourceServerResource) {
+module.controller('ResourceServerPolicyResourceDetailCtrl', function($scope, $route, $location, realm, client, PolicyController, ResourceServerPermission, ResourceServerResource) {
PolicyController.onInit({
getPolicyType : function() {
return "resource";
@@ -848,7 +847,7 @@ module.controller('ResourceServerPolicyResourceDetailCtrl', function($scope, $ro
max : 20,
first : 0
};
- ResourceServerPolicy.query($scope.query, function(response) {
+ ResourceServerPermission.searchPolicies($scope.query, function(response) {
data.results = response;
query.callback(data);
});
@@ -860,59 +859,89 @@ module.controller('ResourceServerPolicyResourceDetailCtrl', function($scope, $ro
};
$scope.applyToResourceType = function() {
- if ($scope.policy.config.default) {
- $scope.policy.config.resources = [];
+ if ($scope.applyToResourceTypeFlag) {
+ $scope.selectedResource = null;
} else {
- $scope.policy.config.defaultResourceType = null;
+ $scope.policy.resourceType = null;
}
}
},
onInitUpdate : function(policy) {
- policy.config.default = eval(policy.config.default);
- policy.config.resources = {};
- ResourceServerPolicy.resources({
- realm : $route.current.params.realm,
- client : client.id,
- id : policy.id
- }, function(resources) {
- resources[0].text = resources[0].name;
- $scope.policy.config.resources = resources[0];
- });
+ if (!policy.resourceType) {
+ $scope.selectedResource = {};
+ ResourceServerPermission.resources({
+ realm: $route.current.params.realm,
+ client: client.id,
+ id: policy.id
+ }, function (resources) {
+ resources[0].text = resources[0].name;
+ $scope.selectedResource = resources[0];
+ var copy = angular.copy($scope.selectedResource);
+ $scope.$watch('selectedResource', function() {
+ if (!angular.equals($scope.selectedResource, copy)) {
+ $scope.changed = true;
+ }
+ }, true);
+ });
+ } else {
+ $scope.applyToResourceTypeFlag = true;
+ }
- policy.config.applyPolicies = [];
- ResourceServerPolicy.associatedPolicies({
+ $scope.selectedPolicies = [];
+ ResourceServerPermission.associatedPolicies({
realm : $route.current.params.realm,
client : client.id,
id : policy.id
}, function(policies) {
for (i = 0; i < policies.length; i++) {
policies[i].text = policies[i].name;
- $scope.policy.config.applyPolicies.push(policies[i]);
+ $scope.selectedPolicies.push(policies[i]);
+ var copy = angular.copy($scope.selectedPolicies);
+ $scope.$watch('selectedPolicies', function() {
+ if (!angular.equals($scope.selectedPolicies, copy)) {
+ $scope.changed = true;
+ }
+ }, true);
}
});
},
onUpdate : function() {
- if ($scope.policy.config.resources && $scope.policy.config.resources._id) {
- $scope.policy.config.resources = JSON.stringify([$scope.policy.config.resources._id]);
+ if ($scope.selectedResource && $scope.selectedResource._id) {
+ $scope.policy.resources = [];
+ $scope.policy.resources.push($scope.selectedResource._id);
} else {
- delete $scope.policy.config.resources
+ delete $scope.policy.resources
}
var policies = [];
- for (i = 0; i < $scope.policy.config.applyPolicies.length; i++) {
- policies.push($scope.policy.config.applyPolicies[i].id);
+ for (i = 0; i < $scope.selectedPolicies.length; i++) {
+ policies.push($scope.selectedPolicies[i].id);
}
- $scope.policy.config.applyPolicies = JSON.stringify(policies);
+ $scope.policy.policies = policies;
+ delete $scope.policy.config;
},
onInitCreate : function(newPolicy) {
newPolicy.decisionStrategy = 'UNANIMOUS';
- newPolicy.config = {};
- newPolicy.config.resources = null;
+ $scope.selectedResource = null;
+ var copy = angular.copy($scope.selectedResource);
+ $scope.$watch('selectedResource', function() {
+ if (!angular.equals($scope.selectedResource, copy)) {
+ $scope.changed = true;
+ }
+ }, true);
+
+ $scope.selectedPolicies = null;
+ var copy = angular.copy($scope.selectedPolicies);
+ $scope.$watch('selectedPolicies', function() {
+ if (!angular.equals($scope.selectedPolicies, copy)) {
+ $scope.changed = true;
+ }
+ }, true);
var resourceId = $location.search()['rsrid'];
@@ -923,25 +952,27 @@ module.controller('ResourceServerPolicyResourceDetailCtrl', function($scope, $ro
rsrid : resourceId
}, function(data) {
data.text = data.name;
- $scope.policy.config.resources = data;
+ $scope.selectedResource = data;
});
}
},
onCreate : function() {
- if ($scope.policy.config.resources && $scope.policy.config.resources._id) {
- $scope.policy.config.resources = JSON.stringify([$scope.policy.config.resources._id]);
+ if ($scope.selectedResource && $scope.selectedResource._id) {
+ $scope.policy.resources = [];
+ $scope.policy.resources.push($scope.selectedResource._id);
} else {
- delete $scope.policy.config.resources
+ delete $scope.policy.resources
}
var policies = [];
- for (i = 0; i < $scope.policy.config.applyPolicies.length; i++) {
- policies.push($scope.policy.config.applyPolicies[i].id);
+ for (i = 0; i < $scope.selectedPolicies.length; i++) {
+ policies.push($scope.selectedPolicies[i].id);
}
- $scope.policy.config.applyPolicies = JSON.stringify(policies);
+ $scope.policy.policies = policies;
+ delete $scope.policy.config;
}
}, realm, client, $scope);
});
@@ -1046,14 +1077,14 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
};
$scope.selectResource = function() {
- $scope.policy.config.scopes = null;
- if ($scope.policy.config.resources) {
+ $scope.selectedScopes = null;
+ if ($scope.selectedResource) {
ResourceServerResource.scopes({
realm: $route.current.params.realm,
client: client.id,
- rsrid: $scope.policy.config.resources._id
+ rsrid: $scope.selectedResource._id
}, function (data) {
- $scope.policy.config.resources.scopes = data;
+ $scope.resourceScopes = data;
});
}
}
@@ -1079,88 +1110,118 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
deep: false
}, function (resource) {
resource[0].text = resource[0].name;
- $scope.policy.config.resources = resource[0];
+ $scope.selectedResource = resource[0];
+ var copy = angular.copy($scope.selectedResource);
+ $scope.$watch('selectedResource', function() {
+ if (!angular.equals($scope.selectedResource, copy)) {
+ $scope.changed = true;
+ }
+ }, true);
ResourceServerResource.scopes({
realm: $route.current.params.realm,
client: client.id,
rsrid: resource[0]._id
}, function (scopes) {
- $scope.policy.config.resources.scopes = scopes;
- });
- ResourceServerPolicy.scopes({
- realm: $route.current.params.realm,
- client: client.id,
- id: policy.id
- }, function (scopes) {
- $scope.policy.config.scopes = [];
- for (i = 0; i < scopes.length; i++) {
- $scope.policy.config.scopes.push(scopes[i].id);
- }
+ $scope.resourceScopes = scopes;
+ ResourceServerPolicy.scopes({
+ realm : $route.current.params.realm,
+ client : client.id,
+ id : policy.id
+ }, function(scopes) {
+ $scope.selectedScopes = [];
+ for (i = 0; i < scopes.length; i++) {
+ scopes[i].text = scopes[i].name;
+ $scope.selectedScopes.push(scopes[i].id);
+ }
+ var copy = angular.copy($scope.selectedScopes);
+ $scope.$watch('selectedScopes', function() {
+ if (!angular.equals($scope.selectedScopes, copy)) {
+ $scope.changed = true;
+ }
+ }, true);
+ });
});
});
});
}
} else {
- $scope.policy.config.resources = null;
+ $scope.selectedResource = null;
+ var copy = angular.copy($scope.selectedResource);
+ $scope.$watch('selectedResource', function() {
+ if (!angular.equals($scope.selectedResource, copy)) {
+ $scope.changed = true;
+ }
+ }, true);
ResourceServerPolicy.scopes({
realm : $route.current.params.realm,
client : client.id,
id : policy.id
}, function(scopes) {
- $scope.policy.config.scopes = [];
+ $scope.selectedScopes = [];
for (i = 0; i < scopes.length; i++) {
scopes[i].text = scopes[i].name;
- $scope.policy.config.scopes.push(scopes[i]);
+ $scope.selectedScopes.push(scopes[i]);
}
+ var copy = angular.copy($scope.selectedScopes);
+ $scope.$watch('selectedScopes', function() {
+ if (!angular.equals($scope.selectedScopes, copy)) {
+ $scope.changed = true;
+ }
+ }, true);
});
}
});
- policy.config.applyPolicies = [];
ResourceServerPolicy.associatedPolicies({
realm : $route.current.params.realm,
client : client.id,
id : policy.id
}, function(policies) {
+ $scope.selectedPolicies = [];
for (i = 0; i < policies.length; i++) {
policies[i].text = policies[i].name;
- $scope.policy.config.applyPolicies.push(policies[i]);
+ $scope.selectedPolicies.push(policies[i]);
}
+ var copy = angular.copy($scope.selectedPolicies);
+ $scope.$watch('selectedPolicies', function() {
+ if (!angular.equals($scope.selectedPolicies, copy)) {
+ $scope.changed = true;
+ }
+ }, true);
});
},
onUpdate : function() {
- if ($scope.policy.config.resources != null) {
- $scope.policy.config.resources = JSON.stringify([$scope.policy.config.resources._id]);
+ if ($scope.selectedResource != null) {
+ $scope.policy.resources = [$scope.selectedResource._id];
} else {
- $scope.policy.config.resources = JSON.stringify([""]);
+ delete $scope.policy.resources;
}
var scopes = [];
- for (i = 0; i < $scope.policy.config.scopes.length; i++) {
- if ($scope.policy.config.scopes[i].id) {
- scopes.push($scope.policy.config.scopes[i].id);
+ for (i = 0; i < $scope.selectedScopes.length; i++) {
+ if ($scope.selectedScopes[i].id) {
+ scopes.push($scope.selectedScopes[i].id);
} else {
- scopes.push($scope.policy.config.scopes[i]);
+ scopes.push($scope.selectedScopes[i]);
}
}
- $scope.policy.config.scopes = JSON.stringify(scopes);
+ $scope.policy.scopes = scopes;
var policies = [];
- for (i = 0; i < $scope.policy.config.applyPolicies.length; i++) {
- policies.push($scope.policy.config.applyPolicies[i].id);
+ for (i = 0; i < $scope.selectedPolicies.length; i++) {
+ policies.push($scope.selectedPolicies[i].id);
}
- $scope.policy.config.applyPolicies = JSON.stringify(policies);
+ $scope.policy.policies = policies;
+ delete $scope.policy.config;
},
onInitCreate : function(newPolicy) {
newPolicy.decisionStrategy = 'UNANIMOUS';
- newPolicy.config = {};
- newPolicy.config.resources = null;
var scopeId = $location.search()['scpid'];
@@ -1171,38 +1232,39 @@ module.controller('ResourceServerPolicyScopeDetailCtrl', function($scope, $route
id: scopeId,
}, function (data) {
data.text = data.name;
- if (!$scope.policy.config.scopes) {
- $scope.policy.config.scopes = [];
+ if (!$scope.policy.scopes) {
+ $scope.selectedScopes = [];
}
- $scope.policy.config.scopes.push(data);
+ $scope.selectedScopes.push(data);
});
}
},
onCreate : function() {
- if ($scope.policy.config.resources != null) {
- $scope.policy.config.resources = JSON.stringify([$scope.policy.config.resources._id]);
+ if ($scope.selectedResource != null) {
+ $scope.policy.resources = [$scope.selectedResource._id];
}
var scopes = [];
- for (i = 0; i < $scope.policy.config.scopes.length; i++) {
- if ($scope.policy.config.scopes[i].id) {
- scopes.push($scope.policy.config.scopes[i].id);
+ for (i = 0; i < $scope.selectedScopes.length; i++) {
+ if ($scope.selectedScopes[i].id) {
+ scopes.push($scope.selectedScopes[i].id);
} else {
- scopes.push($scope.policy.config.scopes[i]);
+ scopes.push($scope.selectedScopes[i]);
}
}
- $scope.policy.config.scopes = JSON.stringify(scopes);
+ $scope.policy.scopes = scopes;
var policies = [];
- for (i = 0; i < $scope.policy.config.applyPolicies.length; i++) {
- policies.push($scope.policy.config.applyPolicies[i].id);
+ for (i = 0; i < $scope.selectedPolicies.length; i++) {
+ policies.push($scope.selectedPolicies[i].id);
}
- $scope.policy.config.applyPolicies = JSON.stringify(policies);
+ $scope.policy.policies = policies;
+ delete $scope.policy.config;
}
}, realm, client, $scope);
});
@@ -1264,8 +1326,8 @@ module.controller('ResourceServerPolicyUserDetailCtrl', function($scope, $route,
onInitUpdate : function(policy) {
var selectedUsers = [];
- if (policy.config.users) {
- var users = eval(policy.config.users);
+ if (policy.users) {
+ var users = policy.users;
for (i = 0; i < users.length; i++) {
User.get({realm: $route.current.params.realm, userId: users[i]}, function(data) {
@@ -1289,7 +1351,8 @@ module.controller('ResourceServerPolicyUserDetailCtrl', function($scope, $route,
users.push($scope.selectedUsers[i].id);
}
- $scope.policy.config.users = JSON.stringify(users);
+ $scope.policy.users = users;
+ delete $scope.policy.config;
},
onCreate : function() {
@@ -1299,7 +1362,8 @@ module.controller('ResourceServerPolicyUserDetailCtrl', function($scope, $route,
users.push($scope.selectedUsers[i].id);
}
- $scope.policy.config.users = JSON.stringify(users);
+ $scope.policy.users = users;
+ delete $scope.policy.config;
}
}, realm, client, $scope);
});
@@ -1483,8 +1547,8 @@ module.controller('ResourceServerPolicyRoleDetailCtrl', function($scope, $route,
onInitUpdate : function(policy) {
var selectedRoles = [];
- if (policy.config.roles) {
- var roles = eval(policy.config.roles);
+ if (policy.roles) {
+ var roles = policy.roles;
for (i = 0; i < roles.length; i++) {
RoleById.get({realm: $route.current.params.realm, role: roles[i].id}, function(data) {
@@ -1524,7 +1588,7 @@ module.controller('ResourceServerPolicyRoleDetailCtrl', function($scope, $route,
roles.push(role);
}
- $scope.policy.config.roles = JSON.stringify(roles);
+ $scope.policy.roles = roles;
},
onCreate : function() {
@@ -1539,7 +1603,7 @@ module.controller('ResourceServerPolicyRoleDetailCtrl', function($scope, $route,
roles.push(role);
}
- $scope.policy.config.roles = JSON.stringify(roles);
+ $scope.policy.roles = roles;
}
}, realm, client, $scope);
@@ -1743,7 +1807,7 @@ module.controller('ResourceServerPolicyAggregateDetailCtrl', function($scope, $r
}, realm, client, $scope);
});
-module.service("PolicyController", function($http, $route, $location, ResourceServer, ResourceServerPolicy, AuthzDialog, Notifications) {
+module.service("PolicyController", function($http, $route, $location, ResourceServer, ResourceServerPolicy, ResourceServerPermission, AuthzDialog, Notifications) {
var PolicyController = {};
@@ -1754,6 +1818,12 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
}
}
+ var service = ResourceServerPolicy;
+
+ if (delegate.isPermission()) {
+ service = ResourceServerPermission;
+ }
+
$scope.realm = realm;
$scope.client = client;
@@ -1799,7 +1869,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
if (delegate.onCreate) {
delegate.onCreate();
}
- ResourceServerPolicy.save({realm : realm.realm, client : client.id}, $scope.policy, function(data) {
+ service.save({realm : realm.realm, client : client.id, type: $scope.policy.type}, $scope.policy, function(data) {
if (delegate.isPermission()) {
$location.url("/realms/" + realm.realm + "/clients/" + client.id + "/authz/resource-server/permission/" + $scope.policy.type + "/" + data.id);
Notifications.success("The permission has been created.");
@@ -1819,9 +1889,10 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
}
}
} else {
- ResourceServerPolicy.get({
+ service.get({
realm: realm.realm,
client : client.id,
+ type: delegate.getPolicyType(),
id: $route.current.params.id
}, function(data) {
$scope.originalPolicy = data;
@@ -1845,7 +1916,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
if (delegate.onUpdate) {
delegate.onUpdate();
}
- ResourceServerPolicy.update({realm : realm.realm, client : client.id, id : $scope.policy.id}, $scope.policy, function() {
+ service.update({realm : realm.realm, client : client.id, type: $scope.policy.type, id : $scope.policy.id}, $scope.policy, function() {
$route.reload();
if (delegate.isPermission()) {
Notifications.success("The permission has been updated.");
@@ -1871,7 +1942,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
$scope.remove = function() {
var msg = "";
- ResourceServerPolicy.dependentPolicies({
+ service.dependentPolicies({
realm : $route.current.params.realm,
client : client.id,
id : $scope.policy.id
@@ -1887,7 +1958,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
}
AuthzDialog.confirmDeleteWithMsg($scope.policy.name, "Policy", msg, function() {
- ResourceServerPolicy.delete({realm : $scope.realm.realm, client : $scope.client.id, id : $scope.policy.id}, null, function() {
+ service.delete({realm : $scope.realm.realm, client : $scope.client.id, id : $scope.policy.id}, null, function() {
if (delegate.isPermission()) {
$location.url("/realms/" + realm.realm + "/clients/" + client.id + "/authz/resource-server/permission");
Notifications.success("The permission has been deleted.");
diff --git a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-services.js b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-services.js
index 1c4f584..92219bb 100644
--- a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-services.js
+++ b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-services.js
@@ -36,10 +36,11 @@ module.factory('ResourceServerScope', function($resource) {
});
module.factory('ResourceServerPolicy', function($resource) {
- return $resource(authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/:id', {
+ return $resource(authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/:type/:id', {
realm : '@realm',
client: '@client',
- id : '@id'
+ id : '@id',
+ type: '@type'
}, {
'update' : {method : 'PUT'},
'search' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/search', method : 'GET'},
@@ -50,6 +51,23 @@ module.factory('ResourceServerPolicy', function($resource) {
});
});
+module.factory('ResourceServerPermission', function($resource) {
+ return $resource(authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/permission/:type/:id', {
+ realm : '@realm',
+ client: '@client',
+ type: '@type',
+ id : '@id'
+ }, {
+ 'update' : {method : 'PUT'},
+ 'search' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/permission/search', method : 'GET'},
+ 'searchPolicies' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy', method : 'GET', isArray: true},
+ 'associatedPolicies' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/:id/associatedPolicies', method : 'GET', isArray: true},
+ 'dependentPolicies' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/:id/dependentPolicies', method : 'GET', isArray: true},
+ 'scopes' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/permission/:id/scopes', method : 'GET', isArray: true},
+ 'resources' : {url: authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/permission/:id/resources', method : 'GET', isArray: true}
+ });
+});
+
module.factory('PolicyProvider', function($resource) {
return $resource(authUrl + '/admin/realms/:realm/clients/:client/authz/resource-server/policy/providers', {
realm : '@realm',
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/authz/permission/provider/resource-server-policy-resource-detail.html b/themes/src/main/resources/theme/base/admin/resources/partials/authz/permission/provider/resource-server-policy-resource-detail.html
index 10e3170..7a5ba6d 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/authz/permission/provider/resource-server-policy-resource-detail.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/authz/permission/provider/resource-server-policy-resource-detail.html
@@ -29,25 +29,25 @@
<kc-tooltip>{{:: 'authz-permission-description.tooltip' | translate}}</kc-tooltip>
</div>
<div class="form-group">
- <label class="col-md-2 control-label" for="policy.config.default">{{:: 'authz-permission-resource-apply-to-resource-type' | translate}}</label>
+ <label class="col-md-2 control-label" for="applyToResourceTypeFlag">{{:: 'authz-permission-resource-apply-to-resource-type' | translate}}</label>
<div class="col-md-6">
- <input ng-model="policy.config.default" id="policy.config.default" onoffswitch data-ng-click="applyToResourceType()"/>
+ <input ng-model="applyToResourceTypeFlag" id="applyToResourceTypeFlag" onoffswitch data-ng-click="applyToResourceType()"/>
</div>
<kc-tooltip>{{:: 'authz-permission-resource-apply-to-resource-type.tooltip' | translate}}</kc-tooltip>
</div>
- <div class="form-group clearfix" data-ng-hide="policy.config.default">
+ <div class="form-group clearfix" data-ng-hide="applyToResourceTypeFlag">
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-resources' | translate}} <span class="required">*</span></label>
<div class="col-md-6">
- <input type="hidden" ui-select2="resourcesUiSelect" id="reqActions" data-ng-model="policy.config.resources" data-placeholder="{{:: 'authz-select-resource' | translate}}..." data-ng-required="!policy.config.default"/>
+ <input type="hidden" ui-select2="resourcesUiSelect" id="reqActions" data-ng-model="selectedResource" data-placeholder="{{:: 'authz-select-resource' | translate}}..." data-ng-required="!applyToResourceTypeFlag"/>
</div>
<kc-tooltip>{{:: 'authz-permission-resource-resource.tooltip' | translate}}</kc-tooltip>
</div>
- <div class="form-group clearfix" data-ng-show="policy.config.default">
- <label class="col-md-2 control-label" for="policy.config.defaultResourceType">{{:: 'authz-resource-type' | translate}} <span class="required">*</span></label>
+ <div class="form-group clearfix" data-ng-show="applyToResourceTypeFlag">
+ <label class="col-md-2 control-label" for="policy.resourceType">{{:: 'authz-resource-type' | translate}} <span class="required">*</span></label>
<div class="col-md-6">
- <input class="form-control" type="text" id="policy.config.defaultResourceType" name="policy.config.defaultResourceType" data-ng-model="policy.config.defaultResourceType" data-ng-required="policy.config.default">
+ <input class="form-control" type="text" id="policy.resourceType" name="policy.resourceType" data-ng-model="policy.resourceType" data-ng-required="applyToResourceTypeFlag">
</div>
<kc-tooltip>{{:: 'authz-permission-resource-type.tooltip' | translate}}</kc-tooltip>
@@ -56,7 +56,7 @@
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-policy-apply-policy' | translate}} <span class="required">*</span></label>
<div class="col-md-6">
- <input type="hidden" ui-select2="policiesUiSelect" id="reqActions" data-ng-model="policy.config.applyPolicies" data-placeholder="{{:: 'authz-select-a-policy' | translate}}..." multiple required />
+ <input type="hidden" ui-select2="policiesUiSelect" id="reqActions" data-ng-model="selectedPolicies" data-placeholder="{{:: 'authz-select-a-policy' | translate}}..." multiple required />
</div>
<kc-tooltip>{{:: 'authz-policy-apply-policy.tooltip' | translate}}</kc-tooltip>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/authz/permission/provider/resource-server-policy-scope-detail.html b/themes/src/main/resources/theme/base/admin/resources/partials/authz/permission/provider/resource-server-policy-scope-detail.html
index 90a3dc6..5da3a12 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/authz/permission/provider/resource-server-policy-scope-detail.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/authz/permission/provider/resource-server-policy-scope-detail.html
@@ -32,27 +32,28 @@
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-resource' | translate}}</label>
<div class="col-md-6">
- <input type="hidden" ui-select2="resourcesUiSelect" data-ng-change="selectResource()" id="reqActions" data-ng-model="policy.config.resources" data-placeholder="{{:: 'authz-any-resource' | translate}}..." />
+ <input type="hidden" ui-select2="resourcesUiSelect" data-ng-change="selectResource()" id="reqActions" data-ng-model="selectedResource" data-placeholder="{{:: 'authz-any-resource' | translate}}..." />
</div>
<kc-tooltip>{{:: 'authz-permission-scope-resource.tooltip' | translate}}</kc-tooltip>
</div>
- <div class="form-group clearfix" data-ng-show="policy.config.resources">
+ <div class="form-group clearfix" data-ng-show="selectedResource">
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-scopes' | translate}} <span class="required">*</span></label>
<div class="col-md-6">
<select ui-select2 id="reqActions2"
- data-ng-model="policy.config.scopes"
+ data-ng-model="selectedScopes"
data-placeholder="{{:: 'authz-any-scope' | translate}}..." multiple
- data-ng-required="policy.config.resources != null"
- data-ng-options="scope.id as scope.name for scope in policy.config.resources.scopes track by scope.id"/>
+ data-ng-required="selectedResource != null">
+ <option ng-repeat="scope in resourceScopes" value="{{scope.id}}">{{scope.name}}</option>
+ </select>
</div>
<kc-tooltip>{{:: 'authz-permission-scope-scope.tooltip' | translate}}</kc-tooltip>
</div>
- <div class="form-group clearfix" data-ng-show="!policy.config.resources">
+ <div class="form-group clearfix" data-ng-show="!selectedResource">
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-scopes' | translate}} <span class="required">*</span></label>
<div class="col-md-6">
- <input type="hidden" ui-select2="scopesUiSelect" id="reqActions" data-ng-model="policy.config.scopes" data-placeholder="{{:: 'authz-any-scope' | translate}}..." multiple data-ng-required="policy.config.resources == null" />
+ <input type="hidden" ui-select2="scopesUiSelect" id="reqActions" data-ng-model="selectedScopes" data-placeholder="{{:: 'authz-any-scope' | translate}}..." multiple data-ng-required="selectedResource == null" />
</div>
<kc-tooltip>{{:: 'authz-permission-scope-scope.tooltip' | translate}}</kc-tooltip>
</div>
@@ -60,7 +61,7 @@
<label class="col-md-2 control-label" for="reqActions">{{:: 'authz-policy-apply-policy' | translate}} <span class="required">*</span></label>
<div class="col-md-6">
- <input type="hidden" ui-select2="policiesUiSelect" id="reqActions" data-ng-model="policy.config.applyPolicies" data-placeholder="{{:: 'authz-select-a-policy' | translate}}..." multiple required />
+ <input type="hidden" ui-select2="policiesUiSelect" id="reqActions" data-ng-model="selectedPolicies" data-placeholder="{{:: 'authz-select-a-policy' | translate}}..." multiple required />
</div>
<kc-tooltip>{{:: 'authz-policy-apply-policy.tooltip' | translate}}</kc-tooltip>