keycloak-aplcache
Changes
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyAdminResource.java 63(+0 -63)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyProviderFactory.java 40(+38 -2)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java 58(+25 -33)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java 108(+107 -1)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyAdminResource.java 35(+0 -35)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java 38(+37 -1)
authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java 81(+76 -5)
authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyAdminResource.java 17(+0 -17)
authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyProviderFactory.java 22(+22 -0)
core/src/main/java/org/keycloak/representations/idm/authorization/RolePolicyRepresentation.java 74(+74 -0)
core/src/main/java/org/keycloak/representations/idm/authorization/UserPolicyRepresentation.java 43(+43 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java 5(+5 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePoliciesResource.java 42(+42 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePolicyResource.java 69(+69 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPoliciesResource.java 42(+42 -0)
integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPolicyResource.java 69(+69 -0)
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java 16(+6 -10)
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java 6(+2 -4)
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java 8(+5 -3)
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java 10(+5 -5)
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java 25(+14 -11)
model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java 9(+8 -1)
model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java 12(+9 -3)
server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/DefaultPermissionEvaluator.java 8(+2 -6)
server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java 7(+2 -5)
server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java 12(+0 -12)
server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java 16(+16 -0)
server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java 3(+3 -0)
server-spi-private/src/main/java/org/keycloak/models/cache/authorization/CachedStoreProviderFactory.java 3(+3 -0)
services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java 10(+1 -9)
testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/AbstractPhotozAdminTest.java 20(+3 -17)
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/PhotozClientAuthzTestApp.java 2(+2 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java 16(+6 -10)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPermissionManagementTest.java 59(+29 -30)
Details
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyProviderFactory.java
index 24bb09d..73443d1 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/aggregated/AggregatePolicyProviderFactory.java
@@ -17,19 +17,24 @@
*/
package org.keycloak.authorization.policy.provider.aggregated;
+import java.util.ArrayList;
+import java.util.List;
+
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
-public class AggregatePolicyProviderFactory implements PolicyProviderFactory {
+public class AggregatePolicyProviderFactory implements PolicyProviderFactory<PolicyRepresentation> {
private AggregatePolicyProvider provider = new AggregatePolicyProvider();
@@ -50,7 +55,7 @@ public class AggregatePolicyProviderFactory implements PolicyProviderFactory {
@Override
public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
- return new AggregatePolicyAdminResource();
+ return null;
}
@Override
@@ -59,6 +64,37 @@ public class AggregatePolicyProviderFactory implements PolicyProviderFactory {
}
@Override
+ public void onCreate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ verifyCircularReference(policy, new ArrayList<>());
+ }
+
+ @Override
+ public void onUpdate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ verifyCircularReference(policy, new ArrayList<>());
+ }
+
+ private void verifyCircularReference(Policy policy, List<String> ids) {
+ if (!policy.getType().equals("aggregate")) {
+ return;
+ }
+
+ if (ids.contains(policy.getId())) {
+ throw new RuntimeException("Circular reference found [" + policy.getName() + "].");
+ }
+
+ ids.add(policy.getId());
+
+ for (Policy associated : policy.getAssociatedPolicies()) {
+ verifyCircularReference(associated, ids);
+ }
+ }
+
+ @Override
+ public void onRemove(Policy policy, AuthorizationProvider authorization) {
+
+ }
+
+ @Override
public void init(Config.Scope config) {
}
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java
index 57cb5ca..6ea7230 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/resource/ResourcePolicyProviderFactory.java
@@ -5,13 +5,10 @@ import java.util.Map;
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
-import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider;
-import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
-import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
/**
@@ -48,46 +45,41 @@ public class ResourcePolicyProviderFactory implements PolicyProviderFactory<Reso
}
@Override
- public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
- return new PolicyProviderAdminService() {
- @Override
- public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
- updateResourceType(policy, representation);
- }
-
- @Override
- public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
- updateResourceType(policy, representation);
- }
+ public PolicyProvider create(KeycloakSession session) {
+ return null;
+ }
- private void updateResourceType(Policy policy, AbstractPolicyRepresentation representation) {
- if (representation != null) {
- //TODO: remove this check once we migrate to new API
- if (ResourcePermissionRepresentation.class.equals(representation.getClass())) {
- ResourcePermissionRepresentation resourcePermission = ResourcePermissionRepresentation.class.cast(representation);
- Map<String, String> config = policy.getConfig();
+ @Override
+ public void onCreate(Policy policy, ResourcePermissionRepresentation representation, AuthorizationProvider authorization) {
+ updateResourceType(policy, representation);
+ }
- config.compute("defaultResourceType", (key, value) -> {
- String resourceType = resourcePermission.getResourceType();
- return resourceType != null ? resourcePermission.getResourceType() : null;
- });
+ @Override
+ public void onUpdate(Policy policy, ResourcePermissionRepresentation representation, AuthorizationProvider authorization) {
+ updateResourceType(policy, representation);
+ }
- policy.setConfig(config);
+ private void updateResourceType(Policy policy, ResourcePermissionRepresentation representation) {
+ if (representation != null) {
+ //TODO: remove this check once we migrate to new API
+ if (ResourcePermissionRepresentation.class.equals(representation.getClass())) {
+ ResourcePermissionRepresentation resourcePermission = ResourcePermissionRepresentation.class.cast(representation);
+ Map<String, String> config = policy.getConfig();
- }
- }
- }
+ config.compute("defaultResourceType", (key, value) -> {
+ String resourceType = resourcePermission.getResourceType();
+ return resourceType != null ? resourcePermission.getResourceType() : null;
+ });
- @Override
- public void onRemove(Policy policy) {
+ policy.setConfig(config);
}
- };
+ }
}
@Override
- public PolicyProvider create(KeycloakSession session) {
- return null;
+ public void onRemove(Policy policy, AuthorizationProvider authorization) {
+
}
@Override
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
index ab262d1..90047bb 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
@@ -35,18 +35,23 @@ import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleContainerModel.RoleRemovedEvent;
import org.keycloak.models.RoleModel;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
import org.keycloak.util.JsonSerialization;
import java.io.IOException;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.List;
import java.util.Map;
+import java.util.Set;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
-public class RolePolicyProviderFactory implements PolicyProviderFactory {
+public class RolePolicyProviderFactory implements PolicyProviderFactory<RolePolicyRepresentation> {
private RolePolicyProvider provider = new RolePolicyProvider();
@@ -76,6 +81,107 @@ public class RolePolicyProviderFactory implements PolicyProviderFactory {
}
@Override
+ public RolePolicyRepresentation toRepresentation(Policy policy, RolePolicyRepresentation representation) {
+ try {
+ representation.setRoles(JsonSerialization.readValue(policy.getConfig().get("roles"), Set.class));
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize roles", cause);
+ }
+ return representation;
+ }
+
+ @Override
+ public Class<RolePolicyRepresentation> getRepresentationType() {
+ return RolePolicyRepresentation.class;
+ }
+
+ @Override
+ public void onCreate(Policy policy, RolePolicyRepresentation representation, AuthorizationProvider authorization) {
+ updateRoles(policy, representation, authorization);
+ }
+
+ @Override
+ public void onUpdate(Policy policy, RolePolicyRepresentation representation, AuthorizationProvider authorization) {
+ updateRoles(policy, representation, authorization);
+ }
+
+ @Override
+ public void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ try {
+ updateRoles(policy, authorization, new HashSet<>(Arrays.asList(JsonSerialization.readValue(representation.getConfig().get("roles"), RolePolicyRepresentation.RoleDefinition[].class))));
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize roles during import", cause);
+ }
+ }
+
+ private void updateRoles(Policy policy, RolePolicyRepresentation representation, AuthorizationProvider authorization) {
+ updateRoles(policy, authorization, representation.getRoles());
+ }
+
+ private void updateRoles(Policy policy, AuthorizationProvider authorization, Set<RolePolicyRepresentation.RoleDefinition> roles) {
+ try {
+ RealmModel realm = authorization.getRealm();
+ Set<RolePolicyRepresentation.RoleDefinition> updatedRoles = new HashSet<>();
+
+ if (roles != null) {
+ for (RolePolicyRepresentation.RoleDefinition definition : roles) {
+ String roleName = definition.getId();
+ String clientId = null;
+ int clientIdSeparator = roleName.indexOf("/");
+
+ if (clientIdSeparator != -1) {
+ clientId = roleName.substring(0, clientIdSeparator);
+ roleName = roleName.substring(clientIdSeparator + 1);
+ }
+
+ RoleModel role;
+
+ if (clientId == null) {
+ role = realm.getRole(roleName);
+
+ if (role == null) {
+ role = realm.getRoleById(roleName);
+ }
+ } else {
+ ClientModel client = realm.getClientByClientId(clientId);
+
+ if (client == null) {
+ throw new RuntimeException("Client with id [" + clientId + "] not found.");
+ }
+
+ role = client.getRole(roleName);
+ }
+
+ // fallback to find any client role with the given name
+ if (role == null) {
+ String finalRoleName = roleName;
+ role = realm.getClients().stream().map(clientModel -> clientModel.getRole(finalRoleName)).filter(roleModel -> roleModel != null)
+ .findFirst().orElse(null);
+ }
+
+ if (role == null) {
+ throw new RuntimeException("Error while importing configuration. Role [" + roleName + "] could not be found.");
+ }
+
+ definition.setId(role.getId());
+
+ updatedRoles.add(definition);
+ }
+ try {
+ } catch (Exception e) {
+ throw new RuntimeException("Error while updating policy [" + policy.getName() + "].", e);
+ }
+ }
+
+ Map<String, String> config = policy.getConfig();
+ config.put("roles", JsonSerialization.writeValueAsString(updatedRoles));
+ policy.setConfig(config);
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize roles", cause);
+ }
+ }
+
+ @Override
public void init(Config.Scope config) {
}
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyAdminResource.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyAdminResource.java
index e62602f..7c2206a 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyAdminResource.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyAdminResource.java
@@ -18,46 +18,11 @@
package org.keycloak.authorization.policy.provider.time;
-import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
-import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
-
-import java.text.SimpleDateFormat;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class TimePolicyAdminResource implements PolicyProviderAdminService {
- @Override
- public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
- validateConfig(policy);
- }
-
- private void validateConfig(Policy policy) {
- String nbf = policy.getConfig().get("nbf");
- String noa = policy.getConfig().get("noa");
-
- if (nbf != null && noa != null) {
- validateFormat(nbf);
- validateFormat(noa);
- }
- }
-
- @Override
- public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
- validateConfig(policy);
- }
-
- @Override
- public void onRemove(Policy policy) {
- }
-
- private void validateFormat(String date) {
- try {
- new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(date));
- } catch (Exception e) {
- throw new RuntimeException("Could not parse a date using format [" + date + "]");
- }
- }
}
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java
index 4e9fd9e..920cf45 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/time/TimePolicyProviderFactory.java
@@ -1,18 +1,22 @@
package org.keycloak.authorization.policy.provider.time;
+import java.text.SimpleDateFormat;
+
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
-public class TimePolicyProviderFactory implements PolicyProviderFactory {
+public class TimePolicyProviderFactory implements PolicyProviderFactory<PolicyRepresentation> {
private TimePolicyProvider provider = new TimePolicyProvider();
@@ -42,6 +46,38 @@ public class TimePolicyProviderFactory implements PolicyProviderFactory {
}
@Override
+ public void onCreate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ validateConfig(policy);
+ }
+
+ private void validateConfig(Policy policy) {
+ String nbf = policy.getConfig().get("nbf");
+ String noa = policy.getConfig().get("noa");
+
+ if (nbf != null && noa != null) {
+ validateFormat(nbf);
+ validateFormat(noa);
+ }
+ }
+
+ @Override
+ public void onUpdate(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ validateConfig(policy);
+ }
+
+ @Override
+ public void onRemove(Policy policy, AuthorizationProvider authorization) {
+ }
+
+ private void validateFormat(String date) {
+ try {
+ new SimpleDateFormat(TimePolicyProvider.DEFAULT_DATE_PATTERN).parse(TimePolicyProvider.format(date));
+ } catch (Exception e) {
+ throw new RuntimeException("Could not parse a date using format [" + date + "]");
+ }
+ }
+
+ @Override
public void init(Config.Scope config) {
}
diff --git a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java
index 7db61ba..715c9e8 100644
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/user/UserPolicyProviderFactory.java
@@ -20,14 +20,16 @@ package org.keycloak.authorization.policy.provider.user;
import java.io.IOException;
import java.util.ArrayList;
+import java.util.HashSet;
import java.util.List;
+import java.util.Map;
+import java.util.Set;
import org.keycloak.Config;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProvider;
-import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
@@ -37,12 +39,14 @@ import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserModel.UserRemovedEvent;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
import org.keycloak.util.JsonSerialization;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
-public class UserPolicyProviderFactory implements PolicyProviderFactory {
+public class UserPolicyProviderFactory implements PolicyProviderFactory<UserPolicyRepresentation> {
private UserPolicyProvider provider = new UserPolicyProvider();
@@ -62,13 +66,80 @@ public class UserPolicyProviderFactory implements PolicyProviderFactory {
}
@Override
- public PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
+ public PolicyProvider create(KeycloakSession session) {
return null;
}
@Override
- public PolicyProvider create(KeycloakSession session) {
- return null;
+ public UserPolicyRepresentation toRepresentation(Policy policy, UserPolicyRepresentation representation) {
+ try {
+ representation.setUsers(JsonSerialization.readValue(policy.getConfig().get("users"), Set.class));
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize roles", cause);
+ }
+ return representation;
+ }
+
+ @Override
+ public Class<UserPolicyRepresentation> getRepresentationType() {
+ return UserPolicyRepresentation.class;
+ }
+
+ @Override
+ public void onCreate(Policy policy, UserPolicyRepresentation representation, AuthorizationProvider authorization) {
+ updateUsers(policy, representation, authorization);
+ }
+
+ @Override
+ public void onUpdate(Policy policy, UserPolicyRepresentation representation, AuthorizationProvider authorization) {
+ updateUsers(policy, representation, authorization);
+ }
+
+ @Override
+ public void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ try {
+ updateUsers(policy, authorization, JsonSerialization.readValue(representation.getConfig().get("users"), Set.class));
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize users during import", cause);
+ }
+ }
+
+ private void updateUsers(Policy policy, UserPolicyRepresentation representation, AuthorizationProvider authorization) {
+ updateUsers(policy, authorization, representation.getUsers());
+ }
+
+ private void updateUsers(Policy policy, AuthorizationProvider authorization, Set<String> users) {
+ try {
+ KeycloakSession session = authorization.getKeycloakSession();
+ RealmModel realm = authorization.getRealm();
+ Set<String> updatedRoles = new HashSet<>();
+
+ if (users != null) {
+ for (String userId : users) {
+ UserModel user = session.users().getUserByUsername(userId, realm);
+
+ if (user == null) {
+ user = session.users().getUserById(userId, realm);
+ }
+
+ if (user == null) {
+ throw new RuntimeException("Error while importing configuration. User [" + userId + "] could not be found.");
+ }
+
+ updatedRoles.add(user.getId());
+ }
+ try {
+ } catch (Exception e) {
+ throw new RuntimeException("Error while updating policy [" + policy.getName() + "].", e);
+ }
+ }
+
+ Map<String, String> config = policy.getConfig();
+ config.put("users", JsonSerialization.writeValueAsString(updatedRoles));
+ policy.setConfig(config);
+ } catch (IOException cause) {
+ throw new RuntimeException("Failed to deserialize roles", cause);
+ }
}
@Override
diff --git a/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyAdminResource.java b/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyAdminResource.java
index f334789..a9bdbb0 100644
--- a/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyAdminResource.java
+++ b/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyAdminResource.java
@@ -16,9 +16,7 @@
*/
package org.keycloak.authorization.policy.provider.drools;
-import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
-import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.kie.api.runtime.KieContainer;
@@ -39,21 +37,6 @@ public class DroolsPolicyAdminResource implements PolicyProviderAdminService {
this.factory = factory;
}
- @Override
- public void onCreate(Policy policy, AbstractPolicyRepresentation representation) {
- this.factory.update(policy);
- }
-
- @Override
- public void onUpdate(Policy policy, AbstractPolicyRepresentation representation) {
- this.factory.update(policy);
- }
-
- @Override
- public void onRemove(Policy policy) {
- this.factory.remove(policy);
- }
-
@Path("/resolveModules")
@POST
@Consumes("application/json")
diff --git a/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyProviderFactory.java b/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyProviderFactory.java
index d3dda33..8bbed33 100644
--- a/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyProviderFactory.java
+++ b/authz/policy/drools/src/main/java/org/keycloak/authorization/policy/provider/drools/DroolsPolicyProviderFactory.java
@@ -13,6 +13,8 @@ import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
+import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.kie.api.KieServices;
import org.kie.api.KieServices.Factory;
import org.kie.api.runtime.KieContainer;
@@ -59,6 +61,26 @@ public class DroolsPolicyProviderFactory implements PolicyProviderFactory {
}
@Override
+ public void onCreate(Policy policy, AbstractPolicyRepresentation representation, AuthorizationProvider authorization) {
+ update(policy);
+ }
+
+ @Override
+ public void onUpdate(Policy policy, AbstractPolicyRepresentation representation, AuthorizationProvider authorization) {
+ update(policy);
+ }
+
+ @Override
+ public void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+ update(policy);
+ }
+
+ @Override
+ public void onRemove(Policy policy, AuthorizationProvider authorization) {
+ remove(policy);
+ }
+
+ @Override
public void init(Config.Scope config) {
this.ks = Factory.get();
}
diff --git a/core/src/main/java/org/keycloak/representations/idm/authorization/RolePolicyRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/authorization/RolePolicyRepresentation.java
new file mode 100644
index 0000000..7dd7c57
--- /dev/null
+++ b/core/src/main/java/org/keycloak/representations/idm/authorization/RolePolicyRepresentation.java
@@ -0,0 +1,74 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.representations.idm.authorization;
+
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class RolePolicyRepresentation extends AbstractPolicyRepresentation {
+
+ private Set<RoleDefinition> roles;
+
+ public Set<RoleDefinition> getRoles() {
+ return roles;
+ }
+
+ public void setRoles(Set<RoleDefinition> roles) {
+ this.roles = roles;
+ }
+
+ public void addRole(String name, boolean required) {
+ if (roles == null) {
+ roles = new HashSet<>();
+ }
+ roles.add(new RoleDefinition(name, required));
+ }
+
+ public static class RoleDefinition {
+
+ private String id;
+ private boolean required;
+
+ public RoleDefinition() {
+ this(null, false);
+ }
+
+ public RoleDefinition(String id, boolean required) {
+ this.id = id;
+ this.required = required;
+ }
+
+ public String getId() {
+ return id;
+ }
+
+ public void setId(String id) {
+ this.id = id;
+ }
+
+ public boolean isRequired() {
+ return required;
+ }
+
+ public void setRequired(boolean required) {
+ this.required = required;
+ }
+ }
+}
diff --git a/core/src/main/java/org/keycloak/representations/idm/authorization/UserPolicyRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/authorization/UserPolicyRepresentation.java
new file mode 100644
index 0000000..dc38e65
--- /dev/null
+++ b/core/src/main/java/org/keycloak/representations/idm/authorization/UserPolicyRepresentation.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.representations.idm.authorization;
+
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class UserPolicyRepresentation extends AbstractPolicyRepresentation {
+
+ private Set<String> users;
+
+ public Set<String> getUsers() {
+ return users;
+ }
+
+ public void setUsers(Set<String> users) {
+ this.users= users;
+ }
+
+ public void addUser(String name) {
+ if (users == null) {
+ users = new HashSet<>();
+ }
+ users.add(name);
+ }
+}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java
index 2d31ab1..433a112 100644
--- a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/PoliciesResource.java
@@ -69,4 +69,9 @@ public interface PoliciesResource {
@Path("evaluate")
PolicyEvaluationResponse evaluate(PolicyEvaluationRequest evaluationRequest);
+ @Path("role")
+ RolePoliciesResource roles();
+
+ @Path("user")
+ UserPoliciesResource users();
}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePoliciesResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePoliciesResource.java
new file mode 100644
index 0000000..9ed6226
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePoliciesResource.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.admin.client.resource;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public interface RolePoliciesResource {
+
+ @POST
+ @Consumes(MediaType.APPLICATION_JSON)
+ @Produces(MediaType.APPLICATION_JSON)
+ Response create(RolePolicyRepresentation representation);
+
+ @Path("{id}")
+ RolePolicyResource findById(@PathParam("id") String id);
+
+}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePolicyResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePolicyResource.java
new file mode 100644
index 0000000..824554f
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RolePolicyResource.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.admin.client.resource;
+
+import java.util.List;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+import org.jboss.resteasy.annotations.cache.NoCache;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ResourceRepresentation;
+import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public interface RolePolicyResource {
+
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ RolePolicyRepresentation toRepresentation();
+
+ @PUT
+ @Consumes(MediaType.APPLICATION_JSON)
+ void update(RolePolicyRepresentation representation);
+
+ @DELETE
+ void remove();
+
+ @Path("/associatedPolicies")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ List<PolicyRepresentation> associatedPolicies();
+
+ @Path("/dependentPolicies")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ List<PolicyRepresentation> dependentPolicies();
+
+ @Path("/resources")
+ @GET
+ @Produces("application/json")
+ @NoCache
+ List<ResourceRepresentation> resources();
+
+}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPoliciesResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPoliciesResource.java
new file mode 100644
index 0000000..c1769d7
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPoliciesResource.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.admin.client.resource;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public interface UserPoliciesResource {
+
+ @POST
+ @Consumes(MediaType.APPLICATION_JSON)
+ @Produces(MediaType.APPLICATION_JSON)
+ Response create(UserPolicyRepresentation representation);
+
+ @Path("{id}")
+ UserPolicyResource findById(@PathParam("id") String id);
+
+}
diff --git a/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPolicyResource.java b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPolicyResource.java
new file mode 100644
index 0000000..d12378c
--- /dev/null
+++ b/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/UserPolicyResource.java
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.admin.client.resource;
+
+import java.util.List;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.PUT;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+import org.jboss.resteasy.annotations.cache.NoCache;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ResourceRepresentation;
+import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public interface UserPolicyResource {
+
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ UserPolicyRepresentation toRepresentation();
+
+ @PUT
+ @Consumes(MediaType.APPLICATION_JSON)
+ void update(UserPolicyRepresentation representation);
+
+ @DELETE
+ void remove();
+
+ @Path("/associatedPolicies")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ List<PolicyRepresentation> associatedPolicies();
+
+ @Path("/dependentPolicies")
+ @GET
+ @Produces(MediaType.APPLICATION_JSON)
+ @NoCache
+ List<PolicyRepresentation> dependentPolicies();
+
+ @Path("/resources")
+ @GET
+ @Produces("application/json")
+ @NoCache
+ List<ResourceRepresentation> resources();
+
+}
diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java
index e8a64eb..5bb3651 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedPolicyStore.java
@@ -54,15 +54,14 @@ public class CachedPolicyStore implements PolicyStore {
private static final String POLICY_ID_CACHE_PREFIX = "policy-id-";
private final Cache<String, Map<String, List<CachedPolicy>>> cache;
- private final KeycloakSession session;
+ private final CachedStoreFactoryProvider cacheStoreFactory;
private final CacheTransaction transaction;
private final List<String> cacheKeys;
- private StoreFactory storeFactory;
+ private final StoreFactory storeFactory;
private PolicyStore delegate;
- private CachedStoreFactoryProvider cachedStoreFactory;
- public CachedPolicyStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
- this.session = session;
+ public CachedPolicyStore(KeycloakSession session, CachedStoreFactoryProvider cacheStoreFactory, CacheTransaction transaction, StoreFactory delegate) {
+ this.cacheStoreFactory = cacheStoreFactory;
this.transaction = transaction;
InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
@@ -71,7 +70,7 @@ public class CachedPolicyStore implements PolicyStore {
cacheKeys.add("findByResourceType");
cacheKeys.add("findByScopeIds");
cacheKeys.add("findByType");
- this.storeFactory = storeFactory;
+ this.storeFactory = delegate;
}
@Override
@@ -405,10 +404,7 @@ public class CachedPolicyStore implements PolicyStore {
}
private CachedStoreFactoryProvider getCachedStoreFactory() {
- if (cachedStoreFactory == null) {
- cachedStoreFactory = session.getProvider(CachedStoreFactoryProvider.class);
- }
- return cachedStoreFactory;
+ return cacheStoreFactory;
}
private void invalidateCache(String resourceServerId) {
diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java
index 95d3dba..a98a34e 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceServerStore.java
@@ -41,18 +41,16 @@ public class CachedResourceServerStore implements ResourceServerStore {
private static final String RS_ID_CACHE_PREFIX = "rs-id-";
private static final String RS_CLIENT_ID_CACHE_PREFIX = "rs-client-id-";
- private final KeycloakSession session;
private final CacheTransaction transaction;
private StoreFactory storeFactory;
private ResourceServerStore delegate;
private final Cache<String, Map<String, List<CachedResourceServer>>> cache;
- public CachedResourceServerStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
- this.session = session;
+ public CachedResourceServerStore(KeycloakSession session, CacheTransaction transaction, StoreFactory delegate) {
this.transaction = transaction;
InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
- this.storeFactory = storeFactory;
+ this.storeFactory = delegate;
}
@Override
diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java
index b016702..6c72f25 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedResourceStore.java
@@ -50,14 +50,16 @@ public class CachedResourceStore implements ResourceStore {
private static final String RESOURCE_NAME_CACHE_PREFIX = "rsc-name-";
private final KeycloakSession session;
+ private final CachedStoreFactoryProvider cacheStoreFactory;
private final CacheTransaction transaction;
private final List<String> cacheKeys;
private StoreFactory storeFactory;
private ResourceStore delegate;
private final Cache<String, Map<String, List<CachedResource>>> cache;
- public CachedResourceStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
+ public CachedResourceStore(KeycloakSession session, CachedStoreFactoryProvider cacheStoreFactory, CacheTransaction transaction, StoreFactory delegate) {
this.session = session;
+ this.cacheStoreFactory = cacheStoreFactory;
InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
this.transaction = transaction;
@@ -65,7 +67,7 @@ public class CachedResourceStore implements ResourceStore {
cacheKeys.add("findByOwner");
cacheKeys.add("findByUri");
cacheKeys.add("findByName");
- this.storeFactory = storeFactory;
+ this.storeFactory = delegate;
}
@Override
@@ -293,7 +295,7 @@ public class CachedResourceStore implements ResourceStore {
}
private CachedStoreFactoryProvider getCachedStoreFactory() {
- return session.getProvider(CachedStoreFactoryProvider.class);
+ return cacheStoreFactory;
}
private List<Resource> cacheResult(String resourceServerId, String key, Supplier<List<Resource>> provider) {
diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java
index ef2e19b..fb878d0 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/CachedScopeStore.java
@@ -44,17 +44,17 @@ public class CachedScopeStore implements ScopeStore {
private static final String SCOPE_NAME_CACHE_PREFIX = "scp-name-";
private final Cache<String, Map<String, List<CachedScope>>> cache;
- private final KeycloakSession session;
+ private final CachedStoreFactoryProvider cacheStoreFactory;
private final CacheTransaction transaction;
private ScopeStore delegate;
private StoreFactory storeFactory;
- public CachedScopeStore(KeycloakSession session, CacheTransaction transaction, StoreFactory storeFactory) {
- this.session = session;
+ public CachedScopeStore(KeycloakSession session, CachedStoreFactoryProvider cacheStoreFactory, CacheTransaction transaction, StoreFactory delegate) {
+ this.cacheStoreFactory = cacheStoreFactory;
this.transaction = transaction;
InfinispanConnectionProvider provider = session.getProvider(InfinispanConnectionProvider.class);
this.cache = provider.getCache(InfinispanConnectionProvider.AUTHORIZATION_CACHE_NAME);
- this.storeFactory = storeFactory;
+ this.storeFactory = delegate;
}
@Override
@@ -220,7 +220,7 @@ public class CachedScopeStore implements ScopeStore {
}
private CachedStoreFactoryProvider getCachedStoreFactory() {
- return session.getProvider(CachedStoreFactoryProvider.class);
+ return cacheStoreFactory;
}
private void invalidateCache(String resourceServerId) {
diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java
index ff66da6..25507b0 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreFactoryProvider.java
@@ -18,6 +18,11 @@
package org.keycloak.models.authorization.infinispan;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.store.AuthorizationStoreFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
@@ -27,9 +32,6 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakTransaction;
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
-import java.util.ArrayList;
-import java.util.List;
-
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
@@ -37,21 +39,22 @@ public class InfinispanStoreFactoryProvider implements CachedStoreFactoryProvide
private final KeycloakSession session;
private final CacheTransaction transaction;
- private final StoreFactory storeFactory;
+ private final StoreFactory delegate;
private final CachedResourceStore resourceStore;
private final CachedScopeStore scopeStore;
private final CachedPolicyStore policyStore;
private ResourceServerStore resourceServerStore;
- InfinispanStoreFactoryProvider(KeycloakSession delegate) {
- this.session = delegate;
+ public InfinispanStoreFactoryProvider(AuthorizationProvider authorizationProvider) {
+ this.session = authorizationProvider.getKeycloakSession();
this.transaction = new CacheTransaction();
this.session.getTransactionManager().enlistAfterCompletion(transaction);
- storeFactory = this.session.getProvider(StoreFactory.class);
- resourceStore = new CachedResourceStore(this.session, this.transaction, storeFactory);
- resourceServerStore = new CachedResourceServerStore(this.session, this.transaction, storeFactory);
- scopeStore = new CachedScopeStore(this.session, this.transaction, storeFactory);
- policyStore = new CachedPolicyStore(this.session, this.transaction, storeFactory);
+ AuthorizationStoreFactory providerFactory = (AuthorizationStoreFactory) this.session.getKeycloakSessionFactory().getProviderFactory(StoreFactory.class);
+ delegate = providerFactory.create(authorizationProvider);
+ resourceStore = new CachedResourceStore(this.session, this, this.transaction, delegate);
+ resourceServerStore = new CachedResourceServerStore(this.session, this.transaction, delegate);
+ scopeStore = new CachedScopeStore(this.session, this, this.transaction, delegate);
+ policyStore = new CachedPolicyStore(this.session, this, this.transaction, delegate);
}
@Override
diff --git a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java
index ff7452b..d3df3db 100644
--- a/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java
+++ b/model/infinispan/src/main/java/org/keycloak/models/authorization/infinispan/InfinispanStoreProviderFactory.java
@@ -19,6 +19,8 @@
package org.keycloak.models.authorization.infinispan;
import org.keycloak.Config;
+import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
@@ -31,7 +33,7 @@ import org.keycloak.provider.EnvironmentDependentProviderFactory;
public class InfinispanStoreProviderFactory implements CachedStoreProviderFactory, EnvironmentDependentProviderFactory {
@Override
public CachedStoreFactoryProvider create(KeycloakSession session) {
- return new InfinispanStoreFactoryProvider(session);
+ return null;
}
@Override
@@ -58,4 +60,9 @@ public class InfinispanStoreProviderFactory implements CachedStoreProviderFactor
public boolean isSupported() {
return true;
}
+
+ @Override
+ public StoreFactory create(AuthorizationProvider authorizationProvider) {
+ return new InfinispanStoreFactoryProvider(authorizationProvider);
+ }
}
diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java
index 8788884..9885c24 100644
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAAuthorizationStoreFactory.java
@@ -18,21 +18,22 @@
package org.keycloak.authorization.jpa.store;
+import javax.persistence.EntityManager;
+
import org.keycloak.Config;
+import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.store.AuthorizationStoreFactory;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.connections.jpa.JpaConnectionProvider;
import org.keycloak.models.KeycloakSession;
-import javax.persistence.EntityManager;
-
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class JPAAuthorizationStoreFactory implements AuthorizationStoreFactory {
@Override
public StoreFactory create(KeycloakSession session) {
- return new JPAStoreFactory(getEntityManager(session));
+ return null;
}
@Override
@@ -53,4 +54,9 @@ public class JPAAuthorizationStoreFactory implements AuthorizationStoreFactory {
private EntityManager getEntityManager(KeycloakSession session) {
return session.getProvider(JpaConnectionProvider.class).getEntityManager();
}
+
+ @Override
+ public StoreFactory create(AuthorizationProvider authorizationProvider) {
+ return new JPAStoreFactory(getEntityManager(authorizationProvider.getKeycloakSession()), authorizationProvider);
+ }
}
diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java
index 527671f..6b30961 100644
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAPolicyStore.java
@@ -17,15 +17,18 @@
*/
package org.keycloak.authorization.jpa.store;
+import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.jpa.entities.PolicyEntity;
import org.keycloak.authorization.jpa.entities.ResourceServerEntity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
+import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
@@ -46,10 +49,12 @@ public class JPAPolicyStore implements PolicyStore {
private final EntityManager entityManager;
private final StoreFactory storeFactory;
+ private final AuthorizationProvider authorization;
- public JPAPolicyStore(EntityManager entityManager, StoreFactory storeFactory) {
+ public JPAPolicyStore(EntityManager entityManager, JPAStoreFactory jpaStoreFactory, AuthorizationProvider authorization) {
this.entityManager = entityManager;
- this.storeFactory = storeFactory;
+ this.storeFactory = jpaStoreFactory;
+ this.authorization = authorization;
}
@Override
@@ -59,10 +64,20 @@ public class JPAPolicyStore implements PolicyStore {
entity.setId(KeycloakModelUtils.generateId());
entity.setResourceServer((ResourceServerEntity) resourceServer);
entity.setType(representation.getType());
+ entity.setName(representation.getName());
+
+ this.entityManager.persist(entity);
entity = (PolicyEntity) RepresentationToModel.toModel(representation, storeFactory, entity);
- this.entityManager.persist(entity);
+ PolicyProviderFactory provider = authorization.getProviderFactory(entity.getType());
+
+ if (representation instanceof PolicyRepresentation) {
+ provider.onImport(entity, PolicyRepresentation.class.cast(representation), authorization);
+ } else {
+ provider.onCreate(entity, representation, authorization);
+ }
+
return entity;
}
diff --git a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java
index 1a534bb..8bf2e37 100644
--- a/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java
+++ b/model/jpa/src/main/java/org/keycloak/authorization/jpa/store/JPAStoreFactory.java
@@ -18,6 +18,7 @@
package org.keycloak.authorization.jpa.store;
+import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
@@ -32,14 +33,16 @@ import javax.persistence.EntityManager;
public class JPAStoreFactory implements StoreFactory {
private final EntityManager entityManager;
+ private final AuthorizationProvider authorization;
- public JPAStoreFactory(EntityManager entityManager) {
+ public JPAStoreFactory(EntityManager entityManager, AuthorizationProvider authorizationProvider) {
this.entityManager = entityManager;
+ this.authorization = authorizationProvider;
}
@Override
public PolicyStore getPolicyStore() {
- return new JPAPolicyStore(this.entityManager, this);
+ return new JPAPolicyStore(entityManager, this, authorization);
}
@Override
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java b/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java
index 3aafae3..ff2019a 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/AuthorizationProvider.java
@@ -21,8 +21,6 @@ package org.keycloak.authorization;
import java.util.Collection;
import java.util.List;
import java.util.Map;
-import java.util.concurrent.Executor;
-import java.util.function.Supplier;
import org.keycloak.authorization.permission.evaluator.Evaluators;
import org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator;
@@ -31,6 +29,8 @@ import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
+import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
+import org.keycloak.models.cache.authorization.CachedStoreProviderFactory;
import org.keycloak.provider.Provider;
/**
@@ -62,25 +62,20 @@ import org.keycloak.provider.Provider;
public final class AuthorizationProvider implements Provider {
private final DefaultPolicyEvaluator policyEvaluator;
- private final Executor scheduller;
- private final Supplier<StoreFactory> storeFactory;
+ private StoreFactory storeFactory;
private final Map<String, PolicyProviderFactory> policyProviderFactories;
private final KeycloakSession keycloakSession;
private final RealmModel realm;
- public AuthorizationProvider(KeycloakSession session, RealmModel realm, Supplier<StoreFactory> storeFactory, Map<String, PolicyProviderFactory> policyProviderFactories, Executor scheduller) {
+ public AuthorizationProvider(KeycloakSession session, RealmModel realm, Map<String, PolicyProviderFactory> policyProviderFactories) {
this.keycloakSession = session;
this.realm = realm;
- this.storeFactory = storeFactory;
- this.scheduller = scheduller;
+ CachedStoreProviderFactory providerFactory = (CachedStoreProviderFactory) session.getKeycloakSessionFactory().getProviderFactory(CachedStoreFactoryProvider.class);
+ storeFactory = providerFactory.create(this);
this.policyProviderFactories = policyProviderFactories;
this.policyEvaluator = new DefaultPolicyEvaluator(this);
}
- public AuthorizationProvider(KeycloakSession session, RealmModel realm, StoreFactory storeFactory, Map<String, PolicyProviderFactory> policyProviderFactories) {
- this(session, realm, () -> storeFactory, policyProviderFactories, Runnable::run);
- }
-
/**
* Returns a {@link Evaluators} instance from where {@link org.keycloak.authorization.policy.evaluation.PolicyEvaluator} instances
* can be obtained.
@@ -88,7 +83,7 @@ public final class AuthorizationProvider implements Provider {
* @return a {@link Evaluators} instance
*/
public Evaluators evaluators() {
- return new Evaluators(this.policyEvaluator, this.scheduller);
+ return new Evaluators(policyEvaluator);
}
/**
@@ -97,7 +92,7 @@ public final class AuthorizationProvider implements Provider {
* @return the {@link StoreFactory}
*/
public StoreFactory getStoreFactory() {
- return this.storeFactory.get();
+ return this.storeFactory;
}
/**
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java b/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java
index ed1aa89..00e1191 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/permission/evaluator/Evaluators.java
@@ -19,7 +19,6 @@
package org.keycloak.authorization.permission.evaluator;
import java.util.List;
-import java.util.concurrent.Executor;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator;
@@ -33,11 +32,9 @@ import org.keycloak.authorization.policy.evaluation.EvaluationContext;
public final class Evaluators {
private final DefaultPolicyEvaluator policyEvaluator;
- private final Executor scheduler;
- public Evaluators(DefaultPolicyEvaluator policyEvaluator, Executor scheduler) {
+ public Evaluators(DefaultPolicyEvaluator policyEvaluator) {
this.policyEvaluator = policyEvaluator;
- this.scheduler = scheduler;
}
public PermissionEvaluator from(List<ResourcePermission> permissions, EvaluationContext evaluationContext) {
@@ -45,6 +42,6 @@ public final class Evaluators {
}
public PermissionEvaluator schedule(List<ResourcePermission> permissions, EvaluationContext evaluationContext) {
- return new ScheduledPermissionEvaluator(new IterablePermissionEvaluator(permissions.iterator(), evaluationContext, this.policyEvaluator), this.scheduler);
+ return new DefaultPermissionEvaluator(new IterablePermissionEvaluator(permissions.iterator(), evaluationContext, this.policyEvaluator));
}
}
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java b/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java
index 44263a7..b19c55b 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderAdminService.java
@@ -18,7 +18,6 @@
package org.keycloak.authorization.policy.provider;
-import org.keycloak.authorization.model.Policy;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
/**
@@ -26,15 +25,4 @@ import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentati
*/
public interface PolicyProviderAdminService<R extends AbstractPolicyRepresentation> {
- default void onCreate(Policy policy, R representation) {
-
- }
-
- default void onUpdate(Policy policy, R representation) {
-
- }
-
- default void onRemove(Policy policy) {
-
- }
}
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java b/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java
index 72ffb56..af95b00 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/policy/provider/PolicyProviderFactory.java
@@ -44,6 +44,22 @@ public interface PolicyProviderFactory<R extends AbstractPolicyRepresentation> e
return (Class<R>) PolicyRepresentation.class;
}
+ default void onCreate(Policy policy, R representation, AuthorizationProvider authorization) {
+
+ }
+
+ default void onUpdate(Policy policy, R representation, AuthorizationProvider authorization) {
+
+ }
+
+ default void onRemove(Policy policy, AuthorizationProvider authorization) {
+
+ }
+
+ default void onImport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
+
+ }
+
default PolicyProviderAdminService getAdminResource(ResourceServer resourceServer, AuthorizationProvider authorization) {
return null;
}
diff --git a/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java b/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java
index 78a08bd..7f008ec 100644
--- a/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java
+++ b/server-spi-private/src/main/java/org/keycloak/authorization/store/AuthorizationStoreFactory.java
@@ -18,6 +18,7 @@
package org.keycloak.authorization.store;
+import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.store.syncronization.ClientApplicationSynchronizer;
import org.keycloak.authorization.store.syncronization.RealmSynchronizer;
import org.keycloak.authorization.store.syncronization.Synchronizer;
@@ -61,4 +62,6 @@ public interface AuthorizationStoreFactory extends ProviderFactory<StoreFactory>
}
});
}
+
+ StoreFactory create(AuthorizationProvider authorizationProvider);
}
diff --git a/server-spi-private/src/main/java/org/keycloak/models/cache/authorization/CachedStoreProviderFactory.java b/server-spi-private/src/main/java/org/keycloak/models/cache/authorization/CachedStoreProviderFactory.java
index b8563cb..eb18dbd 100644
--- a/server-spi-private/src/main/java/org/keycloak/models/cache/authorization/CachedStoreProviderFactory.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/cache/authorization/CachedStoreProviderFactory.java
@@ -18,10 +18,13 @@
package org.keycloak.models.cache.authorization;
+import org.keycloak.authorization.AuthorizationProvider;
+import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.provider.ProviderFactory;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public interface CachedStoreProviderFactory extends ProviderFactory<CachedStoreFactoryProvider> {
+ StoreFactory create(AuthorizationProvider authorizationProvider);
}
diff --git a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
index f0576eb..7dd47bd 100755
--- a/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
@@ -36,6 +36,7 @@ import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
+import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
@@ -1941,81 +1942,6 @@ public class RepresentationToModel {
Map<String, String> config = policyRepresentation.getConfig();
- String roles = config.get("roles");
-
- if (roles != null && !roles.isEmpty()) {
- try {
- List<Map> rolesMap = (List<Map>) JsonSerialization.readValue(roles, List.class);
- config.put("roles", JsonSerialization.writeValueAsString(rolesMap.stream().map(roleConfig -> {
- String roleName = roleConfig.get("id").toString();
- String clientId = null;
- int clientIdSeparator = roleName.indexOf("/");
-
- if (clientIdSeparator != -1) {
- clientId = roleName.substring(0, clientIdSeparator);
- roleName = roleName.substring(clientIdSeparator + 1);
- }
-
- RoleModel role;
-
- if (clientId == null) {
- role = realm.getRole(roleName);
- } else {
- role = realm.getClientByClientId(clientId).getRole(roleName);
- }
-
- // fallback to find any client role with the given name
- if (role == null) {
- String finalRoleName = roleName;
- role = realm.getClients().stream().map(clientModel -> clientModel.getRole(finalRoleName)).filter(roleModel -> roleModel != null)
- .findFirst().orElse(null);
- }
-
- if (role == null) {
- role = realm.getRoleById(roleName);
-
- if (role == null) {
- String finalRoleName1 = roleName;
- role = realm.getClients().stream().map(clientModel -> clientModel.getRole(finalRoleName1)).filter(roleModel -> roleModel != null)
- .findFirst().orElse(null);
- }
- }
-
- if (role == null) {
- throw new RuntimeException("Error while importing configuration. Role [" + roleName + "] could not be found.");
- }
-
- roleConfig.put("id", role.getId());
- return roleConfig;
- }).collect(Collectors.toList())));
- } catch (Exception e) {
- throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
- }
- }
-
- String users = config.get("users");
-
- if (users != null && !users.isEmpty()) {
- try {
- List<String> usersMap = (List<String>) JsonSerialization.readValue(users, List.class);
- config.put("users", JsonSerialization.writeValueAsString(usersMap.stream().map(userId -> {
- UserModel user = session.users().getUserByUsername(userId, realm);
-
- if (user == null) {
- user = session.users().getUserById(userId, realm);
- }
-
- if (user == null) {
- throw new RuntimeException("Error while importing configuration. User [" + userId + "] could not be found.");
- }
-
- return user.getId();
- }).collect(Collectors.toList())));
- } catch (Exception e) {
- throw new RuntimeException("Error while exporting policy [" + policyRepresentation.getName() + "].", e);
- }
- }
-
String scopes = config.get("scopes");
if (scopes != null && !scopes.isEmpty()) {
@@ -2098,12 +2024,16 @@ public class RepresentationToModel {
policy = policyStore.findByName(policyRepresentation.getName(), resourceServer.getId());
}
+ PolicyProviderFactory providerFactory = authorization.getProviderFactory(policyRepresentation.getType());
+
if (policy == null) {
policy = policyStore.create(policyRepresentation, resourceServer);
} else {
toModel(policyRepresentation, storeFactory, policy);
}
+ providerFactory.onImport(policy, policyRepresentation, authorization);
+
if (parentPolicyName != null && parentPolicyName.equals(policyRepresentation.getName())) {
return policy;
}
diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java
index 5908dcf..07e4ef9 100644
--- a/services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyResourceService.java
@@ -34,6 +34,7 @@ import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.policy.provider.PolicyProviderAdminService;
+import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.utils.ModelToRepresentation;
@@ -79,14 +80,12 @@ public class PolicyResourceService {
Policy updated = RepresentationToModel.toModel(representation, authorization.getStoreFactory(), policy);
- PolicyProviderAdminService resource = getPolicyProviderAdminResource(updated.getType());
+ PolicyProviderFactory resource = getProviderFactory(updated.getType());
- if (resource != null) {
- try {
- resource.onUpdate(updated, representation);
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
+ if (representation instanceof PolicyRepresentation) {
+ resource.onImport(updated, PolicyRepresentation.class.cast(representation), authorization);
+ } else {
+ resource.onUpdate(updated, representation, authorization);
}
return Response.status(Status.CREATED).build();
@@ -102,15 +101,9 @@ public class PolicyResourceService {
StoreFactory storeFactory = authorization.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
- PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType());
+ PolicyProviderFactory resource = getProviderFactory(policy.getType());
- if (resource != null) {
- try {
- resource.onRemove(policy);
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
- }
+ resource.onRemove(policy, authorization);
policyStore.findDependentPolicies(policy.getId(), resourceServer.getId()).forEach(dependentPolicy -> {
if (dependentPolicy.getAssociatedPolicies().size() == 1) {
@@ -242,8 +235,8 @@ public class PolicyResourceService {
return representation;
}
- protected PolicyProviderAdminService getPolicyProviderAdminResource(String policyType) {
- return authorization.getProviderFactory(policyType).getAdminResource(resourceServer, authorization);
+ private PolicyProviderFactory getProviderFactory(String policyType) {
+ return authorization.getProviderFactory(policyType);
}
protected Policy getPolicy() {
diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java
index 4c8677f..d57fec8 100644
--- a/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java
@@ -96,16 +96,6 @@ public class PolicyService {
AbstractPolicyRepresentation representation = doCreateRepresentation(payload);
Policy policy = create(representation);
- PolicyProviderAdminService provider = getPolicyProviderAdminResource(representation.getType());
-
- if (provider != null) {
- try {
- provider.onCreate(policy, representation);
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
- }
-
representation.setId(policy.getId());
@@ -133,14 +123,12 @@ public class PolicyService {
}
Policy policy = policyStore.create(representation, resourceServer);
- PolicyProviderAdminService resource = getPolicyProviderAdminResource(policy.getType());
+ PolicyProviderFactory provider = getPolicyProviderFactory(policy.getType());
- if (resource != null) {
- try {
- resource.onCreate(policy, null);
- } catch (Exception e) {
- throw new RuntimeException(e);
- }
+ if (representation instanceof PolicyRepresentation) {
+ provider.onImport(policy, PolicyRepresentation.class.cast(representation), authorization);
+ } else {
+ provider.onCreate(policy, representation, authorization);
}
return policy;
diff --git a/services/src/main/java/org/keycloak/authorization/admin/ResourceServerService.java b/services/src/main/java/org/keycloak/authorization/admin/ResourceServerService.java
index ffd67b6..15f1db7 100644
--- a/services/src/main/java/org/keycloak/authorization/admin/ResourceServerService.java
+++ b/services/src/main/java/org/keycloak/authorization/admin/ResourceServerService.java
@@ -50,6 +50,7 @@ import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
import org.keycloak.services.resources.admin.RealmAuth;
@@ -183,21 +184,15 @@ public class ResourceServerService {
}
private void createDefaultPermission(ResourceRepresentation resource, PolicyRepresentation policy) {
- PolicyRepresentation defaultPermission = new PolicyRepresentation();
+ ResourcePermissionRepresentation defaultPermission = new ResourcePermissionRepresentation();
defaultPermission.setName("Default Permission");
- defaultPermission.setType("resource");
defaultPermission.setDescription("A permission that applies to the default resource type");
defaultPermission.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
defaultPermission.setLogic(Logic.POSITIVE);
- HashMap<String, String> defaultPermissionConfig = new HashMap<>();
-
- defaultPermissionConfig.put("default", "true");
- defaultPermissionConfig.put("defaultResourceType", resource.getType());
- defaultPermissionConfig.put("applyPolicies", "[\"" + policy.getName() + "\"]");
-
- defaultPermission.setConfig(defaultPermissionConfig);
+ defaultPermission.setResourceType(resource.getType());
+ defaultPermission.addPolicy(policy.getName());
getPolicyResource().create(defaultPermission);
}
diff --git a/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java b/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java
index 7891e18..6b5b027 100644
--- a/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java
+++ b/services/src/main/java/org/keycloak/authorization/common/KeycloakIdentity.java
@@ -139,12 +139,19 @@ public class KeycloakIdentity implements Identity {
if (this.accessToken.getClientSession() != null) {
ClientSessionModel clientSession = this.keycloakSession.sessions().getClientSession(this.accessToken.getClientSession());
- clientUser = this.keycloakSession.users().getServiceAccount(clientSession.getClient());
- } else if (this.accessToken.getIssuedFor() != null) {
- ClientModel clientModel = this.keycloakSession.realms().getClientById(this.accessToken.getIssuedFor(), this.realm);
- clientUser = this.keycloakSession.users().getServiceAccount(clientModel);
+
+ if (clientSession != null) {
+ clientUser = this.keycloakSession.users().getServiceAccount(clientSession.getClient());
+ }
}
+ if (this.accessToken.getIssuedFor() != null) {
+ ClientModel clientModel = this.keycloakSession.realms().getClientById(this.accessToken.getIssuedFor(), this.realm);
+
+ if (clientModel != null) {
+ clientUser = this.keycloakSession.users().getServiceAccount(clientModel);
+ }
+ }
if (clientUser == null) {
return false;
diff --git a/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java b/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java
index 159e5aa..ca59f42 100644
--- a/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java
+++ b/services/src/main/java/org/keycloak/authorization/DefaultAuthorizationProviderFactory.java
@@ -26,11 +26,9 @@ import java.util.concurrent.Executor;
import org.keycloak.Config;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
-import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
-import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
import org.keycloak.provider.ProviderFactory;
/**
@@ -76,13 +74,7 @@ public class DefaultAuthorizationProviderFactory implements AuthorizationProvide
@Override
public AuthorizationProvider create(KeycloakSession session, RealmModel realm) {
- StoreFactory storeFactory = session.getProvider(CachedStoreFactoryProvider.class);
-
- if (storeFactory == null) {
- storeFactory = session.getProvider(StoreFactory.class);
- }
-
- return new AuthorizationProvider(session, realm, storeFactory, policyProviderFactories);
+ return new AuthorizationProvider(session, realm, policyProviderFactories);
}
private Map<String, PolicyProviderFactory> configurePolicyProviderFactories(KeycloakSessionFactory keycloakSessionFactory) {
diff --git a/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java b/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
index 620916c..326deb6 100644
--- a/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
+++ b/services/src/main/java/org/keycloak/authorization/entitlement/EntitlementService.java
@@ -139,7 +139,7 @@ public class EntitlementService {
.allowedOrigins(identity.getAccessToken())
.exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
} else {
- asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements)))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
+ asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements, identity.getAccessToken())))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
}
}
});
@@ -192,7 +192,7 @@ public class EntitlementService {
.allowedOrigins(identity.getAccessToken())
.exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
} else {
- asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements)))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
+ asyncResponse.resume(Cors.add(request, Response.ok().entity(new EntitlementResponse(createRequestingPartyToken(entitlements, identity.getAccessToken())))).allowedOrigins(identity.getAccessToken()).allowedMethods("GET").exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS).build());
}
}
});
@@ -207,8 +207,7 @@ public class EntitlementService {
}
}
- private String createRequestingPartyToken(List<Permission> permissions) {
- AccessToken accessToken = Tokens.getAccessToken(this.authorization.getKeycloakSession());
+ private String createRequestingPartyToken(List<Permission> permissions, AccessToken accessToken) {
RealmModel realm = this.authorization.getKeycloakSession().getContext().getRealm();
AccessToken.Authorization authorization = new AccessToken.Authorization();
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/AbstractPhotozAdminTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/AbstractPhotozAdminTest.java
index f3c432b..7be8fb4 100644
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/AbstractPhotozAdminTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/authorization/AbstractPhotozAdminTest.java
@@ -40,6 +40,7 @@ import org.keycloak.models.RoleModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
+import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.util.JsonSerialization;
@@ -287,26 +288,11 @@ public abstract class AbstractPhotozAdminTest extends AbstractAuthorizationTest
return onAuthorizationSession(authorizationProvider -> {
StoreFactory storeFactory = authorizationProvider.getStoreFactory();
PolicyStore policyStore = storeFactory.getPolicyStore();
- PolicyRepresentation representation = new PolicyRepresentation();
+ RolePolicyRepresentation representation = new RolePolicyRepresentation();
representation.setName("Any Admin Policy");
representation.setType("role");
-
- HashedMap config = new HashedMap();
- RealmModel realm = authorizationProvider.getKeycloakSession().realms().getRealmByName(TEST_REALM_NAME);
- RoleModel adminRole = realm.getRole("admin");
-
- Map role = new HashMap();
-
- role.put("id", adminRole.getId());
-
- try {
- config.put("roles", JsonSerialization.writeValueAsString(new Map[] {role}));
- } catch (IOException e) {
- throw new RuntimeException(e);
- }
-
- representation.setConfig(config);
+ representation.addRole("admin", false);
return policyStore.create(representation, resourceServer);
});
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/PhotozClientAuthzTestApp.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/PhotozClientAuthzTestApp.java
index 8f5018c..4d11f93 100644
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/PhotozClientAuthzTestApp.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/adapter/page/PhotozClientAuthzTestApp.java
@@ -108,11 +108,13 @@ public class PhotozClientAuthzTestApp extends AbstractPageWithInjectedUrl {
public void requestEntitlement() {
entitlement.click();
pause(WAIT_AFTER_OPERATION);
+ pause(WAIT_AFTER_OPERATION);
}
public void requestEntitlements() {
entitlements.click();
pause(WAIT_AFTER_OPERATION);
+ pause(WAIT_AFTER_OPERATION);
}
public void login(String username, String password, String... scopes) throws InterruptedException {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
index de16e41..814fb51 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AuthzCleanupTest.java
@@ -18,6 +18,7 @@ package org.keycloak.testsuite.admin;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.junit.Ignore;
import org.junit.Test;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.model.Policy;
@@ -29,13 +30,11 @@ import org.keycloak.models.RoleModel;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
-import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
-import java.util.HashMap;
import java.util.List;
-import java.util.Map;
import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
@@ -43,6 +42,7 @@ import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
+@Ignore
public class AuthzCleanupTest extends AbstractKeycloakTest {
@Deployment
@@ -60,12 +60,12 @@ public class AuthzCleanupTest extends AbstractKeycloakTest {
}
public static void setup(KeycloakSession session) {
+ AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
RealmModel realm = session.realms().getRealmByName(TEST);
ClientModel client = session.realms().addClient(realm, "myclient");
RoleModel role1 = client.addRole("client-role1");
RoleModel role2 = client.addRole("client-role2");
- AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().create(client.getId());
createRolePolicy(authz, resourceServer, role1);
createRolePolicy(authz, resourceServer, role2);
@@ -74,17 +74,13 @@ public class AuthzCleanupTest extends AbstractKeycloakTest {
}
private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
- PolicyRepresentation representation = new PolicyRepresentation();
+ RolePolicyRepresentation representation = new RolePolicyRepresentation();
representation.setName(role.getName());
representation.setType("role");
representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
representation.setLogic(Logic.POSITIVE);
-
- String roleValues = "[{\"id\":\"" + role.getId() + "\",\"required\": true}]";
- Map<String, String> config = new HashMap<>();
- config.put("roles", roleValues);
- representation.setConfig(config);
+ representation.addRole(role.getName(), true);
return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPermissionManagementTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPermissionManagementTest.java
index 7dc5843..2a53424 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPermissionManagementTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/AbstractPermissionManagementTest.java
@@ -23,10 +23,8 @@ import static org.junit.Assert.assertTrue;
import java.io.IOException;
import java.util.ArrayList;
-import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
-import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
@@ -34,27 +32,30 @@ import org.junit.Before;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.RealmResource;
-import org.keycloak.authorization.client.AuthzClient;
-import org.keycloak.authorization.client.Configuration;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
+import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.UserBuilder;
-import org.keycloak.util.JsonSerialization;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public abstract class AbstractPermissionManagementTest extends AbstractKeycloakTest {
+
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
- testRealms.add(RealmBuilder.create().name("authz-test")
+ testRealms.add(createTestRealm().build());
+ }
+
+ protected RealmBuilder createTestRealm() {
+ return RealmBuilder.create().name("authz-test")
.user(UserBuilder.create().username("marta").password("password"))
.user(UserBuilder.create().username("kolo").password("password"))
.client(ClientBuilder.create().clientId("resource-server-test")
@@ -62,8 +63,7 @@ public abstract class AbstractPermissionManagementTest extends AbstractKeycloakT
.authorizationServicesEnabled(true)
.redirectUris("http://localhost/resource-server-test")
.defaultRoles("uma_protection")
- .directAccessGrants())
- .build());
+ .directAccessGrants());
}
@Before
@@ -88,18 +88,31 @@ public abstract class AbstractPermissionManagementTest extends AbstractKeycloakT
assertNull(actual.getPolicies());
assertNull(actual.getScopes());
- assertEquals(expected.getPolicies().size(), policies.get().stream().map(representation1 -> representation1.getName()).filter(policyName -> expected.getPolicies().contains(policyName)).count());
+ List<PolicyRepresentation> associatedPolicies = policies.get();
+
+ if (expected.getPolicies() != null) {
+ assertEquals(expected.getPolicies().size(), associatedPolicies.size());
+ assertEquals(0, associatedPolicies.stream().map(representation1 -> representation1.getName()).filter(policyName -> !expected.getPolicies().contains(policyName)).count());
+ } else {
+ assertTrue(associatedPolicies.isEmpty());
+ }
+
+ List<ResourceRepresentation> associatedResources = resources.get();
if (expected.getResources() != null) {
- assertEquals(expected.getResources().size(), resources.get().stream().map(representation1 -> representation1.getName()).filter(resourceName -> expected.getResources().contains(resourceName)).count());
+ assertEquals(expected.getResources().size(), associatedResources.size());
+ assertEquals(0, associatedResources.stream().map(representation1 -> representation1.getName()).filter(resourceName -> !expected.getResources().contains(resourceName)).count());
} else {
- assertTrue(resources.get().isEmpty());
+ assertTrue(associatedResources.isEmpty());
}
+ List<ScopeRepresentation> associatedScopes = scopes.get();
+
if (expected.getScopes() != null) {
- assertEquals(expected.getScopes().size(), scopes.get().stream().map(representation1 -> representation1.getName()).filter(scopeName -> expected.getScopes().contains(scopeName)).count());
+ assertEquals(expected.getScopes().size(), associatedScopes.size());
+ assertEquals(expected.getScopes().size(), associatedScopes.stream().map(representation1 -> representation1.getName()).filter(scopeName -> !expected.getScopes().contains(scopeName)).count());
} else {
- assertTrue(scopes.get().isEmpty());
+ assertTrue(associatedScopes.isEmpty());
}
expected.setId(actual.getId());
@@ -129,18 +142,12 @@ public abstract class AbstractPermissionManagementTest extends AbstractKeycloakT
private void createUserPolicy(String name, RealmResource realm, ClientResource client, String username) throws IOException {
String userId = realm.users().search(username).stream().map(representation -> representation.getId()).findFirst().orElseThrow(() -> new RuntimeException("Expected user [userId]"));
- PolicyRepresentation representation = new PolicyRepresentation();
+ UserPolicyRepresentation representation = new UserPolicyRepresentation();
representation.setName(name);
- representation.setType("user");
+ representation.addUser(userId);
- Map<String, String> config = new HashMap<>();
-
- config.put("users", JsonSerialization.writeValueAsString(new String[]{userId}));
-
- representation.setConfig(config);
-
- client.authorization().policies().create(representation);
+ client.authorization().policies().users().create(representation);
}
protected ClientResource getClient() {
@@ -159,12 +166,4 @@ public abstract class AbstractPermissionManagementTest extends AbstractKeycloakT
throw new RuntimeException("Failed to create admin client", cause);
}
}
-
- private AuthzClient getAuthzClient() {
- try {
- return AuthzClient.create(JsonSerialization.readValue(getClass().getResourceAsStream("/authorization-test/default-keycloak.json"), Configuration.class));
- } catch (IOException cause) {
- throw new RuntimeException("Failed to create authz client", cause);
- }
- }
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java
new file mode 100644
index 0000000..b4960aa
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/RolePolicyManagementTest.java
@@ -0,0 +1,183 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.testsuite.admin.client.authorization;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.util.Collections;
+import java.util.stream.Collectors;
+
+import javax.ws.rs.NotFoundException;
+import javax.ws.rs.core.Response;
+
+import org.junit.Test;
+import org.keycloak.admin.client.resource.AuthorizationResource;
+import org.keycloak.admin.client.resource.ClientResource;
+import org.keycloak.admin.client.resource.RolePoliciesResource;
+import org.keycloak.admin.client.resource.RolePolicyResource;
+import org.keycloak.admin.client.resource.RolesResource;
+import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.representations.idm.RoleRepresentation;
+import org.keycloak.representations.idm.authorization.DecisionStrategy;
+import org.keycloak.representations.idm.authorization.Logic;
+import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
+import org.keycloak.testsuite.util.RealmBuilder;
+import org.keycloak.testsuite.util.RolesBuilder;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class RolePolicyManagementTest extends AbstractPermissionManagementTest {
+
+ @Override
+ protected RealmBuilder createTestRealm() {
+ return super.createTestRealm().roles(
+ RolesBuilder.create()
+ .realmRole(new RoleRepresentation("Role A", "Role A description", false))
+ .realmRole(new RoleRepresentation("Role B", "Role B description", false))
+ .realmRole(new RoleRepresentation("Role C", "Role C description", false))
+ );
+ }
+
+ @Test
+ public void testCreateRealmRolePolicy() {
+ AuthorizationResource authorization = getClient().authorization();
+ RolePolicyRepresentation representation = new RolePolicyRepresentation();
+
+ representation.setName("Realm Role Policy");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+ representation.addRole("Role A", false);
+ representation.addRole("Role B", true);
+
+ assertCreated(authorization, representation);
+ }
+
+ @Test
+ public void testCreateClientRolePolicy() {
+ ClientResource client = getClient();
+ AuthorizationResource authorization = client.authorization();
+ RolePolicyRepresentation representation = new RolePolicyRepresentation();
+
+ representation.setName("Realm Client Role Policy");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+
+ RolesResource roles = client.roles();
+
+ roles.create(new RoleRepresentation("Client Role A", "desc", false));
+
+ ClientRepresentation clientRep = client.toRepresentation();
+
+ roles.create(new RoleRepresentation("Client Role B", "desc", false));
+
+ representation.addRole("Client Role A", true);
+ representation.addRole(clientRep.getClientId() + "/Client Role B", true);
+
+ assertCreated(authorization, representation);
+ }
+
+ @Test
+ public void testUpdate() {
+ AuthorizationResource authorization = getClient().authorization();
+ RolePolicyRepresentation representation = new RolePolicyRepresentation();
+
+ representation.setName("Update Test Role Policy");
+ representation.setDescription("description");
+ representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+ representation.setLogic(Logic.NEGATIVE);
+ representation.addRole("Role A", false);
+ representation.addRole("Role B", true);
+ representation.addRole("Role C", false);
+
+ assertCreated(authorization, representation);
+
+ representation.setName("changed");
+ representation.setDescription("changed");
+ representation.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
+ representation.setLogic(Logic.POSITIVE);
+ representation.setRoles(representation.getRoles().stream().filter(roleDefinition -> !roleDefinition.getId().equals("Resource A")).collect(Collectors.toSet()));
+
+ RolePoliciesResource policies = authorization.policies().roles();
+ RolePolicyResource permission = policies.findById(representation.getId());
+
+ permission.update(representation);
+ assertRepresentation(representation, permission);
+
+ for (RolePolicyRepresentation.RoleDefinition roleDefinition : representation.getRoles()) {
+ if (roleDefinition.getId().equals("Role B")) {
+ roleDefinition.setRequired(false);
+ }
+ if (roleDefinition.getId().equals("Role C")) {
+ roleDefinition.setRequired(true);
+ }
+ }
+
+ permission.update(representation);
+ assertRepresentation(representation, permission);
+ }
+
+ @Test
+ public void testDelete() {
+ AuthorizationResource authorization = getClient().authorization();
+ RolePolicyRepresentation representation = new RolePolicyRepresentation();
+
+ representation.setName("Test Delete Permission");
+ representation.addRole("Role A", false);
+
+ RolePoliciesResource policies = authorization.policies().roles();
+ Response response = policies.create(representation);
+ RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
+
+ policies.findById(created.getId()).remove();
+
+ RolePolicyResource removed = policies.findById(created.getId());
+
+ try {
+ removed.toRepresentation();
+ fail("Permission not removed");
+ } catch (NotFoundException ignore) {
+
+ }
+ }
+
+ private void assertCreated(AuthorizationResource authorization, RolePolicyRepresentation representation) {
+ RolePoliciesResource permissions = authorization.policies().roles();
+ Response response = permissions.create(representation);
+ RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
+ RolePolicyResource permission = permissions.findById(created.getId());
+ assertRepresentation(representation, permission);
+ }
+
+ private void assertRepresentation(RolePolicyRepresentation representation, RolePolicyResource permission) {
+ RolePolicyRepresentation actual = permission.toRepresentation();
+ assertRepresentation(representation, actual, () -> permission.resources(), () -> Collections.emptyList(), () -> permission.associatedPolicies());
+ assertEquals(representation.getRoles().size(), actual.getRoles().size());
+ ClientRepresentation clientRep = getClient().toRepresentation();
+ assertEquals(0, actual.getRoles().stream().filter(actualDefinition -> !representation.getRoles().stream()
+ .filter(roleDefinition -> (getRoleName(actualDefinition.getId()).equals(roleDefinition.getId()) || (clientRep.getClientId() + "/" + getRoleName(actualDefinition.getId())).equals(roleDefinition.getId())) && actualDefinition.isRequired() == roleDefinition.isRequired())
+ .findFirst().isPresent())
+ .count());
+ }
+
+ private String getRoleName(String id) {
+ return getRealm().rolesById().getRole(id).getName();
+ }
+}
diff --git a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
index bad0bb2..ed5620c 100644
--- a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
+++ b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
@@ -1326,8 +1326,8 @@ module.controller('ResourceServerPolicyUserDetailCtrl', function($scope, $route,
onInitUpdate : function(policy) {
var selectedUsers = [];
- if (policy.config.users) {
- var users = eval(policy.config.users);
+ if (policy.users) {
+ var users = policy.users;
for (i = 0; i < users.length; i++) {
User.get({realm: $route.current.params.realm, userId: users[i]}, function(data) {
@@ -1351,7 +1351,8 @@ module.controller('ResourceServerPolicyUserDetailCtrl', function($scope, $route,
users.push($scope.selectedUsers[i].id);
}
- $scope.policy.config.users = JSON.stringify(users);
+ $scope.policy.users = users;
+ delete $scope.policy.config;
},
onCreate : function() {
@@ -1361,7 +1362,8 @@ module.controller('ResourceServerPolicyUserDetailCtrl', function($scope, $route,
users.push($scope.selectedUsers[i].id);
}
- $scope.policy.config.users = JSON.stringify(users);
+ $scope.policy.users = users;
+ delete $scope.policy.config;
}
}, realm, client, $scope);
});
@@ -1545,8 +1547,8 @@ module.controller('ResourceServerPolicyRoleDetailCtrl', function($scope, $route,
onInitUpdate : function(policy) {
var selectedRoles = [];
- if (policy.config.roles) {
- var roles = eval(policy.config.roles);
+ if (policy.roles) {
+ var roles = policy.roles;
for (i = 0; i < roles.length; i++) {
RoleById.get({realm: $route.current.params.realm, role: roles[i].id}, function(data) {
@@ -1586,7 +1588,7 @@ module.controller('ResourceServerPolicyRoleDetailCtrl', function($scope, $route,
roles.push(role);
}
- $scope.policy.config.roles = JSON.stringify(roles);
+ $scope.policy.roles = roles;
},
onCreate : function() {
@@ -1601,7 +1603,7 @@ module.controller('ResourceServerPolicyRoleDetailCtrl', function($scope, $route,
roles.push(role);
}
- $scope.policy.config.roles = JSON.stringify(roles);
+ $scope.policy.roles = roles;
}
}, realm, client, $scope);