Java Code Examples for org.keycloak.models.ClientModel#getRoles()

The following examples show how to use org.keycloak.models.ClientModel#getRoles().
Example 1
Source File: CompositeRolesModelTest.java    From keycloak with Apache License 2.0
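/**
 * Collects the roles of {@code user} that {@code application} may request.
 *
 * <p>A role mapped to the user is added directly when its container is the application itself.
 * In addition, every (user role, scope role) pair is handed to {@code applyScope}, which decides
 * what else ends up in the result. The scope consists of the application's scope mappings plus
 * the application's own roles.
 *
 * @param application client whose scope mappings and own roles bound the result
 * @param user user whose role mappings are examined
 * @return a new mutable set of roles; never {@code null}
 */
public static Set<RoleModel> getRequestedRoles(ClientModel application, UserModel user) {
    Set<RoleModel> requestedRoles = new HashSet<>();

    Set<RoleModel> roleMappings = user.getRoleMappings();

    // Build the effective scope in a private copy. The set returned by getScopeMappings()
    // belongs to the model: whether it is a live view, a cached instance or unmodifiable is not
    // visible from here, so adding the client's own roles to it directly could either throw or
    // silently change the client's scope as a side effect of what should be a read-only query.
    Set<RoleModel> scopeMappings = new HashSet<>();
    Set<RoleModel> declaredScope = application.getScopeMappings();
    if (declaredScope != null) {
        scopeMappings.addAll(declaredScope);
    }
    Set<RoleModel> appRoles = application.getRoles();
    if (appRoles != null) {
        scopeMappings.addAll(appRoles);
    }

    for (RoleModel role : roleMappings) {
        if (role.getContainer().equals(application)) {
            requestedRoles.add(role);
        }
        for (RoleModel desiredRole : scopeMappings) {
            // Fresh visited set per pair, so one traversal never affects the next.
            Set<RoleModel> visited = new HashSet<>();
            applyScope(role, desiredRole, visited, requestedRoles);
        }
    }
    return requestedRoles;
}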
 
Example 2
Source File: KeycloakOIDCClientInstallation.java    From keycloak with Apache License 2.0
/**
 * Adds a policy-enforcer section to the installation config when authorization services are
 * enabled for the client.
 *
 * <p>Does nothing when authorization is not enabled. Otherwise attaches a
 * {@link PolicyEnforcerConfig} whose enforcement mode and lazy-load-paths are set to
 * {@code null}. If the client's only role is {@code Constants.AUTHZ_UMA_PROTECTION}, it also
 * sets use-resource-role-mappings to {@code null} on {@code rep}.
 *
 * @param session current Keycloak session
 * @param client client the installation config is generated for
 * @param rep installation config being populated
 */
private void configureAuthorizationSettings(KeycloakSession session, ClientModel client, ClientManager.InstallationAdapterConfig rep) {
    AuthorizationService authorization = new AuthorizationService(session, client, null, null);
    if (!authorization.isEnabled()) {
        return;
    }

    PolicyEnforcerConfig policyEnforcer = new PolicyEnforcerConfig();
    // NOTE(review): the nulls presumably keep these fields out of the generated config so the
    // adapter falls back to its own defaults; confirm against the serializer settings.
    policyEnforcer.setEnforcementMode(null);
    policyEnforcer.setLazyLoadPaths(null);
    rep.setEnforcerConfig(policyEnforcer);

    Set<RoleModel> roles = client.getRoles();
    boolean onlyUmaProtectionRole = roles.size() == 1
            && roles.iterator().next().getName().equals(Constants.AUTHZ_UMA_PROTECTION);
    if (onlyUmaProtectionRole) {
        rep.setUseResourceRoleMappings(null);
    }
}
 
Example 3
Source File: ClientRemovedEvent.java    From keycloak with Apache License 2.0
/**
 * Builds a removal event that snapshots the identifying data of {@code client}.
 *
 * <p>The event carries the realm id, the client's internal id, its client id and a map from
 * role id to role name for every role returned by {@code client.getRoles()}. All values are
 * copied at call time.
 *
 * @param client client being removed
 * @return the populated event
 */
public static ClientRemovedEvent create(ClientModel client) {
    ClientRemovedEvent event = new ClientRemovedEvent();

    event.realmId = client.getRealm().getId();
    event.clientUuid = client.getId();
    event.clientId = client.getClientId();

    // Copy role id -> role name into the event's own map.
    event.clientRoles = new HashMap<>();
    client.getRoles().forEach(role -> event.clientRoles.put(role.getId(), role.getName()));

    return event;
}
 
Example 4
Source File: JpaRealmProvider.java    From keycloak with Apache License 2.0
/**
 * Removes the client with the given id from the realm, including its roles and its
 * client-scope mappings.
 *
 * <p>Steps, in order: notify the user provider via {@code preRemove}, remove each client role,
 * load the client entity under a pessimistic write lock, publish a
 * {@code RealmModel.ClientRemovedEvent}, run the named bulk delete for client-scope mappings,
 * remove the entity and flush. The statement order is significant (see the inline notes).
 *
 * @param id internal id of the client to remove
 * @param realm realm the client is looked up in
 * @return {@code false} if no client with that id was found, {@code true} after a successful flush
 * @throws RuntimeException whatever {@code em.flush()} throws, rethrown after logging
 */
@Override
public boolean removeClient(String id, RealmModel realm) {
    final ClientModel client = getClientById(id, realm);
    if (client == null) return false;

    // Called before anything is deleted. NOTE(review): presumably this lets the user provider
    // drop per-user references to the client (role mappings, consents); confirm in the provider.
    session.users().preRemove(realm, client);

    for (RoleModel role : client.getRoles()) {
        // No need to go through cache. Roles were already invalidated
        removeRole(realm, role);
    }

    // Load the row under a pessimistic write lock for the rest of the removal.
    // NOTE(review): EntityManager.find returns null when the row no longer exists; that case is
    // not checked here and would surface as an exception from em.remove below.
    ClientEntity clientEntity = em.find(ClientEntity.class, id, LockModeType.PESSIMISTIC_WRITE);

    // The event is published while the entity still exists, so listeners can still read the client model.
    session.getKeycloakSessionFactory().publish(new RealmModel.ClientRemovedEvent() {
        @Override
        public ClientModel getClient() {
            return client;
        }

        @Override
        public KeycloakSession getKeycloakSession() {
            return session;
        }
    });

    // The update count is stored in countRemoved but never read afterwards.
    int countRemoved = em.createNamedQuery("deleteClientScopeClientMappingByClient")
            .setParameter("client", clientEntity)
            .executeUpdate();
    em.remove(clientEntity);  // ordering constraint from the original author: must come before deleteScopeMapping (reason undocumented)

    try {
        em.flush();
    } catch (RuntimeException e) {
        // The log line names the client and realm but not the exception itself; the exception is
        // rethrown unchanged, so the cause is expected to be reported by the caller.
        logger.errorv("Unable to delete client entity: {0} from realm {1}", client.getClientId(), realm.getName());
        throw e;
    }

    return true;
}
 
Example 5
Source File: TokenManager.java    From keycloak with Apache License 2.0
/**
 * Computes the roles of {@code user} that are visible to {@code client}.
 *
 * <p>When the client has full scope allowed, the user's deep role mappings are returned
 * unfiltered: the client sees every role the user holds, including roles of other clients.
 * Otherwise the result is the intersection of the user's deep role mappings with the expanded
 * set of the client's own roles and the scope mappings of the supplied client scopes.
 *
 * @param user user whose roles are evaluated
 * @param client client the access is computed for
 * @param clientScopes client scopes whose scope mappings widen the allowed set
 * @return the set obtained from {@code RoleUtils.getDeepUserRoleMappings}, narrowed in place
 *     when full scope is not allowed
 */
public static Set<RoleModel> getAccess(UserModel user, ClientModel client, Set<ClientScopeModel> clientScopes) {
    Set<RoleModel> userRoles = RoleUtils.getDeepUserRoleMappings(user);

    // Full scope: no filtering at all.
    if (client.isFullScopeAllowed()) {
        if (logger.isTraceEnabled()) {
            logger.tracef("Using full scope for client %s", client.getClientId());
        }
        return userRoles;
    }

    // Start from the client's own roles (copied, so the model's set is never modified) ...
    Set<RoleModel> allowed = new HashSet<>(client.getRoles());

    // ... add the scope mappings of every supplied client scope ...
    for (ClientScopeModel scope : clientScopes) {
        if (logger.isTraceEnabled()) {
            logger.tracef("Adding client scope role mappings of client scope '%s' to client '%s'", scope.getName(), client.getClientId());
        }
        allowed.addAll(scope.getScopeMappings());
    }

    // ... and expand composites so the comparison is made between fully expanded sets.
    Set<RoleModel> expandedAllowed = RoleUtils.expandCompositeRoles(allowed);

    // Keep only the user roles that are also within the allowed scope.
    userRoles.retainAll(expandedAllowed);
    return userRoles;
}
 
Example 6
Source File: AdminConsole.java    From keycloak with Apache License 2.0
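/**
 * Records, under the realm's name, the names of the realm-admin client roles that {@code user}
 * holds.
 *
 * <p>An entry for the realm is created only when the user has at least one of those roles. If
 * the realm has no realm-admin client, nothing is recorded.
 *
 * @param realm realm whose admin client roles are checked
 * @param user user whose roles are tested with {@code hasRole}
 * @param realmAdminAccess output map from realm name to granted admin role names; modified in place
 */
private void addRealmAccess(RealmModel realm, UserModel user, Map<String, Set<String>> realmAdminAccess) {
    RealmManager realmManager = new RealmManager(session);
    ClientModel realmAdminApp = realm.getClientByClientId(realmManager.getRealmAdminClientId(realm));
    // getClientByClientId returns null when the realm has no client with that id. Fail closed:
    // without the admin client there are no admin roles to report, so no access is recorded
    // instead of failing the whole request with a NullPointerException.
    if (realmAdminApp == null) {
        return;
    }

    String realmName = realm.getName();
    for (RoleModel role : realmAdminApp.getRoles()) {
        if (!user.hasRole(role)) {
            continue;
        }
        // Create the per-realm set lazily so realms without any granted role get no entry.
        Set<String> granted = realmAdminAccess.get(realmName);
        if (granted == null) {
            granted = new HashSet<String>();
            realmAdminAccess.put(realmName, granted);
        }
        granted.add(role.getName());
    }
}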
 
Example 7
Source File: AdminConsole.java    From keycloak with Apache License 2.0
/**
 * For every realm known to the session, records the names of that realm's master-admin client
 * roles that {@code user} holds.
 *
 * <p>A realm gets an entry in the map only when the user has at least one of those roles.
 * The {@code masterRealm} parameter is not read by this method.
 *
 * @param masterRealm not used in the body
 * @param user user whose roles are tested with {@code hasRole}
 * @param realmAdminAccess output map from realm name to granted admin role names; modified in place
 */
private void addMasterRealmAccess(RealmModel masterRealm, UserModel user, Map<String, Set<String>> realmAdminAccess) {
    for (RealmModel managedRealm : session.realms().getRealms()) {
        // NOTE(review): the result of getMasterAdminClient() is dereferenced without a null check;
        // confirm it cannot be null for any realm returned by getRealms().
        ClientModel adminClient = managedRealm.getMasterAdminClient();
        for (RoleModel adminRole : adminClient.getRoles()) {
            if (user.hasRole(adminRole)) {
                // Create the per-realm set on first use.
                if (!realmAdminAccess.containsKey(managedRealm.getName())) {
                    realmAdminAccess.put(managedRealm.getName(), new HashSet<String>());
                }
                realmAdminAccess.get(managedRealm.getName()).add(adminRole.getName());
            }
        }
    }
}
 
Example 8
Source File: ClientRolesPartialImport.java    From keycloak with Apache License 2.0
/**
 * Tells whether the client identified by {@code clientId} already has a role with the same name
 * as {@code roleRep}.
 *
 * <p>The comparison is an exact {@code equals} on the role name. The {@code session} parameter
 * is not read by this method.
 *
 * @param realm realm the client is looked up in
 * @param session not used in the body
 * @param clientId client id (not the internal id) of the client to inspect
 * @param roleRep role representation whose name is looked for
 * @return {@code true} if a role with that name exists on the client; {@code false} if not, or
 *     if the realm has no such client
 */
public boolean exists(RealmModel realm, KeycloakSession session, String clientId, RoleRepresentation roleRep) {
    ClientModel owner = realm.getClientByClientId(clientId);
    if (owner != null) {
        for (RoleModel candidate : owner.getRoles()) {
            if (getName(roleRep).equals(candidate.getName())) {
                return true;
            }
        }
    }
    // Either the client is unknown or none of its roles carries that name.
    return false;
}