Java Code Examples for org.keycloak.representations.idm.authorization.Permission#getScopes()

Example 1
Source File: PermissionTicketAwareDecisionResultCollector.java — from keycloak (Apache License 2.0)
@Override
protected void onGrant(Permission grantedPermission) {
    // Drop from the pending ticket whatever the granted permission already covers, so that
    // user-managed grants never produce redundant permission tickets.
    // NOTE(review): assumes Permission#getScopes() is never null on the ticket side — confirm
    // against the code that builds {@code ticket}.
    Set<String> grantedScopes = grantedPermission.getScopes();
    String grantedResourceId = grantedPermission.getResourceId();

    ticket.getPermissions().removeIf(pending -> {
        String pendingResourceId = pending.getResourceId();
        // A pending entry without a resource id is matched regardless of the granted resource.
        boolean sameResource = pendingResourceId == null || pendingResourceId.equals(grantedResourceId);
        if (!sameResource) {
            return false;
        }

        Set<String> pendingScopes = pending.getScopes();
        pendingScopes.removeIf(scope -> grantedScopes.contains(scope));
        // Nothing left to ask for on this resource: remove the whole pending permission.
        return pendingScopes.isEmpty();
    });
}
 
Example 2
Source File: AbstractResourceServerTest.java — from keycloak (Apache License 2.0)
protected void assertPermissions(Collection<Permission> permissions, String expectedResource, String... expectedScopes) {
    // Finds the permission for expectedResource (matched by name, case-insensitively, or by id),
    // asserts it carries exactly expectedScopes.length scopes and, when the scopes match, removes
    // it from the collection so callers can check that nothing unexpected remains afterwards.
    // NOTE(review): if no permission matches expectedResource the method passes silently; callers
    // presumably assert on the remaining collection — confirm.
    List<String> wanted = Arrays.asList(expectedScopes);

    for (Iterator<Permission> it = permissions.iterator(); it.hasNext(); ) {
        Permission candidate = it.next();
        boolean nameMatches = candidate.getResourceName().equalsIgnoreCase(expectedResource);

        if (!nameMatches && !candidate.getResourceId().equals(expectedResource)) {
            continue;
        }

        Set<String> actualScopes = candidate.getScopes();
        assertEquals(expectedScopes.length, actualScopes.size());

        if (actualScopes.containsAll(wanted)) {
            it.remove();
        }
    }
}
 
Example 3
Source File: GroupPermissions.java — from keycloak (Apache License 2.0)
private boolean hasPermission(Resource resource, EvaluationContext context, String... scopes) {
    // Evaluates the realm resource server's policies for the whole resource and reports whether
    // any granted scope is among the requested ones. The context-less evaluation is a separate
    // overload, hence the branch.
    ResourceServer server = root.realmResourceServer();
    ResourcePermission requested = new ResourcePermission(resource, resource.getScopes(), server);
    Collection<Permission> granted = context == null
            ? root.evaluatePermission(requested, server)
            : root.evaluatePermission(requested, server, context);

    List<String> wanted = Arrays.asList(scopes);

    // A single overlap between a granted scope and the requested ones is sufficient.
    return granted.stream()
            .flatMap(permission -> permission.getScopes().stream())
            .anyMatch(wanted::contains);
}
 
Example 4
Source File: AbstractPolicyEnforcer.java — from keycloak (Apache License 2.0)
private boolean hasResourceScopePermission(MethodConfig methodConfig, Permission permission) {
    // Decides whether the scopes carried by {@code permission} satisfy the scopes the method
    // configuration requires, according to the configured scope enforcement mode.
    List<String> requiredScopes = methodConfig.getScopes();
    Set<String> grantedScopes = permission.getScopes();

    // A granted permission with no scopes is treated as covering the resource as a whole, whatever
    // the method requires. NOTE(review): this relies on the authorization server only issuing
    // scope-less permissions for resource-wide grants — confirm against the server-side semantics.
    if (grantedScopes.isEmpty()) {
        return true;
    }

    PolicyEnforcerConfig.ScopeEnforcementMode mode = methodConfig.getScopesEnforcementMode();

    if (PolicyEnforcerConfig.ScopeEnforcementMode.ALL.equals(mode)) {
        // Every required scope must have been granted.
        return grantedScopes.containsAll(requiredScopes);
    }

    boolean anyMode = PolicyEnforcerConfig.ScopeEnforcementMode.ANY.equals(mode);
    if (anyMode && requiredScopes.stream().anyMatch(grantedScopes::contains)) {
        return true;
    }

    // ANY mode with no overlap, or any other mode: only a method that requires no scopes passes.
    return requiredScopes.isEmpty();
}
 
Example 5
Source File: UserPermissions.java — from keycloak (Apache License 2.0)
private boolean hasPermission(EvaluationContext context, String... scopes) {
    // Checks whether the realm's users management resource grants any of the requested scopes.
    ResourceServer server = root.realmResourceServer();

    if (server == null) {
        return false;
    }

    List<String> wanted = Arrays.asList(scopes);
    Resource usersResource = resourceStore.findByName(USERS_RESOURCE, server.getId());

    if (usersResource == null) {
        // No fine-grained resource exists: fall back to the grantIfNoPermission flag, and only when
        // the caller asks for both the manage and the view scope.
        return grantIfNoPermission
                && wanted.contains(MgmtPermissions.MANAGE_SCOPE)
                && wanted.contains(MgmtPermissions.VIEW_SCOPE);
    }

    ResourcePermission requested = new ResourcePermission(usersResource, usersResource.getScopes(), server);
    // The context-less evaluation is a separate overload, hence the branch.
    Collection<Permission> granted = context == null
            ? root.evaluatePermission(requested, server)
            : root.evaluatePermission(requested, server, context);

    // A single overlap between a granted scope and the requested ones is sufficient.
    return granted.stream()
            .flatMap(permission -> permission.getScopes().stream())
            .anyMatch(wanted::contains);
}
 
Example 6
Source File: HttpMethodAuthenticator.java — from keycloak (Apache License 2.0)
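public HttpMethod<R> uma(AuthorizationRequest request) {
    // Builds a UMA authorization request: either a permission ticket or an explicit list of
    // permissions is mandatory; the remaining fields are optional and passed through as parameters.
    String ticket = request.getTicket();
    PermissionTicketToken permissions = request.getPermissions();

    if (ticket == null && permissions == null) {
        throw new IllegalArgumentException("You must either provide a permission ticket or the permissions you want to request.");
    }

    uma();
    // NOTE(review): assumes method.param(...) tolerates null values for the optional fields — confirm.
    method.param("ticket", ticket);
    method.param("claim_token", request.getClaimToken());
    method.param("claim_token_format", request.getClaimTokenFormat());
    method.param("pct", request.getPct());
    method.param("rpt", request.getRptToken());
    method.param("scope", request.getScope());
    method.param("audience", request.getAudience());
    method.param("subject_token", request.getSubjectToken());

    if (permissions != null) {
        // One "permission" parameter per requested permission.
        for (Permission permission : permissions.getPermissions()) {
            method.params("permission", toPermissionParam(permission));
        }
    }

    Metadata metadata = request.getMetadata();

    if (metadata != null) {
        if (metadata.getIncludeResourceName() != null) {
            method.param("response_include_resource_name", metadata.getIncludeResourceName().toString());
        }

        if (metadata.getLimit() != null) {
            method.param("response_permissions_limit", metadata.getLimit().toString());
        }
    }

    return method;
}

/**
 * Encodes one requested permission as {@code <resource_id>#<scope1>,<scope2>}: the resource id
 * when present, followed — only when at least one scope is set — by {@code #} and the
 * comma-joined scopes.
 *
 * @param permission the permission to encode; its resource id and scopes may each be null
 * @return the encoded value, possibly empty when neither resource id nor scopes are set
 */
private static String toPermissionParam(Permission permission) {
    StringBuilder value = new StringBuilder();
    String resourceId = permission.getResourceId();

    if (resourceId != null) {
        value.append(resourceId);
    }

    Set<String> scopes = permission.getScopes();

    if (scopes != null && !scopes.isEmpty()) {
        // Join the scopes directly instead of deciding "is this the first scope?" by inspecting the
        // accumulated text for a trailing '#', which misfired on empty scope names or on scope
        // names ending in '#' and re-scanned the buffer on every iteration.
        value.append('#').append(String.join(",", scopes));
    }

    return value.toString();
}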