

[KEYCLOAK-7849] - Improvements to RPT upgrade
pedroigor committed Jul 18, 2018
1 parent 3440795 commit 8b6979a
Showing 11 changed files with 420 additions and 135 deletions.
Expand Up @@ -25,8 +25,8 @@
import org.keycloak.authorization.client.ClientAuthenticator; import org.keycloak.authorization.client.ClientAuthenticator;
import org.keycloak.representations.idm.authorization.AuthorizationRequest; import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.AuthorizationRequest.Metadata; import org.keycloak.representations.idm.authorization.AuthorizationRequest.Metadata;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionTicketToken; import org.keycloak.representations.idm.authorization.PermissionTicketToken;
import org.keycloak.representations.idm.authorization.PermissionTicketToken.ResourcePermission;


/** /**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a> * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
Expand Down Expand Up @@ -80,13 +80,13 @@ public HttpMethod<R> uma(AuthorizationRequest request) {
method.param("claim_token", request.getClaimToken()); method.param("claim_token", request.getClaimToken());
method.param("claim_token_format", request.getClaimTokenFormat()); method.param("claim_token_format", request.getClaimTokenFormat());
method.param("pct", request.getPct()); method.param("pct", request.getPct());
method.param("rpt", request.getRpt()); method.param("rpt", request.getRptToken());
method.param("scope", request.getScope()); method.param("scope", request.getScope());
method.param("audience", request.getAudience()); method.param("audience", request.getAudience());
method.param("subject_token", request.getSubjectToken()); method.param("subject_token", request.getSubjectToken());


if (permissions != null) { if (permissions != null) {
for (ResourcePermission permission : permissions.getResources()) { for (Permission permission : permissions.getPermissions()) {
String resourceId = permission.getResourceId(); String resourceId = permission.getResourceId();
Set<String> scopes = permission.getScopes(); Set<String> scopes = permission.getScopes();
StringBuilder value = new StringBuilder(); StringBuilder value = new StringBuilder();
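Review bot: `Set<String> scopes = permission.getScopes();` can now yield null, because the shared `Permission` class this hunk switches to has a no-arg constructor that passes null for scopes (see the `this(null, null, null, null)` line in the Permission section of this commit), and the loop appears to go on to iterate `scopes` below the hunk. The old nested `ResourcePermission` had the same weakness, but a guard is cheap now that this is the public representation type: `Set<String> scopes = permission.getScopes() == null ? Collections.<String>emptySet() : permission.getScopes();` (with `java.util.Collections` imported if it is not already). The enclosing `uma(AuthorizationRequest)` method starts and ends outside the hunk.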
Expand Up @@ -23,15 +23,14 @@
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;


import org.keycloak.representations.idm.authorization.PermissionTicketToken.ResourcePermission; import org.keycloak.representations.AccessToken;


/** /**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a> * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/ */
public class AuthorizationRequest { public class AuthorizationRequest {


private String ticket; private String ticket;
private String rpt;
private String claimToken; private String claimToken;
private String claimTokenFormat; private String claimTokenFormat;
private String pct; private String pct;
Expand All @@ -42,6 +41,8 @@ public class AuthorizationRequest {
private String subjectToken; private String subjectToken;
private boolean submitRequest; private boolean submitRequest;
private Map<String, List<String>> claims; private Map<String, List<String>> claims;
private AccessToken rpt;
private String rptToken;


public AuthorizationRequest(String ticket) { public AuthorizationRequest(String ticket) {
this.ticket = ticket; this.ticket = ticket;
Expand All @@ -59,14 +60,22 @@ public void setTicket(String ticket) {
this.ticket = ticket; this.ticket = ticket;
} }


public String getRpt() { public AccessToken getRpt() {
return this.rpt; return this.rpt;
} }


public void setRpt(String rpt) { public void setRpt(AccessToken rpt) {
this.rpt = rpt; this.rpt = rpt;
} }


public void setRpt(String rpt) {
this.rptToken = rpt;
}

public String getRptToken() {
return rptToken;
}

public void setClaimToken(String claimToken) { public void setClaimToken(String claimToken) {
this.claimToken = claimToken; this.claimToken = claimToken;
} }
Expand Down Expand Up @@ -145,21 +154,21 @@ public void addPermission(String resourceId, List<String> scopes) {


public void addPermission(String resourceId, String... scopes) { public void addPermission(String resourceId, String... scopes) {
if (permissions == null) { if (permissions == null) {
permissions = new PermissionTicketToken(new ArrayList<ResourcePermission>()); permissions = new PermissionTicketToken(new ArrayList<Permission>());
} }


ResourcePermission permission = null; Permission permission = null;


for (ResourcePermission resourcePermission : permissions.getResources()) { for (Permission resourcePermission : permissions.getPermissions()) {
if (resourcePermission.getResourceId() != null && resourcePermission.getResourceId().equals(resourceId)) { if (resourcePermission.getResourceId() != null && resourcePermission.getResourceId().equals(resourceId)) {
permission = resourcePermission; permission = resourcePermission;
break; break;
} }
} }


if (permission == null) { if (permission == null) {
permission = new ResourcePermission(resourceId, new HashSet<String>()); permission = new Permission(resourceId, new HashSet<String>());
permissions.getResources().add(permission); permissions.getPermissions().add(permission);
} }


permission.getScopes().addAll(Arrays.asList(scopes)); permission.getScopes().addAll(Arrays.asList(scopes));
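Review bot: The two overloads `setRpt(AccessToken rpt)` and `setRpt(String rpt)` write different fields (`rpt` and `rptToken`) while the getters are asymmetric (`getRpt()` returns the `AccessToken`, `getRptToken()` the raw string), so a request can carry a parsed token and a raw token that disagree, and only the string is what the client actually sends (`method.param("rpt", request.getRptToken())` in the first file of this commit). If this representation is bound by a bean mapper such as Jackson, overloaded setters with different parameter types are also commonly reported as conflicting setter definitions. I would rename the string setter to mirror its getter, `public void setRptToken(String rptToken) { this.rptToken = rptToken; }`, keeping `setRpt(String)` only as a deprecated delegate if existing callers need it, and add a class Javadoc stating which of the two fields the authorization endpoint consumes.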
Expand Up @@ -33,7 +33,7 @@ public class Permission {
private String resourceId; private String resourceId;


@JsonProperty("rsname") @JsonProperty("rsname")
private final String resourceName; private String resourceName;


@JsonInclude(JsonInclude.Include.NON_EMPTY) @JsonInclude(JsonInclude.Include.NON_EMPTY)
private Set<String> scopes; private Set<String> scopes;
Expand All @@ -45,17 +45,29 @@ public Permission() {
this(null, null, null, null); this(null, null, null, null);
} }


public Permission(final String resourceId, final Set<String> scopes) {
this(resourceId, null, scopes, null);
}

public Permission(final String resourceId, String resourceName, final Set<String> scopes, Map<String, Set<String>> claims) { public Permission(final String resourceId, String resourceName, final Set<String> scopes, Map<String, Set<String>> claims) {
this.resourceId = resourceId; this.resourceId = resourceId;
this.resourceName = resourceName; this.resourceName = resourceName;
this.scopes = scopes; this.scopes = scopes;
this.claims = claims; this.claims = claims;
} }


public void setResourceId(String resourceId) {
this.resourceId = resourceId;
}

public String getResourceId() { public String getResourceId() {
return this.resourceId; return this.resourceId;
} }


public void setResourceName(String resourceName) {
this.resourceName = resourceName;
}

public String getResourceName() { public String getResourceName() {
return this.resourceName; return this.resourceName;
} }
Expand All @@ -75,11 +87,29 @@ public Map<String, Set<String>> getClaims() {
@Override @Override
public boolean equals(Object o) { public boolean equals(Object o) {
if (this == o) return true; if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false; if (o == null || !getClass().isAssignableFrom(o.getClass())) return false;


Permission that = (Permission) o; Permission that = (Permission) o;


return getResourceId().equals(that.resourceId); if (getResourceId() != null || getResourceName() != null) {
if (!getResourceId().equals(that.resourceId)) {
return false;
}

if (getScopes().isEmpty() && that.getScopes().isEmpty()) {
return true;
}
} else if (that.resourceId != null) {
return false;
}

for (String scope : that.getScopes()) {
if (getScopes().contains(scope)) {
return true;
}
}

return false;
} }


@Override @Override
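Review bot: The new `equals` is no longer an equivalence relation: two permissions on the same resource are treated as equal when their scope sets merely intersect (the `for (String scope : that.getScopes())` loop), which is not transitive (`{a}` equals `{a,b}` and `{a,b}` equals `{b}`, yet `{a}` does not equal `{b}`), and `!getClass().isAssignableFrom(o.getClass())` makes it asymmetric for subclasses. Any hash-based collection or `List.contains`/`remove` that relies on `Permission` equality — including whatever `hashCode`, whose body lies after the hunk, is based on — can therefore match a narrower permission against a broader one, which is a risky property for a type that describes granted access. There are also two null paths introduced here: when `resourceId` is null but `resourceName` is set, `getResourceId().equals(that.resourceId)` throws, and the no-arg constructor above leaves `scopes` null so `getScopes().isEmpty()` throws. I would keep `equals`/`hashCode` as strict value equality over `resourceId` and `scopes` (with `hashCode` updated to `Objects.hash(resourceId, scopes)`) and move the overlap test into an explicitly named method for the RPT-upgrade merge logic to call; `java.util.Objects` and `java.util.Collections` would need importing.
```java
@Override
public boolean equals(Object o) {
    if (this == o) return true;
    if (o == null || getClass() != o.getClass()) return false;
    Permission that = (Permission) o;
    return Objects.equals(resourceId, that.resourceId)
            && Objects.equals(scopes == null ? Collections.emptySet() : scopes,
                              that.scopes == null ? Collections.emptySet() : that.scopes);
}

/**
 * Returns true when both permissions target the same resource and share at least one
 * scope, or both carry no scopes at all. This is the overlap test the rewritten
 * equals() in this commit encodes, kept out of equals() so the equals/hashCode contract holds.
 */
public boolean overlaps(Permission that) {
    if (that == null || !Objects.equals(resourceId, that.resourceId)) return false;
    Set<String> mine = scopes == null ? Collections.<String>emptySet() : scopes;
    Set<String> theirs = that.scopes == null ? Collections.<String>emptySet() : that.scopes;
    if (mine.isEmpty() && theirs.isEmpty()) return true;
    for (String scope : theirs) {
        if (mine.contains(scope)) return true;
    }
    return false;
}
```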
Expand Up @@ -33,16 +33,16 @@
*/ */
public class PermissionTicketToken extends JsonWebToken { public class PermissionTicketToken extends JsonWebToken {


private final List<ResourcePermission> resources; private final List<Permission> permissions;


@JsonDeserialize(using = StringListMapDeserializer.class) @JsonDeserialize(using = StringListMapDeserializer.class)
private Map<String, List<String>> claims; private Map<String, List<String>> claims;


public PermissionTicketToken() { public PermissionTicketToken() {
this(new ArrayList<ResourcePermission>()); this(new ArrayList<Permission>());
} }


public PermissionTicketToken(List<ResourcePermission> resources, String audience, AccessToken accessToken) { public PermissionTicketToken(List<Permission> permissions, String audience, AccessToken accessToken) {
if (accessToken != null) { if (accessToken != null) {
id(TokenIdGenerator.generateId()); id(TokenIdGenerator.generateId());
subject(accessToken.getSubject()); subject(accessToken.getSubject());
Expand All @@ -54,15 +54,15 @@ public PermissionTicketToken(List<ResourcePermission> resources, String audience
if (audience != null) { if (audience != null) {
audience(audience); audience(audience);
} }
this.resources = resources; this.permissions = permissions;
} }


public PermissionTicketToken(List<ResourcePermission> resources) { public PermissionTicketToken(List<Permission> resources) {
this(resources, null, null); this(resources, null, null);
} }


public List<ResourcePermission> getResources() { public List<Permission> getPermissions() {
return this.resources; return this.permissions;
} }


public Map<String, List<String>> getClaims() { public Map<String, List<String>> getClaims() {
Expand All @@ -72,29 +72,4 @@ public Map<String, List<String>> getClaims() {
public void setClaims(Map<String, List<String>> claims) { public void setClaims(Map<String, List<String>> claims) {
this.claims = claims; this.claims = claims;
} }

public static class ResourcePermission {

@JsonProperty("id")
private String resourceId;

@JsonProperty("scopes")
private Set<String> scopes;

public ResourcePermission() {
}

public ResourcePermission(String resourceId, Set<String> scopes) {
this.resourceId = resourceId;
this.scopes = scopes;
}

public String getResourceId() {
return resourceId;
}

public Set<String> getScopes() {
return scopes;
}
}
} }
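Review bot: Renaming the field `resources` to `permissions` and the accessor to `getPermissions()` changes the claim name inside the serialized permission ticket from `resources` to `permissions` if, as the `@JsonDeserialize` annotation on `claims` suggests, this token is mapped by Jackson by property name; nothing in the hunk pins the wire name, so a ticket issued before this change, or by a client still on the old representation, would deserialize with an empty permission list rather than fail loudly. I would pin it explicitly, `@JsonProperty("permissions") private final List<Permission> permissions;`, and either accept the legacy name with `@JsonAlias("resources")` where interoperability with older tickets is required, or state the format break in the commit message. The constructor `PermissionTicketToken(List<Permission> resources)` also keeps the old parameter name; rename it to `permissions` for consistency with the field and the three-argument constructor.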
Expand Up @@ -31,11 +31,11 @@
import org.keycloak.authorization.model.ResourceServer; import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope; import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission; import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.policy.evaluation.Result.PolicyResult;
import org.keycloak.authorization.store.ResourceStore; import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore; import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory; import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.representations.idm.authorization.AuthorizationRequest; import org.keycloak.representations.idm.authorization.AuthorizationRequest;
import org.keycloak.representations.idm.authorization.Permission;
import org.keycloak.representations.idm.authorization.PermissionTicketToken; import org.keycloak.representations.idm.authorization.PermissionTicketToken;


/** /**
Expand Down Expand Up @@ -75,12 +75,12 @@ private void removePermissionsIfGranted(DefaultEvaluation evaluation) {


if ("uma".equals(policy.getType())) { if ("uma".equals(policy.getType())) {
ResourcePermission grantedPermission = evaluation.getPermission(); ResourcePermission grantedPermission = evaluation.getPermission();
List<PermissionTicketToken.ResourcePermission> permissions = ticket.getResources(); List<Permission> permissions = ticket.getPermissions();


Iterator<PermissionTicketToken.ResourcePermission> itPermissions = permissions.iterator(); Iterator<Permission> itPermissions = permissions.iterator();


while (itPermissions.hasNext()) { while (itPermissions.hasNext()) {
PermissionTicketToken.ResourcePermission permission = itPermissions.next(); Permission permission = itPermissions.next();


if (permission.getResourceId().equals(grantedPermission.getResource().getId())) { if (permission.getResourceId().equals(grantedPermission.getResource().getId())) {
Set<String> scopes = permission.getScopes(); Set<String> scopes = permission.getScopes();
Expand Down Expand Up @@ -109,10 +109,10 @@ public void onComplete() {
if (request.isSubmitRequest()) { if (request.isSubmitRequest()) {
StoreFactory storeFactory = authorization.getStoreFactory(); StoreFactory storeFactory = authorization.getStoreFactory();
ResourceStore resourceStore = storeFactory.getResourceStore(); ResourceStore resourceStore = storeFactory.getResourceStore();
List<PermissionTicketToken.ResourcePermission> permissions = ticket.getResources(); List<Permission> permissions = ticket.getPermissions();


if (permissions != null) { if (permissions != null) {
for (PermissionTicketToken.ResourcePermission permission : permissions) { for (Permission permission : permissions) {
Resource resource = resourceStore.findById(permission.getResourceId(), resourceServer.getId()); Resource resource = resourceStore.findById(permission.getResourceId(), resourceServer.getId());


if (resource == null) { if (resource == null) {
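Review bot: `permission.getResourceId().equals(grantedPermission.getResource().getId())` in the first hunk dereferences the ticket-supplied resource id, and now that `Permission` is a deserializable representation with a no-arg constructor (added in this commit), a ticket entry without an id would throw a NullPointerException in the middle of removing granted permissions instead of being skipped. Flipping the comparison to the server-side value, `if (grantedPermission.getResource().getId().equals(permission.getResourceId())) {`, or using `Objects.equals`, avoids that; the second hunk already tolerates a missing store result via its `resource == null` check, so only the first needs the change. Both enclosing methods, `removePermissionsIfGranted` and `onComplete`, extend beyond their hunks.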

