Authorization services refactoring

Closes: #10447 * Prepare logical layer to distinguish between ResourceServer id and client.id * Reorder Authz methods: For entities outside of Authz we use RealmModel as first parameter for each method, to be consistent with this we move ResourceServer to the first place for each method in authz * Prepare Logical (Models/Adapters) layer for returning other models instead of ids * Replace resourceServerId with resourceServer model in PermissionTicketStore * Replace resourceServerId with resourceServer model in PolicyStore * Replace resourceServerId with resourceServer model in ScopeStore * Replace resourceServerId with resourceServer model in ResourceStore * Fix PermissionTicketStore bug * Fix NPEs in caching layer * Replace primitive int with Integer for pagination parameters
keycloak · Mar 22, 2022 · 99c06d1 · 99c06d1
1 parent c0255cb
commit 99c06d1
Show file tree

Hide file tree

Showing 79 changed files with 1,254 additions and 1,136 deletions.
diff --git a/...n/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java b/...n/java/org/keycloak/authorization/policy/provider/client/ClientPolicyProviderFactory.java
@@ -112,7 +112,7 @@ public void postInit(KeycloakSessionFactory factory) {
                 ResourceServer resourceServer = resourceServerStore.findByClient(removedClient);
 
                 if (resourceServer != null) {
-                    policyStore.findByType(getId(), resourceServer.getId()).forEach(policy -> {
+                    policyStore.findByType(resourceServer, getId()).forEach(policy -> {
                         List<String> clients = new ArrayList<>();
 
                         for (String clientId : getClients(policy)) {

diff --git a/.../keycloak/authorization/policy/provider/clientscope/ClientScopePolicyProviderFactory.java b/.../keycloak/authorization/policy/provider/clientscope/ClientScopePolicyProviderFactory.java
@@ -74,7 +74,7 @@ public void postInit(KeycloakSessionFactory factory) {
 
                 filters.put(Policy.FilterOption.TYPE, new String[] { getId() });
 
-                policyStore.findByResourceServer(filters, null, -1, -1).forEach(new Consumer<Policy>() {
+                policyStore.findByResourceServer(null, filters, null, null).forEach(new Consumer<Policy>() {
 
                     @Override
                     public void accept(Policy policy) {

diff --git a/.../java/org/keycloak/authorization/policy/provider/permission/UMAPolicyProviderFactory.java b/.../java/org/keycloak/authorization/policy/provider/permission/UMAPolicyProviderFactory.java
@@ -28,7 +28,6 @@
 import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
 import org.keycloak.authorization.store.PolicyStore;
 import org.keycloak.models.ClientModel;
-import org.keycloak.models.GroupModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.RealmModel;
@@ -397,7 +396,7 @@ private void createJSPolicy(Policy policy, PolicyStore policyStore, String condi
         rep.setName(KeycloakModelUtils.generateId());
         rep.setCode(condition);
 
-        Policy associatedPolicy = policyStore.create(rep, policy.getResourceServer());
+        Policy associatedPolicy = policyStore.create(policy.getResourceServer(), rep);
 
         associatedPolicy.setOwner(owner);
 
@@ -410,7 +409,7 @@ private void createClientPolicy(Policy policy, PolicyStore policyStore, String c
         rep.setName(KeycloakModelUtils.generateId());
         rep.addClient(client);
 
-        Policy associatedPolicy = policyStore.create(rep, policy.getResourceServer());
+        Policy associatedPolicy = policyStore.create(policy.getResourceServer(), rep);
 
         associatedPolicy.setOwner(owner);
 
@@ -423,7 +422,7 @@ private void createGroupPolicy(Policy policy, PolicyStore policyStore, String gr
         rep.setName(KeycloakModelUtils.generateId());
         rep.addGroupPath(group);
 
-        Policy associatedPolicy = policyStore.create(rep, policy.getResourceServer());
+        Policy associatedPolicy = policyStore.create(policy.getResourceServer(), rep);
 
         associatedPolicy.setOwner(owner);
 
@@ -436,7 +435,7 @@ private void createRolePolicy(Policy policy, PolicyStore policyStore, String rol
         rep.setName(KeycloakModelUtils.generateId());
         rep.addRole(role, false);
 
-        Policy associatedPolicy = policyStore.create(rep, policy.getResourceServer());
+        Policy associatedPolicy = policyStore.create(policy.getResourceServer(), rep);
 
         associatedPolicy.setOwner(owner);
 
@@ -449,7 +448,7 @@ private void createUserPolicy(Policy policy, PolicyStore policyStore, String use
         rep.setName(KeycloakModelUtils.generateId());
         rep.addUser(user);
 
-        Policy associatedPolicy = policyStore.create(rep, policy.getResourceServer());
+        Policy associatedPolicy = policyStore.create(policy.getResourceServer(), rep);
 
         associatedPolicy.setOwner(owner);
 

diff --git a/.../main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java b/.../main/java/org/keycloak/authorization/policy/provider/role/RolePolicyProviderFactory.java
@@ -223,7 +223,7 @@ private void updateResourceServer(ClientModel clientModel, RoleModel removedRole
         ResourceServer resourceServer = resourceServerStore.findByClient(clientModel);
 
         if (resourceServer != null) {
-            policyStore.findByType(getId(), resourceServer.getId()).forEach(policy -> {
+            policyStore.findByType(resourceServer, getId()).forEach(policy -> {
                 List<Map> roles = new ArrayList<>();
 
                 for (Map<String,Object> role : getRoles(policy)) {

diff --git a/...main/java/org/keycloak/models/cache/infinispan/authorization/PermissionTicketAdapter.java b/...main/java/org/keycloak/models/cache/infinispan/authorization/PermissionTicketAdapter.java
@@ -42,7 +42,8 @@ public PermissionTicketAdapter(CachedPermissionTicket cached, StoreFactoryCacheS
     @Override
     public PermissionTicket getDelegateForUpdate() {
         if (updated == null) {
-            updated = cacheSession.getPermissionTicketStoreDelegate().findById(cached.getId(), cached.getResourceServerId());
+            ResourceServer resourceServer = cacheSession.getResourceServerStoreDelegate().findById(cached.getResourceServerId());
+            updated = cacheSession.getPermissionTicketStoreDelegate().findById(resourceServer, cached.getId());
             if (updated == null) throw new IllegalStateException("Not found in database");
             cacheSession.registerPermissionTicketInvalidation(cached.getId(), cached.getOwner(), cached.getRequester(), cached.getResourceId(), updated.getResource().getName(), cached.getScopeId(), cached.getResourceServerId());
         }
@@ -69,7 +70,8 @@ public long getCacheTimestamp() {
     protected boolean isUpdated() {
         if (updated != null) return true;
         if (!invalidated) return false;
-        updated = cacheSession.getPermissionTicketStoreDelegate().findById(cached.getId(), cached.getResourceServerId());
+        ResourceServer resourceServer = cacheSession.getResourceServerStoreDelegate().findById(cached.getResourceServerId());
+        updated = cacheSession.getPermissionTicketStoreDelegate().findById(resourceServer, cached.getId());
         if (updated == null) throw new IllegalStateException("Not found in database");
         return true;
     }
@@ -126,7 +128,7 @@ public ResourceServer getResourceServer() {
     @Override
     public Policy getPolicy() {
         if (isUpdated()) return updated.getPolicy();
-        return cacheSession.getPolicyStore().findById(cached.getPolicy(), cached.getResourceServerId());
+        return cacheSession.getPolicyStore().findById(cacheSession.getResourceServerStore().findById(cached.getResourceServerId()), cached.getPolicy());
     }
 
     @Override
@@ -138,12 +140,12 @@ public void setPolicy(Policy policy) {
 
     @Override
     public Resource getResource() {
-        return cacheSession.getResourceStore().findById(cached.getResourceId(), getResourceServer().getId());
+        return cacheSession.getResourceStore().findById(getResourceServer(), cached.getResourceId());
     }
 
     @Override
     public Scope getScope() {
-        return cacheSession.getScopeStore().findById(cached.getScopeId(), getResourceServer().getId());
+        return cacheSession.getScopeStore().findById(getResourceServer(), cached.getScopeId());
     }
 
     @Override

diff --git a/...ispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/PolicyAdapter.java b/...ispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/PolicyAdapter.java
@@ -85,7 +85,7 @@ public long getCacheTimestamp() {
     protected boolean isUpdated() {
         if (updated != null) return true;
         if (!invalidated) return false;
-        updated = cacheSession.getPolicyStoreDelegate().findById(cached.getId(), cached.getResourceServerId());
+        updated = cacheSession.getPolicyStoreDelegate().findById(cacheSession.getResourceServerStore().findById(cached.getResourceServerId()), cached.getId());
         if (updated == null) throw new IllegalStateException("Not found in database");
         return true;
     }
@@ -208,7 +208,7 @@ public Set<Policy> getAssociatedPolicies() {
         PolicyStore policyStore = cacheSession.getPolicyStore();
         String resourceServerId = cached.getResourceServerId();
         for (String id : cached.getAssociatedPoliciesIds(modelSupplier)) {
-            Policy policy = policyStore.findById(id, resourceServerId);
+            Policy policy = policyStore.findById(cacheSession.getResourceServerStore().findById(resourceServerId), id);
             cacheSession.cachePolicy(policy);
             associatedPolicies.add(policy);
         }
@@ -223,9 +223,9 @@ public Set<Resource> getResources() {
         if (resources != null) return resources;
         resources = new HashSet<>();
         ResourceStore resourceStore = cacheSession.getResourceStore();
+        ResourceServer resourceServer = getResourceServer();
         for (String resourceId : cached.getResourcesIds(modelSupplier)) {
-            String resourceServerId = cached.getResourceServerId();
-            Resource resource = resourceStore.findById(resourceId, resourceServerId);
+            Resource resource = resourceStore.findById(resourceServer, resourceId);
             cacheSession.cacheResource(resource);
             resources.add(resource);
         }
@@ -287,10 +287,10 @@ public Set<Scope> getScopes() {
         if (isUpdated()) return updated.getScopes();
         if (scopes != null) return scopes;
         scopes = new HashSet<>();
+        ResourceServer resourceServer = getResourceServer();
         ScopeStore scopeStore = cacheSession.getScopeStore();
-        String resourceServerId = cached.getResourceServerId();
         for (String scopeId : cached.getScopesIds(modelSupplier)) {
-            Scope scope = scopeStore.findById(scopeId, resourceServerId);
+            Scope scope = scopeStore.findById(resourceServer, scopeId);
             cacheSession.cacheScope(scope);
             scopes.add(scope);
         }
@@ -325,6 +325,6 @@ public int hashCode() {
     }
 
     private Policy getPolicyModel() {
-        return cacheSession.getPolicyStoreDelegate().findById(cached.getId(), cached.getResourceServerId());
+        return cacheSession.getPolicyStoreDelegate().findById(cacheSession.getResourceServerStore().findById(cached.getResourceServerId()), cached.getId());
     }
 }
diff --git a/...pan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceAdapter.java b/...pan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ResourceAdapter.java
@@ -81,7 +81,7 @@ public long getCacheTimestamp() {
     protected boolean isUpdated() {
         if (updated != null) return true;
         if (!invalidated) return false;
-        updated = cacheSession.getResourceStoreDelegate().findById(cached.getId(), cached.getResourceServerId());
+        updated = cacheSession.getResourceStoreDelegate().findById(getResourceServer(), cached.getId());
         if (updated == null) throw new IllegalStateException("Not found in database");
         return true;
     }
@@ -133,9 +133,8 @@ public void setIconUri(String iconUri) {
     }
 
     @Override
-    public String getResourceServer() {
-        if (isUpdated()) return updated.getResourceServer();
-        return cached.getResourceServerId();
+    public ResourceServer getResourceServer() {
+        return cacheSession.getResourceServerStoreDelegate().findById(cached.getResourceServerId());
     }
 
     @Override
@@ -173,7 +172,7 @@ public List<Scope> getScopes() {
         if (scopes != null) return scopes;
         scopes = new LinkedList<>();
         for (String scopeId : cached.getScopesIds(modelSupplier)) {
-            scopes.add(cacheSession.getScopeStore().findById(scopeId, cached.getResourceServerId()));
+            scopes.add(cacheSession.getScopeStore().findById(getResourceServer(), scopeId));
         }
         return scopes = Collections.unmodifiableList(scopes);
     }
@@ -204,7 +203,7 @@ public void updateScopes(Set<Scope> scopes) {
         for (Scope scope : updated.getScopes()) {
             if (!scopes.contains(scope)) {
                 PermissionTicketStore permissionStore = cacheSession.getPermissionTicketStore();
-                List<PermissionTicket> permissions = permissionStore.findByScope(scope.getId(), getResourceServer());
+                List<PermissionTicket> permissions = permissionStore.findByScope(getResourceServer(), scope);
 
                 for (PermissionTicket permission : permissions) {
                     permissionStore.delete(permission.getId());
@@ -216,7 +215,7 @@ public void updateScopes(Set<Scope> scopes) {
 
         for (Scope scope : updated.getScopes()) {
             if (!scopes.contains(scope)) {
-                policyStore.findByResource(getId(), getResourceServer(), policy -> policy.removeScope(scope));
+                policyStore.findByResource(getResourceServer(), this, policy -> policy.removeScope(scope));
             }
         }
 
@@ -283,6 +282,6 @@ public int hashCode() {
     }
 
     private Resource getResourceModel() {
-        return cacheSession.getResourceStoreDelegate().findById(cached.getId(), cached.getResourceServerId());
+        return cacheSession.getResourceStoreDelegate().findById(getResourceServer(), cached.getId());
     }
 }
diff --git a/...nispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ScopeAdapter.java b/...nispan/src/main/java/org/keycloak/models/cache/infinispan/authorization/ScopeAdapter.java
@@ -39,7 +39,7 @@ public ScopeAdapter(CachedScope cached, StoreFactoryCacheSession cacheSession) {
     public Scope getDelegateForUpdate() {
         if (updated == null) {
             cacheSession.registerScopeInvalidation(cached.getId(), cached.getName(), cached.getResourceServerId());
-            updated = cacheSession.getScopeStoreDelegate().findById(cached.getId(), cached.getResourceServerId());
+            updated = cacheSession.getScopeStoreDelegate().findById(getResourceServer(), cached.getId());
             if (updated == null) throw new IllegalStateException("Not found in database");
         }
         return updated;
@@ -66,7 +66,7 @@ public long getCacheTimestamp() {
     protected boolean isUpdated() {
         if (updated != null) return true;
         if (!invalidated) return false;
-        updated = cacheSession.getScopeStoreDelegate().findById(cached.getId(), cached.getResourceServerId());
+        updated = cacheSession.getScopeStoreDelegate().findById(getResourceServer(), cached.getId());
         if (updated == null) throw new IllegalStateException("Not found in database");
         return true;
     }