public CachedPolicy(Long revision, Policy policy) { super(revision, policy.getId()); this.type = policy.getType(); this.decisionStrategy = policy.getDecisionStrategy(); this.logic = policy.getLogic(); this.name = policy.getName(); this.description = policy.getDescription(); this.resourceServerId = policy.getResourceServer().getId(); if (policy.isFetched("associatedPolicies")) { Set<String> data = policy.getAssociatedPolicies().stream().map(Policy::getId).collect(Collectors.toSet()); this.associatedPoliciesIds = source -> data; } else { this.associatedPoliciesIds = new DefaultLazyLoader<>(source -> source.getAssociatedPolicies().stream().map(Policy::getId).collect(Collectors.toSet()), Collections::emptySet); if (policy.isFetched("resources")) { Set<String> data = policy.getResources().stream().map(Resource::getId).collect(Collectors.toSet()); this.resourcesIds = source -> data; } else { this.resourcesIds = new DefaultLazyLoader<>(source -> source.getResources().stream().map(Resource::getId).collect(Collectors.toSet()), Collections::emptySet); if (policy.isFetched("scopes")) { Set<String> data = policy.getScopes().stream().map(Scope::getId).collect(Collectors.toSet()); this.scopesIds = source -> data; } else { this.scopesIds = new DefaultLazyLoader<>(source -> source.getScopes().stream().map(Scope::getId).collect(Collectors.toSet()), Collections::emptySet); if (policy.isFetched("config")) { Map<String, String> data = new HashMap<>(policy.getConfig()); this.config = source -> data;
private void createUserPolicy(Policy policy, PolicyStore policyStore, String user, String owner) { UserPolicyRepresentation rep = new UserPolicyRepresentation(); rep.setName(KeycloakModelUtils.generateId()); rep.addUser(user); Policy associatedPolicy = policyStore.create(rep, policy.getResourceServer()); associatedPolicy.setOwner(owner); policy.addAssociatedPolicy(associatedPolicy); } }
private void verifyCircularReference(Policy policy, List<String> ids) { if (!policy.getType().equals("aggregate")) { return; } if (ids.contains(policy.getId())) { throw new RuntimeException("Circular reference found [" + policy.getName() + "]."); } ids.add(policy.getId()); for (Policy associated : policy.getAssociatedPolicies()) { verifyCircularReference(associated, ids); } }
private ScriptModel getScriptModel(final Policy policy, final RealmModel realm, final ScriptingProvider scripting) { String scriptName = policy.getName(); String scriptCode = policy.getConfig().get("code"); String scriptDescription = policy.getDescription(); //TODO lookup script by scriptId instead of creating it every time return scripting.createScript(realm.getId(), ScriptModel.TEXT_JAVASCRIPT, scriptName, scriptCode, scriptDescription); }
void remove(Policy policy) { DroolsPolicy holder = this.containers.remove(policy.getId()); if (holder != null) { holder.dispose(); } }
private void updateResourceServer(ClientModel clientModel, RoleModel removedRole, ResourceServerStore resourceServerStore, PolicyStore policyStore) { ResourceServer resourceServer = resourceServerStore.findById(clientModel.getId()); if (resourceServer != null) { policyStore.findByType(getId(), resourceServer.getId()).forEach(policy -> { List<Map> roles = new ArrayList<>(); for (Map<String,Object> role : getRoles(policy)) { if (!role.get("id").equals(removedRole.getId())) { Map updated = new HashMap(); updated.put("id", role.get("id")); Object required = role.get("required"); if (required != null) { updated.put("required", required); } roles.add(updated); } } try { if (roles.isEmpty()) { policyStore.delete(policy.getId()); } else { policy.putConfig("roles", JsonSerialization.writeValueAsString(roles)); } } catch (IOException e) { throw new RuntimeException("Error while synchronizing roles with policy [" + policy.getName() + "].", e); } }); } }
@Override public void delete(String id) { if (id == null) return; Policy policy = findById(id, null); if (policy == null) return; cache.invalidateObject(id); Set<String> resources = policy.getResources().stream().map(resource -> resource.getId()).collect(Collectors.toSet()); ResourceServer resourceServer = policy.getResourceServer(); Set<String> resourceTypes = getResourceTypes(resources, resourceServer.getId()); String defaultResourceType = policy.getConfig().get("defaultResourceType"); if (Objects.nonNull(defaultResourceType)) { resourceTypes.add(defaultResourceType); } Set<String> scopes = policy.getScopes().stream().map(scope -> scope.getId()).collect(Collectors.toSet()); invalidationEvents.add(PolicyRemovedEvent.create(id, policy.getName(), resources, resourceTypes, scopes, resourceServer.getId())); cache.policyRemoval(id, policy.getName(), resources, resourceTypes, scopes, resourceServer.getId(), invalidations); getPolicyStoreDelegate().delete(id); }
@Override public void onUpdate(Policy policy, UmaPermissionRepresentation representation, AuthorizationProvider authorization) { PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore(); Set<Policy> associatedPolicies = policy.getAssociatedPolicies(); policyStore.delete(associatedPolicy.getId()); } else { RepresentationToModel.toModel(rep, authorization, associatedPolicy); RepresentationToModel.toModel(rep, authorization, associatedPolicy); } else { policyStore.delete(associatedPolicy.getId()); policyStore.delete(associatedPolicy.getId()); } else { RepresentationToModel.toModel(rep, authorization, associatedPolicy); policyStore.delete(associatedPolicy.getId()); } else { RepresentationToModel.toModel(rep, authorization, associatedPolicy); policyStore.delete(associatedPolicy.getId()); } else { RepresentationToModel.toModel(rep, authorization, associatedPolicy); if ("role".equals(associatedPolicy.getType())) { createPolicy = false; createRolePolicy(policy, policyStore, role, policy.getOwner());
private Map<String, Object>[] getRoles(Policy policy) { String roles = policy.getConfig().get("roles"); if (roles != null) { try { return JsonSerialization.readValue(roles.getBytes(), Map[].class); } catch (IOException e) { throw new RuntimeException("Could not parse roles [" + roles + "] from policy config [" + policy.getName() + ".", e); } } return new Map[] {}; } }
@Override public RulePolicyRepresentation toRepresentation(Policy policy, AuthorizationProvider authorization) { RulePolicyRepresentation representation = new RulePolicyRepresentation(); representation.setArtifactGroupId(policy.getConfig().get("mavenArtifactGroupId")); representation.setArtifactId(policy.getConfig().get("mavenArtifactId")); representation.setArtifactVersion(policy.getConfig().get("mavenArtifactVersion")); representation.setScannerPeriod(policy.getConfig().get("scannerPeriod")); representation.setScannerPeriodUnit(policy.getConfig().get("scannerPeriodUnit")); representation.setSessionName(policy.getConfig().get("sessionName")); representation.setModuleName(policy.getConfig().get("moduleName")); return representation; }
@Override public void onRemove(Policy policy, AuthorizationProvider authorization) { PolicyStore policyStore = authorization.getStoreFactory().getPolicyStore(); for (Policy associatedPolicy : policy.getAssociatedPolicies()) { policyStore.delete(associatedPolicy.getId()); } }
private void updateResourceType(Policy policy, ResourcePermissionRepresentation representation) { if (representation != null) { //TODO: remove this check once we migrate to new API if (ResourcePermissionRepresentation.class.equals(representation.getClass())) { ResourcePermissionRepresentation resourcePermission = ResourcePermissionRepresentation.class.cast(representation); Map<String, String> config = new HashMap(policy.getConfig()); config.compute("defaultResourceType", (key, value) -> { String resourceType = resourcePermission.getResourceType(); return resourceType != null ? resourcePermission.getResourceType() : null; }); policy.setConfig(config); } } }
private void updateClients(Policy policy, Set<String> clients, AuthorizationProvider authorization) { RealmModel realm = authorization.getRealm(); if (clients == null || clients.isEmpty()) { throw new RuntimeException("No client provided."); } Set<String> updatedClients = new HashSet<>(); for (String id : clients) { ClientModel client = realm.getClientByClientId(id); if (client == null) { client = realm.getClientById(id); } if (client == null) { throw new RuntimeException("Error while updating policy [" + policy.getName() + "]. Client [" + id + "] could not be found."); } updatedClients.add(client.getId()); } try { policy.putConfig("clients", JsonSerialization.writeValueAsString(updatedClients)); } catch (IOException cause) { throw new RuntimeException("Failed to serialize clients", cause); } }
UmaPermissionRepresentation representation = new UmaPermissionRepresentation(); representation.setScopes(policy.getScopes().stream().map(Scope::getName).collect(Collectors.toSet())); representation.setOwner(policy.getOwner()); for (Policy associatedPolicy : policy.getAssociatedPolicies()) { AbstractPolicyRepresentation associatedRep = ModelToRepresentation.toRepresentation(associatedPolicy, authorization, false, false); RealmModel realm = authorization.getRealm(); representation.addClient(realm.getClientById(client).getClientId()); } else if ("user".equals(associatedPolicy.getType())) { UserPolicyRepresentation rep = UserPolicyRepresentation.class.cast(associatedRep);
@Override public void evaluate(Evaluation evaluation) { AuthorizationProvider authorization = evaluation.getAuthorizationProvider(); DefaultEvaluation defaultEvaluation = DefaultEvaluation.class.cast(evaluation); Map<Policy, Map<Object, Decision.Effect>> decisionCache = defaultEvaluation.getDecisionCache(); Policy policy = evaluation.getPolicy(); ResourcePermission permission = evaluation.getPermission(); policy.getAssociatedPolicies().forEach(associatedPolicy -> { Map<Object, Decision.Effect> decisions = decisionCache.computeIfAbsent(associatedPolicy, p -> new HashMap<>()); Decision.Effect effect = decisions.get(permission); defaultEvaluation.setPolicy(associatedPolicy); if (effect == null) { PolicyProvider policyProvider = authorization.getProvider(associatedPolicy.getType()); policyProvider.evaluate(defaultEvaluation); evaluation.denyIfNoEffect(); decisions.put(permission, defaultEvaluation.getEffect()); } else { defaultEvaluation.setEffect(effect); } }); }
@Override public String getName() { if (isUpdated()) return updated.getName(); return cached.getName(); }
private void updateConfig(Policy policy, RulePolicyRepresentation representation) { policy.putConfig("mavenArtifactGroupId", representation.getArtifactGroupId()); policy.putConfig("mavenArtifactId", representation.getArtifactId()); policy.putConfig("mavenArtifactVersion", representation.getArtifactVersion()); policy.putConfig("scannerPeriod", representation.getScannerPeriod()); policy.putConfig("scannerPeriodUnit", representation.getScannerPeriodUnit()); policy.putConfig("sessionName", representation.getSessionName()); policy.putConfig("moduleName", representation.getModuleName()); }
@Override public void addAssociatedPolicy(Policy associatedPolicy) { getDelegateForUpdate(); updated.addAssociatedPolicy(associatedPolicy); }
@Override public String getDescription() { if (isUpdated()) return updated.getDescription(); return cached.getDescription(); }