/**
 * Adds every given group path to this policy definition.
 *
 * Each path is forwarded to {@code addGroupPath(String, boolean)} with the flag set to
 * {@code false} (presumably the extend-children option, cf. {@code GroupDefinition#isExtendChildren()};
 * the two-argument overload is not visible here). An empty argument list is a no-op.
 *
 * @param paths group paths to add
 */
public void addGroupPath(String... paths) {
    int count = paths.length;
    for (int index = 0; index < count; index++) {
        addGroupPath(paths[index], false);
    }
}
/**
 * Builds the {@link GroupPolicyRepresentation} for a stored policy from its config map.
 *
 * The {@code groupsClaim} entry is copied verbatim; the group definitions are deserialized
 * by {@code getGroupsDefinition} (defined elsewhere in this class).
 *
 * @param policy        the stored policy whose config is read
 * @param authorization unused here; part of the provider contract
 * @return the populated representation
 * @throws RuntimeException wrapping the {@link IOException} raised when the stored group
 *                          definitions cannot be deserialized
 */
@Override
public GroupPolicyRepresentation toRepresentation(Policy policy, AuthorizationProvider authorization) {
    GroupPolicyRepresentation rep = new GroupPolicyRepresentation();
    try {
        rep.setGroups(getGroupsDefinition(policy.getConfig()));
    } catch (IOException cause) {
        throw new RuntimeException("Failed to deserialize groups", cause);
    }
    rep.setGroupsClaim(policy.getConfig().get("groupsClaim"));
    return rep;
}
/**
 * Adds every given group id to this policy definition.
 *
 * Each id is forwarded to {@code addGroup(String, boolean)} with the flag set to {@code false}
 * (presumably the extend-children option, cf. {@code GroupDefinition#isExtendChildren()}; the
 * two-argument overload is not visible here). An empty argument list is a no-op.
 *
 * @param ids group ids to add
 */
public void addGroup(String... ids) {
    int count = ids.length;
    for (int index = 0; index < count; index++) {
        addGroup(ids[index], false);
    }
}
/**
 * Applies an updated representation to an existing policy by delegating to
 * {@code updatePolicy} with the representation's groups claim and group definitions.
 *
 * @param policy         the policy being updated
 * @param representation the new settings
 * @param authorization  the provider passed through to {@code updatePolicy}
 */
@Override
public void onUpdate(Policy policy, GroupPolicyRepresentation representation, AuthorizationProvider authorization) {
    String groupsClaim = representation.getGroupsClaim();
    updatePolicy(policy, groupsClaim, representation.getGroups(), authorization);
}
/**
 * Creates a single-group policy for {@code group} and attaches it to {@code policy} as an
 * associated policy.
 *
 * The generated policy gets a random id as its name, lives in the same resource server as
 * {@code policy}, and is owned by {@code owner}.
 *
 * @param policy      the parent policy the new one is associated with
 * @param policyStore the store used to persist the new policy
 * @param group       the group path the new policy grants on
 * @param owner       owner assigned to the new policy
 */
private void createGroupPolicy(Policy policy, PolicyStore policyStore, String group, String owner) {
    GroupPolicyRepresentation groupRep = new GroupPolicyRepresentation();
    groupRep.setName(KeycloakModelUtils.generateId());
    groupRep.addGroupPath(group);
    Policy created = policyStore.create(groupRep, policy.getResourceServer());
    created.setOwner(owner);
    policy.addAssociatedPolicy(created);
}
GroupPolicyRepresentation rep = GroupPolicyRepresentation.class.cast(associatedRep); rep.setGroups(new HashSet<>()); rep.addGroupPath(group); if (rep.getGroups().isEmpty()) { policyStore.delete(associatedPolicy.getId()); } else {
GroupPolicyRepresentation rep = GroupPolicyRepresentation.class.cast(associatedRep); for (GroupDefinition definition : rep.getGroups()) { representation.addGroup(ModelToRepresentation.buildGroupPath(realm.getGroupById(definition.getId())));
/**
 * Initializes a newly created policy from its representation by delegating to
 * {@code updatePolicy} with the representation's groups claim and group definitions.
 *
 * @param policy         the policy just created
 * @param representation the settings to apply
 * @param authorization  the provider passed through to {@code updatePolicy}
 */
@Override
public void onCreate(Policy policy, GroupPolicyRepresentation representation, AuthorizationProvider authorization) {
    String groupsClaim = representation.getGroupsClaim();
    updatePolicy(policy, groupsClaim, representation.getGroups(), authorization);
}
/**
 * Exports the policy into a generic {@link PolicyRepresentation} config map.
 *
 * Group definitions are exported by path rather than by id (ids are realm-specific), so each
 * definition has its id cleared and its path rebuilt from the realm's group model. The
 * {@code groupsClaim} entry is written only when set; the definitions are written as a JSON
 * string under {@code groups}.
 *
 * @param policy         the policy to export
 * @param representation receives the resulting config map
 * @param authorization  used to resolve groups through the realm
 * @throws RuntimeException wrapping the {@link IOException} raised when the definitions
 *                          cannot be serialized
 */
@Override
public void onExport(Policy policy, PolicyRepresentation representation, AuthorizationProvider authorization) {
    GroupPolicyRepresentation groupPolicy = toRepresentation(policy, authorization);
    Set<GroupPolicyRepresentation.GroupDefinition> definitions = groupPolicy.getGroups();
    for (GroupPolicyRepresentation.GroupDefinition definition : definitions) {
        // NOTE(review): getGroupById may return null for a group removed after the policy was
        // created; how buildGroupPath handles null is not visible here — confirm.
        GroupModel group = authorization.getRealm().getGroupById(definition.getId());
        definition.setId(null);
        definition.setPath(ModelToRepresentation.buildGroupPath(group));
    }
    Map<String, String> config = new HashMap<>();
    String groupsClaim = groupPolicy.getGroupsClaim();
    if (groupsClaim != null) {
        config.put("groupsClaim", groupsClaim);
    }
    try {
        config.put("groups", JsonSerialization.writeValueAsString(definitions));
    } catch (IOException cause) {
        throw new RuntimeException("Failed to export group policy [" + policy.getName() + "]", cause);
    }
    representation.setConfig(config);
}
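/**
 * Grants the evaluation when the identity belongs to one of the policy's groups; otherwise
 * leaves the decision untouched (this method never calls {@code deny}).
 *
 * Group membership is taken from the identity attribute named by the policy's groups claim.
 * Only when that attribute is absent or empty does the method fall back to the realm's
 * group membership for the identity — a present claim is authoritative on its own.
 *
 * Each claim value is compared against every allowed group: a value containing {@code '/'}
 * is treated as a group path and must equal the allowed group's path, or — when the
 * definition extends to children — start with that path followed by {@code '/'} (a
 * segment boundary, so {@code /finance-team} is not a child of {@code /finance}). Any value
 * is additionally accepted on an exact match with the allowed group's bare name.
 *
 * Definitions whose group no longer exists in the realm are skipped rather than granting.
 *
 * @param evaluation the evaluation to decide; {@code grant()} is called on a match
 */
@Override
public void evaluate(Evaluation evaluation) {
    AuthorizationProvider authorizationProvider = evaluation.getAuthorizationProvider();
    GroupPolicyRepresentation policy = representationFunction.apply(evaluation.getPolicy(), authorizationProvider);
    RealmModel realm = authorizationProvider.getRealm();
    Attributes.Entry groupsClaim = evaluation.getContext().getIdentity().getAttributes().getValue(policy.getGroupsClaim());
    if (groupsClaim == null || groupsClaim.isEmpty()) {
        // No usable claim on the identity: fall back to the realm's view of the user's groups.
        List<String> userGroups = evaluation.getRealm().getUserGroups(evaluation.getContext().getIdentity().getId());
        groupsClaim = new Entry(policy.getGroupsClaim(), userGroups);
    }
    for (GroupPolicyRepresentation.GroupDefinition definition : policy.getGroups()) {
        GroupModel allowedGroup = realm.getGroupById(definition.getId());
        if (allowedGroup == null) {
            // The referenced group was removed from the realm; it cannot grant anything,
            // so skip it instead of dereferencing null below.
            continue;
        }
        String allowedGroupPath = buildGroupPath(allowedGroup);
        // Child matching must stop at a path-segment boundary; a bare prefix test would
        // also accept sibling groups that merely share a name prefix.
        String childPrefix = allowedGroupPath.endsWith("/") ? allowedGroupPath : allowedGroupPath + "/";
        for (int i = 0; i < groupsClaim.size(); i++) {
            String group = groupsClaim.asString(i);
            if (group == null) {
                continue;
            }
            if (group.indexOf('/') != -1) {
                if (group.equals(allowedGroupPath) || (definition.isExtendChildren() && group.startsWith(childPrefix))) {
                    evaluation.grant();
                    return;
                }
            }
            // in case the group from the claim does not represent a path, we just check an exact name match
            if (group.equals(allowedGroup.getName())) {
                evaluation.grant();
                return;
            }
        }
    }
}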