AuthorizationProvider.java
/*
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.authorization;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.evaluator.Evaluators;
import org.keycloak.authorization.policy.evaluation.PolicyEvaluator;
import org.keycloak.authorization.policy.provider.PolicyProvider;
import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
import org.keycloak.authorization.store.PermissionTicketStore;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.ResourceServerStore;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.store.ScopeStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.cache.authorization.CachedStoreFactoryProvider;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.provider.Provider;
import org.keycloak.representations.idm.authorization.AbstractPolicyRepresentation;
/**
* <p>The main contract here is the creation of {@link org.keycloak.authorization.permission.evaluator.PermissionEvaluator} instances. Usually
* an application has a single {@link AuthorizationProvider} instance and threads servicing client requests obtain {@link org.keycloak.authorization.permission.evaluator.PermissionEvaluator}
* from the {@link #evaluators()} method.
*
* <p>The internal state of a {@link AuthorizationProvider} is immutable. This internal state includes all of the metadata
* used during the evaluation of policies.
*
* <p>Once created, {@link org.keycloak.authorization.permission.evaluator.PermissionEvaluator} instances can be obtained from the {@link #evaluators()} method:
*
* <pre>
* List<ResourcePermission> permissionsToEvaluate = getPermissions(); // the permissions to evaluate
* EvaluationContext evaluationContext = createEvaluationContext(); // the context with runtime environment information
* PermissionEvaluator evaluator = authorization.evaluators().from(permissionsToEvaluate, context);
*
* evaluator.evaluate(new Decision() {
*
* public void onDecision(Evaluation evaluation) {
* // do something on grant
* }
*
* });
* </pre>
*
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public final class AuthorizationProvider implements Provider {
private final PolicyEvaluator policyEvaluator;
private StoreFactory storeFactory;
private StoreFactory storeFactoryDelegate;
private final KeycloakSession keycloakSession;
private final RealmModel realm;
public AuthorizationProvider(KeycloakSession session, RealmModel realm, PolicyEvaluator policyEvaluator) {
this.keycloakSession = session;
this.realm = realm;
this.policyEvaluator = policyEvaluator;
}
/**
* Returns a {@link Evaluators} instance from where {@link org.keycloak.authorization.policy.evaluation.PolicyEvaluator} instances
* can be obtained.
*
* @return a {@link Evaluators} instance
*/
public Evaluators evaluators() {
return new Evaluators(this);
}
/**
* Cache sits in front of this
*
* Returns a {@link StoreFactory}.
*
* @return the {@link StoreFactory}
*/
public StoreFactory getStoreFactory() {
if (storeFactory != null) return storeFactory;
storeFactory = keycloakSession.getProvider(CachedStoreFactoryProvider.class);
if (storeFactory == null) storeFactory = getLocalStoreFactory();
storeFactory = createStoreFactory(storeFactory);
return storeFactory;
}
/**
* No cache sits in front of this
*
* @return
*/
public StoreFactory getLocalStoreFactory() {
if (storeFactoryDelegate != null) return storeFactoryDelegate;
storeFactoryDelegate = keycloakSession.getProvider(StoreFactory.class);
return storeFactoryDelegate;
}
/**
* Returns the registered {@link PolicyProviderFactory}.
*
* @return a {@link Stream} containing all registered {@link PolicyProviderFactory}
*/
public Stream<PolicyProviderFactory> getProviderFactoriesStream() {
return keycloakSession.getKeycloakSessionFactory().getProviderFactoriesStream(PolicyProvider.class)
.map(PolicyProviderFactory.class::cast);
}
/**
* Returns a {@link PolicyProviderFactory} given a <code>type</code>.
*
* @param type the type of the policy provider
* @return a {@link PolicyProviderFactory} with the given <code>type</code>
*/
public PolicyProviderFactory getProviderFactory(String type) {
return (PolicyProviderFactory) keycloakSession.getKeycloakSessionFactory().getProviderFactory(PolicyProvider.class, type);
}
/**
* Returns a {@link PolicyProviderFactory} given a <code>type</code>.
*
* @param type the type of the policy provider
* @param <P> the expected type of the provider
* @return a {@link PolicyProvider} with the given <code>type</code>
*/
public <P extends PolicyProvider> P getProvider(String type) {
PolicyProviderFactory policyProviderFactory = getProviderFactory(type);
if (policyProviderFactory == null) {
return null;
}
return (P) policyProviderFactory.create(this);
}
public KeycloakSession getKeycloakSession() {
return this.keycloakSession;
}
public RealmModel getRealm() {
return realm;
}
public PolicyEvaluator getPolicyEvaluator() {
return policyEvaluator;
}
@Override
public void close() {
}
private StoreFactory createStoreFactory(StoreFactory storeFactory) {
return new StoreFactory() {
ResourceStore resourceStore;
ScopeStore scopeStore;
PolicyStore policyStore;
@Override
public ResourceStore getResourceStore() {
if (resourceStore == null) {
resourceStore = createResourceStoreWrapper(storeFactory);
}
return resourceStore;
}
@Override
public ResourceServerStore getResourceServerStore() {
return storeFactory.getResourceServerStore();
}
@Override
public ScopeStore getScopeStore() {
if (scopeStore == null) {
scopeStore = createScopeWrapper(storeFactory);
}
return scopeStore;
}
@Override
public PolicyStore getPolicyStore() {
if (policyStore == null) {
policyStore = createPolicyWrapper(storeFactory);
}
return policyStore;
}
@Override
public PermissionTicketStore getPermissionTicketStore() {
return storeFactory.getPermissionTicketStore();
}
@Override
public void close() {
storeFactory.close();
}
@Override
public void setReadOnly(boolean readOnly) {
storeFactory.setReadOnly(readOnly);
}
@Override
public boolean isReadOnly() {
return storeFactory.isReadOnly();
}
};
}
private ScopeStore createScopeWrapper(StoreFactory storeFactory) {
return new ScopeStore() {
ScopeStore delegate = storeFactory.getScopeStore();
@Override
public Scope create(ResourceServer resourceServer, String name) {
return delegate.create(resourceServer, name);
}
@Override
public Scope create(ResourceServer resourceServer, String id, String name) {
return delegate.create(resourceServer, id, name);
}
@Override
public void delete(RealmModel realm, String id) {
Scope scope = findById(realm, null, id);
PermissionTicketStore ticketStore = AuthorizationProvider.this.getStoreFactory().getPermissionTicketStore();
List<PermissionTicket> permissions = ticketStore.findByScope(scope.getResourceServer(), scope);
for (PermissionTicket permission : permissions) {
ticketStore.delete(realm, permission.getId());
}
delegate.delete(realm, id);
}
@Override
public Scope findById(RealmModel realm, ResourceServer resourceServer, String id) {
return delegate.findById(realm, resourceServer, id);
}
@Override
public Scope findByName(ResourceServer resourceServer, String name) {
return delegate.findByName(resourceServer, name);
}
@Override
public List<Scope> findByResourceServer(ResourceServer resourceServer) {
return delegate.findByResourceServer(resourceServer);
}
@Override
public List<Scope> findByResourceServer(ResourceServer resourceServer, Map<Scope.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
return delegate.findByResourceServer(resourceServer, attributes, firstResult, maxResults);
}
};
}
private PolicyStore createPolicyWrapper(StoreFactory storeFactory) {
return new PolicyStore() {
PolicyStore policyStore = storeFactory.getPolicyStore();
@Override
public Policy create(ResourceServer resourceServer, AbstractPolicyRepresentation representation) {
Set<String> resources = representation.getResources();
RealmModel realm = resourceServer.getRealm();
if (resources != null) {
representation.setResources(resources.stream().map(id -> {
Resource resource = storeFactory.getResourceStore().findById(realm, resourceServer, id);
if (resource == null) {
resource = storeFactory.getResourceStore().findByName(resourceServer, id);
}
if (resource == null) {
throw new RuntimeException("Resource [" + id + "] does not exist or is not owned by the resource server.");
}
return resource.getId();
}).collect(Collectors.toSet()));
}
Set<String> scopes = representation.getScopes();
if (scopes != null) {
representation.setScopes(scopes.stream().map(id -> {
Scope scope = storeFactory.getScopeStore().findById(realm, resourceServer, id);
if (scope == null) {
scope = storeFactory.getScopeStore().findByName(resourceServer, id);
}
if (scope == null) {
throw new RuntimeException("Scope [" + id + "] does not exist");
}
return scope.getId();
}).collect(Collectors.toSet()));
}
Set<String> policies = representation.getPolicies();
if (policies != null) {
representation.setPolicies(policies.stream().map(id -> {
Policy policy = storeFactory.getPolicyStore().findById(realm, resourceServer, id);
if (policy == null) {
policy = storeFactory.getPolicyStore().findByName(resourceServer, id);
}
if (policy == null) {
throw new RuntimeException("Policy [" + id + "] does not exist");
}
return policy.getId();
}).collect(Collectors.toSet()));
}
return RepresentationToModel.toModel(representation, AuthorizationProvider.this, policyStore.create(resourceServer, representation));
}
@Override
public void delete(RealmModel realm, String id) {
Policy policy = findById(realm, null, id);
if (policy != null) {
ResourceServer resourceServer = policy.getResourceServer();
// if uma policy (owned by a user) also remove associated policies
if (policy.getOwner() != null) {
for (Policy associatedPolicy : policy.getAssociatedPolicies()) {
// only remove associated policies created from the policy being deleted
if (associatedPolicy.getOwner() != null) {
policy.removeAssociatedPolicy(associatedPolicy);
policyStore.delete(realm, associatedPolicy.getId());
}
}
}
findDependentPolicies(resourceServer, policy.getId()).forEach(dependentPolicy -> {
dependentPolicy.removeAssociatedPolicy(policy);
if (dependentPolicy.getAssociatedPolicies().isEmpty()) {
delete(realm, dependentPolicy.getId());
}
});
policyStore.delete(realm, id);
}
}
@Override
public Policy findById(RealmModel realm, ResourceServer resourceServer, String id) {
return policyStore.findById(realm, resourceServer, id);
}
@Override
public Policy findByName(ResourceServer resourceServer, String name) {
return policyStore.findByName(resourceServer, name);
}
@Override
public List<Policy> findByResourceServer(ResourceServer resourceServer) {
return policyStore.findByResourceServer(resourceServer);
}
@Override
public List<Policy> find(RealmModel realm, ResourceServer resourceServer, Map<Policy.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
return policyStore.find(realm, resourceServer, attributes, firstResult, maxResults);
}
@Override
public List<Policy> findByResource(ResourceServer resourceServer, Resource resource) {
return policyStore.findByResource(resourceServer, resource);
}
@Override
public void findByResource(ResourceServer resourceServer, Resource resource, Consumer<Policy> consumer) {
policyStore.findByResource(resourceServer, resource, consumer);
}
@Override
public List<Policy> findByResourceType(ResourceServer resourceServer, String resourceType) {
return policyStore.findByResourceType(resourceServer, resourceType);
}
@Override
public List<Policy> findByScopes(ResourceServer resourceServer, List<Scope> scopes) {
return policyStore.findByScopes(resourceServer, scopes);
}
@Override
public List<Policy> findByScopes(ResourceServer resourceServer, Resource resource, List<Scope> scopes) {
return policyStore.findByScopes(resourceServer, resource, scopes);
}
@Override
public void findByScopes(ResourceServer resourceServer, Resource resource, List<Scope> scopes, Consumer<Policy> consumer) {
policyStore.findByScopes(resourceServer, resource, scopes, consumer);
}
@Override
public List<Policy> findByType(ResourceServer resourceServer, String type) {
return policyStore.findByType(resourceServer, type);
}
@Override
public List<Policy> findDependentPolicies(ResourceServer resourceServer, String id) {
return policyStore.findDependentPolicies(resourceServer, id);
}
@Override
public void findByResourceType(ResourceServer resourceServer, String type, Consumer<Policy> policyConsumer) {
policyStore.findByResourceType(resourceServer, type, policyConsumer);
}
};
}
private ResourceStore createResourceStoreWrapper(StoreFactory storeFactory) {
return new ResourceStore() {
ResourceStore delegate = storeFactory.getResourceStore();
@Override
public Resource create(ResourceServer resourceServer, String name, String owner) {
return delegate.create(resourceServer, name, owner);
}
@Override
public Resource create(ResourceServer resourceServer, String id, String name, String owner) {
return delegate.create(resourceServer, id, name, owner);
}
@Override
public void delete(RealmModel realm, String id) {
Resource resource = findById(realm, null, id);
StoreFactory storeFactory = AuthorizationProvider.this.getStoreFactory();
PermissionTicketStore ticketStore = storeFactory.getPermissionTicketStore();
List<PermissionTicket> permissions = ticketStore.findByResource(resource.getResourceServer(), resource);
for (PermissionTicket permission : permissions) {
ticketStore.delete(realm, permission.getId());
}
PolicyStore policyStore = storeFactory.getPolicyStore();
List<Policy> policies = policyStore.findByResource(resource.getResourceServer(), resource);
for (Policy policyModel : policies) {
if (policyModel.getResources().size() == 1) {
policyStore.delete(realm, policyModel.getId());
} else {
policyModel.removeResource(resource);
}
}
delegate.delete(realm, id);
}
@Override
public Resource findById(RealmModel realm, ResourceServer resourceServer, String id) {
return delegate.findById(realm, resourceServer, id);
}
@Override
public List<Resource> findByOwner(RealmModel realm, ResourceServer resourceServer, String ownerId) {
return delegate.findByOwner(realm, resourceServer, ownerId);
}
@Override
public void findByOwner(RealmModel realm, ResourceServer resourceServer, String ownerId, Consumer<Resource> consumer) {
delegate.findByOwner(realm, resourceServer, ownerId, consumer);
}
@Override
public List<Resource> findByResourceServer(ResourceServer resourceServer) {
return delegate.findByResourceServer(resourceServer);
}
@Override
public List<Resource> find(RealmModel realm, ResourceServer resourceServer, Map<Resource.FilterOption, String[]> attributes, Integer firstResult, Integer maxResults) {
return delegate.find(realm, resourceServer, attributes, firstResult, maxResults);
}
@Override
public List<Resource> findByScopes(ResourceServer resourceServer, Set<Scope> scopes) {
return delegate.findByScopes(resourceServer, scopes);
}
@Override
public void findByScopes(ResourceServer resourceServer, Set<Scope> scopes, Consumer<Resource> consumer) {
delegate.findByScopes(resourceServer, scopes, consumer);
}
@Override
public Resource findByName(ResourceServer resourceServer, String name, String ownerId) {
return delegate.findByName(resourceServer, name, ownerId);
}
@Override
public List<Resource> findByType(ResourceServer resourceServer, String type) {
return delegate.findByType(resourceServer, type);
}
@Override
public void findByType(ResourceServer resourceServer, String type, Consumer<Resource> consumer) {
delegate.findByType(resourceServer, type, consumer);
}
@Override
public void findByType(ResourceServer resourceServer, String type, String owner, Consumer<Resource> consumer) {
delegate.findByType(resourceServer, type, owner, consumer);
}
@Override
public void findByTypeInstance(ResourceServer resourceServer, String type, Consumer<Resource> consumer) {
delegate.findByTypeInstance(resourceServer, type, consumer);
}
};
}
}