UserManagedPermissionUtil.java

/*
 * Copyright 2022 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.keycloak.authorization;

import java.util.EnumMap;
import java.util.List;
import java.util.Map;

import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.store.PolicyStore;
import org.keycloak.authorization.store.StoreFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;

/**
 * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
 */
public class UserManagedPermissionUtil {

    public static void updatePolicy(PermissionTicket ticket, StoreFactory storeFactory) {
        Scope scope = ticket.getScope();
        Policy policy = ticket.getPolicy();
        ResourceServer resourceServer = ticket.getResourceServer();

        if (policy == null) {
            Map<PermissionTicket.FilterOption, String> filter = new EnumMap<>(PermissionTicket.FilterOption.class);

            filter.put(PermissionTicket.FilterOption.OWNER, ticket.getOwner());
            filter.put(PermissionTicket.FilterOption.REQUESTER, ticket.getRequester());
            filter.put(PermissionTicket.FilterOption.RESOURCE_ID, ticket.getResource().getId());
            filter.put(PermissionTicket.FilterOption.POLICY_IS_NOT_NULL, Boolean.TRUE.toString());

            List<PermissionTicket> tickets = storeFactory.getPermissionTicketStore().find(resourceServer.getRealm(), resourceServer, filter, null, null);

            if (!tickets.isEmpty()) {
                policy = tickets.iterator().next().getPolicy();
            }
        }

        if (ticket.isGranted()) {
            if (policy == null) {
                policy = createUserManagedPermission(ticket, storeFactory);
            }

            if (scope != null && !policy.getScopes().contains(scope)) {
                policy.addScope(scope);
            }

            ticket.setPolicy(policy);
        } else if (scope != null) {
            policy.removeScope(scope);
            ticket.setPolicy(null);
        }
    }

    public static void removePolicy(PermissionTicket ticket, StoreFactory storeFactory) {
        Policy policy = ticket.getPolicy();
        RealmModel realm = ticket.getResourceServer().getRealm();

        if (policy != null) {
            Map<PermissionTicket.FilterOption, String> filter = new EnumMap<>(PermissionTicket.FilterOption.class);

            filter.put(PermissionTicket.FilterOption.OWNER, ticket.getOwner());
            filter.put(PermissionTicket.FilterOption.REQUESTER, ticket.getRequester());
            filter.put(PermissionTicket.FilterOption.RESOURCE_ID, ticket.getResource().getId());
            filter.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString());

            List<PermissionTicket> tickets = storeFactory.getPermissionTicketStore().find(realm, ticket.getResourceServer(), filter, null, null);

            if (tickets.isEmpty()) {
                PolicyStore policyStore = storeFactory.getPolicyStore();

                for (Policy associatedPolicy : policy.getAssociatedPolicies()) {
                    policyStore.delete(realm, associatedPolicy.getId());
                }

                policyStore.delete(realm, policy.getId());
            } else if (ticket.getScope() != null) {
                policy.removeScope(ticket.getScope());
            }
        }
    }

    private static Policy createUserManagedPermission(PermissionTicket ticket, StoreFactory storeFactory) {
        PolicyStore policyStore = storeFactory.getPolicyStore();
        UserPolicyRepresentation userPolicyRep = new UserPolicyRepresentation();

        userPolicyRep.setName(KeycloakModelUtils.generateId());
        userPolicyRep.addUser(ticket.getRequester());

        Policy userPolicy = policyStore.create(ticket.getResourceServer(), userPolicyRep);

        userPolicy.setOwner(ticket.getOwner());

        PolicyRepresentation policyRep = new PolicyRepresentation();

        policyRep.setName(KeycloakModelUtils.generateId());
        policyRep.setType("uma");
        policyRep.addPolicy(userPolicy.getId());

        Policy policy = policyStore.create(ticket.getResourceServer(), policyRep);

        policy.setOwner(ticket.getOwner());
        policy.addResource(ticket.getResource());

        Scope scope = ticket.getScope();

        if (scope != null) {
            policy.addScope(scope);
        }

        return policy;
    }

}