ResourceService.java
/*
* Copyright 2022 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.services.resources.account.resources;
import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.PUT;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.Response;
import java.util.Calendar;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumMap;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.keycloak.http.HttpRequest;
import org.keycloak.authorization.model.PermissionTicket;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.models.AccountRoles;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserProvider;
import org.keycloak.services.managers.Auth;
import org.keycloak.utils.MediaType;
import static org.keycloak.models.utils.ModelToRepresentation.toRepresentation;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class ResourceService extends AbstractResourceService {
private final org.keycloak.authorization.model.Resource resource;
private final ResourceServer resourceServer;
ResourceService(org.keycloak.authorization.model.Resource resource, KeycloakSession session, UserModel user,
Auth auth, HttpRequest request) {
super(session, user, auth, request);
this.resource = resource;
this.resourceServer = resource.getResourceServer();
}
/**
* Returns a {@link Resource} where the {@link #user} is the resource owner.
*
* @return the resource
*/
@GET
@Produces(MediaType.APPLICATION_JSON)
public Resource getResource() {
return new Resource(resource, provider);
}
/**
* Returns a list of {@link Permission} containing the users to which the {@link #user} granted access to a resource.
*
* @return the users with access to a resource
*/
@GET
@Path("permissions")
@Produces(MediaType.APPLICATION_JSON)
public Collection<Permission> toPermissions() {
Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
filters.put(PermissionTicket.FilterOption.OWNER, user.getId());
filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.TRUE.toString());
filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
Collection<ResourcePermission> resources = toPermissions(ticketStore.find(resourceServer.getRealm(), resourceServer, filters, null, null));
Collection<Permission> permissions = Collections.EMPTY_LIST;
if (!resources.isEmpty()) {
permissions = resources.iterator().next().getPermissions();
}
return permissions;
}
@GET
@Path("user")
@Produces(MediaType.APPLICATION_JSON)
public Response user(@QueryParam("value") String value) {
try {
final UserModel user = getUser(value);
return Response.ok(toRepresentation(provider.getKeycloakSession(), provider.getRealm(), user)).build();
} catch (NotFoundException e) {
return Response.noContent().build();
}
}
/**
* Updates the permission set for a resource based on the given {@code permissions}.
*
* @param permissions the permissions that should be updated
* @return if successful, a {@link Response.Status#NO_CONTENT} response
*/
@PUT
@Path("permissions")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response revoke(List<Permission> permissions) {
auth.require(AccountRoles.MANAGE_ACCOUNT);
if (permissions == null || permissions.isEmpty()) {
throw new BadRequestException("invalid_permissions");
}
Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
RealmModel realm = resourceServer.getRealm();
filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
for (Permission permission : permissions) {
UserModel user = getUser(permission.getUsername());
filters.put(PermissionTicket.FilterOption.REQUESTER, user.getId());
List<PermissionTicket> tickets = ticketStore.find(realm, resourceServer, filters, null, null);
// grants all requested permissions
if (tickets.isEmpty()) {
for (String scope : permission.getScopes()) {
grantPermission(user, scope);
}
} else {
Iterator<String> scopesIterator = permission.getScopes().iterator();
while (scopesIterator.hasNext()) {
org.keycloak.authorization.model.Scope scope = getScope(scopesIterator.next(), resourceServer);
Iterator<PermissionTicket> ticketIterator = tickets.iterator();
while (ticketIterator.hasNext()) {
PermissionTicket ticket = ticketIterator.next();
if (scope.getId().equals(ticket.getScope().getId())) {
if (!ticket.isGranted()) {
ticket.setGrantedTimestamp(System.currentTimeMillis());
}
// permission exists, remove from the list to avoid deletion
ticketIterator.remove();
// scope already granted, remove from the list to avoid creating it again
scopesIterator.remove();
}
}
}
// only create permissions for the scopes that don't have a tocket
for (String scope : permission.getScopes()) {
grantPermission(user, scope);
}
// remove all tickets that are not within the requested permissions
for (PermissionTicket ticket : tickets) {
ticketStore.delete(realm, ticket.getId());
}
}
}
return Response.noContent().build();
}
/**
* Returns a list of {@link Permission} requests waiting for the {@link #user} approval.
*
* @return the permission requests waiting for the user approval
*/
@GET
@Path("permissions/requests")
@Produces(MediaType.APPLICATION_JSON)
public Collection<Permission> getPermissionRequests() {
Map<PermissionTicket.FilterOption, String> filters = new EnumMap<>(PermissionTicket.FilterOption.class);
filters.put(PermissionTicket.FilterOption.OWNER, user.getId());
filters.put(PermissionTicket.FilterOption.GRANTED, Boolean.FALSE.toString());
filters.put(PermissionTicket.FilterOption.RESOURCE_ID, resource.getId());
Map<String, Permission> requests = new HashMap<>();
for (PermissionTicket ticket : ticketStore.find(resourceServer.getRealm(), resourceServer, filters, null, null)) {
requests.computeIfAbsent(ticket.getRequester(), requester -> new Permission(ticket, provider)).addScope(ticket.getScope().getName());
}
return requests.values();
}
private void grantPermission(UserModel user, String scopeId) {
org.keycloak.authorization.model.Scope scope = getScope(scopeId, resourceServer);
PermissionTicket ticket = ticketStore.create(resourceServer, resource, scope, user.getId());
ticket.setGrantedTimestamp(Calendar.getInstance().getTimeInMillis());
}
private org.keycloak.authorization.model.Scope getScope(String scopeId, ResourceServer resourceServer) {
org.keycloak.authorization.model.Scope scope = scopeStore.findByName(resourceServer, scopeId);
if (scope == null) {
scope = scopeStore.findById(resourceServer.getRealm(), resourceServer, scopeId);
}
return scope;
}
private UserModel getUser(String requester) {
UserProvider users = provider.getKeycloakSession().users();
UserModel user = users.getUserByUsername(provider.getRealm(), requester);
if (user == null) {
user = users.getUserByEmail(provider.getRealm(), requester);
}
if (user == null) {
throw new NotFoundException(requester);
}
return user;
}
private Collection<ResourcePermission> toPermissions(List<PermissionTicket> tickets) {
Map<String, ResourcePermission> permissions = new HashMap<>();
for (PermissionTicket ticket : tickets) {
ResourcePermission resource = permissions
.computeIfAbsent(ticket.getResource().getId(), s -> new ResourcePermission(ticket, provider));
Permission user = resource.getPermission(ticket.getRequester());
if (user == null) {
resource.addPermission(ticket.getRequester(), user = new Permission(ticket.getRequester(), provider));
}
user.addScope(ticket.getScope().getName());
}
return permissions.values();
}
}