org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector の継承関係図

org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector 連携図

公開メンバ関数
	PermissionTicketAwareDecisionResultCollector (AuthorizationRequest request, PermissionTicketToken ticket, Identity identity, ResourceServer resourceServer, AuthorizationProvider authorization)

void	onComplete ()

void	onComplete (Result result)

void	onComplete (ResourcePermission permission)

Collection< Permission >	results ()

void	onError (Throwable cause)

void	onDecision (DefaultEvaluation evaluation)

void	onDecision (D evaluation)

限定公開メンバ関数
void	onGrant (Permission grantedPermission)

void	onComplete (Collection< Result > permissions)

void	grantPermission (AuthorizationProvider authorizationProvider, List< Permission > permissions, ResourcePermission permission, Collection< Scope > grantedScopes, ResourceServer resourceServer, AuthorizationRequest request, Result result)

boolean	isGranted (Result.PolicyResult policyResult)

限定公開変数類
final Map< ResourcePermission, Result >	results = new LinkedHashMap<>()

非公開変数類
final AuthorizationRequest	request

PermissionTicketToken	ticket

final Identity	identity

ResourceServer	resourceServer

final AuthorizationProvider	authorization

詳解

著者: Pedro Igor

構築子と解体子

◆ PermissionTicketAwareDecisionResultCollector()

org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector.PermissionTicketAwareDecisionResultCollector	(	AuthorizationRequest	request,
		PermissionTicketToken	ticket,
		Identity	identity,
		ResourceServer	resourceServer,
		AuthorizationProvider	authorization
	)

inline

                                                                                                                                                                                                            {
         super(authorization, resourceServer, request);
         this.request = request;
         this.ticket = ticket;
         this.identity = identity;
         this.resourceServer = resourceServer;
         this.authorization = authorization;
     }

関数詳解

◆ grantPermission()

void org.keycloak.authorization.policy.evaluation.DecisionPermissionCollector.grantPermission	(	AuthorizationProvider	authorizationProvider,
		List< Permission >	permissions,
		ResourcePermission	permission,
		Collection< Scope >	grantedScopes,
		ResourceServer	resourceServer,
		AuthorizationRequest	request,
		Result	result
	)

inlineprotectedinherited

                                                                                                                                                                                                                                                           {
         Set<String> scopeNames = grantedScopes.stream().map(Scope::getName).collect(Collectors.toSet());
         Resource resource = permission.getResource();
 
         if (resource != null) {
             permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request));
         } else if (!grantedScopes.isEmpty()) {
             ResourceStore resourceStore = authorizationProvider.getStoreFactory().getResourceStore();
 
             resourceStore.findByScope(grantedScopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId(), resource1 -> permissions.add(createPermission(resource, scopeNames, permission.getClaims(), request)));
 
             if (permissions.isEmpty()) {
                 permissions.add(createPermission(null, scopeNames, permission.getClaims(), request));
             }
         }
     }

◆ isGranted()

boolean org.keycloak.authorization.policy.evaluation.AbstractDecisionCollector.isGranted ( Result.PolicyResult policyResult )

inlineprotectedinherited

                                                                   {
         Policy policy = policyResult.getPolicy();
         DecisionStrategy decisionStrategy = policy.getDecisionStrategy();
 
         switch (decisionStrategy) {
             case AFFIRMATIVE:
                 for (Result.PolicyResult decision : policyResult.getAssociatedPolicies()) {
                     if (Effect.PERMIT.equals(decision.getEffect())) {
                         return true;
                     }
                 }
                 return false;
             case CONSENSUS:
                 int grantCount = 0;
                 int denyCount = policy.getAssociatedPolicies().size();
 
                 for (Result.PolicyResult decision : policyResult.getAssociatedPolicies()) {
                     if (decision.getEffect().equals(Effect.PERMIT)) {
                         grantCount++;
                         denyCount--;
                     }
                 }
 
                 return grantCount > denyCount;
             default:
                 // defaults to UNANIMOUS
                 for (Result.PolicyResult decision : policyResult.getAssociatedPolicies()) {
                     if (Effect.DENY.equals(decision.getEffect())) {
                         return false;
                     }
                 }
                 return true;
         }
     }

◆ onComplete() [1/4]

void org.keycloak.authorization.policy.evaluation.DecisionPermissionCollector.onComplete ( Result result )

inlineinherited

                                           {
         ResourcePermission permission = result.getPermission();
         Resource resource = permission.getResource();
         List<Scope> requestedScopes = permission.getScopes();
 
         if (Effect.PERMIT.equals(result.getEffect())) {
             grantPermission(authorizationProvider, permissions, permission, resource != null ? resource.getScopes() : requestedScopes, resourceServer, request, result);
         } else {
             Set<Scope> grantedScopes = new HashSet<>();
             Set<Scope> deniedScopes = new HashSet<>();
             List<Result.PolicyResult> userManagedPermissions = new ArrayList<>();
             boolean resourceGranted = false;
             boolean anyDeny = false;
 
             for (Result.PolicyResult policyResult : result.getResults()) {
                 Policy policy = policyResult.getPolicy();
                 Set<Scope> policyScopes = policy.getScopes();
 
                 if (isGranted(policyResult)) {
                     if (isScopePermission(policy)) {
                         for (Scope scope : requestedScopes) {
                             if (policyScopes.contains(scope)) {
                                 grantedScopes.add(scope);
                             }
                         }
                     } else if (isResourcePermission(policy)) {
                         grantedScopes.addAll(requestedScopes);
                     } else if (resource != null && resource.isOwnerManagedAccess() && "uma".equals(policy.getType())) {
                         userManagedPermissions.add(policyResult);
                     }
                     if (!resourceGranted) {
                         resourceGranted = policy.getResources().contains(resource);
                     }
                 } else {
                     if (isResourcePermission(policy)) {
                         if (!resourceGranted) {
                             deniedScopes.addAll(requestedScopes);
                         }
                     } else {
                         deniedScopes.addAll(policyScopes);
                     }
                     if (!anyDeny) {
                         anyDeny = true;
                     }
                 }
             }
 
             // remove any scope denied from the list of granted scopes
             grantedScopes.removeAll(deniedScopes);
 
             if (userManagedPermissions.isEmpty()) {
                 if (!resourceGranted && (grantedScopes.isEmpty() && !requestedScopes.isEmpty())) {
                     return;
                 }
             } else {
                 for (Result.PolicyResult userManagedPermission : userManagedPermissions) {
                     grantedScopes.addAll(userManagedPermission.getPolicy().getScopes());
                 }
 
                 if (grantedScopes.isEmpty() && !resource.getScopes().isEmpty()) {
                     return;
                 }
 
                 anyDeny = false;
             }
 
             if (anyDeny && grantedScopes.isEmpty()) {
                 return;
             }
 
             grantPermission(authorizationProvider, permissions, permission, grantedScopes, resourceServer, request, result);
         }
     }

◆ onComplete() [2/4]

void org.keycloak.authorization.policy.evaluation.AbstractDecisionCollector.onComplete ( ResourcePermission permission )

inlineinherited

org.keycloak.authorization.Decision< D extends Evaluation >を実装しています。

                                                           {
         Result result = results.get(permission);
 
         if (result != null) {
             onComplete(result);
         }
     }

◆ onComplete() [3/4]

void org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector.onComplete ( )

inline

org.keycloak.authorization.Decision< D extends Evaluation >を実装しています。

                              {
         super.onComplete();
 
         if (request.isSubmitRequest()) {
             StoreFactory storeFactory = authorization.getStoreFactory();
             ResourceStore resourceStore = storeFactory.getResourceStore();
             List<Permission> permissions = ticket.getPermissions();
 
             if (permissions != null) {
                 for (Permission permission : permissions) {
                     Resource resource = resourceStore.findById(permission.getResourceId(), resourceServer.getId());
 
                     if (resource == null) {
                         resource = resourceStore.findByName(permission.getResourceId(), identity.getId(), resourceServer.getId());
                     }
 
                     if (resource == null || !resource.isOwnerManagedAccess() || resource.getOwner().equals(identity.getId()) || resource.getOwner().equals(resourceServer.getId())) {
                         continue;
                     }
 
                     Set<String> scopes = permission.getScopes();
 
                     if (scopes.isEmpty()) {
                         scopes = resource.getScopes().stream().map(Scope::getName).collect(Collectors.toSet());
                     }
 
                     if (scopes.isEmpty()) {
                         Map<String, String> filters = new HashMap<>();
 
                         filters.put(PermissionTicket.RESOURCE, resource.getId());
                         filters.put(PermissionTicket.REQUESTER, identity.getId());
                         filters.put(PermissionTicket.SCOPE_IS_NULL, Boolean.TRUE.toString());
 
                         List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, resource.getResourceServer().getId(), -1, -1);
 
                         if (tickets.isEmpty()) {
                             authorization.getStoreFactory().getPermissionTicketStore().create(resource.getId(), null, identity.getId(), resource.getResourceServer());
                         }
                     } else {
                         ScopeStore scopeStore = authorization.getStoreFactory().getScopeStore();
 
                         for (String scopeId : scopes) {
                             Scope scope = scopeStore.findByName(scopeId, resourceServer.getId());
 
                             if (scope == null) {
                                 scope = scopeStore.findById(scopeId, resourceServer.getId());
                             }
 
                             Map<String, String> filters = new HashMap<>();
 
                             filters.put(PermissionTicket.RESOURCE, resource.getId());
                             filters.put(PermissionTicket.REQUESTER, identity.getId());
                             filters.put(PermissionTicket.SCOPE, scope.getId());
 
                             List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, resource.getResourceServer().getId(), -1, -1);
 
                             if (tickets.isEmpty()) {
                                 authorization.getStoreFactory().getPermissionTicketStore().create(resource.getId(), scope.getId(), identity.getId(), resource.getResourceServer());
                             }
                         }
                     }
                 }
             }
         }
     }

◆ onComplete() [4/4]

void org.keycloak.authorization.policy.evaluation.AbstractDecisionCollector.onComplete ( Collection< Result > permissions )

inlineprotectedinherited

                                                               {
 
     }

◆ onDecision() [1/2]

void org.keycloak.authorization.Decision< D extends Evaluation >.onDecision ( D evaluation )

inherited

◆ onDecision() [2/2]

void org.keycloak.authorization.policy.evaluation.AbstractDecisionCollector.onDecision ( DefaultEvaluation evaluation )

inlineinherited

                                                          {
         Policy parentPolicy = evaluation.getParentPolicy();
         ResourcePermission permission = evaluation.getPermission();
 
         if (parentPolicy != null) {
             if (parentPolicy.equals(evaluation.getPolicy())) {
                 results.computeIfAbsent(permission, permission1 -> {
                     for (Result result : results.values()) {
                         Result.PolicyResult policyResult = result.getPolicy(parentPolicy);
 
                         if (policyResult != null) {
                             Result newResult = new Result(permission1, evaluation);
                             Result.PolicyResult newPolicyResult = newResult.policy(parentPolicy);
 
                             for (Result.PolicyResult associatePolicy : policyResult.getAssociatedPolicies()) {
                                 newPolicyResult.policy(associatePolicy.getPolicy(), associatePolicy.getEffect());
                             }
 
                             Map<String, Set<String>> claims = result.getPermission().getClaims();
 
                             if (!claims.isEmpty()) {
                                 permission1.addClaims(claims);
                             }
 
                             return newResult;
                         }
                     }
 
                     return null;
                 }).policy(parentPolicy);
             } else {
                 results.computeIfAbsent(permission, p -> new Result(p, evaluation)).policy(parentPolicy).policy(evaluation.getPolicy(), evaluation.getEffect());
             }
         } else {
             results.computeIfAbsent(permission, p -> new Result(p, evaluation)).setStatus(evaluation.getEffect());
         }
     }

◆ onError()

void org.keycloak.authorization.policy.evaluation.DecisionPermissionCollector.onError ( Throwable cause )

inlineinherited

org.keycloak.authorization.Decision< D extends Evaluation >を実装しています。

                                          {
         throw new RuntimeException("Failed to evaluate permissions", cause);
     }

◆ onGrant()

void org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector.onGrant ( Permission grantedPermission )

inlineprotected

                                                          {
         // Removes permissions (represented by {@code ticket}) granted by any user-managed policy so we don't create unnecessary permission tickets.
         List<Permission> permissions = ticket.getPermissions();
         Iterator<Permission> itPermissions = permissions.iterator();
 
         while (itPermissions.hasNext()) {
             Permission permission = itPermissions.next();
 
             if (permission.getResourceId() == null || permission.getResourceId().equals(grantedPermission.getResourceId())) {
                 Set<String> scopes = permission.getScopes();
                 Iterator<String> itScopes = scopes.iterator();
 
                 while (itScopes.hasNext()) {
                     if (grantedPermission.getScopes().contains(itScopes.next())) {
                         itScopes.remove();
                     }
                 }
 
                 if (scopes.isEmpty()) {
                     itPermissions.remove();
                 }
             }
         }
     }

◆ results()

Collection<Permission> org.keycloak.authorization.policy.evaluation.DecisionPermissionCollector.results ( )

inlineinherited

                                             {
         return permissions;
     }

メンバ詳解

◆ authorization

final AuthorizationProvider org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector.authorization

private

◆ identity

final Identity org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector.identity

private

◆ request

final AuthorizationRequest org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector.request

private

◆ resourceServer

ResourceServer org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector.resourceServer

private

◆ results

final Map<ResourcePermission, Result> org.keycloak.authorization.policy.evaluation.AbstractDecisionCollector.results = new LinkedHashMap<>()

protectedinherited

◆ ticket

PermissionTicketToken org.keycloak.authorization.policy.evaluation.PermissionTicketAwareDecisionResultCollector.ticket

private

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/src/keycloak/src/main/java/org/keycloak/authorization/policy/evaluation/PermissionTicketAwareDecisionResultCollector.java

公開メンバ関数

限定公開メンバ関数

限定公開変数類

非公開変数類

詳解

構築子と解体子

◆ PermissionTicketAwareDecisionResultCollector()

関数詳解

◆ grantPermission()

◆ isGranted()

◆ onComplete() [1/4]

◆ onComplete() [2/4]

◆ onComplete() [3/4]

◆ onComplete() [4/4]

◆ onDecision() [1/2]

◆ onDecision() [2/2]

◆ onError()

◆ onGrant()

◆ results()

メンバ詳解

◆ authorization

◆ identity

◆ request

◆ resourceServer

◆ results

◆ ticket