keycloak-oidc-service
静的公開メンバ関数 | 静的非公開メンバ関数 | 全メンバ一覧
org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder クラス
org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder 連携図
Collaboration graph

静的公開メンバ関数

static PolicyEvaluationResponse build (PolicyEvaluationService.EvaluationDecisionCollector decision, ResourceServer resourceServer, AuthorizationProvider authorization, KeycloakIdentity identity)
 

静的非公開メンバ関数

static PolicyEvaluationResponse.PolicyResultRepresentation toRepresentation (Result.PolicyResult result, AuthorizationProvider authorization)
 
static String getUserEmailOrUserName (UserModel user)
 

詳解

著者
Bill Burke
バージョン
Revision
1

関数詳解

◆ build()

static PolicyEvaluationResponse org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder.build ( PolicyEvaluationService.EvaluationDecisionCollector  decision,
ResourceServer  resourceServer,
AuthorizationProvider  authorization,
KeycloakIdentity  identity 
)
inlinestatic
56  {
57  PolicyEvaluationResponse response = new PolicyEvaluationResponse();
58  List<PolicyEvaluationResponse.EvaluationResultRepresentation> resultsRep = new ArrayList<>();
59  AccessToken accessToken = identity.getAccessToken();
60  AccessToken.Authorization authorizationData = new AccessToken.Authorization();
61 
62  authorizationData.setPermissions(decision.results());
63  accessToken.setAuthorization(authorizationData);
64 
65  ClientModel clientModel = authorization.getRealm().getClientById(resourceServer.getId());
66 
67  if (!accessToken.hasAudience(clientModel.getClientId())) {
68  accessToken.audience(clientModel.getClientId());
69  }
70 
71  response.setRpt(accessToken);
72 
73  Collection<Result> results = decision.getResults();
74 
75  if (results.stream().anyMatch(evaluationResult -> evaluationResult.getEffect().equals(Decision.Effect.DENY))) {
76  response.setStatus(DecisionEffect.DENY);
77  } else {
78  response.setStatus(DecisionEffect.PERMIT);
79  }
80 
81  for (Result result : results) {
82  PolicyEvaluationResponse.EvaluationResultRepresentation rep = new PolicyEvaluationResponse.EvaluationResultRepresentation();
83 
84  if (result.getEffect() == Decision.Effect.DENY) {
85  rep.setStatus(DecisionEffect.DENY);
86  } else {
87  rep.setStatus(DecisionEffect.PERMIT);
88 
89  }
90  resultsRep.add(rep);
91 
92  if (result.getPermission().getResource() != null) {
93  ResourceRepresentation resource = new ResourceRepresentation();
94 
95  resource.setId(result.getPermission().getResource().getId());
96  resource.setName(result.getPermission().getResource().getName());
97 
98  rep.setResource(resource);
99  } else {
100  ResourceRepresentation resource = new ResourceRepresentation();
101 
102  resource.setName("Any Resource with Scopes " + result.getPermission().getScopes().stream().map(Scope::getName).collect(Collectors.toList()));
103 
104  rep.setResource(resource);
105  }
106 
107  rep.setScopes(result.getPermission().getScopes().stream().map(scope -> {
108  ScopeRepresentation representation = new ScopeRepresentation();
109 
110  representation.setId(scope.getId());
111  representation.setName(scope.getName());
112 
113  return representation;
114  }).collect(Collectors.toList()));
115 
116  List<PolicyEvaluationResponse.PolicyResultRepresentation> policies = new ArrayList<>();
117 
118  for (Result.PolicyResult policy : result.getResults()) {
119  PolicyResultRepresentation policyRep = toRepresentation(policy, authorization);
120 
121  if ("resource".equals(policy.getPolicy().getType())) {
122  policyRep.getPolicy().setScopes(result.getPermission().getResource().getScopes().stream().map(Scope::getName).collect(Collectors.toSet()));
123  }
124 
125  policies.add(policyRep);
126  }
127 
128  rep.setPolicies(policies);
129  }
130 
131  resultsRep.sort(Comparator.comparing(o -> o.getResource().getName()));
132 
133  Map<String, PolicyEvaluationResponse.EvaluationResultRepresentation> groupedResults = new HashMap<>();
134 
135  resultsRep.forEach(evaluationResultRepresentation -> {
136  PolicyEvaluationResponse.EvaluationResultRepresentation result = groupedResults.get(evaluationResultRepresentation.getResource().getId());
137  ResourceRepresentation resource = evaluationResultRepresentation.getResource();
138 
139  if (result == null) {
140  groupedResults.put(resource.getId(), evaluationResultRepresentation);
141  result = evaluationResultRepresentation;
142  }
143 
144  if (result.getStatus().equals(DecisionEffect.PERMIT) || (evaluationResultRepresentation.getStatus().equals(DecisionEffect.PERMIT) && result.getStatus().equals(DecisionEffect.DENY))) {
145  result.setStatus(DecisionEffect.PERMIT);
146  }
147 
148  List<ScopeRepresentation> scopes = result.getScopes();
149 
150  if (DecisionEffect.PERMIT.equals(result.getStatus())) {
151  result.setAllowedScopes(scopes);
152  }
153 
154  if (resource.getId() != null) {
155  if (!scopes.isEmpty()) {
156  result.getResource().setName(evaluationResultRepresentation.getResource().getName() + " with scopes " + scopes.stream().flatMap((Function<ScopeRepresentation, Stream<?>>) scopeRepresentation -> Arrays.asList(scopeRepresentation.getName()).stream()).collect(Collectors.toList()));
157  } else {
158  result.getResource().setName(evaluationResultRepresentation.getResource().getName());
159  }
160  } else {
161  result.getResource().setName("Any Resource with Scopes " + scopes.stream().flatMap((Function<ScopeRepresentation, Stream<?>>) scopeRepresentation -> Arrays.asList(scopeRepresentation.getName()).stream()).collect(Collectors.toList()));
162  }
163 
164  List<PolicyEvaluationResponse.PolicyResultRepresentation> policies = result.getPolicies();
165 
166  for (PolicyEvaluationResponse.PolicyResultRepresentation policy : new ArrayList<>(evaluationResultRepresentation.getPolicies())) {
167  if (!policies.contains(policy)) {
168  policies.add(policy);
169  }
170  }
171  });
172 
173  response.setResults(groupedResults.values().stream().collect(Collectors.toList()));
174 
175  return response;
176  }
org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder.toRepresentation
static PolicyEvaluationResponse.PolicyResultRepresentation toRepresentation(Result.PolicyResult result, AuthorizationProvider authorization)
Definition: PolicyEvaluationResponseBuilder.java:178

◆ getUserEmailOrUserName()

static String org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder.getUserEmailOrUserName ( UserModel  user)
inlinestaticprivate
235  {
236  return (user.getEmail() != null ? user.getEmail() : user.getUsername());
237  }

◆ toRepresentation()

static PolicyEvaluationResponse.PolicyResultRepresentation org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder.toRepresentation ( Result.PolicyResult  result,
AuthorizationProvider  authorization 
)
inlinestaticprivate
178  {
179  PolicyEvaluationResponse.PolicyResultRepresentation policyResultRep = new PolicyEvaluationResponse.PolicyResultRepresentation();
180 
181  PolicyRepresentation representation = new PolicyRepresentation();
182  Policy policy = result.getPolicy();
183 
184  representation.setId(policy.getId());
185  representation.setName(policy.getName());
186  representation.setType(policy.getType());
187  representation.setDecisionStrategy(policy.getDecisionStrategy());
188  representation.setDescription(policy.getDescription());
189 
190  if ("uma".equals(representation.getType())) {
191  Map<String, String> filters = new HashMap<>();
192 
193  filters.put(PermissionTicket.POLICY, policy.getId());
194 
195  List<PermissionTicket> tickets = authorization.getStoreFactory().getPermissionTicketStore().find(filters, policy.getResourceServer().getId(), -1, 1);
196 
197  if (!tickets.isEmpty()) {
198  KeycloakSession keycloakSession = authorization.getKeycloakSession();
199  PermissionTicket ticket = tickets.get(0);
200  UserModel owner = keycloakSession.users().getUserById(ticket.getOwner(), authorization.getRealm());
201  UserModel requester = keycloakSession.users().getUserById(ticket.getRequester(), authorization.getRealm());
202 
203  representation.setDescription("Resource owner (" + getUserEmailOrUserName(owner) + ") grants access to " + getUserEmailOrUserName(requester));
204  } else {
205  String description = representation.getDescription();
206 
207  if (description != null) {
208  representation.setDescription(description + " (User-Managed Policy)");
209  } else {
210  representation.setDescription("User-Managed Policy");
211  }
212  }
213  }
214 
215  representation.setResources(policy.getResources().stream().map(resource -> resource.getName()).collect(Collectors.toSet()));
216 
217  Set<String> scopeNames = policy.getScopes().stream().map(scope -> scope.getName()).collect(Collectors.toSet());
218 
219  representation.setScopes(scopeNames);
220 
221  policyResultRep.setPolicy(representation);
222 
223  if (result.getEffect() == Decision.Effect.DENY) {
224  policyResultRep.setStatus(DecisionEffect.DENY);
225  policyResultRep.setScopes(representation.getScopes());
226  } else {
227  policyResultRep.setStatus(DecisionEffect.PERMIT);
228  }
229 
230  policyResultRep.setAssociatedPolicies(result.getAssociatedPolicies().stream().map(policy1 -> toRepresentation(policy1, authorization)).collect(Collectors.toList()));
231 
232  return policyResultRep;
233  }
org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder.getUserEmailOrUserName
static String getUserEmailOrUserName(UserModel user)
Definition: PolicyEvaluationResponseBuilder.java:235
org.keycloak.authorization.admin.representation.PolicyEvaluationResponseBuilder.toRepresentation
static PolicyEvaluationResponse.PolicyResultRepresentation toRepresentation(Result.PolicyResult result, AuthorizationProvider authorization)
Definition: PolicyEvaluationResponseBuilder.java:178
このクラス詳解は次のファイルから抽出されました:
2018年11月18日(日) 14時17分20秒作成 - keycloak-oidc-service / 構成:   doxygen 1.8.13