org.keycloak.services.resources.admin.permissions.RolePermissions の継承関係図

org.keycloak.services.resources.admin.permissions.RolePermissions 連携図

公開メンバ関数
	RolePermissions (KeycloakSession session, RealmModel realm, AuthorizationProvider authz, MgmtPermissions root)

boolean	isPermissionsEnabled (RoleModel role)

void	setPermissionsEnabled (RoleModel role, boolean enable)

Map< String, String >	getPermissions (RoleModel role)

Policy	mapRolePermission (RoleModel role)

Policy	mapCompositePermission (RoleModel role)

Policy	mapClientScopePermission (RoleModel role)

Resource	resource (RoleModel role)

ResourceServer	resourceServer (RoleModel role)

boolean	canMapRole (RoleModel role)

void	requireMapRole (RoleModel role)

boolean	canList (RoleContainerModel container)

void	requireList (RoleContainerModel container)

boolean	canManage (RoleContainerModel container)

void	requireManage (RoleContainerModel container)

boolean	canView (RoleContainerModel container)

void	requireView (RoleContainerModel container)

boolean	canMapComposite (RoleModel role)

void	requireMapComposite (RoleModel role)

boolean	canMapClientScope (RoleModel role)

void	requireMapClientScope (RoleModel role)

boolean	canManage (RoleModel role)

boolean	canManageDefault (RoleModel role)

void	requireManage (RoleModel role)

boolean	canView (RoleModel role)

void	requireView (RoleModel role)

Policy	manageUsersPolicy (ResourceServer server)

Policy	viewUsersPolicy (ResourceServer server)

Policy	rolePolicy (ResourceServer server, RoleModel role)

静的公開変数類
static final String	MAP_ROLE_SCOPE = "map-role"

static final String	MAP_ROLE_CLIENT_SCOPE_SCOPE = "map-role-client-scope"

static final String	MAP_ROLE_COMPOSITE_SCOPE = "map-role-composite"

限定公開変数類
final KeycloakSession	session

final RealmModel	realm

final AuthorizationProvider	authz

final MgmtPermissions	root

非公開メンバ関数
void	disablePermissions (RoleModel role)

boolean	checkAdminRoles (RoleModel role)

boolean	adminConflictMessage (RoleModel role)

ClientModel	getRoleClient (RoleModel role)

Scope	mapRoleScope (ResourceServer server)

Scope	mapClientScope (ResourceServer server)

Scope	mapCompositeScope (ResourceServer server)

void	initialize (RoleModel role)

String	getMapRolePermissionName (RoleModel role)

String	getMapClientScopePermissionName (RoleModel role)

String	getMapCompositePermissionName (RoleModel role)

ResourceServer	sdfgetResourceServer (RoleModel role)

静的非公開メンバ関数
static String	getRoleResourceName (RoleModel role)

静的非公開変数類
static final Logger	logger = Logger.getLogger(RolePermissions.class)

詳解

著者: Bill Burke

バージョン

Revision: 1

構築子と解体子

◆ RolePermissions()

org.keycloak.services.resources.admin.permissions.RolePermissions.RolePermissions	(	KeycloakSession	session,
		RealmModel	realm,
		AuthorizationProvider	authz,
		MgmtPermissions	root
	)

inline

                                                                                                                          {
         this.session = session;
         this.realm = realm;
         this.authz = authz;
         this.root = root;
     }

関数詳解

◆ adminConflictMessage()

boolean org.keycloak.services.resources.admin.permissions.RolePermissions.adminConflictMessage ( RoleModel role )

inlineprivate

                                                          {
         logger.debug("Trying to assign admin privileges of role: " + role.getName() + " but admin doesn't have same privilege");
         return false;
     }

◆ canList()

boolean org.keycloak.services.resources.admin.permissions.RolePermissions.canList ( RoleContainerModel container )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                                          {
         return root.hasAnyAdminRole();
     }

◆ canManage() [1/2]

boolean org.keycloak.services.resources.admin.permissions.RolePermissions.canManage ( RoleContainerModel container )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                                            {
         if (container instanceof RealmModel) {
             return root.realm().canManageRealm();
         } else {
             return root.clients().canConfigure((ClientModel)container);
         }
     }

◆ canManage() [2/2]

boolean org.keycloak.services.resources.admin.permissions.RolePermissions.canManage ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                              {
         if (role.getContainer() instanceof RealmModel) {
             return root.realm().canManageRealm();
         } else if (role.getContainer() instanceof ClientModel) {
             ClientModel client = (ClientModel)role.getContainer();
             return root.clients().canManage(client);
         }
         return false;
     }

◆ canManageDefault()

boolean org.keycloak.services.resources.admin.permissions.RolePermissions.canManageDefault ( RoleModel role )

inline

                                                     {
         if (role.getContainer() instanceof RealmModel) {
             return root.realm().canManageRealmDefault();
         } else if (role.getContainer() instanceof ClientModel) {
             ClientModel client = (ClientModel)role.getContainer();
             return root.clients().canManageClientsDefault();
         }
         return false;
     }

◆ canMapClientScope()

boolean org.keycloak.services.resources.admin.permissions.RolePermissions.canMapClientScope ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                                      {
         if (root.clients().canManageClientsDefault()) return true;
         if (!root.isAdminSameRealm()) {
             return false;
         }
         if (role.getContainer() instanceof ClientModel) {
             if (root.clients().canMapClientScopeRoles((ClientModel)role.getContainer())) return true;
         }
         if (!isPermissionsEnabled(role)){
             return false;
         }
 
         ResourceServer resourceServer = resourceServer(role);
         if (resourceServer == null) return false;
 
         Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapClientScopePermissionName(role), resourceServer.getId());
         if (policy == null || policy.getAssociatedPolicies().isEmpty()) {
             return false;
         }
 
         Resource roleResource = resource(role);
         Scope scope = mapClientScope(resourceServer);
         return root.evaluatePermission(roleResource, scope, resourceServer);
     }

◆ canMapComposite()

boolean org.keycloak.services.resources.admin.permissions.RolePermissions.canMapComposite ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                                    {
         if (canManageDefault(role)) return checkAdminRoles(role);
 
         if (!root.isAdminSameRealm()) {
             return false;
         }
         if (role.getContainer() instanceof ClientModel) {
             if (root.clients().canMapCompositeRoles((ClientModel)role.getContainer())) return true;
         }
         if (!isPermissionsEnabled(role)){
             return false;
         }
 
         ResourceServer resourceServer = resourceServer(role);
         if (resourceServer == null) return false;
 
         Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapCompositePermissionName(role), resourceServer.getId());
         if (policy == null || policy.getAssociatedPolicies().isEmpty()) {
             return false;
         }
 
         Resource roleResource = resource(role);
         Scope scope = mapCompositeScope(resourceServer);
         if (root.evaluatePermission(roleResource, scope, resourceServer)) {
             return checkAdminRoles(role);
         } else {
             return false;
         }
     }

◆ canMapRole()

boolean org.keycloak.services.resources.admin.permissions.RolePermissions.canMapRole ( RoleModel role )

inline

Is admin allowed to map this role?

引数

role

戻り値

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                               {
         if (root.users().canManageDefault()) return checkAdminRoles(role);
         if (!root.isAdminSameRealm()) {
             return false;
         }
 
         if (role.getContainer() instanceof ClientModel) {
             if (root.clients().canMapRoles((ClientModel)role.getContainer())) return true;
         }
         if (!isPermissionsEnabled(role)){
             return false;
         }
 
         ResourceServer resourceServer = resourceServer(role);
         if (resourceServer == null) return false;
 
         Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapRolePermissionName(role), resourceServer.getId());
         if (policy == null || policy.getAssociatedPolicies().isEmpty()) {
             return false;
         }
 
         Resource roleResource = resource(role);
         Scope mapRoleScope = mapRoleScope(resourceServer);
         if (root.evaluatePermission(roleResource, mapRoleScope, resourceServer)) {
             return checkAdminRoles(role);
         } else {
             return false;
         }
     }

◆ canView() [1/2]

boolean org.keycloak.services.resources.admin.permissions.RolePermissions.canView ( RoleContainerModel container )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                                          {
         if (container instanceof RealmModel) {
             return root.realm().canViewRealm();
         } else {
             return root.clients().canView((ClientModel)container);
         }
     }

◆ canView() [2/2]

boolean org.keycloak.services.resources.admin.permissions.RolePermissions.canView ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                            {
         if (role.getContainer() instanceof RealmModel) {
             return root.realm().canViewRealm();
         } else if (role.getContainer() instanceof ClientModel) {
             ClientModel client = (ClientModel)role.getContainer();
             return root.clients().canView(client);
         }
         return false;
     }

◆ checkAdminRoles()

boolean org.keycloak.services.resources.admin.permissions.RolePermissions.checkAdminRoles ( RoleModel role )

inlineprivate

                                                     {
         if (AdminRoles.ALL_ROLES.contains(role.getName())) {
             if (root.admin().hasRole(role)) return true;
 
             ClientModel adminClient = root.getRealmManagementClient();
             // is this an admin role in 'realm-management' client of the realm we are managing?
             if (adminClient.equals(role.getContainer())) {
                 // if this is realm admin role, then check to see if admin has similar permissions
                 // we do this so that the authz service is invoked
                 if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)
                         || role.getName().equals(AdminRoles.CREATE_CLIENT)
                         ) {
                     if (!root.clients().canManage()) {
                         return adminConflictMessage(role);
                     } else {
                         return true;
                     }
                 } else if (role.getName().equals(AdminRoles.VIEW_CLIENTS)) {
                     if (!root.clients().canView()) {
                         return adminConflictMessage(role);
                     } else {
                         return true;
                     }
 
                 } else if (role.getName().equals(AdminRoles.QUERY_REALMS)) {
                     return true;
                 } else if (role.getName().equals(AdminRoles.QUERY_CLIENTS)) {
                     return true;
                 } else if (role.getName().equals(AdminRoles.QUERY_USERS)) {
                     return true;
                 } else if (role.getName().equals(AdminRoles.QUERY_GROUPS)) {
                     return true;
                 } else if (role.getName().equals(AdminRoles.MANAGE_AUTHORIZATION)) {
                     if (!root.realm().canManageAuthorization()) {
                         return adminConflictMessage(role);
                     } else {
                         return true;
                     }
                 } else if (role.getName().equals(AdminRoles.VIEW_AUTHORIZATION)) {
                     if (!root.realm().canViewAuthorization()) {
                         return adminConflictMessage(role);
                     } else {
                         return true;
                     }
                 } else if (role.getName().equals(AdminRoles.MANAGE_EVENTS)) {
                     if (!root.realm().canManageEvents()) {
                         return adminConflictMessage(role);
                     } else {
                         return true;
                     }
                 } else if (role.getName().equals(AdminRoles.VIEW_EVENTS)) {
                     if (!root.realm().canViewEvents()) {
                         return adminConflictMessage(role);
                     } else {
                         return true;
                     }
                 } else if (role.getName().equals(AdminRoles.MANAGE_USERS)) {
                     if (!root.users().canManage()) {
                         return adminConflictMessage(role);
                     } else {
                         return true;
                     }
                 } else if (role.getName().equals(AdminRoles.VIEW_USERS)) {
                     if (!root.users().canView()) {
                         return adminConflictMessage(role);
                     } else {
                         return true;
                     }
                 } else if (role.getName().equals(AdminRoles.MANAGE_IDENTITY_PROVIDERS)) {
                     if (!root.realm().canManageIdentityProviders()) {
                         return adminConflictMessage(role);
                     } else {
                         return true;
                     }
                 } else if (role.getName().equals(AdminRoles.VIEW_IDENTITY_PROVIDERS)) {
                     if (!root.realm().canViewIdentityProviders()) {
                         return adminConflictMessage(role);
                     } else {
                         return true;
                     }
                 } else if (role.getName().equals(AdminRoles.MANAGE_REALM)) {
                     if (!root.realm().canManageRealm()) {
                         return adminConflictMessage(role);
                     } else {
                         return true;
                     }
                 } else if (role.getName().equals(AdminRoles.VIEW_REALM)) {
                     if (!root.realm().canViewRealm()) {
                         return adminConflictMessage(role);
                     } else {
                         return true;
                     }
                 } else if (role.getName().equals(ImpersonationConstants.IMPERSONATION_ROLE)) {
                     if (!root.users().canImpersonate()) {
                         return adminConflictMessage(role);
                     } else {
                         return true;
                     }
                 } else if (role.getName().equals(AdminRoles.REALM_ADMIN)) {
                     // check to see if we have masterRealm.admin role.  Otherwise abort
                     if (root.adminsRealm() == null || !root.adminsRealm().getName().equals(Config.getAdminRealm())) {
                         return adminConflictMessage(role);
                     }
 
                     RealmModel masterRealm = root.adminsRealm();
                     RoleModel adminRole = masterRealm.getRole(AdminRoles.ADMIN);
                     if (root.admin().hasRole(adminRole)) {
                         return true;
                     } else {
                         return adminConflictMessage(role);
                     }
                  } else {
                     return adminConflictMessage(role);
                 }
 
             } else {
                 // now we need to check to see if this is a master admin role
                 if (role.getContainer() instanceof RealmModel) {
                     RealmModel realm = (RealmModel)role.getContainer();
                     // If realm role is master admin role then abort
                     // if realm name is master realm, than we know this is a admin role in master realm.
                     if (realm.getName().equals(Config.getAdminRealm())) {
                         return adminConflictMessage(role);
                     }
                 } else {
                     ClientModel container = (ClientModel)role.getContainer();
                     // abort if this is an role in master realm and role is an admin role of any realm
                     if (container.getRealm().getName().equals(Config.getAdminRealm())
                             && container.getClientId().endsWith("-realm")) {
                         return adminConflictMessage(role);
                     }
                 }
                 return true;
             }
 
         }
         return true;
 
     }

◆ disablePermissions()

void org.keycloak.services.resources.admin.permissions.RolePermissions.disablePermissions ( RoleModel role )

inlineprivate

                                                     {
         ResourceServer server = resourceServer(role);
         if (server == null) return;
         Policy policy = mapRolePermission(role);
         if (policy != null) authz.getStoreFactory().getPolicyStore().delete(policy.getId());
         policy = mapClientScopePermission(role);
         if (policy != null) authz.getStoreFactory().getPolicyStore().delete(policy.getId());
         policy = mapCompositePermission(role);
         if (policy != null) authz.getStoreFactory().getPolicyStore().delete(policy.getId());
 
         Resource resource = authz.getStoreFactory().getResourceStore().findByName(getRoleResourceName(role), server.getId());
         if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId());
     }

◆ getMapClientScopePermissionName()

String org.keycloak.services.resources.admin.permissions.RolePermissions.getMapClientScopePermissionName ( RoleModel role )

inlineprivate

                                                                    {
         return MAP_ROLE_CLIENT_SCOPE_SCOPE + ".permission." + role.getId();
     }

◆ getMapCompositePermissionName()

String org.keycloak.services.resources.admin.permissions.RolePermissions.getMapCompositePermissionName ( RoleModel role )

inlineprivate

                                                                  {
         return MAP_ROLE_COMPOSITE_SCOPE + ".permission." + role.getId();
     }

◆ getMapRolePermissionName()

String org.keycloak.services.resources.admin.permissions.RolePermissions.getMapRolePermissionName ( RoleModel role )

inlineprivate

                                                             {
         return MAP_ROLE_SCOPE + ".permission." + role.getId();
     }

◆ getPermissions()

Map<String, String> org.keycloak.services.resources.admin.permissions.RolePermissions.getPermissions ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionManagementを実装しています。

                                                               {
         initialize(role);
         Map<String, String> scopes = new LinkedHashMap<>();
         scopes.put(RolePermissionManagement.MAP_ROLE_SCOPE, mapRolePermission(role).getId());
         scopes.put(RolePermissionManagement.MAP_ROLE_CLIENT_SCOPE_SCOPE, mapClientScopePermission(role).getId());
         scopes.put(RolePermissionManagement.MAP_ROLE_COMPOSITE_SCOPE, mapCompositePermission(role).getId());
         return scopes;
     }

◆ getRoleClient()

ClientModel org.keycloak.services.resources.admin.permissions.RolePermissions.getRoleClient ( RoleModel role )

inlineprivate

                                                       {
         ClientModel client = null;
         if (role.getContainer() instanceof ClientModel) {
             client = (ClientModel)role.getContainer();
         } else {
             client = root.getRealmManagementClient();
         }
         return client;
     }

◆ getRoleResourceName()

static String org.keycloak.services.resources.admin.permissions.RolePermissions.getRoleResourceName ( RoleModel role )

inlinestaticprivate

                                                               {
         return "role.resource." + role.getId();
     }

◆ initialize()

void org.keycloak.services.resources.admin.permissions.RolePermissions.initialize ( RoleModel role )

inlineprivate

                                             {
         ResourceServer server = resourceServer(role);
         if (server == null) {
             ClientModel client = getRoleClient(role);
             server = root.findOrCreateResourceServer(client);
         }
         Scope mapRoleScope = mapRoleScope(server);
         if (mapRoleScope == null) {
             mapRoleScope = authz.getStoreFactory().getScopeStore().create(MAP_ROLE_SCOPE, server);
         }
         Scope mapClientScope = mapClientScope(server);
         if (mapClientScope == null) {
             mapClientScope = authz.getStoreFactory().getScopeStore().create(MAP_ROLE_CLIENT_SCOPE_SCOPE, server);
         }
         Scope mapCompositeScope = mapCompositeScope(server);
         if (mapCompositeScope == null) {
             mapCompositeScope = authz.getStoreFactory().getScopeStore().create(MAP_ROLE_COMPOSITE_SCOPE, server);
         }
 
         String roleResourceName = getRoleResourceName(role);
         Resource resource = authz.getStoreFactory().getResourceStore().findByName(roleResourceName, server.getId());
         if (resource == null) {
             resource = authz.getStoreFactory().getResourceStore().create(roleResourceName, server, server.getId());
             Set<Scope> scopeset = new HashSet<>();
             scopeset.add(mapClientScope);
             scopeset.add(mapCompositeScope);
             scopeset.add(mapRoleScope);
             resource.updateScopes(scopeset);
             resource.setType("Role");
         }
         Policy mapRolePermission = mapRolePermission(role);
         if (mapRolePermission == null) {
             mapRolePermission = Helper.addEmptyScopePermission(authz, server, getMapRolePermissionName(role), resource, mapRoleScope);
             mapRolePermission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
         }
 
         Policy mapClientScopePermission = mapClientScopePermission(role);
         if (mapClientScopePermission == null) {
             mapClientScopePermission = Helper.addEmptyScopePermission(authz, server, getMapClientScopePermissionName(role), resource, mapClientScope);
             mapClientScopePermission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
         }
 
         Policy mapCompositePermission = mapCompositePermission(role);
         if (mapCompositePermission == null) {
             mapCompositePermission = Helper.addEmptyScopePermission(authz, server, getMapCompositePermissionName(role), resource, mapCompositeScope);
             mapCompositePermission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
         }
     }

◆ isPermissionsEnabled()

boolean org.keycloak.services.resources.admin.permissions.RolePermissions.isPermissionsEnabled ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionManagementを実装しています。

                                                         {
         return mapRolePermission(role) != null;
     }

◆ manageUsersPolicy()

Policy org.keycloak.services.resources.admin.permissions.RolePermissions.manageUsersPolicy ( ResourceServer server )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionManagementを実装しています。

                                                            {
         RoleModel role = root.getRealmManagementClient().getRole(AdminRoles.MANAGE_USERS);
         return rolePolicy(server, role);
     }

◆ mapClientScope()

Scope org.keycloak.services.resources.admin.permissions.RolePermissions.mapClientScope ( ResourceServer server )

inlineprivate

                                                         {
         return authz.getStoreFactory().getScopeStore().findByName(MAP_ROLE_CLIENT_SCOPE_SCOPE, server.getId());
     }

◆ mapClientScopePermission()

Policy org.keycloak.services.resources.admin.permissions.RolePermissions.mapClientScopePermission ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionManagementを実装しています。

                                                            {
         ResourceServer server = resourceServer(role);
         if (server == null) return null;
 
         return  authz.getStoreFactory().getPolicyStore().findByName(getMapClientScopePermissionName(role), server.getId());
     }

◆ mapCompositePermission()

Policy org.keycloak.services.resources.admin.permissions.RolePermissions.mapCompositePermission ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionManagementを実装しています。

                                                          {
         ResourceServer server = resourceServer(role);
         if (server == null) return null;
 
         return  authz.getStoreFactory().getPolicyStore().findByName(getMapCompositePermissionName(role), server.getId());
     }

◆ mapCompositeScope()

Scope org.keycloak.services.resources.admin.permissions.RolePermissions.mapCompositeScope ( ResourceServer server )

inlineprivate

                                                            {
         return authz.getStoreFactory().getScopeStore().findByName(MAP_ROLE_COMPOSITE_SCOPE, server.getId());
     }

◆ mapRolePermission()

Policy org.keycloak.services.resources.admin.permissions.RolePermissions.mapRolePermission ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionManagementを実装しています。

                                                     {
         ResourceServer server = resourceServer(role);
         if (server == null) return null;
         return  authz.getStoreFactory().getPolicyStore().findByName(getMapRolePermissionName(role), server.getId());
     }

◆ mapRoleScope()

Scope org.keycloak.services.resources.admin.permissions.RolePermissions.mapRoleScope ( ResourceServer server )

inlineprivate

                                                       {
         return authz.getStoreFactory().getScopeStore().findByName(MAP_ROLE_SCOPE, server.getId());
     }

◆ requireList()

void org.keycloak.services.resources.admin.permissions.RolePermissions.requireList ( RoleContainerModel container )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                                           {
         if (!canList(container)) {
             throw new ForbiddenException();
         }
 
     }

◆ requireManage() [1/2]

void org.keycloak.services.resources.admin.permissions.RolePermissions.requireManage ( RoleContainerModel container )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                                             {
         if (!canManage(container)) {
             throw new ForbiddenException();
         }
     }

◆ requireManage() [2/2]

void org.keycloak.services.resources.admin.permissions.RolePermissions.requireManage ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                               {
         if (!canManage(role)) {
             throw new ForbiddenException();
         }
 
     }

◆ requireMapClientScope()

void org.keycloak.services.resources.admin.permissions.RolePermissions.requireMapClientScope ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                                       {
         if (!canMapClientScope(role)) {
             throw new ForbiddenException();
         }
     }

◆ requireMapComposite()

void org.keycloak.services.resources.admin.permissions.RolePermissions.requireMapComposite ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                                     {
         if (!canMapComposite(role)) {
             throw new ForbiddenException();
         }
 
     }

◆ requireMapRole()

void org.keycloak.services.resources.admin.permissions.RolePermissions.requireMapRole ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                                {
         if (!canMapRole(role)) {
             throw new ForbiddenException();
         }
 
     }

◆ requireView() [1/2]

void org.keycloak.services.resources.admin.permissions.RolePermissions.requireView ( RoleContainerModel container )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                                           {
         if (!canView(container)) {
             throw new ForbiddenException();
         }
     }

◆ requireView() [2/2]

void org.keycloak.services.resources.admin.permissions.RolePermissions.requireView ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionEvaluatorを実装しています。

                                             {
         if (!canView(role)) {
             throw new ForbiddenException();
         }
 
     }

◆ resource()

Resource org.keycloak.services.resources.admin.permissions.RolePermissions.resource ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionManagementを実装しています。

                                              {
         ResourceStore resourceStore = authz.getStoreFactory().getResourceStore();
         ResourceServer server = resourceServer(role);
         if (server == null) return null;
         return  resourceStore.findByName(getRoleResourceName(role), server.getId());
     }

◆ resourceServer()

ResourceServer org.keycloak.services.resources.admin.permissions.RolePermissions.resourceServer ( RoleModel role )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionManagementを実装しています。

                                                          {
         ClientModel client = getRoleClient(role);
         return root.resourceServer(client);
     }

◆ rolePolicy()

Policy org.keycloak.services.resources.admin.permissions.RolePermissions.rolePolicy	(	ResourceServer	server,
		RoleModel	role
	)

inline

org.keycloak.services.resources.admin.permissions.RolePermissionManagementを実装しています。

                                                                     {
         String policyName = Helper.getRolePolicyName(role);
         Policy policy = authz.getStoreFactory().getPolicyStore().findByName(policyName, server.getId());
         if (policy != null) return policy;
         return Helper.createRolePolicy(authz, server, role, policyName);
     }

◆ sdfgetResourceServer()

ResourceServer org.keycloak.services.resources.admin.permissions.RolePermissions.sdfgetResourceServer ( RoleModel role )

inlineprivate

                                                                 {
         ClientModel client = getRoleClient(role);
         return root.findOrCreateResourceServer(client);
     }

◆ setPermissionsEnabled()

void org.keycloak.services.resources.admin.permissions.RolePermissions.setPermissionsEnabled	(	RoleModel	role,
		boolean	enable
	)

inline

org.keycloak.services.resources.admin.permissions.RolePermissionManagementを実装しています。

                                                                       {
        if (enable) {
            initialize(role);
        } else {
            disablePermissions(role);
        }
     }

◆ viewUsersPolicy()

Policy org.keycloak.services.resources.admin.permissions.RolePermissions.viewUsersPolicy ( ResourceServer server )

inline

org.keycloak.services.resources.admin.permissions.RolePermissionManagementを実装しています。

                                                          {
         RoleModel role = root.getRealmManagementClient().getRole(AdminRoles.VIEW_USERS);
         return rolePolicy(server, role);
     }

メンバ詳解

◆ authz

final AuthorizationProvider org.keycloak.services.resources.admin.permissions.RolePermissions.authz

protected

◆ logger

final Logger org.keycloak.services.resources.admin.permissions.RolePermissions.logger = Logger.getLogger(RolePermissions.class)

staticprivate

◆ MAP_ROLE_CLIENT_SCOPE_SCOPE

final String org.keycloak.services.resources.admin.permissions.RolePermissionManagement.MAP_ROLE_CLIENT_SCOPE_SCOPE = "map-role-client-scope"

staticinherited

◆ MAP_ROLE_COMPOSITE_SCOPE

final String org.keycloak.services.resources.admin.permissions.RolePermissionManagement.MAP_ROLE_COMPOSITE_SCOPE = "map-role-composite"

staticinherited

◆ MAP_ROLE_SCOPE

final String org.keycloak.services.resources.admin.permissions.RolePermissionManagement.MAP_ROLE_SCOPE = "map-role"

staticinherited

◆ realm

final RealmModel org.keycloak.services.resources.admin.permissions.RolePermissions.realm

protected

◆ root

final MgmtPermissions org.keycloak.services.resources.admin.permissions.RolePermissions.root

protected

◆ session

final KeycloakSession org.keycloak.services.resources.admin.permissions.RolePermissions.session

protected

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java

公開メンバ関数

静的公開変数類

限定公開変数類

非公開メンバ関数

静的非公開メンバ関数

静的非公開変数類

詳解

構築子と解体子

◆ RolePermissions()

関数詳解

◆ adminConflictMessage()

◆ canList()

◆ canManage() [1/2]

◆ canManage() [2/2]

◆ canManageDefault()

◆ canMapClientScope()

◆ canMapComposite()

◆ canMapRole()

◆ canView() [1/2]

◆ canView() [2/2]

◆ checkAdminRoles()

◆ disablePermissions()

◆ getMapClientScopePermissionName()

◆ getMapCompositePermissionName()

◆ getMapRolePermissionName()

◆ getPermissions()

◆ getRoleClient()

◆ getRoleResourceName()

◆ initialize()

◆ isPermissionsEnabled()

◆ manageUsersPolicy()

◆ mapClientScope()

◆ mapClientScopePermission()

◆ mapCompositePermission()

◆ mapCompositeScope()

◆ mapRolePermission()

◆ mapRoleScope()

◆ requireList()

◆ requireManage() [1/2]

◆ requireManage() [2/2]

◆ requireMapClientScope()

◆ requireMapComposite()

◆ requireMapRole()

◆ requireView() [1/2]

◆ requireView() [2/2]

◆ resource()

◆ resourceServer()

◆ rolePolicy()

◆ sdfgetResourceServer()

◆ setPermissionsEnabled()

◆ viewUsersPolicy()

メンバ詳解

◆ authz

◆ logger

◆ MAP_ROLE_CLIENT_SCOPE_SCOPE

◆ MAP_ROLE_COMPOSITE_SCOPE

◆ MAP_ROLE_SCOPE

◆ realm

◆ root

◆ session