org.keycloak.authorization.protection.permission.PermissionTicketService クラス

公開メンバ関数

 PermissionTicketService (KeycloakIdentity identity, ResourceServer resourceServer, AuthorizationProvider authorization)
 
Response create (PermissionTicketRepresentation representation)
 
Response update (PermissionTicketRepresentation representation)
 
Response delete (@PathParam("id") String id)
 
Response find (@QueryParam("scopeId") String scopeId, @QueryParam("resourceId") String resourceId, @QueryParam("owner") String owner, @QueryParam("requester") String requester, @QueryParam("granted") Boolean granted, @QueryParam("returnNames") Boolean returnNames, @QueryParam("first") Integer firstResult, @QueryParam("max") Integer maxResult)
 

非公開メンバ関数

String getUserId (String userIdOrName)
 

非公開変数類

final AuthorizationProvider authorization
 
final KeycloakIdentity identity
 
final ResourceServer resourceServer
 

詳解

著者
Pedro Igor

構築子と解体子

◆ PermissionTicketService()

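/**
 * Creates the service bound to one calling identity and one resource server.
 * <p>
 * All three collaborators are stored as-is; the rendered listing only shows the
 * {@code identity} assignment, but every {@code final} field must be assigned here
 * for the class to compile, so the other two are assigned the same way.
 *
 * @param identity        the caller on whose behalf tickets are created, updated, deleted or listed
 * @param resourceServer  the resource server whose tickets this service manages
 * @param authorization   provider giving access to the store factory, the realm and the session
 */
public PermissionTicketService(KeycloakIdentity identity, ResourceServer resourceServer, AuthorizationProvider authorization) {
    this.identity = identity;
    this.resourceServer = resourceServer;
    this.authorization = authorization;
}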
final AuthorizationProvider authorization
Definition: PermissionTicketService.java:59
final KeycloakIdentity identity
Definition: PermissionTicketService.java:60
final ResourceServer resourceServer
Definition: PermissionTicketService.java:61

関数詳解

◆ create()

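/**
 * Creates a permission ticket for a resource owned by the caller.
 * <p>
 * Checks are applied in this order, each failure mapping to {@code 400}: payload present,
 * no id supplied, resource set, scope or scopeName set, requester or requesterName set.
 * The resource must exist on this resource server and be owned by the calling identity
 * ({@code 403} otherwise); unlike {@link #update} and {@link #delete}, the resource server
 * itself is not accepted as the creator. The requester must resolve to a user, the scope must
 * resolve and belong to the resource, and a ticket for the same resource/scope/requester must
 * not already exist. When the payload is marked granted the ticket is stamped with the current
 * time as its granted timestamp.
 *
 * @param representation the ticket to create (id must be absent)
 * @return {@code 200} with the stored ticket as a representation
 * @throws ErrorResponseException on validation, lookup or authorization failure
 */
public Response create(PermissionTicketRepresentation representation) {
    PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();

    validateCreateRequest(representation);

    Resource resource = requireOwnedResource(representation);
    UserModel requester = resolveRequester(representation);
    Scope scope = resolveScope(representation, resource);

    Map<String, String> attributes = new HashMap<>();
    attributes.put(PermissionTicket.RESOURCE, resource.getId());
    attributes.put(PermissionTicket.SCOPE, scope.getId());
    attributes.put(PermissionTicket.REQUESTER, requester.getId());

    // Duplicate check uses the resolved ids, not the raw payload values, so id and name
    // variants of the same request collapse onto the same ticket.
    if (!ticketStore.find(attributes, resourceServer.getId(), -1, -1).isEmpty()) {
        throw new ErrorResponseException("invalid_permission", "Permission already exists", Response.Status.BAD_REQUEST);
    }

    PermissionTicket ticket = ticketStore.create(resource.getId(), scope.getId(), requester.getId(), resourceServer);
    if (representation.isGranted()) {
        ticket.setGrantedTimestamp(System.currentTimeMillis());
    }

    return Response.ok(ModelToRepresentation.toRepresentation(ticket, authorization)).build();
}

/** Rejects payloads that carry an id or lack the fields a new ticket needs (all {@code 400}). */
private static void validateCreateRequest(PermissionTicketRepresentation representation) {
    if (representation == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_permission", Response.Status.BAD_REQUEST);
    }
    if (representation.getId() != null) {
        throw new ErrorResponseException("invalid_permission", "created permissions should not have id", Response.Status.BAD_REQUEST);
    }
    if (representation.getResource() == null) {
        throw new ErrorResponseException("invalid_permission", "created permissions should have resource", Response.Status.BAD_REQUEST);
    }
    if (representation.getScope() == null && representation.getScopeName() == null) {
        throw new ErrorResponseException("invalid_permission", "created permissions should have scope or scopeName", Response.Status.BAD_REQUEST);
    }
    if (representation.getRequester() == null && representation.getRequesterName() == null) {
        throw new ErrorResponseException("invalid_permission", "created permissions should have requester or requesterName", Response.Status.BAD_REQUEST);
    }
}

/**
 * Loads the resource named in the payload and checks that the calling identity owns it.
 * The ownership check runs before any requester or scope lookup, so an unauthorized caller
 * learns nothing beyond whether the resource id exists on this server.
 */
private Resource requireOwnedResource(PermissionTicketRepresentation representation) {
    ResourceStore resourceStore = this.authorization.getStoreFactory().getResourceStore();
    Resource resource = resourceStore.findById(representation.getResource(), resourceServer.getId());
    if (resource == null) {
        throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not exists in this server.", Response.Status.BAD_REQUEST);
    }
    if (!resource.getOwner().equals(this.identity.getId())) {
        throw new ErrorResponseException("not_authorised", "permissions for [" + representation.getResource() + "] can be only created by the owner", Response.Status.FORBIDDEN);
    }
    return resource;
}

/**
 * Resolves the requester by id when one is given, otherwise by username.
 * NOTE(review): this goes through userStorageManager() whereas getUserId() uses users();
 * whether the two are interchangeable is not visible from this class.
 */
private UserModel resolveRequester(PermissionTicketRepresentation representation) {
    RealmModel realm = this.authorization.getRealm();
    UserModel user;
    if (representation.getRequester() != null) {
        // An explicit requester id wins over requesterName when both are present.
        user = this.authorization.getKeycloakSession().userStorageManager().getUserById(representation.getRequester(), realm);
    } else {
        user = this.authorization.getKeycloakSession().userStorageManager().getUserByUsername(representation.getRequesterName(), realm);
    }
    if (user == null) {
        throw new ErrorResponseException("invalid_permission", "Requester does not exists in this server as user.", Response.Status.BAD_REQUEST);
    }
    return user;
}

/**
 * Resolves the scope (scopeName takes precedence over scope id) and checks that the
 * resource actually carries it. The two "invalid" branches are ordered so that, when both
 * scope and scopeName were supplied and the name lookup failed, the id is what gets reported.
 */
private Scope resolveScope(PermissionTicketRepresentation representation, Resource resource) {
    ScopeStore scopeStore = this.authorization.getStoreFactory().getScopeStore();
    Scope scope;
    if (representation.getScopeName() != null) {
        scope = scopeStore.findByName(representation.getScopeName(), resourceServer.getId());
    } else {
        scope = scopeStore.findById(representation.getScope(), resourceServer.getId());
    }

    if (scope == null && representation.getScope() != null) {
        throw new ErrorResponseException("invalid_scope", "Scope [" + representation.getScope() + "] is invalid", Response.Status.BAD_REQUEST);
    }
    if (scope == null && representation.getScopeName() != null) {
        throw new ErrorResponseException("invalid_scope", "Scope [" + representation.getScopeName() + "] is invalid", Response.Status.BAD_REQUEST);
    }

    // scope is non-null here: validateCreateRequest guarantees one of scope/scopeName was set,
    // and the matching branch above throws when the lookup came back empty.
    // Membership relies on Scope.equals() — presumably identity-based; confirm against the model.
    if (!resource.getScopes().contains(scope)) {
        throw new ErrorResponseException("invalid_resource_id", "Resource set with id [" + representation.getResource() + "] does not have Scope [" + scope.getName() + "]", Response.Status.BAD_REQUEST);
    }
    return scope;
}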
final AuthorizationProvider authorization
Definition: PermissionTicketService.java:59
final KeycloakIdentity identity
Definition: PermissionTicketService.java:60
final ResourceServer resourceServer
Definition: PermissionTicketService.java:61
String getId()
Definition: KeycloakIdentity.java:214

◆ delete()

/**
 * Deletes the ticket with the given id.
 * <p>
 * A missing id and an unknown id produce the same {@code invalid_ticket} error, so a caller
 * cannot tell the two apart. Deletion is permitted to the ticket's owner, to its requester,
 * and to the resource server identity; anyone else gets {@code 403}.
 *
 * @param id the ticket id from the path
 * @return {@code 204} once the ticket is removed
 * @throws ErrorResponseException when the id is absent or unknown, or the caller is not permitted
 */
public Response delete(@PathParam("id") String id) {
    if (id == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
    }

    PermissionTicketStore store = authorization.getStoreFactory().getPermissionTicketStore();
    PermissionTicket ticket = store.findById(id, resourceServer.getId());

    if (ticket == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
    }

    // Decided on the stored ticket, not on anything the caller sent besides the id.
    boolean permitted = ticket.getOwner().equals(this.identity.getId())
            || this.identity.isResourceServer()
            || ticket.getRequester().equals(this.identity.getId());

    if (!permitted) {
        throw new ErrorResponseException("not_authorised", "permissions for [" + ticket.getResource() + "] can be deleted only by the owner, the requester, or the resource server", Response.Status.FORBIDDEN);
    }

    store.delete(id);

    return Response.noContent().build();
}
final AuthorizationProvider authorization
Definition: PermissionTicketService.java:59
final KeycloakIdentity identity
Definition: PermissionTicketService.java:60
final ResourceServer resourceServer
Definition: PermissionTicketService.java:61
String getId()
Definition: KeycloakIdentity.java:214
boolean isResourceServer()
Definition: KeycloakIdentity.java:232

◆ find()

/**
 * Lists tickets of this resource server matching the given query parameters.
 * <p>
 * Every non-null parameter becomes one filter entry. {@code scopeId} is first tried as a scope
 * id, then as a scope name; if neither resolves the raw value is used as the filter. {@code owner}
 * and {@code requester} are normalised through {@link #getUserId}. No filtering on the calling
 * identity is applied here — whatever restricts who may call this endpoint lives outside this
 * method.
 *
 * @param scopeId      scope id or name, optional
 * @param resourceId   resource id, optional
 * @param owner        owner user id or username, optional
 * @param requester    requester user id or username, optional
 * @param granted      restrict to granted / not granted tickets, optional
 * @param returnNames  when true, representations also carry names; null counts as false
 * @param firstResult  paging offset; null means no offset (-1)
 * @param maxResult    page size; null means {@code Constants.DEFAULT_MAX_RESULTS}
 * @return {@code 200} with the list of ticket representations
 */
public Response find(@QueryParam("scopeId") String scopeId,
                     @QueryParam("resourceId") String resourceId,
                     @QueryParam("owner") String owner,
                     @QueryParam("requester") String requester,
                     @QueryParam("granted") Boolean granted,
                     @QueryParam("returnNames") Boolean returnNames,
                     @QueryParam("first") Integer firstResult,
                     @QueryParam("max") Integer maxResult) {
    StoreFactory storeFactory = authorization.getStoreFactory();
    PermissionTicketStore ticketStore = storeFactory.getPermissionTicketStore();

    Map<String, String> criteria = new HashMap<>();

    if (resourceId != null) {
        criteria.put(PermissionTicket.RESOURCE, resourceId);
    }
    if (scopeId != null) {
        criteria.put(PermissionTicket.SCOPE, scopeFilterValue(storeFactory.getScopeStore(), scopeId));
    }
    if (owner != null) {
        criteria.put(PermissionTicket.OWNER, getUserId(owner));
    }
    if (requester != null) {
        criteria.put(PermissionTicket.REQUESTER, getUserId(requester));
    }
    if (granted != null) {
        criteria.put(PermissionTicket.GRANTED, String.valueOf(granted));
    }

    int first = firstResult != null ? firstResult : -1;
    int max = maxResult != null ? maxResult : Constants.DEFAULT_MAX_RESULTS;
    boolean withNames = Boolean.TRUE.equals(returnNames);

    return Response.ok()
            .entity(ticketStore.find(criteria, resourceServer.getId(), first, max)
                    .stream()
                    .map(ticket -> ModelToRepresentation.toRepresentation(ticket, authorization, withNames))
                    .collect(Collectors.toList()))
            .build();
}

/** Maps a scope id-or-name to the scope's id; falls back to the raw value when nothing resolves. */
private String scopeFilterValue(ScopeStore scopeStore, String scopeIdOrName) {
    Scope scope = scopeStore.findById(scopeIdOrName, resourceServer.getId());
    if (scope == null) {
        scope = scopeStore.findByName(scopeIdOrName, resourceServer.getId());
    }
    return scope != null ? scope.getId() : scopeIdOrName;
}
final AuthorizationProvider authorization
Definition: PermissionTicketService.java:59
final ResourceServer resourceServer
Definition: PermissionTicketService.java:61
String getUserId(String userIdOrName)
Definition: PermissionTicketService.java:229

◆ getUserId()

/**
 * Normalises a user id or username to a user id.
 * <p>
 * The value is looked up as an id first, then as a username. If neither matches, the input
 * is returned unchanged and ends up in the store filter as-is, so an unknown user yields a
 * filter on a non-existent id rather than an error.
 *
 * @param userIdOrName user id or username as supplied by the caller
 * @return the resolved user id, or {@code userIdOrName} when no user matches
 */
private String getUserId(String userIdOrName) {
    UserProvider users = authorization.getKeycloakSession().users();
    RealmModel realm = authorization.getRealm();

    UserModel byId = users.getUserById(userIdOrName, realm);
    UserModel resolved = byId != null ? byId : users.getUserByUsername(userIdOrName, realm);

    return resolved != null ? resolved.getId() : userIdOrName;
}
final AuthorizationProvider authorization
Definition: PermissionTicketService.java:59

◆ update()

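/**
 * Updates an existing ticket from the given representation.
 * <p>
 * Only the id is required in the payload; the ticket is loaded from the store and the
 * authorization decision is made on the stored ticket, never on the payload. The ticket's
 * owner and the resource server identity may update it; the requester may not (contrast
 * with {@link #delete}). The remaining fields are applied by
 * {@code RepresentationToModel.toModel}, whose exact field handling is not visible here.
 *
 * @param representation the ticket to update; {@code getId()} must be set
 * @return {@code 204} once the ticket has been updated
 * @throws ErrorResponseException when the payload or id is missing, the ticket is unknown,
 *         or the caller is neither owner nor resource server
 */
public Response update(PermissionTicketRepresentation representation) {
    if (representation == null || representation.getId() == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
    }

    PermissionTicketStore ticketStore = authorization.getStoreFactory().getPermissionTicketStore();
    PermissionTicket ticket = ticketStore.findById(representation.getId(), resourceServer.getId());

    if (ticket == null) {
        throw new ErrorResponseException(OAuthErrorException.INVALID_REQUEST, "invalid_ticket", Response.Status.BAD_REQUEST);
    }

    if (!ticket.getOwner().equals(this.identity.getId()) && !this.identity.isResourceServer()) {
        // Report the resource recorded on the ticket, as delete() does; the update payload
        // is not required to carry a resource id, so representation.getResource() may be null.
        throw new ErrorResponseException("not_authorised", "permissions for [" + ticket.getResource() + "] can be updated only by the owner or by the resource server", Response.Status.FORBIDDEN);
    }

    RepresentationToModel.toModel(representation, resourceServer.getId(), authorization);

    return Response.noContent().build();
}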
final AuthorizationProvider authorization
Definition: PermissionTicketService.java:59
final KeycloakIdentity identity
Definition: PermissionTicketService.java:60
final ResourceServer resourceServer
Definition: PermissionTicketService.java:61
String getId()
Definition: KeycloakIdentity.java:214
boolean isResourceServer()
Definition: KeycloakIdentity.java:232

メンバ詳解

◆ authorization

final AuthorizationProvider org.keycloak.authorization.protection.permission.PermissionTicketService.authorization
private

◆ identity

final KeycloakIdentity org.keycloak.authorization.protection.permission.PermissionTicketService.identity
private

◆ resourceServer

final ResourceServer org.keycloak.authorization.protection.permission.PermissionTicketService.resourceServer
private

このクラス詳解は次のファイルから抽出されました: