org.keycloak.authorization.admin.PolicyEvaluationService 連携図

クラス
class	CloseableKeycloakIdentity

class	EvaluationDecisionCollector

公開メンバ関数
Response	evaluate (PolicyEvaluationRequest evaluationRequest)

関数
	PolicyEvaluationService (ResourceServer resourceServer, AuthorizationProvider authorization, AdminPermissionEvaluator auth)

非公開メンバ関数
EvaluationDecisionCollector	evaluate (PolicyEvaluationRequest evaluationRequest, EvaluationContext evaluationContext, AuthorizationRequest request)

EvaluationContext	createEvaluationContext (PolicyEvaluationRequest representation, KeycloakIdentity identity)

List< ResourcePermission >	createPermissions (PolicyEvaluationRequest representation, EvaluationContext evaluationContext, AuthorizationProvider authorization, AuthorizationRequest request)

CloseableKeycloakIdentity	createIdentity (PolicyEvaluationRequest representation)

非公開変数類
final AuthorizationProvider	authorization

final AdminPermissionEvaluator	auth

final ResourceServer	resourceServer

静的非公開変数類
static final Logger	logger = Logger.getLogger(PolicyEvaluationService.class)

詳解

著者: Pedro Igor

構築子と解体子

◆ PolicyEvaluationService()

org.keycloak.authorization.admin.PolicyEvaluationService.PolicyEvaluationService	(	ResourceServer	resourceServer,
		AuthorizationProvider	authorization,
		AdminPermissionEvaluator	auth
	)

inlinepackage

                                                                                                                                {
         this.resourceServer = resourceServer;
         this.authorization = authorization;
         this.auth = auth;
     }

関数詳解

◆ createEvaluationContext()

EvaluationContext org.keycloak.authorization.admin.PolicyEvaluationService.createEvaluationContext	(	PolicyEvaluationRequest	representation,
		KeycloakIdentity	identity
	)

inlineprivate

                                                                                                                          {
         return new KeycloakEvaluationContext(identity, this.authorization.getKeycloakSession()) {
             @Override
             public Attributes getAttributes() {
                 Map<String, Collection<String>> attributes = new HashMap<>(super.getAttributes().toMap());
                 Map<String, String> givenAttributes = representation.getContext().get("attributes");
 
                 if (givenAttributes != null) {
                     givenAttributes.forEach((key, entryValue) -> {
                         if (entryValue != null) {
                             List<String> values = new ArrayList();
 
                             for (String value : entryValue.split(",")) {
                                 values.add(value);
                             }
 
                             attributes.put(key, values);
                         }
                     });
                 }
 
                 return Attributes.from(attributes);
             }
         };
     }

◆ createIdentity()

CloseableKeycloakIdentity org.keycloak.authorization.admin.PolicyEvaluationService.createIdentity ( PolicyEvaluationRequest representation )

inlineprivate

                                                                                              {
         KeycloakSession keycloakSession = this.authorization.getKeycloakSession();
         RealmModel realm = keycloakSession.getContext().getRealm();
         AccessToken accessToken = null;
 
 
         String subject = representation.getUserId();
 
         UserSessionModel userSession = null;
         if (subject != null) {
             UserModel userModel = keycloakSession.users().getUserById(subject, realm);
 
             if (userModel != null) {
                 String clientId = representation.getClientId();
 
                 if (clientId == null) {
                     clientId = resourceServer.getId();
                 }
 
                 if (clientId != null) {
                     ClientModel clientModel = realm.getClientById(clientId);
 
                     AuthenticationSessionModel authSession = keycloakSession.authenticationSessions().createRootAuthenticationSession(realm)
                             .createAuthenticationSession(clientModel);
                     authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
                     authSession.setAuthenticatedUser(userModel);
                     userSession = keycloakSession.sessions().createUserSession(authSession.getParentSession().getId(), realm, userModel, userModel.getUsername(), "127.0.0.1", "passwd", false, null, null);
 
                     AuthenticationManager.setClientScopesInSession(authSession);
                     ClientSessionContext clientSessionCtx = TokenManager.attachAuthenticationSession(keycloakSession, userSession, authSession);
 
                     accessToken = new TokenManager().createClientAccessToken(keycloakSession, realm, clientModel, userModel, userSession, clientSessionCtx);
                 }
             }
         }
 
         if (accessToken == null) {
             accessToken = new AccessToken();
 
             accessToken.subject(representation.getUserId());
             accessToken.issuedFor(representation.getClientId());
             accessToken.audience(representation.getClientId());
             accessToken.issuer(Urls.realmIssuer(keycloakSession.getContext().getUri().getBaseUri(), realm.getName()));
             accessToken.setRealmAccess(new AccessToken.Access());
 
         }
 
         AccessToken.Access realmAccess = accessToken.getRealmAccess();
 
         if (representation.getRoleIds() != null) {
             representation.getRoleIds().forEach(roleName -> realmAccess.addRole(roleName));
         }
 
         return new CloseableKeycloakIdentity(accessToken, keycloakSession, userSession);
     }

◆ createPermissions()

List<ResourcePermission> org.keycloak.authorization.admin.PolicyEvaluationService.createPermissions	(	PolicyEvaluationRequest	representation,
		EvaluationContext	evaluationContext,
		AuthorizationProvider	authorization,
		AuthorizationRequest	request
	)

inlineprivate

                                                                                                                                                                                                        {
         return representation.getResources().stream().flatMap((Function<ResourceRepresentation, Stream<ResourcePermission>>) resource -> {
             StoreFactory storeFactory = authorization.getStoreFactory();
             if (resource == null) {
                 resource = new ResourceRepresentation();
             }
 
             Set<ScopeRepresentation> givenScopes = resource.getScopes();
 
             if (givenScopes == null) {
                 givenScopes = new HashSet();
             }
 
             ScopeStore scopeStore = storeFactory.getScopeStore();
 
             Set<Scope> scopes = givenScopes.stream().map(scopeRepresentation -> scopeStore.findByName(scopeRepresentation.getName(), resourceServer.getId())).collect(Collectors.toSet());
 
             if (resource.getId() != null) {
                 Resource resourceModel = storeFactory.getResourceStore().findById(resource.getId(), resourceServer.getId());
                 return new ArrayList<>(Arrays.asList(Permissions.createResourcePermissions(resourceModel, scopes, authorization, request))).stream();
             } else if (resource.getType() != null) {
                 return storeFactory.getResourceStore().findByType(resource.getType(), resourceServer.getId()).stream().map(resource1 -> Permissions.createResourcePermissions(resource1, scopes, authorization, request));
             } else {
                 if (scopes.isEmpty()) {
                     return Permissions.all(resourceServer, evaluationContext.getIdentity(), authorization, request).stream();
                 }
 
                 List<Resource> resources = storeFactory.getResourceStore().findByScope(scopes.stream().map(Scope::getId).collect(Collectors.toList()), resourceServer.getId());
 
                 if (resources.isEmpty()) {
                     return scopes.stream().map(scope -> new ResourcePermission(null, new ArrayList<>(Arrays.asList(scope)), resourceServer));
                 }
 
 
                 return resources.stream().map(resource12 -> Permissions.createResourcePermissions(resource12, scopes, authorization, request));
             }
         }).collect(Collectors.toList());
     }

◆ evaluate() [1/2]

Response org.keycloak.authorization.admin.PolicyEvaluationService.evaluate ( PolicyEvaluationRequest evaluationRequest )

inline

                                                                         {
         this.auth.realm().requireViewAuthorization();
         CloseableKeycloakIdentity identity = createIdentity(evaluationRequest);
         try {
             AuthorizationRequest request = new AuthorizationRequest();
             Map<String, List<String>> claims = new HashMap<>();
             Map<String, String> givenAttributes = evaluationRequest.getContext().get("attributes");
 
             if (givenAttributes != null) {
                 givenAttributes.forEach((key, entryValue) -> {
                     if (entryValue != null) {
                         List<String> values = new ArrayList();
 
                         for (String value : entryValue.split(",")) {
                             values.add(value);
                         }
 
                         claims.put(key, values);
                     }
                 });
             }
 
             request.setClaims(claims);
 
             return Response.ok(PolicyEvaluationResponseBuilder.build(evaluate(evaluationRequest, createEvaluationContext(evaluationRequest, identity), request), resourceServer, authorization, identity)).build();
         } catch (Exception e) {
             logger.error("Error while evaluating permissions", e);
             throw new ErrorResponseException(OAuthErrorException.SERVER_ERROR, "Error while evaluating permissions.", Status.INTERNAL_SERVER_ERROR);
         } finally {
             identity.close();
         }
     }

◆ evaluate() [2/2]

EvaluationDecisionCollector org.keycloak.authorization.admin.PolicyEvaluationService.evaluate	(	PolicyEvaluationRequest	evaluationRequest,
		EvaluationContext	evaluationContext,
		AuthorizationRequest	request
	)

inlineprivate

                                                                                                                                                                {
         return authorization.evaluators().from(createPermissions(evaluationRequest, evaluationContext, authorization, request), evaluationContext).evaluate(new EvaluationDecisionCollector(authorization, resourceServer, request));
     }

メンバ詳解

◆ auth

final AdminPermissionEvaluator org.keycloak.authorization.admin.PolicyEvaluationService.auth

private

◆ authorization

final AuthorizationProvider org.keycloak.authorization.admin.PolicyEvaluationService.authorization

private

◆ logger

final Logger org.keycloak.authorization.admin.PolicyEvaluationService.logger = Logger.getLogger(PolicyEvaluationService.class)

staticprivate

◆ resourceServer

final ResourceServer org.keycloak.authorization.admin.PolicyEvaluationService.resourceServer

private

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java

クラス

公開メンバ関数

関数

非公開メンバ関数

非公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ PolicyEvaluationService()

関数詳解

◆ createEvaluationContext()

◆ createIdentity()

◆ createPermissions()

◆ evaluate() [1/2]

◆ evaluate() [2/2]

メンバ詳解

◆ auth

◆ authorization

◆ logger

◆ resourceServer