org.keycloak.services.resources.admin.permissions.MgmtPermissions の継承関係図

org.keycloak.services.resources.admin.permissions.MgmtPermissions 連携図

公開メンバ関数
ClientModel	getRealmManagementClient ()

AuthorizationProvider	authz ()

void	requireAnyAdminRole ()

boolean	hasAnyAdminRole ()

boolean	hasAnyAdminRole (RealmModel realm)

boolean	hasOneAdminRole (String... adminRoles)

boolean	hasOneAdminRole (RealmModel realm, String... adminRoles)

boolean	isAdminSameRealm ()

AdminAuth	adminAuth ()

Identity	identity ()

UserModel	admin ()

RealmModel	adminsRealm ()

RolePermissions	roles ()

UserPermissions	users ()

RealmPermissions	realm ()

ClientPermissions	clients ()

IdentityProviderPermissions	idps ()

GroupPermissions	groups ()

ResourceServer	findOrCreateResourceServer (ClientModel client)

ResourceServer	resourceServer (ClientModel client)

ResourceServer	realmResourceServer ()

ResourceServer	initializeRealmResourceServer ()

void	initializeRealmDefaultScopes ()

Scope	initializeRealmScope (String name)

Scope	initializeScope (String name, ResourceServer server)

Scope	realmManageScope ()

Scope	realmViewScope ()

Scope	realmScope (String scope)

boolean	evaluatePermission (Resource resource, Scope scope, ResourceServer resourceServer)

boolean	evaluatePermission (Resource resource, Scope scope, ResourceServer resourceServer, Identity identity)

boolean	evaluatePermission (Resource resource, Scope scope, ResourceServer resourceServer, EvaluationContext context)

boolean	canView (RealmModel realm)

boolean	isAdmin (RealmModel realm)

boolean	isAdmin ()

boolean	canCreateRealm ()

void	requireCreateRealm ()

静的公開変数類
static final String	MANAGE_SCOPE = "manage"

static final String	VIEW_SCOPE = "view"

static final String	TOKEN_EXCHANGE ="token-exchange"

限定公開変数類
RealmModel	realm

KeycloakSession	session

AuthorizationProvider	authz

AdminAuth	auth

Identity	identity

UserModel	admin

RealmModel	adminsRealm

ResourceServer	realmResourceServer

UserPermissions	users

GroupPermissions	groups

RealmPermissions	realmPermissions

ClientPermissions	clientPermissions

IdentityProviderPermissions	idpPermissions

Scope	manageScope

Scope	viewScope

関数
	MgmtPermissions (KeycloakSession session, RealmModel realm)

	MgmtPermissions (KeycloakSession session, RealmModel realm, AdminAuth auth)

	MgmtPermissions (KeycloakSession session, AdminAuth auth)

	MgmtPermissions (KeycloakSession session, RealmModel adminsRealm, UserModel admin)

	MgmtPermissions (KeycloakSession session, RealmModel realm, RealmModel adminsRealm, UserModel admin)

非公開メンバ関数
void	initIdentity (KeycloakSession session, AdminAuth auth)

静的非公開変数類
static final Logger	logger = Logger.getLogger(MgmtPermissions.class)

詳解

著者: Bill Burke

バージョン

Revision: 1

構築子と解体子

◆ MgmtPermissions() [1/5]

org.keycloak.services.resources.admin.permissions.MgmtPermissions.MgmtPermissions	(	KeycloakSession	session,
		RealmModel	realm
	)

inlinepackage

                                                                {
         this.session = session;
         this.realm = realm;
         KeycloakSessionFactory keycloakSessionFactory = session.getKeycloakSessionFactory();
         AuthorizationProviderFactory factory = (AuthorizationProviderFactory) keycloakSessionFactory.getProviderFactory(AuthorizationProvider.class);
         this.authz = factory.create(session, realm);
     }

◆ MgmtPermissions() [2/5]

org.keycloak.services.resources.admin.permissions.MgmtPermissions.MgmtPermissions	(	KeycloakSession	session,
		RealmModel	realm,
		AdminAuth	auth
	)

inlinepackage

                                                                                {
         this(session, realm);
         this.auth = auth;
         this.admin = auth.getUser();
         this.adminsRealm = auth.getRealm();
         if (!auth.getRealm().equals(realm)
                 && !auth.getRealm().equals(new RealmManager(session).getKeycloakAdminstrationRealm())) {
             throw new ForbiddenException();
         }
         initIdentity(session, auth);
     }

◆ MgmtPermissions() [3/5]

org.keycloak.services.resources.admin.permissions.MgmtPermissions.MgmtPermissions	(	KeycloakSession	session,
		AdminAuth	auth
	)

inlinepackage

                                                              {
         this.session = session;
         this.auth = auth;
         this.admin = auth.getUser();
         this.adminsRealm = auth.getRealm();
         initIdentity(session, auth);
     }

◆ MgmtPermissions() [4/5]

org.keycloak.services.resources.admin.permissions.MgmtPermissions.MgmtPermissions	(	KeycloakSession	session,
		RealmModel	adminsRealm,
		UserModel	admin
	)

inlinepackage

                                                                                       {
         this.session = session;
         this.admin = admin;
         this.adminsRealm = adminsRealm;
         this.identity = new UserModelIdentity(adminsRealm, admin);
     }

◆ MgmtPermissions() [5/5]

org.keycloak.services.resources.admin.permissions.MgmtPermissions.MgmtPermissions	(	KeycloakSession	session,
		RealmModel	realm,
		RealmModel	adminsRealm,
		UserModel	admin
	)

inlinepackage

                                                                                                         {
         this(session, realm);
         this.admin = admin;
         this.adminsRealm = adminsRealm;
         this.identity = new UserModelIdentity(realm, admin);
     }

関数詳解

◆ admin()

UserModel org.keycloak.services.resources.admin.permissions.MgmtPermissions.admin ( )

inline

                              {
         return admin;
     }

◆ adminAuth()

AdminAuth org.keycloak.services.resources.admin.permissions.MgmtPermissions.adminAuth ( )

inline

org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluatorを実装しています。

                                  {
         return auth;
     }

◆ adminsRealm()

RealmModel org.keycloak.services.resources.admin.permissions.MgmtPermissions.adminsRealm ( )

inline

                                     {
         return adminsRealm;
     }

◆ authz()

AuthorizationProvider org.keycloak.services.resources.admin.permissions.MgmtPermissions.authz ( )

inline

org.keycloak.services.resources.admin.permissions.AdminPermissionManagementを実装しています。

                                          {
         return authz;
     }

◆ canCreateRealm()

boolean org.keycloak.services.resources.admin.permissions.MgmtPermissions.canCreateRealm ( )

inline

org.keycloak.services.resources.admin.permissions.RealmsPermissionEvaluatorを実装しています。

                                     {
         RealmManager realmManager = new RealmManager(session);
         if (!auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
            return false;
         }
         return identity.hasRealmRole(AdminRoles.CREATE_REALM);
     }

◆ canView()

boolean org.keycloak.services.resources.admin.permissions.MgmtPermissions.canView ( RealmModel realm )

inline

org.keycloak.services.resources.admin.permissions.RealmsPermissionEvaluatorを実装しています。

                                              {
         return hasOneAdminRole(realm, AdminRoles.VIEW_REALM, AdminRoles.MANAGE_REALM);
     }

◆ clients()

ClientPermissions org.keycloak.services.resources.admin.permissions.MgmtPermissions.clients ( )

inline

org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluatorを実装しています。

                                        {
         if (clientPermissions != null) return clientPermissions;
         clientPermissions = new ClientPermissions(session, realm, authz, this);
         return clientPermissions;
     }

◆ evaluatePermission() [1/3]

boolean org.keycloak.services.resources.admin.permissions.MgmtPermissions.evaluatePermission	(	Resource	resource,
		Scope	scope,
		ResourceServer	resourceServer
	)

inline

                                                                                                      {
         Identity identity = identity();
         if (identity == null) {
             throw new RuntimeException("Identity of admin is not set for permission query");
         }
         return evaluatePermission(resource, scope, resourceServer, identity);
     }

◆ evaluatePermission() [2/3]

boolean org.keycloak.services.resources.admin.permissions.MgmtPermissions.evaluatePermission	(	Resource	resource,
		Scope	scope,
		ResourceServer	resourceServer,
		Identity	identity
	)

inline

                                                                                                                         {
         EvaluationContext context = new DefaultEvaluationContext(identity, session);
         return evaluatePermission(resource, scope, resourceServer, context);
     }

◆ evaluatePermission() [3/3]

boolean org.keycloak.services.resources.admin.permissions.MgmtPermissions.evaluatePermission	(	Resource	resource,
		Scope	scope,
		ResourceServer	resourceServer,
		EvaluationContext	context
	)

inline

                                                                                                                                 {
         RealmModel oldRealm = session.getContext().getRealm();
         try {
             session.getContext().setRealm(realm);
             ResourcePermission permission = Permissions.permission(resourceServer, resource, scope);
             return !authz.evaluators().from(Arrays.asList(permission), context).evaluate(resourceServer, null).isEmpty();
         } finally {
             session.getContext().setRealm(oldRealm);
         }
     }

◆ findOrCreateResourceServer()

ResourceServer org.keycloak.services.resources.admin.permissions.MgmtPermissions.findOrCreateResourceServer ( ClientModel client )

inline

                                                                          {
          return initializeRealmResourceServer();
     }

◆ getRealmManagementClient()

ClientModel org.keycloak.services.resources.admin.permissions.MgmtPermissions.getRealmManagementClient ( )

inline

org.keycloak.services.resources.admin.permissions.AdminPermissionManagementを実装しています。

                                                   {
         ClientModel client = null;
         if (realm.getName().equals(Config.getAdminRealm())) {
             client = realm.getClientByClientId(Config.getAdminRealm() + "-realm");
         } else {
             client = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
 
         }
         return client;
     }

◆ groups()

GroupPermissions org.keycloak.services.resources.admin.permissions.MgmtPermissions.groups ( )

inline

org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluatorを実装しています。

                                      {
         if (groups != null) return groups;
         groups = new GroupPermissions(session, realm, authz, this);
         return groups;
     }

◆ hasAnyAdminRole() [1/2]

boolean org.keycloak.services.resources.admin.permissions.MgmtPermissions.hasAnyAdminRole ( )

inline

                                      {
         return hasOneAdminRole(AdminRoles.ALL_REALM_ROLES);
     }

◆ hasAnyAdminRole() [2/2]

boolean org.keycloak.services.resources.admin.permissions.MgmtPermissions.hasAnyAdminRole ( RealmModel realm )

inline

                                                      {
         return hasOneAdminRole(realm, AdminRoles.ALL_REALM_ROLES);
     }

◆ hasOneAdminRole() [1/2]

boolean org.keycloak.services.resources.admin.permissions.MgmtPermissions.hasOneAdminRole ( String... adminRoles )

inline

                                                          {
         String clientId;
         RealmModel realm = this.realm;
         return hasOneAdminRole(realm, adminRoles);
     }

◆ hasOneAdminRole() [2/2]

boolean org.keycloak.services.resources.admin.permissions.MgmtPermissions.hasOneAdminRole	(	RealmModel	realm,
		String...	adminRoles
	)

inline

                                                                            {
         String clientId;
         RealmManager realmManager = new RealmManager(session);
         if (adminsRealm.equals(realmManager.getKeycloakAdminstrationRealm())) {
             clientId = realm.getMasterAdminClient().getClientId();
         } else if (adminsRealm.equals(realm)) {
             clientId = realm.getClientByClientId(realmManager.getRealmAdminClientId(realm)).getClientId();
         } else {
             return false;
         }
         for (String adminRole : adminRoles) {
             if (identity.hasClientRole(clientId, adminRole)) return true;
         }
         return false;
     }

◆ identity()

Identity org.keycloak.services.resources.admin.permissions.MgmtPermissions.identity ( )

inline

                                {
         return identity;
     }

◆ idps()

IdentityProviderPermissions org.keycloak.services.resources.admin.permissions.MgmtPermissions.idps ( )

inline

org.keycloak.services.resources.admin.permissions.AdminPermissionManagementを実装しています。

                                               {
         if (idpPermissions != null) return idpPermissions;
         idpPermissions = new IdentityProviderPermissions(session, realm, authz, this);
         return idpPermissions;
     }

◆ initializeRealmDefaultScopes()

void org.keycloak.services.resources.admin.permissions.MgmtPermissions.initializeRealmDefaultScopes ( )

inline

                                                {
         ResourceServer server = initializeRealmResourceServer();
         manageScope = initializeRealmScope(MgmtPermissions.MANAGE_SCOPE);
         viewScope = initializeRealmScope(MgmtPermissions.VIEW_SCOPE);
     }

◆ initializeRealmResourceServer()

ResourceServer org.keycloak.services.resources.admin.permissions.MgmtPermissions.initializeRealmResourceServer ( )

inline

                                                           {
         if (realmResourceServer != null) return realmResourceServer;
         ClientModel client = getRealmManagementClient();
         realmResourceServer = authz.getStoreFactory().getResourceServerStore().findById(client.getId());
         if (realmResourceServer == null) {
             realmResourceServer = authz.getStoreFactory().getResourceServerStore().create(client.getId());
         }
         return realmResourceServer;
     }

◆ initializeRealmScope()

Scope org.keycloak.services.resources.admin.permissions.MgmtPermissions.initializeRealmScope ( String name )

inline

                                                    {
         ResourceServer server = initializeRealmResourceServer();
         Scope scope  = authz.getStoreFactory().getScopeStore().findByName(name, server.getId());
         if (scope == null) {
             scope = authz.getStoreFactory().getScopeStore().create(name, server);
         }
         return scope;
     }

◆ initializeScope()

Scope org.keycloak.services.resources.admin.permissions.MgmtPermissions.initializeScope	(	String	name,
		ResourceServer	server
	)

inline

                                                                      {
         Scope scope  = authz.getStoreFactory().getScopeStore().findByName(name, server.getId());
         if (scope == null) {
             scope = authz.getStoreFactory().getScopeStore().create(name, server);
         }
         return scope;
     }

◆ initIdentity()

void org.keycloak.services.resources.admin.permissions.MgmtPermissions.initIdentity	(	KeycloakSession	session,
		AdminAuth	auth
	)

inlineprivate

                                                                        {
         if (auth.getToken().hasAudience(Constants.ADMIN_CLI_CLIENT_ID)
                 || auth.getToken().hasAudience(Constants.ADMIN_CONSOLE_CLIENT_ID)) {
             this.identity = new UserModelIdentity(auth.getRealm(), auth.getUser());
 
         } else {
             this.identity = new KeycloakIdentity(auth.getToken(), session);
         }
     }

◆ isAdmin() [1/2]

boolean org.keycloak.services.resources.admin.permissions.MgmtPermissions.isAdmin ( RealmModel realm )

inline

org.keycloak.services.resources.admin.permissions.RealmsPermissionEvaluatorを実装しています。

                                              {
         return hasAnyAdminRole(realm);
     }

◆ isAdmin() [2/2]

boolean org.keycloak.services.resources.admin.permissions.MgmtPermissions.isAdmin ( )

inline

org.keycloak.services.resources.admin.permissions.RealmsPermissionEvaluatorを実装しています。

                              {
         RealmManager realmManager = new RealmManager(session);
         if (adminsRealm.equals(realmManager.getKeycloakAdminstrationRealm())) {
             if (identity.hasRealmRole(AdminRoles.ADMIN) || identity.hasRealmRole(AdminRoles.CREATE_REALM)) {
                 return true;
             }
             for (RealmModel realm : session.realms().getRealms()) {
                 if (isAdmin(realm)) return true;
             }
             return false;
         } else {
             return isAdmin(adminsRealm);
         }
     }

◆ isAdminSameRealm()

boolean org.keycloak.services.resources.admin.permissions.MgmtPermissions.isAdminSameRealm ( )

inline

                                       {
         return auth == null || realm.getId().equals(auth.getRealm().getId());
     }

◆ realm()

RealmPermissions org.keycloak.services.resources.admin.permissions.MgmtPermissions.realm ( )

inline

org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluatorを実装しています。

                                     {
         if (realmPermissions != null) return realmPermissions;
         realmPermissions = new RealmPermissions(session, realm, authz, this);
         return realmPermissions;
     }

◆ realmManageScope()

Scope org.keycloak.services.resources.admin.permissions.MgmtPermissions.realmManageScope ( )

inline

                                     {
         if (manageScope != null) return manageScope;
         manageScope = realmScope(MgmtPermissions.MANAGE_SCOPE);
         return manageScope;
     }

◆ realmResourceServer()

ResourceServer org.keycloak.services.resources.admin.permissions.MgmtPermissions.realmResourceServer ( )

inline

org.keycloak.services.resources.admin.permissions.AdminPermissionManagementを実装しています。

                                                 {
         if (realmResourceServer != null) return realmResourceServer;
         ClientModel client = getRealmManagementClient();
         if (client == null) return null;
         ResourceServerStore resourceServerStore = authz.getStoreFactory().getResourceServerStore();
         realmResourceServer = resourceServerStore.findById(client.getId());
         return realmResourceServer;
 
     }

◆ realmScope()

Scope org.keycloak.services.resources.admin.permissions.MgmtPermissions.realmScope ( String scope )

inline

                                           {
         ResourceServer server = realmResourceServer();
         if (server == null) return null;
         return authz.getStoreFactory().getScopeStore().findByName(scope, server.getId());
     }

◆ realmViewScope()

Scope org.keycloak.services.resources.admin.permissions.MgmtPermissions.realmViewScope ( )

inline

                                   {
         if (viewScope != null) return viewScope;
         viewScope = realmScope(MgmtPermissions.VIEW_SCOPE);
         return viewScope;
     }

◆ requireAnyAdminRole()

void org.keycloak.services.resources.admin.permissions.MgmtPermissions.requireAnyAdminRole ( )

inline

org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluatorを実装しています。

                                       {
         if (!hasAnyAdminRole()) {
             throw new ForbiddenException();
         }
     }

◆ requireCreateRealm()

void org.keycloak.services.resources.admin.permissions.MgmtPermissions.requireCreateRealm ( )

inline

org.keycloak.services.resources.admin.permissions.RealmsPermissionEvaluatorを実装しています。

                                      {
         if (!canCreateRealm()) {
             throw new ForbiddenException();
         }
     }

◆ resourceServer()

ResourceServer org.keycloak.services.resources.admin.permissions.MgmtPermissions.resourceServer ( ClientModel client )

inline

                                                              {
         return realmResourceServer();
     }

◆ roles()

RolePermissions org.keycloak.services.resources.admin.permissions.MgmtPermissions.roles ( )

inline

org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluatorを実装しています。

                                    {
         return new RolePermissions(session, realm, authz, this);
     }

◆ users()

UserPermissions org.keycloak.services.resources.admin.permissions.MgmtPermissions.users ( )

inline

org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluatorを実装しています。

                                    {
         if (users != null) return users;
         users = new UserPermissions(session, realm, authz, this);
         return users;
     }

メンバ詳解

◆ admin

UserModel org.keycloak.services.resources.admin.permissions.MgmtPermissions.admin

protected

◆ adminsRealm

RealmModel org.keycloak.services.resources.admin.permissions.MgmtPermissions.adminsRealm

protected

◆ auth

AdminAuth org.keycloak.services.resources.admin.permissions.MgmtPermissions.auth

protected

◆ authz

AuthorizationProvider org.keycloak.services.resources.admin.permissions.MgmtPermissions.authz

protected

◆ clientPermissions

ClientPermissions org.keycloak.services.resources.admin.permissions.MgmtPermissions.clientPermissions

protected

◆ groups

GroupPermissions org.keycloak.services.resources.admin.permissions.MgmtPermissions.groups

protected

◆ identity

Identity org.keycloak.services.resources.admin.permissions.MgmtPermissions.identity

protected

◆ idpPermissions

IdentityProviderPermissions org.keycloak.services.resources.admin.permissions.MgmtPermissions.idpPermissions

protected

◆ logger

final Logger org.keycloak.services.resources.admin.permissions.MgmtPermissions.logger = Logger.getLogger(MgmtPermissions.class)

staticprivate

◆ MANAGE_SCOPE

final String org.keycloak.services.resources.admin.permissions.AdminPermissionManagement.MANAGE_SCOPE = "manage"

staticinherited

◆ manageScope

Scope org.keycloak.services.resources.admin.permissions.MgmtPermissions.manageScope

protected

◆ realm

RealmModel org.keycloak.services.resources.admin.permissions.MgmtPermissions.realm

protected

◆ realmPermissions

RealmPermissions org.keycloak.services.resources.admin.permissions.MgmtPermissions.realmPermissions

protected

◆ realmResourceServer

ResourceServer org.keycloak.services.resources.admin.permissions.MgmtPermissions.realmResourceServer

protected

◆ session

KeycloakSession org.keycloak.services.resources.admin.permissions.MgmtPermissions.session

protected

◆ TOKEN_EXCHANGE

final String org.keycloak.services.resources.admin.permissions.AdminPermissionManagement.TOKEN_EXCHANGE ="token-exchange"

staticinherited

◆ users

UserPermissions org.keycloak.services.resources.admin.permissions.MgmtPermissions.users

protected

◆ VIEW_SCOPE

final String org.keycloak.services.resources.admin.permissions.AdminPermissionManagement.VIEW_SCOPE = "view"

staticinherited

◆ viewScope

Scope org.keycloak.services.resources.admin.permissions.MgmtPermissions.viewScope

protected

このクラス詳解は次のファイルから抽出されました:

D:/AppData/doxygen/keycloak/rest-service/src/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java

公開メンバ関数

静的公開変数類

限定公開変数類

関数

非公開メンバ関数

静的非公開変数類

詳解

構築子と解体子

◆ MgmtPermissions() [1/5]

◆ MgmtPermissions() [2/5]

◆ MgmtPermissions() [3/5]

◆ MgmtPermissions() [4/5]

◆ MgmtPermissions() [5/5]

関数詳解

◆ admin()

◆ adminAuth()

◆ adminsRealm()

◆ authz()

◆ canCreateRealm()

◆ canView()

◆ clients()

◆ evaluatePermission() [1/3]

◆ evaluatePermission() [2/3]

◆ evaluatePermission() [3/3]

◆ findOrCreateResourceServer()

◆ getRealmManagementClient()

◆ groups()

◆ hasAnyAdminRole() [1/2]

◆ hasAnyAdminRole() [2/2]

◆ hasOneAdminRole() [1/2]

◆ hasOneAdminRole() [2/2]

◆ identity()

◆ idps()

◆ initializeRealmDefaultScopes()

◆ initializeRealmResourceServer()

◆ initializeRealmScope()

◆ initializeScope()

◆ initIdentity()

◆ isAdmin() [1/2]

◆ isAdmin() [2/2]

◆ isAdminSameRealm()

◆ realm()

◆ realmManageScope()

◆ realmResourceServer()

◆ realmScope()

◆ realmViewScope()

◆ requireAnyAdminRole()

◆ requireCreateRealm()

◆ resourceServer()

◆ roles()

◆ users()

メンバ詳解

◆ admin

◆ adminsRealm

◆ auth

◆ authz

◆ clientPermissions

◆ groups

◆ identity

◆ idpPermissions

◆ logger

◆ MANAGE_SCOPE

◆ manageScope

◆ realm

◆ realmPermissions

◆ realmResourceServer

◆ session

◆ TOKEN_EXCHANGE

◆ users

◆ VIEW_SCOPE

◆ viewScope