Exemple #1
0
  protected void addComposites(AccessToken token, RoleModel role) {
    AccessToken.Access access = null;
    if (role.getContainer() instanceof RealmModel) {
      access = token.getRealmAccess();
      if (token.getRealmAccess() == null) {
        access = new AccessToken.Access();
        token.setRealmAccess(access);
      } else if (token.getRealmAccess().getRoles() != null
          && token.getRealmAccess().isUserInRole(role.getName())) return;

    } else {
      ClientModel app = (ClientModel) role.getContainer();
      access = token.getResourceAccess(app.getClientId());
      if (access == null) {
        access = token.addAccess(app.getClientId());
        if (app.isSurrogateAuthRequired()) access.verifyCaller(true);
      } else if (access.isUserInRole(role.getName())) return;
    }
    access.addRole(role.getName());
    if (!role.isComposite()) return;

    for (RoleModel composite : role.getComposites()) {
      addComposites(token, composite);
    }
  }
Exemple #2
0
  public void verifyAccess(AccessToken token, AccessToken newToken) throws OAuthErrorException {
    if (token.getRealmAccess() != null) {
      if (newToken.getRealmAccess() == null)
        throw new OAuthErrorException(
            OAuthErrorException.INVALID_SCOPE, "User no long has permission for realm roles");

      for (String roleName : token.getRealmAccess().getRoles()) {
        if (!newToken.getRealmAccess().getRoles().contains(roleName)) {
          throw new OAuthErrorException(
              OAuthErrorException.INVALID_SCOPE,
              "User no long has permission for realm role: " + roleName);
        }
      }
    }
    if (token.getResourceAccess() != null) {
      for (Map.Entry<String, AccessToken.Access> entry : token.getResourceAccess().entrySet()) {
        AccessToken.Access appAccess = newToken.getResourceAccess(entry.getKey());
        if (appAccess == null && !entry.getValue().getRoles().isEmpty()) {
          throw new OAuthErrorException(
              OAuthErrorException.INVALID_SCOPE,
              "User or client no longer has role permissions for client key: " + entry.getKey());
        }
        for (String roleName : entry.getValue().getRoles()) {
          if (!appAccess.getRoles().contains(roleName)) {
            throw new OAuthErrorException(
                OAuthErrorException.INVALID_SCOPE,
                "User no long has permission for client role " + roleName);
          }
        }
      }
    }
  }
Exemple #3
0
 @Override
 public AccessToken transformAccessToken(
     AccessToken token,
     ProtocolMapperModel mappingModel,
     KeycloakSession session,
     UserSessionModel userSession,
     ClientSessionModel clientSession) {
   String role = mappingModel.getConfig().get(ROLE_CONFIG);
   String[] scopedRole = KeycloakModelUtils.parseRole(role);
   String appName = scopedRole[0];
   String roleName = scopedRole[1];
   if (appName != null) {
     token.addAccess(appName).addRole(roleName);
   } else {
     AccessToken.Access access = token.getRealmAccess();
     if (access == null) {
       access = new AccessToken.Access();
       token.setRealmAccess(access);
     }
     access.addRole(role);
   }
   return token;
 }