keycloak · hmlnarik · May 6, 2022 · Feb 1, 2022
@@ -19,6 +19,11 @@
 
 import org.jboss.logging.Logger;
 import org.keycloak.Config;
+import org.keycloak.authorization.model.PermissionTicket;
+import org.keycloak.authorization.model.Policy;
+import org.keycloak.authorization.model.Resource;
+import org.keycloak.authorization.model.ResourceServer;
+import org.keycloak.authorization.model.Scope;
 import org.keycloak.common.Profile;
 import org.keycloak.component.AmphibianProviderFactory;
 import org.keycloak.models.AuthenticatedClientSessionModel;
@@ -32,6 +37,11 @@
 import org.keycloak.models.UserLoginFailureModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
+import org.keycloak.models.map.authorization.entity.MapPermissionTicketEntity;
+import org.keycloak.models.map.authorization.entity.MapPolicyEntity;
+import org.keycloak.models.map.authorization.entity.MapResourceEntity;
+import org.keycloak.models.map.authorization.entity.MapResourceServerEntity;
+import org.keycloak.models.map.authorization.entity.MapScopeEntity;
 import org.keycloak.models.map.authSession.MapAuthenticationSessionEntity;
 import org.keycloak.models.map.authSession.MapRootAuthenticationSessionEntity;
 import org.keycloak.models.map.clientscope.MapClientScopeEntity;
@@ -53,6 +63,16 @@
 import org.keycloak.models.map.storage.hotRod.authSession.HotRodAuthenticationSessionEntityDelegate;
 import org.keycloak.models.map.storage.hotRod.authSession.HotRodRootAuthenticationSessionEntity;
 import org.keycloak.models.map.storage.hotRod.authSession.HotRodRootAuthenticationSessionEntityDelegate;
+import org.keycloak.models.map.storage.hotRod.authorization.HotRodPermissionTicketEntity;
+import org.keycloak.models.map.storage.hotRod.authorization.HotRodPermissionTicketEntityDelegate;
+import org.keycloak.models.map.storage.hotRod.authorization.HotRodPolicyEntity;
+import org.keycloak.models.map.storage.hotRod.authorization.HotRodPolicyEntityDelegate;
+import org.keycloak.models.map.storage.hotRod.authorization.HotRodResourceEntity;
+import org.keycloak.models.map.storage.hotRod.authorization.HotRodResourceEntityDelegate;
+import org.keycloak.models.map.storage.hotRod.authorization.HotRodResourceServerEntity;
+import org.keycloak.models.map.storage.hotRod.authorization.HotRodResourceServerEntityDelegate;
+import org.keycloak.models.map.storage.hotRod.authorization.HotRodScopeEntity;
+import org.keycloak.models.map.storage.hotRod.authorization.HotRodScopeEntityDelegate;
 import org.keycloak.models.map.storage.hotRod.loginFailure.HotRodUserLoginFailureEntity;
 import org.keycloak.models.map.storage.hotRod.loginFailure.HotRodUserLoginFailureEntityDelegate;
 import org.keycloak.models.map.storage.hotRod.role.HotRodRoleEntity;
@@ -113,15 +133,21 @@ public class HotRodMapStorageProviderFactory implements AmphibianProviderFactory
     private final static DeepCloner CLONER = new DeepCloner.Builder()
             .constructor(MapRootAuthenticationSessionEntity.class,  HotRodRootAuthenticationSessionEntityDelegate::new)
             .constructor(MapAuthenticationSessionEntity.class,      HotRodAuthenticationSessionEntityDelegate::new)
+
             .constructor(MapClientEntity.class,                     HotRodClientEntityDelegate::new)
             .constructor(MapProtocolMapperEntity.class,             HotRodProtocolMapperEntityDelegate::new)
+
             .constructor(MapClientScopeEntity.class,                HotRodClientScopeEntityDelegate::new)
+
             .constructor(MapGroupEntity.class,                      HotRodGroupEntityDelegate::new)
+
             .constructor(MapRoleEntity.class,                       HotRodRoleEntityDelegate::new)
+
             .constructor(MapUserEntity.class,                       HotRodUserEntityDelegate::new)
             .constructor(MapUserCredentialEntity.class,             HotRodUserCredentialEntityDelegate::new)
             .constructor(MapUserFederatedIdentityEntity.class,      HotRodUserFederatedIdentityEntityDelegate::new)
             .constructor(MapUserConsentEntity.class,                HotRodUserConsentEntityDelegate::new)
+
             .constructor(MapUserLoginFailureEntity.class,           HotRodUserLoginFailureEntityDelegate::new)
 
             .constructor(MapRealmEntity.class,                      HotRodRealmEntityDelegate::new)
@@ -136,8 +162,16 @@ public class HotRodMapStorageProviderFactory implements AmphibianProviderFactory
             .constructor(MapRequiredActionProviderEntity.class,     HotRodRequiredActionProviderEntityDelegate::new)
             .constructor(MapRequiredCredentialEntity.class,         HotRodRequiredCredentialEntityDelegate::new)
             .constructor(MapWebAuthnPolicyEntity.class,             HotRodWebAuthnPolicyEntityDelegate::new)
+
             .constructor(MapUserSessionEntity.class,                HotRodUserSessionEntityDelegate::new)
             .constructor(MapAuthenticatedClientSessionEntity.class, HotRodAuthenticatedClientSessionEntityDelegate::new)
+
+            .constructor(MapResourceServerEntity.class,             HotRodResourceServerEntityDelegate::new)
+            .constructor(MapResourceEntity.class,                   HotRodResourceEntityDelegate::new)
+            .constructor(MapScopeEntity.class,                      HotRodScopeEntityDelegate::new)
+            .constructor(MapPolicyEntity.class,                     HotRodPolicyEntityDelegate::new)
+            .constructor(MapPermissionTicketEntity.class,           HotRodPermissionTicketEntityDelegate::new)
+
             .build();
 
     public static final Map<Class<?>, HotRodEntityDescriptor<?, ?>> ENTITY_DESCRIPTOR_MAP = new HashMap<>();
@@ -200,6 +234,57 @@ public class HotRodMapStorageProviderFactory implements AmphibianProviderFactory
                 new HotRodEntityDescriptor<>(AuthenticatedClientSessionModel.class,
                         HotRodAuthenticatedClientSessionEntity.class,
                         HotRodAuthenticatedClientSessionEntityDelegate::new));
+
+        // authz
+        ENTITY_DESCRIPTOR_MAP.put(ResourceServer.class,
+                new HotRodEntityDescriptor<HotRodResourceServerEntity, HotRodResourceServerEntityDelegate>(ResourceServer.class,
+                        HotRodResourceServerEntity.class,
+                        HotRodResourceServerEntityDelegate::new) {
+                    @Override
+                    public String getCacheName() {
+                        return "authz";
+                    }
+                });
+
+        ENTITY_DESCRIPTOR_MAP.put(Resource.class,
+                new HotRodEntityDescriptor<HotRodResourceEntity, HotRodResourceEntityDelegate>(Resource.class,
+                        HotRodResourceEntity.class,
+                        HotRodResourceEntityDelegate::new){
+                    @Override
+                    public String getCacheName() {
+                        return "authz";
+                    }
+                });
+
+        ENTITY_DESCRIPTOR_MAP.put(Scope.class,
+                new HotRodEntityDescriptor<HotRodScopeEntity, HotRodScopeEntityDelegate>(Scope.class,
+                        HotRodScopeEntity.class,
+                        HotRodScopeEntityDelegate::new){
+                    @Override
+                    public String getCacheName() {
+                        return "authz";
+                    }
+                });
+
+        ENTITY_DESCRIPTOR_MAP.put(Policy.class,
+                new HotRodEntityDescriptor<HotRodPolicyEntity, HotRodPolicyEntityDelegate>(Policy.class,
+                        HotRodPolicyEntity.class,
+                        HotRodPolicyEntityDelegate::new){
+                    @Override
+                    public String getCacheName() {
+                        return "authz";
+                    }
+                });
+
+        ENTITY_DESCRIPTOR_MAP.put(PermissionTicket.class,
+                new HotRodEntityDescriptor<HotRodPermissionTicketEntity, HotRodPermissionTicketEntityDelegate>(PermissionTicket.class,
+                        HotRodPermissionTicketEntity.class,
+                        HotRodPermissionTicketEntityDelegate::new){
+                    @Override
+                    public String getCacheName() {
+                        return "authz";
+                    }
+                });
     }
 
     @Override

@@ -17,6 +17,8 @@
 
 package org.keycloak.models.map.storage.hotRod;
 
+import org.keycloak.authorization.model.Policy;
+import org.keycloak.authorization.model.Resource;
 import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.GroupModel;
@@ -78,6 +80,13 @@ public class IckleQueryMapModelCriteriaBuilder<E extends AbstractHotRodEntity, M
         INFINISPAN_NAME_OVERRIDES.put(UserSessionModel.SearchableFields.IS_OFFLINE, "offline");
         INFINISPAN_NAME_OVERRIDES.put(UserSessionModel.SearchableFields.CLIENT_ID, "authenticatedClientSessions.key");
         INFINISPAN_NAME_OVERRIDES.put(AuthenticatedClientSessionModel.SearchableFields.IS_OFFLINE, "offline");
+
+        INFINISPAN_NAME_OVERRIDES.put(Resource.SearchableFields.SCOPE_ID, "scopeIds");
+
+        INFINISPAN_NAME_OVERRIDES.put(Policy.SearchableFields.RESOURCE_ID, "resourceIds");
+        INFINISPAN_NAME_OVERRIDES.put(Policy.SearchableFields.SCOPE_ID, "scopeIds");
+        INFINISPAN_NAME_OVERRIDES.put(Policy.SearchableFields.ASSOCIATED_POLICY_ID, "associatedPolicyIds");
+        INFINISPAN_NAME_OVERRIDES.put(Policy.SearchableFields.CONFIG, "configs");
     }
 
     static {
@@ -86,6 +95,8 @@ public class IckleQueryMapModelCriteriaBuilder<E extends AbstractHotRodEntity, M
         ANALYZED_MODEL_FIELDS.add(UserModel.SearchableFields.FIRST_NAME);
         ANALYZED_MODEL_FIELDS.add(UserModel.SearchableFields.LAST_NAME);
         ANALYZED_MODEL_FIELDS.add(UserModel.SearchableFields.EMAIL);
+        ANALYZED_MODEL_FIELDS.add(Policy.SearchableFields.TYPE);
+        ANALYZED_MODEL_FIELDS.add(Resource.SearchableFields.TYPE);
     }
 
     public IckleQueryMapModelCriteriaBuilder(Class<E> hotRodEntityClass, StringBuilder whereClauseBuilder, Map<String, Object> parameters) {

@@ -17,6 +17,7 @@
 
 package org.keycloak.models.map.storage.hotRod;
 
+import org.keycloak.authorization.model.Policy;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
@@ -56,6 +57,7 @@ public class IckleQueryWhereClauses {
         WHERE_CLAUSE_PRODUCER_OVERRIDES.put(UserModel.SearchableFields.IDP_AND_USER, IckleQueryWhereClauses::whereClauseForUserIdpAlias);
         WHERE_CLAUSE_PRODUCER_OVERRIDES.put(UserModel.SearchableFields.CONSENT_CLIENT_FEDERATION_LINK, IckleQueryWhereClauses::whereClauseForConsentClientFederationLink);
         WHERE_CLAUSE_PRODUCER_OVERRIDES.put(UserSessionModel.SearchableFields.CORRESPONDING_SESSION_ID, IckleQueryWhereClauses::whereClauseForCorrespondingSessionId);
+        WHERE_CLAUSE_PRODUCER_OVERRIDES.put(Policy.SearchableFields.CONFIG, IckleQueryWhereClauses::whereClauseForPolicyConfig);
     }
 
     @FunctionalInterface
@@ -172,4 +174,34 @@ private static String whereClauseForCorrespondingSessionId(String modelFieldName
 
         return "(" + nameClause + ")" + " AND " + "(" + valueClause + ")";
     }
+
+    private static String whereClauseForPolicyConfig(String modelFieldName, ModelCriteriaBuilder.Operator op, Object[] values, Map<String, Object> parameters) {
+        if (values == null || values.length == 0) {
+            throw new CriterionNotSupportedException(Policy.SearchableFields.CONFIG, op, "Invalid arguments, expected (config_name, config_value_operator_arguments), got: " + Arrays.toString(values));
+        }
+
+        final Object attrName = values[0];
+        if (!(attrName instanceof String)) {
+            throw new CriterionNotSupportedException(Policy.SearchableFields.CONFIG, op, "Invalid arguments, expected (String config_name), got: " + Arrays.toString(values));
+        }
+
+        String attrNameS = (String) attrName;
+        Object[] realValues = new Object[values.length - 1];
+        System.arraycopy(values, 1, realValues, 0, values.length - 1);
+
+        boolean isNotExists = op.equals(ModelCriteriaBuilder.Operator.NOT_EXISTS);
+        if (isNotExists || op.equals(ModelCriteriaBuilder.Operator.EXISTS)) {
+            ModelCriteriaBuilder.Operator o = isNotExists ? ModelCriteriaBuilder.Operator.NE : ModelCriteriaBuilder.Operator.EQ;
+            return IckleQueryOperators.combineExpressions(o, modelFieldName + ".key", new String[] { attrNameS }, parameters);
+        }
+
+        String nameClause = IckleQueryOperators.combineExpressions(ModelCriteriaBuilder.Operator.EQ, modelFieldName + ".key", new String[] { attrNameS }, parameters);
+
+        if (realValues.length == 0) {
+            return nameClause;
+        }
+
+        String valueClause = IckleQueryOperators.combineExpressions(op, modelFieldName + ".value", realValues, parameters);
+        return "(" + nameClause + ")" + " AND " + "(" + valueClause + ")";
+    }
 }
@@ -0,0 +1,41 @@
+/*
+ * Copyright 2022 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models.map.storage.hotRod.authorization;
+
+import org.infinispan.protostream.annotations.ProtoEnumValue;
+
+public enum HotRodDecisionStrategy {
+    /**
+     * Defines that at least one policy must evaluate to a positive decision in order to the overall decision be also positive.
+     */
+    @ProtoEnumValue(number = 0)
+    AFFIRMATIVE,
+
+    /**
+     * Defines that all policies must evaluate to a positive decision in order to the overall decision be also positive.
+     */
+    @ProtoEnumValue(number = 1)
+    UNANIMOUS,
+
+    /**
+     * Defines that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same,
+     * the final decision will be negative.
+     */
+    @ProtoEnumValue(number = 2)
+    CONSENSUS
+}
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2022 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.models.map.storage.hotRod.authorization;
+
+import org.infinispan.protostream.annotations.ProtoEnumValue;
+
+public enum HotRodLogic {
+    /**
+     * Defines that this policy follows a positive logic. In other words, the final decision is the policy outcome.
+     */
+    @ProtoEnumValue(number = 0)
+    POSITIVE,
+
+    /**
+     * Defines that this policy uses a logical negation. In other words, the final decision would be a negative of the policy outcome.
+     */
+    @ProtoEnumValue(number = 1)
+    NEGATIVE,
+}