KEYCLOAK-14189 Client Policy : Basics

johngrimes · Jul 21, 2020 · e0fbfa7 · e0fbfa7
1 parent 6d54951
commit e0fbfa7
Show file tree

Hide file tree

Showing 62 changed files with 3,657 additions and 9 deletions.
diff --git a/common/src/main/java/org/keycloak/common/Profile.java b/common/src/main/java/org/keycloak/common/Profile.java
@@ -53,7 +53,8 @@ public enum Feature {
         SCRIPTS(Type.PREVIEW),
         TOKEN_EXCHANGE(Type.PREVIEW),
         UPLOAD_SCRIPTS(DEPRECATED),
-        WEB_AUTHN(Type.DEFAULT, Type.PREVIEW);
+        WEB_AUTHN(Type.DEFAULT, Type.PREVIEW),
+        CLIENT_POLICIES(Type.PREVIEW);
 
         private Type typeProject;
         private Type typeProduct;

diff --git a/common/src/test/java/org/keycloak/common/ProfileTest.java b/common/src/test/java/org/keycloak/common/ProfileTest.java
@@ -21,8 +21,8 @@ public class ProfileTest {
     @Test
     public void checkDefaultsKeycloak() {
         Assert.assertEquals("community", Profile.getName());
-        assertEquals(Profile.getDisabledFeatures(), Profile.Feature.ACCOUNT2, Profile.Feature.ACCOUNT_API, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.DOCKER, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.UPLOAD_SCRIPTS);
-        assertEquals(Profile.getPreviewFeatures(), Profile.Feature.ACCOUNT2, Profile.Feature.ACCOUNT_API, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION);
+        assertEquals(Profile.getDisabledFeatures(), Profile.Feature.ACCOUNT2, Profile.Feature.ACCOUNT_API, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.DOCKER, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.UPLOAD_SCRIPTS, Profile.Feature.CLIENT_POLICIES);
+        assertEquals(Profile.getPreviewFeatures(), Profile.Feature.ACCOUNT2, Profile.Feature.ACCOUNT_API, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.CLIENT_POLICIES);
         assertEquals(Profile.getDeprecatedFeatures(), Profile.Feature.UPLOAD_SCRIPTS);
 
         Assert.assertTrue(Profile.Feature.WEB_AUTHN.hasDifferentProductType());
@@ -37,8 +37,8 @@ public void checkDefaultsRH_SSO() {
         Profile.init();
 
         Assert.assertEquals("product", Profile.getName());
-        assertEquals(Profile.getDisabledFeatures(), Profile.Feature.ACCOUNT2, Profile.Feature.ACCOUNT_API, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.DOCKER, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.UPLOAD_SCRIPTS, Profile.Feature.WEB_AUTHN);
-        assertEquals(Profile.getPreviewFeatures(), Profile.Feature.ACCOUNT2, Profile.Feature.ACCOUNT_API, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.WEB_AUTHN);
+        assertEquals(Profile.getDisabledFeatures(), Profile.Feature.ACCOUNT2, Profile.Feature.ACCOUNT_API, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.DOCKER, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.UPLOAD_SCRIPTS, Profile.Feature.WEB_AUTHN, Profile.Feature.CLIENT_POLICIES);
+        assertEquals(Profile.getPreviewFeatures(), Profile.Feature.ACCOUNT2, Profile.Feature.ACCOUNT_API, Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.WEB_AUTHN, Profile.Feature.CLIENT_POLICIES);
         assertEquals(Profile.getDeprecatedFeatures(), Profile.Feature.UPLOAD_SCRIPTS);
 
         Assert.assertTrue(Profile.Feature.WEB_AUTHN.hasDifferentProductType());

diff --git a/...er-spi-private/src/main/java/org/keycloak/services/clientpolicy/ClientPolicyProvider.java b/...er-spi-private/src/main/java/org/keycloak/services/clientpolicy/ClientPolicyProvider.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.services.clientpolicy;
+
+import java.util.List;
+
+import org.keycloak.provider.Provider;
+import org.keycloak.services.clientpolicy.condition.ClientPolicyConditionProvider;
+import org.keycloak.services.clientpolicy.executor.ClientPolicyExecutorProvider;
+
+/**
+ * Provides Client Policy which accommodates several Conditions and Executors.
+ */
+public interface ClientPolicyProvider extends Provider {
+
+    /**
+     * returns the list of conditions which this provider accommodates.
+     *
+     * @return list of conditions
+     */
+    List<ClientPolicyConditionProvider> getConditions();
+
+    /**
+     * returns the list of executors which this provider accommodates.
+     *
+     * @return list of executors
+     */
+    List<ClientPolicyExecutorProvider> getExecutors();
+
+    String getName();
+
+    String getProviderId();
+}
diff --git a/...private/src/main/java/org/keycloak/services/clientpolicy/ClientPolicyProviderFactory.java b/...private/src/main/java/org/keycloak/services/clientpolicy/ClientPolicyProviderFactory.java
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.services.clientpolicy;
+
+import org.keycloak.component.ComponentFactory;
+
+public interface ClientPolicyProviderFactory extends ComponentFactory<ClientPolicyProvider, ClientPolicyProvider> {
+}
diff --git a/server-spi-private/src/main/java/org/keycloak/services/clientpolicy/ClientPolicySpi.java b/server-spi-private/src/main/java/org/keycloak/services/clientpolicy/ClientPolicySpi.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.services.clientpolicy;
+
+import org.keycloak.provider.Provider;
+import org.keycloak.provider.ProviderFactory;
+import org.keycloak.provider.Spi;
+
+public class ClientPolicySpi implements Spi {
+
+    @Override
+    public boolean isInternal() {
+        return true;
+    }
+
+    @Override
+    public String getName() {
+        return "client-policy";
+    }
+
+    @Override
+    public Class<? extends Provider> getProviderClass() {
+        return ClientPolicyProvider.class;
+    }
+
+    @Override
+    public Class<? extends ProviderFactory> getProviderFactoryClass() {
+        return ClientPolicyProviderFactory.class;
+    }
+
+}
diff --git a/server-spi-private/src/main/java/org/keycloak/services/clientpolicy/ClientPolicyVote.java b/server-spi-private/src/main/java/org/keycloak/services/clientpolicy/ClientPolicyVote.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.services.clientpolicy;
+
+public enum ClientPolicyVote {
+    YES,
+    NO,
+    ABSTAIN
+}
diff --git a/...main/java/org/keycloak/services/clientpolicy/condition/ClientPolicyConditionProvider.java b/...main/java/org/keycloak/services/clientpolicy/condition/ClientPolicyConditionProvider.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.services.clientpolicy.condition;
+
+import org.keycloak.provider.Provider;
+import org.keycloak.services.clientpolicy.ClientPolicyContext;
+import org.keycloak.services.clientpolicy.ClientPolicyEvent;
+import org.keycloak.services.clientpolicy.ClientPolicyException;
+import org.keycloak.services.clientpolicy.ClientPolicyVote;
+
+/**
+ * This condition determines to which client a {@link ClientPolicyProvider} is adopted.
+ * The condition can be evaluated on the events defined in {@link ClientPolicyEvent}.
+ * It is sufficient for the implementer of this condition to implement methods in which they are interested
+ * and {@link isEvaluatedOnEvent} method.
+ */
+public interface ClientPolicyConditionProvider extends Provider {
+
+    @Override
+    default void close() {
+    }
+
+    /**
+     * returns ABSTAIN if this condition is not evaluated due to its nature.
+     * returns YES if the client satisfies this condition on the event defined in {@link ClientPolicyEvent}.
+     * If not, returns NO.
+     *
+     * @param context - the context of the event.
+     * @return returns ABSTAIN if this condition is not evaluated due to its nature.
+     * @throws {@link ClientPolicyException} - thrown if the condition is not evaluated in its nature on the event specified by context.
+     */
+    default ClientPolicyVote applyPolicy(ClientPolicyContext context) throws ClientPolicyException {
+        return ClientPolicyVote.ABSTAIN;
+    }
+
+    String getName();
+
+    String getProviderId();
+}
diff --git a/...va/org/keycloak/services/clientpolicy/condition/ClientPolicyConditionProviderFactory.java b/...va/org/keycloak/services/clientpolicy/condition/ClientPolicyConditionProviderFactory.java
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.services.clientpolicy.condition;
+
+import org.keycloak.component.ComponentFactory;
+
+public interface ClientPolicyConditionProviderFactory extends ComponentFactory<ClientPolicyConditionProvider, ClientPolicyConditionProvider> { 
+}
diff --git a/.../src/main/java/org/keycloak/services/clientpolicy/condition/ClientPolicyConditionSpi.java b/.../src/main/java/org/keycloak/services/clientpolicy/condition/ClientPolicyConditionSpi.java
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.services.clientpolicy.condition;
+
+import org.keycloak.provider.Provider;
+import org.keycloak.provider.ProviderFactory;
+import org.keycloak.provider.Spi;
+
+public class ClientPolicyConditionSpi implements Spi {
+
+    @Override
+    public boolean isInternal() {
+        return true;
+    }
+
+    @Override
+    public String getName() {
+        return "client-policy-condition";
+    }
+
+    @Override
+    public Class<? extends Provider> getProviderClass() {
+        return ClientPolicyConditionProvider.class;
+    }
+
+    @Override
+    public Class<? extends ProviderFactory> getProviderFactoryClass() {
+        return ClientPolicyConditionProviderFactory.class;
+    }
+
+}
diff --git a/...c/main/java/org/keycloak/services/clientpolicy/executor/ClientPolicyExecutorProvider.java b/...c/main/java/org/keycloak/services/clientpolicy/executor/ClientPolicyExecutorProvider.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.services.clientpolicy.executor;
+
+import org.keycloak.provider.Provider;
+import org.keycloak.services.clientpolicy.ClientPolicyException;
+import org.keycloak.services.clientpolicy.ClientPolicyContext;
+import org.keycloak.services.clientpolicy.ClientPolicyEvent;
+
+/**
+ * This executor specifies what action is executed on the client to which {@link ClientPolicyProvider} is adopted.
+ * The executor can be executed on the events defined in {@link ClientPolicyEvent}.
+ * It is sufficient for the implementer of this executor to implement methods in which they are interested
+ * and {@link isEvaluatedOnEvent} method.
+ */
+public interface ClientPolicyExecutorProvider extends Provider {
+
+    @Override
+    default void close() {
+    }
+
+    /**
+     * execute actions against the client on the event defined in {@link ClientPolicyEvent}.
+     * 
+     * @param context - the context of the event.
+     * @throws {@link ClientPolicyException} - if something wrong happens when execution actions.
+     */
+    default void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
+    }
+
+    String getName();
+
+    String getProviderId();
+}
diff --git a/...java/org/keycloak/services/clientpolicy/executor/ClientPolicyExecutorProviderFactory.java b/...java/org/keycloak/services/clientpolicy/executor/ClientPolicyExecutorProviderFactory.java
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.services.clientpolicy.executor;
+
+import org.keycloak.component.ComponentFactory;
+
+public interface ClientPolicyExecutorProviderFactory extends ComponentFactory<ClientPolicyExecutorProvider, ClientPolicyExecutorProvider> {
+}