http://nexus.sonatype.org/oss-repository-hosting.html/vertx-parent/vertx-ext/vertx-ext-parent/vertx-auth/vertx-auth-oauth2: Sonatype helps open source projects to set up Maven repositories on https://oss.sonatype.org/
(Eclipse)
/*
* Copyright 2015 Red Hat, Inc.
*
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* and Apache License v2.0 which accompanies this distribution.
*
* The Eclipse Public License is available at
* http://www.eclipse.org/legal/epl-v10.html
*
* The Apache License v2.0 is available at
* http://www.opensource.org/licenses/apache2.0.php
*
* You may elect to redistribute this code under either of these licenses.
*/
package io.vertx.ext.auth.oauth2.rbac.impl;
import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.oauth2.AccessToken;
import io.vertx.ext.auth.oauth2.OAuth2Options;
import io.vertx.ext.auth.oauth2.OAuth2RBAC;
import java.util.Collections;
public class KeycloakRBACImpl implements OAuth2RBAC {
private static final JsonObject EMPTY_JSON = new JsonObject(Collections.EMPTY_MAP);
private static final JsonArray EMPTY_ARRAY = new JsonArray(Collections.EMPTY_LIST);
private final OAuth2Options options;
public KeycloakRBACImpl(OAuth2Options options) {
if (options == null) {
throw new IllegalArgumentException("options is a required argument");
}
this.options = options;
}
Determine if this token has an associated role.
This method is only functional if the token is constructed
with a `clientId` parameter.
The parameter matches a role specification using the following rules:
- If the name contains no colons, then the name is taken as the entire
name of a role within the current application, as specified via
`clientId`.
- If the name starts with the literal `realm:`, the subsequent portion
is taken as the name of a _realm-level_ role.
- Otherwise, the name is split at the colon, with the first portion being
taken as the name of an arbitrary application, and the subsequent portion
as the name of a role with that app.
Params: - authority – The role name specifier.
- handler – `true` if this token has the specified role, otherwise `false`.
/**
* Determine if this token has an associated role.
* <p>
* This method is only functional if the token is constructed
* with a `clientId` parameter.
* <p>
* The parameter matches a role specification using the following rules:
* <p>
* - If the name contains no colons, then the name is taken as the entire
* name of a role within the current application, as specified via
* `clientId`.
* - If the name starts with the literal `realm:`, the subsequent portion
* is taken as the name of a _realm-level_ role.
* - Otherwise, the name is split at the colon, with the first portion being
* taken as the name of an arbitrary application, and the subsequent portion
* as the name of a role with that app.
*
* @param authority The role name specifier.
* @param handler `true` if this token has the specified role, otherwise `false`.
*/
@Override
public void isAuthorized(AccessToken user, String authority, Handler<AsyncResult<Boolean>> handler) {
JsonObject accessToken = user.accessToken();
if (accessToken == null) {
handler.handle(Future.failedFuture("AccessToken is not a valid JWT"));
return;
}
String[] parts = authority.split(":");
if (parts.length == 1) {
handler.handle(Future.succeededFuture(hasApplicationRole(accessToken, options.getClientID(), parts[0])));
return;
}
if ("realm".equals(parts[0])) {
handler.handle(Future.succeededFuture(hasRealmRole(accessToken, parts[1])));
return;
}
handler.handle(Future.succeededFuture(hasApplicationRole(accessToken, parts[0], parts[1])));
}
Determine if this token has an associated specific application role.
Even if `clientId` is not set, this method may be used to explicitly test
roles for any given application.
Params: - appName – The identifier of the application to test.
- roleName – The name of the role within that application to test.
Returns: `true` if this token has the specified role, otherwise `false`.
/**
* Determine if this token has an associated specific application role.
* <p>
* Even if `clientId` is not set, this method may be used to explicitly test
* roles for any given application.
*
* @param appName The identifier of the application to test.
* @param roleName The name of the role within that application to test.
* @return `true` if this token has the specified role, otherwise `false`.
*/
private boolean hasApplicationRole(JsonObject accessToken, String appName, String roleName) {
if (accessToken == null) {
return false;
}
JsonObject appRoles = accessToken
.getJsonObject("resource_access", EMPTY_JSON)
.getJsonObject(appName);
if (appRoles == null) {
return false;
}
return appRoles
.getJsonArray("roles", EMPTY_ARRAY)
.contains(roleName);
}
Determine if this token has an associated specific realm-level role.
Even if `clientId` is not set, this method may be used to explicitly test
roles for the realm.
Params: - roleName – The name of the role within that application to test.
Returns: `true` if this token has the specified role, otherwise `false`.
/**
* Determine if this token has an associated specific realm-level role.
* <p>
* Even if `clientId` is not set, this method may be used to explicitly test
* roles for the realm.
*
* @param roleName The name of the role within that application to test.
* @return `true` if this token has the specified role, otherwise `false`.
*/
private boolean hasRealmRole(JsonObject accessToken, String roleName) {
if (accessToken == null) {
return false;
}
return accessToken
.getJsonObject("realm_access", EMPTY_JSON)
.getJsonArray("roles", EMPTY_ARRAY)
.contains(roleName);
}
}