[KEYCLOAK-8694] - Mark Drools policy as tech preview

Leasen · Nov 9, 2018 · 02b9fe6 · 02b9fe6
1 parent d6791de
commit 02b9fe6
Show file tree

Hide file tree

Showing 13 changed files with 315 additions and 334 deletions.
diff --git a/app-authz-uma-photoz/README.md b/app-authz-uma-photoz/README.md
@@ -18,7 +18,6 @@ Basically, it is a project containing three modules:
 
 * **photoz-restful-api**, a simple RESTFul API based on JAX-RS and acting as a resource server.
 * **photoz-html5-client**, a HTML5 + AngularJS client that will consume the RESTful API published by a resource server.
-* **photoz-authz-policy**, a simple project with some rule-based policies using JBoss Drools.
 
 For this application, users can be regular users or administrators. Regular users can create/view/delete their albums 
 and administrators can do anything. Regular users are also allowed to share their albums with other users.
@@ -54,7 +53,6 @@ That said, this quickstart will show you how to use the Keycloak to define polic
 
 * Role-based Access Control
 * Attribute-based Access Control
-* Rule-based policies using JBoss Drools
 * Rule-based policies using JavaScript 
 
 This quickstart demonstrates how to enable User-Managed Access (UMA) in an application in order to allow users to manage access
@@ -80,28 +78,6 @@ into Keycloak, check the Keycloak's reference documentation.
 
 After importing that file, you'll have a new realm called `photoz`. 
 
-Back to the command-line, build the quickstart. This step is necessary given that we're using policies based on
-JBoss Drools, which require `photoz-authz-policy` artifact installed into your local maven repository.
-
-To build the quickstart, open a terminal and navigate to the root of this quickstart. Then run the following command:
-
-   ````
-   mvn clean install 
-   ````
-
-> Please make sure you have the environment variable M2_HOME set. It should reference the path for your Maven installation. If not set, you will see some WARN messages in the logs when booting Keycloak.
-
-Now, let's import another configuration using the Administration Console in order to configure the client application ``photoz-restful-api`` as a resource server with all resources, scopes, permissions and policies.
-
-Click on `Clients` on the left side menu. Click on the `photoz-restful-api` on the client listing page. This will
-open the `Client Details` page. Once there, click on the `Authorization` tab. 
-
-Click on the `Select file` button, which means you want to import a resource server configuration. Now select the file that is located at:
-
-    keycloak-quickstarts/app-authz-uma-photoz/photoz-restful-api/target/classes/photoz-restful-api-authz-service.json
-
-Now click `Upload` and the resource server will be updated accordingly.
-
 Deploy and Run the quickstart applications
 -----------
 

diff --git a/app-authz-uma-photoz/photoz-authz-policy/pom.xml b/app-authz-uma-photoz/photoz-authz-policy/pom.xml
diff --git a/app-authz-uma-photoz/photoz-authz-policy/src/main/resources/META-INF/kmodule.xml b/app-authz-uma-photoz/photoz-authz-policy/src/main/resources/META-INF/kmodule.xml
diff --git a/...-uma-photoz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.admin/Main.drl b/...-uma-photoz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.admin/Main.drl
diff --git a/...oz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.resource.owner/Main.drl b/...oz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.resource.owner/Main.drl
diff --git a/...z-uma-photoz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.user/Main.drl b/...z-uma-photoz/photoz-authz-policy/src/main/resources/com.photoz.authz.policy.user/Main.drl
diff --git a/...photoz/photoz-authz-policy/src/main/resources/com/photoz/authz/policy/contextual/Main.drl b/...photoz/photoz-authz-policy/src/main/resources/com/photoz/authz/policy/contextual/Main.drl
diff --git a/app-authz-uma-photoz/photoz-realm.json b/app-authz-uma-photoz/photoz-realm.json
@@ -129,7 +129,153 @@
       "redirectUris": [
         "http://localhost:8080/photoz-html5-client"
       ],
-      "webOrigins" : ["http://localhost:8080"]
+      "webOrigins" : ["http://localhost:8080"],
+      "authorizationSettings": {
+        "allowRemoteResourceManagement": true,
+        "policyEnforcementMode": "ENFORCING",
+        "resources": [
+          {
+            "name": "Admin Resources",
+            "uri": "/admin/*",
+            "type": "http://photoz.com/admin",
+            "scopes": [
+              {
+                "name": "admin:manage"
+              }
+            ]
+          },
+          {
+            "name": "User Profile Resource",
+            "uri": "/profile",
+            "type": "http://photoz.com/profile",
+            "scopes": [
+              {
+                "name": "profile:view"
+              }
+            ]
+          },
+          {
+            "name": "Album Resource",
+            "uri": "/album/*",
+            "type": "http://photoz.com/album",
+            "scopes": [
+              {
+                "name": "album:delete"
+              },
+              {
+                "name": "album:view"
+              }
+            ]
+          }
+        ],
+        "policies": [
+          {
+            "name": "Only Owner and Administrators Policy",
+            "description": "Defines that only the resource owner and administrators can do something",
+            "type": "aggregate",
+            "logic": "POSITIVE",
+            "decisionStrategy": "AFFIRMATIVE",
+            "config": {
+              "applyPolicies": "[\"Administration Policy\",\"Only Owner Policy\"]"
+            }
+          },
+          {
+            "name": "Administration Policy",
+            "description": "Defines that only administrators from a specific network address can do something.",
+            "type": "aggregate",
+            "logic": "POSITIVE",
+            "decisionStrategy": "UNANIMOUS",
+            "config": {
+              "applyPolicies": "[\"Any Admin Policy\",\"Only From a Specific Client Address\"]"
+            }
+          },
+          {
+            "name": "Only From @keycloak.org or Admin",
+            "description": "Defines that only users from @keycloak.org",
+            "type": "js",
+            "logic": "POSITIVE",
+            "decisionStrategy": "UNANIMOUS",
+            "config": {
+              "code": "var context = $evaluation.getContext();\nvar identity = context.getIdentity();\nvar attributes = identity.getAttributes();\nvar email = attributes.getValue('email').asString(0);\n\nif (identity.hasRealmRole('admin') || email.endsWith('@keycloak.org')) {\n    $evaluation.grant();\n}"
+            }
+          },
+          {
+            "name": "Only Owner Policy",
+            "description": "Defines that only the resource owner is allowed to do something",
+            "type": "js",
+            "logic": "POSITIVE",
+            "decisionStrategy": "UNANIMOUS",
+            "config": {
+              "code": "var permission = $evaluation.getPermission();\nvar identity = $evaluation.getContext().getIdentity();\nvar resource = permission.getResource();\nif (resource) {\nif (resource.getOwner().equals(identity.getId())) {\n$evaluation.grant();\n}}"
+            }
+          },
+          {
+            "name": "Any Admin Policy",
+            "description": "Defines that adminsitrators can do something",
+            "type": "role",
+            "logic": "POSITIVE",
+            "decisionStrategy": "UNANIMOUS",
+            "config": {
+              "roles": "[{\"id\":\"admin\",\"required\":true}]"
+            }
+          },
+          {
+            "name": "Only From a Specific Client Address",
+            "description": "Defines that only clients from a specific address can do something",
+            "type": "js",
+            "logic": "POSITIVE",
+            "decisionStrategy": "UNANIMOUS",
+            "config": {
+              "code": "var contextAttributes = $evaluation.getContext().getAttributes();\n\nif (contextAttributes.containsValue('kc.client.network.ip_address', '127.0.0.1')) {\n    $evaluation.grant();\n}"
+            }
+          },
+          {
+            "name": "Any User Policy",
+            "description": "Defines that only users from well known clients are allowed to access",
+            "type": "role",
+            "logic": "POSITIVE",
+            "decisionStrategy": "UNANIMOUS",
+            "config": {
+              "roles": "[{\"id\":\"user\",\"required\":false},{\"id\":\"photoz-restful-api/manage-albums\",\"required\":true}]"
+            }
+          },
+          {
+            "name": "Admin Resource Permission",
+            "description": "General policy for any administrative resource.",
+            "type": "resource",
+            "logic": "POSITIVE",
+            "decisionStrategy": "UNANIMOUS",
+            "config": {
+              "defaultResourceType": "http://photoz.com/admin",
+              "applyPolicies": "[\"Administration Policy\"]",
+              "default": "true"
+            }
+          },
+          {
+            "name": "Album Resource Permission",
+            "description": "A default permission that defines access for any album resource",
+            "type": "scope",
+            "logic": "POSITIVE",
+            "decisionStrategy": "UNANIMOUS",
+            "config": {
+              "resources": "[\"Album Resource\"]",
+              "scopes": "[\"album:view\",\"album:delete\"]",
+              "applyPolicies": "[\"Only Owner and Administrators Policy\"]"
+            }
+          },
+          {
+            "name": "View User Permission",
+            "description": "Defines who is allowed to view an user profile",
+            "type": "scope",
+            "logic": "POSITIVE",
+            "decisionStrategy": "UNANIMOUS",
+            "config": {
+              "scopes": "[\"profile:view\"]",
+              "applyPolicies": "[\"Only From @keycloak.org or Admin\"]"
+            }
+          }
+        ]
+      }
     }
   ]
 }