-
Notifications
You must be signed in to change notification settings - Fork 1
/
WasmPolicyProvider.java
144 lines (127 loc) · 5.31 KB
/
WasmPolicyProvider.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
package org.keycloak.authorization.policy;
import java.io.File;
import java.util.List;
import java.util.Map;
import com.dylibso.chicory.runtime.ExportFunction;
import com.dylibso.chicory.runtime.HostFunction;
import com.dylibso.chicory.runtime.HostImports;
import com.dylibso.chicory.runtime.Instance;
import com.dylibso.chicory.runtime.Module;
import com.dylibso.chicory.runtime.WasmFunctionHandle;
import com.dylibso.chicory.wasm.types.Value;
import com.dylibso.chicory.wasm.types.ValueType;
import org.keycloak.authorization.identity.Identity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.policy.evaluation.Evaluation;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.policy.provider.PolicyProvider;
/**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
*/
public class WasmPolicyProvider implements PolicyProvider {
public final static String WASM_FILE = "wasm-file";
public final static String MODULE_NAME = "env";
private static final Value[] TRUE_RES = new Value[]{Value.TRUE};
private static final Value[] FALSE_RES = new Value[]{Value.FALSE};
@Override
public void evaluate(Evaluation evaluation) {
EvaluationContext context = evaluation.getContext();
Identity identity = context.getIdentity();
Policy policy = evaluation.getPolicy();
Map<String, String> config = policy.getConfig();
if (config.containsKey(WASM_FILE)) {
System.out.println("The selected wasm module is " + config.get(WASM_FILE));
}
// From Classpath:
// Module module = Module.builder("wasm/" + config.get(WASM_FILE) + ".wasm").build();
// From file to have fully dynamic loading:
Module module = Module.builder(new File("src/main/resources/wasm/" + config.get(WASM_FILE) + ".wasm")).build();
HostImports imports = new HostImports(
new HostFunction[]{
new HostFunction(
evaluationGrant(evaluation),
MODULE_NAME,
"evaluation_grant",
List.of(),
List.of()),
new HostFunction(
evaluationDeny(evaluation),
MODULE_NAME,
"evaluation_deny",
List.of(),
List.of()),
new HostFunction(
identityHasRealmRole(identity),
MODULE_NAME,
"identity_has_realm_role",
List.of(ValueType.I32, ValueType.I32),
List.of(ValueType.I32)),
new HostFunction(
identityHasAttributeValue(identity),
MODULE_NAME,
"identity_has_attribute_value",
List.of(ValueType.I32, ValueType.I32),
List.of(ValueType.I32))
}
);
Instance instance = module.instantiate(imports);
ExportFunction evaluate = instance.export("evaluate");
evaluate.apply();
// // RBAC
// if (identity.hasRealmRole("myrole")) {
// evaluation.grant();
// }
//
// // ABAC
// if (identity.getAttributes().containsValue("myplan", "premium")) {
// evaluation.grant();
// }
}
private WasmFunctionHandle evaluationGrant(Evaluation evaluation) {
return (Instance instance, Value ... args) -> {
System.out.println("FUNCTION: GRANT");
evaluation.grant();
return null;
};
}
private WasmFunctionHandle evaluationDeny(Evaluation evaluation) {
return (Instance instance, Value ... args) -> {
System.out.println("FUNCTION: DENY");
evaluation.deny();
return null;
};
}
private WasmFunctionHandle identityHasRealmRole(Identity identity) {
return (Instance instance, Value ... args) -> {
final int addr = args[0].asInt();
final int size = args[1].asInt();
String realmRole = instance.memory().readString(addr, size);
System.out.println("FUNCTION: HAS REALM ROLE " + realmRole);
if (identity.hasRealmRole(realmRole)) {
return TRUE_RES;
} else {
return FALSE_RES;
}
};
}
private WasmFunctionHandle identityHasAttributeValue(Identity identity) {
return (Instance instance, Value ... args) -> {
final int keyAddr = args[0].asInt();
final int keySize = args[1].asInt();
final int valueAddr = args[2].asInt();
final int valueSize = args[3].asInt();
String key = instance.memory().readString(keyAddr, keySize);
String value = instance.memory().readString(valueAddr, valueSize);
System.out.println("FUNCTION: HAS ATTRIBUTE VALUE " + key + " : " + value);
if (identity.getAttributes().containsValue(key, value)) {
return TRUE_RES;
} else {
return FALSE_RES;
}
};
}
@Override
public void close() {
// method called at the end of the request lifecycle
}
}