Ok, I figured it out; it needs to be:
var permission = $evaluation.getPermission();
var resource = permission.getResource();
var attributes = resource.getAttributes(); // java.util.Map<String, List<String>>
var anotherStatus = attributes.get('status'); // returns a List<String>, not a String
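The following is an added example, not code from this thread or from Keycloak. It puts the fix above together with Pedro's suggestion further down of a JS policy attached to a scope permission for album:approve that refuses the resource owner. The first function is the policy body as it would be pasted into the Keycloak JS policy editor: it treats get('status') as the java.util.List it actually is, denies when the attribute is missing or the permission carries no resource, and denies the owner. Everything after it is a constructed stand-in for the Java objects Keycloak injects as $evaluation; the method names follow Keycloak's Evaluation, ResourcePermission, Resource and Identity API, but the mock objects, the user and owner ids and the decide helper are assumptions so the file can run under Node.js.

```javascript
// Added example, not from the thread or from Keycloak.
// Part 1: the policy body. In Keycloak this is the script itself and
// $evaluation is injected; here it is wrapped in a function so it can be
// exercised locally against the constructed objects in part 2.
function evaluate($evaluation) {
  var permission = $evaluation.getPermission();
  var resource = permission.getResource();

  if (!resource) {
    // A permission may be evaluated without a concrete resource; fail closed.
    $evaluation.deny();
  } else {
    // getAttributes() is a java.util.Map<String, List<String>>, so get('status')
    // returns a List (or null when the attribute was never set), never a String.
    // Calling .getValue() on the Map is a "null is not a function" TypeError, and
    // .equals('APPROVED') on the List would never match.
    var statuses = resource.getAttributes().get('status');
    var status = (statuses !== null && !statuses.isEmpty()) ? statuses.get(0) : null;

    // Nashorn exposes java.lang.String as a JS string, so === works here.
    var identity = $evaluation.getContext().getIdentity();
    var isOwner = resource.getOwner() === identity.getId();

    // Grant only for APPROVED albums, and never to the user who owns the album
    // (the workflow rule: you cannot approve what you created yourself).
    if (status === 'APPROVED' && !isOwner) {
      $evaluation.grant();
    } else {
      $evaluation.deny();
    }
  }
}

// Part 2: constructed stand-ins (assumption, for local runs only) for the Java
// objects Keycloak would inject. Only the methods the policy calls are mocked.
function javaList(items) {        // mimics java.util.List<String>
  return {
    isEmpty: function () { return items.length === 0; },
    get: function (i) { return items[i]; }
  };
}
function javaMap(obj) {           // mimics Map<String, List<String>>; missing key -> null
  return {
    get: function (k) {
      return Object.prototype.hasOwnProperty.call(obj, k) ? javaList(obj[k]) : null;
    }
  };
}
function makeEvaluation(opts) {   // opts: owner, userId, attributes, noResource
  var decision = null;            // what the policy voted: 'GRANT', 'DENY' or null
  var resource = opts.noResource ? null : {
    getOwner: function () { return opts.owner; },
    getAttributes: function () { return javaMap(opts.attributes); }
  };
  return {
    getPermission: function () {
      return { getResource: function () { return resource; } };
    },
    getContext: function () {
      return { getIdentity: function () { return { getId: function () { return opts.userId; } }; } };
    },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    result: function () { return decision; }
  };
}
// Run the policy once for a constructed request and report its vote.
function decide(opts) {
  var ev = makeEvaluation(opts);
  evaluate(ev);
  return ev.result();
}
```

With this in place, decide({ owner: 'alice', userId: 'bob', attributes: { status: ['APPROVED'] } }) votes GRANT, while the same request from 'alice' (the owner), a request with status CREATED, a missing or empty status attribute, or a permission with no resource all vote DENY. Only the policy body goes into Keycloak; the stand-ins exist so the decision logic can be unit-tested before it is deployed.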
On Fri, 26 Oct 2018 at 08:21, Melissa Palmer <melissa.palmer(a)gmail.com>
wrote:
Thanks Pedro
I had figured that out before your email and tried it; unfortunately I am
always getting a null for the resource. Any pointers on that one?
- I don't know how to debug this, any pointers?
*CODE in JS PERMISSION*
var permission = $evaluation.getPermission();
var resource = permission.getResource();
var attributes = resource.getAttributes();
var anotherStatus = attributes.getValue('status');
if (anotherStatus.equals('APPROVED')) {
$evaluation.grant();
}
*ERROR*
Caused by: java.lang.RuntimeException: Error evaluating JS Policy [Album Resource status.APPROVED].
    at org.keycloak.authorization.policy.provider.js.JSPolicyProvider.evaluate(JSPolicyProvider.java:56)
    at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.lambda$evaluate$1(AbstractPermissionProvider.java:51)
    at java.lang.Iterable.forEach(Iterable.java:75)
    at java.util.Collections$UnmodifiableCollection.forEach(Collections.java:1080)
    at org.keycloak.authorization.policy.provider.permission.AbstractPermissionProvider.evaluate(AbstractPermissionProvider.java:43)
    at org.keycloak.authorization.policy.provider.permission.ScopePolicyProvider.evaluate(ScopePolicyProvider.java:52)
    at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.lambda$createPolicyEvaluator$0(DefaultPolicyEvaluator.java:107)
    at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.cacheQuery(StoreFactoryCacheSession.java:939)
    at org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$PolicyCache.findByResource(StoreFactoryCacheSession.java:863)
    at org.keycloak.authorization.AuthorizationProvider$3.findByResource(AuthorizationProvider.java:390)
    at org.keycloak.authorization.policy.evaluation.DefaultPolicyEvaluator.evaluate(DefaultPolicyEvaluator.java:75)
    at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:59)
    ... 75 more
Caused by: java.lang.RuntimeException: javax.script.ScriptException: TypeError: null is not a function in <eval> at line number 5
    at org.keycloak.scripting.CompiledEvaluatableScriptAdapter.eval(CompiledEvaluatableScriptAdapter.java:47)
    at org.keycloak.authorization.policy.provider.js.JSPolicyProvider.evaluate(JSPolicyProvider.java:53)
    ... 86 more
Caused by: javax.script.ScriptException: TypeError: null is not a function in <eval> at line number 5
    at jdk.nashorn.api.scripting.NashornScriptEngine.throwAsScriptException(NashornScriptEngine.java:467)
    at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:423)
    at jdk.nashorn.api.scripting.NashornScriptEngine.access$300(NashornScriptEngine.java:73)
    at jdk.nashorn.api.scripting.NashornScriptEngine$3.eval(NashornScriptEngine.java:511)
    at org.keycloak.scripting.CompiledEvaluatableScriptAdapter.eval(CompiledEvaluatableScriptAdapter.java:45)
    ... 87 more
Caused by: <eval>:5 TypeError: null is not a function
    at jdk.nashorn.internal.runtime.ECMAErrors.error(ECMAErrors.java:57)
    at jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:213)
    at jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:185)
    at jdk.nashorn.internal.runtime.ECMAErrors.typeError(ECMAErrors.java:172)
    at jdk.nashorn.internal.runtime.linker.NashornBottomLinker.linkNull(NashornBottomLinker.java:177)
    at jdk.nashorn.internal.runtime.linker.NashornBottomLinker.getGuardedInvocation(NashornBottomLinker.java:66)
    at jdk.internal.dynalink.support.CompositeGuardingDynamicLinker.getGuardedInvocation(CompositeGuardingDynamicLinker.java:124)
    at jdk.internal.dynalink.support.LinkerServicesImpl.getGuardedInvocation(LinkerServicesImpl.java:154)
    at jdk.internal.dynalink.DynamicLinker.relink(DynamicLinker.java:253)
    at jdk.nashorn.internal.scripts.Script$\^eval\_.:program(<eval>:5)
    at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:637)
    at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:494)
    at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:393)
    at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:418)
    ... 90 more
On Thu, 25 Oct 2018 at 21:12, Pedro Igor Silva <psilva(a)redhat.com> wrote:
> You can check both the Evaluation API[1] and JS Policy[2] documentation.
> I'll update docs with some examples of fetching resources/scopes and
> attributes from JS policies, meanwhile here it is:
>
> var permission = $evaluation.getPermission();
> var resource = permission.getResource();
> var attributes = resource.getAttributes();
>
> For more information about methods that you can use to fetch attributes,
> check
> https://github.com/keycloak/keycloak/blob/b4b3527df7656bfaaee351ec414e56c...
> .
>
> Regards.
> Pedro Igor
>
> [1]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_p...
> [2]
> https://www.keycloak.org/docs/latest/authorization_services/index.html#ex...
>
> On Thu, Oct 25, 2018 at 2:54 PM Melissa Palmer <melissa.palmer(a)gmail.com>
> wrote:
>
>>
>> Hi Pedro,
>>
>> How do I get at the resource (and its attributes) via the JS policy?
>> I have tried these, but they are not working:
>> var resource = context.getResource();
>> var resource = $evaluation.getResource();
>>
>> Thanks
>> Melissa
>>
>>
>>
>> On Wed, 24 Oct 2018 at 15:56, Melissa Palmer <melissa.palmer(a)gmail.com>
>> wrote:
>>
>>> Ok thank you, yes I have seen the REST API. I
>>> hadn't really thought I needed to use the API for this. What are you
>>> thinking?
>>>
>>> On 24 Oct 2018, at 3:14 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>> wrote:
>>>
>>> Yeah, I think so. I need to document this ... But we also expose
>>> endpoints in Admin REST API which you could use to manage these
>>> permissions/policies from your app.
>>>
>>> On Wed, Oct 24, 2018 at 10:01 AM Melissa Palmer <
>>> melissa.palmer(a)gmail.com> wrote:
>>>
>>>> Thanks Pedro, I will take a closer look.
>>>> Yes, I'll put the workflow in the app. But we do want to manage the
>>>> permissions in Keycloak.
>>>>
>>>> I tried to align with the QuickStart to explain. But it's not
>>>> necessarily on a resource that I own that I want to do this. For example,
>>>> it could be against adding products in an ecommerce app, or transactions
>>>> for a company.
>>>>
>>>> It sounds like I should rather use the non-UMA example to try this
>>>> against. Would that be better?
>>>>
>>>> Thanks
>>>> Melissa
>>>>
>>>>
>>>> On 24 Oct 2018, at 2:44 PM, Pedro Igor Silva <psilva(a)redhat.com>
>>>> wrote:
>>>>
>>>> Hi Melissa,
>>>>
>>>> I don't think this is very different than what we have in the
>>>> quickstart you mentioned.
>>>>
>>>> On Wed, Oct 24, 2018 at 9:00 AM Melissa Palmer <
>>>> melissa.palmer(a)gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am trying to do something similar to the following:
>>>>> - have a resource (say album) in the app-authz-uma-photoz quickstart that
>>>>> includes a status attribute against it.
>>>>> - status such as: CREATED, APPROVED, DECLINED
>>>>>
>>>>
>>>> You probably noticed that resources in Keycloak have attributes, so
>>>> you could set a "status" accordingly. You should be able to write JS
>>>> policies that can access any attribute associated with a resource.
>>>>
>>>>
>>>>> - a person can then be given a role that allows for permissions (via a
>>>>> role) such as
>>>>>
>>>>> - album:create
>>>>> - album:approve
>>>>> - album:decline
>>>>>
>>>>
>>>> If you have different authorization requirements for each scope, you
>>>> can create a scope-based permission for each scope. Otherwise, a single
>>>> scope-permission managing access for all of them.
>>>>
>>>>
>>>>>
>>>>> - BUT a person is not allowed to approve any albums they created
>>>>> themselves
>>>>>
>>>>
>>>> I would create a scope-permission specific for album:approve and
>>>> associate it with a JS policy that denies access to the resource owner
>>>> (considering the owner is the person that created the resource).
>>>>
>>>>
>>>>>
>>>>> Is there a keycloak-quickstarts/example I can start from?
>>>>> Or a recommended way I should attempt to tackle this?
>>>>>
>>>>
>>>> It is worth highlighting that when using UMA and, especially, the "My
>>>> Resources" page in the Account Service, resource owners are always allowed
>>>> to manage their resources. It seems you are more interested in a workflow
>>>> that does not really fit this functionality in particular. I think you
>>>> would need to manage this workflow from your app based on the permissions
>>>> you have in Keycloak.
>>>>
>>>>
>>>>>
>>>>> Thank You in advance,
>>>>> Melissa
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user(a)lists.jboss.org
>>>>>
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>