Ensure correct treatment of auth and transient users

This commit establishes consistency in retrieval of users and responses
between `org.keycloak.admin.ui.rest.UsersResource.getUser(String)` and
`org.keycloak.services.resources.admin.UsersResource.user(String)`

Fixes: #28666

Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
Hynek Mlnarik 2024-04-12 12:52:32 +02:00 committed by Hynek Mlnařík
parent 5e0d323304
commit 146204c5cd
2 changed files with 21 additions and 4 deletions


@ -57,6 +57,6 @@ public final class AdminExtResource {
@Path("/users") @Path("/users")
public UsersResource users() { public UsersResource users() {
return new UsersResource(session); return new UsersResource(session, auth);
} }
} }
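Review bot: The `users()` locator now forwards `auth` to the sub-resource with no comment on why, and it performs no permission check itself, so the whole authorization decision for `/users/{id}` rests on what `UsersResource` does with that evaluator. A one-line comment above the return would record the intent, for example `// auth lets UsersResource answer 403 instead of 404 to callers who may not query users`. The declaration and initialisation of `auth` are outside this hunk, so it cannot be confirmed from here that it is always non-null when the locator runs. If it were null, the `auth.users().canQuery()` call in `getUser` would presumably surface as a server error rather than the intended 403/404. The body of `AdminExtResource` starts outside the hunk.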


@ -6,21 +6,38 @@ import jakarta.ws.rs.PathParam;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.light.LightweightUserAdapter;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import jakarta.ws.rs.ForbiddenException;
public class UsersResource { public class UsersResource {
private final KeycloakSession session; private final KeycloakSession session;
public UsersResource(KeycloakSession session) { private final AdminPermissionEvaluator auth;
public UsersResource(KeycloakSession session, AdminPermissionEvaluator auth) {
this.session = session; this.session = session;
this.auth = auth;
} }
@Path("{id}") @Path("{id}")
public UserResource getUser(@PathParam("id") String id) { public UserResource getUser(@PathParam("id") String id) {
RealmModel realm = session.getContext().getRealm(); RealmModel realm = session.getContext().getRealm();
UserModel user = session.users().getUserById(realm, id); UserModel user = null;
if (LightweightUserAdapter.isLightweightUser(id)) {
UserSessionModel userSession = session.sessions().getUserSession(realm, LightweightUserAdapter.getLightweightUserId(id));
if (userSession != null) {
user = userSession.getUser();
}
} else {
user = session.users().getUserById(realm, id);
}
if (user == null) { if (user == null) {
throw new NotFoundException(); // we do this to make sure somebody can't phish ids
if (auth.users().canQuery()) throw new NotFoundException("User not found");
else throw new ForbiddenException();
} }
return new UserResource(session, user); return new UserResource(session, user);