Merge pull request #4320 from patriot1burke/master

KEYCLOAK-5155

services/src/main/java/org/keycloak/forms/account/freemarker/model/ApplicationsBean.java

@@ -19,6 +19,7 @@ package org.keycloak.forms.account.freemarker.model;
 
 import org.keycloak.common.util.MultivaluedHashMap;
 import org.keycloak.models.ClientModel;
+import org.keycloak.models.Constants;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.RealmModel;
@@ -27,8 +28,10 @@ import org.keycloak.models.UserConsentModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.protocol.oidc.TokenManager;
 import org.keycloak.services.managers.UserSessionManager;
+import org.keycloak.services.resources.admin.permissions.AdminPermissions;
 
 import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
@@ -51,10 +54,17 @@ public class ApplicationsBean {
                 continue;
             }
 
-            Set<RoleModel> availableRoles = TokenManager.getAccess(null, false, client, user);
+            Set<RoleModel> availableRoles = new HashSet<>();
-            // Don't show applications, which user doesn't have access into (any available roles)
+            if (client.getClientId().equals(Constants.ADMIN_CLI_CLIENT_ID)
-            if (availableRoles.isEmpty()) {
+                    || client.getClientId().equals(Constants.ADMIN_CONSOLE_CLIENT_ID)) {
-                continue;
+                if (!AdminPermissions.realms(session, realm, user).isAdmin()) continue;
+
+            } else {
+                availableRoles = TokenManager.getAccess(null, false, client, user);
+                // Don't show applications, which user doesn't have access into (any available roles)
+                if (availableRoles.isEmpty()) {
+                    continue;
+                }
             }
             List<RoleModel> realmRolesAvailable = new LinkedList<RoleModel>();
             MultivaluedHashMap<String, ClientRoleEntry> resourceRolesAvailable = new MultivaluedHashMap<String, ClientRoleEntry>();

services/src/main/java/org/keycloak/services/resources/admin/permissions/AdminPermissions.java

@@ -46,6 +46,10 @@ public class AdminPermissions {
         return new MgmtPermissions(session, auth);
     }
 
+    public static RealmsPermissionEvaluator realms(KeycloakSession session, RealmModel adminsRealm, UserModel admin) {
+        return new MgmtPermissions(session, adminsRealm, admin);
+    }
+
     public static AdminPermissionManagement management(KeycloakSession session, RealmModel realm) {
         return new MgmtPermissions(session, realm);
     }

services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java

@@ -107,6 +107,14 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
             this.identity = new KeycloakIdentity(auth.getToken(), session);
         }
     }
+
+    MgmtPermissions(KeycloakSession session, RealmModel adminsRealm, UserModel admin) {
+        this.session = session;
+        this.admin = admin;
+        this.adminsRealm = adminsRealm;
+        this.identity = new UserModelIdentity(adminsRealm, admin);
+    }
+
     MgmtPermissions(KeycloakSession session, RealmModel realm, RealmModel adminsRealm, UserModel admin) {
         this(session, realm);
         this.admin = admin;

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountTest.java

@@ -28,6 +28,9 @@ import org.keycloak.admin.client.resource.RealmResource;
 import org.keycloak.events.Details;
 import org.keycloak.events.Errors;
 import org.keycloak.events.EventType;
+import org.keycloak.models.AccountRoles;
+import org.keycloak.models.AdminRoles;
+import org.keycloak.models.Constants;
 import org.keycloak.models.PasswordPolicy;
 import org.keycloak.models.utils.TimeBasedOTP;
 import org.keycloak.representations.idm.ClientRepresentation;
@@ -78,11 +81,18 @@ public class AccountTest extends AbstractTestRealmKeycloakTest {
         //UserRepresentation user = findUserInRealmRep(testRealm, "test-user@localhost");
         //ClientRepresentation accountApp = findClientInRealmRep(testRealm, ACCOUNT_MANAGEMENT_CLIENT_ID);
         UserRepresentation user2 = UserBuilder.create()
-                                              .enabled(true)
+                .enabled(true)
-                                              .username("test-user-no-access@localhost")
+                .username("test-user-no-access@localhost")
-                                              .email("test-user-no-access@localhost")
+                .email("test-user-no-access@localhost")
-                                              .password("password")
+                .password("password")
-                                              .build();
+                .build();
+        UserRepresentation realmAdmin = UserBuilder.create()
+                .enabled(true)
+                .username("realm-admin")
+                .password("password")
+                .role(Constants.REALM_MANAGEMENT_CLIENT_ID, AdminRoles.REALM_ADMIN)
+                .role(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID, AccountRoles.MANAGE_ACCOUNT)
+                .build();
 
         testRealm.addIdentityProvider(IdentityProviderBuilder.create()
                                               .providerId("github")
@@ -105,7 +115,8 @@ public class AccountTest extends AbstractTestRealmKeycloakTest {
                                               .build());
 
         RealmBuilder.edit(testRealm)
-                    .user(user2);
+                    .user(user2)
+                    .user(realmAdmin);
     }
 
     private static final UriBuilder BASE = UriBuilder.fromUri("http://localhost:8180/auth");
@@ -870,6 +881,19 @@ public class AccountTest extends AbstractTestRealmKeycloakTest {
         }
     }
 
+    // KEYCLOAK-5155
+    @Test
+    public void testConsoleListedInApplications() {
+        applicationsPage.open();
+        loginPage.login("realm-admin", "password");
+        Assert.assertTrue(applicationsPage.isCurrent());
+        Map<String, AccountApplicationsPage.AppEntry> apps = applicationsPage.getApplications();
+        Assert.assertThat(apps.keySet(), hasItems("Admin CLI", "Security Admin Console"));
+        events.clear();
+    }
+
+
+
     // More tests (including revoke) are in OAuthGrantTest and OfflineTokenTest
     @Test
     public void applications() {

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java

@@ -648,6 +648,60 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
         }
 
     }
+
+    // KEYCLOAK-5152
+    @Test
+    public void testMasterRealmWithComposites() throws Exception {
+        RoleRepresentation composite = new RoleRepresentation();
+        composite.setName("composite");
+        composite.setComposite(true);
+        adminClient.realm(TEST).roles().create(composite);
+        composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
+
+        RoleRepresentation compositePart = new RoleRepresentation();
+        compositePart.setName("composite-part");
+        adminClient.realm(TEST).roles().create(compositePart);
+        compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
+
+        List<RoleRepresentation> composites = new LinkedList<>();
+        composites.add(compositePart);
+        adminClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
+    }
+
+    public static void setup5152(KeycloakSession session) {
+        RealmModel realm = session.realms().getRealmByName(TEST);
+        ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
+        RoleModel realmAdminRole = realmAdminClient.getRole(AdminRoles.REALM_ADMIN);
+
+        UserModel realmUser = session.users().addUser(realm, "realm-admin");
+        realmUser.grantRole(realmAdminRole);
+        realmUser.setEnabled(true);
+        session.userCredentialManager().updateCredential(realm, realmUser, UserCredentialModel.password("password"));
+    }
+
+    // KEYCLOAK-5152
+    @Test
+    public void testRealmWithComposites() throws Exception {
+        testingClient.server().run(FineGrainAdminUnitTest::setup5152);
+
+        Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
+                TEST, "realm-admin", "password", Constants.ADMIN_CLI_CLIENT_ID, null);
+
+        RoleRepresentation composite = new RoleRepresentation();
+        composite.setName("composite");
+        composite.setComposite(true);
+        realmClient.realm(TEST).roles().create(composite);
+        composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
+
+        RoleRepresentation compositePart = new RoleRepresentation();
+        compositePart.setName("composite-part");
+        realmClient.realm(TEST).roles().create(compositePart);
+        compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
+
+        List<RoleRepresentation> composites = new LinkedList<>();
+        composites.add(compositePart);
+        realmClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
+    }
     // testRestEvaluationMasterRealm
     // testRestEvaluationMasterAdminTestRealm