commit
286fb688eb
5 changed files with 110 additions and 10 deletions
|
@ -19,6 +19,7 @@ package org.keycloak.forms.account.freemarker.model;
|
|||
|
||||
import org.keycloak.common.util.MultivaluedHashMap;
|
||||
import org.keycloak.models.ClientModel;
|
||||
import org.keycloak.models.Constants;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.ProtocolMapperModel;
|
||||
import org.keycloak.models.RealmModel;
|
||||
|
@ -27,8 +28,10 @@ import org.keycloak.models.UserConsentModel;
|
|||
import org.keycloak.models.UserModel;
|
||||
import org.keycloak.protocol.oidc.TokenManager;
|
||||
import org.keycloak.services.managers.UserSessionManager;
|
||||
import org.keycloak.services.resources.admin.permissions.AdminPermissions;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashSet;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
@ -51,11 +54,18 @@ public class ApplicationsBean {
|
|||
continue;
|
||||
}
|
||||
|
||||
Set<RoleModel> availableRoles = TokenManager.getAccess(null, false, client, user);
|
||||
Set<RoleModel> availableRoles = new HashSet<>();
|
||||
if (client.getClientId().equals(Constants.ADMIN_CLI_CLIENT_ID)
|
||||
|| client.getClientId().equals(Constants.ADMIN_CONSOLE_CLIENT_ID)) {
|
||||
if (!AdminPermissions.realms(session, realm, user).isAdmin()) continue;
|
||||
|
||||
} else {
|
||||
availableRoles = TokenManager.getAccess(null, false, client, user);
|
||||
// Don't show applications, which user doesn't have access into (any available roles)
|
||||
if (availableRoles.isEmpty()) {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
List<RoleModel> realmRolesAvailable = new LinkedList<RoleModel>();
|
||||
MultivaluedHashMap<String, ClientRoleEntry> resourceRolesAvailable = new MultivaluedHashMap<String, ClientRoleEntry>();
|
||||
processRoles(availableRoles, realmRolesAvailable, resourceRolesAvailable);
|
||||
|
|
|
@ -46,6 +46,10 @@ public class AdminPermissions {
|
|||
return new MgmtPermissions(session, auth);
|
||||
}
|
||||
|
||||
public static RealmsPermissionEvaluator realms(KeycloakSession session, RealmModel adminsRealm, UserModel admin) {
|
||||
return new MgmtPermissions(session, adminsRealm, admin);
|
||||
}
|
||||
|
||||
public static AdminPermissionManagement management(KeycloakSession session, RealmModel realm) {
|
||||
return new MgmtPermissions(session, realm);
|
||||
}
|
||||
|
|
|
@ -107,6 +107,14 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
|
|||
this.identity = new KeycloakIdentity(auth.getToken(), session);
|
||||
}
|
||||
}
|
||||
|
||||
MgmtPermissions(KeycloakSession session, RealmModel adminsRealm, UserModel admin) {
|
||||
this.session = session;
|
||||
this.admin = admin;
|
||||
this.adminsRealm = adminsRealm;
|
||||
this.identity = new UserModelIdentity(adminsRealm, admin);
|
||||
}
|
||||
|
||||
MgmtPermissions(KeycloakSession session, RealmModel realm, RealmModel adminsRealm, UserModel admin) {
|
||||
this(session, realm);
|
||||
this.admin = admin;
|
||||
|
|
|
@ -28,6 +28,9 @@ import org.keycloak.admin.client.resource.RealmResource;
|
|||
import org.keycloak.events.Details;
|
||||
import org.keycloak.events.Errors;
|
||||
import org.keycloak.events.EventType;
|
||||
import org.keycloak.models.AccountRoles;
|
||||
import org.keycloak.models.AdminRoles;
|
||||
import org.keycloak.models.Constants;
|
||||
import org.keycloak.models.PasswordPolicy;
|
||||
import org.keycloak.models.utils.TimeBasedOTP;
|
||||
import org.keycloak.representations.idm.ClientRepresentation;
|
||||
|
@ -83,6 +86,13 @@ public class AccountTest extends AbstractTestRealmKeycloakTest {
|
|||
.email("test-user-no-access@localhost")
|
||||
.password("password")
|
||||
.build();
|
||||
UserRepresentation realmAdmin = UserBuilder.create()
|
||||
.enabled(true)
|
||||
.username("realm-admin")
|
||||
.password("password")
|
||||
.role(Constants.REALM_MANAGEMENT_CLIENT_ID, AdminRoles.REALM_ADMIN)
|
||||
.role(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID, AccountRoles.MANAGE_ACCOUNT)
|
||||
.build();
|
||||
|
||||
testRealm.addIdentityProvider(IdentityProviderBuilder.create()
|
||||
.providerId("github")
|
||||
|
@ -105,7 +115,8 @@ public class AccountTest extends AbstractTestRealmKeycloakTest {
|
|||
.build());
|
||||
|
||||
RealmBuilder.edit(testRealm)
|
||||
.user(user2);
|
||||
.user(user2)
|
||||
.user(realmAdmin);
|
||||
}
|
||||
|
||||
private static final UriBuilder BASE = UriBuilder.fromUri("http://localhost:8180/auth");
|
||||
|
@ -870,6 +881,19 @@ public class AccountTest extends AbstractTestRealmKeycloakTest {
|
|||
}
|
||||
}
|
||||
|
||||
// KEYCLOAK-5155
|
||||
@Test
|
||||
public void testConsoleListedInApplications() {
|
||||
applicationsPage.open();
|
||||
loginPage.login("realm-admin", "password");
|
||||
Assert.assertTrue(applicationsPage.isCurrent());
|
||||
Map<String, AccountApplicationsPage.AppEntry> apps = applicationsPage.getApplications();
|
||||
Assert.assertThat(apps.keySet(), hasItems("Admin CLI", "Security Admin Console"));
|
||||
events.clear();
|
||||
}
|
||||
|
||||
|
||||
|
||||
// More tests (including revoke) are in OAuthGrantTest and OfflineTokenTest
|
||||
@Test
|
||||
public void applications() {
|
||||
|
|
|
@ -648,6 +648,60 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
|
|||
}
|
||||
|
||||
}
|
||||
|
||||
// KEYCLOAK-5152
|
||||
@Test
|
||||
public void testMasterRealmWithComposites() throws Exception {
|
||||
RoleRepresentation composite = new RoleRepresentation();
|
||||
composite.setName("composite");
|
||||
composite.setComposite(true);
|
||||
adminClient.realm(TEST).roles().create(composite);
|
||||
composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
|
||||
|
||||
RoleRepresentation compositePart = new RoleRepresentation();
|
||||
compositePart.setName("composite-part");
|
||||
adminClient.realm(TEST).roles().create(compositePart);
|
||||
compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
|
||||
|
||||
List<RoleRepresentation> composites = new LinkedList<>();
|
||||
composites.add(compositePart);
|
||||
adminClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
|
||||
}
|
||||
|
||||
public static void setup5152(KeycloakSession session) {
|
||||
RealmModel realm = session.realms().getRealmByName(TEST);
|
||||
ClientModel realmAdminClient = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
|
||||
RoleModel realmAdminRole = realmAdminClient.getRole(AdminRoles.REALM_ADMIN);
|
||||
|
||||
UserModel realmUser = session.users().addUser(realm, "realm-admin");
|
||||
realmUser.grantRole(realmAdminRole);
|
||||
realmUser.setEnabled(true);
|
||||
session.userCredentialManager().updateCredential(realm, realmUser, UserCredentialModel.password("password"));
|
||||
}
|
||||
|
||||
// KEYCLOAK-5152
|
||||
@Test
|
||||
public void testRealmWithComposites() throws Exception {
|
||||
testingClient.server().run(FineGrainAdminUnitTest::setup5152);
|
||||
|
||||
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
|
||||
TEST, "realm-admin", "password", Constants.ADMIN_CLI_CLIENT_ID, null);
|
||||
|
||||
RoleRepresentation composite = new RoleRepresentation();
|
||||
composite.setName("composite");
|
||||
composite.setComposite(true);
|
||||
realmClient.realm(TEST).roles().create(composite);
|
||||
composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
|
||||
|
||||
RoleRepresentation compositePart = new RoleRepresentation();
|
||||
compositePart.setName("composite-part");
|
||||
realmClient.realm(TEST).roles().create(compositePart);
|
||||
compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
|
||||
|
||||
List<RoleRepresentation> composites = new LinkedList<>();
|
||||
composites.add(compositePart);
|
||||
realmClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
|
||||
}
|
||||
// testRestEvaluationMasterRealm
|
||||
// testRestEvaluationMasterAdminTestRealm
|
||||
|
||||
|
|
Loading…
Reference in a new issue