From 2fce06ffcad952b54cd9410fb92eaf81117283cc Mon Sep 17 00:00:00 2001
From: Stian Thorgersen <stianst@gmail.com>
Date: Thu, 25 Feb 2016 09:54:34 +0100
Subject: [PATCH] KEYCLOAK-2522 master realm admin can't use client
 registration api

---
 .../ClientRegistrationAuth.java               | 25 +++++++++++++------
 .../client/ClientRegistrationTest.java        | 19 ++++++++++++++
 2 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java
index 8434593001..5dc72854a1 100644
--- a/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java
+++ b/services/src/main/java/org/keycloak/services/clientregistration/ClientRegistrationAuth.java
@@ -17,7 +17,9 @@
 
 package org.keycloak.services.clientregistration;
 
+import com.sun.xml.bind.v2.runtime.reflect.opt.Const;
 import org.jboss.resteasy.spi.UnauthorizedException;
+import org.keycloak.Config;
 import org.keycloak.common.util.Time;
 import org.keycloak.events.Errors;
 import org.keycloak.events.EventBuilder;
@@ -28,6 +30,7 @@ import org.keycloak.util.TokenUtil;
 
 import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.UriInfo;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 
@@ -39,6 +42,7 @@ public class ClientRegistrationAuth {
     private KeycloakSession session;
     private EventBuilder event;
 
+    private RealmModel realm;
     private JsonWebToken jwt;
     private ClientInitialAccessModel initialAccessModel;
 
@@ -50,7 +54,7 @@ public class ClientRegistrationAuth {
     }
 
     private void init() {
-        RealmModel realm = session.getContext().getRealm();
+        realm = session.getContext().getRealm();
         UriInfo uri = session.getContext().getUri();
 
         String authorizationHeader = session.getContext().getRequestHeaders().getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
@@ -174,18 +178,25 @@ public class ClientRegistrationAuth {
                     return false;
                 }
 
-                Map<String, List<String>> realmManagement = resourceAccess.get(Constants.REALM_MANAGEMENT_CLIENT_ID);
-                if (realmManagement == null) {
-                    return false;
+                List<String> roles = null;
+
+                Map<String, List<String>> map;
+                if (realm.getName().equals(Config.getAdminRealm())) {
+                    map = resourceAccess.get(realm.getMasterAdminClient().getClientId());
+                } else {
+                    map = resourceAccess.get(Constants.REALM_MANAGEMENT_CLIENT_ID);
                 }
 
-                List<String> resources = realmManagement.get("roles");
-                if (resources == null) {
+                if (map != null) {
+                    roles = map.get("roles");
+                }
+
+                if (roles == null) {
                     return false;
                 }
 
                 for (String r : role) {
-                    if (resources.contains(r)) {
+                    if (roles.contains(r)) {
                         return true;
                     }
                 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java
index 73e79c5ed1..70bfed0e0a 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/ClientRegistrationTest.java
@@ -19,8 +19,10 @@ package org.keycloak.testsuite.client;
 
 import org.junit.Test;
 import org.keycloak.client.registration.Auth;
+import org.keycloak.client.registration.ClientRegistration;
 import org.keycloak.client.registration.ClientRegistrationException;
 import org.keycloak.client.registration.HttpErrorException;
+import org.keycloak.models.Constants;
 import org.keycloak.representations.idm.ClientRepresentation;
 
 import javax.ws.rs.NotFoundException;
@@ -56,6 +58,23 @@ public class ClientRegistrationTest extends AbstractClientRegistrationTest {
         registerClient();
     }
 
+    @Test
+    public void registerClientInMasterRealm() throws ClientRegistrationException {
+        ClientRegistration masterReg = ClientRegistration.create().url(suiteContext.getAuthServerInfo().getContextRoot() + "/auth", "master").build();
+
+        String token = oauthClient.getToken("master", Constants.ADMIN_CLI_CLIENT_ID, null, "admin", "admin").getToken();
+        masterReg.auth(Auth.token(token));
+
+        ClientRepresentation client = new ClientRepresentation();
+        client.setClientId(CLIENT_ID);
+        client.setSecret(CLIENT_SECRET);
+
+        ClientRepresentation createdClient = masterReg.create(client);
+        assertNotNull(createdClient);
+
+        adminClient.realm("master").clients().get(createdClient.getId()).remove();
+    }
+
     @Test
     public void registerClientAsAdminWithCreateOnly() throws ClientRegistrationException {
         authCreateClients();