KEYCLOAK-2522 master realm admin can't use client registration api

This commit is contained in:
Stian Thorgersen 2016-02-25 09:54:34 +01:00
parent 14ea988b24
commit 2fce06ffca
2 changed files with 37 additions and 7 deletions


@ -17,7 +17,9 @@
package org.keycloak.services.clientregistration;
import com.sun.xml.bind.v2.runtime.reflect.opt.Const;
import org.jboss.resteasy.spi.UnauthorizedException;
import org.keycloak.Config;
import org.keycloak.common.util.Time;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
@ -28,6 +30,7 @@ import org.keycloak.util.TokenUtil;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.UriInfo;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
@ -39,6 +42,7 @@ public class ClientRegistrationAuth {
private KeycloakSession session;
private EventBuilder event;
private RealmModel realm;
private JsonWebToken jwt;
private ClientInitialAccessModel initialAccessModel;
@ -50,7 +54,7 @@ public class ClientRegistrationAuth {
}
private void init() {
RealmModel realm = session.getContext().getRealm();
realm = session.getContext().getRealm();
UriInfo uri = session.getContext().getUri();
String authorizationHeader = session.getContext().getRequestHeaders().getRequestHeaders().getFirst(HttpHeaders.AUTHORIZATION);
@ -174,18 +178,25 @@ public class ClientRegistrationAuth {
return false;
}
Map<String, List<String>> realmManagement = resourceAccess.get(Constants.REALM_MANAGEMENT_CLIENT_ID);
if (realmManagement == null) {
return false;
List<String> roles = null;
Map<String, List<String>> map;
if (realm.getName().equals(Config.getAdminRealm())) {
map = resourceAccess.get(realm.getMasterAdminClient().getClientId());
} else {
map = resourceAccess.get(Constants.REALM_MANAGEMENT_CLIENT_ID);
}
List<String> resources = realmManagement.get("roles");
if (resources == null) {
if (map != null) {
roles = map.get("roles");
}
if (roles == null) {
return false;
}
for (String r : role) {
if (resources.contains(r)) {
if (roles.contains(r)) {
return true;
}
}
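Review bot: The first hunk (@ -17,7 +17,9) adds `import com.sun.xml.bind.v2.runtime.reflect.opt.Const;`, which nothing in the shown code uses and which names an internal JAXB reference-implementation class; it looks like an IDE auto-import picked up while typing `Constants`, and it ties compilation of this class to the JAXB RI being on the classpath. Drop that line and keep only the `import org.keycloak.Config;` that the new role lookup actually needs. In the last hunk the master-realm branch would read more easily with a one-line comment above the `if (realm.getName().equals(Config.getAdminRealm()))` check, e.g. `// admin-realm users carry their admin roles on the master admin client, not on realm-management`, since the reason for the two lookups is otherwise only recoverable from the commit title. The method containing that hunk starts outside the hunk and, judging by the hunk header's line counts, its closing lines are also not shown here.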


@ -19,8 +19,10 @@ package org.keycloak.testsuite.client;
import org.junit.Test;
import org.keycloak.client.registration.Auth;
import org.keycloak.client.registration.ClientRegistration;
import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.client.registration.HttpErrorException;
import org.keycloak.models.Constants;
import org.keycloak.representations.idm.ClientRepresentation;
import javax.ws.rs.NotFoundException;
@ -56,6 +58,23 @@ public class ClientRegistrationTest extends AbstractClientRegistrationTest {
registerClient();
}
@Test
public void registerClientInMasterRealm() throws ClientRegistrationException {
ClientRegistration masterReg = ClientRegistration.create().url(suiteContext.getAuthServerInfo().getContextRoot() + "/auth", "master").build();
String token = oauthClient.getToken("master", Constants.ADMIN_CLI_CLIENT_ID, null, "admin", "admin").getToken();
masterReg.auth(Auth.token(token));
ClientRepresentation client = new ClientRepresentation();
client.setClientId(CLIENT_ID);
client.setSecret(CLIENT_SECRET);
ClientRepresentation createdClient = masterReg.create(client);
assertNotNull(createdClient);
adminClient.realm("master").clients().get(createdClient.getId()).remove();
}
@Test
public void registerClientAsAdminWithCreateOnly() throws ClientRegistrationException {
authCreateClients();