KEYCLOAK-3667
This commit is contained in:
Stian Thorgersen
parent
69dddfa73a
commit
3d46b4c425
3 changed files with 161 additions and 2 deletions
|
|
@ -274,6 +274,10 @@ public class UserCacheSession implements UserCache {
|
|||
}
|
||||
|
||||
protected UserModel validateCache(RealmModel realm, CachedUser cached) {
|
||||
if (!realm.getId().equals(cached.getRealm())) {
|
||||
return null;
|
||||
}
|
||||
|
||||
StorageId storageId = new StorageId(cached.getId());
|
||||
if (!storageId.isLocal()) {
|
||||
ComponentModel component = realm.getComponent(storageId.getProviderId());
|
||||
|
|
|
|||
|
|
@ -152,10 +152,10 @@ public class UsersResource {
|
|||
try {
|
||||
UserModel user = session.users().getUserById(id, realm);
|
||||
if (user == null) {
|
||||
throw new NotFoundException("User not found");
|
||||
return Response.status(Status.NOT_FOUND).build();
|
||||
}
|
||||
|
||||
Set<String> attrsToRemove;
|
||||
Set<String> attrsToRemove;
|
||||
if (rep.getAttributes() != null) {
|
||||
attrsToRemove = new HashSet<>(user.getAttributes().keySet());
|
||||
attrsToRemove.removeAll(rep.getAttributes().keySet());
|
||||
|
|
|
|||
|
|
@ -0,0 +1,155 @@
|
|||
/*
|
||||
* Copyright 2016 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.keycloak.testsuite.admin;
|
||||
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.keycloak.admin.client.Keycloak;
|
||||
import org.keycloak.admin.client.resource.RealmResource;
|
||||
import org.keycloak.common.util.Time;
|
||||
import org.keycloak.models.AdminRoles;
|
||||
import org.keycloak.models.Constants;
|
||||
import org.keycloak.representations.idm.ClientRepresentation;
|
||||
import org.keycloak.representations.idm.RealmRepresentation;
|
||||
import org.keycloak.representations.idm.RoleRepresentation;
|
||||
import org.keycloak.representations.idm.UserRepresentation;
|
||||
import org.keycloak.services.resources.admin.RealmAuth.Resource;
|
||||
import org.keycloak.testsuite.AbstractKeycloakTest;
|
||||
import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
|
||||
import org.keycloak.testsuite.util.ClientBuilder;
|
||||
import org.keycloak.testsuite.util.CredentialBuilder;
|
||||
import org.keycloak.testsuite.util.GreenMailRule;
|
||||
import org.keycloak.testsuite.util.RealmBuilder;
|
||||
import org.keycloak.testsuite.util.UserBuilder;
|
||||
|
||||
import javax.ws.rs.ClientErrorException;
|
||||
import javax.ws.rs.core.Response;
|
||||
import java.lang.reflect.Method;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.concurrent.atomic.AtomicReference;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNull;
|
||||
import static org.junit.Assert.fail;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||
*/
|
||||
public class CrossRealmPermissionsTest extends AbstractKeycloakTest {
|
||||
|
||||
private static final String REALM_NAME = "crossrealm-test";
|
||||
private static final String REALM2_NAME = "crossrealm2-test";
|
||||
|
||||
private RealmResource realm1;
|
||||
private RealmResource realm2;
|
||||
|
||||
@Rule public GreenMailRule greenMailRule = new GreenMailRule();
|
||||
|
||||
@Override
|
||||
public void addTestRealms(List<RealmRepresentation> testRealms) {
|
||||
RealmBuilder builder = RealmBuilder.create().name(REALM_NAME).testMail();
|
||||
builder.client(ClientBuilder.create().clientId("test-client").publicClient().directAccessGrants());
|
||||
|
||||
builder.user(UserBuilder.create()
|
||||
.username(AdminRoles.REALM_ADMIN)
|
||||
.role(Constants.REALM_MANAGEMENT_CLIENT_ID, AdminRoles.REALM_ADMIN)
|
||||
.addPassword("password"));
|
||||
testRealms.add(builder.build());
|
||||
|
||||
realm1 = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", REALM_NAME, AdminRoles.REALM_ADMIN, "password", "test-client", "secret").realm(REALM_NAME);
|
||||
|
||||
builder = RealmBuilder.create().name(REALM2_NAME).testMail();
|
||||
builder.client(ClientBuilder.create().clientId("test-client").publicClient().directAccessGrants());
|
||||
|
||||
builder.user(UserBuilder.create()
|
||||
.username(AdminRoles.REALM_ADMIN)
|
||||
.role(Constants.REALM_MANAGEMENT_CLIENT_ID, AdminRoles.REALM_ADMIN)
|
||||
.addPassword("password"));
|
||||
|
||||
testRealms.add(builder.build());
|
||||
|
||||
realm2 = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", REALM2_NAME, AdminRoles.REALM_ADMIN, "password", "test-client", "secret").realm(REALM2_NAME);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void users() {
|
||||
UserRepresentation user = UserBuilder.create().username("randomuser-" + Time.currentTimeMillis()).build();
|
||||
Response response = realm1.users().create(user);
|
||||
String userId = ApiUtil.getCreatedId(response);
|
||||
response.close();
|
||||
|
||||
realm1.users().get(userId).toRepresentation();
|
||||
|
||||
expectNotFound(new PermissionsTest.Invocation() {
|
||||
@Override
|
||||
public void invoke(RealmResource realm) {
|
||||
realm.users().get(userId).toRepresentation();
|
||||
}
|
||||
}, realm2);
|
||||
|
||||
expectNotFound(new PermissionsTest.Invocation() {
|
||||
@Override
|
||||
public void invoke(RealmResource realm) {
|
||||
realm.users().get(userId).update(new UserRepresentation());
|
||||
}
|
||||
}, realm2);
|
||||
|
||||
expectNotFound(new PermissionsTest.Invocation() {
|
||||
@Override
|
||||
public void invoke(RealmResource realm) {
|
||||
realm.users().get(userId).remove();
|
||||
}
|
||||
}, realm2);
|
||||
|
||||
expectNotFound(new PermissionsTest.Invocation() {
|
||||
@Override
|
||||
public void invoke(RealmResource realm) {
|
||||
realm.users().get(userId).getUserSessions();
|
||||
}
|
||||
}, realm2);
|
||||
}
|
||||
|
||||
private void expectNotFound(final PermissionsTest.Invocation invocation, RealmResource realm) {
|
||||
expectNotFound(new PermissionsTest.InvocationWithResponse() {
|
||||
public void invoke(RealmResource realm, AtomicReference<Response> response) {
|
||||
invocation.invoke(realm);
|
||||
}
|
||||
}, realm);
|
||||
}
|
||||
|
||||
private void expectNotFound(PermissionsTest.InvocationWithResponse invocation, RealmResource realm) {
|
||||
int statusCode = 0;
|
||||
try {
|
||||
AtomicReference<Response> responseReference = new AtomicReference<>();
|
||||
invocation.invoke(realm, responseReference);
|
||||
Response response = responseReference.get();
|
||||
if (response != null) {
|
||||
statusCode = response.getStatus();
|
||||
} else {
|
||||
fail("Expected failure");
|
||||
}
|
||||
} catch (ClientErrorException e) {
|
||||
statusCode = e.getResponse().getStatus();
|
||||
}
|
||||
|
||||
assertEquals(404, statusCode);
|
||||
}
|
||||
|
||||
}
|
||||
Loading…
Reference in a new issue