From 45424e5ebaed0b5175b2867c5ad40c9fa9852f95 Mon Sep 17 00:00:00 2001
From: Stian Thorgersen
Date: Fri, 15 Nov 2013 12:43:17 +0000
Subject: [PATCH] Removed '*' role
---
 .../META-INF/resources/admin/js/app.js | 22 +++++++---
 .../resources/admin/js/controllers/realm.js | 3 +-
 .../partials/application-scope-mappings.html | 2 +-
 .../idm/ApplicationRepresentation.java | 9 ----
 .../main/resources/META-INF/testrealm.json | 2 -
 .../main/resources/META-INF/testrealm.json | 2 -
 examples/js/testrealm.json | 1 -
 .../java/org/keycloak/models/Constants.java | 3 --
 .../org/keycloak/models/jpa/RealmAdapter.java | 2 -
 .../mongo/keycloak/adapters/RealmAdapter.java | 2 -
 .../models/picketlink/RealmAdapter.java | 2 -
 .../services/managers/ApplicationManager.java | 1 -
 .../services/managers/RealmManager.java | 13 ++++--
 .../services/managers/TokenManager.java | 44 +++++++------------
 .../java/org/keycloak/test/AdapterTest.java | 2 +-
 .../java/org/keycloak/test/ImportTest.java | 3 +-
 .../src/test/resources/testrealm-demo.json | 2 -
 services/src/test/resources/testrealm.json | 6 ---
 .../org/keycloak/testsuite/OAuthClient.java | 4 ++
 .../testsuite/oauth/AccessTokenTest.java | 3 ++
 .../src/test/resources/testrealm.json | 5 ++-
 21 files changed, 56 insertions(+), 77 deletions(-)
diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js b/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js
index 439cff4fc0..34a20d62dd 100755
--- a/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/js/app.js
@@ -489,16 +489,28 @@ module.filter('remove', function() { for ( var i = 0; i < input.length; i++) { var e = input[i]; - for (var j = 0; j < remove.length; j++) { + if (Array.isArray(remove)) { + for (var j = 0; j < remove.length; j++) { + if (attribute) { + if (remove[j][attribute] == e[attribute]) { + e = null; + break; + } + } else { + if (remove[j] == e) { + e = null; + break; + } + } + } + } else { if (attribute) { - if (remove[j][attribute] == e[attribute]) { + if (remove[attribute] == e[attribute]) { e = null; - break; } } else { - if (remove[j] == e) { + if (remove == e) { e = null; - break; } } } diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/realm.js b/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/realm.js index 19a08cf548..410d3243f9 100755 --- a/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/realm.js +++ b/admin-ui/src/main/resources/META-INF/resources/admin/js/controllers/realm.js @@ -208,7 +208,6 @@ module.controller('RealmRequiredCredentialsCtrl', function($scope, Realm, realm, module.controller('RealmRegistrationCtrl', function ($scope, Realm, realm, applications, roles, Notifications, ApplicationRole, Application) { console.log('RealmRegistrationCtrl'); - var systemRoles = ["*", "KEYCLOAK_APPLICATION", "KEYCLOAK_IDENTITY_REQUESTER"]; $scope.realm = realm; @@ -230,7 +229,7 @@ module.controller('RealmRegistrationCtrl', function ($scope, Realm, realm, appli for (var i = 0; i < roles.length; i++) { var item = roles[i].name; - if ((systemRoles.indexOf(item) < 0) && ($scope.realm.defaultRoles.indexOf(item) < 0)) { + if ($scope.realm.defaultRoles.indexOf(item) < 0) { $scope.availableRealmRoles.push(item); } } diff --git a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-scope-mappings.html b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-scope-mappings.html index 6ca4b0be39..ebabbd95b5 100755 
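Review bot: The added else-branch compares with loose equality, `remove[attribute] == e[attribute]` and `remove == e`, so values of different types that coerce equal (a numeric id and its string form, for instance) are treated as a match; since the array branch is being rewritten in the same hunk, both should move to `===`. The single-value branch also duplicates the whole comparison block of the array branch; normalising the argument once, `var toRemove = Array.isArray(remove) ? remove : [remove];`, and keeping the original inner loop over `toRemove` removes the duplication and leaves only one place to get the comparison right. The enclosing filter function starts and ends outside the hunk.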
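Review bot: Removing the `systemRoles` check from the condition before `$scope.availableRealmRoles.push(item)` drops more than the `*` role: the two other names the deleted list held, `KEYCLOAK_APPLICATION` and `KEYCLOAK_IDENTITY_REQUESTER`, are still created by `RealmManager.createRealm` in this same commit, so they now appear as selectable default roles and an administrator could hand an internal role to every self-registered user. Keep the exclusion for the remaining internal roles, `var systemRoles = ["KEYCLOAK_APPLICATION", "KEYCLOAK_IDENTITY_REQUESTER"];`, and restore `(systemRoles.indexOf(item) < 0) &&` in the condition. The controller body continues outside the hunk.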
--- a/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-scope-mappings.html
+++ b/admin-ui/src/main/resources/META-INF/resources/admin/partials/application-scope-mappings.html
@@ -56,7 +56,7 @@
-
diff --git a/core/src/main/java/org/keycloak/representations/idm/ApplicationRepresentation.java b/core/src/main/java/org/keycloak/representations/idm/ApplicationRepresentation.java index 59347ca49c..bab05a0bec 100755 --- a/core/src/main/java/org/keycloak/representations/idm/ApplicationRepresentation.java +++ b/core/src/main/java/org/keycloak/representations/idm/ApplicationRepresentation.java @@ -14,7 +14,6 @@ public class ApplicationRepresentation { protected String adminUrl; protected String baseUrl; protected boolean surrogateAuthRequired; - protected boolean useRealmMappings; protected boolean enabled; protected List credentials; protected List roles; @@ -142,14 +141,6 @@ public class ApplicationRepresentation { return this; } - public boolean isUseRealmMappings() { - return useRealmMappings; - } - - public void setUseRealmMappings(boolean useRealmMappings) { - this.useRealmMappings = useRealmMappings; - } - public List getRedirectUris() { return redirectUris; } diff --git a/examples/as7-eap-demo/server/src/main/resources/META-INF/testrealm.json b/examples/as7-eap-demo/server/src/main/resources/META-INF/testrealm.json index c30c9636b0..cc267ee647 100755 --- a/examples/as7-eap-demo/server/src/main/resources/META-INF/testrealm.json +++ b/examples/as7-eap-demo/server/src/main/resources/META-INF/testrealm.json @@ -65,7 +65,6 @@ "name": "customer-portal", "enabled": true, "adminUrl": "http://localhost:8080/customer-portal/j_admin_request", - "useRealmMappings": true, "credentials": [ { "type": "password", @@ -77,7 +76,6 @@ "name": "product-portal", "enabled": true, "adminUrl": "http://localhost:8080/product-portal/j_admin_request", - "useRealmMappings": true, "credentials": [ { "type": "password", diff --git a/examples/as7-eap-dev/server/src/main/resources/META-INF/testrealm.json b/examples/as7-eap-dev/server/src/main/resources/META-INF/testrealm.json index b289fcfc2f..888a518809 100755 --- a/examples/as7-eap-dev/server/src/main/resources/META-INF/testrealm.json 
+++ b/examples/as7-eap-dev/server/src/main/resources/META-INF/testrealm.json @@ -65,7 +65,6 @@ "name": "customer-portal", "enabled": true, "adminUrl": "http://localhost:8080/customer-portal/j_admin_request", - "useRealmMappings": true, "webOrigins" : [ "http://localhost1:8080"], "credentials": [ { @@ -78,7 +77,6 @@ "name": "product-portal", "enabled": true, "adminUrl": "http://localhost:8080/product-portal/j_admin_request", - "useRealmMappings": true, "credentials": [ { "type": "password", diff --git a/examples/js/testrealm.json b/examples/js/testrealm.json index 38225c618c..ee72300039 100755 --- a/examples/js/testrealm.json +++ b/examples/js/testrealm.json @@ -48,7 +48,6 @@ "name": "test-app", "enabled": true, "adminUrl": "http://localhost:8081/app/logout", - "useRealmMappings": true, "webOrigins": [ "http://localhost", "http://localhost:8000", "http://localhost:8080" ], "credentials": [ { diff --git a/model/api/src/main/java/org/keycloak/models/Constants.java b/model/api/src/main/java/org/keycloak/models/Constants.java index 53f0813f17..fb29037288 100755 --- a/model/api/src/main/java/org/keycloak/models/Constants.java +++ b/model/api/src/main/java/org/keycloak/models/Constants.java @@ -11,11 +11,8 @@ public interface Constants { String ADMIN_CONSOLE_ADMIN_ROLE = "admin"; String APPLICATION_ROLE = INTERNAL_ROLE + "_APPLICATION"; String IDENTITY_REQUESTER_ROLE = INTERNAL_ROLE + "_IDENTITY_REQUESTER"; - String WILDCARD_ROLE = "*"; String ACCOUNT_APPLICATION = "Account"; String ACCOUNT_PROFILE_ROLE = "view-profile"; String ACCOUNT_MANAGE_ROLE = "manage-account"; - - String ACCOUNT_MANAGEMENT_APPLICATION = "Account Management"; } diff --git a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java index 0d4813a76d..9cf12e0b78 100755 --- a/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java +++ b/model/jpa/src/main/java/org/keycloak/models/jpa/RealmAdapter.java 
@@ -568,8 +568,6 @@ public class RealmAdapter implements RealmModel { em.persist(applicationData); em.flush(); ApplicationModel resource = new ApplicationAdapter(em, applicationData); - resource.addRole("*"); - resource.addScopeMapping(new UserAdapter(user), "*"); em.flush(); return resource; } diff --git a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java index 391334a8c5..7d4aa72690 100755 --- a/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java +++ b/model/mongo/src/main/java/org/keycloak/models/mongo/keycloak/adapters/RealmAdapter.java @@ -451,8 +451,6 @@ public class RealmAdapter implements RealmModel { noSQL.saveObject(appData); ApplicationModel resource = new ApplicationAdapter(appData, noSQL); - resource.addRole("*"); - resource.addScopeMapping(resourceUser, "*"); return resource; } diff --git a/model/picketlink/src/main/java/org/keycloak/models/picketlink/RealmAdapter.java b/model/picketlink/src/main/java/org/keycloak/models/picketlink/RealmAdapter.java index 83a60474fb..9fb4eecde8 100755 --- a/model/picketlink/src/main/java/org/keycloak/models/picketlink/RealmAdapter.java +++ b/model/picketlink/src/main/java/org/keycloak/models/picketlink/RealmAdapter.java @@ -625,8 +625,6 @@ public class RealmAdapter implements RealmModel { resourceRelationship.setApplication(applicationData.getName()); getRelationshipManager().add(resourceRelationship); ApplicationModel resource = new ApplicationAdapter(applicationData, this, partitionManager); - resource.addRole("*"); - resource.addScopeMapping(new UserAdapter(resourceUser, idm), "*"); return resource; } diff --git a/services/src/main/java/org/keycloak/services/managers/ApplicationManager.java b/services/src/main/java/org/keycloak/services/managers/ApplicationManager.java index 67a8286fde..6b97269212 100755 
--- a/services/src/main/java/org/keycloak/services/managers/ApplicationManager.java +++ b/services/src/main/java/org/keycloak/services/managers/ApplicationManager.java @@ -102,7 +102,6 @@ public class ApplicationManager { } } } - if (resourceRep.isUseRealmMappings()) realm.addScopeMapping(applicationModel.getApplicationUser(), "*"); return applicationModel; } diff --git a/services/src/main/java/org/keycloak/services/managers/RealmManager.java b/services/src/main/java/org/keycloak/services/managers/RealmManager.java index d0422703f9..6c72da6619 100755 --- a/services/src/main/java/org/keycloak/services/managers/RealmManager.java +++ b/services/src/main/java/org/keycloak/services/managers/RealmManager.java @@ -68,7 +68,6 @@ public class RealmManager { public RealmModel createRealm(String id, String name) { RealmModel realm = identitySession.createRealm(id, name); realm.setName(name); - realm.addRole(Constants.WILDCARD_ROLE); realm.addRole(Constants.APPLICATION_ROLE); realm.addRole(Constants.IDENTITY_REQUESTER_ROLE); return realm; @@ -245,7 +244,10 @@ public class RealmManager { } if (rep.getApplications() != null) { - createApplications(rep, newRealm); + Map appMap = createApplications(rep, newRealm); + for (ApplicationModel app : appMap.values()) { + userMap.put(app.getApplicationUser().getLoginName(), app.getApplicationUser()); + } } if (rep.getRoleMappings() != null) { 
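Review bot: The loop added after `createApplications` stores each application user in `userMap` keyed by `getLoginName()`, and `Map.put` silently replaces an existing entry, so if `userMap` has already been filled from the representation's users (that code is outside the hunk) a user whose login name equals an application name would be overwritten and any later role or scope mapping for that name would bind to the wrong principal. Since the realm import is the one place this ambiguity can be caught, reject it instead of overwriting: `String loginName = app.getApplicationUser().getLoginName();` followed by `if (userMap.put(loginName, app.getApplicationUser()) != null) throw new IllegalStateException("login name used by both a user and an application: " + loginName);`. The same silent-overwrite pattern applies to `appMap.put(app.getName(), app)` in the `createApplications` hunk that follows. The enclosing import method starts and ends outside the hunk.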
@@ -406,12 +408,15 @@ public class RealmManager { } - protected void createApplications(RealmRepresentation rep, RealmModel realm) { + protected Map createApplications(RealmRepresentation rep, RealmModel realm) { + Map appMap = new HashMap(); RoleModel loginRole = realm.getRole(Constants.APPLICATION_ROLE); ApplicationManager manager = new ApplicationManager(this); for (ApplicationRepresentation resourceRep : rep.getApplications()) { - manager.createApplication(realm, loginRole, resourceRep); + ApplicationModel app = manager.createApplication(realm, loginRole, resourceRep); + appMap.put(app.getName(), app); } + return appMap; } public static UserRepresentation toRepresentation(UserModel user) { diff --git a/services/src/main/java/org/keycloak/services/managers/TokenManager.java b/services/src/main/java/org/keycloak/services/managers/TokenManager.java index 1fe7768f17..689139e525 100755 --- a/services/src/main/java/org/keycloak/services/managers/TokenManager.java +++ b/services/src/main/java/org/keycloak/services/managers/TokenManager.java @@ -46,6 +46,8 @@ public class TokenManager { public AccessCodeEntry createAccessCode(String scopeParam, String state, String redirect, RealmModel realm, UserModel client, UserModel user) { + boolean applicationResource = realm.hasRole(client, realm.getRole(Constants.APPLICATION_ROLE)); + AccessCodeEntry code = new AccessCodeEntry(); SkeletonKeyScope scopeMap = null; if (scopeParam != null) scopeMap = decodeScope(scopeParam); 
@@ -56,42 +58,26 @@ public class TokenManager { if (realmMapping != null && realmMapping.size() > 0 && (scopeMap == null || scopeMap.containsKey("realm"))) { Set scope = realm.getScopeMappingValues(client); if (scope.size() > 0) { - Set scopeRequest = null; - if (scopeMap != null) { - if (scopeRequest == null) { - scopeRequest = new HashSet(); - } - scopeRequest.addAll(scopeMap.get("realm")); - if (scopeRequest.contains(Constants.WILDCARD_ROLE)) scopeRequest = null; - } + Set scopeRequest = scopeMap != null ? new HashSet(scopeMap.get("realm")) : null; for (String role : realmMapping) { - if ( - (scopeRequest == null || scopeRequest.contains(role)) && - (scope.contains("*") || scope.contains(role)) - ) + if ((scopeRequest == null || scopeRequest.contains(role)) && scope.contains(role)) realmRolesRequested.add(realm.getRole(role)); } } } for (ApplicationModel resource : realm.getApplications()) { - Set mapping = resource.getRoleMappingValues(user); - if (mapping != null && mapping.size() > 0 && (scopeMap == null || scopeMap.containsKey(resource.getName()))) { - Set scope = resource.getScopeMappingValues(client); - if (scope.size() > 0) { - Set scopeRequest = null; - if (scopeMap != null) { - if (scopeRequest == null) { - scopeRequest = new HashSet(); + if (applicationResource && resource.getApplicationUser().getLoginName().equals(client.getLoginName())) { + resourceRolesRequested.addAll(resource.getName(), resource.getRoles()); + } else { + Set mapping = resource.getRoleMappingValues(user); + if (mapping != null && mapping.size() > 0 && (scopeMap == null || scopeMap.containsKey(resource.getName()))) { + Set scope = resource.getScopeMappingValues(client); + if (scope.size() > 0) { + Set scopeRequest = scopeMap != null ? 
new HashSet(scopeMap.get(resource.getName())) : null; + for (String role : mapping) { + if ((scopeRequest == null || scopeRequest.contains(role)) && scope.contains(role)) + resourceRolesRequested.add(resource.getName(), resource.getRole(role)); } - scopeRequest.addAll(scopeMap.get(resource.getName())); - if (scopeRequest.contains(Constants.WILDCARD_ROLE)) scopeRequest = null; - } - for (String role : mapping) { - if ( - (scopeRequest == null || scopeRequest.contains(role)) && - (scope.contains("*") || scope.contains(role)) - ) - resourceRolesRequested.add(resource.getName(), resource.getRole(role)); } } } diff --git a/services/src/test/java/org/keycloak/test/AdapterTest.java b/services/src/test/java/org/keycloak/test/AdapterTest.java index ce44f4c479..fff9532566 100755 --- a/services/src/test/java/org/keycloak/test/AdapterTest.java +++ b/services/src/test/java/org/keycloak/test/AdapterTest.java @@ -350,7 +350,7 @@ public class AdapterTest extends AbstractKeycloakTest { realmModel.addRole("admin"); realmModel.addRole("user"); List roles = realmModel.getRoles(); - Assert.assertEquals(6, roles.size()); + Assert.assertEquals(5, roles.size()); UserModel user = realmModel.addUser("bburke"); RoleModel role = realmModel.getRole("user"); realmModel.grantRole(user, role); diff --git a/services/src/test/java/org/keycloak/test/ImportTest.java b/services/src/test/java/org/keycloak/test/ImportTest.java index 9bd13f9578..2645f6d2a5 100755 --- a/services/src/test/java/org/keycloak/test/ImportTest.java +++ b/services/src/test/java/org/keycloak/test/ImportTest.java 
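Review bot: In the new `applicationResource` branch, `resourceRolesRequested.addAll(resource.getName(), resource.getRoles())` adds whatever `getRoles()` returns for the application, whereas the else-branch and the realm block above it only add roles that are present in the user's mapping (`resource.getRoleMappingValues(user)`) and allowed by the scope request. If `getRoles()` returns every role defined on the application, as its name suggests, an access code issued to the application on behalf of a user who holds none of those roles still asserts all of them, and the `scope` parameter can no longer narrow the grant; the assertions added to AccessTokenTest in this commit would not detect that if `test-app` defines a single role. The user mapping should remain the source of truth even when the client is the application itself and the scope-mapping check is intentionally skipped. Matching the client by `getLoginName()` rather than by identity is presumably acceptable if login names are unique within a realm. `createAccessCode`'s body continues past the hunk.
```java
if (applicationResource && resource.getApplicationUser().getLoginName().equals(client.getLoginName())) {
    // The application's own client receives the user's roles in that application without a scope mapping,
    // but still only the roles the user actually holds.
    Set mapping = resource.getRoleMappingValues(user);
    if (mapping != null) {
        for (String role : mapping) {
            resourceRolesRequested.add(resource.getName(), resource.getRole(role));
        }
    }
} else {
    // … unchanged: scope-mapped role resolution for third-party clients …
}
```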
@@ -50,8 +50,7 @@ public class ImportTest extends AbstractKeycloakTest { UserModel user = realm.getUser("loginclient"); Assert.assertNotNull(user); Set scopes = realm.getScopeMappingValues(user); - System.out.println("Scopes size: " + scopes.size()); - Assert.assertTrue(scopes.contains("*")); + Assert.assertEquals(0, scopes.size()); Assert.assertEquals(0, realm.getSocialLinks(user).size()); List resources = realm.getApplications(); diff --git a/services/src/test/resources/testrealm-demo.json b/services/src/test/resources/testrealm-demo.json index 75173d741c..9e96d211f6 100755 --- a/services/src/test/resources/testrealm-demo.json +++ b/services/src/test/resources/testrealm-demo.json @@ -62,7 +62,6 @@ "name": "customer-portal", "enabled": true, "adminUrl": "http://localhost:8080/customer-portal/j_admin_request", - "useRealmMappings": true, "credentials": [ { "type": "totp", @@ -75,7 +74,6 @@ "name": "product-portal", "enabled": true, "adminUrl": "http://localhost:8080/product-portal/j_admin_request", - "useRealmMappings": true, "credentials": [ { "type": "totp", diff --git a/services/src/test/resources/testrealm.json b/services/src/test/resources/testrealm.json index cfe52159d4..d21823af66 100755 --- a/services/src/test/resources/testrealm.json +++ b/services/src/test/resources/testrealm.json @@ -64,12 +64,6 @@ "roles": ["admin"] } ], - "scopeMappings": [ - { - "username": "loginclient", - "roles": ["*"] - } - ], "socialMappings": [ { "username": "mySocialUser", diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java index c69208f3e1..5b1118fc98 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/OAuthClient.java 
@@ -145,6 +145,10 @@ public class OAuthClient { } } + public String getClientId() { + return clientId; + } + public String getCurrentRequest() { return driver.getCurrentUrl().substring(0, driver.getCurrentUrl().indexOf('?')); } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java index b5048521e1..0b25e485a5 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/oauth/AccessTokenTest.java @@ -73,6 +73,9 @@ public class AccessTokenTest { Assert.assertEquals(1, token.getRealmAccess().getRoles().size()); Assert.assertTrue(token.getRealmAccess().isUserInRole("user")); + + Assert.assertEquals(1, token.getResourceAccess(oauth.getClientId()).getRoles().size()); + Assert.assertTrue(token.getResourceAccess(oauth.getClientId()).isUserInRole("customer-user")); } } diff --git a/testsuite/integration/src/test/resources/testrealm.json b/testsuite/integration/src/test/resources/testrealm.json index 6ed49493b5..112b8ce50c 100755 --- a/testsuite/integration/src/test/resources/testrealm.json +++ b/testsuite/integration/src/test/resources/testrealm.json @@ -62,6 +62,10 @@ { "username": "third-party", "roles": ["user"] + }, + { + "username": "test-app", + "roles": ["user"] } ], "applications": [ @@ -69,7 +73,6 @@ "name": "test-app", "enabled": true, "adminUrl": "http://localhost:8081/app/logout", - "useRealmMappings": true, "credentials": [ { "type": "password",