Removed '*' role

This commit is contained in:
Stian Thorgersen 2013-11-15 12:43:17 +00:00
parent a923f44619
commit 45424e5eba
21 changed files with 56 additions and 77 deletions


@ -489,16 +489,28 @@ module.filter('remove', function() {
for ( var i = 0; i < input.length; i++) { for ( var i = 0; i < input.length; i++) {
var e = input[i]; var e = input[i];
for (var j = 0; j < remove.length; j++) { if (Array.isArray(remove)) {
for (var j = 0; j < remove.length; j++) {
if (attribute) {
if (remove[j][attribute] == e[attribute]) {
e = null;
break;
}
} else {
if (remove[j] == e) {
e = null;
break;
}
}
}
} else {
if (attribute) { if (attribute) {
if (remove[j][attribute] == e[attribute]) { if (remove[attribute] == e[attribute]) {
e = null; e = null;
break;
} }
} else { } else {
if (remove[j] == e) { if (remove == e) {
e = null; e = null;
break;
} }
} }
} }
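Review bot: The new non-array branch dereferences `remove[attribute]` (and compares `remove == e`) without checking that `remove` is set, so the filter throws if it is invoked with an unresolved value; the template change later in this commit passes `application` as that argument, and if that scope value can be undefined while the select renders, the filter fails on every digest. A guard at the top of the filter function, `if (remove === undefined || remove === null) { return input; }`, keeps the behaviour for real arrays and objects unchanged. The loose `==` comparisons are carried over from the old code; `===` would avoid coercing ids of differing types. The filter function begins and ends outside this hunk.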


@ -208,7 +208,6 @@ module.controller('RealmRequiredCredentialsCtrl', function($scope, Realm, realm,
module.controller('RealmRegistrationCtrl', function ($scope, Realm, realm, applications, roles, Notifications, ApplicationRole, Application) { module.controller('RealmRegistrationCtrl', function ($scope, Realm, realm, applications, roles, Notifications, ApplicationRole, Application) {
console.log('RealmRegistrationCtrl'); console.log('RealmRegistrationCtrl');
var systemRoles = ["*", "KEYCLOAK_APPLICATION", "KEYCLOAK_IDENTITY_REQUESTER"];
$scope.realm = realm; $scope.realm = realm;
@ -230,7 +229,7 @@ module.controller('RealmRegistrationCtrl', function ($scope, Realm, realm, appli
for (var i = 0; i < roles.length; i++) { for (var i = 0; i < roles.length; i++) {
var item = roles[i].name; var item = roles[i].name;
if ((systemRoles.indexOf(item) < 0) && ($scope.realm.defaultRoles.indexOf(item) < 0)) { if ($scope.realm.defaultRoles.indexOf(item) < 0) {
$scope.availableRealmRoles.push(item); $scope.availableRealmRoles.push(item);
} }
} }
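Review bot: Dropping the whole `systemRoles` filter from the condition at the end of the hunk also stops hiding `KEYCLOAK_APPLICATION` and `KEYCLOAK_IDENTITY_REQUESTER`, which this commit still creates in `RealmManager.createRealm`; the registration screen appears to build the list of roles that can be handed to self-registered users, and those internal roles will now be offered there. Only the `"*"` entry needed to go: keep `var systemRoles = ["KEYCLOAK_APPLICATION", "KEYCLOAK_IDENTITY_REQUESTER"];` and the condition `if ((systemRoles.indexOf(item) < 0) && ($scope.realm.defaultRoles.indexOf(item) < 0)) {`. The controller function continues outside the hunk.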


@ -56,7 +56,7 @@
<label for="applications">Application</label> <label for="applications">Application</label>
<div class="input-group"> <div class="input-group">
<div class="select-rcue"> <div class="select-rcue">
<select id="applications" name="applications" ng-change="changeApplication()" ng-model="targetApp" ng-options="a.name for a in applications"> <select id="applications" name="applications" ng-change="changeApplication()" ng-model="targetApp" ng-options="a.name for a in (applications|remove:application:'id')">
<option value="" selected> Select an Application </option> <option value="" selected> Select an Application </option>
</select> </select>
</div> </div>


@ -14,7 +14,6 @@ public class ApplicationRepresentation {
protected String adminUrl; protected String adminUrl;
protected String baseUrl; protected String baseUrl;
protected boolean surrogateAuthRequired; protected boolean surrogateAuthRequired;
protected boolean useRealmMappings;
protected boolean enabled; protected boolean enabled;
protected List<CredentialRepresentation> credentials; protected List<CredentialRepresentation> credentials;
protected List<RoleRepresentation> roles; protected List<RoleRepresentation> roles;
@ -142,14 +141,6 @@ public class ApplicationRepresentation {
return this; return this;
} }
public boolean isUseRealmMappings() {
return useRealmMappings;
}
public void setUseRealmMappings(boolean useRealmMappings) {
this.useRealmMappings = useRealmMappings;
}
public List<String> getRedirectUris() { public List<String> getRedirectUris() {
return redirectUris; return redirectUris;
} }
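Review bot: Removing `useRealmMappings` from the representation without a replacement means any existing realm export that still carries `"useRealmMappings"` (this commit strips it only from the bundled example and test files) is rejected on import if the JSON mapper runs in its default fail-on-unknown-property mode; the mapper configuration is not visible from here. If old files must keep importing, retain a deprecated no-op setter such as `@Deprecated public void setUseRealmMappings(boolean ignored) { /* no longer used */ }`, or configure the mapper to ignore unknown properties, and call the removal out in the release notes.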


@ -65,7 +65,6 @@
"name": "customer-portal", "name": "customer-portal",
"enabled": true, "enabled": true,
"adminUrl": "http://localhost:8080/customer-portal/j_admin_request", "adminUrl": "http://localhost:8080/customer-portal/j_admin_request",
"useRealmMappings": true,
"credentials": [ "credentials": [
{ {
"type": "password", "type": "password",
@ -77,7 +76,6 @@
"name": "product-portal", "name": "product-portal",
"enabled": true, "enabled": true,
"adminUrl": "http://localhost:8080/product-portal/j_admin_request", "adminUrl": "http://localhost:8080/product-portal/j_admin_request",
"useRealmMappings": true,
"credentials": [ "credentials": [
{ {
"type": "password", "type": "password",


@ -65,7 +65,6 @@
"name": "customer-portal", "name": "customer-portal",
"enabled": true, "enabled": true,
"adminUrl": "http://localhost:8080/customer-portal/j_admin_request", "adminUrl": "http://localhost:8080/customer-portal/j_admin_request",
"useRealmMappings": true,
"webOrigins" : [ "http://localhost1:8080"], "webOrigins" : [ "http://localhost1:8080"],
"credentials": [ "credentials": [
{ {
@ -78,7 +77,6 @@
"name": "product-portal", "name": "product-portal",
"enabled": true, "enabled": true,
"adminUrl": "http://localhost:8080/product-portal/j_admin_request", "adminUrl": "http://localhost:8080/product-portal/j_admin_request",
"useRealmMappings": true,
"credentials": [ "credentials": [
{ {
"type": "password", "type": "password",


@ -48,7 +48,6 @@
"name": "test-app", "name": "test-app",
"enabled": true, "enabled": true,
"adminUrl": "http://localhost:8081/app/logout", "adminUrl": "http://localhost:8081/app/logout",
"useRealmMappings": true,
"webOrigins": [ "http://localhost", "http://localhost:8000", "http://localhost:8080" ], "webOrigins": [ "http://localhost", "http://localhost:8000", "http://localhost:8080" ],
"credentials": [ "credentials": [
{ {


@ -11,11 +11,8 @@ public interface Constants {
String ADMIN_CONSOLE_ADMIN_ROLE = "admin"; String ADMIN_CONSOLE_ADMIN_ROLE = "admin";
String APPLICATION_ROLE = INTERNAL_ROLE + "_APPLICATION"; String APPLICATION_ROLE = INTERNAL_ROLE + "_APPLICATION";
String IDENTITY_REQUESTER_ROLE = INTERNAL_ROLE + "_IDENTITY_REQUESTER"; String IDENTITY_REQUESTER_ROLE = INTERNAL_ROLE + "_IDENTITY_REQUESTER";
String WILDCARD_ROLE = "*";
String ACCOUNT_APPLICATION = "Account"; String ACCOUNT_APPLICATION = "Account";
String ACCOUNT_PROFILE_ROLE = "view-profile"; String ACCOUNT_PROFILE_ROLE = "view-profile";
String ACCOUNT_MANAGE_ROLE = "manage-account"; String ACCOUNT_MANAGE_ROLE = "manage-account";
String ACCOUNT_MANAGEMENT_APPLICATION = "Account Management";
} }


@ -568,8 +568,6 @@ public class RealmAdapter implements RealmModel {
em.persist(applicationData); em.persist(applicationData);
em.flush(); em.flush();
ApplicationModel resource = new ApplicationAdapter(em, applicationData); ApplicationModel resource = new ApplicationAdapter(em, applicationData);
resource.addRole("*");
resource.addScopeMapping(new UserAdapter(user), "*");
em.flush(); em.flush();
return resource; return resource;
} }


@ -451,8 +451,6 @@ public class RealmAdapter implements RealmModel {
noSQL.saveObject(appData); noSQL.saveObject(appData);
ApplicationModel resource = new ApplicationAdapter(appData, noSQL); ApplicationModel resource = new ApplicationAdapter(appData, noSQL);
resource.addRole("*");
resource.addScopeMapping(resourceUser, "*");
return resource; return resource;
} }


@ -625,8 +625,6 @@ public class RealmAdapter implements RealmModel {
resourceRelationship.setApplication(applicationData.getName()); resourceRelationship.setApplication(applicationData.getName());
getRelationshipManager().add(resourceRelationship); getRelationshipManager().add(resourceRelationship);
ApplicationModel resource = new ApplicationAdapter(applicationData, this, partitionManager); ApplicationModel resource = new ApplicationAdapter(applicationData, this, partitionManager);
resource.addRole("*");
resource.addScopeMapping(new UserAdapter(resourceUser, idm), "*");
return resource; return resource;
} }


@ -102,7 +102,6 @@ public class ApplicationManager {
} }
} }
} }
if (resourceRep.isUseRealmMappings()) realm.addScopeMapping(applicationModel.getApplicationUser(), "*");
return applicationModel; return applicationModel;
} }


@ -68,7 +68,6 @@ public class RealmManager {
public RealmModel createRealm(String id, String name) { public RealmModel createRealm(String id, String name) {
RealmModel realm = identitySession.createRealm(id, name); RealmModel realm = identitySession.createRealm(id, name);
realm.setName(name); realm.setName(name);
realm.addRole(Constants.WILDCARD_ROLE);
realm.addRole(Constants.APPLICATION_ROLE); realm.addRole(Constants.APPLICATION_ROLE);
realm.addRole(Constants.IDENTITY_REQUESTER_ROLE); realm.addRole(Constants.IDENTITY_REQUESTER_ROLE);
return realm; return realm;
@ -245,7 +244,10 @@ public class RealmManager {
} }
if (rep.getApplications() != null) { if (rep.getApplications() != null) {
createApplications(rep, newRealm); Map<String, ApplicationModel> appMap = createApplications(rep, newRealm);
for (ApplicationModel app : appMap.values()) {
userMap.put(app.getApplicationUser().getLoginName(), app.getApplicationUser());
}
} }
if (rep.getRoleMappings() != null) { if (rep.getRoleMappings() != null) {
@ -406,12 +408,15 @@ public class RealmManager {
} }
protected void createApplications(RealmRepresentation rep, RealmModel realm) { protected Map<String, ApplicationModel> createApplications(RealmRepresentation rep, RealmModel realm) {
Map<String, ApplicationModel> appMap = new HashMap<String, ApplicationModel>();
RoleModel loginRole = realm.getRole(Constants.APPLICATION_ROLE); RoleModel loginRole = realm.getRole(Constants.APPLICATION_ROLE);
ApplicationManager manager = new ApplicationManager(this); ApplicationManager manager = new ApplicationManager(this);
for (ApplicationRepresentation resourceRep : rep.getApplications()) { for (ApplicationRepresentation resourceRep : rep.getApplications()) {
manager.createApplication(realm, loginRole, resourceRep); ApplicationModel app = manager.createApplication(realm, loginRole, resourceRep);
appMap.put(app.getName(), app);
} }
return appMap;
} }
public static UserRepresentation toRepresentation(UserModel user) { public static UserRepresentation toRepresentation(UserModel user) {
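Review bot: `userMap.put(app.getApplicationUser().getLoginName(), ...)` in the import loop silently overwrites any entry already keyed by that login name, and `appMap.put(app.getName(), app)` in `createApplications` does the same for duplicate application names, so an import file that defines a user and an application with the same name ends up with whichever was processed last receiving the role mappings; which side wins is not visible from the hunk. Rejecting the collision is cheap: `if (userMap.containsKey(loginName)) throw new IllegalStateException("duplicate login name in import: " + loginName);` before the put. `createApplications` also changed from `void` to returning a map, so a Javadoc line such as `@return the created applications keyed by application name` would help, and any subclass overriding the old signature no longer compiles. The method around the second hunk starts and ends outside the hunk.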


@ -46,6 +46,8 @@ public class TokenManager {
public AccessCodeEntry createAccessCode(String scopeParam, String state, String redirect, RealmModel realm, UserModel client, UserModel user) { public AccessCodeEntry createAccessCode(String scopeParam, String state, String redirect, RealmModel realm, UserModel client, UserModel user) {
boolean applicationResource = realm.hasRole(client, realm.getRole(Constants.APPLICATION_ROLE));
AccessCodeEntry code = new AccessCodeEntry(); AccessCodeEntry code = new AccessCodeEntry();
SkeletonKeyScope scopeMap = null; SkeletonKeyScope scopeMap = null;
if (scopeParam != null) scopeMap = decodeScope(scopeParam); if (scopeParam != null) scopeMap = decodeScope(scopeParam);
@ -56,42 +58,26 @@ public class TokenManager {
if (realmMapping != null && realmMapping.size() > 0 && (scopeMap == null || scopeMap.containsKey("realm"))) { if (realmMapping != null && realmMapping.size() > 0 && (scopeMap == null || scopeMap.containsKey("realm"))) {
Set<String> scope = realm.getScopeMappingValues(client); Set<String> scope = realm.getScopeMappingValues(client);
if (scope.size() > 0) { if (scope.size() > 0) {
Set<String> scopeRequest = null; Set<String> scopeRequest = scopeMap != null ? new HashSet<String>(scopeMap.get("realm")) : null;
if (scopeMap != null) {
if (scopeRequest == null) {
scopeRequest = new HashSet<String>();
}
scopeRequest.addAll(scopeMap.get("realm"));
if (scopeRequest.contains(Constants.WILDCARD_ROLE)) scopeRequest = null;
}
for (String role : realmMapping) { for (String role : realmMapping) {
if ( if ((scopeRequest == null || scopeRequest.contains(role)) && scope.contains(role))
(scopeRequest == null || scopeRequest.contains(role)) &&
(scope.contains("*") || scope.contains(role))
)
realmRolesRequested.add(realm.getRole(role)); realmRolesRequested.add(realm.getRole(role));
} }
} }
} }
for (ApplicationModel resource : realm.getApplications()) { for (ApplicationModel resource : realm.getApplications()) {
Set<String> mapping = resource.getRoleMappingValues(user); if (applicationResource && resource.getApplicationUser().getLoginName().equals(client.getLoginName())) {
if (mapping != null && mapping.size() > 0 && (scopeMap == null || scopeMap.containsKey(resource.getName()))) { resourceRolesRequested.addAll(resource.getName(), resource.getRoles());
Set<String> scope = resource.getScopeMappingValues(client); } else {
if (scope.size() > 0) { Set<String> mapping = resource.getRoleMappingValues(user);
Set<String> scopeRequest = null; if (mapping != null && mapping.size() > 0 && (scopeMap == null || scopeMap.containsKey(resource.getName()))) {
if (scopeMap != null) { Set<String> scope = resource.getScopeMappingValues(client);
if (scopeRequest == null) { if (scope.size() > 0) {
scopeRequest = new HashSet<String>(); Set<String> scopeRequest = scopeMap != null ? new HashSet<String>(scopeMap.get(resource.getName())) : null;
for (String role : mapping) {
if ((scopeRequest == null || scopeRequest.contains(role)) && scope.contains(role))
resourceRolesRequested.add(resource.getName(), resource.getRole(role));
} }
scopeRequest.addAll(scopeMap.get(resource.getName()));
if (scopeRequest.contains(Constants.WILDCARD_ROLE)) scopeRequest = null;
}
for (String role : mapping) {
if (
(scopeRequest == null || scopeRequest.contains(role)) &&
(scope.contains("*") || scope.contains(role))
)
resourceRolesRequested.add(resource.getName(), resource.getRole(role));
} }
} }
} }
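Review bot: The new own-application branch, `resourceRolesRequested.addAll(resource.getName(), resource.getRoles())`, adds every role defined on the application regardless of `resource.getRoleMappingValues(user)` and of the requested `scopeMap`, whereas the `else` branch (and the realm branch above it) only requests roles the user actually holds and the client is scoped to. Unless a later step outside this hunk intersects the requested roles with the user's mappings, an application logging in a user through its own client mints tokens asserting application roles that user was never granted. The added AccessTokenTest assertions (one resource role, `customer-user`) would not distinguish the two behaviours if the test application defines only that role. Filtering by the user's mapping keeps the intent that an application is implicitly scoped to all of its own roles without over-granting; `createAccessCode` continues past the end of this hunk.
```java
if (applicationResource && resource.getApplicationUser().getLoginName().equals(client.getLoginName())) {
    // An application is implicitly scoped to all of its own roles, but the user must still hold them.
    Set<String> mapping = resource.getRoleMappingValues(user);
    if (mapping != null && mapping.size() > 0 && (scopeMap == null || scopeMap.containsKey(resource.getName()))) {
        Set<String> scopeRequest = scopeMap != null ? new HashSet<String>(scopeMap.get(resource.getName())) : null;
        for (String role : mapping) {
            if (scopeRequest == null || scopeRequest.contains(role))
                resourceRolesRequested.add(resource.getName(), resource.getRole(role));
        }
    }
} else {
    // … unchanged: scope-mapping based lookup for other applications …
}
```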


@ -350,7 +350,7 @@ public class AdapterTest extends AbstractKeycloakTest {
realmModel.addRole("admin"); realmModel.addRole("admin");
realmModel.addRole("user"); realmModel.addRole("user");
List<RoleModel> roles = realmModel.getRoles(); List<RoleModel> roles = realmModel.getRoles();
Assert.assertEquals(6, roles.size()); Assert.assertEquals(5, roles.size());
UserModel user = realmModel.addUser("bburke"); UserModel user = realmModel.addUser("bburke");
RoleModel role = realmModel.getRole("user"); RoleModel role = realmModel.getRole("user");
realmModel.grantRole(user, role); realmModel.grantRole(user, role);


@ -50,8 +50,7 @@ public class ImportTest extends AbstractKeycloakTest {
UserModel user = realm.getUser("loginclient"); UserModel user = realm.getUser("loginclient");
Assert.assertNotNull(user); Assert.assertNotNull(user);
Set<String> scopes = realm.getScopeMappingValues(user); Set<String> scopes = realm.getScopeMappingValues(user);
System.out.println("Scopes size: " + scopes.size()); Assert.assertEquals(0, scopes.size());
Assert.assertTrue(scopes.contains("*"));
Assert.assertEquals(0, realm.getSocialLinks(user).size()); Assert.assertEquals(0, realm.getSocialLinks(user).size());
List<ApplicationModel> resources = realm.getApplications(); List<ApplicationModel> resources = realm.getApplications();


@ -62,7 +62,6 @@
"name": "customer-portal", "name": "customer-portal",
"enabled": true, "enabled": true,
"adminUrl": "http://localhost:8080/customer-portal/j_admin_request", "adminUrl": "http://localhost:8080/customer-portal/j_admin_request",
"useRealmMappings": true,
"credentials": [ "credentials": [
{ {
"type": "totp", "type": "totp",
@ -75,7 +74,6 @@
"name": "product-portal", "name": "product-portal",
"enabled": true, "enabled": true,
"adminUrl": "http://localhost:8080/product-portal/j_admin_request", "adminUrl": "http://localhost:8080/product-portal/j_admin_request",
"useRealmMappings": true,
"credentials": [ "credentials": [
{ {
"type": "totp", "type": "totp",


@ -64,12 +64,6 @@
"roles": ["admin"] "roles": ["admin"]
} }
], ],
"scopeMappings": [
{
"username": "loginclient",
"roles": ["*"]
}
],
"socialMappings": [ "socialMappings": [
{ {
"username": "mySocialUser", "username": "mySocialUser",


@ -145,6 +145,10 @@ public class OAuthClient {
} }
} }
public String getClientId() {
return clientId;
}
public String getCurrentRequest() { public String getCurrentRequest() {
return driver.getCurrentUrl().substring(0, driver.getCurrentUrl().indexOf('?')); return driver.getCurrentUrl().substring(0, driver.getCurrentUrl().indexOf('?'));
} }


@ -73,6 +73,9 @@ public class AccessTokenTest {
Assert.assertEquals(1, token.getRealmAccess().getRoles().size()); Assert.assertEquals(1, token.getRealmAccess().getRoles().size());
Assert.assertTrue(token.getRealmAccess().isUserInRole("user")); Assert.assertTrue(token.getRealmAccess().isUserInRole("user"));
Assert.assertEquals(1, token.getResourceAccess(oauth.getClientId()).getRoles().size());
Assert.assertTrue(token.getResourceAccess(oauth.getClientId()).isUserInRole("customer-user"));
} }
} }


@ -62,6 +62,10 @@
{ {
"username": "third-party", "username": "third-party",
"roles": ["user"] "roles": ["user"]
},
{
"username": "test-app",
"roles": ["user"]
} }
], ],
"applications": [ "applications": [
@ -69,7 +73,6 @@
"name": "test-app", "name": "test-app",
"enabled": true, "enabled": true,
"adminUrl": "http://localhost:8081/app/logout", "adminUrl": "http://localhost:8081/app/logout",
"useRealmMappings": true,
"credentials": [ "credentials": [
{ {
"type": "password", "type": "password",