show permissions

2017-08-09 10:39:59 -04:00 · 2017-08-09 10:39:59 -04:00 · 45eac1093d
commit 45eac1093d
parent 3470b1839d
5 changed files with 30 additions and 17 deletions
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
@ -40,9 +40,13 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;

+import static org.keycloak.services.resources.admin.permissions.AdminPermissionManagement.EXCHANGE_FROM_SCOPE;
+import static org.keycloak.services.resources.admin.permissions.AdminPermissionManagement.EXCHANGE_TO_SCOPE;
+
 /**
 * Manages default policies for all users.
 *
@ -88,11 +92,11 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
    }

    private String getExchangeToPermissionName(ClientModel client) {
-        return AdminPermissionManagement.EXCHANGE_TO_SCOPE + ".permission.client." + client.getId();
+        return EXCHANGE_TO_SCOPE + ".permission.client." + client.getId();
    }

    private String getExchangeFromPermissionName(ClientModel client) {
-        return AdminPermissionManagement.EXCHANGE_FROM_SCOPE + ".permission.client." + client.getId();
+        return EXCHANGE_FROM_SCOPE + ".permission.client." + client.getId();
    }

    private void initialize(ClientModel client) {
@ -112,8 +116,8 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
        Scope mapRoleClientScope = root.initializeScope(MAP_ROLES_CLIENT_SCOPE, server);
        Scope mapRoleCompositeScope = root.initializeScope(MAP_ROLES_COMPOSITE_SCOPE, server);
        Scope configureScope = root.initializeScope(CONFIGURE_SCOPE, server);
-        Scope exchangeFromScope = root.initializeScope(AdminPermissionManagement.EXCHANGE_FROM_SCOPE, server);
-        Scope exchangeToScope = root.initializeScope(AdminPermissionManagement.EXCHANGE_TO_SCOPE, server);
+        Scope exchangeFromScope = root.initializeScope(EXCHANGE_FROM_SCOPE, server);
+        Scope exchangeToScope = root.initializeScope(EXCHANGE_TO_SCOPE, server);

        String resourceName = getResourceName(client);
        Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId());
@ -190,6 +194,8 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
        deletePolicy(getMapRolesClientScopePermissionName(client), server);
        deletePolicy(getMapRolesCompositePermissionName(client), server);
        deletePolicy(getConfigurePermissionName(client), server);
+        deletePolicy(getExchangeToPermissionName(client), server);
+        deletePolicy(getExchangeFromPermissionName(client), server);
        Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());;
        if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId());
    }
@ -218,11 +224,11 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
    }

    private Scope exchangeFromScope(ResourceServer server) {
-        return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.EXCHANGE_FROM_SCOPE, server.getId());
+        return authz.getStoreFactory().getScopeStore().findByName(EXCHANGE_FROM_SCOPE, server.getId());
    }

    private Scope exchangeToScope(ResourceServer server) {
-        return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.EXCHANGE_TO_SCOPE, server.getId());
+        return authz.getStoreFactory().getScopeStore().findByName(EXCHANGE_TO_SCOPE, server.getId());
    }

    private Scope configureScope(ResourceServer server) {
@ -301,13 +307,15 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
    @Override
    public Map<String, String> getPermissions(ClientModel client) {
        initialize(client);
-        Map<String, String> scopes = new HashMap<>();
-        scopes.put(MAP_ROLES_SCOPE,  mapRolesPermission(client).getId());
-        scopes.put(MAP_ROLES_CLIENT_SCOPE, mapRolesClientScopePermission(client).getId());
-        scopes.put(MAP_ROLES_COMPOSITE_SCOPE, mapRolesCompositePermission(client).getId());
+        Map<String, String> scopes = new LinkedHashMap<>();
        scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(client).getId());
        scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(client).getId());
        scopes.put(CONFIGURE_SCOPE, configurePermission(client).getId());
+        scopes.put(MAP_ROLES_SCOPE,  mapRolesPermission(client).getId());
+        scopes.put(MAP_ROLES_CLIENT_SCOPE, mapRolesClientScopePermission(client).getId());
+        scopes.put(MAP_ROLES_COMPOSITE_SCOPE, mapRolesCompositePermission(client).getId());
+        scopes.put(EXCHANGE_FROM_SCOPE, exchangeFromPermission(client).getId());
+        scopes.put(EXCHANGE_TO_SCOPE, exchangeToPermission(client).getId());
        return scopes;
    }

@ -341,7 +349,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa

            Scope scope = exchangeFromScope(server);
            if (scope == null) {
-                logger.debug(AdminPermissionManagement.EXCHANGE_FROM_SCOPE + " not initialized");
+                logger.debug(EXCHANGE_FROM_SCOPE + " not initialized");
                return false;
            }
            ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient);
@ -390,7 +398,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa

            Scope scope = exchangeToScope(server);
            if (scope == null) {
-                logger.debug(AdminPermissionManagement.EXCHANGE_TO_SCOPE + " not initialized");
+                logger.debug(EXCHANGE_TO_SCOPE + " not initialized");
                return false;
            }
            ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient);
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
@ -31,6 +31,7 @@ import org.keycloak.services.ForbiddenException;

 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;

@ -243,11 +244,11 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
    @Override
    public Map<String, String> getPermissions(GroupModel group) {
        initialize(group);
-        Map<String, String> scopes = new HashMap<>();
+        Map<String, String> scopes = new LinkedHashMap<>();
        scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(group).getId());
        scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(group).getId());
-        scopes.put(MANAGE_MEMBERS_SCOPE, manageMembersPermission(group).getId());
        scopes.put(VIEW_MEMBERS_SCOPE, viewMembersPermission(group).getId());
+        scopes.put(MANAGE_MEMBERS_SCOPE, manageMembersPermission(group).getId());
        scopes.put(MANAGE_MEMBERSHIP_SCOPE, manageMembershipPermission(group).getId());
        return scopes;
    }
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
@ -36,6 +36,7 @@ import org.keycloak.services.ForbiddenException;

 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;

@ -88,7 +89,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
    @Override
    public Map<String, String> getPermissions(RoleModel role) {
        initialize(role);
-        Map<String, String> scopes = new HashMap<>();
+        Map<String, String> scopes = new LinkedHashMap<>();
        scopes.put(RolePermissionManagement.MAP_ROLE_SCOPE, mapRolePermission(role).getId());
        scopes.put(RolePermissionManagement.MAP_ROLE_CLIENT_SCOPE_SCOPE, mapClientScopePermission(role).getId());
        scopes.put(RolePermissionManagement.MAP_ROLE_COMPOSITE_SCOPE, mapCompositePermission(role).getId());
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
@ -34,6 +34,7 @@ import org.keycloak.services.ForbiddenException;

 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;

@ -122,9 +123,9 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
    @Override
    public Map<String, String> getPermissions() {
        initialize();
-        Map<String, String> scopes = new HashMap<>();
-        scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission().getId());
+        Map<String, String> scopes = new LinkedHashMap<>();
        scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission().getId());
+        scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission().getId());
        scopes.put(MAP_ROLES_SCOPE, mapRolesPermission().getId());
        scopes.put(MANAGE_GROUP_MEMBERSHIP_SCOPE, manageGroupMembershipPermission().getId());
        scopes.put(IMPERSONATE_SCOPE, adminImpersonatingPermission().getId());
--- a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
+++ b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
@ -1340,6 +1340,8 @@ manage-permissions-group.tooltip=Fine grain permssions for admins that want to m
 manage-authz-group-scope-description=Policies that decide if an admin can manage this group
 view-authz-group-scope-description=Policies that decide if an admin can view this group
 view-members-authz-group-scope-description=Policies that decide if an admin can manage the members of this group
+exchange-to-authz-client-scope-description=Policies that decide which clients are allowed exchange tokens for a token that is targeted to this client.
+exchange-from-authz-client-scope-description=Policies that decide which clients are allowed to exchange tokens that were generated for this client.
 manage-authz-client-scope-description=Policies that decide if an admin can manage this client
 configure-authz-client-scope-description=Reduced management permissions for admin.  Cannot set scope, template, or protocol mappers.
 view-authz-client-scope-description=Policies that decide if an admin can view this client