From 45eac1093df62aad4f59c095de5df846cfb5d62d Mon Sep 17 00:00:00 2001
From: Bill Burke
Date: Wed, 9 Aug 2017 10:39:59 -0400
Subject: [PATCH] show permissions

---
 .../admin/permissions/ClientPermissions.java | 32 ++++++++++++-------
 .../admin/permissions/GroupPermissions.java | 5 +--
 .../admin/permissions/RolePermissions.java | 3 +-
 .../admin/permissions/UserPermissions.java | 5 +--
 .../messages/admin-messages_en.properties | 2 ++
 5 files changed, 30 insertions(+), 17 deletions(-)

diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
index 30381d2f64..bbb7bf4d29 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
@@ -40,9 +40,13 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
+import static org.keycloak.services.resources.admin.permissions.AdminPermissionManagement.EXCHANGE_FROM_SCOPE;
+import static org.keycloak.services.resources.admin.permissions.AdminPermissionManagement.EXCHANGE_TO_SCOPE;
+
 /**
  * Manages default policies for all users.
  *
@@ -88,11 +92,11 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
 }
 private String getExchangeToPermissionName(ClientModel client) {
- return AdminPermissionManagement.EXCHANGE_TO_SCOPE + ".permission.client." + client.getId();
+ return EXCHANGE_TO_SCOPE + ".permission.client." + client.getId();
 }
 private String getExchangeFromPermissionName(ClientModel client) {
- return AdminPermissionManagement.EXCHANGE_FROM_SCOPE + ".permission.client." + client.getId();
+ return EXCHANGE_FROM_SCOPE + ".permission.client." + client.getId();
 }
 private void initialize(ClientModel client) {
@@ -112,8 +116,8 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
 Scope mapRoleClientScope = root.initializeScope(MAP_ROLES_CLIENT_SCOPE, server);
 Scope mapRoleCompositeScope = root.initializeScope(MAP_ROLES_COMPOSITE_SCOPE, server);
 Scope configureScope = root.initializeScope(CONFIGURE_SCOPE, server);
- Scope exchangeFromScope = root.initializeScope(AdminPermissionManagement.EXCHANGE_FROM_SCOPE, server);
- Scope exchangeToScope = root.initializeScope(AdminPermissionManagement.EXCHANGE_TO_SCOPE, server);
+ Scope exchangeFromScope = root.initializeScope(EXCHANGE_FROM_SCOPE, server);
+ Scope exchangeToScope = root.initializeScope(EXCHANGE_TO_SCOPE, server);
 String resourceName = getResourceName(client);
 Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId());
@@ -190,6 +194,8 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
 deletePolicy(getMapRolesClientScopePermissionName(client), server);
 deletePolicy(getMapRolesCompositePermissionName(client), server);
 deletePolicy(getConfigurePermissionName(client), server);
+ deletePolicy(getExchangeToPermissionName(client), server);
+ deletePolicy(getExchangeFromPermissionName(client), server);
 Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());;
 if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId());
 }
@@ -218,11 +224,11 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
 }
 private Scope exchangeFromScope(ResourceServer server) {
- return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.EXCHANGE_FROM_SCOPE, server.getId());
+ return authz.getStoreFactory().getScopeStore().findByName(EXCHANGE_FROM_SCOPE, server.getId());
 }
 private Scope exchangeToScope(ResourceServer server) {
- return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.EXCHANGE_TO_SCOPE, server.getId());
+ return authz.getStoreFactory().getScopeStore().findByName(EXCHANGE_TO_SCOPE, server.getId());
 }
 private Scope configureScope(ResourceServer server) {
@@ -301,13 +307,15 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
 @Override
 public Map getPermissions(ClientModel client) {
 initialize(client);
- Map scopes = new HashMap<>();
- scopes.put(MAP_ROLES_SCOPE, mapRolesPermission(client).getId());
- scopes.put(MAP_ROLES_CLIENT_SCOPE, mapRolesClientScopePermission(client).getId());
- scopes.put(MAP_ROLES_COMPOSITE_SCOPE, mapRolesCompositePermission(client).getId());
+ Map scopes = new LinkedHashMap<>();
 scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(client).getId());
 scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(client).getId());
 scopes.put(CONFIGURE_SCOPE, configurePermission(client).getId());
+ scopes.put(MAP_ROLES_SCOPE, mapRolesPermission(client).getId());
+ scopes.put(MAP_ROLES_CLIENT_SCOPE, mapRolesClientScopePermission(client).getId());
+ scopes.put(MAP_ROLES_COMPOSITE_SCOPE, mapRolesCompositePermission(client).getId());
+ scopes.put(EXCHANGE_FROM_SCOPE, exchangeFromPermission(client).getId());
+ scopes.put(EXCHANGE_TO_SCOPE, exchangeToPermission(client).getId());
 return scopes;
 }
@@ -341,7 +349,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
 Scope scope = exchangeFromScope(server);
 if (scope == null) {
- logger.debug(AdminPermissionManagement.EXCHANGE_FROM_SCOPE + " not initialized");
+ logger.debug(EXCHANGE_FROM_SCOPE + " not initialized");
 return false;
 }
 ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient);
@@ -390,7 +398,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
 Scope scope = exchangeToScope(server);
 if (scope == null) {
- logger.debug(AdminPermissionManagement.EXCHANGE_TO_SCOPE + " not initialized");
+ logger.debug(EXCHANGE_TO_SCOPE + " not initialized");
 return false;
 }
 ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient);
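Review bot: `Map scopes = new LinkedHashMap<>();` in getPermissions keeps the raw `Map` declaration, so the diamond infers `Object` for keys and values and the caller gets no type information; the same line is introduced in the GroupPermissions, RolePermissions and UserPermissions hunks. At least the local should read `Map<String, String> scopes = new LinkedHashMap<>();`, and `Map<String, String>` as the return type if the overridden interface allows it. The change from HashMap to LinkedHashMap together with the reordered puts suggests that the admin console presumably renders these entries in insertion order; a comment such as `// LinkedHashMap: insertion order is the display order in the admin console` would keep a later cleanup from reverting to HashMap. The new `exchangeFromPermission(client).getId()` and `exchangeToPermission(client).getId()` calls rely on initialize(client) having created those two policies; the `scope == null` guards in the next two hunks show the exchange scopes can be absent on existing deployments, so confirm that initialize also creates the permissions, or guard against a null return here as well.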
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
index 425edb4b81..722ea1c7a7 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
@@ -31,6 +31,7 @@ import org.keycloak.services.ForbiddenException;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
@@ -243,11 +244,11 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
 @Override
 public Map getPermissions(GroupModel group) {
 initialize(group);
- Map scopes = new HashMap<>();
+ Map scopes = new LinkedHashMap<>();
 scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(group).getId());
 scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(group).getId());
- scopes.put(MANAGE_MEMBERS_SCOPE, manageMembersPermission(group).getId());
 scopes.put(VIEW_MEMBERS_SCOPE, viewMembersPermission(group).getId());
+ scopes.put(MANAGE_MEMBERS_SCOPE, manageMembersPermission(group).getId());
 scopes.put(MANAGE_MEMBERSHIP_SCOPE, manageMembershipPermission(group).getId());
 return scopes;
 }
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
index 33f99db725..0e12861929 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
@@ -36,6 +36,7 @@ import org.keycloak.services.ForbiddenException;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
@@ -88,7 +89,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
 @Override
 public Map getPermissions(RoleModel role) {
 initialize(role);
- Map scopes = new HashMap<>();
+ Map scopes = new LinkedHashMap<>();
 scopes.put(RolePermissionManagement.MAP_ROLE_SCOPE, mapRolePermission(role).getId());
 scopes.put(RolePermissionManagement.MAP_ROLE_CLIENT_SCOPE_SCOPE, mapClientScopePermission(role).getId());
 scopes.put(RolePermissionManagement.MAP_ROLE_COMPOSITE_SCOPE, mapCompositePermission(role).getId());
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
index 14cf84472b..3ac26ed5fa 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
@@ -34,6 +34,7 @@ import org.keycloak.services.ForbiddenException;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
@@ -122,9 +123,9 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
 @Override
 public Map getPermissions() {
 initialize();
- Map scopes = new HashMap<>();
- scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission().getId());
+ Map scopes = new LinkedHashMap<>();
 scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission().getId());
+ scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission().getId());
 scopes.put(MAP_ROLES_SCOPE, mapRolesPermission().getId());
 scopes.put(MANAGE_GROUP_MEMBERSHIP_SCOPE, manageGroupMembershipPermission().getId());
 scopes.put(IMPERSONATE_SCOPE, adminImpersonatingPermission().getId());
diff --git a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
index a2c8d5bbb9..f261105214 100644
--- a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
+++ b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
@@ -1340,6 +1340,8 @@ manage-permissions-group.tooltip=Fine grain permssions for admins that want to m
 manage-authz-group-scope-description=Policies that decide if an admin can manage this group
 view-authz-group-scope-description=Policies that decide if an admin can view this group
 view-members-authz-group-scope-description=Policies that decide if an admin can manage the members of this group
+exchange-to-authz-client-scope-description=Policies that decide which clients are allowed exchange tokens for a token that is targeted to this client.
+exchange-from-authz-client-scope-description=Policies that decide which clients are allowed to exchange tokens that were generated for this client.
 manage-authz-client-scope-description=Policies that decide if an admin can manage this client
 configure-authz-client-scope-description=Reduced management permissions for admin. Cannot set scope, template, or protocol mappers.
 view-authz-client-scope-description=Policies that decide if an admin can view this client
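Review bot: The new exchange-to-authz-client-scope-description string is missing a word — "which clients are allowed exchange tokens" should read `exchange-to-authz-client-scope-description=Policies that decide which clients are allowed to exchange tokens for a token that is targeted to this client`, matching the wording of the exchange-from line directly beneath it. Both added descriptions also end with a trailing period while the neighbouring scope descriptions in this hunk do not; dropping the periods keeps the admin console text consistent.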