From 57cb46148f4458e28aa3e932399490d6c9e39ec5 Mon Sep 17 00:00:00 2001
From: Bill Burke
Date: Mon, 19 Jun 2017 11:21:59 -0400
Subject: [PATCH] tests
---
.../services/resources/admin/AdminRoot.java | 24 +++----------------
.../admin/permissions/MgmtPermissions.java | 16 +++++++++++++
.../RealmsPermissionEvaluator.java | 2 ++
.../keycloak/testsuite/util/TestCleanup.java | 1 +
.../testsuite/AbstractKeycloakTest.java | 2 ++
5 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
index 5db1ea4475..650ac75d49 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
@@ -38,6 +38,8 @@ import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.RealmManager; import org.keycloak.services.resources.Cors; import org.keycloak.services.resources.admin.info.ServerInfoAdminResource; +import org.keycloak.services.resources.admin.permissions.AdminPermissions; +import org.keycloak.services.resources.admin.permissions.RealmsPermissionEvaluator; import org.keycloak.theme.Theme; import org.keycloak.theme.ThemeProvider;
@@ -229,7 +231,7 @@ public class AdminRoot { handlePreflightRequest(); AdminAuth auth = authenticateRealmAdminRequest(headers); - if (!isAdmin(auth)) { + if (!AdminPermissions.realms(session, auth).isAdmin()) { throw new ForbiddenException(); }
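Review bot: `RealmsPermissionEvaluator` is imported on the new side of the -38 hunk but is not referenced in either visible hunk of AdminRoot.java, and the imports the deleted `isAdmin(AdminAuth)` relied on (`RealmManager`, `AdminRoles`, `RealmModel`, `ClientModel`) may now be dead as well. I cannot see the rest of the file, so confirm with the compiler's unused-import warning and prune whatever nothing else uses. Unused imports are harmless at runtime, but they obscure what this class actually depends on for its permission wiring.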
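Review bot: The replaced gate `if (!AdminPermissions.realms(session, auth).isAdmin())` is the single check standing between an authenticated token and the entire admin REST tree (everything else is a `ForbiddenException`), and its semantics are not demonstrably identical to the removed `isAdmin(AdminAuth)`: the old non-master branch tested the realm-management client's roles with `auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES)`, whereas the new path ends in `MgmtPermissions.isAdmin(adminsRealm)`, whose body is outside this patch. The old master-realm branch also read roles from the presented token (`auth.hasOneOfRealmRole`), while the new code reads `identity.hasRealmRole`; whether `identity` reflects the token or the user's stored role mappings is not visible here, and a token scoped down should not regain roles at this gate. I would pin the contract in this commit rather than later: a non-master user holding a single realm-management role (e.g. view-users) still gets through, a user with no admin role anywhere is rejected, and a master-realm user with only a role on some other realm's master admin client is accepted as before. The enclosing method begins before the -229 hunk and continues past it.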
@@ -244,26 +246,6 @@ public class AdminRoot { return adminResource; } - protected boolean isAdmin(AdminAuth auth) { - - RealmManager realmManager = new RealmManager(session); - if (auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) { - if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) { - return true; - } - for (RealmModel realm : session.realms().getRealms()) { - ClientModel client = realm.getMasterAdminClient(); - if (auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES)) { - return true; - } - } - return false; - } else { - ClientModel client = auth.getRealm().getClientByClientId(realmManager.getRealmAdminClientId(auth.getRealm())); - return auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES); - } - } - protected void handlePreflightRequest() { if (request.getHttpMethod().equalsIgnoreCase("OPTIONS")) { logger.debug("Cors admin pre-flight");
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
index 8c9e584514..94fa957b1d 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
@@ -317,6 +317,22 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage return hasAnyAdminRole(realm); } + @Override + public boolean isAdmin() { + RealmManager realmManager = new RealmManager(session); + if (adminsRealm.equals(realmManager.getKeycloakAdminstrationRealm())) { + if (identity.hasRealmRole(AdminRoles.ADMIN) || identity.hasRealmRole(AdminRoles.CREATE_REALM)) { + return true; + } + for (RealmModel realm : session.realms().getRealms()) { + if (isAdmin(realm)) return true; + } + return false; + } else { + return isAdmin(adminsRealm); + } + } + @Override public boolean canCreateRealm() { RealmManager realmManager = new RealmManager(session);
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmsPermissionEvaluator.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmsPermissionEvaluator.java
index b58202f189..5286d103d1 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmsPermissionEvaluator.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmsPermissionEvaluator.java
@@ -27,6 +27,8 @@ public interface RealmsPermissionEvaluator { boolean isAdmin(RealmModel realm); + boolean isAdmin(); + boolean canCreateRealm(); void requireCreateRealm();
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/TestCleanup.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/TestCleanup.java
index 17ff44a9c6..e20485c37a 100644
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/TestCleanup.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/TestCleanup.java
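Review bot: The new `isAdmin()` has no Javadoc and its name overstates what it guarantees: in the master realm it returns true for an identity holding admin or create-realm, or any admin role on any realm (the loop over `session.realms().getRealms()` returns on the first `isAdmin(realm)` hit, which from the tail visible above appears to reduce to `hasAnyAdminRole(realm)`), so it is a coarse "may reach the admin API at all" test, not full-admin status. I would say that in a comment above the `@Override`, e.g. `// Coarse entry check for the admin API, not full-admin status: master-realm identities pass with admin/create-realm or any admin role on any realm, others with any admin role on their own realm; per-resource permission checks still apply.` Whether `identity.hasRealmRole` reflects the presented token's roles or the user's stored role mappings is not visible here; it replaces the token-based `auth.hasOneOfRealmRole` check removed from AdminRoot, so confirm a scoped-down token cannot regain roles through it. `new RealmManager(session)` is built solely for `getKeycloakAdminstrationRealm()`, duplicating the same construction in `canCreateRealm()` just below; a private helper would remove the repetition.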
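Review bot: The added `boolean isAdmin();` carries no Javadoc, so implementors of `RealmsPermissionEvaluator` cannot tell how it differs from the existing `isAdmin(RealmModel realm)` one line above it. Since it is an interface method, the contract belongs here rather than in MgmtPermissions; from the only implementation in this patch it is a realm-independent entry check, so I would add `/** Coarse check that the identity may use the admin API at all: any admin role on its own realm, or, for master-realm identities, admin, create-realm or any admin role on any realm. Per-resource checks still apply. */` above the declaration.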
@@ -116,6 +116,7 @@ public class TestCleanup { public void executeCleanup() { + if (adminClient == null) throw new RuntimeException("ADMIN CLIENT NULL"); RealmResource realm = adminClient.realm(realmName); if (userIds != null) {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java
index d6d2ad8e15..262d0b27b5 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java
@@ -167,6 +167,7 @@ public abstract class AbstractKeycloakTest { removeRealm(testRealm.getRealm()); } } else { + log.info("calling all TestCleanup"); // Logout all users after the test List realms = testContext.getTestRealmReps(); for (RealmRepresentation realm : realms) {
@@ -178,6 +179,7 @@ public abstract class AbstractKeycloakTest { try { if (cleanup != null) cleanup.executeCleanup(); } catch (Exception e) { + log.error("failed cleanup!", e); throw new RuntimeException(e); } }
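Review bot: The guard `if (adminClient == null) throw new RuntimeException("ADMIN CLIENT NULL");` throws the generic exception type with a shouting, uninformative message; a violated object-state precondition is conventionally `IllegalStateException` (or `Objects.requireNonNull` if a NPE is acceptable) with a message that tells the reader what went wrong, e.g. `if (adminClient == null) throw new IllegalStateException("executeCleanup() called before adminClient was set");`. Together with the bare commit subject "tests" this reads like debugging instrumentation; if it is meant to stay, give it the proper type and message. `executeCleanup()` continues past the end of the hunk.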
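Review bot: `log.info("calling all TestCleanup")` logs a fixed trace message at INFO on every test teardown, which adds noise to every suite run without carrying any identifying information. Either drop it once the investigation that motivated this commit is over, or lower it to DEBUG and include something useful, e.g. `log.debugf("running TestCleanup for %d realms", realms.size());` (hedged: I cannot see which logger API `log` exposes). The enclosing method starts before this hunk and continues past it.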
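Review bot: `log.error("failed cleanup!", e);` followed immediately by `throw new RuntimeException(e);` reports the same failure twice, once with the stack trace in the log and again through the propagated exception that already carries `e` as its cause, so test output gets a duplicated trace and no extra information. Keep one of the two: let the wrapped exception propagate without the log line, or, if the log exists because the harness swallows teardown exceptions, say so in a one-line comment above it. The surrounding method starts before this hunk.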