Add userProfileEnabled attribute to realm response if admin can view users

closes https://github.com/keycloak/keycloak/issues/19093
rmartinc 2023-10-27 11:27:00 +02:00 committed by Pedro Igor
parent 1145568324
commit 6484a3e705
2 changed files with 19 additions and 2 deletions


@ -28,6 +28,7 @@ import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
@ -117,7 +118,7 @@ import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.storage.DatastoreProvider;
import org.keycloak.storage.ExportImportManager;
import org.keycloak.storage.LegacyStoreSyncEvent;
import org.keycloak.utils.GroupUtils;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;
import org.keycloak.utils.ProfileHelper;
import org.keycloak.utils.ReservedCharValidator;
@ -384,6 +385,12 @@ public class RealmAdminResource {
if (auth.users().canView()) {
rep.setRegistrationEmailAsUsername(realm.isRegistrationEmailAsUsername());
if (realm.getAttribute(DeclarativeUserProfileProvider.REALM_USER_PROFILE_ENABLED, Boolean.FALSE)) {
// add the user profile attribute if enabled
Map<String, String> attrs = Optional.ofNullable(rep.getAttributes()).orElse(new HashMap<>());
attrs.put(DeclarativeUserProfileProvider.REALM_USER_PROFILE_ENABLED, Boolean.TRUE.toString());
rep.setAttributes(attrs);
}
}
if (auth.realm().canViewIdentityProviders()) {
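Review bot: The comment `// add the user profile attribute if enabled` inside the `auth.users().canView()` branch does not record that this is a deliberate one-key exception. `rep` appears to be a reduced representation filled in per permission, and this is the only place visible here that gives it an attributes map. I would say so explicitly, e.g. `// limited view: expose only REALM_USER_PROFILE_ENABLED; do not copy other realm attributes here`, so a later change does not widen what view-users admins can read. As a minor style point, `orElse(new HashMap<>())` allocates a map even when `rep.getAttributes()` is non-null; `Optional.ofNullable(rep.getAttributes()).orElseGet(HashMap::new)` avoids that. The enclosing method starts and ends outside the hunk, so how `rep` is initialised is not visible.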


@ -59,6 +59,7 @@ import org.keycloak.services.resources.admin.AdminAuth.Resource;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.ProfileAssume;
import org.keycloak.testsuite.updaters.RealmAttributeUpdater;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.CredentialBuilder;
@ -67,6 +68,7 @@ import org.keycloak.testsuite.util.GreenMailRule;
import org.keycloak.testsuite.util.IdentityProviderBuilder;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;
import jakarta.ws.rs.ClientErrorException;
import jakarta.ws.rs.core.Response;
@ -299,20 +301,28 @@ public class PermissionsTest extends AbstractKeycloakTest {
}
}, Resource.REALM, false, true);
{
try (RealmAttributeUpdater updater = new RealmAttributeUpdater(adminClient.realm(REALM_NAME))
.setAttribute(DeclarativeUserProfileProvider.REALM_USER_PROFILE_ENABLED, Boolean.TRUE.toString())
.update()) {
RealmRepresentation realm = clients.get(AdminRoles.QUERY_REALMS).realm(REALM_NAME).toRepresentation();
assertGettersEmpty(realm);
assertNull(realm.isRegistrationEmailAsUsername());
assertNull(realm.getAttributes());
realm = clients.get(AdminRoles.VIEW_USERS).realm(REALM_NAME).toRepresentation();
assertNotNull(realm.isRegistrationEmailAsUsername());
assertNotNull(realm.getAttributes());
assertNotNull(realm.getAttributes().get(DeclarativeUserProfileProvider.REALM_USER_PROFILE_ENABLED));
realm = clients.get(AdminRoles.MANAGE_USERS).realm(REALM_NAME).toRepresentation();
assertNotNull(realm.isRegistrationEmailAsUsername());
assertNotNull(realm.getAttributes());
assertNotNull(realm.getAttributes().get(DeclarativeUserProfileProvider.REALM_USER_PROFILE_ENABLED));
// query users only if granted through fine-grained admin
realm = clients.get(AdminRoles.QUERY_USERS).realm(REALM_NAME).toRepresentation();
assertNull(realm.isRegistrationEmailAsUsername());
assertNull(realm.getAttributes());
}
// this should pass given that users granted with "query" roles are allowed to access the realm with limited access