From 65fcd44fe10e90a496857305b597ad06e4cdc8d5 Mon Sep 17 00:00:00 2001
From: Hynek Mlnarik
Date: Tue, 21 May 2024 10:28:18 +0200
Subject: [PATCH] Use admin console correctly in KeycloakIdentity

Fixes: #29688

Signed-off-by: Hynek Mlnarik
---
 .../cypress/e2e/client_authorization_test.spec.ts | 12 ++++++------
 .../keycloak/admin/ui/rest/UIRealmsResource.java | 3 ++-
 .../admin/permissions/MgmtPermissions.java | 13 +++++++++----
 3 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/js/apps/admin-ui/cypress/e2e/client_authorization_test.spec.ts b/js/apps/admin-ui/cypress/e2e/client_authorization_test.spec.ts
index d155e6645b..7af2b6b1ae 100644
--- a/js/apps/admin-ui/cypress/e2e/client_authorization_test.spec.ts
+++ b/js/apps/admin-ui/cypress/e2e/client_authorization_test.spec.ts
@@ -195,7 +195,7 @@ describe("Client authentication subtab", () => {
       );
     });
 
-  describe.skip("Client authorization tab access for view-realm-authorization", () => {
+  describe("Client authorization tab access for view-realm-authorization", () => {
     const clientId = "realm-view-authz-client-" + uuid();
 
     beforeEach(async () => {
@@ -241,11 +241,11 @@ describe("Client authentication subtab", () => {
       loginPage.logIn("test-view-authz-user", "password");
       keycloakBefore();
 
-      sidebarPage
-        .waitForPageLoad()
-        .goToRealm("realm-view-authz")
-        .waitForPageLoad()
-        .goToClients();
+      sidebarPage.waitForPageLoad().goToRealm("realm-view-authz");
+
+      cy.reload();
+
+      sidebarPage.waitForPageLoad().goToClients();
 
       listingPage
         .searchItem(clientId, true, "realm-view-authz")
diff --git a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java
index 0680d09c6c..e84bb904ea 100644
--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java
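Review bot: The inserted `cy.reload();` between `goToRealm("realm-view-authz")` and `goToClients()` has no comment saying why a full page reload is required where the previous chained navigation was not, so the next person touching this test will be tempted to fold the two statements back together. Presumably the reload makes the console re-initialize its permission state for the newly selected realm, which is what the re-enabled `view-realm-authorization` test depends on; a one-liner such as `// reload so the console picks up the permissions of the selected realm before navigating` would pin that intent. The `beforeEach` callback containing these lines starts outside the hunk.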
@@ -52,9 +52,10 @@ public class UIRealmsResource {
         )}
     )
     public Stream getRealms() {
+        final RealmsPermissionEvaluator eval = AdminPermissions.realms(session, auth.adminAuth());
+
         Stream realms = session.realms().getRealmsStream()
                 .filter(realm -> {
-                    RealmsPermissionEvaluator eval = AdminPermissions.realms(session, auth.adminAuth());
                     return eval.canView(realm) || eval.isAdmin(realm);
                 })
                 .map((RealmModel realm) -> {
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
index 89a92fc9e6..619d3605cb 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
@@ -97,12 +97,17 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
     }
 
     private void initIdentity(KeycloakSession session, AdminAuth auth) {
-        if (Constants.ADMIN_CLI_CLIENT_ID.equals(auth.getToken().getIssuedFor())
-                || Constants.ADMIN_CONSOLE_CLIENT_ID.equals(auth.getToken().getIssuedFor())) {
-            this.identity = new UserModelIdentity(auth.getRealm(), auth.getUser());
+        final String issuedFor = auth.getToken().getIssuedFor();
+        if (Constants.ADMIN_CLI_CLIENT_ID.equals(issuedFor) || Constants.ADMIN_CONSOLE_CLIENT_ID.equals(issuedFor)) {
+            this.identity = new UserModelIdentity(auth.getRealm(), auth.getUser());
 
         } else {
-            this.identity = new KeycloakIdentity(auth.getToken(), session);
+            ClientModel client = session.clients().getClientByClientId(auth.getRealm(), issuedFor);
+            if (client != null && Boolean.parseBoolean(client.getAttribute(Constants.SECURITY_ADMIN_CONSOLE_ATTR))) {
+                this.identity = new UserModelIdentity(auth.getRealm(), auth.getUser());
+            } else {
+                this.identity = new KeycloakIdentity(auth.getToken(), session);
+            }
         }
     }
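Review bot: In `initIdentity`, `issuedFor` now reaches `session.clients().getClientByClientId(auth.getRealm(), issuedFor)` unchecked, and it is null whenever the token carries no `azp` claim; the old code only ever passed it to `equals`, which tolerated that, whereas the lookup's behaviour on a null client id depends on the client provider. A guard such as `ClientModel client = issuedFor == null ? null : session.clients().getClientByClientId(auth.getRealm(), issuedFor);` keeps the `KeycloakIdentity` fallback on that path without relying on every provider to cope. The attribute check also widens which clients are treated like the built-in console: any client in the realm whose `Constants.SECURITY_ADMIN_CONSOLE_ATTR` attribute parses as true now yields a `UserModelIdentity`, which presumably evaluates admin permissions from the user model rather than from the token, so a comment stating who is expected to set that attribute and why the token-based identity is bypassed for such clients would help the next reader, e.g. `// Clients flagged as admin consoles are trusted like the built-in console: permissions come from the user, not from the token's scope`. The two `new UserModelIdentity(auth.getRealm(), auth.getUser())` assignments could also be collapsed by folding the attribute test into the first condition, but that is cosmetic.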