Use admin console correctly in KeycloakIdentity

Fixes: #29688 Signed-off-by: Hynek Mlnarik <hmlnarik@redhat.com>
2024-05-21 10:28:18 +02:00 · 2024-05-21 10:28:18 +02:00 · 65fcd44fe1
commit 65fcd44fe1
parent bb5f308e1d
3 changed files with 17 additions and 11 deletions
--- a/js/apps/admin-ui/cypress/e2e/client_authorization_test.spec.ts
+++ b/js/apps/admin-ui/cypress/e2e/client_authorization_test.spec.ts
@ -195,7 +195,7 @@ describe("Client authentication subtab", () => {
    );
  });

-  describe.skip("Client authorization tab access for view-realm-authorization", () => {
+  describe("Client authorization tab access for view-realm-authorization", () => {
    const clientId = "realm-view-authz-client-" + uuid();

    beforeEach(async () => {
@ -241,11 +241,11 @@ describe("Client authentication subtab", () => {
      loginPage.logIn("test-view-authz-user", "password");
      keycloakBefore();

-      sidebarPage
-        .waitForPageLoad()
-        .goToRealm("realm-view-authz")
-        .waitForPageLoad()
-        .goToClients();
+      sidebarPage.waitForPageLoad().goToRealm("realm-view-authz");
+
+      cy.reload();
+
+      sidebarPage.waitForPageLoad().goToClients();

      listingPage
        .searchItem(clientId, true, "realm-view-authz")
--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java
@ -52,9 +52,10 @@ public class UIRealmsResource {
            )}
    )
    public Stream<RealmNameRepresentation> getRealms() {
+        final RealmsPermissionEvaluator eval = AdminPermissions.realms(session, auth.adminAuth());
+        
        Stream<RealmNameRepresentation> realms = session.realms().getRealmsStream()
                .filter(realm -> {
-                    RealmsPermissionEvaluator eval = AdminPermissions.realms(session, auth.adminAuth());
                    return eval.canView(realm) || eval.isAdmin(realm);
                })
                .map((RealmModel realm) -> {
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
@ -97,14 +97,19 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
    }

    private void initIdentity(KeycloakSession session, AdminAuth auth) {
-        if (Constants.ADMIN_CLI_CLIENT_ID.equals(auth.getToken().getIssuedFor())
-                || Constants.ADMIN_CONSOLE_CLIENT_ID.equals(auth.getToken().getIssuedFor())) {
-            this.identity = new UserModelIdentity(auth.getRealm(), auth.getUser());
+        final String issuedFor = auth.getToken().getIssuedFor();

+        if (Constants.ADMIN_CLI_CLIENT_ID.equals(issuedFor) || Constants.ADMIN_CONSOLE_CLIENT_ID.equals(issuedFor)) {
+            this.identity = new UserModelIdentity(auth.getRealm(), auth.getUser());
+        } else {
+            ClientModel client  = session.clients().getClientByClientId(auth.getRealm(), issuedFor);
+            if (client != null && Boolean.parseBoolean(client.getAttribute(Constants.SECURITY_ADMIN_CONSOLE_ATTR))) {
+                this.identity = new UserModelIdentity(auth.getRealm(), auth.getUser());
            } else {
                this.identity = new KeycloakIdentity(auth.getToken(), session);
            }
        }
+    }

    MgmtPermissions(KeycloakSession session, RealmModel adminsRealm, UserModel admin) {
        this.session = session;