KEYCLOAK-8166

This commit is contained in:
Martin Kanis 2018-09-07 16:10:03 +02:00 committed by Stian Thorgersen
parent 72b23c1357
commit 6a23eb19f5
7 changed files with 69 additions and 13 deletions


@ -135,7 +135,7 @@ public class AuthenticationManagementResource {
@NoCache
@Produces(MediaType.APPLICATION_JSON)
public List<Map<String, Object>> getClientAuthenticatorProviders() {
auth.requireAnyAdminRole();
auth.realm().requireViewRealm();
List<ProviderFactory> factories = session.getKeycloakSessionFactory().getProviderFactories(ClientAuthenticator.class);
return buildProviderMetadata(factories);
@ -900,7 +900,7 @@ public class AuthenticationManagementResource {
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public List<RequiredActionProviderRepresentation> getRequiredActions() {
auth.requireAnyAdminRole();
auth.realm().requireViewRealm();
List<RequiredActionProviderRepresentation> list = new LinkedList<>();
for (RequiredActionProviderModel model : realm.getRequiredActionProviders()) {
@ -1095,7 +1095,7 @@ public class AuthenticationManagementResource {
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public Map<String, List<ConfigPropertyRepresentation>> getPerClientConfigDescription() {
auth.requireAnyAdminRole();
auth.realm().requireViewRealm();
List<ProviderFactory> factories = session.getKeycloakSessionFactory().getProviderFactories(ClientAuthenticator.class);
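Review bot: The swap from `auth.requireAnyAdminRole();` to `auth.realm().requireViewRealm();` at the top of getClientAuthenticatorProviders is not explained at the call site, and the same unexplained swap is made in the hunks at 900 (getRequiredActions) and 1095 (getPerClientConfigDescription). A one-line comment above the check, such as `// authenticator / required-action metadata is realm configuration: view-realm is required, any admin role is not enough`, would record why query-only roles are now rejected. Each of the three method bodies continues past its hunk. It is worth confirming, outside these hunks, that no other read-only endpoint of this resource still relies on `requireAnyAdminRole()`, otherwise the tightening is partial.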


@ -107,7 +107,7 @@ public class ClientsResource {
ClientRepresentation representation = ModelToRepresentation.toRepresentation(clientModel, session);
rep.add(representation);
representation.setAccess(auth.clients().getAccess(clientModel));
} else if (!viewableOnly) {
} else if (!viewableOnly && auth.clients().canView(clientModel)) {
ClientRepresentation client = new ClientRepresentation();
client.setId(clientModel.getId());
client.setClientId(clientModel.getClientId());
@ -122,7 +122,7 @@ public class ClientsResource {
ClientRepresentation representation = ModelToRepresentation.toRepresentation(clientModel, session);
representation.setAccess(auth.clients().getAccess(clientModel));
rep.add(representation);
} else if (!viewableOnly && auth.clients().canList()){
} else if (!viewableOnly && auth.clients().canView(clientModel)){
ClientRepresentation client = new ClientRepresentation();
client.setId(clientModel.getId());
client.setClientId(clientModel.getClientId());
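Review bot: The new condition `} else if (!viewableOnly && auth.clients().canView(clientModel)){` at line 122 (and the matching one at 107) looks unreachable if the `if` it follows, which sits above the hunk, already tests `auth.clients().canView(clientModel)` as the full-representation branch suggests; the stripped id/clientId-only representation would then never be produced. If that is intended (the test hunk at 480 expects a QUERY_CLIENTS caller to get an empty list), the dead branch should be removed or marked with a comment such as `// no reduced representation: only viewers see clients, query-clients alone lists nothing`. If a reduced listing for query-clients was intended, the `ClientPermissions.canList(ClientModel)` added in this commit is the predicate to use instead. The enclosing method starts and ends outside both hunks.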


@ -224,7 +224,11 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM
@Override
public boolean canList() {
return root.hasAnyAdminRole();
return canView() || root.hasOneAdminRole(AdminRoles.QUERY_CLIENTS);
}
public boolean canList(ClientModel clientModel) {
return canView(clientModel) || root.hasOneAdminRole(AdminRoles.QUERY_CLIENTS);
}
@Override
@ -236,7 +240,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM
@Override
public boolean canListClientScopes() {
return root.hasAnyAdminRole();
return canView() || root.hasOneAdminRole(AdminRoles.QUERY_CLIENTS);
}
@Override
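Review bot: The new `public boolean canList(ClientModel clientModel)` has no Javadoc and no `@Override`, and ClientPermissionEvaluator is not among the changed files, so it appears to be a class-only method that callers holding the interface cannot reach; RolePermissions in this commit reaches it through `root.clients()`, which presumably returns the concrete class. Either add it to the interface or state the contract on the method, e.g. `/** Whether the caller may see this client in listings: viewable (fine-grained or view-clients) or holding query-clients. */`. The parallel `canView() || root.hasOneAdminRole(AdminRoles.QUERY_CLIENTS)` lines in `canList()` and `canListClientScopes()` would benefit from one comment noting that query-clients is deliberately a listing-only grant that never implies view.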


@ -141,7 +141,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
@Override
public boolean canList() {
return root.hasOneAdminRole(AdminRoles.VIEW_USERS, AdminRoles.MANAGE_USERS, AdminRoles.QUERY_GROUPS);
return canView() || root.hasOneAdminRole(AdminRoles.VIEW_USERS, AdminRoles.MANAGE_USERS, AdminRoles.QUERY_GROUPS);
}
@Override
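Review bot: In the new `return canView() || root.hasOneAdminRole(AdminRoles.VIEW_USERS, AdminRoles.MANAGE_USERS, AdminRoles.QUERY_GROUPS);` the explicit VIEW_USERS and MANAGE_USERS roles look redundant if `canView()`, which is outside the hunk, already grants on those roles. If it does, `return canView() || root.hasOneAdminRole(AdminRoles.QUERY_GROUPS);` keeps this method parallel to ClientPermissions.canList and RealmPermissions.canListRealms in the same commit; if it does not, a comment should say why those two roles may list groups without being able to view them. canList is complete within the hunk.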


@ -77,7 +77,7 @@ class RealmPermissions implements RealmPermissionEvaluator {
@Override
public boolean canListRealms() {
return root.hasAnyAdminRole();
return canViewRealm() || root.hasOneAdminRole(AdminRoles.QUERY_REALMS);
}
@Override
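Review bot: The new `return canViewRealm() || root.hasOneAdminRole(AdminRoles.QUERY_REALMS);` is now also the gate for listing realm-level roles, because RolePermissions.canList in this commit delegates to `root.realm().canListRealms()` for RealmModel containers, and that coupling is not visible from this method. A Javadoc line such as `/** Whether the caller may list realms. Also used by RolePermissions.canList for realm roles, so widening this widens role listing too. */` would keep a later change from unknowingly exposing role names to additional roles. The method is complete within the hunk.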


@ -324,7 +324,13 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
@Override
public boolean canList(RoleContainerModel container) {
return root.hasAnyAdminRole();
if (canView(container)) {
return true;
} else if (container instanceof RealmModel) {
return root.realm().canListRealms();
} else {
return root.clients().canList((ClientModel)container);
}
}
@Override
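Review bot: The final `else` in the new canList casts unconditionally with `return root.clients().canList((ClientModel)container);`, so any RoleContainerModel that is neither a RealmModel nor a ClientModel would surface as an unhandled ClassCastException rather than a permission denial. For an authorization check it is safer to fail closed: replace the `else` with `} else if (container instanceof ClientModel) { return root.clients().canList((ClientModel) container); } return false;`. The old `hasAnyAdminRole()` fallback is gone, so a caller with only create-client now has no listing right, which matches the test hunk at 945. canList is complete within the hunk.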


@ -17,6 +17,7 @@
package org.keycloak.testsuite.admin;
import org.hamcrest.Matchers;
import org.jboss.resteasy.plugins.providers.multipart.MultipartFormDataOutput;
import org.junit.AfterClass;
import org.junit.Before;
@ -36,6 +37,7 @@ import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ClientScopeRepresentation;
import org.keycloak.representations.idm.ComponentRepresentation;
import org.keycloak.representations.idm.ConfigPropertyRepresentation;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.IdentityProviderMapperRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
@ -293,7 +295,14 @@ public class PermissionsTest extends AbstractKeycloakTest {
realm.toRepresentation();
}
}, Resource.REALM, false, true);
assertGettersEmpty(clients.get(AdminRoles.VIEW_USERS).realm(REALM_NAME).toRepresentation());
assertGettersEmpty(clients.get(AdminRoles.QUERY_REALMS).realm(REALM_NAME).toRepresentation());
// this should throw forbidden as "query-users" role isn't enough
invoke(new Invocation() {
public void invoke(RealmResource realm) {
clients.get(AdminRoles.QUERY_USERS).realm(REALM_NAME).toRepresentation();
}
}, clients.get(AdminRoles.QUERY_USERS), false);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
@ -480,8 +489,18 @@ public class PermissionsTest extends AbstractKeycloakTest {
realm.clients().findAll();
}
}, Resource.CLIENT, false, true);
List<ClientRepresentation> l = clients.get(AdminRoles.VIEW_USERS).realm(REALM_NAME).clients().findAll();
assertGettersEmpty(l.get(0));
List<ClientRepresentation> l = clients.get(AdminRoles.QUERY_CLIENTS).realm(REALM_NAME).clients().findAll();
Assert.assertThat(l, Matchers.empty());
l = clients.get(AdminRoles.VIEW_CLIENTS).realm(REALM_NAME).clients().findAll();
Assert.assertThat(l, Matchers.not(Matchers.empty()));
// this should throw forbidden as "query-users" role isn't enough
invoke(new Invocation() {
public void invoke(RealmResource realm) {
clients.get(AdminRoles.QUERY_USERS).realm(REALM_NAME).clients().findAll();
}
}, clients.get(AdminRoles.QUERY_USERS), false);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
@ -808,6 +827,13 @@ public class PermissionsTest extends AbstractKeycloakTest {
invoke((RealmResource realm) -> {
realm.clientScopes().get(scope.getId()).getScopeMappings().clientLevel(realmAccessClient.getId()).remove(Collections.<RoleRepresentation>emptyList());
}, Resource.CLIENT, true);
// this should throw forbidden as "query-users" role isn't enough
invoke(new Invocation() {
public void invoke(RealmResource realm) {
clients.get(AdminRoles.QUERY_USERS).realm(REALM_NAME).clientScopes().findAll();
}
}, clients.get(AdminRoles.QUERY_USERS), false);
}
@Test
@ -945,6 +971,13 @@ public class PermissionsTest extends AbstractKeycloakTest {
realm.roles().list();
}
}, Resource.REALM, false, true);
// this should throw forbidden as "create-client" role isn't enough
invoke(new Invocation() {
public void invoke(RealmResource realm) {
clients.get(AdminRoles.CREATE_CLIENT).realm(REALM_NAME).roles().list();
}
}, clients.get(AdminRoles.CREATE_CLIENT), false);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
realm.roles().get("sample-role").toRepresentation();
@ -1155,6 +1188,13 @@ public class PermissionsTest extends AbstractKeycloakTest {
realm.flows().updateAuthenticatorConfig("nosuch", new AuthenticatorConfigRepresentation());
}
}, Resource.REALM, true);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
clients.get(AdminRoles.VIEW_REALM).realm(REALM_NAME).flows().getPerClientConfigDescription();
clients.get(AdminRoles.VIEW_REALM).realm(REALM_NAME).flows().getClientAuthenticatorProviders();
clients.get(AdminRoles.VIEW_REALM).realm(REALM_NAME).flows().getRequiredActions();
}
}, adminClient, true);
// Re-create realm
adminClient.realm(REALM_NAME).remove();
@ -1239,6 +1279,12 @@ public class PermissionsTest extends AbstractKeycloakTest {
GroupRepresentation group = adminClient.realms().realm(REALM_NAME).getGroupByPath("mygroup");
ClientRepresentation realmAccessClient = adminClient.realms().realm(REALM_NAME).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
// this should throw forbidden as "create-client" role isn't enough
invoke(new Invocation() {
public void invoke(RealmResource realm) {
clients.get(AdminRoles.CREATE_CLIENT).realm(REALM_NAME).groups().groups();
}
}, clients.get(AdminRoles.CREATE_CLIENT), false);
invoke(new Invocation() {
public void invoke(RealmResource realm) {