only add realm access to the current realm (#21554)

fixes: #21553
2023-08-10 12:43:15 +02:00 · 2023-08-10 12:43:15 +02:00 · 874d2063b8
commit 874d2063b8
parent 6c070d587f
6 changed files with 26 additions and 25 deletions
--- a/js/apps/admin-ui/src/App.tsx
+++ b/js/apps/admin-ui/src/App.tsx
@ -22,9 +22,9 @@ import { AuthWall } from "./root/AuthWall";
 export const mainPageContentId = "kc-main-content-page-container";

 const AppContexts = ({ children }: PropsWithChildren) => (
-  <WhoAmIContextProvider>
-    <RealmsProvider>
-      <RealmContextProvider>
+  <RealmsProvider>
+    <RealmContextProvider>
+      <WhoAmIContextProvider>
        <RecentRealmsProvider>
          <AccessContextProvider>
            <Help>
@ -34,9 +34,9 @@ const AppContexts = ({ children }: PropsWithChildren) => (
            </Help>
          </AccessContextProvider>
        </RecentRealmsProvider>
-      </RealmContextProvider>
-    </RealmsProvider>
-  </WhoAmIContextProvider>
+      </WhoAmIContextProvider>
+    </RealmContextProvider>
+  </RealmsProvider>
 );

 export const App = () => {
--- a/js/apps/admin-ui/src/context/whoami/WhoAmI.tsx
+++ b/js/apps/admin-ui/src/context/whoami/WhoAmI.tsx
@ -7,6 +7,7 @@ import { adminClient } from "../../admin-client";
 import environment from "../../environment";
 import { DEFAULT_LOCALE, i18n } from "../../i18n/i18n";
 import { useFetch } from "../../utils/useFetch";
+import { useRealm } from "../realm-context/RealmContext";

 export class WhoAmI {
  constructor(private me?: WhoAmIRepresentation) {
@ -66,15 +67,20 @@ export const useWhoAmI = () => useRequiredContext(WhoAmIContext);

 export const WhoAmIContextProvider = ({ children }: PropsWithChildren) => {
  const [whoAmI, setWhoAmI] = useState<WhoAmI>(new WhoAmI());
+  const { realm } = useRealm();
  const [key, setKey] = useState(0);

  useFetch(
-    () => adminClient.whoAmI.find({ realm: environment.loginRealm }),
+    () =>
+      adminClient.whoAmI.find({
+        realm: environment.loginRealm,
+        currentRealm: realm!,
+      }),
    (me) => {
      const whoAmI = new WhoAmI(me);
      setWhoAmI(whoAmI);
    },
-    [key],
+    [key, realm],
  );

  return (
--- a/js/libs/keycloak-admin-client/src/resources/whoAmI.ts
+++ b/js/libs/keycloak-admin-client/src/resources/whoAmI.ts
@ -13,8 +13,12 @@ export class WhoAmI extends Resource<{ realm?: string }> {
    });
  }

-  public find = this.makeRequest<{}, WhoAmIRepresentation>({
+  public find = this.makeRequest<
+    { currentRealm: string },
+    WhoAmIRepresentation
+  >({
    method: "GET",
    path: "/whoami",
+    queryParamKeys: ["currentRealm"],
  });
 }
--- a/services/src/main/java/org/keycloak/services/resources/admin/AdminConsole.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/AdminConsole.java
@ -198,7 +198,7 @@ public class AdminConsole {
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    @NoCache
-    public Response whoAmI() {
+    public Response whoAmI(@QueryParam("currentRealm") String currentRealm) {
        RealmManager realmManager = new RealmManager(session);
        AuthenticationManager.AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(session)
                .setRealm(realm)
@ -231,7 +231,7 @@ public class AdminConsole {
            if (createRealmRole != null) {
                createRealm = user.hasRole(createRealmRole);
            }
-            addMasterRealmAccess(user, realmAccess);
+            addMasterRealmAccess(user, currentRealm, realmAccess);
        } else {
            logger.debug("setting up realm access for a realm user");
            addRealmAccess(realm, user, realmAccess);
@ -251,11 +251,9 @@ public class AdminConsole {
        getRealmAdminAccess(realm, realmAdminApp, user, realmAdminAccess);
    }

-    private void addMasterRealmAccess(UserModel user, Map<String, Set<String>> realmAdminAccess) {
-        session.realms().getRealmsStream().forEach(realm -> {
-            ClientModel realmAdminApp = realm.getMasterAdminClient();
-            getRealmAdminAccess(realm, realmAdminApp, user, realmAdminAccess);
-        });
+    private void addMasterRealmAccess(UserModel user, String currentRealm, Map<String, Set<String>> realmAdminAccess) {
+        final RealmModel realm = session.realms().getRealmByName(currentRealm);
+        getRealmAdminAccess(realm, realm.getMasterAdminClient(), user, realmAdminAccess);
    }

    private static <T> HashSet<T> union(Set<T> set1, Set<T> set2) {
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AdminConsolePermissionsCalculatedTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AdminConsolePermissionsCalculatedTest.java
@ -16,13 +16,13 @@
 */
 package org.keycloak.testsuite.admin;

-import org.keycloak.Config;
 import com.fasterxml.jackson.databind.JsonNode;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
+import org.keycloak.Config;
 import org.keycloak.admin.client.Keycloak;
 import org.keycloak.broker.provider.util.SimpleHttp;
 import org.keycloak.representations.AccessTokenResponse;
@ -69,12 +69,11 @@ public class AdminConsolePermissionsCalculatedTest extends AbstractKeycloakTest
            AccessTokenResponse accessToken = adminClient.tokenManager().getAccessToken();
            assertNotNull(adminClient.realms().findAll());

-            String whoAmiUrl = suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth/admin/master/console/whoami";
+            String whoAmiUrl = suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth/admin/master/console/whoami?currentRealm=master";

            JsonNode jsonNode = SimpleHttp.doGet(whoAmiUrl, client).auth(accessToken.getToken()).asJson();

            assertTrue("Permissions for " + Config.getAdminRealm() + " realm.", jsonNode.at("/realm_access/" + Config.getAdminRealm()).isArray());
-            assertTrue("Permissions for " + REALM_NAME + " realm.", jsonNode.at("/realm_access/" + REALM_NAME).isArray());
        }
    }

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AdminSignatureAlgorithmTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AdminSignatureAlgorithmTest.java
@ -57,12 +57,6 @@ public class AdminSignatureAlgorithmTest extends AbstractKeycloakTest {
            assertEquals(Algorithm.ES256, verifier.getHeader().getAlgorithm().name());

            assertNotNull(adminClient.realms().findAll());
-
-            String whoAmiUrl = suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth/admin/master/console/whoami";
-
-            JsonNode jsonNode = SimpleHttp.doGet(whoAmiUrl, client).auth(accessToken.getToken()).asJson();
-            assertNotNull(jsonNode.get("realm"));
-            assertNotNull(jsonNode.get("userId"));
        } finally {
            TokenSignatureUtil.changeRealmTokenSignatureProvider("master", adminClient, defaultSignatureAlgorithm);
        }