libre.sh/keycloak-scim
4
0
Fork 0
Code Issues 15 Pull requests Releases 1 Activity Actions

only add realm access to the current realm (#21554)

Browse source 
fixes: #21553
This commit is contained in:
Erik Jan de Wit 2023-08-10 12:43:15 +02:00 committed by GitHub
parent 6c070d587f
commit 874d2063b8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 26 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
js/apps/admin-ui/src/App.tsx
View file

@ -22,9 +22,9 @@ import { AuthWall } from "./root/AuthWall";
export const mainPageContentId = "kc-main-content-page-container"; export const mainPageContentId = "kc-main-content-page-container";
const AppContexts = ({ children }: PropsWithChildren) => ( const AppContexts = ({ children }: PropsWithChildren) => (
<WhoAmIContextProvider> <RealmsProvider>
<RealmsProvider> <RealmContextProvider>
<RealmContextProvider> <WhoAmIContextProvider>
<RecentRealmsProvider> <RecentRealmsProvider>
<AccessContextProvider> <AccessContextProvider>
<Help> <Help>
@ -34,9 +34,9 @@ const AppContexts = ({ children }: PropsWithChildren) => (
</Help> </Help>
</AccessContextProvider> </AccessContextProvider>
</RecentRealmsProvider> </RecentRealmsProvider>
</RealmContextProvider> </WhoAmIContextProvider>
</RealmsProvider> </RealmContextProvider>
</WhoAmIContextProvider> </RealmsProvider>
); );
export const App = () => { export const App = () => {

10
js/apps/admin-ui/src/context/whoami/WhoAmI.tsx
View file

@ -7,6 +7,7 @@ import { adminClient } from "../../admin-client";
import environment from "../../environment"; import environment from "../../environment";
import { DEFAULT_LOCALE, i18n } from "../../i18n/i18n"; import { DEFAULT_LOCALE, i18n } from "../../i18n/i18n";
import { useFetch } from "../../utils/useFetch"; import { useFetch } from "../../utils/useFetch";
import { useRealm } from "../realm-context/RealmContext";
export class WhoAmI { export class WhoAmI {
constructor(private me?: WhoAmIRepresentation) { constructor(private me?: WhoAmIRepresentation) {
@ -66,15 +67,20 @@ export const useWhoAmI = () => useRequiredContext(WhoAmIContext);
export const WhoAmIContextProvider = ({ children }: PropsWithChildren) => { export const WhoAmIContextProvider = ({ children }: PropsWithChildren) => {
const [whoAmI, setWhoAmI] = useState<WhoAmI>(new WhoAmI()); const [whoAmI, setWhoAmI] = useState<WhoAmI>(new WhoAmI());
const { realm } = useRealm();
const [key, setKey] = useState(0); const [key, setKey] = useState(0);
useFetch( useFetch(
() => adminClient.whoAmI.find({ realm: environment.loginRealm }), () =>
adminClient.whoAmI.find({
realm: environment.loginRealm,
currentRealm: realm!,
}),
(me) => { (me) => {
const whoAmI = new WhoAmI(me); const whoAmI = new WhoAmI(me);
setWhoAmI(whoAmI); setWhoAmI(whoAmI);
}, },
[key], [key, realm],
); );
return ( return (

6
js/libs/keycloak-admin-client/src/resources/whoAmI.ts
View file

@ -13,8 +13,12 @@ export class WhoAmI extends Resource<{ realm?: string }> {
}); });
} }
public find = this.makeRequest<{}, WhoAmIRepresentation>({ public find = this.makeRequest<
{ currentRealm: string },
WhoAmIRepresentation
>({
method: "GET", method: "GET",
path: "/whoami", path: "/whoami",
queryParamKeys: ["currentRealm"],
}); });
} }

12
services/src/main/java/org/keycloak/services/resources/admin/AdminConsole.java
View file

@ -198,7 +198,7 @@ public class AdminConsole {
@GET @GET
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
@NoCache @NoCache
public Response whoAmI() { public Response whoAmI(@QueryParam("currentRealm") String currentRealm) {
RealmManager realmManager = new RealmManager(session); RealmManager realmManager = new RealmManager(session);
AuthenticationManager.AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(session) AuthenticationManager.AuthResult authResult = new AppAuthManager.BearerTokenAuthenticator(session)
.setRealm(realm) .setRealm(realm)
@ -231,7 +231,7 @@ public class AdminConsole {
if (createRealmRole != null) { if (createRealmRole != null) {
createRealm = user.hasRole(createRealmRole); createRealm = user.hasRole(createRealmRole);
} }
addMasterRealmAccess(user, realmAccess); addMasterRealmAccess(user, currentRealm, realmAccess);
} else { } else {
logger.debug("setting up realm access for a realm user"); logger.debug("setting up realm access for a realm user");
addRealmAccess(realm, user, realmAccess); addRealmAccess(realm, user, realmAccess);
@ -251,11 +251,9 @@ public class AdminConsole {
getRealmAdminAccess(realm, realmAdminApp, user, realmAdminAccess); getRealmAdminAccess(realm, realmAdminApp, user, realmAdminAccess);
} }
private void addMasterRealmAccess(UserModel user, Map<String, Set<String>> realmAdminAccess) { private void addMasterRealmAccess(UserModel user, String currentRealm, Map<String, Set<String>> realmAdminAccess) {
session.realms().getRealmsStream().forEach(realm -> { final RealmModel realm = session.realms().getRealmByName(currentRealm);
ClientModel realmAdminApp = realm.getMasterAdminClient(); getRealmAdminAccess(realm, realm.getMasterAdminClient(), user, realmAdminAccess);
getRealmAdminAccess(realm, realmAdminApp, user, realmAdminAccess);
});
} }
private static <T> HashSet<T> union(Set<T> set1, Set<T> set2) { private static <T> HashSet<T> union(Set<T> set1, Set<T> set2) {

5
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AdminConsolePermissionsCalculatedTest.java
View file

@ -16,13 +16,13 @@
*/ */
package org.keycloak.testsuite.admin; package org.keycloak.testsuite.admin;
import org.keycloak.Config;
import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.JsonNode;
import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.impl.client.HttpClientBuilder;
import org.junit.After; import org.junit.After;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.keycloak.Config;
import org.keycloak.admin.client.Keycloak; import org.keycloak.admin.client.Keycloak;
import org.keycloak.broker.provider.util.SimpleHttp; import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.representations.AccessTokenResponse; import org.keycloak.representations.AccessTokenResponse;
@ -69,12 +69,11 @@ public class AdminConsolePermissionsCalculatedTest extends AbstractKeycloakTest
AccessTokenResponse accessToken = adminClient.tokenManager().getAccessToken(); AccessTokenResponse accessToken = adminClient.tokenManager().getAccessToken();
assertNotNull(adminClient.realms().findAll()); assertNotNull(adminClient.realms().findAll());
String whoAmiUrl = suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth/admin/master/console/whoami"; String whoAmiUrl = suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth/admin/master/console/whoami?currentRealm=master";
JsonNode jsonNode = SimpleHttp.doGet(whoAmiUrl, client).auth(accessToken.getToken()).asJson(); JsonNode jsonNode = SimpleHttp.doGet(whoAmiUrl, client).auth(accessToken.getToken()).asJson();
assertTrue("Permissions for " + Config.getAdminRealm() + " realm.", jsonNode.at("/realm_access/" + Config.getAdminRealm()).isArray()); assertTrue("Permissions for " + Config.getAdminRealm() + " realm.", jsonNode.at("/realm_access/" + Config.getAdminRealm()).isArray());
assertTrue("Permissions for " + REALM_NAME + " realm.", jsonNode.at("/realm_access/" + REALM_NAME).isArray());
} }
} }

6
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AdminSignatureAlgorithmTest.java
View file

@ -57,12 +57,6 @@ public class AdminSignatureAlgorithmTest extends AbstractKeycloakTest {
assertEquals(Algorithm.ES256, verifier.getHeader().getAlgorithm().name()); assertEquals(Algorithm.ES256, verifier.getHeader().getAlgorithm().name());
assertNotNull(adminClient.realms().findAll()); assertNotNull(adminClient.realms().findAll());
String whoAmiUrl = suiteContext.getAuthServerInfo().getContextRoot().toString() + "/auth/admin/master/console/whoami";
JsonNode jsonNode = SimpleHttp.doGet(whoAmiUrl, client).auth(accessToken.getToken()).asJson();
assertNotNull(jsonNode.get("realm"));
assertNotNull(jsonNode.get("userId"));
} finally { } finally {
TokenSignatureUtil.changeRealmTokenSignatureProvider("master", adminClient, defaultSignatureAlgorithm); TokenSignatureUtil.changeRealmTokenSignatureProvider("master", adminClient, defaultSignatureAlgorithm);
} }