From 916cfbbaf1af808a28a1134683da1167d4aab9f1 Mon Sep 17 00:00:00 2001
From: Sebastian Schuster
Date: Fri, 12 Aug 2022 09:42:29 +0200
Subject: [PATCH] 13647 Added null checks and some comments/questions for discussions. Will be squashed later if accepted.
---
 .../admin/permissions/ClientPermissions.java | 2 ++
 .../admin/permissions/GroupPermissions.java | 7 ++++---
 .../permissions/IdentityProviderPermissions.java | 2 ++
 .../admin/permissions/MgmtPermissions.java | 16 +++++++++++-----
 .../admin/permissions/RolePermissions.java | 9 +++------
 .../admin/permissions/UserPermissions.java | 7 ++++---
 6 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
index eb0ba99423..ce39376ee1 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
@@ -93,6 +93,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM
 private void initialize(ClientModel client) {
 ResourceServer server = root.findOrCreateResourceServer(client);
+ if (server==null) return;
 Scope manageScope = manageScope(server);
 if (manageScope == null) {
 manageScope = authz.getStoreFactory().getScopeStore().create(server, AdminPermissionManagement.MANAGE_SCOPE);
@@ -291,6 +292,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionM
 @Override
 public Map getPermissions(ClientModel client) {
+ if (authz == null) return null;
 initialize(client);
 Map scopes = new LinkedHashMap<>();
 scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(client).getId());
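Review bot: The added `if (server==null) return;` in `initialize` bails out silently, so nothing downstream learns that the client's scopes and permission policies were never created; the next hunk's `getPermissions` then proceeds to `viewPermission(client).getId()`, which will only be safe if `viewPermission` can cope with a missing resource server (not visible here). Whether `findOrCreateResourceServer` can return null while `authz` is non-null is also not visible in this patch; if it can, the two guards cover different conditions and the `getPermissions` guard alone is not enough. Consider having `initialize` return a boolean so callers can stop, or add a comment on the early return stating the condition it stands for, e.g. `// no resource server for this client (fine-grained admin permissions disabled): nothing to initialize`. The spacing `server==null` also differs from `manageScope == null` on the very next line.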
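Review bot: `getPermissions` now returns `null` when `authz` is null, which introduces a new return contract for a `Map`-typed accessor that the hunk does not document; the same `return null` is added to `GroupPermissions`, `IdentityProviderPermissions`, `RolePermissions` and `UserPermissions` in the later hunks. Callers in the admin REST layer are not visible here, so whether they null-check before serializing or iterating cannot be confirmed; an empty map would avoid the question entirely, e.g. `if (authz == null) return Collections.emptyMap();` (with the `java.util.Collections` import). If `null` is intended to mean "fine-grained permissions not available", a Javadoc `@return` line on the interface method saying so is the minimum, so the five implementations agree on it.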
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
index 382ec2c0b6..6e5f0699ff 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
@@ -61,7 +61,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
 GroupPermissions(AuthorizationProvider authz, MgmtPermissions root) {
 this.authz = authz;
 this.root = root;
- if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
+ if (authz!=null) {
 resourceStore = authz.getStoreFactory().getResourceStore();
 policyStore = authz.getStoreFactory().getPolicyStore();
 } else {
@@ -96,9 +96,9 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
 }
 private void initialize(GroupModel group) {
- root.initializeRealmResourceServer();
+ ResourceServer server = root.initializeRealmResourceServer();
+ if (server == null) return;
 root.initializeRealmDefaultScopes();
- ResourceServer server = root.realmResourceServer();
 Scope manageScope = root.realmManageScope();
 Scope viewScope = root.realmViewScope();
 Scope manageMembersScope = root.initializeRealmScope(MANAGE_MEMBERS_SCOPE);
@@ -221,6 +221,7 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
 @Override
 public Map getPermissions(GroupModel group) {
+ if (authz == null) return null;
 initialize(group);
 Map scopes = new LinkedHashMap<>();
 scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(group).getId());
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/IdentityProviderPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/IdentityProviderPermissions.java
index a4a90a33b0..4349b14041 100644
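Review bot: Replacing the `Profile.isFeatureEnabled(ADMIN_FINE_GRAINED_AUTHZ)` check in the constructor with `authz!=null` makes this class rely on an invariant that lives in whoever constructs it (presumably `MgmtPermissions`, not shown): that `authz` is null exactly when the feature is disabled. If any construction path hands in a non-null provider while the feature is off, the resource and policy stores now get wired up where the flag used to prevent it, which is the direction that matters for an authorization gate. State the invariant where the field is declared, e.g. `// authz is null when ADMIN_FINE_GRAINED_AUTHZ is disabled; resourceStore/policyStore then stay null and must not be used`, and check whether the `Profile` import in this file is still used after the change. The same swap is made in the `UserPermissions` constructor in the last hunk of the patch.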
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/IdentityProviderPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/IdentityProviderPermissions.java
@@ -70,6 +70,7 @@ class IdentityProviderPermissions implements IdentityProviderPermissionManageme
 private void initialize(IdentityProviderModel idp) {
 ResourceServer server = root.initializeRealmResourceServer();
+ if (server == null) return;
 Scope exchangeToScope = root.initializeScope(TOKEN_EXCHANGE, server);
 String resourceName = getResourceName(idp);
@@ -139,6 +140,7 @@ class IdentityProviderPermissions implements IdentityProviderPermissionManageme
 @Override
 public Map getPermissions(IdentityProviderModel idp) {
+ if (authz==null) return null;
 initialize(idp);
 Map scopes = new LinkedHashMap<>();
 scopes.put(TOKEN_EXCHANGE, exchangeToPermission(idp).getId());
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
index 772c4d4928..1f805103a6 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
@@ -67,6 +67,7 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
 protected RealmPermissions realmPermissions;
 protected ClientPermissions clientPermissions;
 protected IdentityProviderPermissions idpPermissions;
+ protected RolePermissions rolePermissions;
 MgmtPermissions(KeycloakSession session, RealmModel realm) {
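Review bot: The new guard in `getPermissions` is written `authz==null` while the guard added to `initialize` a few lines earlier in the same file is `server == null`; the patch mixes both spellings across files (`server==null` in `ClientPermissions`, `rolePermissions!=null` in `MgmtPermissions`). Since the commit message says these hunks will be squashed, it is worth settling on the spaced form before that happens: `if (authz == null) return null;`.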
@@ -203,7 +204,9 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
 @Override
 public RolePermissions roles() {
- return new RolePermissions(session, realm, authz, this);
+ if (rolePermissions!=null) return rolePermissions;
+ rolePermissions = new RolePermissions(session, realm, authz, this);
+ return rolePermissions;
 }
 @Override
@@ -251,20 +254,20 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
 @Override
 public ResourceServer realmResourceServer() {
- if (!Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) return null;
+ if (authz == null) return null;
 if (realmResourceServer != null) return realmResourceServer;
 ClientModel client = getRealmManagementClient();
 if (client == null) return null;
- ResourceServerStore resourceServerStore = authz.getStoreFactory().getResourceServerStore();
- realmResourceServer = resourceServerStore.findByClient(client);
+ realmResourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(client);
 return realmResourceServer;
 }
 public ResourceServer initializeRealmResourceServer() {
- if (!Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) return null;
+ if (authz == null) return null;
 if (realmResourceServer != null) return realmResourceServer;
 ClientModel client = getRealmManagementClient();
+ if (client == null) return null;
 realmResourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(client);
 if (realmResourceServer == null) {
 realmResourceServer = authz.getStoreFactory().getResourceServerStore().create(client);
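Review bot: After this hunk, `realmResourceServer()` and `initializeRealmResourceServer()` share the same four-line prologue (null `authz`, cached value, management client lookup, null client) and the same `findByClient` call, and the newly added `if (client == null) return null;` is the second place that check had to be written. `initializeRealmResourceServer` can delegate the lookup half to `realmResourceServer()` and keep only the create branch, so a future change to the lookup rules lands in one place; the rewrite below is behaviour-identical apart from calling `getRealmManagementClient()` a second time on the create path. The end of `initializeRealmResourceServer` lies outside the hunk. Since no `Profile.isFeatureEnabled` use survives in the hunks shown, check whether the `Profile` import is still needed in this file.
```java
public ResourceServer initializeRealmResourceServer() {
    ResourceServer existing = realmResourceServer();
    if (existing != null) return existing;
    if (authz == null) return null;
    ClientModel client = getRealmManagementClient();
    if (client == null) return null;
    realmResourceServer = authz.getStoreFactory().getResourceServerStore().create(client);
    // … unchanged: remainder of the method …
```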
@@ -277,12 +280,14 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
 public void initializeRealmDefaultScopes() {
 ResourceServer server = initializeRealmResourceServer();
+ if (server == null) return;
 manageScope = initializeRealmScope(MgmtPermissions.MANAGE_SCOPE);
 viewScope = initializeRealmScope(MgmtPermissions.VIEW_SCOPE);
 }
 public Scope initializeRealmScope(String name) {
 ResourceServer server = initializeRealmResourceServer();
+ if (server == null) return null;
 Scope scope = authz.getStoreFactory().getScopeStore().findByName(server, name);
 if (scope == null) {
 scope = authz.getStoreFactory().getScopeStore().create(server, name);
@@ -291,6 +296,7 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
 }
 public Scope initializeScope(String name, ResourceServer server) {
+ if (authz == null) return null;
 Scope scope = authz.getStoreFactory().getScopeStore().findByName(server, name);
 if (scope == null) {
 scope = authz.getStoreFactory().getScopeStore().create(server, name);
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
index f045a38d26..7477aff8b1 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
@@ -90,6 +90,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
 @Override
 public Map getPermissions(RoleModel role) {
+ if (authz == null) return null;
 initialize(role);
 Map scopes = new LinkedHashMap<>();
 scopes.put(RolePermissionManagement.MAP_ROLE_SCOPE, mapRolePermission(role).getId());
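Review bot: `initializeScope(String name, ResourceServer server)` gains a guard on `authz` but none on `server`, so a null `server` still reaches `findByName(server, name)` and, if that returns null, `create(server, name)`; the one caller visible in this patch (`IdentityProviderPermissions.initialize`) checks the server first, but the method is public and `initializeRealmScope` right above it now does guard the server. Extending the new line to `if (authz == null || server == null) return null;` makes the two sibling methods consistent. In `initializeRealmDefaultScopes` the `server` local now exists only for the null check and could be folded into `if (initializeRealmResourceServer() == null) return;`.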
@@ -123,9 +124,9 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
 @Override
 public Resource resource(RoleModel role) {
- ResourceStore resourceStore = authz.getStoreFactory().getResourceStore();
 ResourceServer server = resourceServer(role);
 if (server == null) return null;
+ ResourceStore resourceStore = authz.getStoreFactory().getResourceStore();
 return resourceStore.findByName(server, getRoleResourceName(role));
 }
@@ -546,6 +547,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
 if (server == null) {
 ClientModel client = getRoleClient(role);
 server = root.findOrCreateResourceServer(client);
+ if (server == null ) return;
 }
 Scope mapRoleScope = mapRoleScope(server);
 if (mapRoleScope == null) {
@@ -602,11 +604,6 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
 return MAP_ROLE_COMPOSITE_SCOPE + ".permission." + role.getId();
 }
- private ResourceServer sdfgetResourceServer(RoleModel role) {
- ClientModel client = getRoleClient(role);
- return root.findOrCreateResourceServer(client);
- }
-
 private static String getRoleResourceName(RoleModel role) {
 return "role.resource." + role.getId();
 }
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
index 1154894390..2835b64a8b 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
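Review bot: The early return added inside the `if (server == null)` branch at line 547 exits the whole initializer without creating the map-role scope or any of the permissions that follow, and the enclosing method, whose start and end are outside this hunk, gives its caller no indication that happened; this mirrors the silent bail-out in `ClientPermissions.initialize` and deserves the same comment explaining the condition, e.g. `// no resource server could be obtained for the role's client: nothing to initialize`. The condition is also written `server == null )` with a stray space before the parenthesis; `if (server == null) return;` matches the `if (server == null)` two lines above it.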
@@ -83,7 +83,7 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
 this.session = session;
 this.authz = authz;
 this.root = root;
- if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
+ if (authz != null) {
 policyStore = authz.getStoreFactory().getPolicyStore();
 resourceStore = authz.getStoreFactory().getResourceStore();
 } else {
@@ -94,9 +94,9 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
 private void initialize() {
- root.initializeRealmResourceServer();
+ ResourceServer server = root.initializeRealmResourceServer();
+ if (server == null) return;
 root.initializeRealmDefaultScopes();
- ResourceServer server = root.realmResourceServer();
 Scope manageScope = root.realmManageScope();
 Scope viewScope = root.realmViewScope();
 Scope mapRolesScope = root.initializeRealmScope(MAP_ROLES_SCOPE);
@@ -144,6 +144,7 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
 @Override
 public Map getPermissions() {
+ if (authz == null) return null;
 initialize();
 Map scopes = new LinkedHashMap<>();
 scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission().getId());