From 9be7f0e474b49e6e8e4dcedcdb41e84a45171aa7 Mon Sep 17 00:00:00 2001
From: Garth <244253+xgp@users.noreply.github.com>
Date: Tue, 2 Jan 2024 11:46:43 +0100
Subject: [PATCH] added permission checking to ui-ext realm resource so realm names are not leaked to users without the appropriate permissions. #25679 (#25683)
Closes: #25392
Closes: #25679
Signed-off-by: Garth <244253+xgp@users.noreply.github.com>
---
 .../keycloak/admin/ui/rest/AdminExtResource.java | 2 +-
 .../keycloak/admin/ui/rest/UIRealmsResource.java | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AdminExtResource.java b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AdminExtResource.java
index a9e9fbeff4..b0c48c8625 100644
--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AdminExtResource.java
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AdminExtResource.java
@@ -47,7 +47,7 @@ public final class AdminExtResource {
 
     @Path("/realms")
     public UIRealmsResource realms() {
-        return new UIRealmsResource(session);
+        return new UIRealmsResource(session, auth);
     }
 
     @Path("/")
diff --git a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java
index 9124ea7136..7f2c680c1e 100644
--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/UIRealmsResource.java
@@ -18,13 +18,18 @@
 import org.jboss.resteasy.annotations.cache.NoCache;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.services.ForbiddenException;
+import org.keycloak.services.resources.admin.permissions.AdminPermissions;
+import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
+import org.keycloak.services.resources.admin.permissions.RealmsPermissionEvaluator;
 
 public class UIRealmsResource {
     private final KeycloakSession session;
+    private final AdminPermissionEvaluator auth;
 
-    public UIRealmsResource(KeycloakSession session) {
+    public UIRealmsResource(KeycloakSession session, AdminPermissionEvaluator auth) {
         this.session = session;
+        this.auth = auth;
     }
 
     @GET
@@ -46,7 +51,12 @@ public class UIRealmsResource {
     )}
     )
     public Stream getRealmNames() {
-        Stream realms = session.realms().getRealmsStream().filter(Objects::nonNull).map(RealmModel::getName);
+        Stream realms = session.realms().getRealmsStream()
+            .filter(realm -> {
+                RealmsPermissionEvaluator eval = AdminPermissions.realms(session, auth.adminAuth());
+                return eval.canView(realm) || eval.isAdmin(realm);
+            })
+            .map(RealmModel::getName);
         return throwIfEmpty(realms, new ForbiddenException());
     }
 }
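Review bot: The new constructor stores `auth` without a null check, while the filter added in the next hunk dereferences `auth.adminAuth()` unconditionally on every request, so a null evaluator would only fail at listing time rather than where the resource is built. Guarding the assignment with `this.auth = Objects.requireNonNull(auth, "auth");` surfaces the misuse at construction; `Objects` is presumably already imported given the `Objects::nonNull` usage the next hunk removes, but the import block is only partly visible here. The only visible caller, `AdminExtResource.realms()`, passes its own `auth` field, whose initialisation is outside this diff.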
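Review bot: The rewritten pipeline in `getRealmNames()` drops the `Objects::nonNull` guard that the removed line applied before `map(RealmModel::getName)`, so a null element from `getRealmsStream()` — which the previous code evidently allowed for — now reaches `eval.canView(realm)` inside the lambda instead of being skipped. In addition, `AdminPermissions.realms(session, auth.adminAuth())` is constructed inside the filter, i.e. once per realm, although neither argument depends on the realm being tested. I would hoist it above the stream, `RealmsPermissionEvaluator eval = AdminPermissions.realms(session, auth.adminAuth());`, and keep the old guard in front of the permission check, `.filter(Objects::nonNull).filter(realm -> eval.canView(realm) || eval.isAdmin(realm))`, which also reduces the multi-line lambda to a one-liner. If `Objects` is left unused elsewhere in the file after this change its import should go as well; the import block is not fully visible in this hunk.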