added permission checking to ui-ext realm resource so realm names are not leaked to users without the appropriate permissions. #25679 (#25683)
Closes: #25392 Closes: #25679 Signed-off-by: Garth <244253+xgp@users.noreply.github.com>
This commit is contained in:
parent
ec29828157
commit
9be7f0e474
2 changed files with 13 additions and 3 deletions
|
@ -47,7 +47,7 @@ public final class AdminExtResource {
|
|||
|
||||
@Path("/realms")
|
||||
public UIRealmsResource realms() {
|
||||
return new UIRealmsResource(session);
|
||||
return new UIRealmsResource(session, auth);
|
||||
}
|
||||
|
||||
@Path("/")
|
||||
|
|
|
@ -18,13 +18,18 @@ import org.jboss.resteasy.annotations.cache.NoCache;
|
|||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.services.ForbiddenException;
|
||||
import org.keycloak.services.resources.admin.permissions.AdminPermissions;
|
||||
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
|
||||
import org.keycloak.services.resources.admin.permissions.RealmsPermissionEvaluator;
|
||||
|
||||
public class UIRealmsResource {
|
||||
|
||||
private final KeycloakSession session;
|
||||
private final AdminPermissionEvaluator auth;
|
||||
|
||||
public UIRealmsResource(KeycloakSession session) {
|
||||
public UIRealmsResource(KeycloakSession session, AdminPermissionEvaluator auth) {
|
||||
this.session = session;
|
||||
this.auth = auth;
|
||||
}
|
||||
|
||||
@GET
|
||||
|
@ -46,7 +51,12 @@ public class UIRealmsResource {
|
|||
)}
|
||||
)
|
||||
public Stream<String> getRealmNames() {
|
||||
Stream<String> realms = session.realms().getRealmsStream().filter(Objects::nonNull).map(RealmModel::getName);
|
||||
Stream<String> realms = session.realms().getRealmsStream()
|
||||
.filter(realm -> {
|
||||
RealmsPermissionEvaluator eval = AdminPermissions.realms(session, auth.adminAuth());
|
||||
return eval.canView(realm) || eval.isAdmin(realm);
|
||||
})
|
||||
.map(RealmModel::getName);
|
||||
return throwIfEmpty(realms, new ForbiddenException());
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue