added permission checking to ui-ext realm resource so realm names are not leaked to users without the appropriate permissions. #25679 (#25683)

Closes: #25392
Closes: #25679

Signed-off-by: Garth <244253+xgp@users.noreply.github.com>
This commit is contained in:
Garth 2024-01-02 11:46:43 +01:00 committed by GitHub
parent ec29828157
commit 9be7f0e474
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 3 deletions

View file

@ -47,7 +47,7 @@ public final class AdminExtResource {
@Path("/realms")
public UIRealmsResource realms() {
return new UIRealmsResource(session);
return new UIRealmsResource(session, auth);
}
@Path("/")

View file

@ -18,13 +18,18 @@ import org.jboss.resteasy.annotations.cache.NoCache;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.services.resources.admin.permissions.RealmsPermissionEvaluator;
public class UIRealmsResource {
private final KeycloakSession session;
private final AdminPermissionEvaluator auth;
public UIRealmsResource(KeycloakSession session) {
public UIRealmsResource(KeycloakSession session, AdminPermissionEvaluator auth) {
this.session = session;
this.auth = auth;
}
@GET
@ -46,7 +51,12 @@ public class UIRealmsResource {
)}
)
public Stream<String> getRealmNames() {
Stream<String> realms = session.realms().getRealmsStream().filter(Objects::nonNull).map(RealmModel::getName);
Stream<String> realms = session.realms().getRealmsStream()
.filter(realm -> {
RealmsPermissionEvaluator eval = AdminPermissions.realms(session, auth.adminAuth());
return eval.canView(realm) || eval.isAdmin(realm);
})
.map(RealmModel::getName);
return throwIfEmpty(realms, new ForbiddenException());
}
}