Merge pull request #4323 from patriot1burke/master

KEYCLOAK-5152
This commit is contained in:
Bill Burke 2017-07-14 15:35:48 -04:00 committed by GitHub
commit b10e7b8c31
2 changed files with 15 additions and 12 deletions

View file

@ -136,10 +136,13 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
if (root.admin().hasRole(role)) return true;
ClientModel adminClient = root.getRealmManagementClient();
// is this an admin role in 'realm-management' client of the realm we are managing?
if (adminClient.equals(role.getContainer())) {
// if this is realm admin role, then check to see if admin has similar permissions
// we do this so that the authz service is invoked
if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)) {
if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)
|| role.getName().equals(AdminRoles.CREATE_CLIENT)
) {
if (!root.clients().canManage()) {
return adminConflictMessage(role);
} else {
@ -151,6 +154,9 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
} else {
return true;
}
} else if (role.getName().equals(AdminRoles.QUERY_REALMS)) {
return true;
} else if (role.getName().equals(AdminRoles.QUERY_CLIENTS)) {
return true;
} else if (role.getName().equals(AdminRoles.QUERY_USERS)) {

View file

@ -658,13 +658,12 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
adminClient.realm(TEST).roles().create(composite);
composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
RoleRepresentation compositePart = new RoleRepresentation();
compositePart.setName("composite-part");
adminClient.realm(TEST).roles().create(compositePart);
compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
RoleRepresentation createClient = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
RoleRepresentation queryRealms = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.QUERY_REALMS).toRepresentation();
List<RoleRepresentation> composites = new LinkedList<>();
composites.add(compositePart);
composites.add(createClient);
composites.add(queryRealms);
adminClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
}
@ -693,13 +692,11 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
realmClient.realm(TEST).roles().create(composite);
composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
RoleRepresentation compositePart = new RoleRepresentation();
compositePart.setName("composite-part");
realmClient.realm(TEST).roles().create(compositePart);
compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
RoleRepresentation viewUsers = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
List<RoleRepresentation> composites = new LinkedList<>();
composites.add(compositePart);
composites.add(viewUsers);
realmClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
}
// testRestEvaluationMasterRealm