From b5f3efe27290d99270743526dc8e4849463f6384 Mon Sep 17 00:00:00 2001
From: Stian Thorgersen
Date: Wed, 22 Apr 2015 08:58:47 +0200
Subject: [PATCH] KEYCLOAK-1218 Better security for ServerInfoAdminResource
---
 .../services/resources/admin/AdminRoot.java | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
index 2ece39b9c6..bdde097a6e 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
@@ -9,11 +9,13 @@ import org.jboss.resteasy.spi.ResteasyProviderFactory;
 import org.jboss.resteasy.spi.UnauthorizedException;
 import org.keycloak.ClientConnection;
 import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.models.AdminRoles;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.protocol.oidc.TokenManager;
 import org.keycloak.representations.AccessToken;
+import org.keycloak.services.ForbiddenException;
 import org.keycloak.services.managers.AppAuthManager;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.RealmManager;
@@ -200,9 +202,14 @@ public class AdminRoot {
 handlePreflightRequest();
 AdminAuth auth = authenticateRealmAdminRequest(headers);
+ if (!isAdmin(auth)) {
+ throw new ForbiddenException();
+ }
+
 if (auth != null) {
 logger.debug("authenticated admin access for: " + auth.getUser().getUsername());
 }
+
 Cors.add(request).allowedOrigins(auth.getToken()).allowedMethods("GET", "PUT", "POST", "DELETE").auth().build(response);
 ServerInfoAdminResource adminResource = new ServerInfoAdminResource();
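Review bot: The new `if (!isAdmin(auth))` check runs before the existing `if (auth != null)` guard, and isAdmin (later in this patch) dereferences auth on its first line, so a null return from authenticateRealmAdminRequest (defined outside the hunk) would now surface as a NullPointerException instead of being handled. If that method only ever throws on failure, which the UnauthorizedException import suggests, the `auth != null` guard is dead and should be dropped rather than kept beside an unguarded call; otherwise the new check should read `if (auth == null || !isAdmin(auth)) { throw new ForbiddenException(); }`. The ForbiddenException is also thrown before `Cors.add(request)...build(response)` runs, so a browser caller presumably receives the 403 without CORS headers — acceptable if intended, but worth a one-line comment. getServerInfo's signature and return lie outside this hunk.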
@@ -210,6 +217,26 @@ public class AdminRoot {
 return adminResource;
 }
+ protected boolean isAdmin(AdminAuth auth) {
+ if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
+ return true;
+ }
+
+ RealmManager realmManager = new RealmManager(session);
+ if (auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
+ for (RealmModel realm : session.realms().getRealms()) {
+ ClientModel client = realm.getMasterAdminClient();
+ if (auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES)) {
+ return true;
+ }
+ }
+ return false;
+ } else {
+ ClientModel client = auth.getRealm().getClientByClientId(realmManager.getRealmAdminClientId(auth.getRealm()));
+ return auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES);
+ }
+ }
+
 protected void handlePreflightRequest() {
 if (request.getHttpMethod().equalsIgnoreCase("OPTIONS")) {
 logger.debug("Cors admin pre-flight");
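Review bot: Both client lookups in isAdmin, `realm.getMasterAdminClient()` in the loop and `auth.getRealm().getClientByClientId(...)` in the else branch, are handed to hasOneOfAppRole without a null check; if either can return null for a realm that lacks its admin client, the request presumably fails with an exception (a 500) rather than the clean 403 the caller intends — still closed, but not deliberately so. Writing the two checks as `if (client != null && auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES))` and `return client != null && auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES);` makes the deny-by-default explicit. The method also needs a Javadoc stating its real contract, which is wider than the name suggests: it returns true for a master-realm user holding any role from AdminRoles.ALL_REALM_ROLES on any realm's master-admin client, not only ADMIN or CREATE_REALM. Note that the master-realm branch walks every realm via session.realms().getRealms() on each serverinfo request, which may be costly on deployments with many realms, though that is a performance rather than a correctness concern.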