KEYCLOAK-1218 Better security for ServerInfoAdminResource

Stian Thorgersen 2015-04-22 08:58:47 +02:00
parent 955967f78a
commit b5f3efe272


@ -9,11 +9,13 @@ import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.jboss.resteasy.spi.UnauthorizedException; import org.jboss.resteasy.spi.UnauthorizedException;
import org.keycloak.ClientConnection; import org.keycloak.ClientConnection;
import org.keycloak.jose.jws.JWSInput; import org.keycloak.jose.jws.JWSInput;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel; import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.TokenManager; import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessToken;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.managers.AppAuthManager; import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager; import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.RealmManager; import org.keycloak.services.managers.RealmManager;
@ -200,9 +202,14 @@ public class AdminRoot {
handlePreflightRequest(); handlePreflightRequest();
AdminAuth auth = authenticateRealmAdminRequest(headers); AdminAuth auth = authenticateRealmAdminRequest(headers);
if (!isAdmin(auth)) {
throw new ForbiddenException();
}
if (auth != null) { if (auth != null) {
logger.debug("authenticated admin access for: " + auth.getUser().getUsername()); logger.debug("authenticated admin access for: " + auth.getUser().getUsername());
} }
Cors.add(request).allowedOrigins(auth.getToken()).allowedMethods("GET", "PUT", "POST", "DELETE").auth().build(response); Cors.add(request).allowedOrigins(auth.getToken()).allowedMethods("GET", "PUT", "POST", "DELETE").auth().build(response);
ServerInfoAdminResource adminResource = new ServerInfoAdminResource(); ServerInfoAdminResource adminResource = new ServerInfoAdminResource();
@ -210,6 +217,26 @@ public class AdminRoot {
return adminResource; return adminResource;
} }
protected boolean isAdmin(AdminAuth auth) {
if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
return true;
}
RealmManager realmManager = new RealmManager(session);
if (auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
for (RealmModel realm : session.realms().getRealms()) {
ClientModel client = realm.getMasterAdminClient();
if (auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES)) {
return true;
}
}
return false;
} else {
ClientModel client = auth.getRealm().getClientByClientId(realmManager.getRealmAdminClientId(auth.getRealm()));
return auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES);
}
}
protected void handlePreflightRequest() { protected void handlePreflightRequest() {
if (request.getHttpMethod().equalsIgnoreCase("OPTIONS")) { if (request.getHttpMethod().equalsIgnoreCase("OPTIONS")) {
logger.debug("Cors admin pre-flight"); logger.debug("Cors admin pre-flight");