KEYCLOAK-1218 Better security for ServerInfoAdminResource
This commit is contained in:
parent
955967f78a
commit
b5f3efe272
1 changed files with 27 additions and 0 deletions
|
@ -9,11 +9,13 @@ import org.jboss.resteasy.spi.ResteasyProviderFactory;
|
|||
import org.jboss.resteasy.spi.UnauthorizedException;
|
||||
import org.keycloak.ClientConnection;
|
||||
import org.keycloak.jose.jws.JWSInput;
|
||||
import org.keycloak.models.AdminRoles;
|
||||
import org.keycloak.models.ClientModel;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.protocol.oidc.TokenManager;
|
||||
import org.keycloak.representations.AccessToken;
|
||||
import org.keycloak.services.ForbiddenException;
|
||||
import org.keycloak.services.managers.AppAuthManager;
|
||||
import org.keycloak.services.managers.AuthenticationManager;
|
||||
import org.keycloak.services.managers.RealmManager;
|
||||
|
@ -200,9 +202,14 @@ public class AdminRoot {
|
|||
handlePreflightRequest();
|
||||
|
||||
AdminAuth auth = authenticateRealmAdminRequest(headers);
|
||||
if (!isAdmin(auth)) {
|
||||
throw new ForbiddenException();
|
||||
}
|
||||
|
||||
if (auth != null) {
|
||||
logger.debug("authenticated admin access for: " + auth.getUser().getUsername());
|
||||
}
|
||||
|
||||
Cors.add(request).allowedOrigins(auth.getToken()).allowedMethods("GET", "PUT", "POST", "DELETE").auth().build(response);
|
||||
|
||||
ServerInfoAdminResource adminResource = new ServerInfoAdminResource();
|
||||
|
@ -210,6 +217,26 @@ public class AdminRoot {
|
|||
return adminResource;
|
||||
}
|
||||
|
||||
protected boolean isAdmin(AdminAuth auth) {
|
||||
if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
RealmManager realmManager = new RealmManager(session);
|
||||
if (auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
|
||||
for (RealmModel realm : session.realms().getRealms()) {
|
||||
ClientModel client = realm.getMasterAdminClient();
|
||||
if (auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
} else {
|
||||
ClientModel client = auth.getRealm().getClientByClientId(realmManager.getRealmAdminClientId(auth.getRealm()));
|
||||
return auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES);
|
||||
}
|
||||
}
|
||||
|
||||
protected void handlePreflightRequest() {
|
||||
if (request.getHttpMethod().equalsIgnoreCase("OPTIONS")) {
|
||||
logger.debug("Cors admin pre-flight");
|
||||
|
|
Loading…
Reference in a new issue