Merge pull request #4450 from pedroigor/master
[KEYCLOAK-4653] - Identity.hasClientRole(String) and Identity.hasRole(String) break role namespaces and should be removed
This commit is contained in:
Pedro Igor
GitHub
commit
bb9a1335ec
10 changed files with 7 additions and 55 deletions
|
|
@ -7,7 +7,7 @@ rule "Authorize Admin Resources"
|
|||
when
|
||||
$evaluation : Evaluation(
|
||||
$identity : context.identity,
|
||||
$identity.hasRole("admin")
|
||||
$identity.hasRealmRole("admin")
|
||||
)
|
||||
then
|
||||
$evaluation.grant();
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ rule "Authorize View User Album"
|
|||
when
|
||||
$evaluation : Evaluation(
|
||||
$identity : context.identity,
|
||||
$identity.hasRole("user")
|
||||
$identity.hasRealmRole("user")
|
||||
)
|
||||
then
|
||||
$evaluation.grant();
|
||||
|
|
|
|||
|
|
@ -113,7 +113,7 @@
|
|||
"logic": "POSITIVE",
|
||||
"decisionStrategy": "UNANIMOUS",
|
||||
"config": {
|
||||
"code": "var context = $evaluation.getContext();\nvar identity = context.getIdentity();\nvar attributes = identity.getAttributes();\nvar email = attributes.getValue('email').asString(0);\n\nif (identity.hasRole('admin') || email.endsWith('@keycloak.org')) {\n $evaluation.grant();\n}"
|
||||
"code": "var context = $evaluation.getContext();\nvar identity = context.getIdentity();\nvar attributes = identity.getAttributes();\nvar email = attributes.getValue('email').asString(0);\n\nif (identity.hasRealmRole('admin') || email.endsWith('@keycloak.org')) {\n $evaluation.grant();\n}"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
|
|
|||
|
|
@ -44,17 +44,6 @@ public interface Identity {
|
|||
*/
|
||||
Attributes getAttributes();
|
||||
|
||||
/**
|
||||
* Indicates if this identity is granted with a role (realm or client) with the given <code>roleName</code>.
|
||||
*
|
||||
* @param roleName the name of the role
|
||||
*
|
||||
* @return true if the identity has the given role. Otherwise, it returns false.
|
||||
*/
|
||||
default boolean hasRole(String roleName) {
|
||||
return hasRealmRole(roleName) || hasClientRole(roleName);
|
||||
}
|
||||
|
||||
/**
|
||||
* Indicates if this identity is granted with a realm role with the given <code>roleName</code>.
|
||||
*
|
||||
|
|
@ -77,21 +66,4 @@ public interface Identity {
|
|||
default boolean hasClientRole(String clientId, String roleName) {
|
||||
return getAttributes().containsValue("kc.client." + clientId + ".roles", roleName);
|
||||
}
|
||||
|
||||
/**
|
||||
* Indicates if this identity is granted with a client role with the given <code>roleName</code>.
|
||||
*
|
||||
* @param roleName the name of the role
|
||||
*
|
||||
* @return true if the identity has the given role. Otherwise, it returns false.
|
||||
*/
|
||||
default boolean hasClientRole(String roleName) {
|
||||
return getAttributes().toMap().entrySet().stream().filter(entry -> {
|
||||
String key = entry.getKey();
|
||||
if (key.startsWith("kc.client") && key.endsWith(".roles")) {
|
||||
return getAttributes().containsValue(key, roleName);
|
||||
}
|
||||
return false;
|
||||
}).findFirst().isPresent();
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -70,14 +70,4 @@ public class ClientModelIdentity implements Identity {
|
|||
if (role == null) return false;
|
||||
return serviceAccount.hasRole(role);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean hasRole(String roleName) {
|
||||
throw new RuntimeException("Should not execute");
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean hasClientRole(String roleName) {
|
||||
throw new RuntimeException("Should not execute");
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -64,14 +64,4 @@ public class UserModelIdentity implements Identity {
|
|||
if (role == null) return false;
|
||||
return user.hasRole(role);
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean hasRole(String roleName) {
|
||||
throw new RuntimeException("Should not execute");
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean hasClientRole(String roleName) {
|
||||
throw new RuntimeException("Should not execute");
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ rule "Authorize Admin Resources"
|
|||
when
|
||||
$evaluation : Evaluation(
|
||||
$identity : context.identity,
|
||||
$identity.hasRole("admin")
|
||||
$identity.hasRealmRole("admin")
|
||||
)
|
||||
then
|
||||
$evaluation.grant();
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ rule "Authorize View User Album"
|
|||
when
|
||||
$evaluation : Evaluation(
|
||||
$identity : context.identity,
|
||||
$identity.hasRole("user")
|
||||
$identity.hasRealmRole("user")
|
||||
)
|
||||
then
|
||||
$evaluation.grant();
|
||||
|
|
|
|||
|
|
@ -118,7 +118,7 @@
|
|||
"decisionStrategy": "UNANIMOUS",
|
||||
"config": {
|
||||
"applyPolicies": "[]",
|
||||
"code": "var context = $evaluation.getContext();\nvar identity = context.getIdentity();\nvar attributes = identity.getAttributes();\nvar email = attributes.getValue('email').asString(0);\n\nif (identity.hasRole('admin') || email.endsWith('@keycloak.org')) {\n $evaluation.grant();\n}"
|
||||
"code": "var context = $evaluation.getContext();\nvar identity = context.getIdentity();\nvar attributes = identity.getAttributes();\nvar email = attributes.getValue('email').asString(0);\n\nif (identity.hasRealmRole('admin') || email.endsWith('@keycloak.org')) {\n $evaluation.grant();\n}"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
|
|
|||
|
|
@ -159,7 +159,7 @@
|
|||
"logic": "POSITIVE",
|
||||
"decisionStrategy": "UNANIMOUS",
|
||||
"config": {
|
||||
"code": "var context = $evaluation.getContext();\nvar identity = context.getIdentity();\nvar attributes = identity.getAttributes();\nvar email = attributes.getValue('email').asString(0);\n\nif (identity.hasRole('admin') || email.endsWith('@keycloak.org')) {\n $evaluation.grant();\n}"
|
||||
"code": "var context = $evaluation.getContext();\nvar identity = context.getIdentity();\nvar attributes = identity.getAttributes();\nvar email = attributes.getValue('email').asString(0);\n\nif (identity.hasRealmRole('admin') || email.endsWith('@keycloak.org')) {\n $evaluation.grant();\n}"
|
||||
}
|
||||
},
|
||||
{
|
||||
|
|
|
|||
Loading…
Reference in a new issue