Merge pull request #346 from stianst/master
KEYCLOAK-347 Link realm and realm-permissions application
This commit is contained in:
commit
ce6652efb1
14 changed files with 100 additions and 42 deletions
|
@ -25,8 +25,4 @@ public class AdminRoles {
|
||||||
|
|
||||||
public static String[] ALL_REALM_ROLES = {VIEW_REALM, VIEW_USERS, VIEW_APPLICATIONS, VIEW_CLIENTS, VIEW_AUDIT, MANAGE_REALM, MANAGE_USERS, MANAGE_APPLICATIONS, MANAGE_CLIENTS, MANAGE_AUDIT};
|
public static String[] ALL_REALM_ROLES = {VIEW_REALM, VIEW_USERS, VIEW_APPLICATIONS, VIEW_CLIENTS, VIEW_AUDIT, MANAGE_REALM, MANAGE_USERS, MANAGE_APPLICATIONS, MANAGE_CLIENTS, MANAGE_AUDIT};
|
||||||
|
|
||||||
public static String getAdminApp(RealmModel realm) {
|
|
||||||
return realm.getName() + APP_SUFFIX;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -233,4 +233,9 @@ public interface RealmModel extends RoleContainerModel, RoleMapperModel, ScopeMa
|
||||||
Set<String> getAuditListeners();
|
Set<String> getAuditListeners();
|
||||||
|
|
||||||
void setAuditListeners(Set<String> listeners);
|
void setAuditListeners(Set<String> listeners);
|
||||||
|
|
||||||
|
ApplicationModel getAdminApp();
|
||||||
|
|
||||||
|
void setAdminApp(ApplicationModel app);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -260,4 +260,8 @@ public class ApplicationAdapter extends ClientAdapter implements ApplicationMode
|
||||||
public String toString() {
|
public String toString() {
|
||||||
return getName();
|
return getName();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ApplicationEntity getJpaEntity() {
|
||||||
|
return applicationEntity;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1276,4 +1276,16 @@ public class RealmAdapter implements RealmModel {
|
||||||
realm.setAuditListeners(listeners);
|
realm.setAuditListeners(listeners);
|
||||||
em.flush();
|
em.flush();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ApplicationModel getAdminApp() {
|
||||||
|
return new ApplicationAdapter(this, em, realm.getAdminApp());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void setAdminApp(ApplicationModel app) {
|
||||||
|
realm.setAdminApp(((ApplicationAdapter) app).getJpaEntity());
|
||||||
|
em.flush();
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
package org.keycloak.models.jpa.entities;
|
package org.keycloak.models.jpa.entities;
|
||||||
|
|
||||||
|
|
||||||
|
import org.keycloak.models.ApplicationModel;
|
||||||
|
|
||||||
import javax.persistence.CascadeType;
|
import javax.persistence.CascadeType;
|
||||||
import javax.persistence.CollectionTable;
|
import javax.persistence.CollectionTable;
|
||||||
import javax.persistence.Column;
|
import javax.persistence.Column;
|
||||||
|
@ -13,6 +15,7 @@ import javax.persistence.MapKeyColumn;
|
||||||
import javax.persistence.NamedQueries;
|
import javax.persistence.NamedQueries;
|
||||||
import javax.persistence.NamedQuery;
|
import javax.persistence.NamedQuery;
|
||||||
import javax.persistence.OneToMany;
|
import javax.persistence.OneToMany;
|
||||||
|
import javax.persistence.OneToOne;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
|
@ -114,6 +117,9 @@ public class RealmEntity {
|
||||||
@ElementCollection
|
@ElementCollection
|
||||||
private Set<String> auditListeners= new HashSet<String>();
|
private Set<String> auditListeners= new HashSet<String>();
|
||||||
|
|
||||||
|
@OneToOne
|
||||||
|
private ApplicationEntity adminApp;
|
||||||
|
|
||||||
public String getId() {
|
public String getId() {
|
||||||
return id;
|
return id;
|
||||||
}
|
}
|
||||||
|
@ -432,5 +438,14 @@ public class RealmEntity {
|
||||||
public void setAuditListeners(Set<String> auditListeners) {
|
public void setAuditListeners(Set<String> auditListeners) {
|
||||||
this.auditListeners = auditListeners;
|
this.auditListeners = auditListeners;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public ApplicationEntity getAdminApp() {
|
||||||
|
return adminApp;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setAdminApp(ApplicationEntity adminApp) {
|
||||||
|
this.adminApp = adminApp;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -207,4 +207,5 @@ public class ApplicationAdapter extends ClientAdapter<ApplicationEntity> impleme
|
||||||
getMongoEntity().setDefaultRoles(roleNames);
|
getMongoEntity().setDefaultRoles(roleNames);
|
||||||
updateMongoEntity();
|
updateMongoEntity();
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,7 +15,7 @@ import org.keycloak.models.mongo.keycloak.entities.ClientEntity;
|
||||||
*/
|
*/
|
||||||
public class ClientAdapter<T extends ClientEntity> extends AbstractMongoAdapter<T> implements ClientModel {
|
public class ClientAdapter<T extends ClientEntity> extends AbstractMongoAdapter<T> implements ClientModel {
|
||||||
|
|
||||||
private final T clientEntity;
|
protected final T clientEntity;
|
||||||
private final RealmModel realm;
|
private final RealmModel realm;
|
||||||
|
|
||||||
public ClientAdapter(RealmModel realm, T clientEntity, MongoStoreInvocationContext invContext) {
|
public ClientAdapter(RealmModel realm, T clientEntity, MongoStoreInvocationContext invContext) {
|
||||||
|
@ -157,4 +157,5 @@ public class ClientAdapter<T extends ClientEntity> extends AbstractMongoAdapter<
|
||||||
clientEntity.setNotBefore(notBefore);
|
clientEntity.setNotBefore(notBefore);
|
||||||
updateMongoEntity();
|
updateMongoEntity();
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -1240,6 +1240,16 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
updateRealm();
|
updateRealm();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ApplicationModel getAdminApp() {
|
||||||
|
return new ApplicationAdapter(this, realm.getAdminApp(), invocationContext);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void setAdminApp(ApplicationModel app) {
|
||||||
|
realm.setAdminApp(((ApplicationAdapter) app).getMongoEntity());
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public RealmEntity getMongoEntity() {
|
public RealmEntity getMongoEntity() {
|
||||||
return realm;
|
return realm;
|
||||||
|
|
|
@ -2,6 +2,7 @@ package org.keycloak.models.mongo.keycloak.entities;
|
||||||
|
|
||||||
import com.mongodb.DBObject;
|
import com.mongodb.DBObject;
|
||||||
import com.mongodb.QueryBuilder;
|
import com.mongodb.QueryBuilder;
|
||||||
|
import org.keycloak.models.ApplicationModel;
|
||||||
import org.keycloak.models.mongo.api.AbstractMongoIdentifiableEntity;
|
import org.keycloak.models.mongo.api.AbstractMongoIdentifiableEntity;
|
||||||
import org.keycloak.models.mongo.api.MongoCollection;
|
import org.keycloak.models.mongo.api.MongoCollection;
|
||||||
import org.keycloak.models.mongo.api.MongoEntity;
|
import org.keycloak.models.mongo.api.MongoEntity;
|
||||||
|
@ -69,6 +70,8 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong
|
||||||
private long auditExpiration;
|
private long auditExpiration;
|
||||||
private List<String> auditListeners = new ArrayList<String>();
|
private List<String> auditListeners = new ArrayList<String>();
|
||||||
|
|
||||||
|
private ApplicationEntity adminApp;
|
||||||
|
|
||||||
@MongoField
|
@MongoField
|
||||||
public String getName() {
|
public String getName() {
|
||||||
return name;
|
return name;
|
||||||
|
@ -393,6 +396,15 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong
|
||||||
this.auditListeners = auditListeners;
|
this.auditListeners = auditListeners;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@MongoField
|
||||||
|
public ApplicationEntity getAdminApp() {
|
||||||
|
return adminApp;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setAdminApp(ApplicationEntity adminApp) {
|
||||||
|
this.adminApp = adminApp;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void afterRemove(MongoStoreInvocationContext context) {
|
public void afterRemove(MongoStoreInvocationContext context) {
|
||||||
DBObject query = new QueryBuilder()
|
DBObject query = new QueryBuilder()
|
||||||
|
|
|
@ -1,5 +1,6 @@
|
||||||
package org.keycloak.services.managers;
|
package org.keycloak.services.managers;
|
||||||
|
|
||||||
|
import org.keycloak.models.ApplicationModel;
|
||||||
import org.keycloak.models.ClientModel;
|
import org.keycloak.models.ClientModel;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
import org.keycloak.models.UserModel;
|
import org.keycloak.models.UserModel;
|
||||||
|
@ -72,16 +73,16 @@ public class Auth {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean hasAppRole(String app, String role) {
|
public boolean hasAppRole(ApplicationModel app, String role) {
|
||||||
if (cookie) {
|
if (cookie) {
|
||||||
return realm.hasRole(user, realm.getApplicationByName(app).getRole(role));
|
return realm.hasRole(user, app.getRole(role));
|
||||||
} else {
|
} else {
|
||||||
AccessToken.Access access = token.getResourceAccess(app);
|
AccessToken.Access access = token.getResourceAccess(app.getName());
|
||||||
return access != null && access.isUserInRole(role);
|
return access != null && access.isUserInRole(role);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean hasOneOfAppRole(String app, String... roles) {
|
public boolean hasOneOfAppRole(ApplicationModel app, String... roles) {
|
||||||
for (String r : roles) {
|
for (String r : roles) {
|
||||||
if (hasAppRole(app, r)) {
|
if (hasAppRole(app, r)) {
|
||||||
return true;
|
return true;
|
||||||
|
|
|
@ -108,7 +108,7 @@ public class RealmManager {
|
||||||
RealmModel adminRealm = getKeycloakAdminstrationRealm();
|
RealmModel adminRealm = getKeycloakAdminstrationRealm();
|
||||||
RoleModel adminRole = adminRealm.getRole(AdminRoles.ADMIN);
|
RoleModel adminRole = adminRealm.getRole(AdminRoles.ADMIN);
|
||||||
|
|
||||||
ApplicationModel realmAdminApp = adminRealm.getApplicationByName(AdminRoles.getAdminApp(realm));
|
ApplicationModel realmAdminApp = realm.getAdminApp();
|
||||||
for (RoleModel r : realmAdminApp.getRoles()) {
|
for (RoleModel r : realmAdminApp.getRoles()) {
|
||||||
adminRole.removeCompositeRole(r);
|
adminRole.removeCompositeRole(r);
|
||||||
}
|
}
|
||||||
|
@ -214,7 +214,9 @@ public class RealmManager {
|
||||||
}
|
}
|
||||||
|
|
||||||
ApplicationManager applicationManager = new ApplicationManager(new RealmManager(identitySession));
|
ApplicationManager applicationManager = new ApplicationManager(new RealmManager(identitySession));
|
||||||
ApplicationModel realmAdminApp = applicationManager.createApplication(adminRealm, AdminRoles.getAdminApp(realm));
|
|
||||||
|
ApplicationModel realmAdminApp = applicationManager.createApplication(adminRealm, realm.getName() + "-realm");
|
||||||
|
realm.setAdminApp(realmAdminApp);
|
||||||
|
|
||||||
for (String r : AdminRoles.ALL_REALM_ROLES) {
|
for (String r : AdminRoles.ALL_REALM_ROLES) {
|
||||||
RoleModel role = realmAdminApp.addRole(r);
|
RoleModel role = realmAdminApp.addRole(r);
|
||||||
|
|
|
@ -539,7 +539,7 @@ public class AccountService {
|
||||||
throw new ForbiddenException();
|
throw new ForbiddenException();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!auth.hasAppRole(application.getName(), role)) {
|
if (!auth.hasAppRole(application, role)) {
|
||||||
throw new ForbiddenException();
|
throw new ForbiddenException();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -549,7 +549,7 @@ public class AccountService {
|
||||||
throw new ForbiddenException();
|
throw new ForbiddenException();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!auth.hasOneOfAppRole(application.getName(), roles)) {
|
if (!auth.hasOneOfAppRole(application, roles)) {
|
||||||
throw new ForbiddenException();
|
throw new ForbiddenException();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
package org.keycloak.services.resources.admin;
|
package org.keycloak.services.resources.admin;
|
||||||
|
|
||||||
import org.keycloak.models.AdminRoles;
|
import org.keycloak.models.AdminRoles;
|
||||||
|
import org.keycloak.models.ApplicationModel;
|
||||||
import org.keycloak.services.ForbiddenException;
|
import org.keycloak.services.ForbiddenException;
|
||||||
import org.keycloak.services.managers.Auth;
|
import org.keycloak.services.managers.Auth;
|
||||||
|
|
||||||
|
@ -19,9 +20,9 @@ public class RealmAuth {
|
||||||
}
|
}
|
||||||
|
|
||||||
private Auth auth;
|
private Auth auth;
|
||||||
private String realmAdminApp;
|
private ApplicationModel realmAdminApp;
|
||||||
|
|
||||||
public RealmAuth(Auth auth, String realmAdminApp) {
|
public RealmAuth(Auth auth, ApplicationModel realmAdminApp) {
|
||||||
this.auth = auth;
|
this.auth = auth;
|
||||||
this.realmAdminApp = realmAdminApp;
|
this.realmAdminApp = realmAdminApp;
|
||||||
}
|
}
|
||||||
|
|
|
@ -69,11 +69,9 @@ public class RealmsAdminResource {
|
||||||
List<RealmModel> realms = session.getRealms();
|
List<RealmModel> realms = session.getRealms();
|
||||||
List<RealmRepresentation> reps = new ArrayList<RealmRepresentation>();
|
List<RealmRepresentation> reps = new ArrayList<RealmRepresentation>();
|
||||||
for (RealmModel realm : realms) {
|
for (RealmModel realm : realms) {
|
||||||
String realmAdminApp = AdminRoles.getAdminApp(realm);
|
if (auth.hasAppRole(realm.getAdminApp(), AdminRoles.MANAGE_REALM)) {
|
||||||
|
|
||||||
if (auth.hasAppRole(realmAdminApp, AdminRoles.MANAGE_REALM)) {
|
|
||||||
reps.add(ModelToRepresentation.toRepresentation(realm));
|
reps.add(ModelToRepresentation.toRepresentation(realm));
|
||||||
} else if (auth.hasOneOfAppRole(realmAdminApp, AdminRoles.ALL_REALM_ROLES)) {
|
} else if (auth.hasOneOfAppRole(realm.getAdminApp(), AdminRoles.ALL_REALM_ROLES)) {
|
||||||
RealmRepresentation rep = new RealmRepresentation();
|
RealmRepresentation rep = new RealmRepresentation();
|
||||||
rep.setRealm(realm.getName());
|
rep.setRealm(realm.getName());
|
||||||
reps.add(rep);
|
reps.add(rep);
|
||||||
|
@ -144,7 +142,7 @@ public class RealmsAdminResource {
|
||||||
}
|
}
|
||||||
|
|
||||||
RealmModel adminRealm = new RealmManager(session).getKeycloakAdminstrationRealm();
|
RealmModel adminRealm = new RealmManager(session).getKeycloakAdminstrationRealm();
|
||||||
ApplicationModel realmAdminApp = adminRealm.getApplicationByName(AdminRoles.getAdminApp(realm));
|
ApplicationModel realmAdminApp = realm.getAdminApp();
|
||||||
for (String r : AdminRoles.ALL_REALM_ROLES) {
|
for (String r : AdminRoles.ALL_REALM_ROLES) {
|
||||||
RoleModel role = realmAdminApp.getRole(r);
|
RoleModel role = realmAdminApp.getRole(r);
|
||||||
adminRealm.grantRole(auth.getUser(), role);
|
adminRealm.grantRole(auth.getUser(), role);
|
||||||
|
@ -159,7 +157,7 @@ public class RealmsAdminResource {
|
||||||
RealmModel realm = realmManager.getRealmByName(name);
|
RealmModel realm = realmManager.getRealmByName(name);
|
||||||
if (realm == null) throw new NotFoundException("{realm} = " + name);
|
if (realm == null) throw new NotFoundException("{realm} = " + name);
|
||||||
|
|
||||||
RealmAuth realmAuth = new RealmAuth(auth, AdminRoles.getAdminApp(realm));
|
RealmAuth realmAuth = new RealmAuth(auth, realm.getAdminApp());
|
||||||
|
|
||||||
RealmAdminResource adminResource = new RealmAdminResource(realmAuth, realm, tokenManager);
|
RealmAdminResource adminResource = new RealmAdminResource(realmAuth, realm, tokenManager);
|
||||||
ResteasyProviderFactory.getInstance().injectProperties(adminResource);
|
ResteasyProviderFactory.getInstance().injectProperties(adminResource);
|
||||||
|
|
Loading…
Reference in a new issue