Merge pull request #346 from stianst/master
KEYCLOAK-347 Link realm and realm-permissions application
commit
ce6652efb1
14 changed files with 100 additions and 42 deletions
|
@ -25,8 +25,4 @@ public class AdminRoles {
|
||||||
|
|
||||||
public static String[] ALL_REALM_ROLES = {VIEW_REALM, VIEW_USERS, VIEW_APPLICATIONS, VIEW_CLIENTS, VIEW_AUDIT, MANAGE_REALM, MANAGE_USERS, MANAGE_APPLICATIONS, MANAGE_CLIENTS, MANAGE_AUDIT};
|
public static String[] ALL_REALM_ROLES = {VIEW_REALM, VIEW_USERS, VIEW_APPLICATIONS, VIEW_CLIENTS, VIEW_AUDIT, MANAGE_REALM, MANAGE_USERS, MANAGE_APPLICATIONS, MANAGE_CLIENTS, MANAGE_AUDIT};
|
||||||
|
|
||||||
public static String getAdminApp(RealmModel realm) {
|
|
||||||
return realm.getName() + APP_SUFFIX;
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -233,4 +233,9 @@ public interface RealmModel extends RoleContainerModel, RoleMapperModel, ScopeMa
|
||||||
Set<String> getAuditListeners();
|
Set<String> getAuditListeners();
|
||||||
|
|
||||||
void setAuditListeners(Set<String> listeners);
|
void setAuditListeners(Set<String> listeners);
|
||||||
|
|
||||||
|
ApplicationModel getAdminApp();
|
||||||
|
|
||||||
|
void setAdminApp(ApplicationModel app);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
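Review bot: The two new interface methods `getAdminApp()` and `setAdminApp(ApplicationModel)` carry no Javadoc, and the contract matters here because the returned application belongs to a different realm (the administration realm, per the RealmManager change in this commit) and may be absent for a realm that was never linked. I would put `/** Returns the application in the admin realm that holds this realm's admin roles, or null if none is linked. */` on the getter and `/** Links the admin-realm application that holds this realm's admin roles. */` on the setter. Settling whether null is a legal return value here is what lets the JPA and Mongo adapters implement the same behaviour instead of each wrapping whatever the entity holds.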
@ -260,4 +260,8 @@ public class ApplicationAdapter extends ClientAdapter implements ApplicationMode
|
||||||
public String toString() {
|
public String toString() {
|
||||||
return getName();
|
return getName();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ApplicationEntity getJpaEntity() {
|
||||||
|
return applicationEntity;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1276,4 +1276,16 @@ public class RealmAdapter implements RealmModel {
|
||||||
realm.setAuditListeners(listeners);
|
realm.setAuditListeners(listeners);
|
||||||
em.flush();
|
em.flush();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ApplicationModel getAdminApp() {
|
||||||
|
return new ApplicationAdapter(this, em, realm.getAdminApp());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void setAdminApp(ApplicationModel app) {
|
||||||
|
realm.setAdminApp(((ApplicationAdapter) app).getJpaEntity());
|
||||||
|
em.flush();
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
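Review bot: `getAdminApp()` wraps `realm.getAdminApp()` in a new `ApplicationAdapter` unconditionally, so a realm whose entity has no linked admin application (for example one persisted before this link existed) yields an adapter around a null entity and fails on first use rather than at the lookup. The Mongo adapter's `getApplicationByName` in this same commit returns `appEntity == null ? null : new ApplicationAdapter(...)`, and this method should follow that convention: `ApplicationEntity entity = realm.getAdminApp(); return entity == null ? null : new ApplicationAdapter(this, em, entity);`. `setAdminApp` likewise dereferences `app` without a check; if passing null is meant to unlink, `realm.setAdminApp(app == null ? null : ((ApplicationAdapter) app).getJpaEntity());` makes that explicit.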
@ -1,6 +1,8 @@
|
||||||
package org.keycloak.models.jpa.entities;
|
package org.keycloak.models.jpa.entities;
|
||||||
|
|
||||||
|
|
||||||
|
import org.keycloak.models.ApplicationModel;
|
||||||
|
|
||||||
import javax.persistence.CascadeType;
|
import javax.persistence.CascadeType;
|
||||||
import javax.persistence.CollectionTable;
|
import javax.persistence.CollectionTable;
|
||||||
import javax.persistence.Column;
|
import javax.persistence.Column;
|
||||||
|
@ -13,6 +15,7 @@ import javax.persistence.MapKeyColumn;
|
||||||
import javax.persistence.NamedQueries;
|
import javax.persistence.NamedQueries;
|
||||||
import javax.persistence.NamedQuery;
|
import javax.persistence.NamedQuery;
|
||||||
import javax.persistence.OneToMany;
|
import javax.persistence.OneToMany;
|
||||||
|
import javax.persistence.OneToOne;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
|
@ -114,6 +117,9 @@ public class RealmEntity {
|
||||||
@ElementCollection
|
@ElementCollection
|
||||||
private Set<String> auditListeners= new HashSet<String>();
|
private Set<String> auditListeners= new HashSet<String>();
|
||||||
|
|
||||||
|
@OneToOne
|
||||||
|
private ApplicationEntity adminApp;
|
||||||
|
|
||||||
public String getId() {
|
public String getId() {
|
||||||
return id;
|
return id;
|
||||||
}
|
}
|
||||||
|
@ -432,5 +438,14 @@ public class RealmEntity {
|
||||||
public void setAuditListeners(Set<String> auditListeners) {
|
public void setAuditListeners(Set<String> auditListeners) {
|
||||||
this.auditListeners = auditListeners;
|
this.auditListeners = auditListeners;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public ApplicationEntity getAdminApp() {
|
||||||
|
return adminApp;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setAdminApp(ApplicationEntity adminApp) {
|
||||||
|
this.adminApp = adminApp;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
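Review bot: The added `import org.keycloak.models.ApplicationModel;` is unused in this entity (the field and both accessors are typed `ApplicationEntity`) and pulls a model-layer type into the JPA entity package; drop it. The new `@OneToOne private ApplicationEntity adminApp;` also deserves a comment, because it references an application owned by a different realm (RealmManager creates it in the admin realm) and declares no cascade, e.g. `// Application in the admin realm holding this realm's admin roles; not cascaded, so unlink it (setAdminApp(null)) before that application is removed.` I cannot see from this hunk whether realm removal clears the link before the application is deleted, so that ordering is worth confirming against RealmManager.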
@ -207,4 +207,5 @@ public class ApplicationAdapter extends ClientAdapter<ApplicationEntity> impleme
|
||||||
getMongoEntity().setDefaultRoles(roleNames);
|
getMongoEntity().setDefaultRoles(roleNames);
|
||||||
updateMongoEntity();
|
updateMongoEntity();
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -15,7 +15,7 @@ import org.keycloak.models.mongo.keycloak.entities.ClientEntity;
|
||||||
*/
|
*/
|
||||||
public class ClientAdapter<T extends ClientEntity> extends AbstractMongoAdapter<T> implements ClientModel {
|
public class ClientAdapter<T extends ClientEntity> extends AbstractMongoAdapter<T> implements ClientModel {
|
||||||
|
|
||||||
private final T clientEntity;
|
protected final T clientEntity;
|
||||||
private final RealmModel realm;
|
private final RealmModel realm;
|
||||||
|
|
||||||
public ClientAdapter(RealmModel realm, T clientEntity, MongoStoreInvocationContext invContext) {
|
public ClientAdapter(RealmModel realm, T clientEntity, MongoStoreInvocationContext invContext) {
|
||||||
|
@ -157,4 +157,5 @@ public class ClientAdapter<T extends ClientEntity> extends AbstractMongoAdapter<
|
||||||
clientEntity.setNotBefore(notBefore);
|
clientEntity.setNotBefore(notBefore);
|
||||||
updateMongoEntity();
|
updateMongoEntity();
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -642,7 +642,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
.and("name").is(name)
|
.and("name").is(name)
|
||||||
.get();
|
.get();
|
||||||
ApplicationEntity appEntity = getMongoStore().loadSingleEntity(ApplicationEntity.class, query, invocationContext);
|
ApplicationEntity appEntity = getMongoStore().loadSingleEntity(ApplicationEntity.class, query, invocationContext);
|
||||||
return appEntity==null ? null : new ApplicationAdapter(this, appEntity, invocationContext);
|
return appEntity == null ? null : new ApplicationAdapter(this, appEntity, invocationContext);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -697,7 +697,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void grantRole(UserModel user, RoleModel role) {
|
public void grantRole(UserModel user, RoleModel role) {
|
||||||
UserEntity userEntity = ((UserAdapter)user).getUser();
|
UserEntity userEntity = ((UserAdapter) user).getUser();
|
||||||
getMongoStore().pushItemToList(userEntity, "roleIds", role.getId(), true, invocationContext);
|
getMongoStore().pushItemToList(userEntity, "roleIds", role.getId(), true, invocationContext);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -724,7 +724,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
// Filter to retrieve just realm roles TODO: Maybe improve to avoid filter programmatically... Maybe have separate fields for realmRoles and appRoles on user?
|
// Filter to retrieve just realm roles TODO: Maybe improve to avoid filter programmatically... Maybe have separate fields for realmRoles and appRoles on user?
|
||||||
Set<RoleModel> realmRoles = new HashSet<RoleModel>();
|
Set<RoleModel> realmRoles = new HashSet<RoleModel>();
|
||||||
for (RoleModel role : allRoles) {
|
for (RoleModel role : allRoles) {
|
||||||
RoleEntity roleEntity = ((RoleAdapter)role).getRole();
|
RoleEntity roleEntity = ((RoleAdapter) role).getRole();
|
||||||
|
|
||||||
if (getId().equals(roleEntity.getRealmId())) {
|
if (getId().equals(roleEntity.getRealmId())) {
|
||||||
realmRoles.add(role);
|
realmRoles.add(role);
|
||||||
|
@ -737,7 +737,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
public void deleteRoleMapping(UserModel user, RoleModel role) {
|
public void deleteRoleMapping(UserModel user, RoleModel role) {
|
||||||
if (user == null || role == null) return;
|
if (user == null || role == null) return;
|
||||||
|
|
||||||
UserEntity userEntity = ((UserAdapter)user).getUser();
|
UserEntity userEntity = ((UserAdapter) user).getUser();
|
||||||
getMongoStore().pullItemFromList(userEntity, "roleIds", role.getId(), invocationContext);
|
getMongoStore().pullItemFromList(userEntity, "roleIds", role.getId(), invocationContext);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -764,7 +764,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
// Filter to retrieve just realm roles TODO: Maybe improve to avoid filter programmatically... Maybe have separate fields for realmRoles and appRoles on user?
|
// Filter to retrieve just realm roles TODO: Maybe improve to avoid filter programmatically... Maybe have separate fields for realmRoles and appRoles on user?
|
||||||
Set<RoleModel> realmRoles = new HashSet<RoleModel>();
|
Set<RoleModel> realmRoles = new HashSet<RoleModel>();
|
||||||
for (RoleModel role : allScopes) {
|
for (RoleModel role : allScopes) {
|
||||||
RoleEntity roleEntity = ((RoleAdapter)role).getRole();
|
RoleEntity roleEntity = ((RoleAdapter) role).getRole();
|
||||||
|
|
||||||
if (getId().equals(roleEntity.getRealmId())) {
|
if (getId().equals(roleEntity.getRealmId())) {
|
||||||
realmRoles.add(role);
|
realmRoles.add(role);
|
||||||
|
@ -787,12 +787,12 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void addScopeMapping(ClientModel client, RoleModel role) {
|
public void addScopeMapping(ClientModel client, RoleModel role) {
|
||||||
getMongoStore().pushItemToList(((AbstractMongoAdapter)client).getMongoEntity(), "scopeIds", role.getId(), true, invocationContext);
|
getMongoStore().pushItemToList(((AbstractMongoAdapter) client).getMongoEntity(), "scopeIds", role.getId(), true, invocationContext);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void deleteScopeMapping(ClientModel client, RoleModel role) {
|
public void deleteScopeMapping(ClientModel client, RoleModel role) {
|
||||||
getMongoStore().pullItemFromList(((AbstractMongoAdapter)client).getMongoEntity(), "scopeIds", role.getId(), invocationContext);
|
getMongoStore().pullItemFromList(((AbstractMongoAdapter) client).getMongoEntity(), "scopeIds", role.getId(), invocationContext);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -911,7 +911,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean validatePassword(UserModel user, String password) {
|
public boolean validatePassword(UserModel user, String password) {
|
||||||
for (CredentialEntity cred : ((UserAdapter)user).getUser().getCredentials()) {
|
for (CredentialEntity cred : ((UserAdapter) user).getUser().getCredentials()) {
|
||||||
if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
|
if (cred.getType().equals(UserCredentialModel.PASSWORD)) {
|
||||||
return new Pbkdf2PasswordEncoder(cred.getSalt()).verify(password, cred.getValue());
|
return new Pbkdf2PasswordEncoder(cred.getSalt()).verify(password, cred.getValue());
|
||||||
}
|
}
|
||||||
|
@ -922,7 +922,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
@Override
|
@Override
|
||||||
public boolean validateTOTP(UserModel user, String password, String token) {
|
public boolean validateTOTP(UserModel user, String password, String token) {
|
||||||
if (!validatePassword(user, password)) return false;
|
if (!validatePassword(user, password)) return false;
|
||||||
for (CredentialEntity cred : ((UserAdapter)user).getUser().getCredentials()) {
|
for (CredentialEntity cred : ((UserAdapter) user).getUser().getCredentials()) {
|
||||||
if (cred.getType().equals(UserCredentialModel.TOTP)) {
|
if (cred.getType().equals(UserCredentialModel.TOTP)) {
|
||||||
return new TimeBasedOTP().validate(token, cred.getValue().getBytes());
|
return new TimeBasedOTP().validate(token, cred.getValue().getBytes());
|
||||||
}
|
}
|
||||||
|
@ -967,12 +967,12 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
.and("realmId").is(getId())
|
.and("realmId").is(getId())
|
||||||
.get();
|
.get();
|
||||||
UserEntity userEntity = getMongoStore().loadSingleEntity(UserEntity.class, query, invocationContext);
|
UserEntity userEntity = getMongoStore().loadSingleEntity(UserEntity.class, query, invocationContext);
|
||||||
return userEntity==null ? null : new UserAdapter(userEntity, invocationContext);
|
return userEntity == null ? null : new UserAdapter(userEntity, invocationContext);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Set<SocialLinkModel> getSocialLinks(UserModel user) {
|
public Set<SocialLinkModel> getSocialLinks(UserModel user) {
|
||||||
UserEntity userEntity = ((UserAdapter)user).getUser();
|
UserEntity userEntity = ((UserAdapter) user).getUser();
|
||||||
List<SocialLinkEntity> linkEntities = userEntity.getSocialLinks();
|
List<SocialLinkEntity> linkEntities = userEntity.getSocialLinks();
|
||||||
|
|
||||||
if (linkEntities == null) {
|
if (linkEntities == null) {
|
||||||
|
@ -990,12 +990,12 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
@Override
|
@Override
|
||||||
public SocialLinkModel getSocialLink(UserModel user, String socialProvider) {
|
public SocialLinkModel getSocialLink(UserModel user, String socialProvider) {
|
||||||
SocialLinkEntity socialLinkEntity = findSocialLink(user, socialProvider);
|
SocialLinkEntity socialLinkEntity = findSocialLink(user, socialProvider);
|
||||||
return socialLinkEntity!=null ? new SocialLinkModel(socialLinkEntity.getSocialProvider(), socialLinkEntity.getSocialUserId(), socialLinkEntity.getSocialUsername()) : null;
|
return socialLinkEntity != null ? new SocialLinkModel(socialLinkEntity.getSocialProvider(), socialLinkEntity.getSocialUserId(), socialLinkEntity.getSocialUsername()) : null;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void addSocialLink(UserModel user, SocialLinkModel socialLink) {
|
public void addSocialLink(UserModel user, SocialLinkModel socialLink) {
|
||||||
UserEntity userEntity = ((UserAdapter)user).getUser();
|
UserEntity userEntity = ((UserAdapter) user).getUser();
|
||||||
SocialLinkEntity socialLinkEntity = new SocialLinkEntity();
|
SocialLinkEntity socialLinkEntity = new SocialLinkEntity();
|
||||||
socialLinkEntity.setSocialProvider(socialLink.getSocialProvider());
|
socialLinkEntity.setSocialProvider(socialLink.getSocialProvider());
|
||||||
socialLinkEntity.setSocialUserId(socialLink.getSocialUserId());
|
socialLinkEntity.setSocialUserId(socialLink.getSocialUserId());
|
||||||
|
@ -1005,18 +1005,18 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean removeSocialLink(UserModel user,String socialProvider) {
|
public boolean removeSocialLink(UserModel user, String socialProvider) {
|
||||||
SocialLinkEntity socialLinkEntity = findSocialLink(user, socialProvider);
|
SocialLinkEntity socialLinkEntity = findSocialLink(user, socialProvider);
|
||||||
if (socialLinkEntity == null) {
|
if (socialLinkEntity == null) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
UserEntity userEntity = ((UserAdapter)user).getUser();
|
UserEntity userEntity = ((UserAdapter) user).getUser();
|
||||||
|
|
||||||
return getMongoStore().pullItemFromList(userEntity, "socialLinks", socialLinkEntity, invocationContext);
|
return getMongoStore().pullItemFromList(userEntity, "socialLinks", socialLinkEntity, invocationContext);
|
||||||
}
|
}
|
||||||
|
|
||||||
private SocialLinkEntity findSocialLink(UserModel user, String socialProvider) {
|
private SocialLinkEntity findSocialLink(UserModel user, String socialProvider) {
|
||||||
UserEntity userEntity = ((UserAdapter)user).getUser();
|
UserEntity userEntity = ((UserAdapter) user).getUser();
|
||||||
List<SocialLinkEntity> linkEntities = userEntity.getSocialLinks();
|
List<SocialLinkEntity> linkEntities = userEntity.getSocialLinks();
|
||||||
if (linkEntities == null) {
|
if (linkEntities == null) {
|
||||||
return null;
|
return null;
|
||||||
|
@ -1032,7 +1032,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public AuthenticationLinkModel getAuthenticationLink(UserModel user) {
|
public AuthenticationLinkModel getAuthenticationLink(UserModel user) {
|
||||||
UserEntity userEntity = ((UserAdapter)user).getUser();
|
UserEntity userEntity = ((UserAdapter) user).getUser();
|
||||||
AuthenticationLinkEntity authLinkEntity = userEntity.getAuthenticationLink();
|
AuthenticationLinkEntity authLinkEntity = userEntity.getAuthenticationLink();
|
||||||
|
|
||||||
if (authLinkEntity == null) {
|
if (authLinkEntity == null) {
|
||||||
|
@ -1044,7 +1044,7 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void setAuthenticationLink(UserModel user, AuthenticationLinkModel authenticationLink) {
|
public void setAuthenticationLink(UserModel user, AuthenticationLinkModel authenticationLink) {
|
||||||
UserEntity userEntity = ((UserAdapter)user).getUser();
|
UserEntity userEntity = ((UserAdapter) user).getUser();
|
||||||
AuthenticationLinkEntity authLinkEntity = new AuthenticationLinkEntity();
|
AuthenticationLinkEntity authLinkEntity = new AuthenticationLinkEntity();
|
||||||
authLinkEntity.setAuthProvider(authenticationLink.getAuthProvider());
|
authLinkEntity.setAuthProvider(authenticationLink.getAuthProvider());
|
||||||
authLinkEntity.setAuthUserId(authenticationLink.getAuthUserId());
|
authLinkEntity.setAuthUserId(authenticationLink.getAuthUserId());
|
||||||
|
@ -1240,6 +1240,16 @@ public class RealmAdapter extends AbstractMongoAdapter<RealmEntity> implements R
|
||||||
updateRealm();
|
updateRealm();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ApplicationModel getAdminApp() {
|
||||||
|
return new ApplicationAdapter(this, realm.getAdminApp(), invocationContext);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void setAdminApp(ApplicationModel app) {
|
||||||
|
realm.setAdminApp(((ApplicationAdapter) app).getMongoEntity());
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public RealmEntity getMongoEntity() {
|
public RealmEntity getMongoEntity() {
|
||||||
return realm;
|
return realm;
|
||||||
|
|
|
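Review bot: `setAdminApp` assigns the entity through `realm.setAdminApp(...)` but never calls `updateRealm()`, unlike the setter that ends immediately before it in the hunk (`updateRealm();`) and unlike the JPA counterpart, which calls `em.flush()`; as far as this hunk shows, the link is set on the in-memory entity only. Add `updateRealm();` after the assignment. `getAdminApp()` also wraps `realm.getAdminApp()` unconditionally, while `getApplicationByName` earlier in this same file returns `appEntity == null ? null : new ApplicationAdapter(...)`; the same guard belongs here so a realm without a linked admin application yields null instead of an adapter around a null entity: `ApplicationEntity entity = realm.getAdminApp(); return entity == null ? null : new ApplicationAdapter(this, entity, invocationContext);`.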
@ -2,6 +2,7 @@ package org.keycloak.models.mongo.keycloak.entities;
|
||||||
|
|
||||||
import com.mongodb.DBObject;
|
import com.mongodb.DBObject;
|
||||||
import com.mongodb.QueryBuilder;
|
import com.mongodb.QueryBuilder;
|
||||||
|
import org.keycloak.models.ApplicationModel;
|
||||||
import org.keycloak.models.mongo.api.AbstractMongoIdentifiableEntity;
|
import org.keycloak.models.mongo.api.AbstractMongoIdentifiableEntity;
|
||||||
import org.keycloak.models.mongo.api.MongoCollection;
|
import org.keycloak.models.mongo.api.MongoCollection;
|
||||||
import org.keycloak.models.mongo.api.MongoEntity;
|
import org.keycloak.models.mongo.api.MongoEntity;
|
||||||
|
@ -69,6 +70,8 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong
|
||||||
private long auditExpiration;
|
private long auditExpiration;
|
||||||
private List<String> auditListeners = new ArrayList<String>();
|
private List<String> auditListeners = new ArrayList<String>();
|
||||||
|
|
||||||
|
private ApplicationEntity adminApp;
|
||||||
|
|
||||||
@MongoField
|
@MongoField
|
||||||
public String getName() {
|
public String getName() {
|
||||||
return name;
|
return name;
|
||||||
|
@ -393,6 +396,15 @@ public class RealmEntity extends AbstractMongoIdentifiableEntity implements Mong
|
||||||
this.auditListeners = auditListeners;
|
this.auditListeners = auditListeners;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@MongoField
|
||||||
|
public ApplicationEntity getAdminApp() {
|
||||||
|
return adminApp;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setAdminApp(ApplicationEntity adminApp) {
|
||||||
|
this.adminApp = adminApp;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void afterRemove(MongoStoreInvocationContext context) {
|
public void afterRemove(MongoStoreInvocationContext context) {
|
||||||
DBObject query = new QueryBuilder()
|
DBObject query = new QueryBuilder()
|
||||||
|
|
|
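Review bot: `getAdminApp()` is annotated `@MongoField` and typed `ApplicationEntity`, which presumably stores the application document inside the realm document rather than a reference, unlike the other cross-entity links in this store (`realmId`, `roleIds`, `scopeIds` in the RealmAdapter hunks of this commit); an embedded copy goes stale when the application's roles change, and the admin-role checks read roles through exactly this object. Consider persisting an `adminAppId` string instead and resolving the entity in the adapter through the store, the way `getApplicationByName` does with `loadSingleEntity`. The new `import org.keycloak.models.ApplicationModel;` is also unused in this entity. I cannot see from the hunk how `@MongoField` serializes entity-typed properties, so please confirm the stored shape before changing it.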
@ -1,5 +1,6 @@
|
||||||
package org.keycloak.services.managers;
|
package org.keycloak.services.managers;
|
||||||
|
|
||||||
|
import org.keycloak.models.ApplicationModel;
|
||||||
import org.keycloak.models.ClientModel;
|
import org.keycloak.models.ClientModel;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
import org.keycloak.models.UserModel;
|
import org.keycloak.models.UserModel;
|
||||||
|
@ -72,16 +73,16 @@ public class Auth {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean hasAppRole(String app, String role) {
|
public boolean hasAppRole(ApplicationModel app, String role) {
|
||||||
if (cookie) {
|
if (cookie) {
|
||||||
return realm.hasRole(user, realm.getApplicationByName(app).getRole(role));
|
return realm.hasRole(user, app.getRole(role));
|
||||||
} else {
|
} else {
|
||||||
AccessToken.Access access = token.getResourceAccess(app);
|
AccessToken.Access access = token.getResourceAccess(app.getName());
|
||||||
return access != null && access.isUserInRole(role);
|
return access != null && access.isUserInRole(role);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean hasOneOfAppRole(String app, String... roles) {
|
public boolean hasOneOfAppRole(ApplicationModel app, String... roles) {
|
||||||
for (String r : roles) {
|
for (String r : roles) {
|
||||||
if (hasAppRole(app, r)) {
|
if (hasAppRole(app, r)) {
|
||||||
return true;
|
return true;
|
||||||
|
|
|
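Review bot: In the cookie branch, `realm.hasRole(user, app.getRole(role))` passes the result of `app.getRole(role)` straight through, so a role name that does not exist on the application reaches `hasRole` as null, whereas the token branch guards its lookup with `access != null &&`. Mirror that: `RoleModel r = app.getRole(role); return r != null && realm.hasRole(user, r);`. Callers now pass `realm.getAdminApp()`, so if that getter can return null for a realm with no linked admin application (the adapters in this commit wrap the entity unconditionally, so today it would instead surface as an exception on the wrapped entity), an explicit `if (app == null) return false;` at the top turns that into a denial. Whether `RoleModel` is already imported in Auth is not visible in this hunk.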
@ -108,7 +108,7 @@ public class RealmManager {
|
||||||
RealmModel adminRealm = getKeycloakAdminstrationRealm();
|
RealmModel adminRealm = getKeycloakAdminstrationRealm();
|
||||||
RoleModel adminRole = adminRealm.getRole(AdminRoles.ADMIN);
|
RoleModel adminRole = adminRealm.getRole(AdminRoles.ADMIN);
|
||||||
|
|
||||||
ApplicationModel realmAdminApp = adminRealm.getApplicationByName(AdminRoles.getAdminApp(realm));
|
ApplicationModel realmAdminApp = realm.getAdminApp();
|
||||||
for (RoleModel r : realmAdminApp.getRoles()) {
|
for (RoleModel r : realmAdminApp.getRoles()) {
|
||||||
adminRole.removeCompositeRole(r);
|
adminRole.removeCompositeRole(r);
|
||||||
}
|
}
|
||||||
|
@ -214,7 +214,9 @@ public class RealmManager {
|
||||||
}
|
}
|
||||||
|
|
||||||
ApplicationManager applicationManager = new ApplicationManager(new RealmManager(identitySession));
|
ApplicationManager applicationManager = new ApplicationManager(new RealmManager(identitySession));
|
||||||
ApplicationModel realmAdminApp = applicationManager.createApplication(adminRealm, AdminRoles.getAdminApp(realm));
|
|
||||||
|
ApplicationModel realmAdminApp = applicationManager.createApplication(adminRealm, realm.getName() + "-realm");
|
||||||
|
realm.setAdminApp(realmAdminApp);
|
||||||
|
|
||||||
for (String r : AdminRoles.ALL_REALM_ROLES) {
|
for (String r : AdminRoles.ALL_REALM_ROLES) {
|
||||||
RoleModel role = realmAdminApp.addRole(r);
|
RoleModel role = realmAdminApp.addRole(r);
|
||||||
|
|
|
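Review bot: The application name is now built inline as `realm.getName() + "-realm"` where the previous code used `AdminRoles.getAdminApp(realm)`, and that name is what the bearer-token branch of `Auth.hasAppRole` keys on via `app.getName()`, so it should stay a named constant rather than a bare literal in the manager, e.g. `private static final String ADMIN_APP_SUFFIX = "-realm";`. In the first hunk, `realm.getAdminApp()` is dereferenced by `realmAdminApp.getRoles()` with no null check, so removing a realm that has no linked admin application (one persisted before this link existed) would fail; wrap the loop in `if (realmAdminApp != null)`. Both methods start outside the hunks, so I cannot see whether the realm's link is cleared before the application itself is removed, which matters for the JPA `@OneToOne` reference added in this commit.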
@ -539,7 +539,7 @@ public class AccountService {
|
||||||
throw new ForbiddenException();
|
throw new ForbiddenException();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!auth.hasAppRole(application.getName(), role)) {
|
if (!auth.hasAppRole(application, role)) {
|
||||||
throw new ForbiddenException();
|
throw new ForbiddenException();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -549,7 +549,7 @@ public class AccountService {
|
||||||
throw new ForbiddenException();
|
throw new ForbiddenException();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!auth.hasOneOfAppRole(application.getName(), roles)) {
|
if (!auth.hasOneOfAppRole(application, roles)) {
|
||||||
throw new ForbiddenException();
|
throw new ForbiddenException();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
package org.keycloak.services.resources.admin;
|
package org.keycloak.services.resources.admin;
|
||||||
|
|
||||||
import org.keycloak.models.AdminRoles;
|
import org.keycloak.models.AdminRoles;
|
||||||
|
import org.keycloak.models.ApplicationModel;
|
||||||
import org.keycloak.services.ForbiddenException;
|
import org.keycloak.services.ForbiddenException;
|
||||||
import org.keycloak.services.managers.Auth;
|
import org.keycloak.services.managers.Auth;
|
||||||
|
|
||||||
|
@ -19,9 +20,9 @@ public class RealmAuth {
|
||||||
}
|
}
|
||||||
|
|
||||||
private Auth auth;
|
private Auth auth;
|
||||||
private String realmAdminApp;
|
private ApplicationModel realmAdminApp;
|
||||||
|
|
||||||
public RealmAuth(Auth auth, String realmAdminApp) {
|
public RealmAuth(Auth auth, ApplicationModel realmAdminApp) {
|
||||||
this.auth = auth;
|
this.auth = auth;
|
||||||
this.realmAdminApp = realmAdminApp;
|
this.realmAdminApp = realmAdminApp;
|
||||||
}
|
}
|
||||||
|
|
|
@ -69,11 +69,9 @@ public class RealmsAdminResource {
|
||||||
List<RealmModel> realms = session.getRealms();
|
List<RealmModel> realms = session.getRealms();
|
||||||
List<RealmRepresentation> reps = new ArrayList<RealmRepresentation>();
|
List<RealmRepresentation> reps = new ArrayList<RealmRepresentation>();
|
||||||
for (RealmModel realm : realms) {
|
for (RealmModel realm : realms) {
|
||||||
String realmAdminApp = AdminRoles.getAdminApp(realm);
|
if (auth.hasAppRole(realm.getAdminApp(), AdminRoles.MANAGE_REALM)) {
|
||||||
|
|
||||||
if (auth.hasAppRole(realmAdminApp, AdminRoles.MANAGE_REALM)) {
|
|
||||||
reps.add(ModelToRepresentation.toRepresentation(realm));
|
reps.add(ModelToRepresentation.toRepresentation(realm));
|
||||||
} else if (auth.hasOneOfAppRole(realmAdminApp, AdminRoles.ALL_REALM_ROLES)) {
|
} else if (auth.hasOneOfAppRole(realm.getAdminApp(), AdminRoles.ALL_REALM_ROLES)) {
|
||||||
RealmRepresentation rep = new RealmRepresentation();
|
RealmRepresentation rep = new RealmRepresentation();
|
||||||
rep.setRealm(realm.getName());
|
rep.setRealm(realm.getName());
|
||||||
reps.add(rep);
|
reps.add(rep);
|
||||||
|
@ -144,7 +142,7 @@ public class RealmsAdminResource {
|
||||||
}
|
}
|
||||||
|
|
||||||
RealmModel adminRealm = new RealmManager(session).getKeycloakAdminstrationRealm();
|
RealmModel adminRealm = new RealmManager(session).getKeycloakAdminstrationRealm();
|
||||||
ApplicationModel realmAdminApp = adminRealm.getApplicationByName(AdminRoles.getAdminApp(realm));
|
ApplicationModel realmAdminApp = realm.getAdminApp();
|
||||||
for (String r : AdminRoles.ALL_REALM_ROLES) {
|
for (String r : AdminRoles.ALL_REALM_ROLES) {
|
||||||
RoleModel role = realmAdminApp.getRole(r);
|
RoleModel role = realmAdminApp.getRole(r);
|
||||||
adminRealm.grantRole(auth.getUser(), role);
|
adminRealm.grantRole(auth.getUser(), role);
|
||||||
|
@ -159,7 +157,7 @@ public class RealmsAdminResource {
|
||||||
RealmModel realm = realmManager.getRealmByName(name);
|
RealmModel realm = realmManager.getRealmByName(name);
|
||||||
if (realm == null) throw new NotFoundException("{realm} = " + name);
|
if (realm == null) throw new NotFoundException("{realm} = " + name);
|
||||||
|
|
||||||
RealmAuth realmAuth = new RealmAuth(auth, AdminRoles.getAdminApp(realm));
|
RealmAuth realmAuth = new RealmAuth(auth, realm.getAdminApp());
|
||||||
|
|
||||||
RealmAdminResource adminResource = new RealmAdminResource(realmAuth, realm, tokenManager);
|
RealmAdminResource adminResource = new RealmAdminResource(realmAuth, realm, tokenManager);
|
||||||
ResteasyProviderFactory.getInstance().injectProperties(adminResource);
|
ResteasyProviderFactory.getInstance().injectProperties(adminResource);
|
||||||
|
|
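Review bot: `realm.getAdminApp()` is called twice per loop iteration (once for the `MANAGE_REALM` check and again in the `else if`), and both adapter implementations in this commit construct a new `ApplicationAdapter` on every call; restore the local the old code had, `ApplicationModel realmAdminApp = realm.getAdminApp();` before the `if`, and pass it to both checks. If that getter can yield null (or an adapter around a missing entity) for a realm whose admin application was never linked, the listing fails for every caller instead of skipping that realm, so `if (realmAdminApp == null) continue;` after the local keeps the endpoint usable. Whether such realms exist depends on migration of existing data, which this page does not show.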