Missing auth checks in some admin endpoints (#166)

Closes keycloak/keycloak-private#156

Signed-off-by: rmartinc <rmartinc@redhat.com>
This commit is contained in:
rmartinc 2024-06-04 08:49:30 +02:00 committed by Alexander Schwartz
parent d5e82356f9
commit eedfd0ef51
4 changed files with 19 additions and 3 deletions

View file

@ -16,9 +16,7 @@
*/
package org.keycloak.services.resources.admin;
import org.jboss.logging.Logger;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.common.ClientConnection;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.LDAPConstants;
import org.keycloak.models.RealmModel;
@ -89,6 +87,7 @@ public class TestLdapConnectionResource {
@NoCache
@Consumes(MediaType.APPLICATION_JSON)
public Response testLDAPConnection(TestLdapConnectionRepresentation config) {
auth.realm().requireManageRealm();
try {
LDAPServerCapabilitiesManager.testLDAP(config, session, realm);
return Response.noContent().build();

View file

@ -74,6 +74,7 @@ public class ClientRegistrationPolicyResource {
@Tag(name = KeycloakOpenAPI.Admin.Tags.CLIENT_REGISTRATION_POLICY)
@Operation( summary="Base path for retrieve providers with the configProperties properly filled")
public Stream<ComponentTypeRepresentation> getProviders() {
auth.realm().requireViewRealm();
return session.getKeycloakSessionFactory().getProviderFactoriesStream(ClientRegistrationPolicy.class)
.map((ProviderFactory factory) -> {
ClientRegistrationPolicyFactory clientRegFactory = (ClientRegistrationPolicyFactory) factory;

View file

@ -1062,6 +1062,7 @@ public class UserResource {
@Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
@Operation()
public Map<String, List<String>> getUnmanagedAttributes() {
auth.users().requireView(user);
UserProfileProvider provider = session.getProvider(UserProfileProvider.class);
UserProfile profile = provider.create(USER_API, user);

View file

@ -51,6 +51,7 @@ import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RequiredActionProviderRepresentation;
import org.keycloak.representations.idm.RequiredActionProviderSimpleRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.TestLdapConnectionRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
@ -375,7 +376,11 @@ public class PermissionsTest extends AbstractKeycloakTest {
invoke(new InvocationWithResponse() {
public void invoke(RealmResource realm, AtomicReference<Response> response) {
response.set(realm.testLDAPConnection("nosuch", "nosuch", "nosuch", "nosuch", "nosuch", "nosuch"));
TestLdapConnectionRepresentation config = new TestLdapConnectionRepresentation(
"nosuch", "nosuch", "nosuch", "nosuch", "nosuch", "nosuch");
response.set(realm.testLDAPConnection(config.getAction(), config.getConnectionUrl(), config.getBindDn(),
config.getBindCredential(), config.getUseTruststoreSpi(), config.getConnectionTimeout()));
response.set(realm.testLDAPConnection(config));
}
}, Resource.REALM, true);
@ -1458,6 +1463,11 @@ public class PermissionsTest extends AbstractKeycloakTest {
realm.users().get(user.getId()).toRepresentation();
}
}, Resource.USER, false);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
realm.users().get(user.getId()).getUnmanagedAttributes();
}
}, Resource.USER, false);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
realm.users().get(user.getId()).update(user);
@ -1757,6 +1767,11 @@ public class PermissionsTest extends AbstractKeycloakTest {
realm.components().query("nosuch");
}
}, Resource.REALM, false);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
realm.clientRegistrationPolicy().getProviders();
}
}, Resource.REALM, false);
invoke(new InvocationWithResponse() {
public void invoke(RealmResource realm, AtomicReference<Response> response) {
response.set(realm.components().add(new ComponentRepresentation()));