Missing auth checks in some admin endpoints (#166)

Closes keycloak/keycloak-private#156

Signed-off-by: rmartinc <rmartinc@redhat.com>
This commit is contained in:
rmartinc 2024-06-04 08:49:30 +02:00 committed by Alexander Schwartz
parent d5e82356f9
commit eedfd0ef51
4 changed files with 19 additions and 3 deletions


@ -16,9 +16,7 @@
*/ */
package org.keycloak.services.resources.admin; package org.keycloak.services.resources.admin;
import org.jboss.logging.Logger;
import org.jboss.resteasy.reactive.NoCache; import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.common.ClientConnection;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.LDAPConstants; import org.keycloak.models.LDAPConstants;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
@ -89,6 +87,7 @@ public class TestLdapConnectionResource {
@NoCache @NoCache
@Consumes(MediaType.APPLICATION_JSON) @Consumes(MediaType.APPLICATION_JSON)
public Response testLDAPConnection(TestLdapConnectionRepresentation config) { public Response testLDAPConnection(TestLdapConnectionRepresentation config) {
auth.realm().requireManageRealm();
try { try {
LDAPServerCapabilitiesManager.testLDAP(config, session, realm); LDAPServerCapabilitiesManager.testLDAP(config, session, realm);
return Response.noContent().build(); return Response.noContent().build();
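Review bot: The new `auth.realm().requireManageRealm();` at the top of testLDAPConnection is not reflected in the endpoint's documentation; a Javadoc line such as `/** Tests an LDAP connection with the supplied settings. Requires manage-realm permission: the bind is performed with caller-supplied credentials against a caller-supplied URL. */` would make the requirement visible in the generated API docs. Placing the check before the `try` is the right spot, since any catch block that follows (outside the hunk) then cannot translate the authorization failure into a different response. If this resource also serves the LDAP server-capabilities query, that method is outside the hunk and takes the same caller-supplied bind settings, so it needs the same guard. The rest of testLDAPConnection's body continues past the hunk.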


@ -74,6 +74,7 @@ public class ClientRegistrationPolicyResource {
@Tag(name = KeycloakOpenAPI.Admin.Tags.CLIENT_REGISTRATION_POLICY) @Tag(name = KeycloakOpenAPI.Admin.Tags.CLIENT_REGISTRATION_POLICY)
@Operation( summary="Base path for retrieve providers with the configProperties properly filled") @Operation( summary="Base path for retrieve providers with the configProperties properly filled")
public Stream<ComponentTypeRepresentation> getProviders() { public Stream<ComponentTypeRepresentation> getProviders() {
auth.realm().requireViewRealm();
return session.getKeycloakSessionFactory().getProviderFactoriesStream(ClientRegistrationPolicy.class) return session.getKeycloakSessionFactory().getProviderFactoriesStream(ClientRegistrationPolicy.class)
.map((ProviderFactory factory) -> { .map((ProviderFactory factory) -> {
ClientRegistrationPolicyFactory clientRegFactory = (ClientRegistrationPolicyFactory) factory; ClientRegistrationPolicyFactory clientRegFactory = (ClientRegistrationPolicyFactory) factory;
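Review bot: `auth.realm().requireViewRealm();` has to stay as the first statement of getProviders, as it is here, because the method returns a lazy Stream: a check placed inside the `.map` lambda would only run when the stream is consumed, presumably during response serialization after the status has been decided. A one-line comment would keep a later refactor from moving it: `// must run eagerly: the returned stream is evaluated after this method returns`. The `@Operation` summary does not mention the view-realm requirement either; consider appending it. getProviders' body continues past the hunk.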


@ -1062,6 +1062,7 @@ public class UserResource {
@Tag(name = KeycloakOpenAPI.Admin.Tags.USERS) @Tag(name = KeycloakOpenAPI.Admin.Tags.USERS)
@Operation() @Operation()
public Map<String, List<String>> getUnmanagedAttributes() { public Map<String, List<String>> getUnmanagedAttributes() {
auth.users().requireView(user);
UserProfileProvider provider = session.getProvider(UserProfileProvider.class); UserProfileProvider provider = session.getProvider(UserProfileProvider.class);
UserProfile profile = provider.create(USER_API, user); UserProfile profile = provider.create(USER_API, user);
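Review bot: The empty `@Operation()` on getUnmanagedAttributes gives no hint of the permission now enforced by `auth.users().requireView(user);`; `@Operation(summary = "Get the user's unmanaged attributes; requires view permission on the user")` would surface it in the OpenAPI document. Using the per-user `requireView(user)` rather than a realm-wide check matches the other read endpoints on this resource, and the PermissionsTest change in this commit exercises it with the view-level flag. The method body continues past the hunk.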


@ -51,6 +51,7 @@ import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RequiredActionProviderRepresentation; import org.keycloak.representations.idm.RequiredActionProviderRepresentation;
import org.keycloak.representations.idm.RequiredActionProviderSimpleRepresentation; import org.keycloak.representations.idm.RequiredActionProviderSimpleRepresentation;
import org.keycloak.representations.idm.RoleRepresentation; import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.TestLdapConnectionRepresentation;
import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation; import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation; import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
@ -375,7 +376,11 @@ public class PermissionsTest extends AbstractKeycloakTest {
invoke(new InvocationWithResponse() { invoke(new InvocationWithResponse() {
public void invoke(RealmResource realm, AtomicReference<Response> response) { public void invoke(RealmResource realm, AtomicReference<Response> response) {
response.set(realm.testLDAPConnection("nosuch", "nosuch", "nosuch", "nosuch", "nosuch", "nosuch")); TestLdapConnectionRepresentation config = new TestLdapConnectionRepresentation(
"nosuch", "nosuch", "nosuch", "nosuch", "nosuch", "nosuch");
response.set(realm.testLDAPConnection(config.getAction(), config.getConnectionUrl(), config.getBindDn(),
config.getBindCredential(), config.getUseTruststoreSpi(), config.getConnectionTimeout()));
response.set(realm.testLDAPConnection(config));
} }
}, Resource.REALM, true); }, Resource.REALM, true);
@ -1458,6 +1463,11 @@ public class PermissionsTest extends AbstractKeycloakTest {
realm.users().get(user.getId()).toRepresentation(); realm.users().get(user.getId()).toRepresentation();
} }
}, Resource.USER, false); }, Resource.USER, false);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
realm.users().get(user.getId()).getUnmanagedAttributes();
}
}, Resource.USER, false);
invoke(new Invocation() { invoke(new Invocation() {
public void invoke(RealmResource realm) { public void invoke(RealmResource realm) {
realm.users().get(user.getId()).update(user); realm.users().get(user.getId()).update(user);
@ -1757,6 +1767,11 @@ public class PermissionsTest extends AbstractKeycloakTest {
realm.components().query("nosuch"); realm.components().query("nosuch");
} }
}, Resource.REALM, false); }, Resource.REALM, false);
invoke(new Invocation() {
public void invoke(RealmResource realm) {
realm.clientRegistrationPolicy().getProviders();
}
}, Resource.REALM, false);
invoke(new InvocationWithResponse() { invoke(new InvocationWithResponse() {
public void invoke(RealmResource realm, AtomicReference<Response> response) { public void invoke(RealmResource realm, AtomicReference<Response> response) {
response.set(realm.components().add(new ComponentRepresentation())); response.set(realm.components().add(new ComponentRepresentation()));
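Review bot: In the hunk at line 375, the two `response.set(...)` calls inside one InvocationWithResponse leave only the last response (the JSON-body overload) visible to `invoke`, assuming it inspects the reference after the callback returns, so a missing check on the deprecated six-argument overload called just before it would go undetected; split them into two `invoke(new InvocationWithResponse() { ... }, Resource.REALM, true)` blocks, one per overload. The other two hunks only add view-level cases for getUnmanagedAttributes and getProviders and match the checks added in the resources.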