KEYCLOAK-5152

Bill Burke 2017-07-14 14:14:38 -04:00
parent b0a33c9765
commit f68754290f
2 changed files with 15 additions and 12 deletions


@ -136,10 +136,13 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
if (root.admin().hasRole(role)) return true;
ClientModel adminClient = root.getRealmManagementClient();
// is this an admin role in 'realm-management' client of the realm we are managing?
if (adminClient.equals(role.getContainer())) {
// if this is realm admin role, then check to see if admin has similar permissions
// we do this so that the authz service is invoked
if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)) {
if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)
|| role.getName().equals(AdminRoles.CREATE_CLIENT)
) {
if (!root.clients().canManage()) {
return adminConflictMessage(role);
} else {
@ -151,6 +154,9 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
} else {
return true;
}
} else if (role.getName().equals(AdminRoles.QUERY_REALMS)) {
return true;
} else if (role.getName().equals(AdminRoles.QUERY_CLIENTS)) {
return true;
} else if (role.getName().equals(AdminRoles.QUERY_USERS)) {
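Review bot: The `QUERY_REALMS` branch in the second hunk returns `true` unconditionally and carries no comment saying why a `realm-management` role may be mapped without a further permission check. The `MANAGE_CLIENTS` / `CREATE_CLIENT` branch in the first hunk does document its reasoning ("we do this so that the authz service is invoked"). Because this method is an authorization decision, the query branches should state their assumption in place, for example `// query-* roles are mappable without an extra check; only list roles here that confer no management capability`. That wording is inferred intent and needs confirming by the author. The page shows no `+`/`-` markers, so which lines are new is also inferred. The if/else chain starts and continues outside both hunks, so the outcome for admin roles not named in it is not visible here.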


@ -658,13 +658,12 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
adminClient.realm(TEST).roles().create(composite);
composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
RoleRepresentation compositePart = new RoleRepresentation();
compositePart.setName("composite-part");
adminClient.realm(TEST).roles().create(compositePart);
compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
RoleRepresentation createClient = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
RoleRepresentation queryRealms = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.QUERY_REALMS).toRepresentation();
List<RoleRepresentation> composites = new LinkedList<>();
composites.add(compositePart);
composites.add(createClient);
composites.add(queryRealms);
adminClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
}
@ -693,13 +692,11 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
realmClient.realm(TEST).roles().create(composite);
composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
RoleRepresentation compositePart = new RoleRepresentation();
compositePart.setName("composite-part");
realmClient.realm(TEST).roles().create(compositePart);
compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
RoleRepresentation viewUsers = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
List<RoleRepresentation> composites = new LinkedList<>();
composites.add(compositePart);
composites.add(viewUsers);
realmClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
}
// testRestEvaluationMasterRealm
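Review bot: In the second hunk of this test file the local `viewUsers` is assigned the `AdminRoles.CREATE_CLIENT` role, so the name no longer matches what is added to the composite. In a permission test this can mislead a reader about which admin role is being exercised. Renaming it to match the first hunk would fix that: `RoleRepresentation createClient = ...roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();` and `composites.add(createClient);`. The page has lost its `+`/`-` markers, so this assumes the `viewUsers` lines are on the new side. Both enclosing test methods start outside the hunks.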