From f68754290f52ea8e8e2a7539e582a8f3e4c80643 Mon Sep 17 00:00:00 2001
From: Bill Burke
Date: Fri, 14 Jul 2017 14:14:38 -0400
Subject: [PATCH] KEYCLOAK-5152

---
 .../admin/permissions/RolePermissions.java | 8 +++++++-
 .../admin/FineGrainAdminUnitTest.java | 19 ++++++++-----------
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
index 091d7a58f7..951e724e7e 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
@@ -136,10 +136,13 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
 if (root.admin().hasRole(role)) return true;
 ClientModel adminClient = root.getRealmManagementClient();
+ // is this an admin role in 'realm-management' client of the realm we are managing?
 if (adminClient.equals(role.getContainer())) {
 // if this is realm admin role, then check to see if admin has similar permissions
 // we do this so that the authz service is invoked
- if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)) {
+ if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)
+ || role.getName().equals(AdminRoles.CREATE_CLIENT)
+ ) {
 if (!root.clients().canManage()) {
 return adminConflictMessage(role);
 } else {
@@ -151,6 +154,9 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
 } else {
 return true;
 }
+
+ } else if (role.getName().equals(AdminRoles.QUERY_REALMS)) {
+ return true;
 } else if (role.getName().equals(AdminRoles.QUERY_CLIENTS)) {
 return true;
 } else if (role.getName().equals(AdminRoles.QUERY_USERS)) {
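Review bot: The CREATE_CLIENT branch is now gated on `root.clients().canManage()`, which is a sensible bar for a role that lets its holder add clients to the realm, but nothing in the hunk records why create-client is folded into the manage-clients check instead of getting its own evaluation; a comment above the condition such as `// granting create-client is treated like manage-clients: the grantor must be allowed to manage all clients` would make that intent explicit. The closing `) {` on its own line is unusual for this file; keep the condition on two lines: `if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)` / `|| role.getName().equals(AdminRoles.CREATE_CLIENT)) {`. The enclosing method starts before the hunk and continues past it.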
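Review bot: The new QUERY_REALMS branch returns true without any further check, which matches the neighbouring QUERY_CLIENTS and QUERY_USERS branches but sits in a chain whose header comment (earlier in the method) says the branches exist so that the authz service is invoked; a short comment stating why the query-* roles are exempt would save the next reader the question, e.g. `// query-* roles are granted without consulting the authz service` — confirm that is the intended reasoning before wording it more strongly. The blank line added before `} else if (role.getName().equals(AdminRoles.QUERY_REALMS)) {` splits an else-if chain and should be dropped. The enclosing method starts and ends outside the hunk.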
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
index 5ea5797cea..6a737c89d9 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
@@ -658,13 +658,12 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
 adminClient.realm(TEST).roles().create(composite);
 composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
- RoleRepresentation compositePart = new RoleRepresentation();
- compositePart.setName("composite-part");
- adminClient.realm(TEST).roles().create(compositePart);
- compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
-
+ ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
+ RoleRepresentation createClient = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
+ RoleRepresentation queryRealms = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.QUERY_REALMS).toRepresentation();
 List composites = new LinkedList<>();
- composites.add(compositePart);
+ composites.add(createClient);
+ composites.add(queryRealms);
 adminClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
 }
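Review bot: The two new role lookups repeat the full `adminClient.realm(TEST).clients().get(client.getId()).roles()` chain, which hides the one thing that differs between them (the role name); fetch the realm-management roles resource once: `RolesResource rmRoles = adminClient.realm(TEST).clients().get(client.getId()).roles();` then `RoleRepresentation createClient = rmRoles.get(AdminRoles.CREATE_CLIENT).toRepresentation();` and `RoleRepresentation queryRealms = rmRoles.get(AdminRoles.QUERY_REALMS).toRepresentation();` (an import for the resource type is needed if the file lacks it). `findByClientId(...).get(0)` fails with a bare index error if the realm-management client is missing, which is acceptable in test setup but worth a one-line comment saying the client is expected to exist. The enclosing test method starts outside the hunk.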
@@ -693,13 +692,11 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
 realmClient.realm(TEST).roles().create(composite);
 composite = adminClient.realm(TEST).roles().get("composite").toRepresentation();
- RoleRepresentation compositePart = new RoleRepresentation();
- compositePart.setName("composite-part");
- realmClient.realm(TEST).roles().create(compositePart);
- compositePart = adminClient.realm(TEST).roles().get("composite-part").toRepresentation();
+ ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0);
+ RoleRepresentation viewUsers = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();
 List composites = new LinkedList<>();
- composites.add(compositePart);
+ composites.add(viewUsers);
 realmClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
 }
 // testRestEvaluationMasterRealm
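Review bot: The local `viewUsers` actually holds the `AdminRoles.CREATE_CLIENT` role, so its name misstates what this test adds to the composite and will mislead anyone reading the assertion that follows; rename it: `RoleRepresentation createClient = adminClient.realm(TEST).clients().get(client.getId()).roles().get(AdminRoles.CREATE_CLIENT).toRepresentation();` and `composites.add(createClient);`. The realm-management role lookup here is the same as in the hunk at line 658; a small private helper taking the role name would serve both and remove the duplicated `findByClientId(...).get(0)` chain. The enclosing test method starts outside the hunk.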