libre.sh/keycloak-scim
2
0
Fork 0
Code Issues 14 Pull requests Releases Packages Activity Actions 6

fine grain tests

Browse source
This commit is contained in:
Bill Burke 2017-05-08 13:48:51 -04:00
parent c3b44e61d4
commit f760427c5c
29 changed files with 1160 additions and 362 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
core/src/main/java/org/keycloak/representations/idm/ManagementPermissionReference.java Normal file
View file

@ -0,0 +1,53 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.representations.idm;
import java.util.Map;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class ManagementPermissionReference {
private boolean enabled;
private String resource;
private Map<String, String> scopePermissions;
public boolean isEnabled() {
return enabled;
}
public void setEnabled(boolean enabled) {
this.enabled = enabled;
}
public String getResource() {
return resource;
}
public void setResource(String resource) {
this.resource = resource;
}
public Map<String, String> getScopePermissions() {
return scopePermissions;
}
public void setScopePermissions(Map<String, String> scopePermissions) {
this.scopePermissions = scopePermissions;
}
}

16
services/src/main/java/org/keycloak/authorization/admin/permissions/MgmtPermissions.java
View file

@ -25,7 +25,9 @@ import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.resources.admin.AdminAuth;
@ -47,7 +49,8 @@ public class MgmtPermissions {
public MgmtPermissions(KeycloakSession session, RealmModel realm) {
this.session = session;
this.realm = realm;
AuthorizationProviderFactory factory = (AuthorizationProviderFactory)session.getKeycloakSessionFactory().getProviderFactory(AuthorizationProvider.class);
KeycloakSessionFactory keycloakSessionFactory = session.getKeycloakSessionFactory();
AuthorizationProviderFactory factory = (AuthorizationProviderFactory) keycloakSessionFactory.getProviderFactory(AuthorizationProvider.class);
this.authz = factory.create(session, realm);
}
public MgmtPermissions(KeycloakSession session, RealmModel realm, AdminAuth auth) {
@ -57,10 +60,11 @@ public class MgmtPermissions {
}
public boolean isAdminSameRealm() {
return realm.getId().equals(auth.getRealm().getId());
return auth == null || realm.getId().equals(auth.getRealm().getId());
}
public RealmAuth getRealmAuth() {
if (auth == null) return null;
RealmManager realmManager = new RealmManager(session);
if (auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
return new RealmAuth(auth, realm.getMasterAdminClient());
@ -71,7 +75,7 @@ public class MgmtPermissions {
public Identity identity() {
if (identity != null) return identity;
if (auth.getClient().getClientId().equals(Constants.REALM_MANAGEMENT_CLIENT_ID)) {
if (auth.getClient().getClientId().equals(Constants.ADMIN_CLI_CLIENT_ID)) {
this.identity = new UserModelIdentity(realm, auth.getUser());
} else {
@ -80,11 +84,17 @@ public class MgmtPermissions {
return this.identity;
}
public void setIdentity(UserModel user) {
this.identity = new UserModelIdentity(realm, user);
}
public RoleMgmtPermissions roles() {
return new RoleMgmtPermissions(session, realm, authz, this);
}
public UsersPermissions users() { return new UsersPermissions(session, realm, authz, this); }
public ResourceServer findOrCreateResourceServer(ClientModel client) {
ResourceServer server = authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
if (server == null) {

90
services/src/main/java/org/keycloak/authorization/admin/permissions/RoleMgmtPermissions.java
View file

@ -29,6 +29,7 @@ import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.permission.evaluator.PermissionEvaluator;
import org.keycloak.authorization.policy.evaluation.DecisionResult;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.store.ResourceStore;
import org.keycloak.authorization.util.Permissions;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
@ -59,16 +60,7 @@ public class RoleMgmtPermissions {
}
public boolean isPermissionsEnabled(RoleModel role) {
ClientModel client = getRoleClient(role);
ResourceServer server = authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
if (server == null) return false;
Resource resource = authz.getStoreFactory().getResourceStore().findByName(getRoleResourceName(role), server.getId());
if (resource == null) return false;
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapRoleScopePermissionName(role), server.getId());
return policy != null;
return mapRolePermission(role) != null;
}
public void setPermissionsEnabled(RoleModel role, boolean enable) {
@ -79,8 +71,7 @@ public class RoleMgmtPermissions {
}
createResource(role);
} else {
ClientModel client = getRoleClient(role);
ResourceServer server = authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
ResourceServer server = resourceServer(role);
if (server == null) return;
Resource resource = authz.getStoreFactory().getResourceStore().findByName(getRoleResourceName(role), server.getId());
if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId());
@ -89,6 +80,44 @@ public class RoleMgmtPermissions {
}
}
public Policy mapRolePermission(RoleModel role) {
ResourceServer server = resourceServer(role);
if (server == null) return null;
Resource resource = authz.getStoreFactory().getResourceStore().findByName(getRoleResourceName(role), server.getId());
if (resource == null) return null;
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getMapRoleScopePermissionName(role), server.getId());
return authz.getStoreFactory().getPolicyStore().findById(policy.getId(), server.getId());
}
public Resource resource(RoleModel role) {
ResourceStore resourceStore = authz.getStoreFactory().getResourceStore();
ResourceServer server = resourceServer(role);
if (server == null) return null;
Resource resource = resourceStore.findByName(getRoleResourceName(role), server.getId());
if (resource == null) return null;
return resourceStore.findById(resource.getId(), server.getId());
}
public ResourceServer resourceServer(RoleModel role) {
ClientModel client = getRoleClient(role);
return authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
}
/**
* Is admin allowed to map this role? In Authz terms, does the user have the "map-role" scope for the role's Authz resource?
*
* This method is hardcoded to return TRUE if any of these conditions are met:
* - The admin is from the master realm managing a different realm
* - If the Authz objects are not set up correctly for this role (resource server, resource, permission)
* - If the role's mapRole permission does not have a policy associated with it.
*
* Otherwise, it will use the Authz policy engine to resolve this answer.
*
* @param role
* @return
*/
public boolean canMapRole(RoleModel role) {
if (!root.isAdminSameRealm()) {
return true;
@ -101,22 +130,27 @@ public class RoleMgmtPermissions {
return true; // if no policies applied, just ignore
}
RealmModel oldRealm = session.getContext().getRealm();
try {
session.getContext().setRealm(realm);
Identity identity = root.identity();
Identity identity = root.identity();
EvaluationContext context = new DefaultEvaluationContext(identity, session);
DecisionResult decisionCollector = new DecisionResult();
Resource roleResource = resource(role);
Scope mapRoleScope = getMapRoleScope(resourceServer);
EvaluationContext context = new DefaultEvaluationContext(identity, session);
DecisionResult decisionCollector = new DecisionResult();
Resource roleResource = authz.getStoreFactory().getResourceStore().findByName(getRoleResourceName(role), resourceServer.getId());
Scope mapRoleScope = getMapRoleScope(resourceServer);
List<ResourcePermission> permissions = Permissions.permission(resourceServer, roleResource, mapRoleScope);
PermissionEvaluator from = authz.evaluators().from(permissions, context);
from.evaluate(decisionCollector);
if (!decisionCollector.completed()) {
logger.error("Failed to run map role policy check", decisionCollector.getError());
return false;
List<ResourcePermission> permissions = Permissions.permission(resourceServer, roleResource, mapRoleScope);
PermissionEvaluator from = authz.evaluators().from(permissions, context);
from.evaluate(decisionCollector);
if (!decisionCollector.completed()) {
logger.error("Failed to run map role policy check", decisionCollector.getError());
return false;
}
return decisionCollector.getResults().get(0).getEffect() == Decision.Effect.PERMIT;
} finally {
session.getContext().setRealm(oldRealm);
}
return decisionCollector.getResults().get(0).getEffect() == Decision.Effect.PERMIT;
}
@ -130,12 +164,12 @@ public class RoleMgmtPermissions {
return client;
}
public Policy getManageUsersPolicy(ResourceServer server) {
public Policy manageUsersPolicy(ResourceServer server) {
RoleModel role = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).getRole(AdminRoles.MANAGE_USERS);
return getRolePolicy(server, role);
return rolePolicy(server, role);
}
public Policy getRolePolicy(ResourceServer server, RoleModel role) {
public Policy rolePolicy(ResourceServer server, RoleModel role) {
String policyName = Helper.getRolePolicyName(role);
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(policyName, server.getId());
if (policy != null) return policy;

144
services/src/main/java/org/keycloak/authorization/admin/permissions/UsersPermissions.java
View file

@ -30,14 +30,13 @@ import org.keycloak.authorization.permission.evaluator.PermissionEvaluator;
import org.keycloak.authorization.policy.evaluation.DecisionResult;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.util.Permissions;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.resources.admin.AdminAuth;
import org.keycloak.services.resources.admin.RealmAuth;
import java.util.HashSet;
@ -45,11 +44,16 @@ import java.util.List;
import java.util.Set;
/**
* Manages default policies for all users.
*
*
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
public class UsersPermissions {
private static final Logger logger = Logger.getLogger(UsersPermissions.class);
public static final String MANAGE_PERMISSION_USERS = "manage.permission.users";
public static final String USERS_RESOURCE = "Users";
protected final KeycloakSession session;
protected final RealmModel realm;
protected final AuthorizationProvider authz;
@ -70,45 +74,44 @@ public class UsersPermissions {
manageScope = authz.getStoreFactory().getScopeStore().create(MgmtPermissions.MANAGE_SCOPE, server);
}
Resource usersResource = authz.getStoreFactory().getResourceStore().findByName("Users", server.getId());
Resource usersResource = authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
if (usersResource == null) {
usersResource = authz.getStoreFactory().getResourceStore().create("Users", server, server.getClientId());
usersResource = authz.getStoreFactory().getResourceStore().create(USERS_RESOURCE, server, server.getClientId());
}
Policy policy = authz.getStoreFactory().getPolicyStore().findByName("manage.permissions.users", server.getId());
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(MANAGE_PERMISSION_USERS, server.getId());
if (policy == null) {
Set<Scope> scopeset = new HashSet<>();
scopeset.add(manageScope);
usersResource.updateScopes(scopeset);
Policy manageUsersPolicy = root.roles().getManageUsersPolicy(server);
Helper.addScopePermission(authz, server, "manage.permission.users", usersResource, manageScope, manageUsersPolicy);
Policy manageUsersPolicy = root.roles().manageUsersPolicy(server);
Helper.addScopePermission(authz, server, MANAGE_PERMISSION_USERS, usersResource, manageScope, manageUsersPolicy);
}
}
public boolean isPermissionsEnabled() {
ClientModel client = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
ResourceServer server = authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
ResourceServer server = resourceServer();
if (server == null) return false;
Resource resource = authz.getStoreFactory().getResourceStore().findByName("Users", server.getId());
Resource resource = authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
if (resource == null) return false;
Policy policy = authz.getStoreFactory().getPolicyStore().findByName("manage.permissions.users", server.getId());
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(MANAGE_PERMISSION_USERS, server.getId());
return policy != null;
}
public void setPermissionsEnabled(RoleModel role, boolean enable) {
public void setPermissionsEnabled(boolean enable) {
ClientModel client = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
if (enable) {
initialize();
} else {
ResourceServer server = authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
if (server == null) return;
Resource usersResource = authz.getStoreFactory().getResourceStore().findByName("Users", server.getId());
Resource usersResource = authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
if (usersResource == null) {
authz.getStoreFactory().getResourceStore().delete(usersResource.getId());
}
Policy policy = authz.getStoreFactory().getPolicyStore().findByName("manage.permissions.users", server.getId());
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(MANAGE_PERMISSION_USERS, server.getId());
if (policy == null) {
authz.getStoreFactory().getPolicyStore().delete(policy.getId());
@ -117,9 +120,9 @@ public class UsersPermissions {
}
private Resource getUsersResource(ResourceServer server) {
Resource usersResource = authz.getStoreFactory().getResourceStore().findByName("Users", server.getId());
Resource usersResource = authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
if (usersResource == null) {
usersResource = authz.getStoreFactory().getResourceStore().create("Users", server, server.getClientId());
usersResource = authz.getStoreFactory().getResourceStore().create(USERS_RESOURCE, server, server.getClientId());
}
return usersResource;
}
@ -138,51 +141,108 @@ public class UsersPermissions {
return root.findOrCreateResourceServer(client);
}
private boolean canManageDefault() {
private boolean canManageDefault(UserModel admin) {
RealmAuth auth = root.getRealmAuth();
auth.init(RealmAuth.Resource.USER);
return auth.hasManage();
if (auth != null) {
auth.init(RealmAuth.Resource.USER);
return auth.hasManage();
} else {
ClientModel client = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
RoleModel manageUsers = client.getRole(AdminRoles.MANAGE_USERS);
return admin.hasRole(manageUsers);
}
}
public boolean canManage(UserModel user) {
public boolean canManage() {
if (root.getRealmAuth() == null) {
throw new NullPointerException("Realm auth null");
}
return canManage(root.getRealmAuth().getAuth().getUser());
}
public Resource resource() {
ResourceServer server = resourceServer();
if (server == null) return null;
Resource resource = authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
if (resource == null) return null;
return authz.getStoreFactory().getResourceStore().findById(resource.getId(), server.getId());
}
/**
* Is admin allowed to manage users? In Authz terms, does the admin have the "map-role" scope for the role's Authz resource?
*
* This method will follow the old default behavior (does the admin have the manage-users role) if any of these conditions
* are met.:
* - The admin is from the master realm managing a different realm
* - If the Authz objects are not set up correctly for the Users resource in Authz
* - The "manage" permission for the Users resource has an empty associatedPolicy list.
*
* Otherwise, it will use the Authz policy engine to resolve this answer.
*
* @param admin
* @return
*/
public boolean canManage(UserModel admin) {
if (!root.isAdminSameRealm()) {
return canManageDefault();
return canManageDefault(admin);
}
ClientModel client = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
ResourceServer server = authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
if (server == null) return canManageDefault();
ResourceServer server = resourceServer();
if (server == null) return canManageDefault(admin);
Resource resource = authz.getStoreFactory().getResourceStore().findByName("Users", server.getId());
if (resource == null) return canManageDefault();
Resource resource = authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, server.getId());
if (resource == null) return canManageDefault(admin);
Policy policy = authz.getStoreFactory().getPolicyStore().findByName("manage.permissions.users", server.getId());
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(MANAGE_PERMISSION_USERS, server.getId());
if (policy == null) {
return canManageDefault();
return canManageDefault(admin);
}
Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
// if no policies attached to permission then just do default behavior
if (associatedPolicies == null || associatedPolicies.isEmpty()) {
return canManageDefault();
return canManageDefault(admin);
}
Identity identity = root.identity();
EvaluationContext context = new DefaultEvaluationContext(identity, session);
DecisionResult decisionCollector = new DecisionResult();
ResourceServer resourceServer = getRealmManagementResourceServer();
Resource roleResource = authz.getStoreFactory().getResourceStore().findByName("Users", resourceServer.getId());
Scope manageScope = getManageScope(resourceServer);
RealmModel oldRealm = session.getContext().getRealm();
try {
session.getContext().setRealm(realm);
Identity identity = root.identity();
EvaluationContext context = new DefaultEvaluationContext(identity, session);
DecisionResult decisionCollector = new DecisionResult();
ResourceServer resourceServer = getRealmManagementResourceServer();
Resource roleResource = authz.getStoreFactory().getResourceStore().findByName(USERS_RESOURCE, resourceServer.getId());
Scope manageScope = getManageScope(resourceServer);
List<ResourcePermission> permissions = Permissions.permission(resourceServer, roleResource, manageScope);
PermissionEvaluator from = authz.evaluators().from(permissions, context);
from.evaluate(decisionCollector);
if (!decisionCollector.completed()) {
logger.error("Failed to run Users manage check", decisionCollector.getError());
return false;
List<ResourcePermission> permissions = Permissions.permission(resourceServer, roleResource, manageScope);
PermissionEvaluator from = authz.evaluators().from(permissions, context);
from.evaluate(decisionCollector);
if (!decisionCollector.completed()) {
logger.error("Failed to run Users manage check", decisionCollector.getError());
return false;
}
return decisionCollector.getResults().get(0).getEffect() == Decision.Effect.PERMIT;
} finally {
session.getContext().setRealm(oldRealm);
}
return decisionCollector.getResults().get(0).getEffect() == Decision.Effect.PERMIT;
}
public ResourceServer resourceServer() {
ClientModel client = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
return authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
}
public Policy managePermission() {
ResourceServer server = resourceServer();
Policy policy = authz.getStoreFactory().getPolicyStore().findByName(MANAGE_PERMISSION_USERS, server.getId());
// have to do this because findByName returns a Jpa Entity todo change when fixed
return authz.getStoreFactory().getPolicyStore().findById(policy.getId(), server.getId());
}
}

2
services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java
View file

@ -328,7 +328,7 @@ public class ClientResource {
@Path("roles")
public RoleContainerResource getRoleContainerResource() {
return new RoleContainerResource(uriInfo, realm, auth, client, adminEvent);
return new RoleContainerResource(session, uriInfo, realm, auth, client, adminEvent);
}
/**

44
services/src/main/java/org/keycloak/services/resources/admin/ClientRoleMappingsResource.java
View file

@ -19,6 +19,7 @@ package org.keycloak.services.resources.admin;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.NotFoundException;
import org.keycloak.authorization.admin.permissions.MgmtPermissions;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.ClientModel;
@ -30,6 +31,7 @@ import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.ForbiddenException;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
@ -63,6 +65,8 @@ public class ClientRoleMappingsResource {
protected ClientModel client;
protected AdminEventBuilder adminEvent;
private UriInfo uriInfo;
private RoleMapperResource.ManageResourcePermissionCheck manageResourcePermissionCheck;
public ClientRoleMappingsResource(UriInfo uriInfo, KeycloakSession session, RealmModel realm, RealmAuth auth, RoleMapperModel user, ClientModel client, AdminEventBuilder adminEvent) {
this.uriInfo = uriInfo;
@ -74,6 +78,12 @@ public class ClientRoleMappingsResource {
this.adminEvent = adminEvent.resource(ResourceType.CLIENT_ROLE_MAPPING);
}
public void setManageCheck(RoleMapperResource.ManageResourcePermissionCheck mapperPermissions) {
this.manageResourcePermissionCheck = mapperPermissions;
}
/**
* Get client-level role mappings for the user, and the app
*
@ -157,6 +167,17 @@ public class ClientRoleMappingsResource {
return mappings;
}
private void checkManagePermission() {
if (manageResourcePermissionCheck == null) {
auth.requireManage();
} else {
if (!manageResourcePermissionCheck.canManage()) {
throw new ForbiddenException();
}
}
}
/**
* Add client-level roles to the user role mapping
*
@ -165,7 +186,7 @@ public class ClientRoleMappingsResource {
@POST
@Consumes(MediaType.APPLICATION_JSON)
public void addClientRoleMapping(List<RoleRepresentation> roles) {
auth.requireManage();
checkManagePermission();
if (user == null || client == null) {
throw new NotFoundException("Not found");
@ -176,21 +197,28 @@ public class ClientRoleMappingsResource {
if (roleModel == null || !roleModel.getId().equals(role.getId())) {
throw new NotFoundException("Role not found");
}
checkMapRolePermission(roleModel);
user.grantRole(roleModel);
}
adminEvent.operation(OperationType.CREATE).resourcePath(uriInfo).representation(roles).success();
}
/**
* Delete client-level roles from user role mapping
*
* @param roles
*/
private void checkMapRolePermission(RoleModel roleModel) {
if (!new MgmtPermissions(session, realm, auth.getAuth()).roles().canMapRole(roleModel)) {
throw new ForbiddenException();
}
}
/**
* Delete client-level roles from user role mapping
*
* @param roles
*/
@DELETE
@Consumes(MediaType.APPLICATION_JSON)
public void deleteClientRoleMapping(List<RoleRepresentation> roles) {
auth.requireManage();
checkManagePermission();
if (user == null || client == null) {
throw new NotFoundException("Not found");
@ -205,6 +233,7 @@ public class ClientRoleMappingsResource {
ClientModel client = (ClientModel) roleModel.getContainer();
if (!client.getId().equals(this.client.getId())) continue;
}
checkMapRolePermission(roleModel);
user.deleteRoleMapping(roleModel);
roles.add(ModelToRepresentation.toRepresentation(roleModel));
}
@ -216,6 +245,7 @@ public class ClientRoleMappingsResource {
throw new NotFoundException("Role not found");
}
checkMapRolePermission(roleModel);
try {
user.deleteRoleMapping(roleModel);
} catch (ModelException me) {

53
services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
View file

@ -23,6 +23,9 @@ import org.jboss.resteasy.spi.NotFoundException;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.Config;
import org.keycloak.KeyPairVerifier;
import org.keycloak.authorization.admin.permissions.MgmtPermissions;
import org.keycloak.authorization.admin.permissions.RoleMgmtPermissions;
import org.keycloak.authorization.admin.permissions.UsersPermissions;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.PemUtils;
@ -44,6 +47,7 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.LDAPConstants;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.cache.CacheRealmProvider;
import org.keycloak.models.cache.UserCache;
@ -61,6 +65,7 @@ import org.keycloak.representations.idm.ComponentRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.GroupRepresentation;
import org.keycloak.representations.idm.ManagementPermissionReference;
import org.keycloak.representations.idm.PartialImportRepresentation;
import org.keycloak.representations.idm.RealmEventsConfigRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
@ -132,7 +137,6 @@ public class RealmAdminResource {
this.adminEvent = adminEvent.realm(realm).resource(ResourceType.REALM);
auth.init(RealmAuth.Resource.REALM);
auth.requireAny();
}
/**
@ -234,7 +238,7 @@ public class RealmAdminResource {
*/
@Path("roles")
public RoleContainerResource getRoleContainerResource() {
return new RoleContainerResource(uriInfo, realm, auth, realm, adminEvent);
return new RoleContainerResource(session, uriInfo, realm, auth, realm, adminEvent);
}
/**
@ -360,6 +364,51 @@ public class RealmAdminResource {
return users;
}
@NoCache
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("users-management-permissions")
public ManagementPermissionReference getUserMgmtPermissions() {
auth.requireView();
MgmtPermissions permissions = new MgmtPermissions(session, realm);
if (permissions.users().isPermissionsEnabled()) {
return toUsersMgmtRef(permissions);
} else {
return new ManagementPermissionReference();
}
}
@PUT
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@NoCache
@Path("users-management-permissions")
public ManagementPermissionReference setUsersManagementPermissionsEnabled(ManagementPermissionReference ref) {
auth.requireManage();
MgmtPermissions permissions = new MgmtPermissions(session, realm);
permissions.users().setPermissionsEnabled(ref.isEnabled());
if (ref.isEnabled()) {
return toUsersMgmtRef(permissions);
} else {
return new ManagementPermissionReference();
}
}
public static ManagementPermissionReference toUsersMgmtRef(MgmtPermissions permissions) {
ManagementPermissionReference ref = new ManagementPermissionReference();
ref.setEnabled(true);
ref.setResource(permissions.users().resource().getId());
Map<String, String> scopes = new HashMap<>();
scopes.put(MgmtPermissions.MANAGE_SCOPE, permissions.users().managePermission().getId());
ref.setScopePermissions(scopes);
return ref;
}
@Path("user-storage")
public UserStorageProviderResource userStorage() {
UserStorageProviderResource fed = new UserStorageProviderResource(realm, auth, adminEvent);

64
services/src/main/java/org/keycloak/services/resources/admin/RoleByIdResource.java
View file

@ -19,6 +19,8 @@ package org.keycloak.services.resources.admin;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.NotFoundException;
import org.keycloak.authorization.admin.permissions.MgmtPermissions;
import org.keycloak.authorization.admin.permissions.RoleMgmtPermissions;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.ClientModel;
@ -26,6 +28,7 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.ManagementPermissionReference;
import org.keycloak.representations.idm.RoleRepresentation;
import javax.ws.rs.Consumes;
@ -39,7 +42,9 @@ import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.UriInfo;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
/**
@ -244,4 +249,63 @@ public class RoleByIdResource extends RoleResource {
deleteComposites(adminEvent, uriInfo, roles, role);
}
/**
* Return object stating whether role Authoirzation permissions have been initialized or not and a reference
*
*
* @param id
* @return
*/
@Path("{role-id}/management/permissions")
@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public ManagementPermissionReference getManagementPermissions(final @PathParam("role-id") String id) {
auth.requireView();
RoleModel role = getRoleModel(id);
MgmtPermissions permissions = new MgmtPermissions(session, realm);
if (!permissions.roles().isPermissionsEnabled(role)) {
return new ManagementPermissionReference();
}
return toMgmtRef(role, permissions);
}
public static ManagementPermissionReference toMgmtRef(RoleModel role, MgmtPermissions permissions) {
ManagementPermissionReference ref = new ManagementPermissionReference();
ref.setEnabled(true);
ref.setResource(permissions.roles().resource(role).getId());
Map<String, String> scopes = new HashMap<>();
scopes.put(RoleMgmtPermissions.MAP_ROLE_SCOPE, permissions.roles().mapRolePermission(role).getId());
ref.setScopePermissions(scopes);
return ref;
}
/**
* Return object stating whether role Authoirzation permissions have been initialized or not and a reference
*
*
* @param id
* @return initialized manage permissions reference
*/
@Path("{role-id}/management/permissions")
@PUT
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@NoCache
public ManagementPermissionReference setManagementPermissionsEnabled(final @PathParam("role-id") String id, ManagementPermissionReference ref) {
auth.requireManage();
RoleModel role = getRoleModel(id);
MgmtPermissions permissions = new MgmtPermissions(session, realm);
permissions.roles().setPermissionsEnabled(role, ref.isEnabled());
if (ref.isEnabled()) {
return toMgmtRef(role, permissions);
} else {
return new ManagementPermissionReference();
}
}
}

73
services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java
View file

@ -19,14 +19,18 @@ package org.keycloak.services.resources.admin;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.NotFoundException;
import org.keycloak.authorization.admin.permissions.MgmtPermissions;
import org.keycloak.authorization.admin.permissions.RoleMgmtPermissions;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.ManagementPermissionReference;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.services.ErrorResponse;
@ -44,7 +48,9 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
/**
@ -58,14 +64,16 @@ public class RoleContainerResource extends RoleResource {
protected RoleContainerModel roleContainer;
private AdminEventBuilder adminEvent;
private UriInfo uriInfo;
private KeycloakSession session;
public RoleContainerResource(UriInfo uriInfo, RealmModel realm, RealmAuth auth, RoleContainerModel roleContainer, AdminEventBuilder adminEvent) {
public RoleContainerResource(KeycloakSession session, UriInfo uriInfo, RealmModel realm, RealmAuth auth, RoleContainerModel roleContainer, AdminEventBuilder adminEvent) {
super(realm);
this.uriInfo = uriInfo;
this.realm = realm;
this.auth = auth;
this.roleContainer = roleContainer;
this.adminEvent = adminEvent;
this.session = session;
}
/**
@ -355,4 +363,67 @@ public class RoleContainerResource extends RoleResource {
deleteComposites(adminEvent, uriInfo, roles, role);
}
/**
* Return object stating whether role Authoirzation permissions have been initialized or not and a reference
*
*
* @param roleName
* @return
*/
@Path("{role-name}/management/permissions")
@GET
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public ManagementPermissionReference getManagementPermissions(final @PathParam("role-name") String roleName) {
auth.requireView();
if (roleContainer == null) {
throw new NotFoundException("Could not find client");
}
RoleModel role = roleContainer.getRole(roleName);
if (role == null) {
throw new NotFoundException("Could not find role");
}
MgmtPermissions permissions = new MgmtPermissions(session, realm);
if (!permissions.roles().isPermissionsEnabled(role)) {
return new ManagementPermissionReference();
}
return RoleByIdResource.toMgmtRef(role, permissions);
}
/**
* Return object stating whether role Authoirzation permissions have been initialized or not and a reference
*
*
* @param roleName
* @return initialized manage permissions reference
*/
@Path("{role-name}/management/permissions")
@PUT
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@NoCache
public ManagementPermissionReference setManagementPermissionsEnabled(final @PathParam("role-name") String roleName, ManagementPermissionReference ref) {
auth.requireManage();
if (roleContainer == null) {
throw new NotFoundException("Could not find client");
}
RoleModel role = roleContainer.getRole(roleName);
if (role == null) {
throw new NotFoundException("Could not find role");
}
if (ref.isEnabled()) {
MgmtPermissions permissions = new MgmtPermissions(session, realm);
permissions.roles().setPermissionsEnabled(role, ref.isEnabled());
return RoleByIdResource.toMgmtRef(role, permissions);
} else {
return new ManagementPermissionReference();
}
}
}

48
services/src/main/java/org/keycloak/services/resources/admin/RoleMapperResource.java
View file

@ -19,6 +19,7 @@ package org.keycloak.services.resources.admin;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.NotFoundException;
import org.keycloak.authorization.admin.permissions.MgmtPermissions;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
@ -33,6 +34,7 @@ import org.keycloak.representations.idm.ClientMappingsRepresentation;
import org.keycloak.representations.idm.MappingsRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.ForbiddenException;
import org.keycloak.services.managers.RealmManager;
import javax.ws.rs.Consumes;
@ -64,6 +66,17 @@ import java.util.Set;
* @version $Revision: 1 $
*/
public class RoleMapperResource {
/**
* RoleMapperResource is reused bewteen GroupResource and UserResource to manage role mappings.
* We don't know what type of resource we're managing here (user or group), so we don't know how to query the policy engine to determine
* if an action is allowed.
*
*/
public interface ManageResourcePermissionCheck {
boolean canManage();
}
protected static final Logger logger = Logger.getLogger(RoleMapperResource.class);
protected RealmModel realm;
@ -74,6 +87,8 @@ public class RoleMapperResource {
private AdminEventBuilder adminEvent;
private ManageResourcePermissionCheck manageResourcePermissionCheck;
@Context
protected ClientConnection clientConnection;
@ -94,6 +109,9 @@ public class RoleMapperResource {
}
public void setManageCheck(ManageResourcePermissionCheck mapperPermissions) {
this.manageResourcePermissionCheck = mapperPermissions;
}
/**
* Get role mappings
@ -224,7 +242,7 @@ public class RoleMapperResource {
@POST
@Consumes(MediaType.APPLICATION_JSON)
public void addRealmRoleMappings(List<RoleRepresentation> roles) {
auth.requireManage();
checkManagePermission();
if (roleMapper == null) {
throw new NotFoundException("User not found");
@ -237,12 +255,23 @@ public class RoleMapperResource {
if (roleModel == null || !roleModel.getId().equals(role.getId())) {
throw new NotFoundException("Role not found");
}
checkMapRolePermission(roleModel);
roleMapper.grantRole(roleModel);
}
adminEvent.operation(OperationType.CREATE).resourcePath(uriInfo).representation(roles).success();
}
private void checkManagePermission() {
if (manageResourcePermissionCheck == null) {
auth.requireManage();
} else {
if (!manageResourcePermissionCheck.canManage()) {
throw new ForbiddenException();
}
}
}
/**
* Delete realm-level role mappings
*
@ -252,7 +281,7 @@ public class RoleMapperResource {
@DELETE
@Consumes(MediaType.APPLICATION_JSON)
public void deleteRealmRoleMappings(List<RoleRepresentation> roles) {
auth.requireManage();
checkManagePermission();
if (roleMapper == null) {
throw new NotFoundException("User not found");
@ -264,6 +293,7 @@ public class RoleMapperResource {
roles = new LinkedList<>();
for (RoleModel roleModel : roleModels) {
checkMapRolePermission(roleModel);
roleMapper.deleteRoleMapping(roleModel);
roles.add(ModelToRepresentation.toRepresentation(roleModel));
}
@ -274,7 +304,7 @@ public class RoleMapperResource {
if (roleModel == null || !roleModel.getId().equals(role.getId())) {
throw new NotFoundException("Role not found");
}
checkMapRolePermission(roleModel);
try {
roleMapper.deleteRoleMapping(roleModel);
} catch (ModelException me) {
@ -290,10 +320,20 @@ public class RoleMapperResource {
}
private void checkMapRolePermission(RoleModel roleModel) {
if (!new MgmtPermissions(session, realm, auth.getAuth()).roles().canMapRole(roleModel)) {
throw new ForbiddenException();
}
}
@Path("clients/{client}")
public ClientRoleMappingsResource getUserClientRoleMappingsResource(@PathParam("client") String client) {
ClientModel clientModel = realm.getClientById(client);
return new ClientRoleMappingsResource(uriInfo, session, realm, auth, roleMapper, clientModel, adminEvent);
ClientRoleMappingsResource resource = new ClientRoleMappingsResource(uriInfo, session, realm, auth, roleMapper, clientModel, adminEvent);
resource.setManageCheck(() -> {
return new MgmtPermissions(session, realm, auth.getAuth()).users().canManage();
});
return resource;
}
}

6
services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java
View file

@ -22,6 +22,7 @@ import org.jboss.resteasy.spi.BadRequestException;
import org.jboss.resteasy.spi.NotFoundException;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.authentication.RequiredActionProvider;
import org.keycloak.authorization.admin.permissions.MgmtPermissions;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Time;
@ -48,9 +49,7 @@ import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserLoginFailureModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.credential.PasswordUserCredentialModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.provider.ProviderFactory;
@ -723,6 +722,9 @@ public class UsersResource {
UserModel user = session.users().getUserById(id, realm);
RoleMapperResource resource = new RoleMapperResource(realm, auth, user, adminEvent);
resource.setManageCheck(() -> {
return new MgmtPermissions(session, realm, auth.getAuth()).users().canManage();
});
ResteasyProviderFactory.getInstance().injectProperties(resource);
return resource;

11
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/AdminClientUtil.java
View file

@ -42,6 +42,15 @@ import static org.keycloak.testsuite.util.IOUtil.PROJECT_BUILD_DIRECTORY;
public class AdminClientUtil {
public static Keycloak createAdminClient(boolean ignoreUnknownProperties) throws Exception {
String realmName = MASTER;
String username = ADMIN;
String password = ADMIN;
String clientId = Constants.ADMIN_CLI_CLIENT_ID;
String clientSecret = null;
return createAdminClient(ignoreUnknownProperties, realmName, username, password, clientId, clientSecret);
}
public static Keycloak createAdminClient(boolean ignoreUnknownProperties, String realmName, String username, String password, String clientId, String clientSecret) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, KeyManagementException {
SSLContext ssl = null;
if ("true".equals(System.getProperty("auth.server.ssl.required"))) {
File trustore = new File(PROJECT_BUILD_DIRECTORY, "dependency/keystore/keycloak.truststore");
@ -62,7 +71,7 @@ public class AdminClientUtil {
}
return Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
MASTER, ADMIN, ADMIN, Constants.ADMIN_CLI_CLIENT_ID, null, ssl, jacksonProvider);
realmName, username, password, clientId, clientSecret, ssl, jacksonProvider);
}
public static Keycloak createAdminClient() throws Exception {

260
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminLocalTest.java
View file

@ -1,260 +0,0 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.admin;
import org.junit.Assert;
import org.junit.Ignore;
import org.junit.Test;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.AuthorizationProviderFactory;
import org.keycloak.authorization.Decision;
import org.keycloak.authorization.common.DefaultEvaluationContext;
import org.keycloak.authorization.common.UserModelIdentity;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.Resource;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.authorization.model.Scope;
import org.keycloak.authorization.permission.ResourcePermission;
import org.keycloak.authorization.permission.evaluator.PermissionEvaluator;
import org.keycloak.authorization.policy.evaluation.DecisionResult;
import org.keycloak.authorization.policy.evaluation.EvaluationContext;
import org.keycloak.authorization.util.Permissions;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.DecisionEffect;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ScopePermissionRepresentation;
import org.keycloak.testsuite.AbstractKeycloakTest;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
//@Ignore
public class FineGrainAdminLocalTest extends AbstractKeycloakTest {
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
RealmRepresentation testRealmRep = new RealmRepresentation();
testRealmRep.setId(TEST);
testRealmRep.setRealm(TEST);
testRealmRep.setEnabled(true);
testRealms.add(testRealmRep);
}
public static void setupDefaults(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
ClientModel client = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
AuthorizationProviderFactory factory = (AuthorizationProviderFactory)session.getKeycloakSessionFactory().getProviderFactory(AuthorizationProvider.class);
AuthorizationProvider authz = factory.create(session, realm);
ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().create(client.getId());
Scope mapRoleScope = authz.getStoreFactory().getScopeStore().create("map-role", resourceServer);
Scope manageScope = authz.getStoreFactory().getScopeStore().create("manage", resourceServer);
Policy manageUsersPolicy = null;
Policy manageClientsPolicy = null;
for (RoleModel role : client.getRoles()) {
Policy policy = createRolePolicy(authz, resourceServer, role);
if (role.getName().equals(AdminRoles.MANAGE_USERS)) {
manageUsersPolicy = policy;
} else if (role.getName().equals(AdminRoles.MANAGE_CLIENTS)) {
manageClientsPolicy = policy;
}
Resource resource = createRoleResource(authz, resourceServer, role);
Set<Scope> scopeset = new HashSet<>();
scopeset.add(mapRoleScope);
resource.updateScopes(scopeset);
String name = "map.role.permission." + client.getClientId() + "." + role.getName();
Policy permission = addScopePermission(authz, resourceServer, name, resource, mapRoleScope, policy);
addEmptyScopePermission(authz, resourceServer, "empty. " + name, resource, mapRoleScope);
}
Resource usersResource = authz.getStoreFactory().getResourceStore().create("Users", resourceServer, resourceServer.getClientId());
Set<Scope> scopeset = new HashSet<>();
scopeset.add(manageScope);
usersResource.updateScopes(scopeset);
addScopePermission(authz, resourceServer, "Users.manage.permission", usersResource, manageScope, manageUsersPolicy);
}
private static Policy addScopePermission(AuthorizationProvider authz, ResourceServer resourceServer, String name, Resource resource, Scope scope, Policy policy) {
ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
representation.setName(name);
representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
representation.setLogic(Logic.POSITIVE);
representation.addResource(resource.getName());
representation.addScope(scope.getName());
representation.addPolicy(policy.getName());
return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
private static Policy addEmptyScopePermission(AuthorizationProvider authz, ResourceServer resourceServer, String name, Resource resource, Scope scope) {
ScopePermissionRepresentation representation = new ScopePermissionRepresentation();
representation.setName(name);
representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
representation.setLogic(Logic.POSITIVE);
representation.addResource(resource.getName());
representation.addScope(scope.getName());
return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
private static Resource createRoleResource(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
String roleName = getRoleResourceName(role);
Resource resource = authz.getStoreFactory().getResourceStore().create(roleName, resourceServer, resourceServer.getClientId());
resource.setType("Role");
return resource;
}
private static String getRoleResourceName(RoleModel role) {
String roleName = "realm";
if (role.getContainer() instanceof ClientModel) {
ClientModel client = (ClientModel)role.getContainer();
roleName = client.getClientId();
}
roleName = "role.resource." + roleName + "." + role.getName();
return roleName;
}
private static Policy createRolePolicy(AuthorizationProvider authz, ResourceServer resourceServer, RoleModel role) {
String roleName = "realm";
if (role.getContainer() instanceof ClientModel) {
ClientModel client = (ClientModel) role.getContainer();
roleName = client.getClientId() ;
}
roleName = "role.policy." + roleName + "." + role.getName();
PolicyRepresentation representation = new PolicyRepresentation();
representation.setName(roleName);
representation.setType("role");
representation.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
representation.setLogic(Logic.POSITIVE);
String roleValues = "[{\"id\":\"" + role.getId() + "\",\"required\": true}]";
Map<String, String> config = new HashMap<>();
config.put("roles", roleValues);
representation.setConfig(config);
return authz.getStoreFactory().getPolicyStore().create(representation, resourceServer);
}
public static void setupUsers(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
ClientModel client = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
UserModel admin = session.users().addUser(realm, "admin");
admin.grantRole(client.getRole(AdminRoles.REALM_ADMIN));
UserModel manageUserOnlyUser = session.users().addUser(realm, "manage-user");
RoleModel manageUsersRole = client.getRole(AdminRoles.MANAGE_USERS);
manageUserOnlyUser.grantRole(manageUsersRole);
UserModel manageRealmUser = session.users().addUser(realm, "manage-realm");
manageRealmUser.grantRole(manageUsersRole);
RoleModel manageRealmRole = client.getRole(AdminRoles.MANAGE_REALM);
manageRealmUser.grantRole(manageRealmRole);
}
@Test
public void testUI() throws Exception {
testingClient.server().run(FineGrainAdminLocalTest::setupDefaults);
testingClient.server().run(FineGrainAdminLocalTest::setupUsers);
Thread.sleep(1000000000);
}
public static void evaluateAdminHasManageRealmPermissions(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
session.getContext().setRealm(realm);
UserModel admin = session.users().getUserByUsername("admin", realm);
AuthorizationProvider authz = session.getProvider(AuthorizationProvider.class);
ClientModel client = realm.getClientByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID);
ResourceServer resourceServer = authz.getStoreFactory().getResourceServerStore().findByClient(client.getId());
RoleModel manageRealmRole = client.getRole(AdminRoles.MANAGE_REALM);
Resource roleResource = authz.getStoreFactory().getResourceStore().findByName(getRoleResourceName(manageRealmRole), resourceServer.getId());
Scope mapRoleScope = authz.getStoreFactory().getScopeStore().findByName("map-role", resourceServer.getId());
UserModelIdentity identity = new UserModelIdentity(realm, admin);
EvaluationContext context = new DefaultEvaluationContext(identity, session);
DecisionResult decisionCollector = new DecisionResult();
List<ResourcePermission> permissions = Permissions.permission(resourceServer, roleResource, mapRoleScope);
PermissionEvaluator from = authz.evaluators().from(permissions, context);
from.evaluate(decisionCollector);
if (!decisionCollector.completed()) {
decisionCollector.getError().printStackTrace();
}
Assert.assertTrue(decisionCollector.completed());
Assert.assertEquals(decisionCollector.getResults().get(0).getEffect(), Decision.Effect.PERMIT);
}
@Test
public void testEvaluation2() throws Exception {
testingClient.server().run(FineGrainAdminLocalTest::setupDefaults);
testingClient.server().run(FineGrainAdminLocalTest::setupUsers);
testingClient.server().run(FineGrainAdminLocalTest::evaluateAdminHasManageRealmPermissions);
}
@Test
public void testEvaluation() throws Exception {
testingClient.server().run(FineGrainAdminLocalTest::setupDefaults);
testingClient.server().run(FineGrainAdminLocalTest::setupUsers);
RealmResource realm = adminClient.realm(TEST);
String resourceServerId = realm.clients().findByClientId(Constants.REALM_MANAGEMENT_CLIENT_ID).get(0).getId();
UserRepresentation admin = realm.users().search("admin").get(0);
UserRepresentation manageUser = realm.users().search("manage-user").get(0);
UserRepresentation manageRealm = realm.users().search("manage-realm").get(0);
PolicyEvaluationRequest request = new PolicyEvaluationRequest();
request.setUserId(admin.getId());
request.setClientId(resourceServerId);
request.addResource("role.resource." + Constants.REALM_MANAGEMENT_CLIENT_ID + "." + AdminRoles.MANAGE_REALM,
"map-role");
PolicyEvaluationResponse result = realm.clients().get(resourceServerId).authorization().policies().evaluate(request);
Assert.assertEquals(result.getStatus(), DecisionEffect.PERMIT);
}
}

336
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java Normal file
View file

@ -0,0 +1,336 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.admin;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.authorization.admin.permissions.MgmtPermissions;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.DecisionEffect;
import org.keycloak.representations.idm.authorization.DecisionStrategy;
import org.keycloak.representations.idm.authorization.PolicyEvaluationRequest;
import org.keycloak.representations.idm.authorization.PolicyEvaluationResponse;
import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
import org.keycloak.testsuite.util.AdminClientUtil;
import javax.ws.rs.ClientErrorException;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.core.Response;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import static org.keycloak.testsuite.auth.page.AuthRealm.ADMIN;
import static org.keycloak.testsuite.auth.page.AuthRealm.MASTER;
import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
//@Ignore
public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
RealmRepresentation testRealmRep = new RealmRepresentation();
testRealmRep.setId(TEST);
testRealmRep.setRealm(TEST);
testRealmRep.setEnabled(true);
testRealms.add(testRealmRep);
}
public static void setupPolices(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
MgmtPermissions permissions = new MgmtPermissions(session, realm);
RoleModel realmRole = realm.addRole("realm-role");
RoleModel realmRole2 = realm.addRole("realm-role2");
ClientModel client1 = realm.addClient("role-namespace");
RoleModel client1Role = client1.addRole("client-role");
RoleModel mapperRole = realm.addRole("mapper");
RoleModel managerRole = realm.addRole("manager");
RoleModel compositeRole = realm.addRole("composite-role");
compositeRole.addCompositeRole(mapperRole);
compositeRole.addCompositeRole(managerRole);
// realm-role and role-namespace.client-role will have a role policy associated with their map-role permission
{
permissions.roles().setPermissionsEnabled(realmRole, true);
Policy mapRolePermission = permissions.roles().mapRolePermission(realmRole);
ResourceServer server = permissions.roles().resourceServer(realmRole);
Policy mapperPolicy = permissions.roles().rolePolicy(server, mapperRole);
mapRolePermission.addAssociatedPolicy(mapperPolicy);
}
{
permissions.roles().setPermissionsEnabled(client1Role, true);
Policy mapRolePermission = permissions.roles().mapRolePermission(client1Role);
ResourceServer server = permissions.roles().resourceServer(client1Role);
Policy mapperPolicy = permissions.roles().rolePolicy(server, mapperRole);
mapRolePermission.addAssociatedPolicy(mapperPolicy);
}
// realmRole2 will have an empty map-role policy
{
permissions.roles().setPermissionsEnabled(realmRole2, true);
}
// setup Users manage policies
{
permissions.users().setPermissionsEnabled(true);
ResourceServer server = permissions.users().resourceServer();
Policy managerPolicy = permissions.roles().rolePolicy(server, managerRole);
Policy permission = permissions.users().managePermission();
permission.addAssociatedPolicy(managerPolicy);
permission.setDecisionStrategy(DecisionStrategy.AFFIRMATIVE);
}
}
public static void setupUsers(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
ClientModel client = realm.getClientByClientId("role-namespace");
RoleModel realmRole = realm.getRole("realm-role");
RoleModel realmRole2 = realm.getRole("realm-role2");
RoleModel clientRole = client.getRole("client-role");
RoleModel mapperRole = realm.getRole("mapper");
RoleModel managerRole = realm.getRole("manager");
RoleModel compositeRole = realm.getRole("composite-role");
UserModel authorizedUser = session.users().addUser(realm, "authorized");
authorizedUser.setEnabled(true);
session.userCredentialManager().updateCredential(realm, authorizedUser, UserCredentialModel.password("password"));
authorizedUser.grantRole(mapperRole);
authorizedUser.grantRole(managerRole);
UserModel authorizedComposite = session.users().addUser(realm, "authorizedComposite");
authorizedComposite.setEnabled(true);
session.userCredentialManager().updateCredential(realm, authorizedComposite, UserCredentialModel.password("password"));
authorizedComposite.grantRole(compositeRole);
UserModel unauthorizedUser = session.users().addUser(realm, "unauthorized");
unauthorizedUser.setEnabled(true);
session.userCredentialManager().updateCredential(realm, unauthorizedUser, UserCredentialModel.password("password"));
UserModel unauthorizedMapper = session.users().addUser(realm, "unauthorizedMapper");
unauthorizedMapper.setEnabled(true);
session.userCredentialManager().updateCredential(realm, unauthorizedMapper, UserCredentialModel.password("password"));
unauthorizedMapper.grantRole(managerRole);
UserModel user1 = session.users().addUser(realm, "user1");
user1.setEnabled(true);
UserModel user2 = session.users().addUser(realm, "user2");
user2.setEnabled(true);
UserModel user3 = session.users().addUser(realm, "user3");
user3.setEnabled(true);
UserModel user4 = session.users().addUser(realm, "user4");
user4.setEnabled(true);
}
public static void evaluateLocally(KeycloakSession session) {
RealmModel realm = session.realms().getRealmByName(TEST);
RoleModel realmRole = realm.getRole("realm-role");
RoleModel realmRole2 = realm.getRole("realm-role2");
ClientModel client = realm.getClientByClientId("role-namespace");
RoleModel clientRole = client.getRole("client-role");
// test authorized
{
UserModel user = session.users().getUserByUsername("authorized", realm);
MgmtPermissions permissionsForAdmin = new MgmtPermissions(session, realm);
permissionsForAdmin.setIdentity(user);
Assert.assertTrue(permissionsForAdmin.users().canManage(user));
Assert.assertTrue(permissionsForAdmin.roles().canMapRole(realmRole));
Assert.assertTrue(permissionsForAdmin.roles().canMapRole(realmRole2));
Assert.assertTrue(permissionsForAdmin.roles().canMapRole(clientRole));
}
// test composite role
{
UserModel user = session.users().getUserByUsername("authorizedComposite", realm);
MgmtPermissions permissionsForAdmin = new MgmtPermissions(session, realm);
permissionsForAdmin.setIdentity(user);
Assert.assertTrue(permissionsForAdmin.users().canManage(user));
Assert.assertTrue(permissionsForAdmin.roles().canMapRole(realmRole));
Assert.assertTrue(permissionsForAdmin.roles().canMapRole(realmRole2));
Assert.assertTrue(permissionsForAdmin.roles().canMapRole(clientRole));
}
// test unauthorized
{
UserModel user = session.users().getUserByUsername("unauthorized", realm);
MgmtPermissions permissionsForAdmin = new MgmtPermissions(session, realm);
permissionsForAdmin.setIdentity(user);
Assert.assertFalse(permissionsForAdmin.users().canManage(user));
Assert.assertFalse(permissionsForAdmin.roles().canMapRole(realmRole));
Assert.assertFalse(permissionsForAdmin.roles().canMapRole(clientRole));
// will result to true because realmRole2 does not have any policies attached to this permission
Assert.assertTrue(permissionsForAdmin.roles().canMapRole(realmRole2));
}
// test unauthorized mapper
{
UserModel user = session.users().getUserByUsername("unauthorizedMapper", realm);
MgmtPermissions permissionsForAdmin = new MgmtPermissions(session, realm);
permissionsForAdmin.setIdentity(user);
Assert.assertTrue(permissionsForAdmin.users().canManage(user));
Assert.assertFalse(permissionsForAdmin.roles().canMapRole(realmRole));
Assert.assertFalse(permissionsForAdmin.roles().canMapRole(clientRole));
// will result to true because realmRole2 does not have any policies attached to this permission
Assert.assertTrue(permissionsForAdmin.roles().canMapRole(realmRole2));
}
}
protected boolean isImportAfterEachMethod() {
return true;
}
@Test
public void testUI() throws Exception {
testingClient.server().run(FineGrainAdminUnitTest::setupPolices);
testingClient.server().run(FineGrainAdminUnitTest::setupUsers);
Thread.sleep(1000000000);
}
@Test
public void testEvaluationLocal() throws Exception {
testingClient.server().run(FineGrainAdminUnitTest::setupPolices);
testingClient.server().run(FineGrainAdminUnitTest::setupUsers);
testingClient.server().run(FineGrainAdminUnitTest::evaluateLocally);
}
@Test
public void testRestEvaluation() throws Exception {
testingClient.server().run(FineGrainAdminUnitTest::setupPolices);
testingClient.server().run(FineGrainAdminUnitTest::setupUsers);
UserRepresentation user1 = adminClient.realm(TEST).users().search("user1").get(0);
UserRepresentation user2 = adminClient.realm(TEST).users().search("user2").get(0);
UserRepresentation user3 = adminClient.realm(TEST).users().search("user3").get(0);
UserRepresentation user4 = adminClient.realm(TEST).users().search("user4").get(0);
RoleRepresentation realmRole = adminClient.realm(TEST).roles().get("realm-role").toRepresentation();
List<RoleRepresentation> realmRoleSet = new LinkedList<>();
realmRoleSet.add(realmRole);
RoleRepresentation realmRole2 = adminClient.realm(TEST).roles().get("realm-role2").toRepresentation();
List<RoleRepresentation> realmRole2Set = new LinkedList<>();
realmRole2Set.add(realmRole);
ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId("role-namespace").get(0);
RoleRepresentation clientRole = adminClient.realm(TEST).clients().get(client.getId()).roles().get("client-role").toRepresentation();
List<RoleRepresentation> clientRoleSet = new LinkedList<>();
clientRoleSet.add(clientRole);
{
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "authorized", "password", Constants.ADMIN_CLI_CLIENT_ID, null);
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet);
List<RoleRepresentation> roles = adminClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().listAll();
Assert.assertTrue(roles.stream().anyMatch((r) -> {
return r.getName().equals("realm-role");
}));
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().remove(realmRoleSet);
roles = adminClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().listAll();
Assert.assertTrue(roles.stream().noneMatch((r) -> {
return r.getName().equals("realm-role");
}));
realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).add(clientRoleSet);
roles = adminClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).listAll();
Assert.assertTrue(roles.stream().anyMatch((r) -> {
return r.getName().equals("client-role");
}));
realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).remove(clientRoleSet);
roles = adminClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).listAll();
Assert.assertTrue(roles.stream().noneMatch((r) -> {
return r.getName().equals("client-role");
}));
realmClient.close();
}
{
Keycloak realmClient= AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "authorizedComposite", "password", Constants.ADMIN_CLI_CLIENT_ID, null);
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet);
List<RoleRepresentation> roles = adminClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().listAll();
Assert.assertTrue(roles.stream().anyMatch((r) -> {
return r.getName().equals("realm-role");
}));
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().remove(realmRoleSet);
roles = adminClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().listAll();
Assert.assertTrue(roles.stream().noneMatch((r) -> {
return r.getName().equals("realm-role");
}));
realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).add(clientRoleSet);
roles = adminClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).listAll();
Assert.assertTrue(roles.stream().anyMatch((r) -> {
return r.getName().equals("client-role");
}));
realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).remove(clientRoleSet);
roles = adminClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).listAll();
Assert.assertTrue(roles.stream().noneMatch((r) -> {
return r.getName().equals("client-role");
}));
}
{
Keycloak realmClient= AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "unauthorized", "password", Constants.ADMIN_CLI_CLIENT_ID, null);
try {
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet);
Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403);
}
}
{
Keycloak realmClient= AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "unauthorizedMapper", "password", Constants.ADMIN_CLI_CLIENT_ID, null);
try {
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet);
Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403);
}
}
}
}

9
themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
View file

@ -1290,8 +1290,13 @@ disable-credentials=Disable Credentials
credential-reset-actions=Credential Reset
ldap-mappers=LDAP Mappers
create-ldap-mapper=Create LDAP mapper
map-role-mgmt-scope-description=Policies that decide if an admin can map this role to a user or group
manage-mgmt-scope-description=Policies that decide if an admin can manage this resource or resources
permissions-enabled-role=Permissions Enabled
permissions-enabled-role.tooltip=Whether or not to enable fine grain permissions for this role. Disabling will delete all current permissions that have been set up.
manage-permissions-role.tooltip=Fine grain permissions for managing roles. For example, you can define different policies for who is allowed to map a role.
lookup=Lookup
manage-permissions-users.tooltip=Fine grain permssions for managing all users in realm. You can define different policies for who is allowed to manage users in the realm.

18
themes/src/main/resources/theme/base/admin/resources/js/app.js
View file

@ -2345,6 +2345,24 @@ module.directive('kcTabsAuthentication', function () {
}
});
module.directive('kcTabsRole', function () {
return {
scope: true,
restrict: 'E',
replace: true,
templateUrl: resourceUrl + '/templates/kc-tabs-role.html'
}
});
module.directive('kcTabsClientRole', function () {
return {
scope: true,
restrict: 'E',
replace: true,
templateUrl: resourceUrl + '/templates/kc-tabs-client-role.html'
}
});
module.directive('kcTabsUser', function () {
return {
scope: true,

36
themes/src/main/resources/theme/base/admin/resources/js/authz/authz-app.js
View file

@ -373,7 +373,41 @@ module.config(['$routeProvider', function ($routeProvider) {
}
},
controller: 'ResourceServerPolicyAggregateDetailCtrl'
});
}).when('/realms/:realm/roles/:role/permissions', {
templateUrl : resourceUrl + '/partials/authz/mgmt/realm-role-permissions.html',
resolve : {
realm : function(RealmLoader) {
return RealmLoader();
},
role : function(RoleLoader) {
return RoleLoader();
}
},
controller : 'RealmRolePermissionsCtrl'
}).when('/realms/:realm/clients/:client/roles/:role/permissions', {
templateUrl : resourceUrl + '/partials/authz/mgmt/client-role-permissions.html',
resolve : {
realm : function(RealmLoader) {
return RealmLoader();
},
client : function(ClientLoader) {
return ClientLoader();
},
role : function(RoleLoader) {
return RoleLoader();
}
},
controller : 'ClientRolePermissionsCtrl'
}).when('/realms/:realm/users-permissions', {
templateUrl : resourceUrl + '/partials/authz/mgmt/users-permissions.html',
resolve : {
realm : function(RealmLoader) {
return RealmLoader();
}
},
controller : 'UsersPermissionsCtrl'
})
;
}]);
module.directive('kcTabsResourceServer', function () {

59
themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
View file

@ -2353,4 +2353,61 @@ module.controller('PolicyEvaluateCtrl', function($scope, $http, $route, $locatio
$scope.authzRequest.userId = user.id;
}
});
});
module.controller('RealmRolePermissionsCtrl', function($scope, $http, $route, $location, realm, role, RoleManagementPermissions, Client, Notifications) {
console.log('RealmRolePermissionsCtrl');
$scope.role = role;
$scope.realm = realm;
RoleManagementPermissions.get({realm: realm.realm, role: role.id}, function(data) {
$scope.permissions = data;
});
Client.query({realm: realm.realm, clientId: 'realm-management'}, function(data) {
$scope.realmManagementClientId = data[0].id;
});
$scope.setEnabled = function() {
var param = { enabled: $scope.permissions.enabled};
RoleManagementPermissions.update({realm: realm.realm, role:role.id}, param, function(data) {
$scope.permissions = data;
})
};
});
module.controller('ClientRolePermissionsCtrl', function($scope, $http, $route, $location, realm, client, role, RoleManagementPermissions, Client, Notifications) {
console.log('RealmRolePermissionsCtrl');
$scope.client = client;
$scope.role = role;
$scope.realm = realm;
RoleManagementPermissions.get({realm: realm.realm, role: role.id}, function(data) {
$scope.permissions = data;
});
$scope.setEnabled = function() {
var param = { enabled: $scope.permissions.enabled};
RoleManagementPermissions.update({realm: realm.realm, role:role.id}, param, function(data) {
$scope.permissions = data;
})
};
});
module.controller('UsersPermissionsCtrl', function($scope, $http, $route, $location, realm, UsersManagementPermissions, Client, Notifications) {
console.log('UsersPermissionsCtrl');
$scope.realm = realm;
UsersManagementPermissions.get({realm: realm.realm, role: role.id}, function(data) {
$scope.permissions = data;
});
Client.query({realm: realm.realm, clientId: 'realm-management'}, function(data) {
$scope.realmManagementClientId = data[0].id;
});
$scope.setEnabled = function() {
var param = { enabled: $scope.permissions.enabled};
UsersManagementPermissions.update({realm: realm.realm, role:role.id}, param, function(data) {
$scope.permissions = data;
})
};
});

15
themes/src/main/resources/theme/base/admin/resources/js/controllers/realm.js
View file

@ -1326,6 +1326,21 @@ module.controller('RealmRevocationCtrl', function($scope, Realm, RealmPushRevoca
});
module.controller('RoleTabCtrl', function(Dialog, $scope, Current, Notifications, $location) {
$scope.removeRole = function() {
Dialog.confirmDelete($scope.role.name, 'role', function() {
RoleById.remove({
realm: realm.realm,
role: $scope.role.id
}, function () {
$route.reload();
Notifications.success("The role has been deleted.");
});
});
};
});
module.controller('RoleListCtrl', function($scope, $route, Dialog, Notifications, realm, roles, RoleById, filterFilter) {
$scope.realm = realm;
$scope.roles = roles;

22
themes/src/main/resources/theme/base/admin/resources/js/services.js
View file

@ -841,6 +841,28 @@ module.factory('Role', function($resource) {
});
});
module.factory('RoleManagementPermissions', function($resource) {
return $resource(authUrl + '/admin/realms/:realm/roles-by-id/:role/management/permissions', {
realm : '@realm',
role : '@role'
}, {
update: {
method: 'PUT'
}
});
});
module.factory('UsersManagementPermissions', function($resource) {
return $resource(authUrl + '/admin/realms/:realm/users-management-permissions', {
realm : '@realm'
}, {
update: {
method: 'PUT'
}
});
});
module.factory('RoleById', function($resource) {
return $resource(authUrl + '/admin/realms/:realm/roles-by-id/:role', {
realm : '@realm',

41
themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-role-permissions.html Normal file
View file

@ -0,0 +1,41 @@
<div class="col-sm-9 col-md-10 col-sm-push-3 col-md-push-2">
<ol class="breadcrumb">
<li><a href="#/realms/{{realm.realm}}/clients">{{:: 'clients' | translate}}</a></li>
<li><a href="#/realms/{{realm.realm}}/clients/{{client.id}}">{{client.clientId}}</a></li>
<li><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/roles">{{:: 'roles' | translate}}</a></li>
<li>{{role.name}}</li>
</ol>
<kc-tabs-client-role></kc-tabs-client-role>
<form class=form-horizontal" name="enableForm" novalidate kc-read-only="!access.manageAuthorization">
<fieldset class="border-top">
<div class="form-group">
<label class="col-md-2 control-label" for="permissionsEnabled">{{:: 'permissions-enabled-role' | translate}}</label>
<div class="col-md-6">
<input ng-model="permissions.enabled" ng-click="setEnabled()" name="permissionsEnabled" id="permissionsEnabled" ng-disabled="!access.manageAuthorization" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
</div>
<kc-tooltip>{{:: 'permissions-enabled-role.tooltip' | translate}}</kc-tooltip>
</div>
</fieldset>
</form>
<table class="datatable table table-striped table-bordered dataTable no-footer" data-ng-show="permissions.enabled">
<thead>
<tr>
<th>{{:: 'scope-name' | translate}}</th>
<th>{{:: 'description' | translate}}</th>
<th colspan="2">{{:: 'actions' | translate}}</th>
</tr>
</thead>
<tbody>
<tr ng-repeat="(scopeName, scopeId) in permissions.scopePermissions">
<td><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server/permission/scope/{{scopeId}}">{{scopeName}}</a></td>
<td translate="{{scopeName}}-mgmt-scope-description"></td>
<td class="kc-action-cell" kc-open="/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server/permission/scope/{{scopeId}}">{{:: 'edit' | translate}}</td>
</tr>
</tbody>
</table>
</div>
<kc-menu></kc-menu>

39
themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/realm-role-permissions.html Normal file
View file

@ -0,0 +1,39 @@
<div class="col-sm-9 col-md-10 col-sm-push-3 col-md-push-2">
<ol class="breadcrumb">
<li><a href="#/realms/{{realm.realm}}/roles">{{:: 'roles' | translate}}</a></li>
<li>{{role.name}}</li>
</ol>
<kc-tabs-role></kc-tabs-role>
<form class=form-horizontal" name="enableForm" novalidate kc-read-only="!access.manageAuthorization">
<fieldset class="border-top">
<div class="form-group">
<label class="col-md-2 control-label" for="permissionsEnabled">{{:: 'permissions-enabled' | translate}}</label>
<div class="col-md-6">
<input ng-model="permissions.enabled" ng-click="setEnabled()" name="permissionsEnabled" id="permissionsEnabled" ng-disabled="!access.manageAuthorization" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
</div>
<kc-tooltip>{{:: 'permissions-enabled.tooltip' | translate}}</kc-tooltip>
</div>
</fieldset>
</form>
<table class="datatable table table-striped table-bordered dataTable no-footer" data-ng-show="permissions.enabled">
<thead>
<tr>
<th>{{:: 'scope-name' | translate}}</th>
<th>{{:: 'description' | translate}}</th>
<th colspan="2">{{:: 'actions' | translate}}</th>
</tr>
</thead>
<tbody>
<tr ng-repeat="(scopeName, scopeId) in permissions.scopePermissions">
<td><a href="#/realms/{{realm.realm}}/clients/{{realmManagementClientId}}/authz/resource-server/permission/scope/{{scopeId}}">{{scopeName}}</a></td>
<td translate="{{scopeName}}-mgmt-scope-description"></td>
<td class="kc-action-cell" kc-open="/realms/{{realm.realm}}/clients/{{realmManagementClientId}}/authz/resource-server/permission/scope/{{scopeId}}">{{:: 'edit' | translate}}</td>
</tr>
</tbody>
</table>
</div>
<kc-menu></kc-menu>

35
themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/users-permissions.html Normal file
View file

@ -0,0 +1,35 @@
<div class="col-sm-9 col-md-10 col-sm-push-3 col-md-push-2">
<kc-tabs-users></kc-tabs-users>
<form class=form-horizontal" name="enableForm" novalidate kc-read-only="!access.manageAuthorization">
<fieldset class="border-top">
<div class="form-group">
<label class="col-md-2 control-label" for="permissionsEnabled">{{:: 'permissions-enabled' | translate}}</label>
<div class="col-md-6">
<input ng-model="permissions.enabled" ng-click="setEnabled()" name="permissionsEnabled" id="permissionsEnabled" ng-disabled="!access.manageAuthorization" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
</div>
<kc-tooltip>{{:: 'permissions-enabled.tooltip' | translate}}</kc-tooltip>
</div>
</fieldset>
</form>
<table class="datatable table table-striped table-bordered dataTable no-footer" data-ng-show="permissions.enabled">
<thead>
<tr>
<th>{{:: 'scope-name' | translate}}</th>
<th>{{:: 'description' | translate}}</th>
<th colspan="2">{{:: 'actions' | translate}}</th>
</tr>
</thead>
<tbody>
<tr ng-repeat="(scopeName, scopeId) in permissions.scopePermissions">
<td><a href="#/realms/{{realm.realm}}/clients/{{realmManagementClientId}}/authz/resource-server/permission/scope/{{scopeId}}">{{scopeName}}</a></td>
<td translate="{{scopeName}}-mgmt-scope-description"></td>
<td class="kc-action-cell" kc-open="/realms/{{realm.realm}}/clients/{{realmManagementClientId}}/authz/resource-server/permission/scope/{{scopeId}}">{{:: 'edit' | translate}}</td>
</tr>
</tbody>
</table>
</div>
<kc-menu></kc-menu>

4
themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html
View file

@ -8,9 +8,7 @@
<li data-ng-hide="create">{{role.name}}</li>
</ol>
<h1 data-ng-show="create">{{:: 'add-role' | translate}}</h1>
<h1 data-ng-hide="create">{{role.name|capitalize}}<i class="pficon pficon-delete clickable" data-ng-show="!create && access.manageClients"
data-ng-hide="changed" data-ng-click="remove()"></i></h1>
<kc-tabs-client-role></kc-tabs-client-role>
<form class="form-horizontal" name="realmForm" novalidate kc-read-only="!access.manageClients">

4
themes/src/main/resources/theme/base/admin/resources/partials/role-detail.html
View file

@ -6,9 +6,7 @@
<li data-ng-show="create">{{:: 'add-role' | translate}}</li>
</ol>
<h1 data-ng-hide="create">{{role.name|capitalize}} <i id="removeRole" class="pficon pficon-delete clickable" data-ng-show="!create && access.manageRealm"
data-ng-hide="changed" data-ng-click="remove()"></i></h1>
<h1 data-ng-show="create">{{:: 'add-role' | translate}}</h1>
<kc-tabs-role></kc-tabs-role>
<form class="form-horizontal clearfix" name="realmForm" novalidate kc-read-only="!access.manageRealm">
<fieldset>

3
themes/src/main/resources/theme/base/admin/resources/partials/user-list.html
View file

@ -1,5 +1,6 @@
<div class="col-sm-9 col-md-10 col-sm-push-3 col-md-push-2" ng-init="init()">
<h1>{{:: 'users' | translate}}</h1>
<kc-tabs-users></kc-tabs-users>
<table class="table table-striped table-bordered">
<caption data-ng-show="users" class="hidden">{{:: 'table-of-realm-users' | translate}}</caption>

13
themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client-role.html Executable file
View file

@ -0,0 +1,13 @@
<div data-ng-controller="RoleTabCtrl">
<h1 data-ng-show="create">{{:: 'add-role' | translate}}</h1>
<h1 data-ng-hide="create">{{role.name|capitalize}}<i class="pficon pficon-delete clickable" data-ng-show="!create && access.manageClients"
data-ng-hide="changed" data-ng-click="remove()"></i></h1>
<ul class="nav nav-tabs" data-ng-show="!create">
<li ng-class="{active: !path[6]}"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/roles/{{role.id}}">{{:: 'details' | translate}}</a></li>
<li ng-class="{active: path[6] && path[6] == 'permissions'}">
<a href="#/realms/{{realm.realm}}/clients/{{client.id}}/roles/{{role.id}}/permissions">{{:: 'authz-permissions' | translate}}</a>
<kc-tooltip>{{:: 'manage-permissions-role.tooltip' | translate}}</kc-tooltip>
</li>
</ul>
</div>

13
themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-role.html Executable file
View file

@ -0,0 +1,13 @@
<div data-ng-controller="RoleTabCtrl">
<h1 data-ng-hide="create">{{role.name|capitalize}} <i id="removeRole" class="pficon pficon-delete clickable" data-ng-show="!create && access.manageRealm"
data-ng-hide="changed" data-ng-click="remove()"></i></h1>
<h1 data-ng-show="create">{{:: 'add-role' | translate}}</h1>
<ul class="nav nav-tabs" data-ng-show="!create">
<li ng-class="{active: !path[4]}"><a href="#/realms/{{realm.realm}}/roles/{{role.id}}">{{:: 'details' | translate}}</a></li>
<li ng-class="{active: path[4] == 'permissions'}">
<a href="#/realms/{{realm.realm}}/roles/{{role.id}}/permissions">{{:: 'authz-permissions' | translate}}</a>
<kc-tooltip>{{:: 'manage-permissions-role.tooltip' | translate}}</kc-tooltip>
</li>
</ul>
</div>

11
themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-users.html Executable file
View file

@ -0,0 +1,11 @@
<div >
<h1>{{:: 'users' | translate}}</h1>
<ul class="nav nav-tabs">
<li ng-class="{active: path[2] == 'users'}"><a href="#/realms/{{realm.realm}}/users">{{:: 'lookup' | translate}}</a></li>
<li ng-class="{active: path[2] == 'users-permissions'}">
<a href="#/realms/{{realm.realm}}/users-permissions">{{:: 'authz-permissions' | translate}}</a>
<kc-tooltip>{{:: 'manage-permissions-users.tooltip' | translate}}</kc-tooltip>
</li>
</ul>
</div>