Assign default roles to users when they register instead of directly to tokens
This commit is contained in:
parent
f3c52247c8
commit
fd2bfee7d9
6 changed files with 53 additions and 60 deletions
|
@ -52,7 +52,6 @@ public class TokenManager {
|
||||||
List<RoleModel> realmRolesRequested = code.getRealmRolesRequested();
|
List<RoleModel> realmRolesRequested = code.getRealmRolesRequested();
|
||||||
MultivaluedMap<String, RoleModel> resourceRolesRequested = code.getResourceRolesRequested();
|
MultivaluedMap<String, RoleModel> resourceRolesRequested = code.getResourceRolesRequested();
|
||||||
Set<String> realmMapping = realm.getRoleMappingValues(user);
|
Set<String> realmMapping = realm.getRoleMappingValues(user);
|
||||||
realmMapping.addAll(realm.getDefaultRoles());
|
|
||||||
|
|
||||||
if (realmMapping != null && realmMapping.size() > 0 && (scopeMap == null || scopeMap.containsKey("realm"))) {
|
if (realmMapping != null && realmMapping.size() > 0 && (scopeMap == null || scopeMap.containsKey("realm"))) {
|
||||||
Set<String> scope = realm.getScopeMappingValues(client);
|
Set<String> scope = realm.getScopeMappingValues(client);
|
||||||
|
@ -76,7 +75,6 @@ public class TokenManager {
|
||||||
}
|
}
|
||||||
for (ApplicationModel resource : realm.getApplications()) {
|
for (ApplicationModel resource : realm.getApplications()) {
|
||||||
Set<String> mapping = resource.getRoleMappingValues(user);
|
Set<String> mapping = resource.getRoleMappingValues(user);
|
||||||
mapping.addAll(resource.getDefaultRoles());
|
|
||||||
if (mapping != null && mapping.size() > 0 && (scopeMap == null || scopeMap.containsKey(resource.getName()))) {
|
if (mapping != null && mapping.size() > 0 && (scopeMap == null || scopeMap.containsKey(resource.getName()))) {
|
||||||
Set<String> scope = resource.getScopeMappingValues(client);
|
Set<String> scope = resource.getScopeMappingValues(client);
|
||||||
if (scope.size() > 0) {
|
if (scope.size() > 0) {
|
||||||
|
|
|
@ -373,7 +373,8 @@ public class AccountService {
|
||||||
UserModel client = auth.getClient();
|
UserModel client = auth.getClient();
|
||||||
if (realm.hasRole(client, Constants.APPLICATION_ROLE)) {
|
if (realm.hasRole(client, Constants.APPLICATION_ROLE)) {
|
||||||
// Tokens from cookies don't have roles
|
// Tokens from cookies don't have roles
|
||||||
if (hasRole(client, Constants.ACCOUNT_MANAGE_ROLE) || (role != null && hasRole(client, role))) {
|
UserModel user = auth.getUser();
|
||||||
|
if (hasRole(user, Constants.ACCOUNT_MANAGE_ROLE) || (role != null && hasRole(user, role))) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -389,9 +390,6 @@ public class AccountService {
|
||||||
}
|
}
|
||||||
|
|
||||||
private boolean hasRole(UserModel user, String role) {
|
private boolean hasRole(UserModel user, String role) {
|
||||||
if (application.getDefaultRoles().contains(role)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
return application.hasRole(user, role);
|
return application.hasRole(user, role);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
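Review bot: The comment `// Tokens from cookies don't have roles` now sits directly above a check that consults the end user's roles (`hasRole(user, ...)`) instead of the client's, so it no longer describes the branch it introduces; replace it with something like `// Caller is an application client: authorize on the roles the end user holds in the account application`. It is also not visible here whether `auth.getUser()` can be null for a token that was issued to an application without a user; if it can, guard it before `hasRole(user, ...)` reaches `application.hasRole`, e.g. `if (user != null && (hasRole(user, Constants.ACCOUNT_MANAGE_ROLE) || ...))`. The enclosing method starts and ends outside this hunk.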
@ -8,6 +8,7 @@ import org.jboss.resteasy.jwt.JsonSerialization;
|
||||||
import org.jboss.resteasy.logging.Logger;
|
import org.jboss.resteasy.logging.Logger;
|
||||||
import org.jboss.resteasy.spi.HttpRequest;
|
import org.jboss.resteasy.spi.HttpRequest;
|
||||||
import org.jboss.resteasy.spi.HttpResponse;
|
import org.jboss.resteasy.spi.HttpResponse;
|
||||||
|
import org.keycloak.models.ApplicationModel;
|
||||||
import org.keycloak.models.Constants;
|
import org.keycloak.models.Constants;
|
||||||
import org.keycloak.models.KeycloakSession;
|
import org.keycloak.models.KeycloakSession;
|
||||||
import org.keycloak.models.KeycloakTransaction;
|
import org.keycloak.models.KeycloakTransaction;
|
||||||
|
@ -323,6 +324,17 @@ public class TokenService {
|
||||||
realm.updateCredential(user, credentials);
|
realm.updateCredential(user, credentials);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
for (String r : realm.getDefaultRoles()) {
|
||||||
|
realm.grantRole(user, realm.getRole(r));
|
||||||
|
}
|
||||||
|
|
||||||
|
for (ApplicationModel application : realm.getApplications()) {
|
||||||
|
for (String r : application.getDefaultRoles()) {
|
||||||
|
application.grantRole(user, application.getRole(r));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
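Review bot: Default roles are now granted only on this registration path, so a user created anywhere else gets no default roles at all — the SocialLoginTest section below drops its assertion that a socially-registered user holds the realm role `user`, which suggests that path is already affected, and users that existed before this change lose the roles TokenManager used to add at token time unless a migration grants them. The new loops should also tolerate a default-role name whose role no longer exists: if `realm.getRole(r)` or `application.getRole(r)` can return null (not visible here), `grantRole(user, null)` is reached unchecked, e.g. `RoleModel role = realm.getRole(r); if (role != null) realm.grantRole(user, role);`. The enclosing method starts outside this hunk.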
@ -12,7 +12,9 @@ import org.junit.Rule;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.keycloak.models.ApplicationModel;
|
import org.keycloak.models.ApplicationModel;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
|
import org.keycloak.models.UserCredentialModel;
|
||||||
import org.keycloak.models.UserModel;
|
import org.keycloak.models.UserModel;
|
||||||
|
import org.keycloak.representations.idm.CredentialRepresentation;
|
||||||
import org.keycloak.services.managers.RealmManager;
|
import org.keycloak.services.managers.RealmManager;
|
||||||
import org.keycloak.testsuite.Constants;
|
import org.keycloak.testsuite.Constants;
|
||||||
import org.keycloak.testsuite.OAuthClient;
|
import org.keycloak.testsuite.OAuthClient;
|
||||||
|
@ -52,6 +54,16 @@ public class ProfileTest {
|
||||||
user.setAttribute("key2", "value2");
|
user.setAttribute("key2", "value2");
|
||||||
|
|
||||||
ApplicationModel accountApp = appRealm.getApplicationNameMap().get(org.keycloak.models.Constants.ACCOUNT_APPLICATION);
|
ApplicationModel accountApp = appRealm.getApplicationNameMap().get(org.keycloak.models.Constants.ACCOUNT_APPLICATION);
|
||||||
|
for (String r : accountApp.getDefaultRoles()) {
|
||||||
|
accountApp.grantRole(user, accountApp.getRole(r));
|
||||||
|
}
|
||||||
|
|
||||||
|
UserModel user2 = appRealm.addUser("test-user-no-access@localhost");
|
||||||
|
user2.setEnabled(true);
|
||||||
|
UserCredentialModel creds = new UserCredentialModel();
|
||||||
|
creds.setType(CredentialRepresentation.PASSWORD);
|
||||||
|
creds.setValue("password");
|
||||||
|
appRealm.updateCredential(user2, creds);
|
||||||
|
|
||||||
ApplicationModel app = appRealm.getApplicationNameMap().get("test-app");
|
ApplicationModel app = appRealm.getApplicationNameMap().get("test-app");
|
||||||
accountApp.addScopeMapping(app.getApplicationUser(), org.keycloak.models.Constants.ACCOUNT_PROFILE_ROLE);
|
accountApp.addScopeMapping(app.getApplicationUser(), org.keycloak.models.Constants.ACCOUNT_PROFILE_ROLE);
|
||||||
|
@ -81,8 +93,6 @@ public class ProfileTest {
|
||||||
@WebResource
|
@WebResource
|
||||||
protected OAuthGrantPage grantPage;
|
protected OAuthGrantPage grantPage;
|
||||||
|
|
||||||
private List<String> defaultRoles;
|
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void getProfile() throws Exception {
|
public void getProfile() throws Exception {
|
||||||
oauth.doLogin("test-user@localhost", "password");
|
oauth.doLogin("test-user@localhost", "password");
|
||||||
|
@ -154,31 +164,13 @@ public class ProfileTest {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void getProfileNoAccess() throws Exception {
|
public void getProfileNoAccess() throws Exception {
|
||||||
try {
|
oauth.doLogin("test-user-no-access@localhost", "password");
|
||||||
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
|
|
||||||
@Override
|
|
||||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
|
||||||
ApplicationModel app = appRealm.getApplicationNameMap().get(org.keycloak.models.Constants.ACCOUNT_APPLICATION);
|
|
||||||
defaultRoles = app.getDefaultRoles();
|
|
||||||
app.updateDefaultRoles(new String[0]);
|
|
||||||
}
|
|
||||||
});
|
|
||||||
|
|
||||||
oauth.doLogin("test-user@localhost", "password");
|
String code = oauth.getCurrentQuery().get("code");
|
||||||
|
String token = oauth.doAccessTokenRequest(code, "password").getAccessToken();
|
||||||
|
|
||||||
String code = oauth.getCurrentQuery().get("code");
|
HttpResponse response = doGetProfile(token, null);
|
||||||
String token = oauth.doAccessTokenRequest(code, "password").getAccessToken();
|
assertEquals(403, response.getStatusLine().getStatusCode());
|
||||||
|
|
||||||
HttpResponse response = doGetProfile(token, null);
|
|
||||||
assertEquals(403, response.getStatusLine().getStatusCode());
|
|
||||||
} finally {
|
|
||||||
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
|
|
||||||
@Override
|
|
||||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
|
||||||
appRealm.getApplicationNameMap().get(org.keycloak.models.Constants.ACCOUNT_APPLICATION).updateDefaultRoles((String[]) defaultRoles.toArray(new String[0]));
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|
|
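Review bot: The fixture that grants the account application's default roles to `test-user@localhost` (the loop over `accountApp.getDefaultRoles()`) and creates `test-user-no-access@localhost` with a password credential is repeated verbatim in AccountTest's setup in this same commit; extract it into one shared `KeycloakSetup` helper in the test suite so the two suites cannot drift when the registration logic changes again. The no-access test asserts only the 403; since `oauth.verifyToken` is available (see SocialLoginTest), it could additionally assert that the issued token carries no account-application roles, which is the property the 403 depends on.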
@ -48,7 +48,23 @@ import static org.junit.Assert.assertEquals;
|
||||||
public class AccountTest {
|
public class AccountTest {
|
||||||
|
|
||||||
@ClassRule
|
@ClassRule
|
||||||
public static KeycloakRule keycloakRule = new KeycloakRule();
|
public static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakSetup() {
|
||||||
|
@Override
|
||||||
|
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||||
|
UserModel user = appRealm.getUser("test-user@localhost");
|
||||||
|
ApplicationModel accountApp = appRealm.getApplicationNameMap().get(org.keycloak.models.Constants.ACCOUNT_APPLICATION);
|
||||||
|
for (String r : accountApp.getDefaultRoles()) {
|
||||||
|
accountApp.grantRole(user, accountApp.getRole(r));
|
||||||
|
}
|
||||||
|
|
||||||
|
UserModel user2 = appRealm.addUser("test-user-no-access@localhost");
|
||||||
|
user2.setEnabled(true);
|
||||||
|
UserCredentialModel creds = new UserCredentialModel();
|
||||||
|
creds.setType(CredentialRepresentation.PASSWORD);
|
||||||
|
creds.setValue("password");
|
||||||
|
appRealm.updateCredential(user2, creds);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
@Rule
|
@Rule
|
||||||
public WebRule webRule = new WebRule(this);
|
public WebRule webRule = new WebRule(this);
|
||||||
|
@ -79,8 +95,6 @@ public class AccountTest {
|
||||||
|
|
||||||
private TimeBasedOTP totp = new TimeBasedOTP();
|
private TimeBasedOTP totp = new TimeBasedOTP();
|
||||||
|
|
||||||
private List<String> defaultRoles;
|
|
||||||
|
|
||||||
@After
|
@After
|
||||||
public void after() {
|
public void after() {
|
||||||
keycloakRule.configure(new KeycloakSetup() {
|
keycloakRule.configure(new KeycloakSetup() {
|
||||||
|
@ -176,7 +190,7 @@ public class AccountTest {
|
||||||
Assert.assertFalse(driver.getPageSource().contains("Remove Google"));
|
Assert.assertFalse(driver.getPageSource().contains("Remove Google"));
|
||||||
|
|
||||||
// Error with false code
|
// Error with false code
|
||||||
totpPage.configure(totp.generate(totpPage.getTotpSecret()+"123"));
|
totpPage.configure(totp.generate(totpPage.getTotpSecret() + "123"));
|
||||||
|
|
||||||
Assert.assertTrue(profilePage.isError());
|
Assert.assertTrue(profilePage.isError());
|
||||||
|
|
||||||
|
@ -189,29 +203,11 @@ public class AccountTest {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void changeProfileNoAccess() throws Exception {
|
public void changeProfileNoAccess() throws Exception {
|
||||||
try {
|
profilePage.open();
|
||||||
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
|
loginPage.login("test-user-no-access@localhost", "password");
|
||||||
@Override
|
|
||||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
|
||||||
ApplicationModel app = appRealm.getApplicationNameMap().get(Constants.ACCOUNT_APPLICATION);
|
|
||||||
defaultRoles = app.getDefaultRoles();
|
|
||||||
app.updateDefaultRoles(new String[0]);
|
|
||||||
}
|
|
||||||
});
|
|
||||||
|
|
||||||
profilePage.open();
|
Assert.assertTrue(errorPage.isCurrent());
|
||||||
loginPage.login("test-user@localhost", "password");
|
Assert.assertEquals("No access", errorPage.getError());
|
||||||
|
|
||||||
Assert.assertTrue(errorPage.isCurrent());
|
|
||||||
Assert.assertEquals("No access", errorPage.getError());
|
|
||||||
} finally {
|
|
||||||
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
|
|
||||||
@Override
|
|
||||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
|
||||||
appRealm.getApplicationNameMap().get(org.keycloak.models.Constants.ACCOUNT_APPLICATION).updateDefaultRoles((String[]) defaultRoles.toArray(new String[0]));
|
|
||||||
}
|
|
||||||
});
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -103,9 +103,6 @@ public class SocialLoginTest {
|
||||||
SkeletonKeyToken token = oauth.verifyToken(response.getAccessToken());
|
SkeletonKeyToken token = oauth.verifyToken(response.getAccessToken());
|
||||||
|
|
||||||
Assert.assertEquals("dummy-user", token.getPrincipal());
|
Assert.assertEquals("dummy-user", token.getPrincipal());
|
||||||
|
|
||||||
Assert.assertEquals(1, token.getRealmAccess().getRoles().size());
|
|
||||||
Assert.assertTrue(token.getRealmAccess().isUserInRole("user"));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|