Assign default roles to users when they register instead of directly to tokens
This commit is contained in:
parent
f3c52247c8
commit
fd2bfee7d9
6 changed files with 53 additions and 60 deletions
|
@ -52,7 +52,6 @@ public class TokenManager {
|
|||
List<RoleModel> realmRolesRequested = code.getRealmRolesRequested();
|
||||
MultivaluedMap<String, RoleModel> resourceRolesRequested = code.getResourceRolesRequested();
|
||||
Set<String> realmMapping = realm.getRoleMappingValues(user);
|
||||
realmMapping.addAll(realm.getDefaultRoles());
|
||||
|
||||
if (realmMapping != null && realmMapping.size() > 0 && (scopeMap == null || scopeMap.containsKey("realm"))) {
|
||||
Set<String> scope = realm.getScopeMappingValues(client);
|
||||
|
@ -76,7 +75,6 @@ public class TokenManager {
|
|||
}
|
||||
for (ApplicationModel resource : realm.getApplications()) {
|
||||
Set<String> mapping = resource.getRoleMappingValues(user);
|
||||
mapping.addAll(resource.getDefaultRoles());
|
||||
if (mapping != null && mapping.size() > 0 && (scopeMap == null || scopeMap.containsKey(resource.getName()))) {
|
||||
Set<String> scope = resource.getScopeMappingValues(client);
|
||||
if (scope.size() > 0) {
|
||||
|
|
|
@ -373,7 +373,8 @@ public class AccountService {
|
|||
UserModel client = auth.getClient();
|
||||
if (realm.hasRole(client, Constants.APPLICATION_ROLE)) {
|
||||
// Tokens from cookies don't have roles
|
||||
if (hasRole(client, Constants.ACCOUNT_MANAGE_ROLE) || (role != null && hasRole(client, role))) {
|
||||
UserModel user = auth.getUser();
|
||||
if (hasRole(user, Constants.ACCOUNT_MANAGE_ROLE) || (role != null && hasRole(user, role))) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
@ -389,9 +390,6 @@ public class AccountService {
|
|||
}
|
||||
|
||||
private boolean hasRole(UserModel user, String role) {
|
||||
if (application.getDefaultRoles().contains(role)) {
|
||||
return true;
|
||||
}
|
||||
return application.hasRole(user, role);
|
||||
}
|
||||
|
||||
|
|
|
@ -8,6 +8,7 @@ import org.jboss.resteasy.jwt.JsonSerialization;
|
|||
import org.jboss.resteasy.logging.Logger;
|
||||
import org.jboss.resteasy.spi.HttpRequest;
|
||||
import org.jboss.resteasy.spi.HttpResponse;
|
||||
import org.keycloak.models.ApplicationModel;
|
||||
import org.keycloak.models.Constants;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.KeycloakTransaction;
|
||||
|
@ -323,6 +324,17 @@ public class TokenService {
|
|||
realm.updateCredential(user, credentials);
|
||||
}
|
||||
|
||||
for (String r : realm.getDefaultRoles()) {
|
||||
realm.grantRole(user, realm.getRole(r));
|
||||
}
|
||||
|
||||
for (ApplicationModel application : realm.getApplications()) {
|
||||
for (String r : application.getDefaultRoles()) {
|
||||
application.grantRole(user, application.getRole(r));
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
|
|
|
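Review bot: The role returned by `realm.getRole(r)` and `application.getRole(r)` is handed to `grantRole` with no null check, so a default-role name that no longer resolves to a role (a role deleted after being listed as a default) would either throw or silently grant nothing after the user and credentials have already been persisted; I cannot see `getRole`'s contract from here, so confirm which it is and guard it, e.g. `RoleModel role = realm.getRole(r); if (role == null) throw new IllegalStateException("default role not found: " + r);`. The grant also lives only in this registration handler: the ProfileTest and AccountTest setups repeat the identical loop for users created through `addUser`, and the SocialLoginTest hunk drops the assertion that a socially-registered user holds the realm `user` role, which suggests users created by other paths do not receive default roles at all. Consider moving both loops into one model-layer helper (something like `grantDefaultRoles(user)`, name as you see fit) that every user-creation path calls, and documenting on it that default roles are now copied at creation time, so later changes to a realm's or application's default list do not reach existing users and users registered before this change hold none unless migrated. The enclosing method starts outside the hunk.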
@ -12,7 +12,9 @@ import org.junit.Rule;
|
|||
import org.junit.Test;
|
||||
import org.keycloak.models.ApplicationModel;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.UserCredentialModel;
|
||||
import org.keycloak.models.UserModel;
|
||||
import org.keycloak.representations.idm.CredentialRepresentation;
|
||||
import org.keycloak.services.managers.RealmManager;
|
||||
import org.keycloak.testsuite.Constants;
|
||||
import org.keycloak.testsuite.OAuthClient;
|
||||
|
@ -52,6 +54,16 @@ public class ProfileTest {
|
|||
user.setAttribute("key2", "value2");
|
||||
|
||||
ApplicationModel accountApp = appRealm.getApplicationNameMap().get(org.keycloak.models.Constants.ACCOUNT_APPLICATION);
|
||||
for (String r : accountApp.getDefaultRoles()) {
|
||||
accountApp.grantRole(user, accountApp.getRole(r));
|
||||
}
|
||||
|
||||
UserModel user2 = appRealm.addUser("test-user-no-access@localhost");
|
||||
user2.setEnabled(true);
|
||||
UserCredentialModel creds = new UserCredentialModel();
|
||||
creds.setType(CredentialRepresentation.PASSWORD);
|
||||
creds.setValue("password");
|
||||
appRealm.updateCredential(user2, creds);
|
||||
|
||||
ApplicationModel app = appRealm.getApplicationNameMap().get("test-app");
|
||||
accountApp.addScopeMapping(app.getApplicationUser(), org.keycloak.models.Constants.ACCOUNT_PROFILE_ROLE);
|
||||
|
@ -81,8 +93,6 @@ public class ProfileTest {
|
|||
@WebResource
|
||||
protected OAuthGrantPage grantPage;
|
||||
|
||||
private List<String> defaultRoles;
|
||||
|
||||
@Test
|
||||
public void getProfile() throws Exception {
|
||||
oauth.doLogin("test-user@localhost", "password");
|
||||
|
@ -154,31 +164,13 @@ public class ProfileTest {
|
|||
|
||||
@Test
|
||||
public void getProfileNoAccess() throws Exception {
|
||||
try {
|
||||
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
|
||||
@Override
|
||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||
ApplicationModel app = appRealm.getApplicationNameMap().get(org.keycloak.models.Constants.ACCOUNT_APPLICATION);
|
||||
defaultRoles = app.getDefaultRoles();
|
||||
app.updateDefaultRoles(new String[0]);
|
||||
}
|
||||
});
|
||||
oauth.doLogin("test-user-no-access@localhost", "password");
|
||||
|
||||
oauth.doLogin("test-user@localhost", "password");
|
||||
String code = oauth.getCurrentQuery().get("code");
|
||||
String token = oauth.doAccessTokenRequest(code, "password").getAccessToken();
|
||||
|
||||
String code = oauth.getCurrentQuery().get("code");
|
||||
String token = oauth.doAccessTokenRequest(code, "password").getAccessToken();
|
||||
|
||||
HttpResponse response = doGetProfile(token, null);
|
||||
assertEquals(403, response.getStatusLine().getStatusCode());
|
||||
} finally {
|
||||
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
|
||||
@Override
|
||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||
appRealm.getApplicationNameMap().get(org.keycloak.models.Constants.ACCOUNT_APPLICATION).updateDefaultRoles((String[]) defaultRoles.toArray(new String[0]));
|
||||
}
|
||||
});
|
||||
}
|
||||
HttpResponse response = doGetProfile(token, null);
|
||||
assertEquals(403, response.getStatusLine().getStatusCode());
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|
|
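Review bot: The rewritten `getProfileNoAccess` relies on `test-user-no-access@localhost` holding no account roles, but nothing in the setup says this is deliberate, so a later reader may "fix" it by granting that user default roles the way the loop above does for `test-user@localhost`. Add a comment at `UserModel user2 = appRealm.addUser("test-user-no-access@localhost");`: `// intentionally created without account roles (addUser() does not appear to run the registration default-role grant); the profile endpoint must answer 403 for this user`. The same anonymous `KeycloakSetup` (grant loop, user2 creation, credentials) is repeated verbatim in AccountTest's `@ClassRule`; extracting it into one shared setup would keep the two fixtures from drifting, which matters because the negative case is now asserted only through the 403 status code and depends entirely on the fixture deciding which users hold roles.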
@ -48,7 +48,23 @@ import static org.junit.Assert.assertEquals;
|
|||
public class AccountTest {
|
||||
|
||||
@ClassRule
|
||||
public static KeycloakRule keycloakRule = new KeycloakRule();
|
||||
public static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakSetup() {
|
||||
@Override
|
||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||
UserModel user = appRealm.getUser("test-user@localhost");
|
||||
ApplicationModel accountApp = appRealm.getApplicationNameMap().get(org.keycloak.models.Constants.ACCOUNT_APPLICATION);
|
||||
for (String r : accountApp.getDefaultRoles()) {
|
||||
accountApp.grantRole(user, accountApp.getRole(r));
|
||||
}
|
||||
|
||||
UserModel user2 = appRealm.addUser("test-user-no-access@localhost");
|
||||
user2.setEnabled(true);
|
||||
UserCredentialModel creds = new UserCredentialModel();
|
||||
creds.setType(CredentialRepresentation.PASSWORD);
|
||||
creds.setValue("password");
|
||||
appRealm.updateCredential(user2, creds);
|
||||
}
|
||||
});
|
||||
|
||||
@Rule
|
||||
public WebRule webRule = new WebRule(this);
|
||||
|
@ -79,8 +95,6 @@ public class AccountTest {
|
|||
|
||||
private TimeBasedOTP totp = new TimeBasedOTP();
|
||||
|
||||
private List<String> defaultRoles;
|
||||
|
||||
@After
|
||||
public void after() {
|
||||
keycloakRule.configure(new KeycloakSetup() {
|
||||
|
@ -176,7 +190,7 @@ public class AccountTest {
|
|||
Assert.assertFalse(driver.getPageSource().contains("Remove Google"));
|
||||
|
||||
// Error with false code
|
||||
totpPage.configure(totp.generate(totpPage.getTotpSecret()+"123"));
|
||||
totpPage.configure(totp.generate(totpPage.getTotpSecret() + "123"));
|
||||
|
||||
Assert.assertTrue(profilePage.isError());
|
||||
|
||||
|
@ -189,29 +203,11 @@ public class AccountTest {
|
|||
|
||||
@Test
|
||||
public void changeProfileNoAccess() throws Exception {
|
||||
try {
|
||||
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
|
||||
@Override
|
||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||
ApplicationModel app = appRealm.getApplicationNameMap().get(Constants.ACCOUNT_APPLICATION);
|
||||
defaultRoles = app.getDefaultRoles();
|
||||
app.updateDefaultRoles(new String[0]);
|
||||
}
|
||||
});
|
||||
profilePage.open();
|
||||
loginPage.login("test-user-no-access@localhost", "password");
|
||||
|
||||
profilePage.open();
|
||||
loginPage.login("test-user@localhost", "password");
|
||||
|
||||
Assert.assertTrue(errorPage.isCurrent());
|
||||
Assert.assertEquals("No access", errorPage.getError());
|
||||
} finally {
|
||||
keycloakRule.configure(new KeycloakRule.KeycloakSetup() {
|
||||
@Override
|
||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||
appRealm.getApplicationNameMap().get(org.keycloak.models.Constants.ACCOUNT_APPLICATION).updateDefaultRoles((String[]) defaultRoles.toArray(new String[0]));
|
||||
}
|
||||
});
|
||||
}
|
||||
Assert.assertTrue(errorPage.isCurrent());
|
||||
Assert.assertEquals("No access", errorPage.getError());
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -103,9 +103,6 @@ public class SocialLoginTest {
|
|||
SkeletonKeyToken token = oauth.verifyToken(response.getAccessToken());
|
||||
|
||||
Assert.assertEquals("dummy-user", token.getPrincipal());
|
||||
|
||||
Assert.assertEquals(1, token.getRealmAccess().getRoles().size());
|
||||
Assert.assertTrue(token.getRealmAccess().isUserInRole("user"));
|
||||
}
|
||||
|
||||
@Test
|
||||
|
|