keycloak-memoizeit
Changes
services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java 4(+2 -2)
services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java 8(+4 -4)
services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionEvaluator.java 4(+4 -0)
services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionManagement.java 3(+3 -0)
services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java 78(+70 -8)
services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java 6(+3 -3)
services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java 2(+1 -1)
services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java 1(+1 -0)
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java 70(+62 -8)
themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-permissions.html 4(+2 -2)
themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-role-permissions.html 4(+2 -2)
themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-generic.html 4(+2 -2)
themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt-key-export.html 4(+2 -2)
themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt-key-import.html 2(+1 -1)
themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-secret.html 4(+2 -2)
themes/src/main/resources/theme/base/admin/resources/partials/client-registration-access-token.html 4(+2 -2)
Details
diff --git a/core/src/test/java/org/keycloak/RSAVerifierTest.java b/core/src/test/java/org/keycloak/RSAVerifierTest.java
index 58e1f38..e606e35 100755
--- a/core/src/test/java/org/keycloak/RSAVerifierTest.java
+++ b/core/src/test/java/org/keycloak/RSAVerifierTest.java
@@ -234,13 +234,16 @@ public class RSAVerifierTest {
public void testTokenAuth() throws Exception {
token = new AccessToken();
token.subject("CN=Client")
- .issuer("domain")
+ .issuer("http://localhost:8080/auth/realms/demo")
.addAccess("service").addRole("admin").verifyCaller(true);
+ token.setEmail("bill@jboss.org");
String encoded = new JWSBuilder()
.jsonContent(token)
.rsa256(idpPair.getPrivate());
+ System.out.println("token size: " + encoded.length());
+
AccessToken v = null;
try {
v = verifySkeletonKeyToken(encoded);
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java b/services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java
index 88650c1..61f6254 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java
@@ -137,7 +137,7 @@ public class AuthenticationManagementResource {
@NoCache
@Produces(MediaType.APPLICATION_JSON)
public List<Map<String, Object>> getClientAuthenticatorProviders() {
- auth.realm().requireViewRealm();
+ auth.requireAnyAdminRole();
List<ProviderFactory> factories = session.getKeycloakSessionFactory().getProviderFactories(ClientAuthenticator.class);
return buildProviderMetadata(factories);
@@ -959,7 +959,7 @@ public class AuthenticationManagementResource {
@Produces(MediaType.APPLICATION_JSON)
@NoCache
public Map<String, List<ConfigPropertyRepresentation>> getPerClientConfigDescription() {
- auth.realm().requireViewRealm();
+ auth.requireAnyAdminRole();
List<ProviderFactory> factories = session.getKeycloakSessionFactory().getProviderFactories(ClientAuthenticator.class);
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java b/services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java
index e3dda51..a798414 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java
@@ -115,7 +115,7 @@ public class ClientAttributeCertificateResource {
@Path("generate")
@Produces(MediaType.APPLICATION_JSON)
public CertificateRepresentation generate() {
- auth.clients().requireManage(client);
+ auth.clients().requireConfigure(client);
CertificateRepresentation info = KeycloakModelUtils.generateKeyPairCertificate(client.getClientId());
@@ -139,7 +139,7 @@ public class ClientAttributeCertificateResource {
@Consumes(MediaType.MULTIPART_FORM_DATA)
@Produces(MediaType.APPLICATION_JSON)
public CertificateRepresentation uploadJks(@Context final UriInfo uriInfo, MultipartFormDataInput input) throws IOException {
- auth.clients().requireManage(client);
+ auth.clients().requireConfigure(client);
try {
CertificateRepresentation info = getCertFromRequest(input);
@@ -165,7 +165,7 @@ public class ClientAttributeCertificateResource {
@Consumes(MediaType.MULTIPART_FORM_DATA)
@Produces(MediaType.APPLICATION_JSON)
public CertificateRepresentation uploadJksCertificate(@Context final UriInfo uriInfo, MultipartFormDataInput input) throws IOException {
- auth.clients().requireManage(client);
+ auth.clients().requireConfigure(client);
try {
CertificateRepresentation info = getCertFromRequest(input);
@@ -306,7 +306,7 @@ public class ClientAttributeCertificateResource {
@Produces(MediaType.APPLICATION_OCTET_STREAM)
@Consumes(MediaType.APPLICATION_JSON)
public byte[] generateAndGetKeystore(final KeyStoreConfig config) {
- auth.clients().requireManage(client);
+ auth.clients().requireConfigure(client);
if (config.getFormat() != null && !config.getFormat().equals("JKS") && !config.getFormat().equals("PKCS12")) {
throw new NotAcceptableException("Only support jks or pkcs12 format.");
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java b/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java
index 77440be..e7d611e 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java
@@ -27,6 +27,7 @@ import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
+import org.keycloak.models.ClientTemplateModel;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ModelDuplicateException;
@@ -41,6 +42,7 @@ import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.protocol.ClientInstallationProvider;
import org.keycloak.representations.adapters.action.GlobalRequestResult;
import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.representations.idm.ClientTemplateRepresentation;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.ManagementPermissionReference;
import org.keycloak.representations.idm.UserRepresentation;
@@ -134,7 +136,7 @@ public class ClientResource {
@PUT
@Consumes(MediaType.APPLICATION_JSON)
public Response update(final ClientRepresentation rep) {
- auth.clients().requireManage(client);
+ auth.clients().requireConfigure(client);
ValidationMessages validationMessages = new ValidationMessages();
if (!ClientValidator.validate(rep, validationMessages) || !PairwiseClientValidator.validate(session, rep, validationMessages)) {
@@ -227,7 +229,7 @@ public class ClientResource {
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
public CredentialRepresentation regenerateSecret() {
- auth.clients().requireManage(client);
+ auth.clients().requireConfigure(client);
logger.debug("regenerateSecret");
UserCredentialModel cred = KeycloakModelUtils.generateSecret(client);
@@ -326,7 +328,7 @@ public class ClientResource {
@POST
@Produces(MediaType.APPLICATION_JSON)
public GlobalRequestResult pushRevocation() {
- auth.clients().requireManage(client);
+ auth.clients().requireConfigure(client);
adminEvent.operation(OperationType.ACTION).resourcePath(uriInfo).resource(ResourceType.CLIENT).success();
return new ResourceAdminManager(session).pushClientRevocationPolicy(uriInfo.getRequestUri(), realm, client);
@@ -456,7 +458,7 @@ public class ClientResource {
@POST
@Consumes(MediaType.APPLICATION_JSON)
public void registerNode(Map<String, String> formParams) {
- auth.clients().requireManage(client);
+ auth.clients().requireConfigure(client);
String node = formParams.get("node");
if (node == null) {
@@ -476,7 +478,7 @@ public class ClientResource {
@DELETE
@NoCache
public void unregisterNode(final @PathParam("node") String node) {
- auth.clients().requireManage(client);
+ auth.clients().requireConfigure(client);
if (logger.isDebugEnabled()) logger.debug("Unregister node: " + node);
@@ -500,7 +502,7 @@ public class ClientResource {
@NoCache
@Produces(MediaType.APPLICATION_JSON)
public GlobalRequestResult testNodesAvailable() {
- auth.clients().requireManage(client);
+ auth.clients().requireConfigure(client);
logger.debug("Test availability of cluster nodes");
GlobalRequestResult result = new ResourceAdminManager(session).testNodesAvailability(uriInfo.getRequestUri(), realm, client);
@@ -583,6 +585,30 @@ public class ClientResource {
new ClientManager(new RealmManager(session)).clientIdChanged(client, rep.getClientId());
}
+ if (rep.isFullScopeAllowed() != null && rep.isFullScopeAllowed().booleanValue() != client.isFullScopeAllowed()) {
+ auth.clients().requireManage(client);
+ }
+
+ if (rep.getClientTemplate() != null) {
+ ClientTemplateModel currTemplate = client.getClientTemplate();
+ if (currTemplate == null) {
+ if (!rep.getClientTemplate().equals(ClientTemplateRepresentation.NONE)) {
+ auth.clients().requireManage(client);
+ }
+ } else if (!rep.getClientTemplate().equals(currTemplate.getName())){
+ auth.clients().requireManage(client);
+ }
+ if ((rep.isUseTemplateConfig() != null && rep.isUseTemplateConfig().booleanValue() != client.useTemplateConfig())
+ || (rep.isUseTemplateScope() != null && rep.isUseTemplateScope().booleanValue() != client.useTemplateScope())
+ || (rep.isUseTemplateMappers() != null && rep.isUseTemplateMappers().booleanValue() != client.useTemplateMappers())
+
+ ) {
+ auth.clients().requireManage(client);
+ }
+ }
+
+
+
RepresentationToModel.updateClient(rep, client);
}
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionEvaluator.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionEvaluator.java
index 25da468..3b64a27 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionEvaluator.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionEvaluator.java
@@ -56,6 +56,10 @@ public interface ClientPermissionEvaluator {
boolean canManage(ClientModel client);
+ boolean canConfigure(ClientModel client);
+
+ void requireConfigure(ClientModel client);
+
void requireManage(ClientModel client);
boolean canView(ClientModel client);
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionManagement.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionManagement.java
index d967443..8a6b76d 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionManagement.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionManagement.java
@@ -31,6 +31,7 @@ public interface ClientPermissionManagement {
public static final String MAP_ROLES_SCOPE = "map-roles";
public static final String MAP_ROLES_CLIENT_SCOPE = "map-roles-client-scope";
public static final String MAP_ROLES_COMPOSITE_SCOPE = "map-roles-composite";
+ public static final String CONFIGURE_SCOPE = "configure";
boolean isPermissionsEnabled(ClientModel client);
@@ -48,6 +49,8 @@ public interface ClientPermissionManagement {
Policy managePermission(ClientModel client);
+ Policy configurePermission(ClientModel client);
+
Policy viewPermission(ClientModel client);
ResourceServer resourceServer(ClientModel client);
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
index 95e440e..2b1e234 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
@@ -63,6 +63,9 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
private String getManagePermissionName(ClientModel client) {
return "manage.permission.client." + client.getId();
}
+ private String getConfigurePermissionName(ClientModel client) {
+ return "configure.permission.client." + client.getId();
+ }
private String getViewPermissionName(ClientModel client) {
return "view.permission.client." + client.getId();
}
@@ -98,6 +101,10 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
if (mapRoleCompositeScope == null) {
mapRoleCompositeScope = authz.getStoreFactory().getScopeStore().create(MAP_ROLES_COMPOSITE_SCOPE, server);
}
+ Scope configureScope = authz.getStoreFactory().getScopeStore().findByName(CONFIGURE_SCOPE, server.getId());
+ if (configureScope == null) {
+ configureScope = authz.getStoreFactory().getScopeStore().create(CONFIGURE_SCOPE, server);
+ }
String resourceName = getResourceName(client);
Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId());
@@ -105,6 +112,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
resource = authz.getStoreFactory().getResourceStore().create(resourceName, server, server.getClientId());
resource.setType("Client");
Set<Scope> scopeset = new HashSet<>();
+ scopeset.add(configureScope);
scopeset.add(manageScope);
scopeset.add(viewScope);
scopeset.add(mapRoleScope);
@@ -117,6 +125,11 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
if (managePermission == null) {
Helper.addEmptyScopePermission(authz, server, managePermissionName, resource, manageScope);
}
+ String configurePermissionName = getConfigurePermissionName(client);
+ Policy configurePermission = authz.getStoreFactory().getPolicyStore().findByName(configurePermissionName, server.getId());
+ if (configurePermission == null) {
+ Helper.addEmptyScopePermission(authz, server, configurePermissionName, resource, configureScope);
+ }
String viewPermissionName = getViewPermissionName(client);
Policy viewPermission = authz.getStoreFactory().getPolicyStore().findByName(viewPermissionName, server.getId());
if (viewPermission == null) {
@@ -139,8 +152,8 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
}
}
- private void deletePolicy(String name, ClientModel client, ResourceServer server) {
- Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getViewPermissionName(client), server.getId());
+ private void deletePolicy(String name, ResourceServer server) {
+ Policy policy = authz.getStoreFactory().getPolicyStore().findByName(name, server.getId());
if (policy != null) {
authz.getStoreFactory().getPolicyStore().delete(policy.getId());
}
@@ -150,11 +163,12 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
private void deletePermissions(ClientModel client) {
ResourceServer server = resourceServer(client);
if (server == null) return;
- deletePolicy(getManagePermissionName(client), client, server);
- deletePolicy(getViewPermissionName(client), client, server);
- deletePolicy(getMapRolesPermissionName(client), client, server);
- deletePolicy(getMapRolesClientScopePermissionName(client), client, server);
- deletePolicy(getMapRolesCompositePermissionName(client), client, server);
+ deletePolicy(getManagePermissionName(client), server);
+ deletePolicy(getViewPermissionName(client), server);
+ deletePolicy(getMapRolesPermissionName(client), server);
+ deletePolicy(getMapRolesClientScopePermissionName(client), server);
+ deletePolicy(getMapRolesCompositePermissionName(client), server);
+ deletePolicy(getConfigurePermissionName(client), server);
Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());;
if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId());
}
@@ -182,6 +196,10 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.MANAGE_SCOPE, server.getId());
}
+ private Scope configureScope(ResourceServer server) {
+ return authz.getStoreFactory().getScopeStore().findByName(CONFIGURE_SCOPE, server.getId());
+ }
+
private Scope viewScope(ResourceServer server) {
return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.VIEW_SCOPE, server.getId());
}
@@ -259,6 +277,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
scopes.put(MAP_ROLES_COMPOSITE_SCOPE, mapRolesCompositePermission(client).getId());
scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(client).getId());
scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(client).getId());
+ scopes.put(CONFIGURE_SCOPE, configurePermission(client).getId());
return scopes;
}
@@ -292,6 +311,41 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
}
@Override
+ public boolean canConfigure(ClientModel client) {
+ if (canManage(client)) return true;
+ if (!root.isAdminSameRealm()) {
+ return false;
+ }
+
+ ResourceServer server = resourceServer(client);
+ if (server == null) return false;
+
+ Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());
+ if (resource == null) return false;
+
+ Policy policy = authz.getStoreFactory().getPolicyStore().findByName(getConfigurePermissionName(client), server.getId());
+ if (policy == null) {
+ return false;
+ }
+
+ Set<Policy> associatedPolicies = policy.getAssociatedPolicies();
+ // if no policies attached to permission then just do default behavior
+ if (associatedPolicies == null || associatedPolicies.isEmpty()) {
+ return false;
+ }
+
+ Scope scope = configureScope(server);
+ return root.evaluatePermission(resource, scope, server);
+ }
+ @Override
+ public void requireConfigure(ClientModel client) {
+ if (!canConfigure(client)) {
+ throw new ForbiddenException();
+ }
+ }
+
+
+ @Override
public void requireManage(ClientModel client) {
if (!canManage(client)) {
throw new ForbiddenException();
@@ -300,7 +354,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
@Override
public boolean canView(ClientModel client) {
- return hasView(client) || canManage(client);
+ return hasView(client) || canConfigure(client);
}
private boolean hasView(ClientModel client) {
@@ -438,6 +492,13 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
}
@Override
+ public Policy configurePermission(ClientModel client) {
+ ResourceServer server = resourceServer(client);
+ if (server == null) return null;
+ return authz.getStoreFactory().getPolicyStore().findByName(getConfigurePermissionName(client), server.getId());
+ }
+
+ @Override
public Policy viewPermission(ClientModel client) {
ResourceServer server = resourceServer(client);
if (server == null) return null;
@@ -499,6 +560,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
Map<String, Boolean> map = new HashMap<>();
map.put("view", canView(client));
map.put("manage", canManage(client));
+ map.put("configure", canConfigure(client));
return map;
}
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
index d586c36..a7e9f37 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
@@ -41,9 +41,9 @@ import java.util.Set;
class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManagement {
private static final Logger logger = Logger.getLogger(GroupPermissions.class);
public static final String MAP_ROLE_SCOPE = "map-role";
- public static final String MANAGE_MEMBERSHIP_SCOPE = "manage.membership";
- public static final String MANAGE_MEMBERS_SCOPE = "manage.members";
- public static final String VIEW_MEMBERS_SCOPE = "view.members";
+ public static final String MANAGE_MEMBERSHIP_SCOPE = "manage-membership";
+ public static final String MANAGE_MEMBERS_SCOPE = "manage-members";
+ public static final String VIEW_MEMBERS_SCOPE = "view-members";
protected final KeycloakSession session;
protected final RealmModel realm;
protected final AuthorizationProvider authz;
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
index ddc27ee..091d7a5 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
@@ -319,7 +319,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
if (container instanceof RealmModel) {
return root.realm().canManageRealm();
} else {
- return root.clients().canManage((ClientModel)container);
+ return root.clients().canConfigure((ClientModel)container);
}
}
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
index 80bf07f..149e526 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
@@ -127,6 +127,7 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
scopes.put(MAP_ROLES_SCOPE, mapRolesPermission().getId());
scopes.put(MANAGE_GROUP_MEMBERSHIP_SCOPE, manageGroupMembershipPermission().getId());
scopes.put(IMPERSONATE_SCOPE, adminImpersonatingPermission().getId());
+ scopes.put(USER_IMPERSONATED_SCOPE, userImpersonatedPermission().getId());
return scopes;
}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
index 452e81f..fc39267 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
@@ -22,9 +22,11 @@ import org.keycloak.admin.client.Keycloak;
import org.keycloak.authorization.AuthorizationProvider;
import org.keycloak.authorization.AuthorizationProviderFactory;
import org.keycloak.authorization.model.Resource;
+import org.keycloak.models.ClientTemplateModel;
import org.keycloak.models.GroupModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.RepresentationToModel;
+import org.keycloak.representations.idm.ClientTemplateRepresentation;
import org.keycloak.representations.idm.authorization.Logic;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
@@ -85,6 +87,8 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
RoleModel salesAppsAdminRole = realm.addRole("sales-apps-admin");
salesAppsAdminRole.addCompositeRole(clientAdmin);
salesAppsAdminRole.addCompositeRole(client2Admin);
+ ClientModel realmManagementClient = realm.getClientByClientId("realm-management");
+ RoleModel queryClient = realmManagementClient.getRole(AdminRoles.QUERY_CLIENTS);
UserModel admin = session.users().addUser(realm, "salesManager");
@@ -99,6 +103,10 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
admin = session.users().addUser(realm, "sales-pipeline-admin");
admin.setEnabled(true);
session.userCredentialManager().updateCredential(realm, admin, UserCredentialModel.password("password"));
+ admin = session.users().addUser(realm, "client-admin");
+ admin.setEnabled(true);
+ admin.grantRole(queryClient);
+ session.userCredentialManager().updateCredential(realm, admin, UserCredentialModel.password("password"));
UserModel user = session.users().addUser(realm, "salesman");
user.setEnabled(true);
@@ -115,6 +123,8 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
RoleModel realmRole = realm.addRole("realm-role");
RoleModel realmRole2 = realm.addRole("realm-role2");
ClientModel client1 = realm.addClient(CLIENT_NAME);
+ ClientTemplateModel template = realm.addClientTemplate("template");
+ client1.setFullScopeAllowed(false);
RoleModel client1Role = client1.addRole("client-role");
GroupModel group = realm.createGroup("top");
@@ -280,6 +290,19 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
clientManagerPolicy.addAssociatedPolicy(userPolicy);
+ UserModel clientConfigurer = session.users().addUser(realm, "clientConfigurer");
+ clientConfigurer.setEnabled(true);
+ clientConfigurer.grantRole(queryClientsRole);
+ session.userCredentialManager().updateCredential(realm, clientConfigurer, UserCredentialModel.password("password"));
+
+ Policy clientConfigurePolicy = permissions.clients().configurePermission(client);
+ userRep = new UserPolicyRepresentation();
+ userRep.setName("clientConfigure");
+ userRep.addUser("clientConfigurer");
+ userPolicy = permissions.authz().getStoreFactory().getPolicyStore().create(userRep, permissions.clients().resourceServer(client));
+ clientConfigurePolicy.addAssociatedPolicy(userPolicy);
+
+
@@ -364,20 +387,13 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
protected boolean isImportAfterEachMethod() {
return true;
}
- //@Test
+ @Test
public void testDemo() throws Exception {
testingClient.server().run(FineGrainAdminUnitTest::setupDemo);
Thread.sleep(1000000000);
}
- //@Test
- public void testUI() throws Exception {
- testingClient.server().run(FineGrainAdminUnitTest::setupPolices);
- testingClient.server().run(FineGrainAdminUnitTest::setupUsers);
- Thread.sleep(1000000000);
- }
-
@Test
public void testEvaluationLocal() throws Exception {
testingClient.server().run(FineGrainAdminUnitTest::setupPolices);
@@ -400,10 +416,48 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
List<RoleRepresentation> realmRole2Set = new LinkedList<>();
realmRole2Set.add(realmRole2);
ClientRepresentation client = adminClient.realm(TEST).clients().findByClientId(CLIENT_NAME).get(0);
+ ClientTemplateRepresentation template = adminClient.realm(TEST).clientTemplates().findAll().get(0);
RoleRepresentation clientRole = adminClient.realm(TEST).clients().get(client.getId()).roles().get("client-role").toRepresentation();
List<RoleRepresentation> clientRoleSet = new LinkedList<>();
clientRoleSet.add(clientRole);
+ // test configure client
+ {
+ Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
+ TEST, "clientConfigurer", "password", Constants.ADMIN_CLI_CLIENT_ID, null);
+ client.setAdminUrl("http://nowhere");
+ realmClient.realm(TEST).clients().get(client.getId()).update(client);
+ client.setFullScopeAllowed(true);
+ try {
+ realmClient.realm(TEST).clients().get(client.getId()).update(client);
+ Assert.fail("should fail with forbidden exception");
+ } catch (ClientErrorException e) {
+ Assert.assertEquals(e.getResponse().getStatus(), 403);
+
+ }
+ client.setFullScopeAllowed(false);
+ realmClient.realm(TEST).clients().get(client.getId()).update(client);
+
+ client.setClientTemplate(template.getName());
+ try {
+ realmClient.realm(TEST).clients().get(client.getId()).update(client);
+ Assert.fail("should fail with forbidden exception");
+ } catch (ClientErrorException e) {
+ Assert.assertEquals(e.getResponse().getStatus(), 403);
+
+ }
+ client.setClientTemplate(null);
+ realmClient.realm(TEST).clients().get(client.getId()).update(client);
+
+ try {
+ realmClient.realm(TEST).clients().get(client.getId()).getScopeMappings().realmLevel().add(realmRoleSet);
+ Assert.fail("should fail with forbidden exception");
+ } catch (ClientErrorException e) {
+ Assert.assertEquals(e.getResponse().getStatus(), 403);
+
+ }
+ }
+
// test illegal impersonation
{
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
diff --git a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
index 94d214e..28a985c 100644
--- a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
+++ b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
@@ -1326,9 +1326,9 @@ manage-permissions-client.tooltip=Fine grain permssions for admins that want to
manage-permissions-group.tooltip=Fine grain permssions for admins that want to manage this group or the members of this group.
manage-authz-group-scope-description=Policies that decide if an admin can manage this group
view-authz-group-scope-description=Policies that decide if an admin can view this group
-view.members-authz-group-scope-description=Policies that decide if an admin can manage the members of this group
-manage.members-authz-group-scope-description=Policies that decide if an admin can view the members of this group
+view-members-authz-group-scope-description=Policies that decide if an admin can manage the members of this group
manage-authz-client-scope-description=Policies that decide if an admin can manage this client
+configure-authz-client-scope-description=Reduced management permissions for admin. Cannot set scope, template, or protocol mappers.
view-authz-client-scope-description=Policies that decide if an admin can view this client
map-roles-authz-client-scope-description=Policies that decide if an admin can map roles defined by this client
map-roles-client-scope-authz-client-scope-description=Policies that decide if an admin can apply roles defined by this client to the client scope of another client
@@ -1336,6 +1336,11 @@ map-roles-composite-authz-client-scope-description=Policies that decide if an ad
map-role-authz-role-scope-description=Policies that decide if an admin can map role this role to a user or group
map-role-client-scope-authz-role-scope-description=Policies that decide if an admin can apply this role to the client scope of a client
map-role-composite-authz-role-scope-description=Policies that decide if an admin can apply this role as a composite to another role
-
+manage-group-membership-authz-users-scope-description=Policies that decide if an admin can manage group membership for all users in the realm. This is used in conjunction with specific group policy
+impersonate-authz-users-scope-description=Policies that decide if admin can impersonate other users
+map-roles-authz-users-scope-description=Policies that decide if admin can map roles for all users
+user-impersonated-authz-users-scope-description=Policies that decide which users can be impersonated. These policies are applied to the user being impersonated.
+manage-membership-authz-group-scope-description=Policies that decide if admin can add or remove users from this group
+manage-members-authz-group-scope-description=Policies that decide if an admin can manage the members of this group
diff --git a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
index 86444b8..034d595 100644
--- a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
+++ b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
@@ -2507,7 +2507,7 @@ module.controller('RealmRolePermissionsCtrl', function($scope, $http, $route, $l
});
-module.controller('ClientRolePermissionsCtrl', function($scope, $http, $route, $location, realm, client, role, RoleManagementPermissions, Client, Notifications) {
+module.controller('ClientRolePermissionsCtrl', function($scope, $http, $route, $location, realm, client, role, Client, RoleManagementPermissions, Client, Notifications) {
console.log('RealmRolePermissionsCtrl');
$scope.client = client;
$scope.role = role;
@@ -2515,6 +2515,9 @@ module.controller('ClientRolePermissionsCtrl', function($scope, $http, $route, $
RoleManagementPermissions.get({realm: realm.realm, role: role.id}, function(data) {
$scope.permissions = data;
});
+ Client.query({realm: realm.realm, clientId: getManageClientId(realm)}, function(data) {
+ $scope.realmManagementClientId = data[0].id;
+ });
$scope.setEnabled = function() {
console.log('perssions enabled: ' + $scope.permissions.enabled);
var param = { enabled: $scope.permissions.enabled};
@@ -2542,12 +2545,15 @@ module.controller('UsersPermissionsCtrl', function($scope, $http, $route, $locat
});
-module.controller('ClientPermissionsCtrl', function($scope, $http, $route, $location, realm, client, ClientManagementPermissions, Notifications) {
+module.controller('ClientPermissionsCtrl', function($scope, $http, $route, $location, realm, client, Client, ClientManagementPermissions, Notifications) {
$scope.client = client;
$scope.realm = realm;
ClientManagementPermissions.get({realm: realm.realm, client: client.id}, function(data) {
$scope.permissions = data;
});
+ Client.query({realm: realm.realm, clientId: getManageClientId(realm)}, function(data) {
+ $scope.realmManagementClientId = data[0].id;
+ });
$scope.setEnabled = function() {
var param = { enabled: $scope.permissions.enabled};
$scope.permissions = ClientManagementPermissions.update({realm: realm.realm, client: client.id}, param);
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-permissions.html b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-permissions.html
index bb6d7b6..abc21a4 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-permissions.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-permissions.html
@@ -27,9 +27,9 @@
</thead>
<tbody>
<tr ng-repeat="(scopeName, scopeId) in permissions.scopePermissions">
- <td><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server/permission/scope/{{scopeId}}">{{scopeName}}</a></td>
+ <td><a href="#/realms/{{realm.realm}}/clients/{{realmManagementClientId}}/authz/resource-server/permission/scope/{{scopeId}}">{{scopeName}}</a></td>
<td translate="{{scopeName}}-authz-client-scope-description"></td>
- <td class="kc-action-cell" kc-open="/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server/permission/scope/{{scopeId}}">{{:: 'edit' | translate}}</td>
+ <td class="kc-action-cell" kc-open="/realms/{{realm.realm}}/clients/{{realmManagementClientId}}/authz/resource-server/permission/scope/{{scopeId}}">{{:: 'edit' | translate}}</td>
</tr>
</tbody>
</table>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-role-permissions.html b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-role-permissions.html
index 5b423d0..c5f37ea 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-role-permissions.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/authz/mgmt/client-role-permissions.html
@@ -28,9 +28,9 @@
</thead>
<tbody>
<tr ng-repeat="(scopeName, scopeId) in permissions.scopePermissions">
- <td><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server/permission/scope/{{scopeId}}">{{scopeName}}</a></td>
+ <td><a href="#/realms/{{realm.realm}}/clients/{{realmManagementClientId}}/authz/resource-server/permission/scope/{{scopeId}}">{{scopeName}}</a></td>
<td translate="{{scopeName}}-authz-role-scope-description"></td>
- <td class="kc-action-cell" kc-open="/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server/permission/scope/{{scopeId}}">{{:: 'edit' | translate}}</td>
+ <td class="kc-action-cell" kc-open="/realms/{{realm.realm}}/clients/{{realmManagementClientId}}/authz/resource-server/permission/scope/{{scopeId}}">{{:: 'edit' | translate}}</td>
</tr>
</tbody>
</table>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-clustering.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-clustering.html
index e729582..72ff437 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-clustering.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-clustering.html
@@ -7,7 +7,7 @@
<kc-tabs-client></kc-tabs-client>
- <form class="form-horizontal" name="clusteringForm" novalidate kc-read-only="!client.access.manage">
+ <form class="form-horizontal" name="clusteringForm" novalidate kc-read-only="!client.access.configure">
<legend><span class="text">{{:: 'basic-configuration' | translate}}</span></legend>
<fieldset >
<div class="form-group clearfix">
@@ -31,7 +31,7 @@
</div>
<div class="form-group">
- <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+ <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
<button data-kc-save data-ng-disabled="!changed">{{:: 'save' | translate}}</button>
<button data-kc-reset data-ng-disabled="!changed">{{:: 'cancel' | translate}}</button>
</div>
@@ -43,7 +43,7 @@
<table class="table table-striped table-bordered">
<thead>
<tr>
- <th class="kc-table-actions" colspan="5" data-ng-show="client.access.manage">
+ <th class="kc-table-actions" colspan="5" data-ng-show="client.access.configure">
<div class="pull-right">
<a class="btn btn-default" tooltip="Manually register cluster node. This is usually not needed as cluster node should be registered automatically by adapter"
tooltip-trigger="mouseover mouseout" tooltip-placement="bottom" href="#/register-node/realms/{{realm.realm}}/clients/{{client.id}}/clustering">{{:: 'register-node-manually' | translate}}</a>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-clustering-node.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-clustering-node.html
index 98820eb..7df3a42 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-clustering-node.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-clustering-node.html
@@ -10,10 +10,10 @@
<h1 data-ng-show="create">{{:: 'add-node' | translate}}</h1>
<h1 data-ng-hide="create">
{{node.host|capitalize}}
- <i id="removeClient" class="pficon pficon-delete clickable" data-ng-show="client.access.manage" data-ng-click="unregisterNode()"></i>
+ <i id="removeClient" class="pficon pficon-delete clickable" data-ng-show="client.access.configure" data-ng-click="unregisterNode()"></i>
</h1>
- <form class="form-horizontal" name="clusteringForm" novalidate kc-read-only="!client.access.manage" data-ng-show="create || registered">
+ <form class="form-horizontal" name="clusteringForm" novalidate kc-read-only="!client.access.configure" data-ng-show="create || registered">
<div class="form-group">
<label class="col-md-2 control-label" for="host">{{:: 'host' | translate}}</label>
<div class="col-sm-6">
@@ -27,7 +27,7 @@
</div>
</div>
<div class="form-group">
- <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+ <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
<button data-kc-save data-ng-show="create">{{:: 'save' | translate}}</button>
</div>
</div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials.html
index 3871774..e6865a3 100755
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials.html
@@ -7,7 +7,7 @@
<kc-tabs-client></kc-tabs-client>
- <form class="form-horizontal" name="clientForm" novalidate kc-read-only="!client.access.manage">
+ <form class="form-horizontal" name="clientForm" novalidate kc-read-only="!client.access.configure">
<fieldset class="border-top">
<div class="form-group clearfix">
<label class="col-md-2 control-label" for="clientAuthenticatorType"> {{:: 'client-authenticator' | translate}}</label>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-generic.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-generic.html
index a2d59e1..39e9ebc 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-generic.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-generic.html
@@ -1,11 +1,11 @@
<div>
- <form class="form-horizontal no-margin-top" name="credentialForm" novalidate kc-read-only="!client.access.manage" data-ng-show="currentAuthenticatorConfigProperties.length > 0" data-ng-controller="ClientGenericCredentialsCtrl">
+ <form class="form-horizontal no-margin-top" name="credentialForm" novalidate kc-read-only="!client.access.configure" data-ng-show="currentAuthenticatorConfigProperties.length > 0" data-ng-controller="ClientGenericCredentialsCtrl">
<fieldset>
<kc-provider-config realm="realm" config="client.attributes" properties="currentAuthenticatorConfigProperties"></kc-provider-config>
</fieldset>
<div class="form-group">
- <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+ <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
<button kc-save data-ng-disabled="!changed">{{:: 'save' | translate}}</button>
<button kc-reset data-ng-disabled="!changed">{{:: 'cancel' | translate}}</button>
</div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt.html
index 8df035c..b2a5bf4 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt.html
@@ -1,4 +1,4 @@
- <div class="form-horizontal no-margin-top" name="keyForm" novalidate kc-read-only="!client.access.manage" data-ng-controller="ClientSignedJWTCtrl">
+ <div class="form-horizontal no-margin-top" name="keyForm" novalidate kc-read-only="!client.access.configure" data-ng-controller="ClientSignedJWTCtrl">
<div class="form-group">
<label class="col-md-2 control-label" for="useJwksUrl">{{:: 'use-jwks-url' | translate}}</label>
@@ -63,7 +63,7 @@
</div>
<div class="form-group">
- <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+ <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
<button class="btn btn-default" type="submit" data-ng-click="generateSigningKey()">{{:: 'gen-new-keys-and-cert' | translate}}</button>
<button data-ng-disabled="useJwksUrl" class="btn btn-default" type="submit" data-ng-click="importCertificate()">{{:: 'import-certificate' | translate}}</button>
<button kc-save data-ng-disabled="!changed" data-ng-click="save()">{{:: 'save' | translate}}</button>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt-key-export.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt-key-export.html
index 8fbd079..82e50b7 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt-key-export.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt-key-export.html
@@ -9,7 +9,7 @@
<h1>{{:: 'generate-private-key' | translate}}</h1>
- <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.manage">
+ <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.configure">
<input type="text" readonly value="this is not a login form" style="display: none;">
<input type="password" readonly value="this is not a login form" style="display: none;">
@@ -48,7 +48,7 @@
<kc-tooltip>{{:: 'store-password.tooltip' | translate}}</kc-tooltip>
</div>
<div class="form-group">
- <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+ <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
<button class="btn btn-primary" type="submit" data-ng-click="download()">{{:: 'generate-and-download' | translate}}</button>
<button class="btn btn-default" type="submit" data-ng-click="cancel()">{{:: 'cancel' | translate}}</button>
</div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt-key-import.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt-key-import.html
index f96c4f0..ec88cd6 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt-key-import.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-jwt-key-import.html
@@ -9,7 +9,7 @@
<h1>{{:: 'import-client-certificate' | translate}}</h1>
- <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.manage">
+ <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.configure">
<input type="text" readonly value="this is not a login form" style="display: none;">
<input type="password" readonly value="this is not a login form" style="display: none;">
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-secret.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-secret.html
index d4fb071..7cf5bf1 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-secret.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-credentials-secret.html
@@ -1,5 +1,5 @@
<div>
- <form class="form-horizontal no-margin-top" name="credentialForm" novalidate kc-read-only="!client.access.manage" data-ng-controller="ClientSecretCtrl">
+ <form class="form-horizontal no-margin-top" name="credentialForm" novalidate kc-read-only="!client.access.configure" data-ng-controller="ClientSecretCtrl">
<div class="form-group">
<label class="col-md-2 control-label" for="secret">{{:: 'secret' | translate}}</label>
<div class="col-sm-6">
@@ -7,7 +7,7 @@
<div class="col-sm-6">
<input readonly kc-select-action="click" class="form-control" type="text" id="secret" name="secret" data-ng-model="secret">
</div>
- <div class="col-sm-6" data-ng-show="client.access.manage">
+ <div class="col-sm-6" data-ng-show="client.access.configure">
<button type="submit" data-ng-click="changePassword()" class="btn btn-default">{{:: 'regenerate-secret' | translate}}</button>
</div>
</div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html
index 5f24b21..cd6e271 100755
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-detail.html
@@ -7,7 +7,7 @@
<kc-tabs-client></kc-tabs-client>
- <form class="form-horizontal" name="clientForm" novalidate kc-read-only="!client.access.manage">
+ <form class="form-horizontal" name="clientForm" novalidate kc-read-only="!client.access.configure">
<fieldset class="border-top">
<div class="form-group">
<label class="col-md-2 control-label" for="clientId">{{:: 'client-id' | translate}}</label>
@@ -57,7 +57,7 @@
</div>
<kc-tooltip>{{:: 'client-protocol.tooltip' | translate}}</kc-tooltip>
</div>
- <div class="form-group">
+ <div class="form-group" kc-read-only="!client.access.manage">
<label class="col-md-2 control-label" for="protocol">{{:: 'client-template' | translate}}</label>
<div class="col-sm-6">
<div>
@@ -391,7 +391,7 @@
</fieldset>
<div class="form-group">
- <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+ <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
<button kc-save data-ng-disabled="!changed">{{:: 'save' | translate}}</button>
<button kc-reset data-ng-disabled="!changed">{{:: 'cancel' | translate}}</button>
</div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-keys.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-keys.html
index e8d6259..c74f54f 100755
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-keys.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-keys.html
@@ -7,7 +7,7 @@
<kc-tabs-client></kc-tabs-client>
- <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.manage">
+ <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.configure">
<input type="text" readonly value="this is not a login form" style="display: none;">
<input type="password" readonly value="this is not a login form" style="display: none;">
@@ -137,7 +137,7 @@
kc-select-action="click" readonly>{{keyInfo.certificate}}</textarea>
</div>
</div>
- <div class="form-group" data-ng-show="client.access.manage">
+ <div class="form-group" data-ng-show="client.access.configure">
<div class="pull-right">
<button class="btn btn-primary" type="submit" data-ng-click="generate()">Generate new keys</button>
</div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-registration-access-token.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-registration-access-token.html
index 55a3546..327b70d 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-registration-access-token.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-registration-access-token.html
@@ -1,5 +1,5 @@
<div>
- <form class="form-horizontal" name="registrationAccessTokenForm" novalidate kc-read-only="!access.manageClients">
+ <form class="form-horizontal" name="registrationAccessTokenForm" novalidate kc-read-only="!client.access.configure">
<div class="form-group">
<label class="col-md-2 control-label" for="registrationAccessToken">{{:: 'registrationAccessToken' | translate}}</label>
<div class="col-sm-6">
@@ -7,7 +7,7 @@
<div class="col-sm-6">
<input readonly kc-select-action="click" class="form-control" type="text" id="registrationAccessToken" name="registrationAccessToken" data-ng-model="client.registrationAccessToken">
</div>
- <div class="col-sm-6" data-ng-show="access.manageClients">
+ <div class="col-sm-6" data-ng-show="client.access.configure">
<button type="submit" data-ng-click="regenerateRegistrationAccessToken()" class="btn btn-default">{{:: 'registrationAccessToken.regenerate' | translate}}</button>
</div>
</div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-revocation.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-revocation.html
index 761b337..95db767 100755
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-revocation.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-revocation.html
@@ -7,7 +7,7 @@
<kc-tabs-client></kc-tabs-client>
- <form class="form-horizontal" name="credentialForm" novalidate kc-read-only="!client.access.manage">
+ <form class="form-horizontal" name="credentialForm" novalidate kc-read-only="!client.access.configure">
<fieldset class="border-top">
<div class="form-group">
<label class="col-md-2 control-label" for="notBefore">{{:: 'not-before' | translate}}</label>
@@ -18,7 +18,7 @@
</div>
</fieldset>
<div class="form-group">
- <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+ <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
<button type="submit" data-ng-click="clear()" class="btn btn-default">{{:: 'clear' | translate}}</button>
<button type="submit" data-ng-click="setNotBeforeNow()" class="btn btn-default">{{:: 'set-to-now' | translate}}</button>
<button type="submit" data-ng-click="pushRevocation()" class="btn btn-primary" tooltip-trigger="mouseover mouseout" tooltip="{{:: 'client-revoke.push.tooltip' | translate}}" tooltip-placement="bottom">{{:: 'push' | translate}}</button>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html
index d21d7ef..67c96fc 100755
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-role-detail.html
@@ -10,7 +10,7 @@
<kc-tabs-client-role></kc-tabs-client-role>
- <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!client.access.manage">
+ <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!client.access.configure">
<fieldset class="border-top">
<div class="form-group">
@@ -47,13 +47,13 @@
</fieldset>
<div class="form-group">
- <div class="col-md-10 col-md-offset-2" data-ng-show="create && client.access.manages">
+ <div class="col-md-10 col-md-offset-2" data-ng-show="create && client.access.configure">
<button kc-save>{{:: 'save' | translate}}</button>
<button kc-cancel data-ng-click="cancel()">{{:: 'cancel' | translate}}</button>
</div>
</div>
<div class="form-group">
- <div class="col-md-10 col-md-offset-2" data-ng-show="!create && client.access.manage">
+ <div class="col-md-10 col-md-offset-2" data-ng-show="!create && client.access.configure">
<button kc-save data-ng-disabled="!changed">{{:: 'save' | translate}}</button>
<button kc-reset data-ng-disabled="!changed">{{:: 'cancel' | translate}}</button>
</div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-role-list.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-role-list.html
index 458b412..9906074 100755
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-role-list.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-role-list.html
@@ -10,7 +10,7 @@
<table class="table table-striped table-bordered">
<thead>
<tr>
- <th class="kc-table-actions" colspan="5" data-ng-show="client.access.manage">
+ <th class="kc-table-actions" colspan="5" data-ng-show="client.access.configure">
<div class="pull-right">
<a class="btn btn-default" href="#/create/role/{{realm.realm}}/clients/{{client.id}}">{{:: 'add-role' | translate}}</a>
</div>
@@ -29,7 +29,7 @@
<td translate="{{role.composite}}"></td>
<td>{{role.description}}</td>
<td class="kc-action-cell" kc-open="/realms/{{realm.realm}}/clients/{{client.id}}/roles/{{role.id}}">{{:: 'edit' | translate}}</td>
- <td class="kc-action-cell" data-ng-show="client.access.manage" data-ng-click="removeRole(role)">{{:: 'delete' | translate}}</td>
+ <td class="kc-action-cell" data-ng-show="client.access.configure" data-ng-click="removeRole(role)">{{:: 'delete' | translate}}</td>
</tr>
<tr data-ng-show="!roles || roles.length == 0">
<td>{{:: 'no-client-roles-available' | translate}}</td>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-saml-key-export.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-saml-key-export.html
index 753f564..ec51e96 100755
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-saml-key-export.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-saml-key-export.html
@@ -9,7 +9,7 @@
<h1>{{:: 'export-saml-key' | translate}} {{client.clientId|capitalize}}</h1>
- <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.manage">
+ <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.configure">
<input type="text" readonly value="this is not a login form" style="display: none;">
<input type="password" readonly value="this is not a login form" style="display: none;">
@@ -55,7 +55,7 @@
<kc-tooltip>{{:: 'store-password.tooltip' | translate}}</kc-tooltip>
</div>
<div class="form-group">
- <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+ <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
<button class="btn btn-primary" type="submit" data-ng-click="download()">{{:: 'download' | translate}}</button>
</div>
</div>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-saml-key-import.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-saml-key-import.html
index b479058..a580a61 100755
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-saml-key-import.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-saml-key-import.html
@@ -9,7 +9,7 @@
<h1>{{:: 'import-saml-key' | translate}} {{client.clientId|capitalize}}</h1>
- <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.manage">
+ <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.configure">
<input type="text" readonly value="this is not a login form" style="display: none;">
<input type="password" readonly value="this is not a login form" style="display: none;">
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-saml-keys.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-saml-keys.html
index c5374bb..776349d 100755
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-saml-keys.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-saml-keys.html
@@ -7,7 +7,7 @@
<kc-tabs-client></kc-tabs-client>
- <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.manage">
+ <form class="form-horizontal" name="keyForm" novalidate kc-read-only="!client.access.configure">
<fieldset class="form-group col-sm-10" data-ng-show="client.attributes['saml.client.signature'] == 'true'">
<legend uncollapsed><span class="text">{{:: 'signing-key' | translate}}</span> <kc-tooltip>{{:: 'saml-signing-key' | translate}}</kc-tooltip></legend>
<div class="form-group" data-ng-hide="!signingKeyInfo.privateKey">
@@ -27,7 +27,7 @@
</div>
</div>
<div class="form-group">
- <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+ <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
<button class="btn btn-default" type="submit" data-ng-click="generateSigningKey()">{{:: 'generate-new-keys' | translate}}</button>
<button class="btn btn-default" type="submit" data-ng-click="importSigningKey()">{{:: 'import' | translate}}</button>
<button class="btn btn-default" type="submit" data-ng-hide="!signingKeyInfo.certificate" data-ng-click="exportSigningKey()">{{:: 'export' | translate}}</button>
@@ -53,7 +53,7 @@
</div>
</div>
<div class="form-group">
- <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.manage">
+ <div class="col-md-10 col-md-offset-2" data-ng-show="client.access.configure">
<button class="btn btn-default" type="submit" data-ng-click="generateEncryptionKey()">{{:: 'generate-new-keys' | translate}}</button>
<button class="btn btn-default" type="submit" data-ng-click="importEncryptionKey()">{{:: 'import' | translate}}</button>
<button class="btn btn-default" type="submit" data-ng-hide="!encryptionKeyInfo.certificate" data-ng-click="exportEncryptionKey()">{{:: 'export' | translate}}</button>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-scope-mappings.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-scope-mappings.html
index 482ef5b..6cb01f4 100755
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-scope-mappings.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-scope-mappings.html
@@ -25,14 +25,14 @@
<label class="col-md-2 control-label" for="fullScopeAllowed">{{:: 'full-scope-allowed' | translate}}</label>
<kc-tooltip>{{:: 'full-scope-allowed.tooltip' | translate}}</kc-tooltip>
<div class="col-md-6">
- <input ng-model="client.fullScopeAllowed" ng-click="changeFlag()" name="fullScopeAllowed" id="fullScopeAllowed" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
+ <input kc-read-only="!client.access.manage" ng-model="client.fullScopeAllowed" ng-click="changeFlag()" name="fullScopeAllowed" id="fullScopeAllowed" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}" />
</div>
</div>
<div class="form-group" ng-show="client.useTemplateScope && template && template.fullScopeAllowed">
<label class="col-md-2 control-label" for="fullScopeAllowed">{{:: 'full-scope-allowed' | translate}}</label>
<kc-tooltip>Client template has full scope allowed, which means this client will have the full scope of all roles.</kc-tooltip>
<div class="col-md-1">
- <input ng-model="template.fullScopeAllowed" name="fullScopeAllowed" id="fullScopeAllowed" ng-disabled="true" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
+ <input kc-read-only="!client.access.manage" ng-model="template.fullScopeAllowed" name="fullScopeAllowed" id="fullScopeAllowed" ng-disabled="true" onoffswitch on-text="{{:: 'onText' | translate}}" off-text="{{:: 'offText' | translate}}"/>
</div>
<div class="col-md-1">
<i>inherited</i>
diff --git a/themes/src/main/resources/theme/base/admin/resources/partials/client-service-account-roles.html b/themes/src/main/resources/theme/base/admin/resources/partials/client-service-account-roles.html
index 24b2594..d57873f 100644
--- a/themes/src/main/resources/theme/base/admin/resources/partials/client-service-account-roles.html
+++ b/themes/src/main/resources/theme/base/admin/resources/partials/client-service-account-roles.html
@@ -10,7 +10,7 @@
<h2><span>{{client.clientId}}</span> {{:: 'service-accounts' | translate}} </h2>
<p class="subtitle"></p>
- <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!client.access.manage" data-ng-show="client.serviceAccountsEnabled">
+ <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!client.access.configure" data-ng-show="client.serviceAccountsEnabled">
<div class="form-group">
<label class="col-md-2 control-label" class="control-label">{{:: 'realm-roles' | translate}}</label>
<div class="col-md-10">
@@ -102,7 +102,7 @@
</div>
</form>
- <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!client.access.manage" data-ng-show="!client.serviceAccountsEnabled">
+ <form class="form-horizontal" name="realmForm" novalidate kc-read-only="!client.access.configure" data-ng-show="!client.serviceAccountsEnabled">
<legend><span class="text" translate="service-account-is-not-enabled-for" translate-values="{client: client.clientId}"></span></legend>
</form>
diff --git a/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html b/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html
index cf46c2e..e5b7c21 100755
--- a/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html
+++ b/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html
@@ -43,7 +43,7 @@
<a href="#/realms/{{realm.realm}}/clients/{{client.id}}/service-account-roles">{{:: 'service-account-roles' | translate}}</a>
<kc-tooltip>{{:: 'service-account-roles.tooltip' | translate}}</kc-tooltip>
</li>
- <li ng-class="{active: path[4] == 'permissions'}">
+ <li ng-class="{active: path[4] == 'permissions'}" data-ng-show="client.access.manage && access.manageAuthorization">
<a href="#/realms/{{realm.realm}}/clients/{{client.id}}/permissions">{{:: 'authz-permissions' | translate}}</a>
<kc-tooltip>{{:: 'manage-permissions-client.tooltip' | translate}}</kc-tooltip>
</li>
diff --git a/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-group.html b/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-group.html
index 3aa12bc..e73d998 100755
--- a/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-group.html
+++ b/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-group.html
@@ -1,7 +1,7 @@
<div data-ng-controller="GroupTabCtrl">
<h1>
{{group.name|capitalize}}
- <i id="removeGroup" class="pficon pficon-delete clickable" data-ng-show="access.manageUsers" data-ng-click="removeGroup()"></i>
+ <i id="removeGroup" class="pficon pficon-delete clickable" data-ng-show="group.access.manage" data-ng-click="removeGroup()"></i>
</h1>
<ul class="nav nav-tabs">
@@ -9,7 +9,7 @@
<li ng-class="{active: path[4] == 'attributes'}"><a href="#/realms/{{realm.realm}}/groups/{{group.id}}/attributes">{{:: 'attributes' | translate}}</a></li>
<li ng-class="{active: path[4] == 'role-mappings'}" ><a href="#/realms/{{realm.realm}}/groups/{{group.id}}/role-mappings">{{:: 'role-mappings' | translate}}</a></li>
<li ng-class="{active: path[4] == 'members'}"><a href="#/realms/{{realm.realm}}/groups/{{group.id}}/members">{{:: 'members' | translate}}</a></li>
- <li ng-class="{active: path[4] == 'permissions'}">
+ <li ng-class="{active: path[4] == 'permissions'}" data-ng-show="group.access.manage && access.manageAuthorization">
<a href="#/realms/{{realm.realm}}/groups/{{group.id}}/permissions">{{:: 'authz-permissions' | translate}}</a>
<kc-tooltip>{{:: 'manage-permissions-group.tooltip' | translate}}</kc-tooltip>
</li>
diff --git a/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-role.html b/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-role.html
index 5c2d71d..785c7e9 100755
--- a/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-role.html
+++ b/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-role.html
@@ -5,7 +5,7 @@
<ul class="nav nav-tabs" data-ng-show="!create">
<li ng-class="{active: !path[4]}"><a href="#/realms/{{realm.realm}}/roles/{{role.id}}">{{:: 'details' | translate}}</a></li>
- <li ng-class="{active: path[4] == 'permissions'}">
+ <li ng-class="{active: path[4] == 'permissions'}" data-ng-show="access.manageRealm && access.manageAuthorization">
<a href="#/realms/{{realm.realm}}/roles/{{role.id}}/permissions">{{:: 'authz-permissions' | translate}}</a>
<kc-tooltip>{{:: 'manage-permissions-role.tooltip' | translate}}</kc-tooltip>
</li>
diff --git a/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-users.html b/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-users.html
index 1c9dc4a..f641dc0 100755
--- a/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-users.html
+++ b/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-users.html
@@ -3,7 +3,7 @@
<ul class="nav nav-tabs">
<li ng-class="{active: path[2] == 'users'}"><a href="#/realms/{{realm.realm}}/users">{{:: 'lookup' | translate}}</a></li>
- <li ng-class="{active: path[2] == 'users-permissions'}"data-ng-show="access.viewRealm">
+ <li ng-class="{active: path[2] == 'users-permissions'}" data-ng-show="access.manageUsers && access.manageAuthorization">
<a href="#/realms/{{realm.realm}}/users-permissions">{{:: 'authz-permissions' | translate}}</a>
<kc-tooltip>{{:: 'manage-permissions-users.tooltip' | translate}}</kc-tooltip>
</li>