keycloak-uncached

Merge pull request #1170 from stianst/master KEYCLOAK-1218

4/22/2015 4:43:11 AM


diff --git a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
index 2ece39b..bdde097 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
@@ -9,11 +9,13 @@ import org.jboss.resteasy.spi.ResteasyProviderFactory;
 import org.jboss.resteasy.spi.UnauthorizedException;
 import org.keycloak.ClientConnection;
 import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.models.AdminRoles;
 import org.keycloak.models.ClientModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.protocol.oidc.TokenManager;
 import org.keycloak.representations.AccessToken;
+import org.keycloak.services.ForbiddenException;
 import org.keycloak.services.managers.AppAuthManager;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.RealmManager;
@@ -200,9 +202,14 @@ public class AdminRoot {
         handlePreflightRequest();
 
         AdminAuth auth = authenticateRealmAdminRequest(headers);
+        if (!isAdmin(auth)) {
+            throw new ForbiddenException();
+        }
+
         if (auth != null) {
             logger.debug("authenticated admin access for: " + auth.getUser().getUsername());
         }
+
         Cors.add(request).allowedOrigins(auth.getToken()).allowedMethods("GET", "PUT", "POST", "DELETE").auth().build(response);
 
         ServerInfoAdminResource adminResource = new ServerInfoAdminResource();
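Review bot: The new `isAdmin(auth)` guard dereferences `auth` before the existing `if (auth != null)` check on the line after it, so if `authenticateRealmAdminRequest` can return null for an unauthenticated caller (which that check suggests), the guard now fails with a NullPointerException instead of the authentication failure the caller should see. Either that null check is dead — `auth.getToken()` is also called unconditionally a few lines later — and should be removed so the contract is clear, or the guard belongs after it. If the helper is in fact guaranteed to throw on failure, a comment such as `// authenticateRealmAdminRequest throws on failure, so auth is non-null here` would make the ordering safe to read. The enclosing method starts before this hunk.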
@@ -210,6 +217,26 @@ public class AdminRoot {
         return adminResource;
     }
 
+    protected boolean isAdmin(AdminAuth auth) {
+        if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
+            return true;
+        }
+
+        RealmManager realmManager = new RealmManager(session);
+        if (auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
+            for (RealmModel realm : session.realms().getRealms()) {
+                ClientModel client = realm.getMasterAdminClient();
+                if (auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES)) {
+                    return true;
+                }
+            }
+            return false;
+        } else {
+            ClientModel client = auth.getRealm().getClientByClientId(realmManager.getRealmAdminClientId(auth.getRealm()));
+            return auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES);
+        }
+    }
+
     protected void handlePreflightRequest() {
         if (request.getHttpMethod().equalsIgnoreCase("OPTIONS")) {
             logger.debug("Cors admin pre-flight");
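Review bot: `isAdmin` has no Javadoc, and its two branches encode an authorization rule that is not recoverable from the code alone; a reader cannot tell why the administration realm is treated differently or that holding any realm-admin role in any realm is enough to pass this gate. Suggested Javadoc: "Coarse admin-console entry check: true if the authenticated user holds ADMIN or CREATE_REALM in their own realm, or any realm-administration role — for users of the Keycloak administration realm, on any realm's master admin client; for other users, on their own realm's realm-admin client. Per-realm authorization is enforced by the individual admin resources." Separately, `realm.getMasterAdminClient()` and `getClientByClientId(...)` in the two branches may return null for a realm whose admin client is missing; whether `hasOneOfAppRole` tolerates a null client is not visible here, so either confirm it or guard with `if (client == null) { continue; }` in the loop and `if (client == null) { return false; }` in the else branch.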