
[KEYCLOAK-9489] - User not able to log in to admin console when

2/12/2019 12:17:02 PM


diff --git a/server-spi-private/src/main/java/org/keycloak/models/AdminRoles.java b/server-spi-private/src/main/java/org/keycloak/models/AdminRoles.java
index 6178dc8..528b58d 100755
--- a/server-spi-private/src/main/java/org/keycloak/models/AdminRoles.java
+++ b/server-spi-private/src/main/java/org/keycloak/models/AdminRoles.java
@@ -55,6 +55,7 @@ public class AdminRoles {
     public static String QUERY_GROUPS = "query-groups";
 
     public static String[] ALL_REALM_ROLES = {CREATE_CLIENT, VIEW_REALM, VIEW_USERS, VIEW_CLIENTS, VIEW_EVENTS, VIEW_IDENTITY_PROVIDERS, VIEW_AUTHORIZATION, MANAGE_REALM, MANAGE_USERS, MANAGE_CLIENTS, MANAGE_EVENTS, MANAGE_IDENTITY_PROVIDERS, MANAGE_AUTHORIZATION, QUERY_USERS, QUERY_CLIENTS, QUERY_REALMS, QUERY_GROUPS};
+    public static String[] ALL_QUERY_ROLES = {QUERY_USERS, QUERY_CLIENTS, QUERY_REALMS, QUERY_GROUPS};
 
     public static Set<String> ALL_ROLES = new HashSet<>();
     static {
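Review bot: `ALL_QUERY_ROLES` on the added line is a public, non-final, mutable array that the `canListRealms` change in this same commit feeds directly into an authorization decision, so any code holding the reference could change which roles unlock realm access. Arrays cannot be made immutable, but `public static final String[] ALL_QUERY_ROLES = {QUERY_USERS, QUERY_CLIENTS, QUERY_REALMS, QUERY_GROUPS};` at least prevents reassignment, and exposing an unmodifiable `List<String>` alongside it would close the element-mutation hole as well. The existing `ALL_REALM_ROLES` follows the same non-final pattern, so this is a pre-existing convention rather than a regression introduced here. The enclosing class continues outside the hunk.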
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmPermissions.java
index 477fe3a..c24ac3b 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmPermissions.java
@@ -77,7 +77,7 @@ class RealmPermissions implements RealmPermissionEvaluator {
 
     @Override
     public boolean canListRealms() {
-        return canViewRealm() || root.hasOneAdminRole(AdminRoles.QUERY_REALMS);
+        return canViewRealm() || root.hasOneAdminRole(AdminRoles.ALL_QUERY_ROLES);
     }
 
     @Override
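Review bot: The new condition on the changed line widens `canListRealms()` from holders of `query-realms` to holders of any query-* role, and nothing at the call site records why, so a later reader sees a permission check that is broader than its name suggests. A short why-comment would help: `// KEYCLOAK-9489: every query-* role must be able to reach the realm so the admin console can load; the realm representation must still be stripped for these roles`. Whether the representation is actually stripped for `query-users`/`query-clients`/`query-groups` is not shown here — the test hunk only asserts that for `query-realms` — so confirm that whatever previously relied on `QUERY_REALMS` alone still filters realm settings for the newly admitted roles. The enclosing class continues outside the hunk.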
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
index 1454746..d7c2bf3 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
@@ -295,12 +295,10 @@ public class PermissionsTest extends AbstractKeycloakTest {
         }, Resource.REALM, false, true);
         assertGettersEmpty(clients.get(AdminRoles.QUERY_REALMS).realm(REALM_NAME).toRepresentation());
 
-        // this should throw forbidden as "query-users" role isn't enough
-        invoke(new Invocation() {
-            public void invoke(RealmResource realm) {
-                clients.get(AdminRoles.QUERY_USERS).realm(REALM_NAME).toRepresentation();
-            }
-        }, clients.get(AdminRoles.QUERY_USERS), false);
+        // this should pass given that users granted with "query" roles are allowed to access the realm with limited access
+        for (String role : AdminRoles.ALL_QUERY_ROLES) {
+            invoke(realm -> clients.get(role).realms().realm(REALM_NAME).toRepresentation(), clients.get(role), true);
+        }
 
         invoke(new Invocation() {
             public void invoke(RealmResource realm) {
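Review bot: The new loop over `ALL_QUERY_ROLES` asserts only that `toRepresentation()` succeeds for each query role, whereas the `query-realms` case a few lines above additionally checks `assertGettersEmpty(...)`, so the test no longer proves that the realm data handed to `query-users`/`query-clients`/`query-groups` is the stripped "limited access" view the new comment promises. Adding `assertGettersEmpty(clients.get(role).realms().realm(REALM_NAME).toRepresentation());` inside the loop would pin that; if the stripped view is not intended for those roles, the comment should say what they do receive instead. The loop also uses `.realms().realm(REALM_NAME)` while the surrounding code calls `.realm(REALM_NAME)` directly; either form presumably resolves the same resource, but mixing them is noisy. The enclosing test method extends beyond the hunk.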
@@ -499,6 +497,28 @@ public class PermissionsTest extends AbstractKeycloakTest {
                 clients.get(AdminRoles.QUERY_USERS).realm(REALM_NAME).clients().findAll();
             }
         }, clients.get(AdminRoles.QUERY_USERS), false);
+        ClientRepresentation client = l.get(0);
+        invoke(new InvocationWithResponse() {
+            @Override
+            public void invoke(RealmResource realm, AtomicReference<Response> response) {
+                response.set(clients.get(AdminRoles.QUERY_USERS).realm(REALM_NAME).clients().create(client));
+            }
+        }, clients.get(AdminRoles.QUERY_USERS), false);
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                clients.get(AdminRoles.QUERY_USERS).realm(REALM_NAME).clients().get(client.getId()).toRepresentation();
+            }
+        }, clients.get(AdminRoles.QUERY_USERS), false);
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                clients.get(AdminRoles.QUERY_USERS).realm(REALM_NAME).clients().get(client.getId()).update(client);
+            }
+        }, clients.get(AdminRoles.QUERY_USERS), false);
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                clients.get(AdminRoles.QUERY_USERS).realm(REALM_NAME).clients().get(client.getId()).remove();
+            }
+        }, clients.get(AdminRoles.QUERY_USERS), false);
 
         invoke(new Invocation() {
             public void invoke(RealmResource realm) {
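Review bot: The four added negative checks (create/get/update/remove a client) run only for `query-users`, yet this commit admits `query-realms` and `query-groups` into the realm as well, so those newly reachable roles get no assertion that client management remains forbidden. Wrapping the block in `for (String role : new String[] {AdminRoles.QUERY_USERS, AdminRoles.QUERY_REALMS, AdminRoles.QUERY_GROUPS})` and replacing `AdminRoles.QUERY_USERS` with `role` in the four invocations would cover them at no extra cost. `ClientRepresentation client = l.get(0);` also assumes `l` (declared before the hunk) is non-empty; an explicit emptiness assertion would give a clearer failure than an index exception. The enclosing test method starts and ends outside the hunk.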
@@ -1551,6 +1571,38 @@ public class PermissionsTest extends AbstractKeycloakTest {
                 realm.users().search("foo", 0, 1);
             }
         }, Resource.USER, false);
+        // this should throw forbidden as "query-client" role isn't enough
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                clients.get(AdminRoles.QUERY_CLIENTS).realm(REALM_NAME).users().list();
+            }
+        }, clients.get(AdminRoles.QUERY_CLIENTS), false);
+        invoke(new InvocationWithResponse() {
+            @Override
+            public void invoke(RealmResource realm, AtomicReference<Response> response) {
+                response.set(clients.get(AdminRoles.QUERY_CLIENTS).realm(REALM_NAME).users().create(user));
+            }
+        }, clients.get(AdminRoles.QUERY_CLIENTS), false);
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                clients.get(AdminRoles.QUERY_CLIENTS).realm(REALM_NAME).users().search("test");
+            }
+        }, clients.get(AdminRoles.QUERY_CLIENTS), false);
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                realm.users().get(user.getId()).toRepresentation();
+            }
+        }, clients.get(AdminRoles.QUERY_CLIENTS), false);
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                realm.users().get(user.getId()).remove();
+            }
+        }, clients.get(AdminRoles.QUERY_CLIENTS), false);
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                realm.users().get(user.getId()).update(user);
+            }
+        }, clients.get(AdminRoles.QUERY_CLIENTS), false);
     }
 
     @Test
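Review bot: The last three added checks (`toRepresentation`, `remove`, `update` on `realm.users().get(user.getId())`) act on the injected `realm` argument rather than on `clients.get(AdminRoles.QUERY_CLIENTS).realm(REALM_NAME)` as the three checks just above them do, so they only exercise the `query-clients` principal if `invoke` binds `realm` to that client's realm resource — which cannot be confirmed from this hunk. Using the explicit form for all six, e.g. `clients.get(AdminRoles.QUERY_CLIENTS).realm(REALM_NAME).users().get(user.getId()).remove();`, removes the dependency on that detail. The destructive `remove()` check also precedes the `update(user)` check, so if it ever wrongly succeeded the following assertion would fail for the wrong reason; run it last. The comment on the first added line says "query-client" while the role constant is `query-clients`. The enclosing test method starts outside the hunk.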