
show permissions

8/9/2017 11:39:59 AM


diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
index 30381d2..bbb7bf4 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java
@@ -40,9 +40,13 @@ import java.util.Arrays;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
 
+import static org.keycloak.services.resources.admin.permissions.AdminPermissionManagement.EXCHANGE_FROM_SCOPE;
+import static org.keycloak.services.resources.admin.permissions.AdminPermissionManagement.EXCHANGE_TO_SCOPE;
+
 /**
  * Manages default policies for all users.
  *
@@ -88,11 +92,11 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
     }
 
     private String getExchangeToPermissionName(ClientModel client) {
-        return AdminPermissionManagement.EXCHANGE_TO_SCOPE + ".permission.client." + client.getId();
+        return EXCHANGE_TO_SCOPE + ".permission.client." + client.getId();
     }
 
     private String getExchangeFromPermissionName(ClientModel client) {
-        return AdminPermissionManagement.EXCHANGE_FROM_SCOPE + ".permission.client." + client.getId();
+        return EXCHANGE_FROM_SCOPE + ".permission.client." + client.getId();
     }
 
     private void initialize(ClientModel client) {
@@ -112,8 +116,8 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
         Scope mapRoleClientScope = root.initializeScope(MAP_ROLES_CLIENT_SCOPE, server);
         Scope mapRoleCompositeScope = root.initializeScope(MAP_ROLES_COMPOSITE_SCOPE, server);
         Scope configureScope = root.initializeScope(CONFIGURE_SCOPE, server);
-        Scope exchangeFromScope = root.initializeScope(AdminPermissionManagement.EXCHANGE_FROM_SCOPE, server);
-        Scope exchangeToScope = root.initializeScope(AdminPermissionManagement.EXCHANGE_TO_SCOPE, server);
+        Scope exchangeFromScope = root.initializeScope(EXCHANGE_FROM_SCOPE, server);
+        Scope exchangeToScope = root.initializeScope(EXCHANGE_TO_SCOPE, server);
 
         String resourceName = getResourceName(client);
         Resource resource = authz.getStoreFactory().getResourceStore().findByName(resourceName, server.getId());
@@ -190,6 +194,8 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
         deletePolicy(getMapRolesClientScopePermissionName(client), server);
         deletePolicy(getMapRolesCompositePermissionName(client), server);
         deletePolicy(getConfigurePermissionName(client), server);
+        deletePolicy(getExchangeToPermissionName(client), server);
+        deletePolicy(getExchangeFromPermissionName(client), server);
         Resource resource = authz.getStoreFactory().getResourceStore().findByName(getResourceName(client), server.getId());;
         if (resource != null) authz.getStoreFactory().getResourceStore().delete(resource.getId());
     }
@@ -218,11 +224,11 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
     }
 
     private Scope exchangeFromScope(ResourceServer server) {
-        return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.EXCHANGE_FROM_SCOPE, server.getId());
+        return authz.getStoreFactory().getScopeStore().findByName(EXCHANGE_FROM_SCOPE, server.getId());
     }
 
     private Scope exchangeToScope(ResourceServer server) {
-        return authz.getStoreFactory().getScopeStore().findByName(AdminPermissionManagement.EXCHANGE_TO_SCOPE, server.getId());
+        return authz.getStoreFactory().getScopeStore().findByName(EXCHANGE_TO_SCOPE, server.getId());
     }
 
     private Scope configureScope(ResourceServer server) {
@@ -301,13 +307,15 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
     @Override
     public Map<String, String> getPermissions(ClientModel client) {
         initialize(client);
-        Map<String, String> scopes = new HashMap<>();
-        scopes.put(MAP_ROLES_SCOPE,  mapRolesPermission(client).getId());
-        scopes.put(MAP_ROLES_CLIENT_SCOPE, mapRolesClientScopePermission(client).getId());
-        scopes.put(MAP_ROLES_COMPOSITE_SCOPE, mapRolesCompositePermission(client).getId());
+        Map<String, String> scopes = new LinkedHashMap<>();
         scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(client).getId());
         scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(client).getId());
         scopes.put(CONFIGURE_SCOPE, configurePermission(client).getId());
+        scopes.put(MAP_ROLES_SCOPE,  mapRolesPermission(client).getId());
+        scopes.put(MAP_ROLES_CLIENT_SCOPE, mapRolesClientScopePermission(client).getId());
+        scopes.put(MAP_ROLES_COMPOSITE_SCOPE, mapRolesCompositePermission(client).getId());
+        scopes.put(EXCHANGE_FROM_SCOPE, exchangeFromPermission(client).getId());
+        scopes.put(EXCHANGE_TO_SCOPE, exchangeToPermission(client).getId());
         return scopes;
     }
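Review bot: The two added `scopes.put(EXCHANGE_*_SCOPE, ...Permission(client).getId())` lines dereference the policy lookup unconditionally, while the evaluator hunks further down in this same file explicitly tolerate the exchange scope being absent (`if (scope == null) { ...; return false; }`); if `initialize(client)` does not (re)create these two policies for clients whose permissions were set up before exchange scopes existed, this admin endpoint would throw a NullPointerException instead of simply omitting the entry. Storing each lookup in a local and skipping the `put` when it is null keeps the response well-formed, e.g. `if (exchangeFromPermission(client) != null) scopes.put(EXCHANGE_FROM_SCOPE, exchangeFromPermission(client).getId());` (better with a single lookup held in a local). The switch to `LinkedHashMap` makes insertion order part of the contract, presumably because the admin UI renders the map in this order, so the method deserves a line such as `/** Permission ids keyed by scope name, in UI display order: view, manage, configure, map-roles*, exchange-from, exchange-to. */`, and since this is an `@Override` the ordering guarantee belongs on the interface declaration as well. The body of `initialize(client)` and its policy creation are outside this hunk, so the null-safety concern is an assumption to confirm.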
 
@@ -341,7 +349,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
 
             Scope scope = exchangeFromScope(server);
             if (scope == null) {
-                logger.debug(AdminPermissionManagement.EXCHANGE_FROM_SCOPE + " not initialized");
+                logger.debug(EXCHANGE_FROM_SCOPE + " not initialized");
                 return false;
             }
             ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient);
@@ -390,7 +398,7 @@ class ClientPermissions implements ClientPermissionEvaluator, ClientPermissionMa
 
             Scope scope = exchangeToScope(server);
             if (scope == null) {
-                logger.debug(AdminPermissionManagement.EXCHANGE_TO_SCOPE + " not initialized");
+                logger.debug(EXCHANGE_TO_SCOPE + " not initialized");
                 return false;
             }
             ClientModelIdentity identity = new ClientModelIdentity(session, authorizedClient);
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
index 425edb4..722ea1c 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissions.java
@@ -31,6 +31,7 @@ import org.keycloak.services.ForbiddenException;
 
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
 
@@ -243,11 +244,11 @@ class GroupPermissions implements GroupPermissionEvaluator, GroupPermissionManag
     @Override
     public Map<String, String> getPermissions(GroupModel group) {
         initialize(group);
-        Map<String, String> scopes = new HashMap<>();
+        Map<String, String> scopes = new LinkedHashMap<>();
         scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission(group).getId());
         scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission(group).getId());
-        scopes.put(MANAGE_MEMBERS_SCOPE, manageMembersPermission(group).getId());
         scopes.put(VIEW_MEMBERS_SCOPE, viewMembersPermission(group).getId());
+        scopes.put(MANAGE_MEMBERS_SCOPE, manageMembersPermission(group).getId());
         scopes.put(MANAGE_MEMBERSHIP_SCOPE, manageMembershipPermission(group).getId());
         return scopes;
     }
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
index 33f99db..0e12861 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissions.java
@@ -36,6 +36,7 @@ import org.keycloak.services.ForbiddenException;
 
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
 
@@ -88,7 +89,7 @@ class RolePermissions implements RolePermissionEvaluator, RolePermissionManageme
     @Override
     public Map<String, String> getPermissions(RoleModel role) {
         initialize(role);
-        Map<String, String> scopes = new HashMap<>();
+        Map<String, String> scopes = new LinkedHashMap<>();
         scopes.put(RolePermissionManagement.MAP_ROLE_SCOPE, mapRolePermission(role).getId());
         scopes.put(RolePermissionManagement.MAP_ROLE_CLIENT_SCOPE_SCOPE, mapClientScopePermission(role).getId());
         scopes.put(RolePermissionManagement.MAP_ROLE_COMPOSITE_SCOPE, mapCompositePermission(role).getId());
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
index 14cf844..3ac26ed 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java
@@ -34,6 +34,7 @@ import org.keycloak.services.ForbiddenException;
 
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.Set;
 
@@ -122,9 +123,9 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
     @Override
     public Map<String, String> getPermissions() {
         initialize();
-        Map<String, String> scopes = new HashMap<>();
-        scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission().getId());
+        Map<String, String> scopes = new LinkedHashMap<>();
         scopes.put(AdminPermissionManagement.VIEW_SCOPE, viewPermission().getId());
+        scopes.put(AdminPermissionManagement.MANAGE_SCOPE, managePermission().getId());
         scopes.put(MAP_ROLES_SCOPE, mapRolesPermission().getId());
         scopes.put(MANAGE_GROUP_MEMBERSHIP_SCOPE, manageGroupMembershipPermission().getId());
         scopes.put(IMPERSONATE_SCOPE, adminImpersonatingPermission().getId());
diff --git a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
index a2c8d5b..f261105 100644
--- a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
+++ b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
@@ -1340,6 +1340,8 @@ manage-permissions-group.tooltip=Fine grain permssions for admins that want to m
 manage-authz-group-scope-description=Policies that decide if an admin can manage this group
 view-authz-group-scope-description=Policies that decide if an admin can view this group
 view-members-authz-group-scope-description=Policies that decide if an admin can manage the members of this group
+exchange-to-authz-client-scope-description=Policies that decide which clients are allowed exchange tokens for a token that is targeted to this client.
+exchange-from-authz-client-scope-description=Policies that decide which clients are allowed to exchange tokens that were generated for this client.
 manage-authz-client-scope-description=Policies that decide if an admin can manage this client
 configure-authz-client-scope-description=Reduced management permissions for admin.  Cannot set scope, template, or protocol mappers.
 view-authz-client-scope-description=Policies that decide if an admin can view this client