keycloak-aplcache
services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java 16(+16 -0)
services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmsPermissionEvaluator.java 2(+2 -0)
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
index 5db1ea4..650ac75 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/AdminRoot.java
@@ -38,6 +38,8 @@ import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.resources.admin.info.ServerInfoAdminResource;
+import org.keycloak.services.resources.admin.permissions.AdminPermissions;
+import org.keycloak.services.resources.admin.permissions.RealmsPermissionEvaluator;
import org.keycloak.theme.Theme;
import org.keycloak.theme.ThemeProvider;
@@ -229,7 +231,7 @@ public class AdminRoot {
handlePreflightRequest();
AdminAuth auth = authenticateRealmAdminRequest(headers);
- if (!isAdmin(auth)) {
+ if (!AdminPermissions.realms(session, auth).isAdmin()) {
throw new ForbiddenException();
}
@@ -244,26 +246,6 @@ public class AdminRoot {
return adminResource;
}
- protected boolean isAdmin(AdminAuth auth) {
-
- RealmManager realmManager = new RealmManager(session);
- if (auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
- if (auth.hasOneOfRealmRole(AdminRoles.ADMIN, AdminRoles.CREATE_REALM)) {
- return true;
- }
- for (RealmModel realm : session.realms().getRealms()) {
- ClientModel client = realm.getMasterAdminClient();
- if (auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES)) {
- return true;
- }
- }
- return false;
- } else {
- ClientModel client = auth.getRealm().getClientByClientId(realmManager.getRealmAdminClientId(auth.getRealm()));
- return auth.hasOneOfAppRole(client, AdminRoles.ALL_REALM_ROLES);
- }
- }
-
protected void handlePreflightRequest() {
if (request.getHttpMethod().equalsIgnoreCase("OPTIONS")) {
logger.debug("Cors admin pre-flight");
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
index 8c9e584..94fa957 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/MgmtPermissions.java
@@ -318,6 +318,22 @@ class MgmtPermissions implements AdminPermissionEvaluator, AdminPermissionManage
}
@Override
+ public boolean isAdmin() {
+ RealmManager realmManager = new RealmManager(session);
+ if (adminsRealm.equals(realmManager.getKeycloakAdminstrationRealm())) {
+ if (identity.hasRealmRole(AdminRoles.ADMIN) || identity.hasRealmRole(AdminRoles.CREATE_REALM)) {
+ return true;
+ }
+ for (RealmModel realm : session.realms().getRealms()) {
+ if (isAdmin(realm)) return true;
+ }
+ return false;
+ } else {
+ return isAdmin(adminsRealm);
+ }
+ }
+
+ @Override
public boolean canCreateRealm() {
RealmManager realmManager = new RealmManager(session);
if (!auth.getRealm().equals(realmManager.getKeycloakAdminstrationRealm())) {
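Review bot: The non-master branch `return isAdmin(adminsRealm);` keys the decision on `adminsRealm`, whereas the removed `AdminRoot.isAdmin(AdminAuth)` keyed it on `auth.getRealm()` and the sibling `canCreateRealm()` directly below still compares `auth.getRealm()` to the administration realm; unless `adminsRealm` is guaranteed to equal `auth.getRealm()` (not visible here), the access decision for non-master admins has changed, so either confirm that invariant or use the same realm as `canCreateRealm()`. The master-realm loop now delegates to `isAdmin(realm)`, whose body is outside this hunk, so it is worth confirming it matches the replaced `hasOneOfAppRole(realm.getMasterAdminClient(), AdminRoles.ALL_REALM_ROLES)` check exactly, since this method is the gate for the whole admin REST root and any widening there grants entry to it. The method has no Javadoc; `/** Gate for the admin REST root: a master-realm identity needs the admin or create-realm realm role, or isAdmin(realm) for some realm; any other identity needs isAdmin(adminsRealm). */` would make that contract explicit next to the overload. The per-realm scan over `session.realms().getRealms()` was inherited from the removed code but now runs on every admin REST call, which is worth keeping in mind if the realm count is large.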
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmsPermissionEvaluator.java b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmsPermissionEvaluator.java
index b58202f..5286d10 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmsPermissionEvaluator.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/permissions/RealmsPermissionEvaluator.java
@@ -27,6 +27,8 @@ public interface RealmsPermissionEvaluator {
boolean isAdmin(RealmModel realm);
+ boolean isAdmin();
+
boolean canCreateRealm();
void requireCreateRealm();
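Review bot: The new `boolean isAdmin();` sits directly next to `boolean isAdmin(RealmModel realm);` with no documentation, so callers cannot tell from the interface which of the two overloads is the coarse "may use the admin API at all" check and which is the per-realm one. Since `AdminRoot` now uses the no-arg form to guard the admin REST root, a Javadoc such as `/** Whether the authenticated identity may access the admin REST root at all; see {@link #isAdmin(RealmModel)} for rights on a specific realm. */` would pin the contract for future implementations. Documenting that the result gates access, not just a UI capability, also makes it clearer that implementations must stay conservative.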
diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/TestCleanup.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/TestCleanup.java
index 17ff44a..e20485c 100644
--- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/TestCleanup.java
+++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/TestCleanup.java
@@ -116,6 +116,7 @@ public class TestCleanup {
public void executeCleanup() {
+ if (adminClient == null) throw new RuntimeException("ADMIN CLIENT NULL");
RealmResource realm = adminClient.realm(realmName);
if (userIds != null) {
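Review bot: The added guard `throw new RuntimeException("ADMIN CLIENT NULL")` reads like a debugging leftover: a generic exception type and an all-caps message with no context about which cleanup failed. A precondition failure is better expressed as `if (adminClient == null) throw new IllegalStateException("adminClient not initialized; cannot clean up realm " + realmName);`, which names the realm already available on the next line and tells the reader the object was used before being set up. The rest of `executeCleanup()` continues outside the hunk.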
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java
index d6d2ad8..262d0b2 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java
@@ -167,6 +167,7 @@ public abstract class AbstractKeycloakTest {
removeRealm(testRealm.getRealm());
}
} else {
+ log.info("calling all TestCleanup");
// Logout all users after the test
List<RealmRepresentation> realms = testContext.getTestRealmReps();
for (RealmRepresentation realm : realms) {
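Review bot: `log.info("calling all TestCleanup")` emits at INFO level on every test teardown but carries no information a reader can act on, which suggests it was added for ad-hoc tracing. If it is meant to stay, lowering it to debug and stating what is happening, e.g. `log.debug("Running TestCleanup for all test realms");`, keeps the test log readable; otherwise it is better dropped before merge. The enclosing teardown method starts and ends outside this hunk.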
@@ -178,6 +179,7 @@ public abstract class AbstractKeycloakTest {
try {
if (cleanup != null) cleanup.executeCleanup();
} catch (Exception e) {
+ log.error("failed cleanup!", e);
throw new RuntimeException(e);
}
}
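Review bot: Logging the exception with `log.error("failed cleanup!", e)` and then rethrowing it as `new RuntimeException(e)` reports the same stack trace twice, once in the log and once wherever the rethrown exception surfaces. If the rethrow is what callers rely on, the log line is redundant; if the log is needed because some caller swallows the exception, the rethrow should at least carry context, e.g. `throw new RuntimeException("TestCleanup failed for realm " + realm.getRealm(), e);`, assuming `realm` is the `RealmRepresentation` loop variable visible in the previous hunk. The enclosing loop and method continue outside this hunk.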