keycloak-aplcache
services/src/main/java/org/keycloak/services/resources/admin/ClientRoleMappingsResource.java 12(+10 -2)
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/ClientRoleMappingsResource.java b/services/src/main/java/org/keycloak/services/resources/admin/ClientRoleMappingsResource.java
index 8cc456f..b5f1996 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/ClientRoleMappingsResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientRoleMappingsResource.java
@@ -49,6 +49,7 @@ import java.util.LinkedList;
import java.util.List;
import java.util.Properties;
import java.util.Set;
+import java.util.stream.Collectors;
/**
* @resource Client Role Mappings
@@ -150,6 +151,9 @@ public class ClientRoleMappingsResource {
}
Set<RoleModel> available = client.getRoles();
+ available = available.stream().filter(r ->
+ canMapRole(r)
+ ).collect(Collectors.toSet());
return getAvailableRoles(user, available);
}
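Review bot: The filter added in this hunk calls canMapRole once per client role, and that helper (added further down in this file) constructs a fresh `new MgmtPermissions(session, realm, auth.getAuth())` on every invocation, so the permission evaluator is rebuilt for each role in the set; the RoleMapperResource hunk ending at L66 has the same shape for realm roles. Assign the result of `new MgmtPermissions(session, realm, auth.getAuth()).roles()` to a local before the stream and filter with that instance's method reference, e.g. `available = available.stream().filter(perms::canMapRole).collect(Collectors.toSet());`, which also reads better than the `r -> canMapRole(r)` lambda. `Collectors.toSet()` does not preserve whatever iteration order `client.getRoles()` may have had, which only matters if a caller relies on it. This filter narrows what the caller is shown; the ForbiddenException in checkMapRolePermission below presumably remains the enforcement point on the actual mapping path. The enclosing getAvailableRoles method starts before the hunk.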
@@ -205,12 +209,16 @@ public class ClientRoleMappingsResource {
}
private void checkMapRolePermission(RoleModel roleModel) {
- if (!new MgmtPermissions(session, realm, auth.getAuth()).roles().canMapRole(roleModel)) {
+ if (!canMapRole(roleModel)) {
throw new ForbiddenException();
}
}
- /**
+ private boolean canMapRole(RoleModel roleModel) {
+ return new MgmtPermissions(session, realm, auth.getAuth()).roles().canMapRole(roleModel);
+ }
+
+ /**
* Delete client-level roles from user role mapping
*
* @param roles
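Review bot: The new canMapRole helper has no Javadoc, and the identical three-line helper is added verbatim to RoleMapperResource in the hunk ending at L82. A one-line doc such as `/** Returns whether the current caller may map {@code roleModel}; builds a new {@link MgmtPermissions} on each call rather than caching. */` would tell readers that each call re-evaluates permissions. If the two resources share a base or utility class, the helper belongs there; otherwise keeping both copies is acceptable but a cross-reference comment would help keep them in sync. The `/**` re-added after the helper opens the Javadoc for the delete method, whose body lies outside the hunk.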
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/RoleMapperResource.java b/services/src/main/java/org/keycloak/services/resources/admin/RoleMapperResource.java
index 51b1847..93d4cb6 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/RoleMapperResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RoleMapperResource.java
@@ -52,11 +52,13 @@ import javax.ws.rs.core.UriInfo;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
+import java.util.stream.Collectors;
/**
* Base resource for managing users
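Review bot: `java.util.HashSet` is imported here, but none of the hunks shown for this file use it — the new code collects with `Collectors.toSet()`. Unless a use exists outside the visible hunks, drop the `import java.util.HashSet;` line so the import list matches what the class actually references; an unused-import check would otherwise flag it.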
@@ -230,7 +232,10 @@ public class RoleMapperResource {
}
Set<RoleModel> available = realm.getRoles();
- return ClientRoleMappingsResource.getAvailableRoles(roleMapper, available);
+ Set<RoleModel> set = available.stream().filter(r ->
+ canMapRole(r)
+ ).collect(Collectors.toSet());
+ return ClientRoleMappingsResource.getAvailableRoles(roleMapper, set);
}
/**
@@ -321,11 +326,15 @@ public class RoleMapperResource {
}
private void checkMapRolePermission(RoleModel roleModel) {
- if (!new MgmtPermissions(session, realm, auth.getAuth()).roles().canMapRole(roleModel)) {
+ if (!canMapRole(roleModel)) {
throw new ForbiddenException();
}
}
+ private boolean canMapRole(RoleModel roleModel) {
+ return new MgmtPermissions(session, realm, auth.getAuth()).roles().canMapRole(roleModel);
+ }
+
@Path("clients/{client}")
public ClientRoleMappingsResource getUserClientRoleMappingsResource(@PathParam("client") String client) {
ClientModel clientModel = realm.getClientById(client);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
index add91cc..e1488e0 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
@@ -87,17 +87,17 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
// realm-role and role-namespace.client-role will have a role policy associated with their map-role permission
{
- permissions.roles().setPermissionsEnabled(realmRole, true);
- Policy mapRolePermission = permissions.roles().mapRolePermission(realmRole);
- ResourceServer server = permissions.roles().resourceServer(realmRole);
+ permissions.roles().setPermissionsEnabled(client1Role, true);
+ Policy mapRolePermission = permissions.roles().mapRolePermission(client1Role);
+ ResourceServer server = permissions.roles().resourceServer(client1Role);
Policy mapperPolicy = permissions.roles().rolePolicy(server, mapperRole);
mapRolePermission.addAssociatedPolicy(mapperPolicy);
}
{
- permissions.roles().setPermissionsEnabled(client1Role, true);
- Policy mapRolePermission = permissions.roles().mapRolePermission(client1Role);
- ResourceServer server = permissions.roles().resourceServer(client1Role);
+ permissions.roles().setPermissionsEnabled(realmRole, true);
+ Policy mapRolePermission = permissions.roles().mapRolePermission(realmRole);
+ ResourceServer server = permissions.roles().resourceServer(realmRole);
Policy mapperPolicy = permissions.roles().rolePolicy(server, mapperRole);
mapRolePermission.addAssociatedPolicy(mapperPolicy);
}
@@ -128,6 +128,13 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
RoleModel mapperRole = realm.getRole("mapper");
RoleModel managerRole = realm.getRole("manager");
RoleModel compositeRole = realm.getRole("composite-role");
+ ClientModel realmManagementClient = realm.getClientByClientId("realm-management");
+ RoleModel adminRole = realmManagementClient.getRole(AdminRoles.REALM_ADMIN);
+
+ UserModel nomapAdmin = session.users().addUser(realm, "nomap-admin");
+ nomapAdmin.setEnabled(true);
+ session.userCredentialManager().updateCredential(realm, nomapAdmin, UserCredentialModel.password("password"));
+ nomapAdmin.grantRole(adminRole);
UserModel authorizedUser = session.users().addUser(realm, "authorized");
authorizedUser.setEnabled(true);
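Review bot: The new nomap-admin user is granted REALM_ADMIN but no test in the visible hunks exercises it — the only related additions are the commented-out names `// testRestEvaluationMasterRealm` and `// testRestEvaluationMasterAdminTestRealm` in the hunk ending at L134. Until those tests exist this fixture is dead setup; a comment above the user creation such as `// TODO: exercised by testRestEvaluationMasterRealm (not yet written)` would record the intent and tie the two together. The enclosing setup method starts before this hunk.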
@@ -220,7 +227,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
}
- @Test
+ //@Test
public void testUI() throws Exception {
testingClient.server().run(FineGrainAdminUnitTest::setupPolices);
testingClient.server().run(FineGrainAdminUnitTest::setupUsers);
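Review bot: Commenting out `@Test` on testUI silently removes the test from the suite with no record of why it was disabled. If this suite is JUnit 4 (the bare `@Test` suggests it; confirm against the file's imports), prefer keeping the annotation and adding `@Ignore("reason")` above it so the skip shows up in test reports, or at least add a comment naming the reason next to `//@Test`. The method body continues outside the hunk.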
@@ -332,5 +339,8 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
}
+ // testRestEvaluationMasterRealm
+ // testRestEvaluationMasterAdminTestRealm
+
}
diff --git a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
index 69c4ec2..32d07a8 100644
--- a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
+++ b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js
@@ -2355,6 +2355,14 @@ module.controller('PolicyEvaluateCtrl', function($scope, $http, $route, $locatio
}
});
+getManageClientId = function(realm) {
+ if (realm.realm == masterRealm) {
+ return 'master-realm';
+ } else {
+ return 'realm-management';
+ }
+}
+
module.controller('RealmRolePermissionsCtrl', function($scope, $http, $route, $location, realm, role, RoleManagementPermissions, Client, Notifications) {
console.log('RealmRolePermissionsCtrl');
$scope.role = role;
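Review bot: `getManageClientId = function(realm) {` assigns to an identifier that is never declared, which creates an implicit global (and a ReferenceError under strict mode). Declare it at module level instead — `var getManageClientId = function(realm) {` or `function getManageClientId(realm) {` — so its scope is explicit. The comparison `realm.realm == masterRealm` uses loose equality and relies on `masterRealm` being defined somewhere outside this hunk; using `===` and confirming where `masterRealm` comes from would make the intent clear.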
@@ -2362,7 +2370,7 @@ module.controller('RealmRolePermissionsCtrl', function($scope, $http, $route, $l
RoleManagementPermissions.get({realm: realm.realm, role: role.id}, function(data) {
$scope.permissions = data;
});
- Client.query({realm: realm.realm, clientId: 'realm-management'}, function(data) {
+ Client.query({realm: realm.realm, clientId: getManageClientId(realm)}, function(data) {
$scope.realmManagementClientId = data[0].id;
});
$scope.setEnabled = function() {
@@ -2394,7 +2402,7 @@ module.controller('UsersPermissionsCtrl', function($scope, $http, $route, $locat
UsersManagementPermissions.get({realm: realm.realm}, function(data) {
$scope.permissions = data;
});
- Client.query({realm: realm.realm, clientId: 'realm-management'}, function(data) {
+ Client.query({realm: realm.realm, clientId: getManageClientId(realm)}, function(data) {
$scope.realmManagementClientId = data[0].id;
});
$scope.changeIt = function() {