8000 Use MgmtPermissionsV2 by default by vramik · Pull Request #40835 · keycloak/keycloak · GitHub
Use MgmtPermissionsV2 by default #40835

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
import org.jboss.logging.Logger;
import org.keycloak.admin.ui.rest.model.BruteUser;
import org.keycloak.authorization.fgap.AdminPermissionsSchema;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Time;
import org.keycloak.models.Constants;
import org.keycloak.models.KeycloakSession;
Expand Down Expand Up @@ -148,7 +149,7 @@ public final Stream<BruteUser> searchUser(@QueryParam("search") String search,
private Stream<BruteUser> searchForUser(Map<String, String> attributes, RealmModel realm, UserPermissionEvaluator usersEvaluator, Boolean briefRepresentation, Integer firstResult, Integer maxResults, Boolean includeServiceAccounts) {
attributes.put(UserModel.INCLUDE_SERVICE_ACCOUNT, includeServiceAccounts.toString());

if (!AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
Set<String> groupIds = auth.groups().getGroupIdsWithViewPermission();
if (!groupIds.isEmpty()) {
session.setAttribute(UserModel.GROUPS, groupIds);
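Review bot: The guard `if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ))` replaces a per-realm decision with a server-wide one, so with V1 enabled the group-id filter is now pushed into the session even for realms that previously skipped it under V2, and with V1 off no group scoping happens in this method at all. Whether that is safe depends on what `auth.groups().getGroupIdsWithViewPermission()` returns for the V2 evaluator and on V2 restricting the stream elsewhere, neither of which is visible in this hunk; a search by an admin holding only query-users under V2 is the case to confirm. A comment above the guard would record the intent, e.g. `// Group scoping is a legacy (V1) fine-grained-permissions mechanism; under V2 the evaluator is expected to restrict results itself - keep in sync with the admin users resource`. `searchForUser` continues past the end of the hunk.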
Expand Up @@ -442,10 +442,10 @@ public Integer getUsersCount(
if (userPermissionEvaluator.canView()) {
return session.users().getUsersCount(realm, parameters);
} else {
if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
return session.users().getUsersCount(realm, parameters);
} else {
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
return session.users().getUsersCount(realm, parameters, auth.groups().getGroupIdsWithViewPermission());
} else {
return session.users().getUsersCount(realm, parameters);
}
}
} else if (last != null || first != null || email != null || username != null || emailVerified != null || enabled != null || !searchAttributes.isEmpty()) {
Expand Down Expand Up @@ -482,19 +482,20 @@ public Integer getUsersCount(
if (userPermissionEvaluator.canView()) {
return session.users().getUsersCount(realm, parameters);
} else {
if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
return session.users().getUsersCount(realm, parameters);
} else {
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
return session.users().getUsersCount(realm, parameters, auth.groups().getGroupIdsWithViewPermission());
} else {
return session.users().getUsersCount(realm, parameters);
}
}
} else if (userPermissionEvaluator.canView()) {
return session.users().getUsersCount(realm);
} else {
if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
return session.users().getUsersCount(realm, auth.groups().getGroupIdsWithViewPermission());
} else {
return session.users().getUsersCount(realm);
}
return session.users().getUsersCount(realm, auth.groups().getGroupIdsWithViewPermission());
}
}

Expand All @@ -512,7 +513,7 @@ public UserProfileResource userProfile() {
private Stream<UserRepresentation> searchForUser(Map<String, String> attributes, RealmModel realm, UserPermissionEvaluator usersEvaluator, Boolean briefRepresentation, Integer firstResult, Integer maxResults, Boolean includeServiceAccounts) {
attributes.put(UserModel.INCLUDE_SERVICE_ACCOUNT, includeServiceAccounts.toString());

if (!AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
Set<String> groupIds = auth.groups().getGroupIdsWithViewPermission();
if (!groupIds.isEmpty()) {
session.setAttribute(UserModel.GROUPS, groupIds);
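Review bot: In each of the three `else` branches of `getUsersCount`, a caller for whom `userPermissionEvaluator.canView()` is false now receives the unscoped `getUsersCount(realm, parameters)` (or `getUsersCount(realm)`) whenever ADMIN_FINE_GRAINED_AUTHZ is off, which with V2 as the default is the common configuration; before this change that unscoped path was reached only for realms with V2 switched on. A realm-wide user count is low-value but still information a non-viewer arguably should not get, so either the V2 evaluator must deny earlier (not visible here) or the branch should return a scoped count or 0, and a test pinning the expected value for a query-users-only admin under V2 would settle which. The same if/else is copy-pasted three times; a helper removes two copies and gives the decision one home. `getUsersCount` starts before and ends after the hunk.
```java
/** Count users visible to the caller; group-scoped only under legacy (V1) fine-grained permissions. */
private Integer countVisibleUsers(RealmModel realm, Map<String, String> parameters, UserPermissionEvaluator userPermissionEvaluator) {
    if (userPermissionEvaluator.canView() || !Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)) {
        // NOTE(review): without V1 this is the realm-wide count even when canView() is false - confirm V2 gates earlier
        return session.users().getUsersCount(realm, parameters);
    }
    return session.users().getUsersCount(realm, parameters, auth.groups().getGroupIdsWithViewPermission());
}
// … unchanged: parameter assembly in getUsersCount …
return countVisibleUsers(realm, parameters, userPermissionEvaluator);
```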
Expand Up @@ -16,7 +16,6 @@
*/
package org.keycloak.services.resources.admin.fgap;

import org.keycloak.authorization.fgap.AdminPermissionsSchema;
import org.keycloak.common.Profile;
import org.keycloak.models.ClientModel;
import org.keycloak.models.GroupModel;
Expand All @@ -36,28 +35,27 @@ public class AdminPermissions {


public static AdminPermissionEvaluator evaluator(KeycloakSession session, RealmModel realm, AdminAuth auth) {
if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ_V2)) {
return new MgmtPermissionsV2(session, realm, auth);
}
return new MgmtPermissions(session, realm, auth);
}
public static AdminPermissionEvaluator evaluator(KeycloakSession session, RealmModel realm, RealmModel adminsRealm, UserModel admin) {
if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ_V2)) {
return new MgmtPermissionsV2(session, adminsRealm, admin);
}
return new MgmtPermissions(session, realm, adminsRealm, admin);
}

public static RealmsPermissionEvaluator realms(KeycloakSession session, AdminAuth auth) {
RealmModel realm = session.getContext().getRealm();
if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ_V2)) {
return new MgmtPermissionsV2(session, auth);
}
return new MgmtPermissions(session, auth);
}

public static AdminPermissionManagement management(KeycloakSession session, RealmModel realm) {
if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
if (Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ_V2)) {
return new MgmtPermissionsV2(session, realm);
}
return new MgmtPermissions(session, realm);
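Review bot: Evaluator selection in `evaluator`, `realms` and `management` now keys on the server-wide `ADMIN_FINE_GRAINED_AUTHZ_V2` flag instead of the realm's own setting, and the `AdminPermissionsSchema` import is dropped, so a realm that never opted in gets `MgmtPermissionsV2` as soon as the feature is on; that is the PR's stated purpose, but it is an authorization-model switch and nothing in the class says so. Add a class-level Javadoc such as `Factory for admin permission evaluators. Selection is server-wide: when ADMIN_FINE_GRAINED_AUTHZ_V2 is enabled every realm uses MgmtPermissionsV2, regardless of realm-level settings.` The same check is repeated four times; a single `private static boolean useV2() { return Profile.isFeatureEnabled(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ_V2); }` keeps the four factories from drifting. The second `evaluator` overload passes `adminsRealm` but not `realm` to the V2 constructor while V1 receives both; that predates this change but deserves a comment now that V2 is the default. The class opens before the hunk and closes after it.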
Expand Up @@ -21,7 +21,6 @@
import org.hamcrest.Matchers;
import org.jgroups.util.UUID;
import org.junit.jupiter.api.Test;
import org.keycloak.admin.client.resource.AuthorizationResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.Constants;
Expand All @@ -41,11 +40,6 @@
import org.keycloak.representations.idm.RealmEventsConfigRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.PolicyRepresentation;
import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
import org.keycloak.representations.idm.authorization.ScopeRepresentation;
import org.keycloak.services.resources.admin.AdminAuth.Resource;
import org.keycloak.testframework.annotations.InjectRealm;
import org.keycloak.testframework.annotations.KeycloakIntegrationTest;
Expand All @@ -58,14 +52,11 @@
import org.keycloak.testsuite.util.IdentityProviderBuilder;
import org.keycloak.testsuite.util.RoleBuilder;

import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;

import static org.hamcrest.MatcherAssert.assertThat;
import static org.keycloak.services.resources.admin.AdminAuth.Resource.AUTHORIZATION;
import static org.keycloak.services.resources.admin.AdminAuth.Resource.CLIENT;

/**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
Expand Down Expand Up @@ -297,75 +288,6 @@ public void clientInitialAccess() {
invoke(realm -> realm.clientInitialAccess().delete("nosuch"), Resource.CLIENT, true);
}

@Test
public void clientAuthorization() {
String fooAuthzClientUuid = ApiUtil.getCreatedId(managedRealm1.admin().clients().create(ClientConfigBuilder.create().clientId("foo-authz").build()));
ClientRepresentation foo = managedRealm1.admin().clients().get(fooAuthzClientUuid).toRepresentation();

invoke((realm, response) -> {
foo.setServiceAccountsEnabled(true);
foo.setAuthorizationServicesEnabled(true);
realm.clients().get(foo.getId()).update(foo);
}, CLIENT, true);
invoke(realm -> realm.clients().get(foo.getId()).authorization().getSettings(), AUTHORIZATION, false);
invoke(realm -> {
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
ResourceServerRepresentation settings = authorization.getSettings();
authorization.update(settings);
}, AUTHORIZATION, true);
invoke(realm -> {
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.resources().resources();
}, AUTHORIZATION, false);
invoke(realm -> {
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.scopes().scopes();
}, AUTHORIZATION, false);
invoke(realm -> {
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.policies().policies();
}, AUTHORIZATION, false);
invoke((realm, response) -> {
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
response.set(authorization.resources().create(new ResourceRepresentation("Test", Collections.emptySet())));
}, AUTHORIZATION, true);
invoke((realm, response) -> {
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
response.set(authorization.scopes().create(new ScopeRepresentation("Test")));
}, AUTHORIZATION, true);
invoke((realm, response) -> {
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
representation.setName("Test PermissionsTest");
representation.addResource("Default Resource");
response.set(authorization.permissions().resource().create(representation));
}, AUTHORIZATION, true);
invoke(realm -> {
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.resources().resource("nosuch").update(new ResourceRepresentation());
}, AUTHORIZATION, true);
invoke(realm -> {
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.scopes().scope("nosuch").update(new ScopeRepresentation());
}, AUTHORIZATION, true);
invoke(realm -> {
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.policies().policy("nosuch").update(new PolicyRepresentation());
}, AUTHORIZATION, true);
invoke(realm -> {
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.resources().resource("nosuch").remove();
}, AUTHORIZATION, true);
invoke(realm -> {
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.scopes().scope("nosuch").remove();
}, AUTHORIZATION, true);
invoke(realm -> {
AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
authorization.policies().policy("nosuch").remove();
}, AUTHORIZATION, true);
}

@Test
public void roles() {
RoleRepresentation newRole = RoleBuilder.create().name("sample-role").build();
Expand Down Expand Up @@ -544,9 +466,6 @@ public void users() {
invoke(realm -> realm.users().get(user.getId()).update(user), clients.get(AdminRoles.QUERY_CLIENTS), false);
// users with query-user role should be able to query required actions so the user detail page can be rendered successfully when fine-grained permissions are enabled.
invoke(realm -> realm.flows().getRequiredActions(), clients.get(AdminRoles.QUERY_USERS), true);
// users with query-user role should be able to query clients so the user detail page can be rendered successfully when fine-grained permissions are enabled.
// if the admin wants to restrict the clients that an user can see he can define permissions for these clients
invoke(realm -> clients.get(AdminRoles.QUERY_USERS).realm(REALM_NAME).clients().findAll(), clients.get(AdminRoles.QUERY_USERS), true);
invoke(realm -> clients.get(AdminRoles.VIEW_USERS).realm(REALM_NAME).users().get(user.getId()).getConfiguredUserStorageCredentialTypes(),
clients.get(AdminRoles.VIEW_USERS), true);
}
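--- /dev/null
+++ b/org/keycloak/tests/admin/PermissionsTestV1.java
@@ -0,0 +1,120 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.tests.admin;
+
+import org.junit.jupiter.api.Test;
+import org.keycloak.admin.client.resource.AuthorizationResource;
+import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.representations.idm.authorization.PolicyRepresentation;
+import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
+import org.keycloak.representations.idm.authorization.ResourceRepresentation;
+import org.keycloak.representations.idm.authorization.ResourceServerRepresentation;
+import org.keycloak.representations.idm.authorization.ScopeRepresentation;
+import org.keycloak.testframework.annotations.InjectRealm;
+import org.keycloak.testframework.annotations.KeycloakIntegrationTest;
+import org.keycloak.testframework.realm.ClientConfigBuilder;
+import org.keycloak.testframework.realm.ManagedRealm;
+import org.keycloak.tests.admin.authz.fgap.KeycloakAdminPermissionsV1ServerConfig;
+import org.keycloak.tests.utils.admin.ApiUtil;
+
+import java.util.Collections;
+
+import static org.keycloak.services.resources.admin.AdminAuth.Resource.AUTHORIZATION;
+import static org.keycloak.services.resources.admin.AdminAuth.Resource.CLIENT;
+
+/**
+ * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
+ */
+@KeycloakIntegrationTest(config = KeycloakAdminPermissionsV1ServerConfig.class)
+public class PermissionsTestV1 extends AbstractPermissionsTest {
+
+    @InjectRealm(config = PermissionsTestRealmConfig1.class, ref = "realm1")
+    ManagedRealm managedRealm1;
+
+    @InjectRealm(config = PermissionsTestRealmConfig2.class, ref = "realm2")
+    ManagedRealm managedRealm2;
+
+    @Test
+    public void clientAuthorization() {
+        String fooAuthzClientUuid = ApiUtil.getCreatedId(managedRealm1.admin().clients().create(ClientConfigBuilder.create().clientId("foo-authz").build()));
+        ClientRepresentation foo = managedRealm1.admin().clients().get(fooAuthzClientUuid).toRepresentation();
+
+        invoke((realm, response) -> {
+            foo.setServiceAccountsEnabled(true);
+            foo.setAuthorizationServicesEnabled(true);
+            realm.clients().get(foo.getId()).update(foo);
+        }, CLIENT, true);
+        invoke(realm -> realm.clients().get(foo.getId()).authorization().getSettings(), AUTHORIZATION, false);
+        invoke(realm -> {
+            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
+            ResourceServerRepresentation settings = authorization.getSettings();
+            authorization.update(settings);
+        }, AUTHORIZATION, true);
+        invoke(realm -> {
+            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
+            authorization.resources().resources();
+        }, AUTHORIZATION, false);
+        invoke(realm -> {
+            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
+            authorization.scopes().scopes();
+        }, AUTHORIZATION, false);
+        invoke(realm -> {
+            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
+            authorization.policies().policies();
+        }, AUTHORIZATION, false);
+        invoke((realm, response) -> {
+            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
+            response.set(authorization.resources().create(new ResourceRepresentation("Test", Collections.emptySet())));
+        }, AUTHORIZATION, true);
+        invoke((realm, response) -> {
+            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
+            response.set(authorization.scopes().create(new ScopeRepresentation("Test")));
+        }, AUTHORIZATION, true);
+        invoke((realm, response) -> {
+            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
+            ResourcePermissionRepresentation representation = new ResourcePermissionRepresentation();
+            representation.setName("Test PermissionsTest");
+            representation.addResource("Default Resource");
+            response.set(authorization.permissions().resource().create(representation));
+        }, AUTHORIZATION, true);
+        invoke(realm -> {
+            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
+            authorization.resources().resource("nosuch").update(new ResourceRepresentation());
+        }, AUTHORIZATION, true);
+        invoke(realm -> {
+            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
+            authorization.scopes().scope("nosuch").update(new ScopeRepresentation());
+        }, AUTHORIZATION, true);
+        invoke(realm -> {
+            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
+            authorization.policies().policy("nosuch").update(new PolicyRepresentation());
+        }, AUTHORIZATION, true);
+        invoke(realm -> {
+            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
+            authorization.resources().resource("nosuch").remove();
+        }, AUTHORIZATION, true);
+        invoke(realm -> {
+            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
+            authorization.scopes().scope("nosuch").remove();
+        }, AUTHORIZATION, true);
+        invoke(realm -> {
+            AuthorizationResource authorization = realm.clients().get(foo.getId()).authorization();
+            authorization.policies().policy("nosuch").remove();
+        }, AUTHORIZATION, true);
+    }
+}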
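Review bot: `clientAuthorization` is moved here verbatim and pinned to V1 through `KeycloakAdminPermissionsV1ServerConfig`, but the assertion that a `query-users` admin can call `clients().findAll()`, which this PR removes from the shared test, is neither re-homed here nor replaced by a V2 expectation, so that call's outcome for a query-users-only admin is now untested under the default model. Add it to this class with the V1 expectation and, more importantly, to the V2 variant with whatever V2 is meant to return, since listing clients to a user-scoped admin is the kind of disclosure the new model should pin explicitly. The file also carries a `Copyright 2016` header although the class is created in this PR; update the year. The `@KeycloakIntegrationTest` config name is the only thing that distinguishes this from the parent's setup, so a one-line class Javadoc such as `Runs the shared permission checks with the legacy (V1) fine-grained admin permissions enabled.` would help.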
Expand Up @@ -42,12 +42,15 @@
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is;
import static org.hamcrest.MatcherAssert.assertThat;
import org.keycloak.common.Profile;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;

/**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
* @version $Revision: 1 $
*/
@EnableFeature(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)
public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {

public static final String CLIENT_NAME = "application";
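Review bot: `@EnableFeature(Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ)` pins `IllegalAdminUpgradeTest` to the legacy V1 model, so the privilege-escalation scenario its name suggests is no longer exercised against `MgmtPermissionsV2`, which this PR makes the default; unless a V2 counterpart exists elsewhere in the suite, the new evaluator is exactly the one that most needs this coverage. Either parameterize the test over both features or add a sibling test with `ADMIN_FINE_GRAINED_AUTHZ_V2` enabled and the same assertions. The two new imports `import org.keycloak.common.Profile;` and `import org.keycloak.testsuite.arquillian.annotation.EnableFeature;` appear between static imports; move them up with the other non-static imports. The class body continues past the hunk.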