[FGAP] AvailableRoleMappings do not consider all-clients permissions

Closes #38913

Signed-off-by: vramik <vramik@redhat.com>
vramik 2025-04-14 10:49:04 +02:00 committed by Pedro Igor
parent 85a43348b6
commit 5c7e0c25f5


@ -239,9 +239,14 @@ public class AvailableRoleMappingResource extends RoleMappingResource {
}
private Set<String> getRoleIdsWithPermissions(String roleResourceScope, String clientResourceScope) {
Set<String> roleIds = this.auth.roles().getRoleIdsByScope(roleResourceScope);
Set<String> clientIds = this.auth.clients().getClientIdsByScope(clientResourceScope);
clientIds.stream().flatMap(cid -> realm.getClientById(cid).getRolesStream()).forEach(role -> roleIds.add(role.getId()));
Set<String> roleIds;
if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm) && canPerformOnAllClients(clientResourceScope)) {
roleIds = session.clients().getClientsStream(realm).flatMap(client -> client.getRolesStream()).map(RoleModel::getId).collect(Collectors.toSet());
} else {
roleIds = this.auth.roles().getRoleIdsByScope(roleResourceScope);
Set<String> clientIds = this.auth.clients().getClientIdsByScope(clientResourceScope);
clientIds.stream().flatMap(cid -> realm.getClientById(cid).getRolesStream()).forEach(role -> roleIds.add(role.getId()));
}
return roleIds;
}
@ -254,4 +259,17 @@ public class AvailableRoleMappingResource extends RoleMappingResource {
Stream<RoleModel> result = session.roles().searchForClientRolesStream(realm, search, excludedIds, first, max);
return result.map(role -> RoleMapper.convertToModel(role, realm)).collect(Collectors.toList());
}
private boolean canPerformOnAllClients(String scope) {
switch (scope) {
case MAP_ROLES:
return auth.clients().canMapRoles(null);
case MAP_ROLES_COMPOSITE:
return auth.clients().canMapCompositeRoles(null);
case MAP_ROLES_CLIENT_SCOPE:
return auth.clients().canMapClientScopeRoles(null);
default:
return false;
}
}
}
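Review bot: The all-clients branch at the top of getRoleIdsWithPermissions builds roleIds only from session.clients().getClientsStream(realm) and never merges this.auth.roles().getRoleIdsByScope(roleResourceScope), so whatever role-level grants the fallback branch still includes (presumably realm roles or individually permitted roles, which cannot be confirmed from this section) are dropped as soon as the caller holds the all-clients permission; unless getRoleIdsByScope is known to be a subset of all client roles, add `roleIds.addAll(this.auth.roles().getRoleIdsByScope(roleResourceScope));` right after the collect. This is a visibility regression rather than an over-exposure, since the broader listing remains gated by both isAdminPermissionsEnabled and canPerformOnAllClients. canPerformOnAllClients depends on a null argument meaning "evaluate the all-resources permission" for canMapRoles, canMapCompositeRoles and canMapClientScopeRoles, a contract that is not visible here; a comment such as `// null resource = check the all-clients permission, not a specific client` above the switch would make it explicit for the next reader. The fallback branch keeps the pre-existing realm.getClientById(cid).getRolesStream() call, which throws NullPointerException if a scoped client id no longer resolves, so a `.filter(Objects::nonNull)` on the looked-up clients is worth considering if that situation can occur. The enclosing class continues outside this section.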