[FGAP] AvailableRoleMappings do not consider all-clients permissions

Closes #38913

(cherry picked from commit 5c7e0c25f5cd44e9f0a0a0074c6bc98b7da91121)

Signed-off-by: vramik <vramik@redhat.com>
Vlasta Ramik 2025-04-16 12:59:42 +02:00 committed by GitHub
parent 2b360d6484
commit bb801a85bc


@ -239,9 +239,14 @@ public class AvailableRoleMappingResource extends RoleMappingResource {
}
private Set<String> getRoleIdsWithPermissions(String roleResourceScope, String clientResourceScope) {
Set<String> roleIds = this.auth.roles().getRoleIdsByScope(roleResourceScope);
Set<String> clientIds = this.auth.clients().getClientIdsByScope(clientResourceScope);
clientIds.stream().flatMap(cid -> realm.getClientById(cid).getRolesStream()).forEach(role -> roleIds.add(role.getId()));
Set<String> roleIds;
if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm) && canPerformOnAllClients(clientResourceScope)) {
roleIds = session.clients().getClientsStream(realm).flatMap(client -> client.getRolesStream()).map(RoleModel::getId).collect(Collectors.toSet());
} else {
roleIds = this.auth.roles().getRoleIdsByScope(roleResourceScope);
Set<String> clientIds = this.auth.clients().getClientIdsByScope(clientResourceScope);
clientIds.stream().flatMap(cid -> realm.getClientById(cid).getRolesStream()).forEach(role -> roleIds.add(role.getId()));
}
return roleIds;
}
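Review bot: In the all-clients branch (L24–L25) `roleIds` is built only from `session.clients().getClientsStream(realm)`, so the `roleResourceScope` parameter is ignored on that path and any ids the else branch would have obtained from `this.auth.roles().getRoleIdsByScope(roleResourceScope)` are silently dropped. Whether that matters depends on callers outside this hunk (the client-role search in the next hunk may be the only consumer), but as written the two branches return different kinds of sets for the same inputs and nothing documents that. If realm-scoped role ids are meant to be included in both cases, seed the set the same way first: `roleIds = this.auth.roles().getRoleIdsByScope(roleResourceScope); session.clients().getClientsStream(realm).flatMap(client -> client.getRolesStream()).map(RoleModel::getId).forEach(roleIds::add);`. Otherwise a one-line comment on L24 stating that the all-clients path intentionally covers client roles only would save the next reader the same question. The else branch still mutates the set returned by `getRoleIdsByScope`, which is unchanged behaviour but relies on that set being mutable.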
@ -254,4 +259,17 @@ public class AvailableRoleMappingResource extends RoleMappingResource {
Stream<RoleModel> result = session.roles().searchForClientRolesStream(realm, search, excludedIds, first, max);
return result.map(role -> RoleMapper.convertToModel(role, realm)).collect(Collectors.toList());
}
private boolean canPerformOnAllClients(String scope) {
switch (scope) {
case MAP_ROLES:
return auth.clients().canMapRoles(null);
case MAP_ROLES_COMPOSITE:
return auth.clients().canMapCompositeRoles(null);
case MAP_ROLES_CLIENT_SCOPE:
return auth.clients().canMapClientScopeRoles(null);
default:
return false;
}
}
}
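Review bot: `canPerformOnAllClients` has no Javadoc, and the meaning of the `null` client passed to `canMapRoles`/`canMapCompositeRoles`/`canMapClientScopeRoles` on L40–L44 is not stated anywhere in the hunk, so a reader cannot tell whether it means "any client" or "no client" without opening the evaluators. Suggest a header comment along the lines of `/** Returns true when the caller holds the given mapping permission for every client in the realm (the evaluators presumably treat a {@code null} client as the all-clients check); unrecognised scopes are rejected. */`, which also makes the fail-closed `default: return false` explicit. `switch (scope)` throws NullPointerException for a null scope; if a caller could ever pass one, `if (scope == null) return false;` keeps the method fail-closed rather than failing loudly. As a point of style, and if the project's language level allows it, this reads better as a switch expression: `return switch (scope) { case MAP_ROLES -> auth.clients().canMapRoles(null); case MAP_ROLES_COMPOSITE -> auth.clients().canMapCompositeRoles(null); case MAP_ROLES_CLIENT_SCOPE -> auth.clients().canMapClientScopeRoles(null); default -> false; };`.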