From bb801a85bc60fad2a3d2f75706c47b839b337eb1 Mon Sep 17 00:00:00 2001
From: Vlasta Ramik
Date: Wed, 16 Apr 2025 12:59:42 +0200
Subject: [PATCH] [FGAP] AvailableRoleMappings do not consider all-clients permissions
Closes #38913
(cherry picked from commit 5c7e0c25f5cd44e9f0a0a0074c6bc98b7da91121)
Signed-off-by: vramik
---
 .../ui/rest/AvailableRoleMappingResource.java | 24 ++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
index 39574d5b592..7d47e3188d7 100644
--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
@@ -239,9 +239,14 @@ public class AvailableRoleMappingResource extends RoleMappingResource {
 }
 private Set getRoleIdsWithPermissions(String roleResourceScope, String clientResourceScope) {
- Set roleIds = this.auth.roles().getRoleIdsByScope(roleResourceScope);
- Set clientIds = this.auth.clients().getClientIdsByScope(clientResourceScope);
- clientIds.stream().flatMap(cid -> realm.getClientById(cid).getRolesStream()).forEach(role -> roleIds.add(role.getId()));
+ Set roleIds;
+ if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm) && canPerformOnAllClients(clientResourceScope)) {
+ roleIds = session.clients().getClientsStream(realm).flatMap(client -> client.getRolesStream()).map(RoleModel::getId).collect(Collectors.toSet());
+ } else {
+ roleIds = this.auth.roles().getRoleIdsByScope(roleResourceScope);
+ Set clientIds = this.auth.clients().getClientIdsByScope(clientResourceScope);
+ clientIds.stream().flatMap(cid -> realm.getClientById(cid).getRolesStream()).forEach(role -> roleIds.add(role.getId()));
+ }
 return roleIds;
 }
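Review bot: The all-clients branch in getRoleIdsWithPermissions returns only client role ids and drops whatever `this.auth.roles().getRoleIdsByScope(roleResourceScope)` would have contributed, so a role granted individually through a role-resource permission (notably a realm role, if callers filter those through this set as well) vanishes from the result as soon as the admin holds the all-clients grant. If the set is meant to cover realm roles too, that branch should still be seeded from the role scope: `roleIds = this.auth.roles().getRoleIdsByScope(roleResourceScope); session.clients().getClientsStream(realm).flatMap(client -> client.getRolesStream()).map(RoleModel::getId).forEach(roleIds::add);` — how callers consume the set is not visible in this hunk. Separately, `realm.getClientById(cid)` in the else branch is dereferenced without a null check; that is carried over from the removed lines unchanged. The method also deserves a short Javadoc stating its contract, e.g. `/** Ids of the roles the caller may act on under the given scopes; with admin permissions enabled and an all-clients grant every client role in the realm qualifies, so the per-client lookup is skipped. */`.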
@@ -254,4 +259,17 @@ public class AvailableRoleMappingResource extends RoleMappingResource {
 Stream result = session.roles().searchForClientRolesStream(realm, search, excludedIds, first, max);
 return result.map(role -> RoleMapper.convertToModel(role, realm)).collect(Collectors.toList());
 }
+
+ private boolean canPerformOnAllClients(String scope) {
+ switch (scope) {
+ case MAP_ROLES:
+ return auth.clients().canMapRoles(null);
+ case MAP_ROLES_COMPOSITE:
+ return auth.clients().canMapCompositeRoles(null);
+ case MAP_ROLES_CLIENT_SCOPE:
+ return auth.clients().canMapClientScopeRoles(null);
+ default:
+ return false;
+ }
+ }
 }
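Review bot: `switch (scope)` in canPerformOnAllClients throws NullPointerException when scope is null, because a String switch dereferences its selector; a guard `if (scope == null) { return false; }` before the switch keeps the method fail-closed in the same way its default branch already does. The `null` handed to `canMapRoles(null)`, `canMapCompositeRoles(null)` and `canMapClientScopeRoles(null)` is the load-bearing detail of this method and is left unexplained; presumably it makes the evaluator check the all-clients resource rather than a specific client, and a comment such as `// null: evaluate the permission against all clients, not a single client` would make that explicit — confirm against the evaluator's contract. A Javadoc along the lines of `/** True when the caller holds the given role-mapping scope for every client in the realm; unknown scopes are denied. */` would complete the new method.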