added permission checking to ui-ext realm resource so realm names are not leaked to users without the appropriate permissions. #25679 (#25683) (#25845)

Closes: #25392 Closes: #25679 Signed-off-by: Garth <244253+xgp@users.noreply.github.com> (cherry picked from commit 9be7f0e474) Co-authored-by: Garth <244253+xgp@users.noreply.github.com>
2025-12-17 04:24:48 -06:00 · 2024-01-09 10:25:46 +01:00
parent 1b65d4a0f4
commit 04f2f90c04
2 changed files with 13 additions and 3 deletions
--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AdminExtResource.java
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AdminExtResource.java
@@ -47,6 +47,6 @@ public final class AdminExtResource {

    @Path("/realms")
    public RealmResource realms() {
-        return new RealmResource(session);
+        return new RealmResource(session, auth);
    }
 }
--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/RealmResource.java
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/RealmResource.java
@@ -12,6 +12,9 @@ import org.jboss.resteasy.reactive.NoCache;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.services.ForbiddenException;
+import org.keycloak.services.resources.admin.permissions.AdminPermissions;
+import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
+import org.keycloak.services.resources.admin.permissions.RealmsPermissionEvaluator;

 import java.util.Objects;
 import java.util.stream.Stream;
@@ -20,9 +23,11 @@ import static org.keycloak.utils.StreamsUtil.throwIfEmpty;

 public class RealmResource {
    private final KeycloakSession session;
+    private final AdminPermissionEvaluator auth;

-    public RealmResource(KeycloakSession session) {
+    public RealmResource(KeycloakSession session, AdminPermissionEvaluator auth) {
        this.session = session;
+        this.auth = auth;
    }

    @GET
@@ -43,7 +48,12 @@ public class RealmResource {
            )}
    )
    public Stream<String> realmList() {
-        Stream<String> realms = session.realms().getRealmsStream().filter(Objects::nonNull).map(RealmModel::getName);
+        Stream<String> realms = session.realms().getRealmsStream()
+                                .filter(realm -> {
+                                    RealmsPermissionEvaluator eval = AdminPermissions.realms(session, auth.adminAuth());
+                                    return eval.canView(realm) || eval.isAdmin(realm);
+                                  })
+                                .map(RealmModel::getName);
        return throwIfEmpty(realms, new ForbiddenException());
    }
 }