Make sure searches by identifiers are filtered

Closes #38679

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
Pedro Igor
2025-04-07 09:59:43 -03:00
committed by GitHub
parent a4ca92ab4d
commit d98ca0a2a2
4 changed files with 37 additions and 1 deletions


@@ -138,7 +138,11 @@ public class ClientsResource {
} else {
ClientModel client = realm.getClientByClientId(clientId);
if (client != null) {
clientModels = Stream.of(client);
if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
clientModels = Stream.of(client).filter(auth.clients()::canView);
} else {
clientModels = Stream.of(client);
}
}
}
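Review bot: The new `else` branch repeats `clientModels = Stream.of(client);`, so the single-client stream is now built on two paths with only the filter differing; the UsersResource hunk in this same commit expresses the identical guard without the duplication, and this one should match it: `clientModels = Stream.of(client); if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) { clientModels = clientModels.filter(auth.clients()::canView); }`. Neither hunk says why the check is tied to the admin-permissions schema; if the reason is the one the commit title implies, a one-line comment such as `// FGAP: an exact clientId lookup is not covered by the search filtering, so apply the view check to the single result` above the guard here and in UsersResource would save the next reader a trip to the issue. When the schema is disabled the exact-id result leaves this branch unfiltered, so it presumably relies on the legacy view check later in the method; worth confirming, since that code is outside the hunk. The enclosing method starts before and ends after this hunk.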


@@ -303,6 +303,9 @@ public class UsersResource {
session.users().getUserById(realm, search.substring(SEARCH_ID_PARAMETER.length()).trim());
if (userModel != null) {
userModels = Stream.of(userModel);
if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm)) {
userModels = userModels.filter(userPermissionEvaluator::canView);
}
}
} else {
Map<String, String> attributes = new HashMap<>();


@@ -136,4 +136,18 @@ public class ClientResourceTypeFilteringTest extends AbstractPermissionTest {
assertFalse(search.isEmpty());
assertTrue(search.stream().map(ClientRepresentation::getId).noneMatch(notAllowedClients::contains));
}
@Test
public void testSearchByClientId() {
String expectedClientId = "client-0";
List<ClientRepresentation> search = realmAdminClient.realm(realm.getName()).clients().findByClientId(expectedClientId);
assertTrue(search.isEmpty());
UserPolicyRepresentation allowPolicy = createUserPolicy(realm, client,"Only My Admin User Policy", realm.admin().users().search("myadmin").get(0).getId());
createPermission(client, expectedClientId, CLIENTS_RESOURCE_TYPE, Set.of(VIEW), allowPolicy);
search = realmAdminClient.realm(realm.getName()).clients().findByClientId(expectedClientId);
assertFalse(search.isEmpty());
assertEquals(1, search.size());
assertEquals(search.get(0).getClientId(), expectedClientId);
}
}
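Review bot: The final assertion in `testSearchByClientId` passes the arguments in the wrong order for JUnit's expected/actual convention, which makes a failure message read backwards; it should be `assertEquals(expectedClientId, search.get(0).getClientId());`. The test also only shows that granting VIEW on `client-0` makes that client visible; it does not show that the grant is scoped to that one resource, so a second lookup for another of the test clients (a constructed example: `assertTrue(realmAdminClient.realm(realm.getName()).clients().findByClientId("client-1").isEmpty());`) after `createPermission` would pin the behaviour the fix is about. The empty-list result for a non-viewable client, rather than an error, is what keeps an exact-id probe from disclosing that the client exists, and a short comment on the first `assertTrue(search.isEmpty())` stating that intent would make the test self-explanatory.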


@@ -20,6 +20,7 @@ package org.keycloak.tests.admin.authz.fgap;
import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.hamcrest.Matchers.empty;
import static org.hamcrest.Matchers.hasSize;
import static org.hamcrest.Matchers.not;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
@@ -337,4 +338,18 @@ public class UserResourceTypeFilteringTest extends AbstractPermissionTest {
assertThat(realmAdminClient.realm(realm.getName()).users().list(), not(empty()));
}
@Test
public void testSearchById() {
UserRepresentation expected = realm.admin().users().search("user-0").get(0);
assertThat(realmAdminClient.realm(realm.getName()).users().search("id:" + expected.getId(), -1, -1), hasSize(0));
UserPolicyRepresentation negativePolicy = createUserPolicy(realm, client,"Only My Admin User Policy", realm.admin().users().search("myadmin").get(0).getId());
createPermission(client, expected.getId(), USERS_RESOURCE_TYPE, Set.of(VIEW), negativePolicy);
List<UserRepresentation> search = realmAdminClient.realm(realm.getName()).users().search(null, 0, 10);
assertFalse(search.isEmpty());
assertThat(search, Matchers.hasSize(1));
UserRepresentation user = search.get(0);
assertThat(user.getUsername(), Matchers.is("user-0"));
assertThat(realmAdminClient.realm(realm.getName()).users().search("id:" + user.getId(), -1, -1), hasSize(1));
}
}
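Review bot: In `testSearchById` the policy variable is named `negativePolicy` although it is the policy that grants VIEW to the admin user and makes the search succeed; the sibling test added to ClientResourceTypeFilteringTest in this commit calls the same construct `allowPolicy`, and renaming it here avoids a misleading read of the assertions that follow. The two `Matchers.hasSize(1)` and `Matchers.is("user-0")` calls are fully qualified even though `hasSize` and `is` are statically imported in the first hunk of this file (that hunk adds `hasSize` for exactly this purpose), so they should become `assertThat(search, hasSize(1));` and `assertThat(user.getUsername(), is("user-0"));`. As with the client test, asserting that an `id:` search for a second, ungranted user still returns `hasSize(0)` after `createPermission` would show the filter is applied per resource rather than being a single switch.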