[KEYCLOAK-3130] - Permission checks to authorization admin endpoints

keycloak · Jun 17, 2016 · dd279dd · dd279dd
1 parent 111bcb7
commit dd279dd
Show file tree

Hide file tree

Showing 4 changed files with 250 additions and 222 deletions.
diff --git a/services/src/main/java/org/keycloak/authorization/admin/AuthorizationService.java b/services/src/main/java/org/keycloak/authorization/admin/AuthorizationService.java
@@ -60,11 +60,15 @@ public ResourceServerService resourceServer() {
     }
 
     public void enable() {
-        resourceServer().create();
+        if (!isEnabled()) {
+            resourceServer().create();
+        }
     }
 
     public void disable() {
-        resourceServer().delete();
+        if (isEnabled()) {
+            resourceServer().delete();
+        }
     }
 
     public boolean isEnabled() {

diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyService.java
@@ -31,6 +31,7 @@
 import org.keycloak.authorization.policy.provider.PolicyProviderFactory;
 import org.keycloak.authorization.store.PolicyStore;
 import org.keycloak.authorization.store.StoreFactory;
+import org.keycloak.services.resources.admin.RealmAuth;
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
@@ -55,16 +56,19 @@ public class PolicyService {
 
     private final ResourceServer resourceServer;
     private final AuthorizationProvider authorization;
+    private final RealmAuth auth;
 
-    public PolicyService(ResourceServer resourceServer, AuthorizationProvider authorization) {
+    public PolicyService(ResourceServer resourceServer, AuthorizationProvider authorization, RealmAuth auth) {
         this.resourceServer = resourceServer;
         this.authorization = authorization;
+        this.auth = auth;
     }
 
     @POST
     @Consumes("application/json")
     @Produces("application/json")
     public Response create(PolicyRepresentation representation) {
+        this.auth.requireManage();
         Policy policy = Models.toModel(representation, this.resourceServer, authorization);
 
         updateResources(policy, authorization);
@@ -91,6 +95,7 @@ public Response create(PolicyRepresentation representation) {
     @Consumes("application/json")
     @Produces("application/json")
     public Response update(@PathParam("id") String id, PolicyRepresentation representation) {
+        this.auth.requireManage();
         representation.setId(id);
         StoreFactory storeFactory = authorization.getStoreFactory();
         Policy policy = storeFactory.getPolicyStore().findById(representation.getId());
@@ -125,6 +130,7 @@ public Response update(@PathParam("id") String id, PolicyRepresentation represen
     @Path("{id}")
     @DELETE
     public Response delete(@PathParam("id") String id) {
+        this.auth.requireManage();
         StoreFactory storeFactory = authorization.getStoreFactory();
         PolicyStore policyStore = storeFactory.getPolicyStore();
         Policy policy = policyStore.findById(id);
@@ -156,6 +162,7 @@ public Response delete(@PathParam("id") String id) {
     @GET
     @Produces("application/json")
     public Response findById(@PathParam("id") String id) {
+        this.auth.requireView();
         StoreFactory storeFactory = authorization.getStoreFactory();
         Policy model = storeFactory.getPolicyStore().findById(id);
 
@@ -169,6 +176,7 @@ public Response findById(@PathParam("id") String id) {
     @GET
     @Produces("application/json")
     public Response findAll() {
+        this.auth.requireView();
         StoreFactory storeFactory = authorization.getStoreFactory();
         return Response.ok(
                 storeFactory.getPolicyStore().findByResourceServer(resourceServer.getId()).stream()
@@ -181,6 +189,7 @@ public Response findAll() {
     @GET
     @Produces("application/json")
     public Response findPolicyProviders() {
+        this.auth.requireView();
         return Response.ok(
                 authorization.getProviderFactories().stream()
                         .map(provider -> {
@@ -198,6 +207,7 @@ public Response findPolicyProviders() {
 
     @Path("evaluate")
     public PolicyEvaluationService getPolicyEvaluateResource() {
+        this.auth.requireView();
         PolicyEvaluationService resource = new PolicyEvaluationService(this.resourceServer, this.authorization);
 
         ResteasyProviderFactory.getInstance().injectProperties(resource);
@@ -207,6 +217,7 @@ public PolicyEvaluationService getPolicyEvaluateResource() {
 
     @Path("{policyType}")
     public Object getPolicyTypeResource(@PathParam("policyType") String policyType) {
+        this.auth.requireView();
         return getPolicyProviderAdminResource(policyType, this.authorization);
     }