/**
* Update the top-level information of the realm
*
* <p>Any user, roles or client information in the representation will be ignored. This will only
* update top-level attributes of the realm.
*
* @param rep
* @return
*/
@PUT
@Consumes(MediaType.APPLICATION_JSON)
public Response updateRealm(final RealmRepresentation rep) {
auth.requireManage();
logger.debug("updating realm: " + realm.getName());
if (Config.getAdminRealm().equals(realm.getName())
&& (rep.getRealm() != null && !rep.getRealm().equals(Config.getAdminRealm()))) {
return ErrorResponse.error("Can't rename master realm", Status.BAD_REQUEST);
}
try {
if (!Constants.GENERATE.equals(rep.getPublicKey())
&& (rep.getPrivateKey() != null && rep.getPublicKey() != null)) {
try {
KeyPairVerifier.verify(rep.getPrivateKey(), rep.getPublicKey());
} catch (VerificationException e) {
return ErrorResponse.error(e.getMessage(), Status.BAD_REQUEST);
}
}
if (!Constants.GENERATE.equals(rep.getPublicKey()) && (rep.getCertificate() != null)) {
try {
X509Certificate cert = PemUtils.decodeCertificate(rep.getCertificate());
if (cert == null) {
return ErrorResponse.error("Failed to decode certificate", Status.BAD_REQUEST);
}
} catch (Exception e) {
return ErrorResponse.error("Failed to decode certificate", Status.BAD_REQUEST);
}
}
RepresentationToModel.updateRealm(rep, realm, session);
// Refresh periodic sync tasks for configured federationProviders
List<UserStorageProviderModel> federationProviders = realm.getUserStorageProviders();
UserStorageSyncManager usersSyncManager = new UserStorageSyncManager();
for (final UserStorageProviderModel fedProvider : federationProviders) {
usersSyncManager.notifyToRefreshPeriodicSync(session, realm, fedProvider, false);
}
adminEvent
.operation(OperationType.UPDATE)
.representation(StripSecretsUtils.strip(rep))
.success();
return Response.noContent().build();
} catch (PatternSyntaxException e) {
return ErrorResponse.error(
"Specified regex pattern(s) is invalid.", Response.Status.BAD_REQUEST);
} catch (ModelDuplicateException e) {
return ErrorResponse.exists("Realm with same name exists");
} catch (Exception e) {
logger.error(e.getMessage(), e);
return ErrorResponse.error("Failed to update realm", Response.Status.INTERNAL_SERVER_ERROR);
}
}
public ExtendingThemeManager(
KeycloakSession session,
ConcurrentHashMap<ExtendingThemeManagerFactory.ThemeKey, Theme> themeCache) {
this.session = session;
this.themeCache = themeCache;
this.defaultTheme = Config.scope("theme").get("default", Version.NAME.toLowerCase());
}
protected void addNewMasterAdminRoles() throws SQLException, DatabaseException {
// Retrieve ID of admin role of master realm
String adminRoleId = getAdminRoleId();
String masterRealmId = Config.getAdminRealm();
PreparedStatement statement = jdbcConnection.prepareStatement("select NAME from REALM");
try {
ResultSet resultSet = statement.executeQuery();
try {
while (resultSet.next()) {
String realmName = resultSet.getString("NAME");
String masterAdminAppName = realmName + "-realm";
PreparedStatement statement2 =
jdbcConnection.prepareStatement(
"select ID from CLIENT where REALM_ID = ? AND NAME = ?");
statement2.setString(1, masterRealmId);
statement2.setString(2, masterAdminAppName);
try {
ResultSet resultSet2 = statement2.executeQuery();
try {
if (resultSet2.next()) {
String masterAdminAppId = resultSet2.getString("ID");
addAdminRole(
AdminRoles.VIEW_IDENTITY_PROVIDERS,
masterRealmId,
masterAdminAppId,
adminRoleId);
addAdminRole(
AdminRoles.MANAGE_IDENTITY_PROVIDERS,
masterRealmId,
masterAdminAppId,
adminRoleId);
} else {
throw new IllegalStateException(
"Couldn't find ID of '"
+ masterAdminAppName
+ "' application in 'master' realm. ");
}
} finally {
resultSet2.close();
}
} finally {
statement2.close();
}
}
} finally {
resultSet.close();
}
} finally {
statement.close();
}
}
private void addNewAdminRoles() {
DBCollection realms = db.getCollection("realms");
String adminRealmName = Config.getAdminRealm();
DBCursor realmsCursor = realms.find();
try {
while (realmsCursor.hasNext()) {
BasicDBObject realm = (BasicDBObject) realmsCursor.next();
if (adminRealmName.equals(realm.get("name"))) {
addNewAdminRolesToMasterRealm(realm);
} else {
addNewAdminRolesToRealm(realm);
}
}
} finally {
realmsCursor.close();
}
}
private String getAdminRoleId() throws SQLException, DatabaseException {
PreparedStatement statement =
jdbcConnection.prepareStatement(
"select ID from KEYCLOAK_ROLE where NAME = ? AND REALM = ?");
statement.setString(1, AdminRoles.ADMIN);
statement.setString(2, Config.getAdminRealm());
try {
ResultSet resultSet = statement.executeQuery();
try {
if (resultSet.next()) {
return resultSet.getString("ID");
} else {
throw new IllegalStateException("Couldn't find ID of 'admin' role in 'master' realm");
}
} finally {
resultSet.close();
}
} finally {
statement.close();
}
}
private static String createToken() {
KeycloakSession session = keycloakRule.startSession();
try {
RealmManager manager = new RealmManager(session);
RealmModel adminRealm = manager.getRealm(Config.getAdminRealm());
ApplicationModel adminConsole =
adminRealm.getApplicationByName(Constants.ADMIN_CONSOLE_APPLICATION);
TokenManager tm = new TokenManager();
UserModel admin = session.users().getUserByUsername("admin", adminRealm);
UserSessionModel userSession =
session.sessions().createUserSession(adminRealm, admin, "admin", null, "form", false);
AccessToken token =
tm.createClientAccessToken(
tm.getAccess(null, adminConsole, admin),
adminRealm,
adminConsole,
admin,
userSession);
return tm.encodeToken(adminRealm, token);
} finally {
keycloakRule.stopSession(session, true);
}
}
@Test
public void testImpersonateByMastertBadImpersonator() {
testForbiddenImpersonation("master-bad-impersonator", Config.getAdminRealm());
}
@Test
public void testImpersonateByMasterImpersonator() {
testSuccessfulImpersonation("master-impersonator", Config.getAdminRealm());
}
@Test
public void testImpersonateByMasterAdmin() {
// test that composite is set up right for impersonation role
testSuccessfulImpersonation("admin", Config.getAdminRealm());
}
@Override
public void init(Config.Scope config) {
if (Config.scope("theme").getBoolean("cacheThemes", true)) {
themeCache = new ConcurrentHashMap<>();
}
}