From 5180007bc0f02aea64128869c51d29e05faadc9b Mon Sep 17 00:00:00 2001
From: vramik
Date: Mon, 14 Apr 2025 10:49:04 +0200
Subject: [PATCH] [FGAP] AvailableRoleMappings do not consider all-clients
permissions
Closes #38913
Signed-off-by: vramik
---
.../ui/rest/AvailableRoleMappingResource.java | 24 ++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
index 39574d5b5924..7d47e3188d77 100644
--- a/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
+++ b/rest/admin-ui-ext/src/main/java/org/keycloak/admin/ui/rest/AvailableRoleMappingResource.java
@@ -239,9 +239,14 @@ public final List listAvailableRoleMappings(@PathParam("id") String
}
private Set getRoleIdsWithPermissions(String roleResourceScope, String clientResourceScope) {
- Set roleIds = this.auth.roles().getRoleIdsByScope(roleResourceScope);
- Set clientIds = this.auth.clients().getClientIdsByScope(clientResourceScope);
- clientIds.stream().flatMap(cid -> realm.getClientById(cid).getRolesStream()).forEach(role -> roleIds.add(role.getId()));
+ Set roleIds;
+ if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm) && canPerformOnAllClients(clientResourceScope)) {
+ roleIds = session.clients().getClientsStream(realm).flatMap(client -> client.getRolesStream()).map(RoleModel::getId).collect(Collectors.toSet());
+ } else {
+ roleIds = this.auth.roles().getRoleIdsByScope(roleResourceScope);
+ Set clientIds = this.auth.clients().getClientIdsByScope(clientResourceScope);
+ clientIds.stream().flatMap(cid -> realm.getClientById(cid).getRolesStream()).forEach(role -> roleIds.add(role.getId()));
+ }
return roleIds;
}
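Review bot: In the all-clients branch (lines 22–23) roleIds is built only from client roles, so the realm-role ids that the else branch still contributes via `this.auth.roles().getRoleIdsByScope(roleResourceScope)` are no longer returned when the caller holds the all-clients permission; unless the caller merges realm roles separately outside this hunk, an admin with the broader grant would see fewer candidates than one with a narrower grant. Collecting the realm-role ids first in both cases and varying only how the client roles are gathered keeps the two paths consistent; the rewrite below does that and keeps the original's mutation of the set returned by getRoleIdsByScope. The all-clients branch also walks every client of the realm and materialises all their role ids, which may be costly on large realms — presumably acceptable here since the previous code already did the same per permitted client, but worth confirming.
```java
private Set<String> getRoleIdsWithPermissions(String roleResourceScope, String clientResourceScope) {
    // Realm-role ids are visible in both cases; only the client-role source differs.
    Set<String> roleIds = this.auth.roles().getRoleIdsByScope(roleResourceScope);
    Stream<RoleModel> clientRoles;
    if (AdminPermissionsSchema.SCHEMA.isAdminPermissionsEnabled(realm) && canPerformOnAllClients(clientResourceScope)) {
        clientRoles = session.clients().getClientsStream(realm).flatMap(client -> client.getRolesStream());
    } else {
        clientRoles = this.auth.clients().getClientIdsByScope(clientResourceScope).stream()
                .flatMap(cid -> realm.getClientById(cid).getRolesStream());
    }
    clientRoles.map(RoleModel::getId).forEach(roleIds::add);
    return roleIds;
}
```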
@@ -254,4 +259,17 @@ private List searchForClientRolesByExcludedIds(RealmModel realm, Str
Stream result = session.roles().searchForClientRolesStream(realm, search, excludedIds, first, max);
return result.map(role -> RoleMapper.convertToModel(role, realm)).collect(Collectors.toList());
}
+
+ private boolean canPerformOnAllClients(String scope) {
+ switch (scope) {
+ case MAP_ROLES:
+ return auth.clients().canMapRoles(null);
+ case MAP_ROLES_COMPOSITE:
+ return auth.clients().canMapCompositeRoles(null);
+ case MAP_ROLES_CLIENT_SCOPE:
+ return auth.clients().canMapClientScopeRoles(null);
+ default:
+ return false;
+ }
+ }
}
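Review bot: canPerformOnAllClients appears to rely on `null` as the client argument meaning "the all-clients resource" (lines 39, 41 and 43) and fails closed for any other scope (line 44), but neither convention is documented, so a later reader cannot tell whether `default: return false` is a deliberate deny or an oversight. A Javadoc along the lines of `/** Returns whether the caller holds {@code scope} on the all-clients resource rather than on one specific client; {@code null} is passed as the client so the evaluator checks the realm-wide grant. Scopes not listed here are treated as not granted. */` would make both visible. Note also that `switch (scope)` on a String throws NullPointerException if scope is null; the only caller in this patch passes a resource-scope constant, which is fine as long as that stays true.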