[FGAP] remove transitiveness from auth scopes

Closes #38557

Signed-off-by: vramik <[email protected]>

Author: vramik

services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionEvaluator.java

@@ -159,7 +159,7 @@ public interface ClientPermissionEvaluator {
     /**
      * Returns {@code true} if the caller has at least one of the {@link org.keycloak.models.AdminRoles#VIEW_CLIENTS} or {@link org.keycloak.models.AdminRoles#MANAGE_CLIENTS} roles.
      * <p/>
-     * For V2 only: Also if it has permission to {@link org.keycloak.authorization.AdminPermissionsSchema#VIEW} or {@link org.keycloak.authorization.AdminPermissionsSchema#MANAGE}.
+     * For V2 only: Also if it has permission to {@link org.keycloak.authorization.AdminPermissionsSchema#VIEW}.
      */
     boolean canView(ClientScopeModel clientScope);
 
@@ -196,6 +196,5 @@ public interface ClientPermissionEvaluator {
      *
      * @return Stream of IDs of clients with view permission.
      */
-
     Set<String> getClientIdsWithViewPermission(String scope);
 }

services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissionsV2.java

@@ -18,7 +18,6 @@
 
 import static org.keycloak.authorization.AdminPermissionsSchema.CLIENTS_RESOURCE_TYPE;
 
-import org.jboss.logging.Logger;
 import org.keycloak.authorization.AdminPermissionsSchema;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.model.Policy;
@@ -34,7 +33,6 @@
 import org.keycloak.representations.idm.authorization.Permission;
 
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
@@ -44,10 +42,9 @@
 import java.util.function.Function;
 import java.util.stream.Stream;
 
+class ClientPermissionsV2 extends ClientPermissions {
 
-public class ClientPermissionsV2 extends ClientPermissions {
-
-    public ClientPermissionsV2(KeycloakSession session, RealmModel realm, AuthorizationProvider authz, MgmtPermissionsV2 root) {
+    ClientPermissionsV2(KeycloakSession session, RealmModel realm, AuthorizationProvider authz, MgmtPermissionsV2 root) {
         super(session, realm, authz, root);
     }
 
@@ -67,21 +64,23 @@ public boolean canManage(ClientModel client) {
 
     @Override
     public boolean canManage() {
-        return super.canManage() || hasPermission(AdminPermissionsSchema.MANAGE);
+        if (root.hasOneAdminRole(AdminRoles.MANAGE_CLIENTS)) return true;
+
+        return hasPermission(AdminPermissionsSchema.MANAGE);
     }
 
     @Override
     public boolean canView(ClientModel client) {
-        if (canView() || canConfigure(client)) {
-            return true;
-        }
+        if (root.hasOneAdminRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.VIEW_CLIENTS)) return true;
 
         return hasPermission(client, AdminPermissionsSchema.VIEW);
     }
 
     @Override
     public boolean canView() {
-        return canViewClientDefault() || hasPermission(AdminPermissionsSchema.VIEW);
+        if (root.hasOneAdminRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.VIEW_CLIENTS)) return true;
+
+        return hasPermission(AdminPermissionsSchema.VIEW);
     }
 
     @Override
@@ -115,7 +114,7 @@ public boolean canManage(ClientScopeModel clientScope) {
     public boolean canView(ClientScopeModel clientScope) {
         if (root.hasOneAdminRole(AdminRoles.VIEW_CLIENTS, AdminRoles.MANAGE_CLIENTS)) return true;
 
-        return hasPermission(AdminPermissionsSchema.VIEW) || hasPermission(AdminPermissionsSchema.MANAGE);
+        return hasPermission(AdminPermissionsSchema.VIEW);
     }
 
     @Override
@@ -226,14 +225,11 @@ private boolean hasPermission(ClientModel client, String scope) {
         }
 
         Collection<Permission> permissions = root.evaluatePermission(new ResourcePermission(resourceType, resource, resource.getScopes(), server), server);
-        List<String> expectedScopes = Arrays.asList(scope);
 
         for (Permission permission : permissions) {
             if (permission.getResourceId().equals(resource.getId())) {
-                for (String s : permission.getScopes()) {
-                    if (expectedScopes.contains(s)) {
-                        return true;
-                    }
+                if (permission.getScopes().contains(scope)) {
+                    return true;
                 }
             }
         }
@@ -268,12 +264,10 @@ private boolean hasPermission(String scope) {
         }
 
         Collection<Permission> permissions = root.evaluatePermission(expected, server);
-        List<String> expectedScopes = Arrays.asList(scope);
+
         for (Permission permission : permissions) {
-            for (String s : permission.getScopes()) {
-                if (expectedScopes.contains(s)) {
-                    return true;
-                }
+            if (permission.getScopes().contains(scope)) {
+                return true;
             }
         }
 

services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissionEvaluator.java

@@ -59,8 +59,7 @@ public interface GroupPermissionEvaluator {
      * Returns {@code true} if the caller has one of {@link AdminRoles#MANAGE_USERS} or
      * {@link AdminRoles#VIEW_USERS} roles.
      * <p/>
-     * Or if it has a permission to {@link AdminPermissionsSchema#VIEW} or
-     * {@link AdminPermissionsSchema#MANAGE} the group.
+     * Or if it has a permission to {@link AdminPermissionsSchema#VIEW} the group.
      */
     boolean canView(GroupModel group);
 
@@ -72,8 +71,7 @@ public interface GroupPermissionEvaluator {
     /**
      * Returns {@code true} if the caller has {@link AdminRoles#MANAGE_USERS} role.
      * <p/>
-     * For V2 only: Also if it has permission to {@link AdminPermissionsSchema#VIEW} or
-     * {@link AdminPermissionsSchema#MANAGE} groups.
+     * For V2 only: Also if it has permission to {@link AdminPermissionsSchema#MANAGE} groups.
      */
     boolean canManage();
 
@@ -86,8 +84,7 @@ public interface GroupPermissionEvaluator {
      * Returns {@code true} if the caller has one of {@link AdminRoles#MANAGE_USERS} or 
      * {@link AdminRoles#VIEW_USERS} roles.
      * <p/>
-     * Or if it has a permission to {@link AdminPermissionsSchema#VIEW} or
-     * {@link AdminPermissionsSchema#MANAGE} groups.
+     * Or if it has a permission to {@link AdminPermissionsSchema#VIEW} groups.
      */
     boolean canView();
 
@@ -102,25 +99,24 @@ public interface GroupPermissionEvaluator {
     void requireViewMembers(GroupModel group);
 
     /**
-     * Returns {@code true} if {@link UserPermissionEvaluator#canManage()} evaluates to {@code true}.
+     * Returns {@code true} if the caller has {@link AdminRoles#MANAGE_USERS} role.
      * <p/>
      * Or if it has a permission to {@link AdminPermissionsSchema#MANAGE_MEMBERS} of the group.
      */
     boolean canManageMembers(GroupModel group);
 
     /**
-     * Returns {@code true} if the caller has one of {@link AdminRoles#MANAGE_USERS} role.
+     * Returns {@code true} if the caller has {@link AdminRoles#MANAGE_USERS} role.
      * <p/>
-     * Or if it has a permission to {@link AdminPermissionsSchema#MANAGE} the group or
-     * {@link AdminPermissionsSchema#MANAGE_MEMBERSHIP} of the group.
+     * Or if it has a permission to {@link AdminPermissionsSchema#MANAGE_MEMBERSHIP} of the group.
      */
     boolean canManageMembership(GroupModel group);
 
     /**
-     * Returns {@code true} if {@link UserPermissionEvaluator#canView()} evaluates to {@code true}.
+     * Returns {@code true} if the caller has one of {@link AdminRoles#MANAGE_USERS} or 
+     * {@link AdminRoles#VIEW_USERS} roles.
      * <p/>
-     * Or if it has a permission to {@link AdminPermissionsSchema#VIEW_MEMBERS} or
-     * {@link AdminPermissionsSchema#MANAGE_MEMBERS} of the group.
+     * Or if it has a permission to {@link AdminPermissionsSchema#VIEW_MEMBERS} of the group.
      */
     boolean canViewMembers(GroupModel group);
 

services/src/main/java/org/keycloak/services/resources/admin/permissions/GroupPermissionsV2.java

@@ -55,7 +55,7 @@ public boolean canView() {
             return true;
         }
 
-        return hasPermission(null, AdminPermissionsSchema.VIEW, AdminPermissionsSchema.MANAGE);
+        return hasPermission(null, AdminPermissionsSchema.VIEW);
     }
 
     @Override
@@ -64,7 +64,7 @@ public boolean canView(GroupModel group) {
             return true;
         }
 
-        return hasPermission(group.getId(), AdminPermissionsSchema.VIEW, AdminPermissionsSchema.MANAGE);
+        return hasPermission(group.getId(), AdminPermissionsSchema.VIEW);
     }
 
     @Override
@@ -73,7 +73,7 @@ public boolean canManage() {
             return true;
         }
 
-        return hasPermission(null, AdminPermissionsSchema.VIEW, AdminPermissionsSchema.MANAGE);
+        return hasPermission(null, AdminPermissionsSchema.MANAGE);
     }
 
     @Override
@@ -91,7 +91,7 @@ public boolean canViewMembers(GroupModel group) {
             return true;
         }
 
-        return hasPermission(group.getId(), AdminPermissionsSchema.VIEW_MEMBERS, AdminPermissionsSchema.MANAGE_MEMBERS);
+        return hasPermission(group.getId(), AdminPermissionsSchema.VIEW_MEMBERS);
     }
 
     @Override
@@ -109,7 +109,7 @@ public boolean canManageMembership(GroupModel group) {
             return true;
         }
 
-        return hasPermission(group.getId(), AdminPermissionsSchema.MANAGE, AdminPermissionsSchema.MANAGE_MEMBERSHIP);
+        return hasPermission(group.getId(), AdminPermissionsSchema.MANAGE_MEMBERSHIP);
     }
 
     @Override

services/src/main/java/org/keycloak/services/resources/admin/permissions/RolePermissionsV2.java

@@ -45,16 +45,16 @@
 
 public class RolePermissionsV2 extends RolePermissions {
 
-    public RolePermissionsV2(KeycloakSession session, RealmModel realm, AuthorizationProvider authz, MgmtPermissions root) {
+    RolePermissionsV2(KeycloakSession session, RealmModel realm, AuthorizationProvider authz, MgmtPermissions root) {
         super(session, realm, authz, root);
     }
 
     @Override
     public boolean canMapClientScope(RoleModel role) {
         if (root.clients().canManageClientsDefault()) return true;
 
-        if (role.getContainer() instanceof ClientModel) {
-            if (root.clients().canMapClientScopeRoles((ClientModel) role.getContainer())) return true;
+        if (role.getContainer() instanceof ClientModel clientModel) {
+            if (root.clients().canMapClientScopeRoles(clientModel)) return true;
         }
 
         return hasPermission(role, MAP_ROLE_CLIENT_SCOPE_SCOPE);
@@ -64,8 +64,8 @@ public boolean canMapClientScope(RoleModel role) {
     public boolean canMapComposite(RoleModel role) {
         if (canManageDefault(role)) return checkAdminRoles(role);
 
-        if (role.getContainer() instanceof ClientModel) {
-            if (root.clients().canMapCompositeRoles((ClientModel) role.getContainer())) return true;
+        if (role.getContainer() instanceof ClientModel clientModel) {
+            if (root.clients().canMapCompositeRoles(clientModel)) return true;
         }
 
         return hasPermission(role, MAP_ROLE_COMPOSITE_SCOPE) && checkAdminRoles(role);
@@ -75,8 +75,8 @@ public boolean canMapComposite(RoleModel role) {
     public boolean canMapRole(RoleModel role) {
         if (root.hasOneAdminRole(AdminRoles.MANAGE_USERS)) return checkAdminRoles(role);
 
-        if (role.getContainer() instanceof ClientModel) {
-            if (root.clients().canMapRoles((ClientModel) role.getContainer())) return true;
+        if (role.getContainer() instanceof ClientModel clientModel) {
+            if (root.clients().canMapRoles(clientModel)) return true;
         }
 
         return hasPermission(role, MAP_ROLE_SCOPE) && checkAdminRoles(role);
@@ -158,7 +158,7 @@ private boolean hasGrantedPermission(ResourceServer server, Resource resource, S
                         return true;
                     }
                 }
-            };
+            }
         }
 
         return false;

services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissionEvaluator.java

@@ -66,8 +66,7 @@ public interface UserPermissionEvaluator {
      * Returns {@code true} if the caller has at least one of {@link AdminRoles#QUERY_USERS},
      * {@link AdminRoles#MANAGE_USERS} or {@link AdminRoles#VIEW_USERS} roles.
      * <p/>
-     * Or if it has a permission to {@link AdminPermissionsSchema#VIEW} or
-     * {@link AdminPermissionsSchema#MANAGE} users.
+     * Or if it has a permission to {@link AdminPermissionsSchema#VIEW} users.
      */
     boolean canQuery();
 
@@ -85,17 +84,15 @@ public interface UserPermissionEvaluator {
      * Returns {@code true} if the caller has one of {@link AdminRoles#MANAGE_USERS} or
      * {@link AdminRoles#VIEW_USERS} roles.
      * <p/>
-     * Or if it has a permission to {@link AdminPermissionsSchema#VIEW} or
-     * {@link AdminPermissionsSchema#MANAGE} users.
+     * Or if it has a permission to {@link AdminPermissionsSchema#VIEW} users.
      */
     boolean canView();
 
     /**
      * Returns {@code true} if the caller has at least one of {@link AdminRoles#MANAGE_USERS} or
      * {@link AdminRoles#VIEW_USERS} roles.
      * <p/>
-     * Or if it has a permission to {@link AdminPermissionsSchema#VIEW} or
-     * {@link AdminPermissionsSchema#MANAGE} the user.
+     * Or if it has a permission to {@link AdminPermissionsSchema#VIEW} the user.
      * <p/>
      * Or if it has a permission to {@link AdminPermissionsSchema#VIEW_MEMBERS}
      * of the group chain the user is associated with.
@@ -136,11 +133,7 @@ public interface UserPermissionEvaluator {
     /**
      * Returns {@code true} if the caller has {@link AdminRoles#MANAGE_USERS} role.
      * <p/>
-     * Or if it has a permission to {@link AdminPermissionsSchema#MANAGE} the user or 
-     * {@link AdminPermissionsSchema#MAP_ROLES} of the user.
-     * <p/>
-     * Or if it has a permission to {@link AdminPermissionsSchema#MANAGE_MEMBERS}
-     * of the group chain the user is associated with.
+     * Or if it has a permission to {@link AdminPermissionsSchema#MAP_ROLES} of the user.
      */
     boolean canMapRoles(UserModel user);
 
@@ -152,15 +145,12 @@ public interface UserPermissionEvaluator {
     /**
      * Returns {@code true} if the caller has {@link AdminRoles#MANAGE_USERS} role.
      * <p/>
-     * Or if it has a permission to {@link AdminPermissionsSchema#MANAGE} the user or 
-     * {@link AdminPermissionsSchema#MANAGE_GROUP_MEMBERSHIP} of the user.
-     * <p/>
-     * Or if it has a permission to {@link AdminPermissionsSchema#MANAGE_MEMBERS}
-     * of the group chain the user is associated with.
+     * Or if it has a permission to {@link AdminPermissionsSchema#MANAGE_GROUP_MEMBERSHIP} of the user.
      */
     boolean canManageGroupMembership(UserModel user);
 
     @Deprecated
     boolean isImpersonatable(UserModel user, ClientModel requester);
+    @Deprecated
     void grantIfNoPermission(boolean grantIfNoPermission);
 }

services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissionsV2.java

@@ -51,7 +51,7 @@ public boolean canView(UserModel user) {
             return true;
         }
 
-        return hasPermission(user, null, AdminPermissionsSchema.VIEW, AdminPermissionsSchema.MANAGE);
+        return hasPermission(user, null, AdminPermissionsSchema.VIEW);
     }
 
     @Override
@@ -60,7 +60,7 @@ public boolean canView() {
             return true;
         }
 
-        return hasPermission((UserModel) null, null, AdminPermissionsSchema.VIEW, AdminPermissionsSchema.MANAGE);
+        return hasPermission((UserModel) null, null, AdminPermissionsSchema.VIEW);
     }
 
     @Override
@@ -110,7 +110,7 @@ public boolean canMapRoles(UserModel user) {
             return true;
         }
 
-        return hasPermission(user, null, AdminPermissionsSchema.MANAGE, AdminPermissionsSchema.MAP_ROLES);
+        return hasPermission(user, null, AdminPermissionsSchema.MAP_ROLES);
     }
 
     @Override
@@ -119,10 +119,10 @@ public boolean canManageGroupMembership(UserModel user) {
             return true;
         }
 
-        return hasPermission(user, null, AdminPermissionsSchema.MANAGE, AdminPermissionsSchema.MANAGE_GROUP_MEMBERSHIP);
+        return hasPermission(user, null, AdminPermissionsSchema.MANAGE_GROUP_MEMBERSHIP);
     }
 
-    private boolean hasPermission(UserModel user, EvaluationContext context, String... scopes) {
+    private boolean hasPermission(UserModel user, EvaluationContext context, String scope) {
         if (!root.isAdminSameRealm()) {
             return false;
         }
@@ -145,14 +145,10 @@ private boolean hasPermission(UserModel user, EvaluationContext context, String.
                 root.evaluatePermission(new ResourcePermission(resourceType, resource, resource.getScopes(), server), server) :
                 root.evaluatePermission(new ResourcePermission(resourceType, resource, resource.getScopes(), server), server, context);
 
-        List<String> expectedScopes = List.of(scopes);
-
         for (Permission permission : permissions) {
             if (permission.getResourceId().equals(resource.getId())) {
-                for (String scope : permission.getScopes()) {
-                    if (expectedScopes.contains(scope)) {
-                        return true;
-                    }
+                if (permission.getScopes().contains(scope)) {
+                    return true;
                 }
             }
         }