Merge pull request keycloak#4823 from patriot1burke/master

KEYCLOAK-5724

server-spi-private/src/main/java/org/keycloak/migration/MigrationModelManager.java

@@ -37,6 +37,7 @@
 import org.keycloak.migration.migrators.MigrateTo3_2_0;
 import org.keycloak.migration.migrators.MigrateTo3_4_0;
 import org.keycloak.migration.migrators.MigrateTo3_4_1;
+import org.keycloak.migration.migrators.MigrateTo3_4_2;
 import org.keycloak.migration.migrators.Migration;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
@@ -68,7 +69,8 @@ public class MigrationModelManager {
             new MigrateTo3_1_0(),
             new MigrateTo3_2_0(),
             new MigrateTo3_4_0(),
-            new MigrateTo3_4_1()
+            new MigrateTo3_4_1(),
+            new MigrateTo3_4_2()
     };
 
     public static void migrate(KeycloakSession session) {

server-spi-private/src/main/java/org/keycloak/migration/migrators/MigrateTo3_4_2.java

@@ -0,0 +1,79 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.migration.migrators;
+
+
+import org.keycloak.migration.ModelVersion;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.Constants;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.RealmModel;
+import org.keycloak.models.RoleModel;
+import org.keycloak.representations.idm.RealmRepresentation;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.Set;
+
+/**
+ * @author <a href="mailto:bruno@abstractj.org">Bruno Oliveira</a>
+ */
+public class MigrateTo3_4_2 implements Migration {
+
+    public static final ModelVersion VERSION = new ModelVersion("3.4.2");
+
+    @Override
+    public void migrate(KeycloakSession session) {
+        session.realms().getRealms().stream().forEach(
+                r -> {
+                    migrateRealm(r);
+                }
+        );
+    }
+
+    @Override
+    public void migrateImport(KeycloakSession session, RealmModel realm, RealmRepresentation rep, boolean skipUserDependent) {
+        migrateRealm(realm);
+    }
+
+    protected void migrateRealm(RealmModel realm) {
+        // this is a fix for migration that should have been done in 3_2_0
+        ClientModel cli = realm.getClientByClientId(Constants.ADMIN_CLI_CLIENT_ID);
+        clearScope(cli);
+        ClientModel console = realm.getClientByClientId(Constants.ADMIN_CONSOLE_CLIENT_ID);
+        clearScope(console);
+
+    }
+
+    private void clearScope(ClientModel cli) {
+        if (cli.isFullScopeAllowed()) cli.setFullScopeAllowed(false);
+        Set<RoleModel> scope = cli.getScopeMappings();
+        if (scope.size() > 0) {
+            for (RoleModel role : scope) cli.deleteScopeMapping(role);
+        }
+    }
+
+    @Override
+    public ModelVersion getVersion() {
+        return VERSION;
+    }
+
+}

services/src/main/java/org/keycloak/services/managers/RealmManager.java

@@ -151,15 +151,6 @@ protected void setupAdminConsole(RealmModel realm) {
         adminConsole.addRedirectUri(baseUrl + "/*");
         adminConsole.setFullScopeAllowed(false);
         adminConsole.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
-
-        RoleModel adminRole;
-        if (realm.getName().equals(Config.getAdminRealm())) {
-            adminRole = realm.getRole(AdminRoles.ADMIN);
-        } else {
-            String realmAdminApplicationClientId = getRealmAdminClientId(realm);
-            ClientModel realmAdminApp = realm.getClientByClientId(realmAdminApplicationClientId);
-            adminRole = realmAdminApp.getRole(AdminRoles.REALM_ADMIN);
-        }
     }
 
     protected void setupAdminConsoleLocaleMapper(RealmModel realm) {
@@ -185,15 +176,6 @@ public void setupAdminCli(RealmModel realm) {
             adminCli.setStandardFlowEnabled(false);
             adminCli.setDirectAccessGrantsEnabled(true);
             adminCli.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
-
-            RoleModel adminRole;
-            if (realm.getName().equals(Config.getAdminRealm())) {
-                adminRole = realm.getRole(AdminRoles.ADMIN);
-            } else {
-                String realmAdminApplicationClientId = getRealmAdminClientId(realm);
-                ClientModel realmAdminApp = realm.getClientByClientId(realmAdminApplicationClientId);
-                adminRole = realmAdminApp.getRole(AdminRoles.REALM_ADMIN);
-            }
         }
 
     }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java

@@ -34,6 +34,7 @@
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.ClientTemplateRepresentation;
 import org.keycloak.representations.idm.ComponentRepresentation;
+import org.keycloak.representations.idm.MappingsRepresentation;
 import org.keycloak.representations.idm.ProtocolMapperRepresentation;
 import org.keycloak.representations.idm.RealmRepresentation;
 import org.keycloak.representations.idm.RequiredActionProviderRepresentation;
@@ -180,6 +181,23 @@ protected void testMigrationTo3_4_1() {
         }
     }
 
+    protected void testMigrationTo3_4_2() {
+        testCliConsoleScopeSize(this.masterRealm);
+        testCliConsoleScopeSize(this.migrationRealm);
+    }
+
+    private void testCliConsoleScopeSize(RealmResource realm) {
+        ClientRepresentation cli = realm.clients().findByClientId(Constants.ADMIN_CLI_CLIENT_ID).get(0);
+        ClientRepresentation console = realm.clients().findByClientId(Constants.ADMIN_CONSOLE_CLIENT_ID).get(0);
+        MappingsRepresentation scopeMappings = realm.clients().get(console.getId()).getScopeMappings().getAll();
+        Assert.assertNull(scopeMappings.getClientMappings());
+        Assert.assertNull(scopeMappings.getRealmMappings());
+
+        scopeMappings = realm.clients().get(cli.getId()).getScopeMappings().getAll();
+        Assert.assertNull(scopeMappings.getClientMappings());
+        Assert.assertNull(scopeMappings.getRealmMappings());
+    }
+
     protected void testDockerAuthenticationFlow(RealmResource... realms) {
         for (RealmResource realm : realms) {
             AuthenticationFlowRepresentation flow = null;
@@ -420,6 +438,7 @@ protected void testMigrationTo3_x() {
         testMigrationTo3_2_0();
         testMigrationTo3_4_0();
         testMigrationTo3_4_1();
+        testMigrationTo3_4_2();
     }