Missing auth checks in some admin endpoints

This change backports a fix for GHSA-2cww-fgmg-4jqc (CVE-2024-3656). Signed-off-by: rmartinc <rmartinc@redhat.com> Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Nordix · Jun 17, 2024 · 1331b1b · 1331b1b
1 parent 3d8ee7f
commit 1331b1b
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/.../ldap/src/main/java/org/keycloak/services/resources/admin/TestLdapConnectionResource.java b/.../ldap/src/main/java/org/keycloak/services/resources/admin/TestLdapConnectionResource.java
@@ -89,6 +89,7 @@ public Response testLDAPConnection(@FormParam("action") String action, @FormPara
     @NoCache
     @Consumes(MediaType.APPLICATION_JSON)
     public Response testLDAPConnection(TestLdapConnectionRepresentation config) {
+        auth.realm().requireManageRealm();
         try {
             LDAPServerCapabilitiesManager.testLDAP(config, session, realm);
             return Response.noContent().build();

diff --git a/...src/main/java/org/keycloak/services/resources/admin/ClientRegistrationPolicyResource.java b/...src/main/java/org/keycloak/services/resources/admin/ClientRegistrationPolicyResource.java
@@ -74,6 +74,7 @@ public ClientRegistrationPolicyResource(KeycloakSession session, AdminPermission
     @Tag(name = KeycloakOpenAPI.Admin.Tags.CLIENT_REGISTRATION_POLICY)
     @Operation( summary="Base path for retrieve providers with the configProperties properly filled")
     public Stream<ComponentTypeRepresentation> getProviders() {
+        auth.realm().requireViewRealm();
         return session.getKeycloakSessionFactory().getProviderFactoriesStream(ClientRegistrationPolicy.class)
                 .map((ProviderFactory factory) -> {
                     ClientRegistrationPolicyFactory clientRegFactory = (ClientRegistrationPolicyFactory) factory;

diff --git a/...ion-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java b/...ion-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
@@ -49,6 +49,7 @@
 import org.keycloak.representations.idm.RequiredActionProviderRepresentation;
 import org.keycloak.representations.idm.RequiredActionProviderSimpleRepresentation;
 import org.keycloak.representations.idm.RoleRepresentation;
+import org.keycloak.representations.idm.TestLdapConnectionRepresentation;
 import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.keycloak.representations.idm.authorization.ResourcePermissionRepresentation;
@@ -370,7 +371,11 @@ public void invoke(RealmResource realm) {
 
         invoke(new InvocationWithResponse() {
             public void invoke(RealmResource realm, AtomicReference<Response> response) {
-                response.set(realm.testLDAPConnection("nosuch", "nosuch", "nosuch", "nosuch", "nosuch", "nosuch"));
+                TestLdapConnectionRepresentation config = new TestLdapConnectionRepresentation(
+                        "nosuch", "nosuch", "nosuch", "nosuch", "nosuch", "nosuch");
+                response.set(realm.testLDAPConnection(config.getAction(), config.getConnectionUrl(), config.getBindDn(),
+                        config.getBindCredential(), config.getUseTruststoreSpi(), config.getConnectionTimeout()));
+                response.set(realm.testLDAPConnection(config));
             }
         }, Resource.REALM, true);
 
@@ -1762,6 +1767,11 @@ public void invoke(RealmResource realm) {
                 realm.components().query("nosuch");
             }
         }, Resource.REALM, false);
+        invoke(new Invocation() {
+            public void invoke(RealmResource realm) {
+                realm.clientRegistrationPolicy().getProviders();
+            }
+        }, Resource.REALM, false);
         invoke(new InvocationWithResponse() {
             public void invoke(RealmResource realm, AtomicReference<Response> response) {
                 response.set(realm.components().add(new ComponentRepresentation()));