clients

src/main/java/org/gcube/service/idm/controller/AuthController.java

@@ -3,6 +3,8 @@ package org.gcube.service.idm.controller;
 import java.util.List;
 import java.util.Map;
 
+import javax.ws.rs.ForbiddenException;
+
 import org.gcube.common.keycloak.model.ModelUtils;
 import org.gcube.common.security.Owner;
 import org.gcube.common.security.providers.SecretManagerProvider;
@@ -10,10 +12,17 @@ import org.gcube.common.security.secrets.Secret;
 
 public class AuthController {
     public final static String IDM_SERVICE_READ = "idm-service-read";
+
+    // can admin current context
     public final static String IDM_SERVICE_ADMIN = "idm-service-admin";
 
-    public final static List<String> ACCESS_READ_ROLES = List.of(IDM_SERVICE_READ, IDM_SERVICE_ADMIN);
+    // can admin all realm, not only current context
-    public final static List<String> ACCESS_ADMIN_ROLES = List.of(IDM_SERVICE_READ);
+    public final static String IDM_SERVICE_REALM = "idm-service-realm";
+
+    public final static List<String> ACCESS_READ_ROLES = List.of(IDM_SERVICE_READ, IDM_SERVICE_ADMIN,
+            IDM_SERVICE_REALM);
+    public final static List<String> ACCESS_ADMIN_ROLES = List.of(IDM_SERVICE_ADMIN, IDM_SERVICE_REALM);
+    public final static List<String> ACCESS_ADMIN_REALM_ROLES = List.of(IDM_SERVICE_REALM);
 
     public static String getAccessToken() {
         Map<String, String> authorizations = SecretManagerProvider.get().getHTTPAuthorizationHeaders();
@@ -76,4 +85,16 @@ public class AuthController {
         return !owner.isApplication() && owner.getId().equals(username);
     }
 
+    public static void checkIsRealmAdmin(String message) throws ForbiddenException {
+        if (!checkAnyRole(ACCESS_ADMIN_ROLES)) {
+            throw new ForbiddenException(message);
+        }
+    }
+
+    public static void checkIsContextmAdmin(String message) throws ForbiddenException {
+        if (!checkAnyRole(ACCESS_ADMIN_REALM_ROLES)) {
+            throw new ForbiddenException(message);
+        }
+    }
+
 }

src/main/java/org/gcube/service/idm/rest/ClientsAPI.java

@@ -7,12 +7,14 @@ import java.util.Set;
 
 import org.gcube.service.idm.IdMManager;
 import org.gcube.service.idm.controller.AdminKeycloakController;
+import org.gcube.service.idm.controller.AuthController;
 import org.gcube.service.idm.controller.KCClientsController;
 import org.gcube.service.idm.controller.KCGroupsController;
 import org.gcube.service.idm.controller.KCRolesController;
 import org.gcube.service.idm.controller.KCUserController;
 import org.gcube.service.idm.keycloack.KkClientFactory;
 import org.gcube.service.idm.serializers.IdmObjectSerializator;
+import org.gcube.service.rest.ErrorMessages;
 import org.gcube.service.rest.ResponseBean;
 import org.gcube.service.rest.ResponseBeanMap;
 import org.gcube.smartgears.annotations.ManagedBy;
@@ -84,29 +86,38 @@ public class ClientsAPI {
             @QueryParam("client_id") String clientId) {
         ResponseBean responseBean = new ResponseBean();
 
-        RealmResource realmResource = KkClientFactory.getSingleton().getKKRealm();
+        if (clientId != null) {
-        ClientResource clientResource = null;
+            AuthController.checkIsRealmAdmin(ErrorMessages.RESERVED_PARAMETER + "client_id");
-
-        // select the client by name, or current client if client_name parameter is
-        // null;
-        if (clientId == null) {
-            clientResource = KkClientFactory.getSingleton().getKKClient();
-        } else {
-
-            List<ClientRepresentation> clients = realmResource.clients().findByClientId(clientId);
-
-            if (clients.size() == 0) {
-                throw new NotFoundException();
-            }
-            String id = clients.get(0).getId();
-
-            clientResource = realmResource.clients().get(id);
         }
 
-        RolesResource roles_resource = clientResource.roles();
+        // RealmResource realmResource = KkClientFactory.getSingleton().getKKRealm();
-        RoleResource role_resource = roles_resource.get(role_name);
+        // ClientResource clientResource = null;
+
+        // // select the client by name, or current client if client_name parameter is
+        // // null;
+        // if (clientId == null) {
+        // clientResource = KkClientFactory.getSingleton().getKKClient();
+        // } else {
+
+        // List<ClientRepresentation> clients =
+        // realmResource.clients().findByClientId(clientId);
+
+        // if (clients.size() == 0) {
+        // throw new NotFoundException();
+        // }
+        // String id = clients.get(0).getId();
+
+        // clientResource = realmResource.clients().get(id);
+        // }
+
+        // RolesResource roles_resource = clientResource.roles();
+        // RoleResource role_resource = roles_resource.get(role_name);
+        // List<UserRepresentation> user_members =
+        // role_resource.getUserMembers(firstResult, maxResults);
+
+        List<UserRepresentation> user_members = KCClientsController.getContextUsersByRole(clientId, role_name,
+                firstResult, maxResults);
 
-        List<UserRepresentation> user_members = role_resource.getUserMembers(firstResult, maxResults);
         Object result = KCUserController.formatList(user_members, format_users);
         responseBean.setResult(result);
 
@@ -159,7 +170,12 @@ public class ClientsAPI {
             @QueryParam("client_id") String clientId) {
         ResponseBean responseBean = new ResponseBean();
 
-        
+        if (clientId != null) {
+            AuthController.checkIsRealmAdmin(ErrorMessages.RESERVED_PARAMETER + "client_id");
+        }
+
+        List<UserRepresentation> user_members = KCClientsController.getMemberGroupUsers(clientId, firstResult,
+                maxResults);
         Object result = KCUserController.formatList(user_members, format_users);
         responseBean.setResult(result);
 
@@ -215,6 +231,12 @@ public class ClientsAPI {
             @QueryParam("client_id") String clientId) {
         ResponseBeanMap responseBean = new ResponseBeanMap();
 
+        if (clientId != null) {
+            AuthController.checkIsRealmAdmin(ErrorMessages.RESERVED_PARAMETER + "client_id");
+        }
+
+        
+
         // String role_name = "Member";
 
         boolean show_groups = !format_group.equals(KCGroupsController.REPR.none);

src/main/java/org/gcube/service/idm/rest/RolesAPI.java

@@ -1,7 +1,5 @@
 package org.gcube.service.idm.rest;
 
-import java.rmi.ServerError;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
 
@@ -175,16 +173,13 @@ public class RolesAPI {
             RolesResource roles_resource = client.roles();
             RoleResource r = roles_resource.get(role_name);
 
-            // ruoli che danno quel 
+            // ruoli che danno quel
             Set<GroupRepresentation> groups = r.getRoleGroupMembers(firstResult, maxResults);
             responseBean.putResult("roleGroupMembers", groups);
 
-
             List<UserRepresentation> users = r.getUserMembers();
             responseBean.putResult("users", users);
 
-
-
             ObjectMapper objectMapper = IdmObjectSerializator.getSerializer();
 
             String jsonData = objectMapper.writeValueAsString(responseBean);

src/main/java/org/gcube/service/rest/ErrorMessages.java

@@ -9,6 +9,10 @@ public class ErrorMessages {
 	public static final String USER_NOT_AUTHORIZED_PRIVATE = "User is not authorized to access private data";
 	public static final String CANNOT_RETRIEVE_PROFILE = "Unable to retrieve user profile";
 
+	public static final String RESERVED_PARAMETER = "The parameter can be used only by realm administrators: ";
+
+
+