Enable realm name and role used in requests to be configured (SPI conf)

roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassResourceProvider.java

@@ -11,14 +11,18 @@ import org.keycloak.services.resource.RealmResourceProvider;
 public class MailPassResourceProvider implements RealmResourceProvider {
 
   private KeycloakSession session;
+  private String realmName;
+  private String realmRole;
 
-  public MailPassResourceProvider(KeycloakSession session) {
+  public MailPassResourceProvider(KeycloakSession session, String realmName, String realmRole) {
     this.session = session;
+    this.realmName = realmName;
+    this.realmRole = realmRole;
   }
 
   @Override
   public Object getResource() {
-    return new MailPassRestResource(session);
+    return new MailPassRestResource(session, realmName, realmRole);
   }
 
   @Override

roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassResourceProviderFactory.java

@@ -13,6 +13,12 @@ import org.keycloak.services.resource.RealmResourceProviderFactory;
  */
 public class MailPassResourceProviderFactory implements RealmResourceProviderFactory {
 
+  private static final String DEFAULT_REALM_NAME = "master";
+  private static final String DEFAULT_REALM_ROLE = "admin";
+
+  private String realmName;
+  private String realmRole;
+
   public static final String ID = "mailpass";
 
   @Override
@@ -22,11 +28,13 @@ public class MailPassResourceProviderFactory implements RealmResourceProviderFac
 
   @Override
   public RealmResourceProvider create(KeycloakSession session) {
-    return new MailPassResourceProvider(session);
+    return new MailPassResourceProvider(session, realmName, realmRole);
   }
 
   @Override
   public void init(Scope config) {
+    this.realmName = config.get("realmName", DEFAULT_REALM_NAME);
+    this.realmRole = config.get("realmRole", DEFAULT_REALM_ROLE);
   }
 
   @Override

roles/keycloak/files/providers/keycloak-mailpass-rest/src/main/java/org/archlinux/keycloak/mailpass/rest/MailPassRestResource.java

@@ -17,23 +17,35 @@ import org.keycloak.services.managers.AuthenticationManager;
 public class MailPassRestResource {
 
   private final KeycloakSession session;
+  private final String realmName;
+  private final String realmRole;
   private final AuthenticationManager.AuthResult auth;
 
-  public MailPassRestResource(KeycloakSession session) {
+  public MailPassRestResource(KeycloakSession session, String realmName, String realmRole) {
     this.session = session;
     this.auth = new AppAuthManager.BearerTokenAuthenticator(session).authenticate();
+    this.realmName = realmName;
+    this.realmRole = realmRole;
   }
 
   @Path("roleauth")
   public MailPassResource getMailPassResourceAuthenticated() {
+    checkRealm();
     checkRealmAdmin();
     return new MailPassResource(session);
   }
 
+  private void checkRealm() {
+    String requestedRealm = session.getContext().getRealm().getName();
+    if (!requestedRealm.equals(realmName)) {
+      throw new ForbiddenException("Operation not allowed on this realm: " + requestedRealm);
+    }
+  }
+
   private void checkRealmAdmin() {
     if (auth == null) {
       throw new NotAuthorizedException("Bearer");
-    } else if (auth.getToken().getRealmAccess() == null || !auth.getToken().getRealmAccess().isUserInRole("admin")) {
+    } else if (auth.getToken().getRealmAccess() == null || !auth.getToken().getRealmAccess().isUserInRole(realmRole)) {
       throw new ForbiddenException("Does not have realm admin role");
     }
   }