diff --git a/examples/authz/hello-world/src/main/java/org/keycloak/authz/helloworld/AuthorizationClientExample.java b/examples/authz/hello-world/src/main/java/org/keycloak/authz/helloworld/AuthorizationClientExample.java index 887a461057..493637aeaa 100644 --- a/examples/authz/hello-world/src/main/java/org/keycloak/authz/helloworld/AuthorizationClientExample.java +++ b/examples/authz/hello-world/src/main/java/org/keycloak/authz/helloworld/AuthorizationClientExample.java @@ -43,7 +43,7 @@ public class AuthorizationClientExample { } private static void introspectRequestingPartyToken() { - // create a new instance based on the configuration define at keycloak-authz.json + // create a new instance based on the configuration defined in keycloak-authz.json AuthzClient authzClient = AuthzClient.create(); // query the server for a resource with a given name @@ -51,8 +51,9 @@ public class AuthorizationClientExample { .resource() .findByFilter("name=Default Resource"); - // obtian a Entitlement API Token in order to get access to the Entitlement API. - // this token is just an access token issued to a client on behalf of an user with a scope kc_entitlement + // obtain an Entitlement API Token in order to get access to the Entitlement API. + // this token is just an access token issued to a client on behalf of an user + // with a scope = kc_entitlement String eat = getEntitlementAPIToken(authzClient); // create an entitlement request @@ -63,7 +64,8 @@ public class AuthorizationClientExample { request.addPermission(permission); - // send the entitlement request to the server in order to obtain a RPT with all permissions granted to the user + // send the entitlement request to the server in order to + // obtain an RPT with all permissions granted to the user EntitlementResponse response = authzClient.entitlement(eat).get("hello-world-authz-service", request); String rpt = response.getRpt(); @@ -79,7 +81,7 @@ public class AuthorizationClientExample { } private static void createResource() { - // create a new instance based on the configuration define at keycloak-authz.json + // create a new instance based on the configuration defined in keycloak-authz.json AuthzClient authzClient = AuthzClient.create(); // create a new resource representation with the information we want @@ -111,8 +113,9 @@ public class AuthorizationClientExample { // create a new instance based on the configuration define at keycloak-authz.json AuthzClient authzClient = AuthzClient.create(); - // obtian a Entitlement API Token in order to get access to the Entitlement API. - // this token is just an access token issued to a client on behalf of an user with a scope kc_entitlement + // obtain an Entitlement API Token in order to get access to the Entitlement API. + // this token is just an access token issued to a client on behalf of an user + // with a scope = kc_entitlement String eat = getEntitlementAPIToken(authzClient); // create an entitlement request @@ -123,7 +126,8 @@ public class AuthorizationClientExample { request.addPermission(permission); - // send the entitlement request to the server in order to obtain a RPT with all permissions granted to the user + // send the entitlement request to the server in order to obtain a RPT + // with all permissions granted to the user EntitlementResponse response = authzClient.entitlement(eat).get("hello-world-authz-service", request); String rpt = response.getRpt(); @@ -133,7 +137,7 @@ public class AuthorizationClientExample { } private static void obtainAllEntitlements() { - // create a new instance based on the configuration define at keycloak-authz.json + // create a new instance based on the configuration defined in keycloak-authz.json AuthzClient authzClient = AuthzClient.create(); // obtian a Entitlement API Token in order to get access to the Entitlement API. diff --git a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java index 884f2e1abc..076f9af628 100644 --- a/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java +++ b/services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java @@ -171,6 +171,13 @@ public class PolicyEvaluationService { collect.addAll(storeFactory.getResourceStore().findByScope(scope.getId()).stream().map(resource12 -> new ResourcePermission(resource12, asList(scope), resourceServer)).collect(Collectors.toList())); } + collect.addAll(storeFactory.getResourceStore().findByResourceServer(resourceServer.getId()).stream().map(new Function() { + @Override + public ResourcePermission apply(Resource resource) { + return new ResourcePermission(resource, resource.getScopes(), resourceServer); + } + }).collect(Collectors.toList())); + return collect.stream(); } }).collect(Collectors.toList()); diff --git a/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java b/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java index d320a644f9..4f0c64a8a9 100644 --- a/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java +++ b/services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java @@ -132,7 +132,10 @@ public class PolicyEvaluationResponse { scopes.add(scope); } if (evaluationResultRepresentation.getStatus().equals(Effect.PERMIT)) { - result.getAllowedScopes().add(scope); + List allowedScopes = result.getAllowedScopes(); + if (!allowedScopes.contains(scope)) { + allowedScopes.add(scope); + } } } } diff --git a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties index 2ebed9f7c4..998eff8a94 100644 --- a/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties +++ b/themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties @@ -986,13 +986,13 @@ authz-required=Required authz-import-config.tooltip=Import a JSON file containing authorization settings for this resource server. authz-policy-enforcement-mode=Policy Enforcement Mode -authz-policy-enforcement-mode.tooltip=The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allow access to any resource. +authz-policy-enforcement-mode.tooltip=The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allows access to any resource. authz-policy-enforcement-mode-enforcing=Enforcing authz-policy-enforcement-mode-permissive=Permissive authz-policy-enforcement-mode-disabled=Disabled authz-remote-resource-management=Remote Resource Management -authz-remote-resource-management.tooltip=Should resources be managed remotely by the resource server? If false, resources can only be managed from this admin console. +authz-remote-resource-management.tooltip=Should resources be managed remotely by the resource server? If false, resources can be managed only from this admin console. authz-export-settings=Export Settings authz-export-settings.tooltip=Export and download all authorization settings for this resource server. @@ -1035,7 +1035,7 @@ authz-policy-logic.tooltip=The logic dictates how the policy decision should be authz-policy-apply-policy=Apply Policy authz-policy-apply-policy.tooltip=Specifies all the policies that must be applied to the scopes defined by this policy or permission. authz-policy-decision-strategy=Decision Strategy -authz-policy-decision-strategy.tooltip=The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order to the overall decision be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order to the overall decision be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative. +authz-policy-decision-strategy.tooltip=The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order for the final decision to be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order for the final decision to be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative. authz-policy-decision-strategy-affirmative=Affirmative authz-policy-decision-strategy-unanimous=Unanimous authz-policy-decision-strategy-consensus=Consensus @@ -1059,15 +1059,15 @@ authz-policy-time-not-before.tooltip=Defines the time before which the policy MU authz-policy-time-not-on-after=Not On or After authz-policy-time-not-on-after.tooltip=Defines the time after which the policy MUST NOT be granted. Only granted if current date/time is before or equal to this value. authz-policy-time-day-month=Day of Month -authz-policy-time-day-month.tooltip=Defines the day of month before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the day of month before/equal which the policy MUST be granted. In this case, the policy would be granted if current day of month is between/equal the two values you provided. +authz-policy-time-day-month.tooltip=Defines the day of month which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current day of month is between or equal to the two values you provided. authz-policy-time-month=Month -authz-policy-time-month.tooltip=Defines the month before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the month before/equal which the policy MUST be granted. In this case, the policy would be granted if current month is between/equal the two values you provided. +authz-policy-time-month.tooltip=Defines the month which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current month is between or equal to the two values you provided. authz-policy-time-year=Year -authz-policy-time-year.tooltip=Defines the year before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the year before/equal which the policy MUST be granted. In this case, the policy would be granted if current year is between/equal the two values you provided. +authz-policy-time-year.tooltip=Defines the year which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current year is between or equal to the two values you provided. authz-policy-time-hour=Hour -authz-policy-time-hour.tooltip=Defines the hour before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the hour before/equal which the policy MUST be granted. In this case, the policy would be granted if current hour is between/equal the two values you provided. +authz-policy-time-hour.tooltip=Defines the hour which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current hour is between or equal to the two values you provided. authz-policy-time-minute=Minute -authz-policy-time-minute.tooltip=Defines the minute before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the minute before/equal which the policy MUST be granted. In this case, the policy would be granted if current minute is between/equal the two values you provided. +authz-policy-time-minute.tooltip=Defines the minute which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current minute is between or equal to the two values you provided. # Authz Drools Policy Detail authz-add-drools-policy=Add Drools Policy diff --git a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js index 72b6c43c06..f4f87aa340 100644 --- a/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js +++ b/themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js @@ -9,6 +9,7 @@ module.controller('ResourceServerCtrl', function($scope, realm, ResourceServer) module.controller('ResourceServerDetailCtrl', function($scope, $http, $route, $location, $upload, $modal, realm, ResourceServer, client, AuthzDialog, Notifications) { $scope.realm = realm; $scope.client = client; + $scope.showAuthorizationTab = client.authorizationServicesEnabled; ResourceServer.get({ realm : $route.current.params.realm, @@ -82,6 +83,7 @@ module.controller('ResourceServerDetailCtrl', function($scope, $http, $route, $l module.controller('ResourceServerResourceCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerResource, client) { $scope.realm = realm; $scope.client = client; + $scope.showAuthorizationTab = client.authorizationServicesEnabled; $scope.query = { realm: realm.realm, @@ -134,6 +136,7 @@ module.controller('ResourceServerResourceCtrl', function($scope, $http, $route, module.controller('ResourceServerResourceDetailCtrl', function($scope, $http, $route, $location, realm, ResourceServer, client, ResourceServerResource, ResourceServerScope, AuthzDialog, Notifications) { $scope.realm = realm; $scope.client = client; + $scope.showAuthorizationTab = client.authorizationServicesEnabled; ResourceServerScope.query({realm : realm.realm, client : client.id}, function (data) { $scope.scopes = data; @@ -265,6 +268,7 @@ module.controller('ResourceServerResourceDetailCtrl', function($scope, $http, $r module.controller('ResourceServerScopeCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerScope, client) { $scope.realm = realm; $scope.client = client; + $scope.showAuthorizationTab = client.authorizationServicesEnabled; $scope.query = { realm: realm.realm, @@ -317,6 +321,7 @@ module.controller('ResourceServerScopeCtrl', function($scope, $http, $route, $lo module.controller('ResourceServerScopeDetailCtrl', function($scope, $http, $route, $location, realm, ResourceServer, client, ResourceServerScope, AuthzDialog, Notifications) { $scope.realm = realm; $scope.client = client; + $scope.showAuthorizationTab = client.authorizationServicesEnabled; var $instance = this; @@ -426,6 +431,7 @@ module.controller('ResourceServerScopeDetailCtrl', function($scope, $http, $rout module.controller('ResourceServerPolicyCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPolicy, PolicyProvider, client) { $scope.realm = realm; $scope.client = client; + $scope.showAuthorizationTab = client.authorizationServicesEnabled; $scope.policyProviders = []; $scope.query = { @@ -498,6 +504,7 @@ module.controller('ResourceServerPolicyCtrl', function($scope, $http, $route, $l module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPolicy, PolicyProvider, client) { $scope.realm = realm; $scope.client = client; + $scope.showAuthorizationTab = client.authorizationServicesEnabled; $scope.policyProviders = []; $scope.query = { @@ -1200,6 +1207,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe $scope.realm = realm; $scope.client = client; + $scope.showAuthorizationTab = client.authorizationServicesEnabled; $scope.decisionStrategies = ['AFFIRMATIVE', 'UNANIMOUS', 'CONSENSUS']; $scope.logics = ['POSITIVE', 'NEGATIVE']; @@ -1365,6 +1373,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe module.controller('PolicyEvaluateCtrl', function($scope, $http, $route, $location, realm, clients, roles, ResourceServer, client, ResourceServerResource, ResourceServerScope, User, Notifications) { $scope.realm = realm; $scope.client = client; + $scope.showAuthorizationTab = client.authorizationServicesEnabled; $scope.clients = clients; $scope.roles = roles; $scope.authzRequest = {}; diff --git a/themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js b/themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js index 3bbd471758..c015dfa448 100755 --- a/themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js +++ b/themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js @@ -812,6 +812,7 @@ module.controller('ClientDetailCtrl', function($scope, realm, client, templates, $scope.samlEncrypt = false; $scope.samlForcePostBinding = false; $scope.samlForceNameIdFormat = false; + $scope.showAuthorizationTab = client.authorizationServicesEnabled; function updateProperties() { if (!$scope.client.attributes) { diff --git a/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html b/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html index a0d88c645d..96d9adaa52 100755 --- a/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html +++ b/themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html @@ -19,7 +19,7 @@ {{:: 'scope' | translate}} {{:: 'scope.tooltip' | translate}} -
  • {{:: 'authz-authorization' | translate}}
    • +
  • {{:: 'authz-authorization' | translate}}
  • {{:: 'revocation' | translate}}