Merge pull request #3219 from pedroigor/KEYCLOAK-3534

[KEYCLOAK-3534] - Authorization tab appears too soon in admin console
Stian Thorgersen 2016-09-09 08:14:03 +02:00 committed by GitHub
commit 65befb16fd
7 changed files with 43 additions and 19 deletions


@ -43,7 +43,7 @@ public class AuthorizationClientExample {
} }
private static void introspectRequestingPartyToken() { private static void introspectRequestingPartyToken() {
// create a new instance based on the configuration define at keycloak-authz.json // create a new instance based on the configuration defined in keycloak-authz.json
AuthzClient authzClient = AuthzClient.create(); AuthzClient authzClient = AuthzClient.create();
// query the server for a resource with a given name // query the server for a resource with a given name
@ -51,8 +51,9 @@ public class AuthorizationClientExample {
.resource() .resource()
.findByFilter("name=Default Resource"); .findByFilter("name=Default Resource");
// obtian a Entitlement API Token in order to get access to the Entitlement API. // obtain an Entitlement API Token in order to get access to the Entitlement API.
// this token is just an access token issued to a client on behalf of an user with a scope kc_entitlement // this token is just an access token issued to a client on behalf of an user
// with a scope = kc_entitlement
String eat = getEntitlementAPIToken(authzClient); String eat = getEntitlementAPIToken(authzClient);
// create an entitlement request // create an entitlement request
@ -63,7 +64,8 @@ public class AuthorizationClientExample {
request.addPermission(permission); request.addPermission(permission);
// send the entitlement request to the server in order to obtain a RPT with all permissions granted to the user // send the entitlement request to the server in order to
// obtain an RPT with all permissions granted to the user
EntitlementResponse response = authzClient.entitlement(eat).get("hello-world-authz-service", request); EntitlementResponse response = authzClient.entitlement(eat).get("hello-world-authz-service", request);
String rpt = response.getRpt(); String rpt = response.getRpt();
@ -79,7 +81,7 @@ public class AuthorizationClientExample {
} }
private static void createResource() { private static void createResource() {
// create a new instance based on the configuration define at keycloak-authz.json // create a new instance based on the configuration defined in keycloak-authz.json
AuthzClient authzClient = AuthzClient.create(); AuthzClient authzClient = AuthzClient.create();
// create a new resource representation with the information we want // create a new resource representation with the information we want
@ -111,8 +113,9 @@ public class AuthorizationClientExample {
// create a new instance based on the configuration define at keycloak-authz.json // create a new instance based on the configuration define at keycloak-authz.json
AuthzClient authzClient = AuthzClient.create(); AuthzClient authzClient = AuthzClient.create();
// obtian a Entitlement API Token in order to get access to the Entitlement API. // obtain an Entitlement API Token in order to get access to the Entitlement API.
// this token is just an access token issued to a client on behalf of an user with a scope kc_entitlement // this token is just an access token issued to a client on behalf of an user
// with a scope = kc_entitlement
String eat = getEntitlementAPIToken(authzClient); String eat = getEntitlementAPIToken(authzClient);
// create an entitlement request // create an entitlement request
@ -123,7 +126,8 @@ public class AuthorizationClientExample {
request.addPermission(permission); request.addPermission(permission);
// send the entitlement request to the server in order to obtain a RPT with all permissions granted to the user // send the entitlement request to the server in order to obtain a RPT
// with all permissions granted to the user
EntitlementResponse response = authzClient.entitlement(eat).get("hello-world-authz-service", request); EntitlementResponse response = authzClient.entitlement(eat).get("hello-world-authz-service", request);
String rpt = response.getRpt(); String rpt = response.getRpt();
@ -133,7 +137,7 @@ public class AuthorizationClientExample {
} }
private static void obtainAllEntitlements() { private static void obtainAllEntitlements() {
// create a new instance based on the configuration define at keycloak-authz.json // create a new instance based on the configuration defined in keycloak-authz.json
AuthzClient authzClient = AuthzClient.create(); AuthzClient authzClient = AuthzClient.create();
// obtian a Entitlement API Token in order to get access to the Entitlement API. // obtian a Entitlement API Token in order to get access to the Entitlement API.
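Review bot: Two of the comment typos this commit corrects elsewhere survive on the new side: `// create a new instance based on the configuration define at keycloak-authz.json` at the top of the -111 hunk is left as-is while the three sibling methods now read `defined in`, and `// obtian a Entitlement API Token in order to get access to the Entitlement API.` in the -133 hunk is unchanged while the -51 and -111 hunks were fixed to `obtain an`. Applying the same wording in those two spots keeps the example consistent, since readers copy these comments. The enclosing methods start and end outside their hunks.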


@ -171,6 +171,13 @@ public class PolicyEvaluationService {
collect.addAll(storeFactory.getResourceStore().findByScope(scope.getId()).stream().map(resource12 -> new ResourcePermission(resource12, asList(scope), resourceServer)).collect(Collectors.toList())); collect.addAll(storeFactory.getResourceStore().findByScope(scope.getId()).stream().map(resource12 -> new ResourcePermission(resource12, asList(scope), resourceServer)).collect(Collectors.toList()));
} }
collect.addAll(storeFactory.getResourceStore().findByResourceServer(resourceServer.getId()).stream().map(new Function<Resource, ResourcePermission>() {
@Override
public ResourcePermission apply(Resource resource) {
return new ResourcePermission(resource, resource.getScopes(), resourceServer);
}
}).collect(Collectors.toList()));
return collect.stream(); return collect.stream();
} }
}).collect(Collectors.toList()); }).collect(Collectors.toList());
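Review bot: The added `addAll` wraps a one-method `Function<Resource, ResourcePermission>` in an anonymous class, while the line just above it already maps with a lambda (`resource12 -> new ResourcePermission(...)`); `.map(resource -> new ResourcePermission(resource, resource.getScopes(), resourceServer))` would match the file's style and remove four lines. Separately, `collect` now receives every resource of the resource server after the per-scope `findByScope` results, so a resource that also matched a requested scope appears to be added twice with different scope lists; if that overlap is intended and deduplicated downstream, a short comment such as `// also evaluate every resource of the resource server with all of its scopes` at the addAll would make that explicit. The enclosing method and lambda start outside the hunk.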


@ -132,7 +132,10 @@ public class PolicyEvaluationResponse {
scopes.add(scope); scopes.add(scope);
} }
if (evaluationResultRepresentation.getStatus().equals(Effect.PERMIT)) { if (evaluationResultRepresentation.getStatus().equals(Effect.PERMIT)) {
result.getAllowedScopes().add(scope); List<ScopeRepresentation> allowedScopes = result.getAllowedScopes();
if (!allowedScopes.contains(scope)) {
allowedScopes.add(scope);
}
} }
} }
} }
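Review bot: The new `allowedScopes.contains(scope)` guard only deduplicates if `ScopeRepresentation` overrides `equals`/`hashCode` in terms of the scope's identity; if it does not (not visible here), two representations built for the same scope are distinct instances and the duplicate still gets through, and the guard is also a linear scan per insertion. Comparing on the scope's identifier, or collecting into a `LinkedHashSet` and converting once at the end, would make the intent robust. The unguarded `scopes.add(scope)` a few lines above in the same hunk would then deserve the same treatment. The enclosing method starts and ends outside the hunk.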


@ -986,13 +986,13 @@ authz-required=Required
authz-import-config.tooltip=Import a JSON file containing authorization settings for this resource server. authz-import-config.tooltip=Import a JSON file containing authorization settings for this resource server.
authz-policy-enforcement-mode=Policy Enforcement Mode authz-policy-enforcement-mode=Policy Enforcement Mode
authz-policy-enforcement-mode.tooltip=The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allow access to any resource. authz-policy-enforcement-mode.tooltip=The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allows access to any resource.
authz-policy-enforcement-mode-enforcing=Enforcing authz-policy-enforcement-mode-enforcing=Enforcing
authz-policy-enforcement-mode-permissive=Permissive authz-policy-enforcement-mode-permissive=Permissive
authz-policy-enforcement-mode-disabled=Disabled authz-policy-enforcement-mode-disabled=Disabled
authz-remote-resource-management=Remote Resource Management authz-remote-resource-management=Remote Resource Management
authz-remote-resource-management.tooltip=Should resources be managed remotely by the resource server? If false, resources can only be managed from this admin console. authz-remote-resource-management.tooltip=Should resources be managed remotely by the resource server? If false, resources can be managed only from this admin console.
authz-export-settings=Export Settings authz-export-settings=Export Settings
authz-export-settings.tooltip=Export and download all authorization settings for this resource server. authz-export-settings.tooltip=Export and download all authorization settings for this resource server.
@ -1035,7 +1035,7 @@ authz-policy-logic.tooltip=The logic dictates how the policy decision should be
authz-policy-apply-policy=Apply Policy authz-policy-apply-policy=Apply Policy
authz-policy-apply-policy.tooltip=Specifies all the policies that must be applied to the scopes defined by this policy or permission. authz-policy-apply-policy.tooltip=Specifies all the policies that must be applied to the scopes defined by this policy or permission.
authz-policy-decision-strategy=Decision Strategy authz-policy-decision-strategy=Decision Strategy
authz-policy-decision-strategy.tooltip=The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order to the overall decision be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order to the overall decision be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative. authz-policy-decision-strategy.tooltip=The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order for the final decision to be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order for the final decision to be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative.
authz-policy-decision-strategy-affirmative=Affirmative authz-policy-decision-strategy-affirmative=Affirmative
authz-policy-decision-strategy-unanimous=Unanimous authz-policy-decision-strategy-unanimous=Unanimous
authz-policy-decision-strategy-consensus=Consensus authz-policy-decision-strategy-consensus=Consensus
@ -1059,15 +1059,15 @@ authz-policy-time-not-before.tooltip=Defines the time before which the policy MU
authz-policy-time-not-on-after=Not On or After authz-policy-time-not-on-after=Not On or After
authz-policy-time-not-on-after.tooltip=Defines the time after which the policy MUST NOT be granted. Only granted if current date/time is before or equal to this value. authz-policy-time-not-on-after.tooltip=Defines the time after which the policy MUST NOT be granted. Only granted if current date/time is before or equal to this value.
authz-policy-time-day-month=Day of Month authz-policy-time-day-month=Day of Month
authz-policy-time-day-month.tooltip=Defines the day of month before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the day of month before/equal which the policy MUST be granted. In this case, the policy would be granted if current day of month is between/equal the two values you provided. authz-policy-time-day-month.tooltip=Defines the day of month which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current day of month is between or equal to the two values you provided.
authz-policy-time-month=Month authz-policy-time-month=Month
authz-policy-time-month.tooltip=Defines the month before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the month before/equal which the policy MUST be granted. In this case, the policy would be granted if current month is between/equal the two values you provided. authz-policy-time-month.tooltip=Defines the month which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current month is between or equal to the two values you provided.
authz-policy-time-year=Year authz-policy-time-year=Year
authz-policy-time-year.tooltip=Defines the year before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the year before/equal which the policy MUST be granted. In this case, the policy would be granted if current year is between/equal the two values you provided. authz-policy-time-year.tooltip=Defines the year which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current year is between or equal to the two values you provided.
authz-policy-time-hour=Hour authz-policy-time-hour=Hour
authz-policy-time-hour.tooltip=Defines the hour before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the hour before/equal which the policy MUST be granted. In this case, the policy would be granted if current hour is between/equal the two values you provided. authz-policy-time-hour.tooltip=Defines the hour which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current hour is between or equal to the two values you provided.
authz-policy-time-minute=Minute authz-policy-time-minute=Minute
authz-policy-time-minute.tooltip=Defines the minute before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the minute before/equal which the policy MUST be granted. In this case, the policy would be granted if current minute is between/equal the two values you provided. authz-policy-time-minute.tooltip=Defines the minute which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current minute is between or equal to the two values you provided.
# Authz Drools Policy Detail # Authz Drools Policy Detail
authz-add-drools-policy=Add Drools Policy authz-add-drools-policy=Add Drools Policy


@ -9,6 +9,7 @@ module.controller('ResourceServerCtrl', function($scope, realm, ResourceServer)
module.controller('ResourceServerDetailCtrl', function($scope, $http, $route, $location, $upload, $modal, realm, ResourceServer, client, AuthzDialog, Notifications) { module.controller('ResourceServerDetailCtrl', function($scope, $http, $route, $location, $upload, $modal, realm, ResourceServer, client, AuthzDialog, Notifications) {
$scope.realm = realm; $scope.realm = realm;
$scope.client = client; $scope.client = client;
$scope.showAuthorizationTab = client.authorizationServicesEnabled;
ResourceServer.get({ ResourceServer.get({
realm : $route.current.params.realm, realm : $route.current.params.realm,
@ -82,6 +83,7 @@ module.controller('ResourceServerDetailCtrl', function($scope, $http, $route, $l
module.controller('ResourceServerResourceCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerResource, client) { module.controller('ResourceServerResourceCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerResource, client) {
$scope.realm = realm; $scope.realm = realm;
$scope.client = client; $scope.client = client;
$scope.showAuthorizationTab = client.authorizationServicesEnabled;
$scope.query = { $scope.query = {
realm: realm.realm, realm: realm.realm,
@ -134,6 +136,7 @@ module.controller('ResourceServerResourceCtrl', function($scope, $http, $route,
module.controller('ResourceServerResourceDetailCtrl', function($scope, $http, $route, $location, realm, ResourceServer, client, ResourceServerResource, ResourceServerScope, AuthzDialog, Notifications) { module.controller('ResourceServerResourceDetailCtrl', function($scope, $http, $route, $location, realm, ResourceServer, client, ResourceServerResource, ResourceServerScope, AuthzDialog, Notifications) {
$scope.realm = realm; $scope.realm = realm;
$scope.client = client; $scope.client = client;
$scope.showAuthorizationTab = client.authorizationServicesEnabled;
ResourceServerScope.query({realm : realm.realm, client : client.id}, function (data) { ResourceServerScope.query({realm : realm.realm, client : client.id}, function (data) {
$scope.scopes = data; $scope.scopes = data;
@ -265,6 +268,7 @@ module.controller('ResourceServerResourceDetailCtrl', function($scope, $http, $r
module.controller('ResourceServerScopeCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerScope, client) { module.controller('ResourceServerScopeCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerScope, client) {
$scope.realm = realm; $scope.realm = realm;
$scope.client = client; $scope.client = client;
$scope.showAuthorizationTab = client.authorizationServicesEnabled;
$scope.query = { $scope.query = {
realm: realm.realm, realm: realm.realm,
@ -317,6 +321,7 @@ module.controller('ResourceServerScopeCtrl', function($scope, $http, $route, $lo
module.controller('ResourceServerScopeDetailCtrl', function($scope, $http, $route, $location, realm, ResourceServer, client, ResourceServerScope, AuthzDialog, Notifications) { module.controller('ResourceServerScopeDetailCtrl', function($scope, $http, $route, $location, realm, ResourceServer, client, ResourceServerScope, AuthzDialog, Notifications) {
$scope.realm = realm; $scope.realm = realm;
$scope.client = client; $scope.client = client;
$scope.showAuthorizationTab = client.authorizationServicesEnabled;
var $instance = this; var $instance = this;
@ -426,6 +431,7 @@ module.controller('ResourceServerScopeDetailCtrl', function($scope, $http, $rout
module.controller('ResourceServerPolicyCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPolicy, PolicyProvider, client) { module.controller('ResourceServerPolicyCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPolicy, PolicyProvider, client) {
$scope.realm = realm; $scope.realm = realm;
$scope.client = client; $scope.client = client;
$scope.showAuthorizationTab = client.authorizationServicesEnabled;
$scope.policyProviders = []; $scope.policyProviders = [];
$scope.query = { $scope.query = {
@ -498,6 +504,7 @@ module.controller('ResourceServerPolicyCtrl', function($scope, $http, $route, $l
module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPolicy, PolicyProvider, client) { module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPolicy, PolicyProvider, client) {
$scope.realm = realm; $scope.realm = realm;
$scope.client = client; $scope.client = client;
$scope.showAuthorizationTab = client.authorizationServicesEnabled;
$scope.policyProviders = []; $scope.policyProviders = [];
$scope.query = { $scope.query = {
@ -1200,6 +1207,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
$scope.realm = realm; $scope.realm = realm;
$scope.client = client; $scope.client = client;
$scope.showAuthorizationTab = client.authorizationServicesEnabled;
$scope.decisionStrategies = ['AFFIRMATIVE', 'UNANIMOUS', 'CONSENSUS']; $scope.decisionStrategies = ['AFFIRMATIVE', 'UNANIMOUS', 'CONSENSUS'];
$scope.logics = ['POSITIVE', 'NEGATIVE']; $scope.logics = ['POSITIVE', 'NEGATIVE'];
@ -1365,6 +1373,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
module.controller('PolicyEvaluateCtrl', function($scope, $http, $route, $location, realm, clients, roles, ResourceServer, client, ResourceServerResource, ResourceServerScope, User, Notifications) { module.controller('PolicyEvaluateCtrl', function($scope, $http, $route, $location, realm, clients, roles, ResourceServer, client, ResourceServerResource, ResourceServerScope, User, Notifications) {
$scope.realm = realm; $scope.realm = realm;
$scope.client = client; $scope.client = client;
$scope.showAuthorizationTab = client.authorizationServicesEnabled;
$scope.clients = clients; $scope.clients = clients;
$scope.roles = roles; $scope.roles = roles;
$scope.authzRequest = {}; $scope.authzRequest = {};
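Review bot: The same line `$scope.showAuthorizationTab = client.authorizationServicesEnabled;` is added verbatim to nine controllers in this file and once more in `ClientDetailCtrl` in the next section; a single helper or a parent-scope assignment would keep the snapshot in one place so that a future change to the condition is not missed in one controller. Because the value is copied once at controller construction, it deliberately does not follow later edits to `client.authorizationServicesEnabled` until the route reloads, which is presumably the fix for the tab appearing too soon; that reason is not obvious from the line itself, so a comment at the first occurrence such as `// snapshot at load: the tab is shown only once the saved client has authorization services enabled` would help. Each controller body continues outside its hunk.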


@ -812,6 +812,7 @@ module.controller('ClientDetailCtrl', function($scope, realm, client, templates,
$scope.samlEncrypt = false; $scope.samlEncrypt = false;
$scope.samlForcePostBinding = false; $scope.samlForcePostBinding = false;
$scope.samlForceNameIdFormat = false; $scope.samlForceNameIdFormat = false;
$scope.showAuthorizationTab = client.authorizationServicesEnabled;
function updateProperties() { function updateProperties() {
if (!$scope.client.attributes) { if (!$scope.client.attributes) {


@ -19,7 +19,7 @@
<a href="#/realms/{{realm.realm}}/clients/{{client.id}}/scope-mappings">{{:: 'scope' | translate}}</a> <a href="#/realms/{{realm.realm}}/clients/{{client.id}}/scope-mappings">{{:: 'scope' | translate}}</a>
<kc-tooltip>{{:: 'scope.tooltip' | translate}}</kc-tooltip> <kc-tooltip>{{:: 'scope.tooltip' | translate}}</kc-tooltip>
</li> </li>
<li ng-class="{active: path[4] == 'authz'}" data-ng-show="client.authorizationServicesEnabled"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server">{{:: 'authz-authorization' | translate}}</a></li> <li ng-class="{active: path[4] == 'authz'}" data-ng-show="showAuthorizationTab"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server">{{:: 'authz-authorization' | translate}}</a></li>
<li ng-class="{active: path[4] == 'revocation'}"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/revocation">{{:: 'revocation' | translate}}</a></li> <li ng-class="{active: path[4] == 'revocation'}"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/revocation">{{:: 'revocation' | translate}}</a></li>
<!-- <li ng-class="{active: path[4] == 'identity-provider'}" data-ng-show="realm.identityFederationEnabled"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/identity-provider">Identity Provider</a></li> --> <!-- <li ng-class="{active: path[4] == 'identity-provider'}" data-ng-show="realm.identityFederationEnabled"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/identity-provider">Identity Provider</a></li> -->
<li ng-class="{active: path[4] == 'sessions'}" data-ng-show="!client.bearerOnly"> <li ng-class="{active: path[4] == 'sessions'}" data-ng-show="!client.bearerOnly">
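Review bot: Switching the tab's `data-ng-show` from `client.authorizationServicesEnabled` to `showAuthorizationTab` means every controller that renders this nav must now assign the flag; a controller that does not is not an error but silently hides the tab, since an undefined scope value is falsy. A comment next to that `<li>` naming the contract, e.g. `<!-- showAuthorizationTab is set by each client controller from client.authorizationServicesEnabled at load; unset means hidden -->`, would save the next person who adds a client sub-page. Note also that `ng-show` only controls rendering of the link: the `authz/resource-server` route and the REST calls behind it are not gated by this flag, so any enforcement that authorization services are enabled has to remain on the server side, which this diff does not show.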