Merge pull request #3219 from pedroigor/KEYCLOAK-3534

[KEYCLOAK-3534] - Authorization tab appears too soon in admin console

examples/authz/hello-world/src/main/java/org/keycloak/authz/helloworld/AuthorizationClientExample.java

@@ -43,7 +43,7 @@ public class AuthorizationClientExample {
     }
 
     private static void introspectRequestingPartyToken() {
-        // create a new instance based on the configuration define at keycloak-authz.json
+        // create a new instance based on the configuration defined in keycloak-authz.json
         AuthzClient authzClient = AuthzClient.create();
 
         // query the server for a resource with a given name
@@ -51,8 +51,9 @@ public class AuthorizationClientExample {
                 .resource()
                 .findByFilter("name=Default Resource");
 
-        // obtian a Entitlement API Token in order to get access to the Entitlement API.
-        // this token is just an access token issued to a client on behalf of an user with a scope kc_entitlement
+        // obtain an Entitlement API Token in order to get access to the Entitlement API.
+        // this token is just an access token issued to a client on behalf of an user
+        // with a scope = kc_entitlement
         String eat = getEntitlementAPIToken(authzClient);
 
         // create an entitlement request
@@ -63,7 +64,8 @@ public class AuthorizationClientExample {
 
         request.addPermission(permission);
 
-        // send the entitlement request to the server in order to obtain a RPT with all permissions granted to the user
+        // send the entitlement request to the server in order to
+        // obtain an RPT with all permissions granted to the user
         EntitlementResponse response = authzClient.entitlement(eat).get("hello-world-authz-service", request);
         String rpt = response.getRpt();
 
@@ -79,7 +81,7 @@ public class AuthorizationClientExample {
     }
 
     private static void createResource() {
-        // create a new instance based on the configuration define at keycloak-authz.json
+        // create a new instance based on the configuration defined in keycloak-authz.json
         AuthzClient authzClient = AuthzClient.create();
 
         // create a new resource representation with the information we want
@@ -111,8 +113,9 @@ public class AuthorizationClientExample {
         // create a new instance based on the configuration define at keycloak-authz.json
         AuthzClient authzClient = AuthzClient.create();
 
-        // obtian a Entitlement API Token in order to get access to the Entitlement API.
-        // this token is just an access token issued to a client on behalf of an user with a scope kc_entitlement
+        // obtain an Entitlement API Token in order to get access to the Entitlement API.
+        // this token is just an access token issued to a client on behalf of an user
+        // with a scope = kc_entitlement
         String eat = getEntitlementAPIToken(authzClient);
 
         // create an entitlement request
@@ -123,7 +126,8 @@ public class AuthorizationClientExample {
 
         request.addPermission(permission);
 
-        // send the entitlement request to the server in order to obtain a RPT with all permissions granted to the user
+        // send the entitlement request to the server in order to obtain a RPT
+        // with all permissions granted to the user
         EntitlementResponse response = authzClient.entitlement(eat).get("hello-world-authz-service", request);
         String rpt = response.getRpt();
 
@@ -133,7 +137,7 @@ public class AuthorizationClientExample {
     }
 
     private static void obtainAllEntitlements() {
-        // create a new instance based on the configuration define at keycloak-authz.json
+        // create a new instance based on the configuration defined in keycloak-authz.json
         AuthzClient authzClient = AuthzClient.create();
 
         // obtian a Entitlement API Token in order to get access to the Entitlement API.

services/src/main/java/org/keycloak/authorization/admin/PolicyEvaluationService.java

@@ -171,6 +171,13 @@ public class PolicyEvaluationService {
                     collect.addAll(storeFactory.getResourceStore().findByScope(scope.getId()).stream().map(resource12 -> new ResourcePermission(resource12, asList(scope), resourceServer)).collect(Collectors.toList()));
                 }
 
+                collect.addAll(storeFactory.getResourceStore().findByResourceServer(resourceServer.getId()).stream().map(new Function<Resource, ResourcePermission>() {
+                    @Override
+                    public ResourcePermission apply(Resource resource) {
+                        return new ResourcePermission(resource, resource.getScopes(), resourceServer);
+                    }
+                }).collect(Collectors.toList()));
+
                 return collect.stream();
             }
         }).collect(Collectors.toList());

services/src/main/java/org/keycloak/authorization/admin/representation/PolicyEvaluationResponse.java

@@ -132,7 +132,10 @@ public class PolicyEvaluationResponse {
                         scopes.add(scope);
                     }
                     if (evaluationResultRepresentation.getStatus().equals(Effect.PERMIT)) {
-                        result.getAllowedScopes().add(scope);
+                        List<ScopeRepresentation> allowedScopes = result.getAllowedScopes();
+                        if (!allowedScopes.contains(scope)) {
+                            allowedScopes.add(scope);
+                        }
                     }
                 }
             }

themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties

@@ -986,13 +986,13 @@ authz-required=Required
 authz-import-config.tooltip=Import a JSON file containing authorization settings for this resource server.
 
 authz-policy-enforcement-mode=Policy Enforcement Mode
-authz-policy-enforcement-mode.tooltip=The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allow access to any resource.
+authz-policy-enforcement-mode.tooltip=The policy enforcement mode dictates how policies are enforced when evaluating authorization requests. 'Enforcing' means requests are denied by default even when there is no policy associated with a given resource. 'Permissive' means requests are allowed even when there is no policy associated with a given resource. 'Disabled' completely disables the evaluation of policies and allows access to any resource.
 authz-policy-enforcement-mode-enforcing=Enforcing
 authz-policy-enforcement-mode-permissive=Permissive
 authz-policy-enforcement-mode-disabled=Disabled
 
 authz-remote-resource-management=Remote Resource Management
-authz-remote-resource-management.tooltip=Should resources be managed remotely by the resource server? If false, resources can only be managed from this admin console.
+authz-remote-resource-management.tooltip=Should resources be managed remotely by the resource server? If false, resources can be managed only from this admin console.
 
 authz-export-settings=Export Settings
 authz-export-settings.tooltip=Export and download all authorization settings for this resource server.
@@ -1035,7 +1035,7 @@ authz-policy-logic.tooltip=The logic dictates how the policy decision should be
 authz-policy-apply-policy=Apply Policy
 authz-policy-apply-policy.tooltip=Specifies all the policies that must be applied to the scopes defined by this policy or permission.
 authz-policy-decision-strategy=Decision Strategy
-authz-policy-decision-strategy.tooltip=The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order to the overall decision be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order to the overall decision be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative.
+authz-policy-decision-strategy.tooltip=The decision strategy dictates how the policies associated with a given permission are evaluated and how a final decision is obtained. 'Affirmative' means that at least one policy must evaluate to a positive decision in order for the final decision to be also positive. 'Unanimous' means that all policies must evaluate to a positive decision in order for the final decision to be also positive. 'Consensus' means that the number of positive decisions must be greater than the number of negative decisions. If the number of positive and negative is the same, the final decision will be negative.
 authz-policy-decision-strategy-affirmative=Affirmative
 authz-policy-decision-strategy-unanimous=Unanimous
 authz-policy-decision-strategy-consensus=Consensus
@@ -1059,15 +1059,15 @@ authz-policy-time-not-before.tooltip=Defines the time before which the policy MU
 authz-policy-time-not-on-after=Not On or After
 authz-policy-time-not-on-after.tooltip=Defines the time after which the policy MUST NOT be granted. Only granted if current date/time is before or equal to this value.
 authz-policy-time-day-month=Day of Month
-authz-policy-time-day-month.tooltip=Defines the day of month before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the day of month before/equal which the policy MUST be granted. In this case, the policy would be granted if current day of month is between/equal the two values you provided.
+authz-policy-time-day-month.tooltip=Defines the day of month which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current day of month is between or equal to the two values you provided.
 authz-policy-time-month=Month
-authz-policy-time-month.tooltip=Defines the month before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the month before/equal which the policy MUST be granted. In this case, the policy would be granted if current month is between/equal the two values you provided.
+authz-policy-time-month.tooltip=Defines the month which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current month is between or equal to the two values you provided.
 authz-policy-time-year=Year
-authz-policy-time-year.tooltip=Defines the year before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the year before/equal which the policy MUST be granted. In this case, the policy would be granted if current year is between/equal the two values you provided.
+authz-policy-time-year.tooltip=Defines the year which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current year is between or equal to the two values you provided.
 authz-policy-time-hour=Hour
-authz-policy-time-hour.tooltip=Defines the hour before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the hour before/equal which the policy MUST be granted. In this case, the policy would be granted if current hour is between/equal the two values you provided.
+authz-policy-time-hour.tooltip=Defines the hour which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current hour is between or equal to the two values you provided.
 authz-policy-time-minute=Minute
-authz-policy-time-minute.tooltip=Defines the minute before/equal which policy MUST be granted. You can also provide a range period by filling the second field with the minute before/equal which the policy MUST be granted. In this case, the policy would be granted if current minute is between/equal the two values you provided.
+authz-policy-time-minute.tooltip=Defines the minute which the policy MUST be granted. You can also provide a range by filling the second field. In this case, permission is granted only if current minute is between or equal to the two values you provided.
 
 # Authz Drools Policy Detail
 authz-add-drools-policy=Add Drools Policy

themes/src/main/resources/theme/base/admin/resources/js/authz/authz-controller.js

@@ -9,6 +9,7 @@ module.controller('ResourceServerCtrl', function($scope, realm, ResourceServer)
 module.controller('ResourceServerDetailCtrl', function($scope, $http, $route, $location, $upload, $modal, realm, ResourceServer, client, AuthzDialog, Notifications) {
     $scope.realm = realm;
     $scope.client = client;
+    $scope.showAuthorizationTab = client.authorizationServicesEnabled;
 
     ResourceServer.get({
         realm : $route.current.params.realm,
@@ -82,6 +83,7 @@ module.controller('ResourceServerDetailCtrl', function($scope, $http, $route, $l
 module.controller('ResourceServerResourceCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerResource, client) {
     $scope.realm = realm;
     $scope.client = client;
+    $scope.showAuthorizationTab = client.authorizationServicesEnabled;
 
     $scope.query = {
         realm: realm.realm,
@@ -134,6 +136,7 @@ module.controller('ResourceServerResourceCtrl', function($scope, $http, $route,
 module.controller('ResourceServerResourceDetailCtrl', function($scope, $http, $route, $location, realm, ResourceServer, client, ResourceServerResource, ResourceServerScope, AuthzDialog, Notifications) {
     $scope.realm = realm;
     $scope.client = client;
+    $scope.showAuthorizationTab = client.authorizationServicesEnabled;
 
     ResourceServerScope.query({realm : realm.realm, client : client.id}, function (data) {
         $scope.scopes = data;
@@ -265,6 +268,7 @@ module.controller('ResourceServerResourceDetailCtrl', function($scope, $http, $r
 module.controller('ResourceServerScopeCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerScope, client) {
     $scope.realm = realm;
     $scope.client = client;
+    $scope.showAuthorizationTab = client.authorizationServicesEnabled;
 
     $scope.query = {
         realm: realm.realm,
@@ -317,6 +321,7 @@ module.controller('ResourceServerScopeCtrl', function($scope, $http, $route, $lo
 module.controller('ResourceServerScopeDetailCtrl', function($scope, $http, $route, $location, realm, ResourceServer, client, ResourceServerScope, AuthzDialog, Notifications) {
     $scope.realm = realm;
     $scope.client = client;
+    $scope.showAuthorizationTab = client.authorizationServicesEnabled;
 
     var $instance = this;
 
@@ -426,6 +431,7 @@ module.controller('ResourceServerScopeDetailCtrl', function($scope, $http, $rout
 module.controller('ResourceServerPolicyCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPolicy, PolicyProvider, client) {
     $scope.realm = realm;
     $scope.client = client;
+    $scope.showAuthorizationTab = client.authorizationServicesEnabled;
     $scope.policyProviders = [];
 
     $scope.query = {
@@ -498,6 +504,7 @@ module.controller('ResourceServerPolicyCtrl', function($scope, $http, $route, $l
 module.controller('ResourceServerPermissionCtrl', function($scope, $http, $route, $location, realm, ResourceServer, ResourceServerPolicy, PolicyProvider, client) {
     $scope.realm = realm;
     $scope.client = client;
+    $scope.showAuthorizationTab = client.authorizationServicesEnabled;
     $scope.policyProviders = [];
 
     $scope.query = {
@@ -1200,6 +1207,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
 
         $scope.realm = realm;
         $scope.client = client;
+        $scope.showAuthorizationTab = client.authorizationServicesEnabled;
 
         $scope.decisionStrategies = ['AFFIRMATIVE', 'UNANIMOUS', 'CONSENSUS'];
         $scope.logics = ['POSITIVE', 'NEGATIVE'];
@@ -1365,6 +1373,7 @@ module.service("PolicyController", function($http, $route, $location, ResourceSe
 module.controller('PolicyEvaluateCtrl', function($scope, $http, $route, $location, realm, clients, roles, ResourceServer, client, ResourceServerResource, ResourceServerScope, User, Notifications) {
     $scope.realm = realm;
     $scope.client = client;
+    $scope.showAuthorizationTab = client.authorizationServicesEnabled;
     $scope.clients = clients;
     $scope.roles = roles;
     $scope.authzRequest = {};

themes/src/main/resources/theme/base/admin/resources/js/controllers/clients.js

@@ -812,6 +812,7 @@ module.controller('ClientDetailCtrl', function($scope, realm, client, templates,
     $scope.samlEncrypt = false;
     $scope.samlForcePostBinding = false;
     $scope.samlForceNameIdFormat = false;
+    $scope.showAuthorizationTab = client.authorizationServicesEnabled;
 
     function updateProperties() {
         if (!$scope.client.attributes) {

themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html

@@ -19,7 +19,7 @@
             <a href="#/realms/{{realm.realm}}/clients/{{client.id}}/scope-mappings">{{:: 'scope' | translate}}</a>
             <kc-tooltip>{{:: 'scope.tooltip' | translate}}</kc-tooltip>
         </li>
-        <li ng-class="{active: path[4] == 'authz'}" data-ng-show="client.authorizationServicesEnabled"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server">{{:: 'authz-authorization' | translate}}</a></li>
+        <li ng-class="{active: path[4] == 'authz'}" data-ng-show="showAuthorizationTab"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server">{{:: 'authz-authorization' | translate}}</a></li>
         <li ng-class="{active: path[4] == 'revocation'}"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/revocation">{{:: 'revocation' | translate}}</a></li>
     <!--    <li ng-class="{active: path[4] == 'identity-provider'}" data-ng-show="realm.identityFederationEnabled"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/identity-provider">Identity Provider</a></li> -->
         <li ng-class="{active: path[4] == 'sessions'}" data-ng-show="!client.bearerOnly">