use of org.apache.syncope.client.lib.SyncopeClient in project syncope by apache.
the class JWTITCase method thirdPartyTokenUnknownIssuer.
@Test
public void thirdPartyTokenUnknownIssuer() throws ParseException {
// Create a new token
Date now = new Date();
long currentTime = now.getTime() / 1000L;
Calendar expiry = Calendar.getInstance();
expiry.setTime(now);
expiry.add(Calendar.MINUTE, 5);
JwtClaims jwtClaims = new JwtClaims();
jwtClaims.setTokenId(UUID.randomUUID().toString());
jwtClaims.setSubject("puccini@apache.org");
jwtClaims.setIssuedAt(currentTime);
jwtClaims.setIssuer(CustomJWTSSOProvider.ISSUER + "_");
jwtClaims.setExpiryTime(expiry.getTime().getTime() / 1000L);
jwtClaims.setNotBefore(currentTime);
JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.HS512);
JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);
JwsSignatureProvider jwsSignatureProvider = new HmacJwsSignatureProvider(CustomJWTSSOProvider.CUSTOM_KEY.getBytes(), SignatureAlgorithm.HS512);
String signed = producer.signWith(jwsSignatureProvider);
SyncopeClient jwtClient = clientFactory.create(signed);
try {
jwtClient.self();
fail("Failure expected on an unknown issuer");
} catch (AccessControlException ex) {
// expected
}
}
use of org.apache.syncope.client.lib.SyncopeClient in project syncope by apache.
the class JWTITCase method noneSignature.
@Test
public void noneSignature() throws ParseException {
// Get an initial token
SyncopeClient localClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
AccessTokenService accessTokenService = localClient.getService(AccessTokenService.class);
Response response = accessTokenService.login();
String token = response.getHeaderString(RESTHeaders.TOKEN);
assertNotNull(token);
JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(token);
String tokenId = consumer.getJwtClaims().getTokenId();
// Create a new token using the Id of the first token
JwtClaims jwtClaims = new JwtClaims();
jwtClaims.setTokenId(tokenId);
jwtClaims.setSubject(consumer.getJwtClaims().getSubject());
jwtClaims.setIssuedAt(consumer.getJwtClaims().getIssuedAt());
jwtClaims.setIssuer(consumer.getJwtClaims().getIssuer());
jwtClaims.setExpiryTime(consumer.getJwtClaims().getExpiryTime());
jwtClaims.setNotBefore(consumer.getJwtClaims().getNotBefore());
JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.NONE);
JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);
JwsSignatureProvider jwsSignatureProvider = new NoneJwsSignatureProvider();
String signed = producer.signWith(jwsSignatureProvider);
SyncopeClient jwtClient = clientFactory.create(signed);
UserSelfService jwtUserSelfService = jwtClient.getService(UserSelfService.class);
try {
jwtUserSelfService.read();
fail("Failure expected on no signature");
} catch (AccessControlException ex) {
// expected
}
}
use of org.apache.syncope.client.lib.SyncopeClient in project syncope by apache.
the class JWTITCase method tokenValidation.
@Test
public void tokenValidation() throws ParseException {
// Get an initial token
SyncopeClient localClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
AccessTokenService accessTokenService = localClient.getService(AccessTokenService.class);
Response response = accessTokenService.login();
String token = response.getHeaderString(RESTHeaders.TOKEN);
assertNotNull(token);
JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(token);
String tokenId = consumer.getJwtClaims().getTokenId();
// Create a new token using the Id of the first token
Date now = new Date();
long currentTime = now.getTime() / 1000L;
Calendar expiry = Calendar.getInstance();
expiry.setTime(now);
expiry.add(Calendar.MINUTE, 5);
JwtClaims jwtClaims = new JwtClaims();
jwtClaims.setTokenId(tokenId);
jwtClaims.setSubject(ADMIN_UNAME);
jwtClaims.setIssuedAt(currentTime);
jwtClaims.setIssuer(JWT_ISSUER);
jwtClaims.setExpiryTime(expiry.getTime().getTime() / 1000L);
jwtClaims.setNotBefore(currentTime);
JwsHeaders jwsHeaders = new JwsHeaders(JoseType.JWT, SignatureAlgorithm.HS512);
JwtToken jwtToken = new JwtToken(jwsHeaders, jwtClaims);
JwsJwtCompactProducer producer = new JwsJwtCompactProducer(jwtToken);
JwsSignatureProvider jwsSignatureProvider = new HmacJwsSignatureProvider(JWS_KEY.getBytes(), SignatureAlgorithm.HS512);
String signed = producer.signWith(jwsSignatureProvider);
SyncopeClient jwtClient = clientFactory.create(signed);
UserSelfService jwtUserSelfService = jwtClient.getService(UserSelfService.class);
jwtUserSelfService.read();
}
use of org.apache.syncope.client.lib.SyncopeClient in project syncope by apache.
the class DynRealmITCase method delegatedAdmin.
@Test
public void delegatedAdmin() {
DynRealmTO dynRealm = null;
RoleTO role = null;
try {
// 1. create dynamic realm for all users and groups having resource-ldap assigned
dynRealm = new DynRealmTO();
dynRealm.setKey("LDAPLovers" + getUUIDString());
dynRealm.getDynMembershipConds().put(AnyTypeKind.USER.name(), "$resources==resource-ldap");
dynRealm.getDynMembershipConds().put(AnyTypeKind.GROUP.name(), "$resources==resource-ldap");
Response response = dynRealmService.create(dynRealm);
dynRealm = getObject(response.getLocation(), DynRealmService.class, DynRealmTO.class);
assertNotNull(dynRealm);
// 2. create role for such dynamic realm
role = new RoleTO();
role.setKey("Administer LDAP" + getUUIDString());
role.getEntitlements().add(StandardEntitlement.USER_SEARCH);
role.getEntitlements().add(StandardEntitlement.USER_READ);
role.getEntitlements().add(StandardEntitlement.USER_UPDATE);
role.getEntitlements().add(StandardEntitlement.GROUP_READ);
role.getEntitlements().add(StandardEntitlement.GROUP_UPDATE);
role.getDynRealms().add(dynRealm.getKey());
role = createRole(role);
assertNotNull(role);
// 3. create new user and assign the new role
UserTO dynRealmAdmin = UserITCase.getUniqueSampleTO("dynRealmAdmin@apache.org");
dynRealmAdmin.setPassword("password123");
dynRealmAdmin.getRoles().add(role.getKey());
dynRealmAdmin = createUser(dynRealmAdmin).getEntity();
assertNotNull(dynRealmAdmin);
// 4. create new user and group, assign resource-ldap
UserTO user = UserITCase.getUniqueSampleTO("dynRealmUser@apache.org");
user.setRealm("/even/two");
user.getResources().clear();
user.getResources().add(RESOURCE_NAME_LDAP);
user = createUser(user).getEntity();
assertNotNull(user);
final String userKey = user.getKey();
GroupTO group = GroupITCase.getSampleTO("dynRealmGroup");
group.setRealm("/odd");
group.getResources().clear();
group.getResources().add(RESOURCE_NAME_LDAP);
group = createGroup(group).getEntity();
assertNotNull(group);
final String groupKey = group.getKey();
if (ElasticsearchDetector.isElasticSearchEnabled(syncopeService)) {
try {
Thread.sleep(2000);
} catch (InterruptedException ex) {
// ignore
}
}
// 5. verify that the new user and group are found when searching by dynamic realm
PagedResult<UserTO> matchingUsers = userService.search(new AnyQuery.Builder().realm("/").fiql(SyncopeClient.getUserSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
assertTrue(matchingUsers.getResult().stream().anyMatch(object -> object.getKey().equals(userKey)));
PagedResult<GroupTO> matchingGroups = groupService.search(new AnyQuery.Builder().realm("/").fiql(SyncopeClient.getGroupSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
assertTrue(matchingGroups.getResult().stream().anyMatch(object -> object.getKey().equals(groupKey)));
// 6. prepare to act as delegated admin
SyncopeClient delegatedClient = clientFactory.create(dynRealmAdmin.getUsername(), "password123");
UserService delegatedUserService = delegatedClient.getService(UserService.class);
GroupService delegatedGroupService = delegatedClient.getService(GroupService.class);
// 7. verify delegated administration
// USER_READ
assertNotNull(delegatedUserService.read(userKey));
// GROUP_READ
assertNotNull(delegatedGroupService.read(groupKey));
// USER_SEARCH
matchingUsers = delegatedUserService.search(new AnyQuery.Builder().realm("/").build());
assertTrue(matchingUsers.getResult().stream().anyMatch(object -> object.getKey().equals(userKey)));
// USER_UPDATE
UserPatch userPatch = new UserPatch();
userPatch.setKey(userKey);
userPatch.getResources().add(new StringPatchItem.Builder().value(RESOURCE_NAME_LDAP).operation(PatchOperation.DELETE).build());
// this will fail because unassigning resource-ldap would result in removing the user from the dynamic realm
try {
delegatedUserService.update(userPatch);
fail("This should not happen");
} catch (SyncopeClientException e) {
assertEquals(ClientExceptionType.DelegatedAdministration, e.getType());
}
// this will succeed instead
userPatch.getResources().clear();
userPatch.getResources().add(new StringPatchItem.Builder().value(RESOURCE_NAME_NOPROPAGATION).build());
user = delegatedUserService.update(userPatch).readEntity(new GenericType<ProvisioningResult<UserTO>>() {
}).getEntity();
assertNotNull(user);
assertTrue(user.getResources().contains(RESOURCE_NAME_NOPROPAGATION));
// GROUP_UPDATE
GroupPatch groupPatch = new GroupPatch();
groupPatch.setKey(groupKey);
groupPatch.getPlainAttrs().add(new AttrPatch.Builder().attrTO(attrTO("icon", "modified")).build());
group = delegatedGroupService.update(groupPatch).readEntity(new GenericType<ProvisioningResult<GroupTO>>() {
}).getEntity();
assertNotNull(group);
assertEquals("modified", group.getPlainAttr("icon").get().getValues().get(0));
} finally {
if (role != null) {
roleService.delete(role.getKey());
}
if (dynRealm != null) {
dynRealmService.delete(dynRealm.getKey());
}
}
}
use of org.apache.syncope.client.lib.SyncopeClient in project syncope by apache.
the class UserITCase method async.
@Test
public void async() {
SyncopeClient asyncClient = clientFactory.create(ADMIN_UNAME, ADMIN_PWD);
UserService asyncService = asyncClient.nullPriorityAsync(asyncClient.getService(UserService.class), true);
UserTO user = getUniqueSampleTO("async@syncope.apache.org");
user.getResources().add(RESOURCE_NAME_TESTDB);
user.getResources().add(RESOURCE_NAME_TESTDB2);
user.getResources().add(RESOURCE_NAME_LDAP);
ProvisioningResult<UserTO> result = asyncService.create(user, true).readEntity(new GenericType<ProvisioningResult<UserTO>>() {
});
assertNotNull(result);
verifyAsyncResult(result.getPropagationStatuses());
UserPatch userPatch = new UserPatch();
userPatch.setKey(result.getEntity().getKey());
userPatch.setPassword(new PasswordPatch.Builder().onSyncope(true).resources(RESOURCE_NAME_LDAP, RESOURCE_NAME_TESTDB, RESOURCE_NAME_TESTDB2).value("password321").build());
result = asyncService.update(userPatch).readEntity(new GenericType<ProvisioningResult<UserTO>>() {
});
assertNotNull(result);
verifyAsyncResult(result.getPropagationStatuses());
result = asyncService.delete(result.getEntity().getKey()).readEntity(new GenericType<ProvisioningResult<UserTO>>() {
});
assertNotNull(result);
verifyAsyncResult(result.getPropagationStatuses());
}
Aggregations