Search in sources :

Example 21 with ProtocolMappersResource

use of org.keycloak.admin.client.resource.ProtocolMappersResource in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testUserGroupRoleToAttributeMappersScopedClientNotSet.

@Test
public void testUserGroupRoleToAttributeMappersScopedClientNotSet() throws Exception {
    String clientId = "test-app-scope";
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(null, null, "Client roles mapper", "roles-custom.test-app-scope", true, true);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), clientId).getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
    // Login user
    ClientManager.realm(adminClient.realm("test")).clientId(clientId).directAccessGrant(true);
    oauth.clientId(clientId);
    OAuthClient.AccessTokenResponse response = browserLogin("password", "rich.roles@redhat.com", "password");
    IDToken idToken = oauth.verifyIDToken(response.getIdToken());
    // Verify attribute is filled
    Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
    Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", clientId));
    String realmRoleMappings = (String) roleMappings.get("realm");
    String testAppScopeMappings = (String) roleMappings.get(clientId);
    assertRolesString(realmRoleMappings, // from direct assignment to /roleRichGroup/level2group
    "pref.admin", // from parent group of /roleRichGroup/level2group, i.e. from /roleRichGroup
    "pref.user", "pref.customer-user-premium");
    assertRolesString(testAppScopeMappings, // from direct assignment to roleRichUser, present as scope allows it
    "test-app-allowed-by-scope", // from direct assignment to /roleRichGroup/level2group, present as scope allows it
    "test-app-disallowed-by-scope");
    // Revert
    deleteMappers(protocolMappers);
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation) IDToken(org.keycloak.representations.IDToken) Matchers.isEmptyOrNullString(org.hamcrest.Matchers.isEmptyOrNullString) Map(java.util.Map) HashMap(java.util.HashMap) ProtocolMappersResource(org.keycloak.admin.client.resource.ProtocolMappersResource) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 22 with ProtocolMappersResource

use of org.keycloak.admin.client.resource.ProtocolMappersResource in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testUserRoleToAttributeMappers.

@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testUserRoleToAttributeMappers() throws Exception {
    // Add mapper for realm roles
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper("test-app", null, "Client roles mapper", "roles-custom.test-app", true, true);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
    // Login user
    OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
    IDToken idToken = oauth.verifyIDToken(response.getIdToken());
    // Verify attribute is filled
    Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
    Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", "test-app"));
    String realmRoleMappings = (String) roleMappings.get("realm");
    String testAppMappings = (String) roleMappings.get("test-app");
    assertRolesString(realmRoleMappings, // from direct assignment in user definition
    "pref.user", // from direct assignment in user definition
    "pref.offline_access");
    assertRolesString(testAppMappings, // from direct assignment in user definition
    "customer-user");
    // Revert
    deleteMappers(protocolMappers);
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation) IDToken(org.keycloak.representations.IDToken) Matchers.isEmptyOrNullString(org.hamcrest.Matchers.isEmptyOrNullString) Map(java.util.Map) HashMap(java.util.HashMap) ProtocolMappersResource(org.keycloak.admin.client.resource.ProtocolMappersResource) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 23 with ProtocolMappersResource

use of org.keycloak.admin.client.resource.ProtocolMappersResource in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testUserGroupRoleToAttributeMappersScoped.

@Test
public void testUserGroupRoleToAttributeMappersScoped() throws Exception {
    String clientId = "test-app-scope";
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(clientId, null, "Client roles mapper", "roles-custom.test-app-scope", true, true);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), clientId).getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
    // Login user
    ClientManager.realm(adminClient.realm("test")).clientId(clientId).directAccessGrant(true);
    oauth.clientId(clientId);
    OAuthClient.AccessTokenResponse response = browserLogin("password", "rich.roles@redhat.com", "password");
    IDToken idToken = oauth.verifyIDToken(response.getIdToken());
    // Verify attribute is filled
    Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
    Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", clientId));
    String realmRoleMappings = (String) roleMappings.get("realm");
    String testAppScopeMappings = (String) roleMappings.get(clientId);
    assertRolesString(realmRoleMappings, // from direct assignment to /roleRichGroup/level2group
    "pref.admin", // from parent group of /roleRichGroup/level2group, i.e. from /roleRichGroup
    "pref.user", "pref.customer-user-premium");
    assertRolesString(testAppScopeMappings, // from direct assignment to roleRichUser, present as scope allows it
    "test-app-allowed-by-scope", "test-app-disallowed-by-scope");
    // Revert
    deleteMappers(protocolMappers);
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation) IDToken(org.keycloak.representations.IDToken) Matchers.isEmptyOrNullString(org.hamcrest.Matchers.isEmptyOrNullString) Map(java.util.Map) HashMap(java.util.HashMap) ProtocolMappersResource(org.keycloak.admin.client.resource.ProtocolMappersResource) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 24 with ProtocolMappersResource

use of org.keycloak.admin.client.resource.ProtocolMappersResource in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testGroupAttributeTwoGroupMultiValueNoAggregate.

@Test
public void testGroupAttributeTwoGroupMultiValueNoAggregate() throws Exception {
    // get the user
    UserResource userResource = findUserByUsernameId(adminClient.realm("test"), "test-user@localhost");
    // create two groups with two values (one is the same value)
    GroupRepresentation group1 = new GroupRepresentation();
    group1.setName("group1");
    group1.setAttributes(new HashMap<>());
    group1.getAttributes().put("group-value", Arrays.asList("value1", "value2"));
    adminClient.realm("test").groups().add(group1);
    group1 = adminClient.realm("test").getGroupByPath("/group1");
    userResource.joinGroup(group1.getId());
    GroupRepresentation group2 = new GroupRepresentation();
    group2.setName("group2");
    group2.setAttributes(new HashMap<>());
    group2.getAttributes().put("group-value", Arrays.asList("value2", "value3"));
    adminClient.realm("test").groups().add(group2);
    group2 = adminClient.realm("test").getGroupByPath("/group2");
    userResource.joinGroup(group2.getId());
    // create the attribute mapper
    ProtocolMappersResource protocolMappers = findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
    protocolMappers.createMapper(createClaimMapper("group-value", "group-value", "group-value", "String", true, true, true, false)).close();
    try {
        // test it
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        assertNotNull(idToken.getOtherClaims());
        assertNotNull(idToken.getOtherClaims().get("group-value"));
        assertTrue(idToken.getOtherClaims().get("group-value") instanceof List);
        assertEquals(2, ((List) idToken.getOtherClaims().get("group-value")).size());
        assertTrue((((List) idToken.getOtherClaims().get("group-value")).contains("value1") && ((List) idToken.getOtherClaims().get("group-value")).contains("value2")) || (((List) idToken.getOtherClaims().get("group-value")).contains("value2") && ((List) idToken.getOtherClaims().get("group-value")).contains("value3")));
    } finally {
        // revert
        userResource.leaveGroup(group1.getId());
        adminClient.realm("test").groups().group(group1.getId()).remove();
        userResource.leaveGroup(group2.getId());
        adminClient.realm("test").groups().group(group2.getId()).remove();
        deleteMappers(protocolMappers);
    }
}
Also used : GroupRepresentation(org.keycloak.representations.idm.GroupRepresentation) OAuthClient(org.keycloak.testsuite.util.OAuthClient) UserResource(org.keycloak.admin.client.resource.UserResource) IDToken(org.keycloak.representations.IDToken) List(java.util.List) ProtocolMappersResource(org.keycloak.admin.client.resource.ProtocolMappersResource) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 25 with ProtocolMappersResource

use of org.keycloak.admin.client.resource.ProtocolMappersResource in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testUserRoleToAttributeMappersWithFullScopeDisabled.

/**
 * KEYCLOAK-5259
 * @throws Exception
 */
@Test
public void testUserRoleToAttributeMappersWithFullScopeDisabled() throws Exception {
    // Add mapper for realm roles
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper("test-app", null, "Client roles mapper", "roles-custom.test-app", true, true, true);
    ClientResource client = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), "test-app");
    // Disable full-scope-allowed
    ClientRepresentation rep = client.toRepresentation();
    rep.setFullScopeAllowed(false);
    client.update(rep);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
    // Login user
    OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
    IDToken idToken = oauth.verifyIDToken(response.getIdToken());
    // Verify attribute is filled
    Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
    Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", "test-app"));
    Assert.assertThat(roleMappings.get("realm"), CoreMatchers.instanceOf(List.class));
    Assert.assertThat(roleMappings.get("test-app"), CoreMatchers.instanceOf(List.class));
    List<String> realmRoleMappings = (List<String>) roleMappings.get("realm");
    List<String> testAppMappings = (List<String>) roleMappings.get("test-app");
    assertRoles(realmRoleMappings, // from direct assignment in user definition
    "pref.user");
    assertRoles(testAppMappings, // from direct assignment in user definition
    "customer-user");
    // Revert
    deleteMappers(protocolMappers);
    rep = client.toRepresentation();
    rep.setFullScopeAllowed(true);
    client.update(rep);
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) Matchers.isEmptyOrNullString(org.hamcrest.Matchers.isEmptyOrNullString) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation) ClientResource(org.keycloak.admin.client.resource.ClientResource) IDToken(org.keycloak.representations.IDToken) List(java.util.List) Map(java.util.Map) HashMap(java.util.HashMap) ProtocolMappersResource(org.keycloak.admin.client.resource.ProtocolMappersResource) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Aggregations

ProtocolMappersResource (org.keycloak.admin.client.resource.ProtocolMappersResource)27 Test (org.junit.Test)25 IDToken (org.keycloak.representations.IDToken)18 OAuthClient (org.keycloak.testsuite.util.OAuthClient)18 AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest)17 GroupRepresentation (org.keycloak.representations.idm.GroupRepresentation)14 ProtocolMapperRepresentation (org.keycloak.representations.idm.ProtocolMapperRepresentation)12 HashMap (java.util.HashMap)11 Matchers.isEmptyOrNullString (org.hamcrest.Matchers.isEmptyOrNullString)11 UserResource (org.keycloak.admin.client.resource.UserResource)10 List (java.util.List)8 Map (java.util.Map)8 ClientResource (org.keycloak.admin.client.resource.ClientResource)7 LinkedHashMap (java.util.LinkedHashMap)5 AbstractSamlTest (org.keycloak.testsuite.saml.AbstractSamlTest)5 Response (javax.ws.rs.core.Response)3 ClientScopeRepresentation (org.keycloak.representations.idm.ClientScopeRepresentation)3 UserRepresentation (org.keycloak.representations.idm.UserRepresentation)3 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)2 AuthServerContainerExclude (org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude)2