Use of org.keycloak.admin.client.resource.RealmResource in project keycloak (by keycloak):
class PermissionsTest, method attackDetection.
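/**
 * Checks the permission rules of the attack-detection (brute-force) admin endpoints:
 * reading a user's brute-force status is attempted with the {@code false} flag, while the
 * two clear operations are attempted with {@code true}.
 * <p>
 * A throwaway user named {@code attacked} is created for the calls and removed again
 * in a {@code finally} block so a failing assertion does not leave it behind for later tests.
 */
@Test
public void attackDetection() {
    UserRepresentation newUser = new UserRepresentation();
    newUser.setUsername("attacked");
    newUser.setEnabled(true);
    // users().create() returns a JAX-RS Response; close it so the underlying
    // connection is released instead of leaking it for the rest of the test.
    try (Response created = adminClient.realms().realm(REALM_NAME).users().create(newUser)) {
        // only the side effect of the create matters here; the body is not consumed
    }
    UserRepresentation user = adminClient.realms().realm(REALM_NAME).users().search("attacked").get(0);
    try {
        // NOTE(review): the boolean appears to mark calls that need manage rights
        // (true) versus read-only ones (false) -- confirm against invoke()'s definition.
        invoke(realm -> realm.attackDetection().bruteForceUserStatus(user.getId()), Resource.USER, false);
        invoke(realm -> realm.attackDetection().clearBruteForceForUser(user.getId()), Resource.USER, true);
        invoke(realm -> realm.attackDetection().clearAllBruteForce(), Resource.USER, true);
    } finally {
        // Always clean up, even when one of the permission checks above fails.
        adminClient.realms().realm(REALM_NAME).users().get(user.getId()).remove();
    }
}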
Use of org.keycloak.admin.client.resource.RealmResource in project keycloak (by keycloak):
class PermissionsTest, method realms.
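/**
 * Exercises the realm-level admin endpoints against admins holding different roles:
 * listing realms, how much of a realm representation is visible without view-realm,
 * realm creation, the per-realm operations (update, revocation, sessions, default groups,
 * group lookup, LDAP test, partial import, cache clearing) and realm deletion.
 * <p>
 * The test realm is deleted at the end and rebuilt via {@code recreatePermissionRealm()}.
 *
 * @throws Exception propagated from the admin client calls
 */
@Test
public void realms() throws Exception {
    // Listing realms: a user without any admin role sees none, from either realm.
    invoke(realm -> clients.get("master-none").realms().findAll(), clients.get("none"), false);
    invoke(realm -> clients.get("none").realms().findAll(), clients.get("none"), false);
    Assert.assertNames(clients.get("master-admin").realms().findAll(), "master", REALM_NAME, "realm2");
    Assert.assertNames(clients.get(AdminRoles.REALM_ADMIN).realms().findAll(), REALM_NAME);
    Assert.assertNames(clients.get("REALM2").realms().findAll(), "realm2");

    // Without view-realm only the realm name is filled in; with it the full representation is.
    List<RealmRepresentation> visible = clients.get(AdminRoles.VIEW_USERS).realms().findAll();
    Assert.assertNames(visible, REALM_NAME);
    assertGettersEmpty(visible.get(0));
    visible = clients.get(AdminRoles.VIEW_REALM).realms().findAll();
    Assert.assertNames(visible, REALM_NAME);
    assertNotNull(visible.get(0).getAccessTokenLifespan());

    // The same expectations hold for admins that live in the 'master' realm.
    visible = clients.get("master-" + AdminRoles.VIEW_USERS).realms().findAll();
    Assert.assertNames(visible, REALM_NAME);
    assertGettersEmpty(visible.get(0));
    visible = clients.get("master-" + AdminRoles.VIEW_REALM).realms().findAll();
    Assert.assertNames(visible, REALM_NAME);
    assertNotNull(visible.get(0).getAccessTokenLifespan());

    // Realm creation
    invoke(realm -> clients.get("master-admin").realms().create(RealmBuilder.create().name("master").build()),
            adminClient, true);
    invoke(realm -> clients.get("master-" + AdminRoles.MANAGE_USERS).realms().create(RealmBuilder.create().name("master").build()),
            adminClient, false);
    invoke(realm -> clients.get(AdminRoles.REALM_ADMIN).realms().create(RealmBuilder.create().name("master").build()),
            adminClient, false);

    // Reading a realm
    invoke(realm -> realm.toRepresentation(), Resource.REALM, false, true);
    assertGettersEmpty(clients.get(AdminRoles.QUERY_REALMS).realm(REALM_NAME).toRepresentation());
    // Users holding any "query" role may still read the realm, with a limited representation.
    for (String role : AdminRoles.ALL_QUERY_ROLES) {
        invoke(realm -> clients.get(role).realms().realm(REALM_NAME).toRepresentation(), clients.get(role), true);
    }

    // Per-realm operations
    invoke(realm -> realm.update(new RealmRepresentation()), Resource.REALM, true);
    invoke(realm -> realm.pushRevocation(), Resource.REALM, true);
    invoke(realm -> realm.deleteSession("nosuch"), Resource.USER, true);
    invoke(realm -> realm.getClientSessionStats(), Resource.REALM, false);
    invoke(realm -> realm.getDefaultGroups(), Resource.REALM, false);
    invoke(realm -> realm.addDefaultGroup("nosuch"), Resource.REALM, true);
    invoke(realm -> realm.removeDefaultGroup("nosuch"), Resource.REALM, true);

    // Group lookup by path needs a real group to resolve.
    GroupRepresentation newGroup = new GroupRepresentation();
    newGroup.setName("sample");
    // groups().add() returns a JAX-RS Response; close it so the connection is released.
    try (Response added = adminClient.realm(REALM_NAME).groups().add(newGroup)) {
        // only the side effect of the add matters here; the body is not consumed
    }
    GroupRepresentation group = adminClient.realms().realm(REALM_NAME).getGroupByPath("sample");
    invoke(realm -> realm.getGroupByPath("sample"), Resource.USER, false);
    adminClient.realms().realm(REALM_NAME).groups().group(group.getId()).remove();

    // Operations that hand back a Response for the helper to inspect
    invoke((realm, response) -> response.set(realm.testLDAPConnection("nosuch", "nosuch", "nosuch", "nosuch", "nosuch", "nosuch")),
            Resource.REALM, true);
    invoke((realm, response) -> response.set(realm.partialImport(new PartialImportRepresentation())),
            Resource.REALM, true);

    invoke(realm -> realm.clearRealmCache(), Resource.REALM, true);
    invoke(realm -> realm.clearUserCache(), Resource.REALM, true);

    // Realm deletion
    invoke(realm -> clients.get("master-admin").realms().realm("nosuch").remove(), adminClient, true);
    invoke(realm -> clients.get("REALM2").realms().realm(REALM_NAME).remove(), adminClient, false);
    invoke(realm -> clients.get(AdminRoles.MANAGE_USERS).realms().realm(REALM_NAME).remove(), adminClient, false);
    invoke(realm -> clients.get(AdminRoles.REALM_ADMIN).realms().realm(REALM_NAME).remove(), adminClient, true);

    // The last call above removed the test realm; rebuild it for the remaining tests.
    recreatePermissionRealm();
}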
Use of org.keycloak.admin.client.resource.RealmResource in project keycloak (by keycloak):
class PermissionsTest, method components.
/**
 * Permission checks for the realm component endpoints: the two query forms and
 * reading a single component are attempted with the {@code false} flag, while
 * add, update and remove are attempted with {@code true}.
 * The component id {@code nosuch} does not exist; only the authorization outcome matters.
 */
@Test
public void components() {
    // Read side
    invoke(realm -> realm.components().query(), Resource.REALM, false);
    invoke(realm -> realm.components().query("nosuch"), Resource.REALM, false);
    invoke(realm -> realm.components().component("nosuch").toRepresentation(), Resource.REALM, false);

    // Write side; add() hands its Response back to the helper
    invoke((realm, response) -> response.set(realm.components().add(new ComponentRepresentation())),
            Resource.REALM, true);
    invoke(realm -> realm.components().component("nosuch").update(new ComponentRepresentation()),
            Resource.REALM, true);
    invoke(realm -> realm.components().component("nosuch").remove(), Resource.REALM, true);
}
Use of org.keycloak.admin.client.resource.RealmResource in project keycloak (by keycloak):
class PermissionsTest, method roles.
/**
 * Permission checks for the realm role endpoints, run against a temporary role
 * named {@code sample-role}: listing and reading roles and their composites with
 * the {@code false} flag; update, create, delete and composite changes with {@code true}.
 * The temporary role is deleted at the end.
 */
@Test
public void roles() {
    RoleRepresentation sampleRole = new RoleRepresentation();
    sampleRole.setName("sample-role");
    adminClient.realm(REALM_NAME).roles().create(sampleRole);

    invoke(realm -> realm.roles().list(), Resource.REALM, false, true);
    // create-client on its own must not be enough to list realm roles
    invoke(realm -> clients.get(AdminRoles.CREATE_CLIENT).realm(REALM_NAME).roles().list(),
            clients.get(AdminRoles.CREATE_CLIENT), false);

    invoke(realm -> realm.roles().get("sample-role").toRepresentation(), Resource.REALM, false);
    invoke(realm -> realm.roles().get("sample-role").update(sampleRole), Resource.REALM, true);
    invoke(realm -> realm.roles().create(new RoleRepresentation()), Resource.REALM, true);
    invoke(realm -> {
        realm.roles().deleteRole("sample-role");
        // put the role back so the composite checks below still find it
        realm.roles().create(sampleRole);
    }, Resource.REALM, true);

    // Composites of the sample role
    invoke(realm -> realm.roles().get("sample-role").getRoleComposites(), Resource.REALM, false);
    invoke(realm -> realm.roles().get("sample-role").addComposites(Collections.emptyList()), Resource.REALM, true);
    invoke(realm -> realm.roles().get("sample-role").deleteComposites(Collections.emptyList()), Resource.REALM, true);
    invoke(realm -> realm.roles().get("sample-role").getRoleComposites(), Resource.REALM, false);
    invoke(realm -> realm.roles().get("sample-role").getRealmRoleComposites(), Resource.REALM, false);
    invoke(realm -> realm.roles().get("sample-role").getClientRoleComposites(KeycloakModelUtils.generateId()),
            Resource.REALM, false);

    adminClient.realms().realm(REALM_NAME).roles().deleteRole("sample-role");
}
Use of org.keycloak.admin.client.resource.RealmResource in project keycloak (by keycloak):
class UserTest, method roleMappings.
/**
 * Covers user role mappings in realm {@code test}: adding and removing realm-level
 * and client-level roles, the listAll/listAvailable/listEffective views (including
 * the full-representation variant that keeps role attributes), the aggregated
 * {@link MappingsRepresentation}, and the admin events emitted for add and remove.
 */
@Test
public void roleMappings() {
    RealmResource realm = adminClient.realms().realm("test");

    // Turn on the test event listener so the admin events can be asserted further down
    realm.update(RealmBuilder.edit(realm.toRepresentation()).testEventListener().build());

    // Realm roles: a plain role, a composite carrying an attribute, and the composite's child
    RoleRepresentation realmComposite = RoleBuilder.create().name("realm-composite").singleAttribute("attribute1", "value1").build();
    realm.roles().create(RoleBuilder.create().name("realm-role").build());
    realm.roles().create(realmComposite);
    realm.roles().create(RoleBuilder.create().name("realm-child").build());
    realm.roles().get("realm-composite").addComposites(Collections.singletonList(realm.roles().get("realm-child").toRepresentation()));

    // Client "myclient" with the analogous set of client roles
    final String clientUuid;
    try (Response createdClient = realm.clients().create(ClientBuilder.create().clientId("myclient").build())) {
        clientUuid = ApiUtil.getCreatedId(createdClient);
    }
    RoleRepresentation clientComposite = RoleBuilder.create().name("client-composite").singleAttribute("attribute1", "value1").build();
    realm.clients().get(clientUuid).roles().create(RoleBuilder.create().name("client-role").build());
    realm.clients().get(clientUuid).roles().create(RoleBuilder.create().name("client-role2").build());
    realm.clients().get(clientUuid).roles().create(clientComposite);
    realm.clients().get(clientUuid).roles().create(RoleBuilder.create().name("client-child").build());
    realm.clients().get(clientUuid).roles().get("client-composite").addComposites(Collections.singletonList(realm.clients().get(clientUuid).roles().get("client-child").toRepresentation()));

    final String userId;
    try (Response createdUser = realm.users().create(UserBuilder.create().username("myuser").build())) {
        userId = ApiUtil.getCreatedId(createdUser);
    }

    // Events for the role/client/user creation above are covered elsewhere; start from a clean slate
    assertAdminEvents.clear();

    RoleMappingResource mappings = realm.users().get(userId).roles();
    assertNames(mappings.realmLevel().listAll(), Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    assertNames(mappings.realmLevel().listEffective(), "user", "offline_access", Constants.AUTHZ_UMA_AUTHORIZATION, Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");

    // Add realm-level mappings
    List<RoleRepresentation> realmRolesToAdd = new LinkedList<>();
    realmRolesToAdd.add(realm.roles().get("realm-role").toRepresentation());
    realmRolesToAdd.add(realm.roles().get("realm-composite").toRepresentation());
    mappings.realmLevel().add(realmRolesToAdd);
    assertAdminEvents.assertEvent("test", OperationType.CREATE, AdminEventPaths.userRealmRoleMappingsPath(userId), realmRolesToAdd, ResourceType.REALM_ROLE_MAPPING);

    // Add client-level mappings, one role per call
    List<RoleRepresentation> clientRolesToAdd = Collections.singletonList(realm.clients().get(clientUuid).roles().get("client-role").toRepresentation());
    mappings.clientLevel(clientUuid).add(clientRolesToAdd);
    assertAdminEvents.assertEvent("test", OperationType.CREATE, AdminEventPaths.userClientRoleMappingsPath(userId, clientUuid), clientRolesToAdd, ResourceType.CLIENT_ROLE_MAPPING);
    clientRolesToAdd = Collections.singletonList(realm.clients().get(clientUuid).roles().get("client-composite").toRepresentation());
    mappings.clientLevel(clientUuid).add(clientRolesToAdd);
    assertAdminEvents.assertEvent("test", OperationType.CREATE, AdminEventPaths.userClientRoleMappingsPath(userId, clientUuid), ResourceType.CLIENT_ROLE_MAPPING);

    // Realm-level views
    assertNames(mappings.realmLevel().listAll(), "realm-role", "realm-composite", Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    assertNames(mappings.realmLevel().listAvailable(), "realm-child", "admin", "customer-user-premium", "realm-composite-role", "sample-realm-role", "attribute-role", "user", "offline_access", Constants.AUTHZ_UMA_AUTHORIZATION);
    assertNames(mappings.realmLevel().listEffective(), "realm-role", "realm-composite", "realm-child", "user", "offline_access", Constants.AUTHZ_UMA_AUTHORIZATION, Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    // listEffective(false) returns full representations, so the attribute must survive
    RoleRepresentation effectiveRealmComposite = getRoleByName("realm-composite", mappings.realmLevel().listEffective(false));
    assertNotNull(effectiveRealmComposite);
    assertTrue(effectiveRealmComposite.getAttributes().containsKey("attribute1"));

    // Client-level views
    assertNames(mappings.clientLevel(clientUuid).listAll(), "client-role", "client-composite");
    assertNames(mappings.clientLevel(clientUuid).listAvailable(), "client-role2", "client-child");
    assertNames(mappings.clientLevel(clientUuid).listEffective(), "client-role", "client-composite", "client-child");
    RoleRepresentation effectiveClientComposite = getRoleByName("client-composite", mappings.clientLevel(clientUuid).listEffective(false));
    assertNotNull(effectiveClientComposite);
    assertTrue(effectiveClientComposite.getAttributes().containsKey("attribute1"));

    // Aggregated representation of all mappings
    MappingsRepresentation allMappings = mappings.getAll();
    assertNames(allMappings.getRealmMappings(), "realm-role", "realm-composite", Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    assertEquals(1, allMappings.getClientMappings().size());
    assertNames(allMappings.getClientMappings().get("myclient").getMappings(), "client-role", "client-composite");

    // Remove one realm-level mapping and check the event plus the remaining list
    RoleRepresentation realmRoleToRemove = realm.roles().get("realm-role").toRepresentation();
    mappings.realmLevel().remove(Collections.singletonList(realmRoleToRemove));
    assertAdminEvents.assertEvent("test", OperationType.DELETE, AdminEventPaths.userRealmRoleMappingsPath(userId), Collections.singletonList(realmRoleToRemove), ResourceType.REALM_ROLE_MAPPING);
    assertNames(mappings.realmLevel().listAll(), "realm-composite", Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");

    // Same for one client-level mapping
    RoleRepresentation clientRoleToRemove = realm.clients().get(clientUuid).roles().get("client-role").toRepresentation();
    mappings.clientLevel(clientUuid).remove(Collections.singletonList(clientRoleToRemove));
    assertAdminEvents.assertEvent("test", OperationType.DELETE, AdminEventPaths.userClientRoleMappingsPath(userId, clientUuid), Collections.singletonList(clientRoleToRemove), ResourceType.CLIENT_ROLE_MAPPING);
    assertNames(mappings.clientLevel(clientUuid).listAll(), "client-composite");
}