
Example 76 with RealmResource

use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.

the class PermissionsTest method attackDetection.

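/**
 * Checks the admin permissions enforced on the brute-force ("attack detection") endpoints.
 *
 * <p>Reading one user's brute-force status is exercised with the last {@code invoke} argument
 * set to {@code false}; both "clear" operations, which reset lockout state, are exercised with
 * {@code true}. NOTE(review): the flag presumably means "needs the manage level of
 * {@code Resource.USER}" rather than view; confirm against the {@code invoke} helper, which is
 * not visible here.
 */
@Test
public void attackDetection() {
    UserRepresentation newUser = new UserRepresentation();
    newUser.setUsername("attacked");
    newUser.setEnabled(true);
    // users().create() hands back a JAX-RS Response; close it so the connection is released.
    adminClient.realms().realm(REALM_NAME).users().create(newUser).close();
    UserRepresentation user = adminClient.realms().realm(REALM_NAME).users().search("attacked").get(0);
    try {
        // Read-only: query the lockout status of a single user.
        invoke((RealmResource realm) -> realm.attackDetection().bruteForceUserStatus(user.getId()), Resource.USER, false);
        // State-changing: resetting the failure counters re-opens a locked account.
        invoke((RealmResource realm) -> realm.attackDetection().clearBruteForceForUser(user.getId()), Resource.USER, true);
        // State-changing, realm-wide: resets the counters of every user.
        invoke((RealmResource realm) -> realm.attackDetection().clearAllBruteForce(), Resource.USER, true);
    } finally {
        // Remove the fixture user even when a permission check fails, so later tests start clean.
        adminClient.realms().realm(REALM_NAME).users().get(user.getId()).remove();
    }
}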
Also used : RealmResource(org.keycloak.admin.client.resource.RealmResource) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 77 with RealmResource

use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.

the class PermissionsTest method realms.

/**
 * Walks through the realm-level admin endpoints and checks, per admin role, whether each call
 * is authorized and how much of the realm representation is disclosed.
 *
 * <p>Two shapes of {@code invoke} appear. With a client as second argument, the boolean is the
 * expected outcome (see the "this should pass" case below). With a {@code Resource}, the boolean
 * is {@code false} on read calls and {@code true} on mutating calls, so it presumably selects
 * view vs. manage; confirm in the helper. Many calls target the id {@code "nosuch"}:
 * presumably the helper only checks whether the server refuses the call as unauthorized, not
 * whether the target exists (TODO confirm).
 *
 * @throws Exception declared by the original signature; no checked exception is visible here
 */
@Test
public void realms() throws Exception {
    // Listing realms is expected to fail when run for the "none" client
    invoke((RealmResource realm) -> clients.get("master-none").realms().findAll(), clients.get("none"), false);
    invoke((RealmResource realm) -> clients.get("none").realms().findAll(), clients.get("none"), false);
    // Every admin is shown only the realms named in the assertion
    Assert.assertNames(clients.get("master-admin").realms().findAll(), "master", REALM_NAME, "realm2");
    Assert.assertNames(clients.get(AdminRoles.REALM_ADMIN).realms().findAll(), REALM_NAME);
    Assert.assertNames(clients.get("REALM2").realms().findAll(), "realm2");

    // view-users alone: the realm is listed, but its representation carries nothing but the name
    List<RealmRepresentation> seenByViewUsers = clients.get(AdminRoles.VIEW_USERS).realms().findAll();
    Assert.assertNames(seenByViewUsers, REALM_NAME);
    assertGettersEmpty(seenByViewUsers.get(0));
    // view-realm: settings such as the access token lifespan are populated
    List<RealmRepresentation> seenByViewRealm = clients.get(AdminRoles.VIEW_REALM).realms().findAll();
    Assert.assertNames(seenByViewRealm, REALM_NAME);
    assertNotNull(seenByViewRealm.get(0).getAccessTokenLifespan());

    // Same two checks for the equivalent users that live in the 'master' realm
    List<RealmRepresentation> seenByMasterViewUsers = clients.get("master-" + AdminRoles.VIEW_USERS).realms().findAll();
    Assert.assertNames(seenByMasterViewUsers, REALM_NAME);
    assertGettersEmpty(seenByMasterViewUsers.get(0));
    List<RealmRepresentation> seenByMasterViewRealm = clients.get("master-" + AdminRoles.VIEW_REALM).realms().findAll();
    Assert.assertNames(seenByMasterViewRealm, REALM_NAME);
    assertNotNull(seenByMasterViewRealm.get(0).getAccessTokenLifespan());

    // Realm creation: expected to be allowed for master-admin only
    invoke((RealmResource realm) -> clients.get("master-admin").realms().create(RealmBuilder.create().name("master").build()), adminClient, true);
    invoke((RealmResource realm) -> clients.get("master-" + AdminRoles.MANAGE_USERS).realms().create(RealmBuilder.create().name("master").build()), adminClient, false);
    invoke((RealmResource realm) -> clients.get(AdminRoles.REALM_ADMIN).realms().create(RealmBuilder.create().name("master").build()), adminClient, false);

    // Reading a single realm
    invoke((RealmResource realm) -> realm.toRepresentation(), Resource.REALM, false, true);
    assertGettersEmpty(clients.get(AdminRoles.QUERY_REALMS).realm(REALM_NAME).toRepresentation());
    // this should pass given that users granted with "query" roles are allowed to access the realm with limited access
    for (String queryRole : AdminRoles.ALL_QUERY_ROLES) {
        invoke((RealmResource realm) -> clients.get(queryRole).realms().realm(REALM_NAME).toRepresentation(), clients.get(queryRole), true);
    }

    // Realm settings, sessions and default groups
    invoke((RealmResource realm) -> realm.update(new RealmRepresentation()), Resource.REALM, true);
    invoke((RealmResource realm) -> realm.pushRevocation(), Resource.REALM, true);
    // Session deletion is checked against the USER resource, not REALM
    invoke((RealmResource realm) -> realm.deleteSession("nosuch"), Resource.USER, true);
    invoke((RealmResource realm) -> realm.getClientSessionStats(), Resource.REALM, false);
    invoke((RealmResource realm) -> realm.getDefaultGroups(), Resource.REALM, false);
    invoke((RealmResource realm) -> realm.addDefaultGroup("nosuch"), Resource.REALM, true);
    invoke((RealmResource realm) -> realm.removeDefaultGroup("nosuch"), Resource.REALM, true);

    // Group lookup by path needs a real group, created and removed with the unrestricted admin client
    GroupRepresentation sampleGroup = new GroupRepresentation();
    sampleGroup.setName("sample");
    adminClient.realm(REALM_NAME).groups().add(sampleGroup);
    GroupRepresentation createdGroup = adminClient.realms().realm(REALM_NAME).getGroupByPath("sample");
    invoke((RealmResource realm) -> realm.getGroupByPath("sample"), Resource.USER, false);
    adminClient.realms().realm(REALM_NAME).groups().group(createdGroup.getId()).remove();

    // Calls that return a Response hand it to the helper through the AtomicReference
    invoke((RealmResource realm, AtomicReference<Response> response) -> response.set(realm.testLDAPConnection("nosuch", "nosuch", "nosuch", "nosuch", "nosuch", "nosuch")), Resource.REALM, true);
    invoke((RealmResource realm, AtomicReference<Response> response) -> response.set(realm.partialImport(new PartialImportRepresentation())), Resource.REALM, true);
    invoke((RealmResource realm) -> realm.clearRealmCache(), Resource.REALM, true);
    invoke((RealmResource realm) -> realm.clearUserCache(), Resource.REALM, true);

    // Realm deletion: refused across realms and for manage-users, allowed for the realm's own admin
    invoke((RealmResource realm) -> clients.get("master-admin").realms().realm("nosuch").remove(), adminClient, true);
    invoke((RealmResource realm) -> clients.get("REALM2").realms().realm(REALM_NAME).remove(), adminClient, false);
    invoke((RealmResource realm) -> clients.get(AdminRoles.MANAGE_USERS).realms().realm(REALM_NAME).remove(), adminClient, false);
    invoke((RealmResource realm) -> clients.get(AdminRoles.REALM_ADMIN).realms().realm(REALM_NAME).remove(), adminClient, true);

    // The last call removes REALM_NAME; rebuild it for the tests that follow
    recreatePermissionRealm();
}
Also used : Response(javax.ws.rs.core.Response) PartialImportRepresentation(org.keycloak.representations.idm.PartialImportRepresentation) GroupRepresentation(org.keycloak.representations.idm.GroupRepresentation) RealmResource(org.keycloak.admin.client.resource.RealmResource) RealmRepresentation(org.keycloak.representations.idm.RealmRepresentation) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 78 with RealmResource

use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.

the class PermissionsTest method components.

/**
 * Checks the permissions enforced on the realm's component endpoints.
 *
 * <p>Query and read calls pass {@code false} as the last {@code invoke} argument; add, update
 * and remove pass {@code true}. NOTE(review): the flag presumably selects view vs. manage on
 * {@code Resource.REALM}; confirm against the {@code invoke} helper. The id {@code "nosuch"}
 * suggests only the authorization decision matters, not whether the component exists.
 */
@Test
public void components() {
    // Read-only calls
    invoke((RealmResource realm) -> realm.components().query(), Resource.REALM, false);
    invoke((RealmResource realm) -> realm.components().query("nosuch"), Resource.REALM, false);
    // Creation returns a Response, which is passed back through the AtomicReference
    invoke((RealmResource realm, AtomicReference<Response> response) -> response.set(realm.components().add(new ComponentRepresentation())), Resource.REALM, true);
    invoke((RealmResource realm) -> realm.components().component("nosuch").toRepresentation(), Resource.REALM, false);
    // Mutating calls on a single component
    invoke((RealmResource realm) -> realm.components().component("nosuch").update(new ComponentRepresentation()), Resource.REALM, true);
    invoke((RealmResource realm) -> realm.components().component("nosuch").remove(), Resource.REALM, true);
}
Also used : Response(javax.ws.rs.core.Response) ComponentRepresentation(org.keycloak.representations.idm.ComponentRepresentation) RealmResource(org.keycloak.admin.client.resource.RealmResource) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 79 with RealmResource

use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.

the class PermissionsTest method roles.

/**
 * Checks the permissions enforced on the realm role endpoints, using a role named
 * {@code "sample-role"} as the fixture.
 *
 * <p>List/read calls pass {@code false} as the last {@code invoke} argument and
 * create/update/delete calls pass {@code true}. NOTE(review): with a {@code Resource} argument
 * the flag presumably selects view vs. manage; confirm against the {@code invoke} helper. With a
 * client argument, {@code false} is the expected outcome "forbidden", as the inline comment on
 * the create-client case states.
 */
@Test
public void roles() {
    RoleRepresentation sampleRole = new RoleRepresentation();
    sampleRole.setName("sample-role");
    adminClient.realm(REALM_NAME).roles().create(sampleRole);

    invoke((RealmResource realm) -> realm.roles().list(), Resource.REALM, false, true);
    // this should throw forbidden as "create-client" role isn't enough
    invoke((RealmResource realm) -> clients.get(AdminRoles.CREATE_CLIENT).realm(REALM_NAME).roles().list(), clients.get(AdminRoles.CREATE_CLIENT), false);

    // Read, update and create on a single role
    invoke((RealmResource realm) -> realm.roles().get("sample-role").toRepresentation(), Resource.REALM, false);
    invoke((RealmResource realm) -> realm.roles().get("sample-role").update(sampleRole), Resource.REALM, true);
    invoke((RealmResource realm) -> realm.roles().create(new RoleRepresentation()), Resource.REALM, true);
    invoke((RealmResource realm) -> {
        realm.roles().deleteRole("sample-role");
        // the role has to exist again for the checks that follow
        realm.roles().create(sampleRole);
    }, Resource.REALM, true);

    // Composite handling: reading is a view call, changing membership is a manage call
    invoke((RealmResource realm) -> realm.roles().get("sample-role").getRoleComposites(), Resource.REALM, false);
    invoke((RealmResource realm) -> realm.roles().get("sample-role").addComposites(Collections.<RoleRepresentation>emptyList()), Resource.REALM, true);
    invoke((RealmResource realm) -> realm.roles().get("sample-role").deleteComposites(Collections.<RoleRepresentation>emptyList()), Resource.REALM, true);
    invoke((RealmResource realm) -> realm.roles().get("sample-role").getRoleComposites(), Resource.REALM, false);
    invoke((RealmResource realm) -> realm.roles().get("sample-role").getRealmRoleComposites(), Resource.REALM, false);
    // A freshly generated id stands in for a client that does not exist
    invoke((RealmResource realm) -> realm.roles().get("sample-role").getClientRoleComposites(KeycloakModelUtils.generateId()), Resource.REALM, false);

    // Drop the fixture role
    adminClient.realms().realm(REALM_NAME).roles().deleteRole("sample-role");
}
Also used : RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) RealmResource(org.keycloak.admin.client.resource.RealmResource) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 80 with RealmResource

use of org.keycloak.admin.client.resource.RealmResource in project keycloak by keycloak.

the class UserTest method roleMappings.

/**
 * Exercises the user role-mapping admin API on realm "test": adding, listing and removing
 * realm-level and client-level roles for one user, including composite roles, and asserting the
 * admin event recorded for each change.
 *
 * <p>The assertions separate directly mapped roles ({@code listAll}) from effective roles
 * ({@code listEffective}), which also contain the children of mapped composite roles. When
 * auditing what a user can actually do, the effective list is the one to look at.
 *
 * <p>The admin-event assertions follow the API calls one by one, so statement order matters.
 */
@Test
public void roleMappings() {
    RealmResource realm = adminClient.realms().realm("test");
    // Enable events
    // NOTE(review): testEventListener() presumably registers the listener that assertAdminEvents reads from; confirm
    RealmRepresentation realmRep = RealmBuilder.edit(realm.toRepresentation()).testEventListener().build();
    realm.update(realmRep);
    // Realm fixtures: a plain role, a composite role carrying attribute1, and the composite's child
    RoleRepresentation realmCompositeRole = RoleBuilder.create().name("realm-composite").singleAttribute("attribute1", "value1").build();
    realm.roles().create(RoleBuilder.create().name("realm-role").build());
    realm.roles().create(realmCompositeRole);
    realm.roles().create(RoleBuilder.create().name("realm-child").build());
    realm.roles().get("realm-composite").addComposites(Collections.singletonList(realm.roles().get("realm-child").toRepresentation()));
    // Client fixture; the Response is closed by try-with-resources once the created id is read
    final String clientUuid;
    try (Response response = realm.clients().create(ClientBuilder.create().clientId("myclient").build())) {
        clientUuid = ApiUtil.getCreatedId(response);
    }
    // Client role fixtures mirror the realm ones, plus client-role2, which is never mapped to the user
    RoleRepresentation clientCompositeRole = RoleBuilder.create().name("client-composite").singleAttribute("attribute1", "value1").build();
    realm.clients().get(clientUuid).roles().create(RoleBuilder.create().name("client-role").build());
    realm.clients().get(clientUuid).roles().create(RoleBuilder.create().name("client-role2").build());
    realm.clients().get(clientUuid).roles().create(clientCompositeRole);
    realm.clients().get(clientUuid).roles().create(RoleBuilder.create().name("client-child").build());
    realm.clients().get(clientUuid).roles().get("client-composite").addComposites(Collections.singletonList(realm.clients().get(clientUuid).roles().get("client-child").toRepresentation()));
    // User fixture
    final String userId;
    try (Response response = realm.users().create(UserBuilder.create().username("myuser").build())) {
        userId = ApiUtil.getCreatedId(response);
    }
    // Admin events for creating role, client or user tested already in other places
    assertAdminEvents.clear();
    RoleMappingResource roles = realm.users().get(userId).roles();
    // Baseline for a new user: one directly mapped role (the default-roles role), but a larger effective set
    assertNames(roles.realmLevel().listAll(), Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    assertNames(roles.realmLevel().listEffective(), "user", "offline_access", Constants.AUTHZ_UMA_AUTHORIZATION, Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    // Add realm roles
    List<RoleRepresentation> l = new LinkedList<>();
    l.add(realm.roles().get("realm-role").toRepresentation());
    l.add(realm.roles().get("realm-composite").toRepresentation());
    roles.realmLevel().add(l);
    // The admin event is expected to carry the list of roles that were added
    assertAdminEvents.assertEvent("test", OperationType.CREATE, AdminEventPaths.userRealmRoleMappingsPath(userId), l, ResourceType.REALM_ROLE_MAPPING);
    // Add client roles
    List<RoleRepresentation> list = Collections.singletonList(realm.clients().get(clientUuid).roles().get("client-role").toRepresentation());
    roles.clientLevel(clientUuid).add(list);
    assertAdminEvents.assertEvent("test", OperationType.CREATE, AdminEventPaths.userClientRoleMappingsPath(userId, clientUuid), list, ResourceType.CLIENT_ROLE_MAPPING);
    list = Collections.singletonList(realm.clients().get(clientUuid).roles().get("client-composite").toRepresentation());
    roles.clientLevel(clientUuid).add(list);
    // NOTE(review): unlike the assertion for client-role above, this one does not pass `list`, so the event's representation is not compared; confirm this is intended
    assertAdminEvents.assertEvent("test", OperationType.CREATE, AdminEventPaths.userClientRoleMappingsPath(userId, clientUuid), ResourceType.CLIENT_ROLE_MAPPING);
    // List realm roles
    // listAll: direct mappings only; listEffective additionally contains realm-child, reached through realm-composite
    assertNames(roles.realmLevel().listAll(), "realm-role", "realm-composite", Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    assertNames(roles.realmLevel().listAvailable(), "realm-child", "admin", "customer-user-premium", "realm-composite-role", "sample-realm-role", "attribute-role", "user", "offline_access", Constants.AUTHZ_UMA_AUTHORIZATION);
    assertNames(roles.realmLevel().listEffective(), "realm-role", "realm-composite", "realm-child", "user", "offline_access", Constants.AUTHZ_UMA_AUTHORIZATION, Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    // List realm effective role with full representation
    // Passing false to listEffective yields entries that include role attributes, as asserted below
    List<RoleRepresentation> realmRolesFullRepresentations = roles.realmLevel().listEffective(false);
    RoleRepresentation realmCompositeRoleFromList = getRoleByName("realm-composite", realmRolesFullRepresentations);
    assertNotNull(realmCompositeRoleFromList);
    assertTrue(realmCompositeRoleFromList.getAttributes().containsKey("attribute1"));
    // List client roles
    // Same split as for realm roles: client-child shows up only in the effective list
    assertNames(roles.clientLevel(clientUuid).listAll(), "client-role", "client-composite");
    assertNames(roles.clientLevel(clientUuid).listAvailable(), "client-role2", "client-child");
    assertNames(roles.clientLevel(clientUuid).listEffective(), "client-role", "client-composite", "client-child");
    // List client effective role with full representation
    List<RoleRepresentation> rolesFullRepresentations = roles.clientLevel(clientUuid).listEffective(false);
    RoleRepresentation clientCompositeRoleFromList = getRoleByName("client-composite", rolesFullRepresentations);
    assertNotNull(clientCompositeRoleFromList);
    assertTrue(clientCompositeRoleFromList.getAttributes().containsKey("attribute1"));
    // Get mapping representation
    // Client mappings are looked up by the clientId "myclient", not by clientUuid
    MappingsRepresentation all = roles.getAll();
    assertNames(all.getRealmMappings(), "realm-role", "realm-composite", Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    assertEquals(1, all.getClientMappings().size());
    assertNames(all.getClientMappings().get("myclient").getMappings(), "client-role", "client-composite");
    // Remove realm role
    RoleRepresentation realmRoleRep = realm.roles().get("realm-role").toRepresentation();
    roles.realmLevel().remove(Collections.singletonList(realmRoleRep));
    assertAdminEvents.assertEvent("test", OperationType.DELETE, AdminEventPaths.userRealmRoleMappingsPath(userId), Collections.singletonList(realmRoleRep), ResourceType.REALM_ROLE_MAPPING);
    assertNames(roles.realmLevel().listAll(), "realm-composite", Constants.DEFAULT_ROLES_ROLE_PREFIX + "-test");
    // Remove client role
    RoleRepresentation clientRoleRep = realm.clients().get(clientUuid).roles().get("client-role").toRepresentation();
    roles.clientLevel(clientUuid).remove(Collections.singletonList(clientRoleRep));
    assertAdminEvents.assertEvent("test", OperationType.DELETE, AdminEventPaths.userClientRoleMappingsPath(userId, clientUuid), Collections.singletonList(clientRoleRep), ResourceType.CLIENT_ROLE_MAPPING);
    assertNames(roles.clientLevel(clientUuid).listAll(), "client-composite");
}
Also used : RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) Response(javax.ws.rs.core.Response) MappingsRepresentation(org.keycloak.representations.idm.MappingsRepresentation) RealmResource(org.keycloak.admin.client.resource.RealmResource) RealmRepresentation(org.keycloak.representations.idm.RealmRepresentation) RoleMappingResource(org.keycloak.admin.client.resource.RoleMappingResource) LinkedList(java.util.LinkedList) Test(org.junit.Test)
