
Example 1 with ClientProfileRepresentation

use of org.keycloak.representations.idm.ClientProfileRepresentation in project keycloak by keycloak.

the class ClientPoliciesImportExportTest method testRealmExportImport.

/**
 * Round-trips the "test" realm through export and import and checks that its client
 * profiles and client policies come back.
 *
 * <p>Client profiles and policies carry security enforcement settings, so an import that
 * silently dropped them would leave the restored realm without those rules. This test fails
 * in that case.
 *
 * <p>NOTE(review): the profile "ordinal-test-profile" and the policy "new-policy" are expected
 * to exist before this method runs; where they are created is not visible in this excerpt.
 *
 * @throws Exception propagated from the export/import calls and assertion helpers
 */
private void testRealmExportImport() throws Exception {
    // Export only the realm named "test".
    testingClient.testing().exportImport().setAction(ExportImportConfig.ACTION_EXPORT);
    testingClient.testing().exportImport().setRealmName("test");
    testingClient.testing().exportImport().runExport();
    // Remove the "test" realm so that only "master" is left before importing.
    adminClient.realm("test").remove();
    Assert.assertNames(adminClient.realms().findAll(), "master");
    // Configure import
    testingClient.testing().exportImport().setAction(ExportImportConfig.ACTION_IMPORT);
    testingClient.testing().exportImport().runImport();
    // Ensure data are imported back, but just for "test" realm
    Assert.assertNames(adminClient.realms().findAll(), "master", "test");
    // The imported realm must still expose the custom profile with its description.
    assertExpectedLoadedProfiles((ClientProfilesRepresentation reps) -> {
        ClientProfileRepresentation rep = getProfileRepresentation(reps, "ordinal-test-profile", false);
        assertExpectedProfile(rep, "ordinal-test-profile", "The profile that can be loaded.");
    });
    // The imported policy must still reference both custom profiles.
    assertExpectedLoadedPolicies((ClientPoliciesRepresentation reps) -> {
        ClientPolicyRepresentation rep = getPolicyRepresentation(reps, "new-policy");
        assertExpectedPolicy("new-policy", "duplicated profiles are ignored.", true, Arrays.asList("ordinal-test-profile", "lack-of-builtin-field-test-profile"), rep);
    });
}
Also used : ClientPolicyRepresentation(org.keycloak.representations.idm.ClientPolicyRepresentation) ClientProfileRepresentation(org.keycloak.representations.idm.ClientProfileRepresentation) ClientPoliciesRepresentation(org.keycloak.representations.idm.ClientPoliciesRepresentation) ClientProfilesRepresentation(org.keycloak.representations.idm.ClientProfilesRepresentation)

Example 2 with ClientProfileRepresentation

use of org.keycloak.representations.idm.ClientProfileRepresentation in project keycloak by keycloak.

the class AbstractClientPoliciesTest method assertExpectedLoadedProfiles.

/**
 * Asserts the profiles returned by {@code getProfilesWithGlobals()}: three global profile
 * names plus the two test profiles "ordinal-test-profile" and
 * "lack-of-builtin-field-test-profile", followed by per-profile executor checks.
 *
 * <p>The name/description check for "ordinal-test-profile" is not done here. It is delegated
 * to {@code modifiedAssertion}, so callers can state what that profile should look like
 * after their own modifications.
 *
 * @param modifiedAssertion callback that receives the whole profiles representation (not the
 *     single profile) and performs the caller-specific assertions
 * @throws Exception propagated from the retrieval and assertion helpers
 */
protected void assertExpectedLoadedProfiles(Consumer<ClientProfilesRepresentation> modifiedAssertion) throws Exception {
    // retrieve loaded builtin profiles
    ClientProfilesRepresentation actualProfilesRep = getProfilesWithGlobals();
    // same profiles: first list holds the expected global names, second the expected non-global names
    // NOTE(review): the meaning of the two list arguments is inferred from the values passed; confirm against assertExpectedProfiles.
    assertExpectedProfiles(actualProfilesRep, Arrays.asList(FAPI1_BASELINE_PROFILE_NAME, FAPI1_ADVANCED_PROFILE_NAME, FAPI_CIBA_PROFILE_NAME), Arrays.asList("ordinal-test-profile", "lack-of-builtin-field-test-profile"));
    // each profile - fapi-1-baseline
    // NOTE(review): the boolean presumably selects the global list (true) or the non-global list (false); confirm.
    ClientProfileRepresentation actualProfileRep = getProfileRepresentation(actualProfilesRep, FAPI1_BASELINE_PROFILE_NAME, true);
    assertExpectedProfile(actualProfileRep, FAPI1_BASELINE_PROFILE_NAME, "Client profile, which enforce clients to conform 'Financial-grade API Security Profile 1.0 - Part 1: Baseline' specification.");
    // each executor: the provider ids the baseline profile is expected to carry
    assertExpectedExecutors(Arrays.asList(SecureSessionEnforceExecutorFactory.PROVIDER_ID, PKCEEnforcerExecutorFactory.PROVIDER_ID, SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, SecureClientUrisExecutorFactory.PROVIDER_ID, ConsentRequiredExecutorFactory.PROVIDER_ID, FullScopeDisabledExecutorFactory.PROVIDER_ID), actualProfileRep);
    assertExpectedSecureSessionEnforceExecutor(actualProfileRep);
    // each profile - ordinal-test-profile - updated
    // Fetched here for the executor assertions below; the callback gets the container instead.
    actualProfileRep = getProfileRepresentation(actualProfilesRep, "ordinal-test-profile", false);
    modifiedAssertion.accept(actualProfilesRep);
    // each executor
    assertExpectedExecutors(Arrays.asList(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID), actualProfileRep);
    assertExpectedSecureClientAuthEnforceExecutor(Arrays.asList(JWTClientAuthenticator.PROVIDER_ID), JWTClientAuthenticator.PROVIDER_ID, actualProfileRep);
    // each profile - lack-of-builtin-field-test-profile
    actualProfileRep = getProfileRepresentation(actualProfilesRep, "lack-of-builtin-field-test-profile", false);
    assertExpectedProfile(actualProfileRep, "lack-of-builtin-field-test-profile", "Without builtin field that is treated as builtin=false.");
    // each executor: expected provider ids first, then one configuration check per executor
    assertExpectedExecutors(Arrays.asList(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, HolderOfKeyEnforcerExecutorFactory.PROVIDER_ID, SecureClientUrisExecutorFactory.PROVIDER_ID, SecureRequestObjectExecutorFactory.PROVIDER_ID, SecureResponseTypeExecutorFactory.PROVIDER_ID, SecureSessionEnforceExecutorFactory.PROVIDER_ID, SecureSigningAlgorithmExecutorFactory.PROVIDER_ID, SecureSigningAlgorithmForSignedJwtExecutorFactory.PROVIDER_ID), actualProfileRep);
    assertExpectedSecureClientAuthEnforceExecutor(Arrays.asList(JWTClientAuthenticator.PROVIDER_ID), JWTClientAuthenticator.PROVIDER_ID, actualProfileRep);
    assertExpectedHolderOfKeyEnforceExecutor(true, actualProfileRep);
    assertExpectedSecureRedirectUriEnforceExecutor(actualProfileRep);
    assertExpectedSecureRequestObjectExecutor(actualProfileRep);
    assertExpectedSecureResponseTypeExecutor(actualProfileRep);
    assertExpectedSecureSessionEnforceExecutor(actualProfileRep);
    assertExpectedSecureSigningAlgorithmEnforceExecutor(actualProfileRep);
    assertExpectedSecureSigningAlgorithmForSignedJwtEnforceExecutor(actualProfileRep);
}
Also used : ClientProfileRepresentation(org.keycloak.representations.idm.ClientProfileRepresentation) ClientProfilesRepresentation(org.keycloak.representations.idm.ClientProfilesRepresentation)

Example 3 with ClientProfileRepresentation

use of org.keycloak.representations.idm.ClientProfileRepresentation in project keycloak by keycloak.

the class AbstractClientPoliciesTest method deleteProfile.

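/**
 * Removes the first profile named {@code profileName} from the profiles returned by
 * {@code getProfilesWithoutGlobals()} and submits the remaining set through
 * {@code updateProfiles}.
 *
 * <p>Does nothing when {@code profileName} is {@code null} or when no profile with that name
 * is present; in both cases no update is sent.
 *
 * @param profileName name of the profile to delete; {@code null} is ignored
 * @throws ClientPolicyException propagated from the helper calls made here (which of them
 *     declares it is not visible in this excerpt)
 */
protected void deleteProfile(String profileName) throws ClientPolicyException {
    if (profileName == null) {
        return;
    }
    ClientProfilesRepresentation reps = getProfilesWithoutGlobals();
    // Single pass: locate the first match instead of scanning once to test for it and a
    // second time to collect every match into a throwaway list.
    ClientProfileRepresentation target = reps.getProfiles().stream()
            .filter(candidate -> profileName.equals(candidate.getName()))
            .findFirst()
            .orElse(null);
    if (target == null) {
        // Nothing to delete, so the stored profiles are left untouched.
        return;
    }
    reps.getProfiles().remove(target);
    updateProfiles(convertToProfilesJson(reps));
}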
Also used : ClientProfileRepresentation(org.keycloak.representations.idm.ClientProfileRepresentation) ClientProfilesRepresentation(org.keycloak.representations.idm.ClientProfilesRepresentation)

Example 4 with ClientProfileRepresentation

use of org.keycloak.representations.idm.ClientProfileRepresentation in project keycloak by keycloak.

the class ClientPoliciesLoadUpdateTest method testLoadBuiltinProfilesAndPolicies.

// Invalidly formatted JSON profiles/policies are not accepted. Existing profiles/policies remain unchanged.
// Well-formed JSON with semantically invalid profiles/policies is not accepted. Existing profiles/policies remain unchanged.
// Recognized fields with an invalid type are not accepted. Existing profiles/policies remain unchanged.
// Unrecognized fields of profiles/policies are not accepted. Existing profiles/policies are changed.
// Unrecognized fields of executors/conditions are accepted. Existing profiles/policies are changed.
// Duplicated fields of profiles/policies are accepted, but only the last one takes effect. Existing profiles/policies are changed.
/**
 * Checks what is visible when no custom profiles or policies are configured: the three
 * global profiles are returned by the "with globals" read, nothing is returned by the
 * "without globals" read, and no policies exist.
 *
 * @throws Exception propagated from the retrieval and assertion helpers
 */
@Test
public void testLoadBuiltinProfilesAndPolicies() throws Exception {
    // retrieve loaded global profiles
    ClientProfilesRepresentation actualProfilesRep = getProfilesWithGlobals();
    // same profiles: three global names expected, and an empty list of non-global ones
    assertExpectedProfiles(actualProfilesRep, Arrays.asList(FAPI1_BASELINE_PROFILE_NAME, FAPI1_ADVANCED_PROFILE_NAME, FAPI_CIBA_PROFILE_NAME), Collections.emptyList());
    // each profile - fapi-1-baseline
    ClientProfileRepresentation actualProfileRep = getProfileRepresentation(actualProfilesRep, FAPI1_BASELINE_PROFILE_NAME, true);
    assertExpectedProfile(actualProfileRep, FAPI1_BASELINE_PROFILE_NAME, "Client profile, which enforce clients to conform 'Financial-grade API Security Profile 1.0 - Part 1: Baseline' specification.");
    // Test some executor: the provider ids expected on the baseline profile
    assertExpectedExecutors(Arrays.asList(SecureSessionEnforceExecutorFactory.PROVIDER_ID, PKCEEnforcerExecutorFactory.PROVIDER_ID, SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, SecureClientUrisExecutorFactory.PROVIDER_ID, ConsentRequiredExecutorFactory.PROVIDER_ID, FullScopeDisabledExecutorFactory.PROVIDER_ID), actualProfileRep);
    assertExpectedSecureSessionEnforceExecutor(actualProfileRep);
    // Check the "get" request without globals. Assert nothing loaded
    // (null is passed where the global names were passed above)
    actualProfilesRep = getProfilesWithoutGlobals();
    assertExpectedProfiles(actualProfilesRep, null, Collections.emptyList());
    // retrieve loaded builtin policies
    ClientPoliciesRepresentation actualPoliciesRep = getPolicies();
    // No global policies expected
    assertExpectedPolicies(Collections.emptyList(), actualPoliciesRep);
    // A lookup by the name "builtin-default-policy" must also come back empty.
    ClientPolicyRepresentation actualPolicyRep = getPolicyRepresentation(actualPoliciesRep, "builtin-default-policy");
    Assert.assertNull(actualPolicyRep);
}
Also used : ClientPolicyRepresentation(org.keycloak.representations.idm.ClientPolicyRepresentation) ClientProfileRepresentation(org.keycloak.representations.idm.ClientProfileRepresentation) ClientPoliciesRepresentation(org.keycloak.representations.idm.ClientPoliciesRepresentation) ClientProfilesRepresentation(org.keycloak.representations.idm.ClientProfilesRepresentation) Test(org.junit.Test)

Example 5 with ClientProfileRepresentation

use of org.keycloak.representations.idm.ClientProfileRepresentation in project keycloak by keycloak.

the class ClientPoliciesUtil method getValidatedGlobalClientProfilesRepresentation.

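/**
 * Reads the global (built-in) client profiles from a JSON stream and returns a validated copy
 * of them as representations. The stream is expected to be the JSON file enclosed in
 * Keycloak's binary.
 *
 * <p>Each returned profile is a new object that carries only the name, description and
 * executors of the proposed profile; any other field in the JSON is not copied. The executor
 * list of a returned profile is never {@code null}.
 *
 * <p>Validation applied:
 * <ul>
 *   <li>profile names must be unique and non-{@code null};</li>
 *   <li>when the {@code CLIENT_POLICIES} feature is enabled, every executor's provider id must
 *       pass {@code isValidExecutor}. With the feature disabled this check is skipped, so
 *       executor entries are accepted as they appear in the JSON.</li>
 * </ul>
 *
 * @param session Keycloak session handed to {@code isValidExecutor}
 * @param is JSON source of the proposed global profiles
 * @return the validated profiles; an empty list when the JSON yields no profiles, never
 *     {@code null}
 * @throws ClientPolicyException if the JSON cannot be deserialized, a profile name is missing
 *     or duplicated, or an executor fails validation
 */
static List<ClientProfileRepresentation> getValidatedGlobalClientProfilesRepresentation(KeycloakSession session, InputStream is) throws ClientPolicyException {
    // load builtin client profiles representation
    ClientProfilesRepresentation proposedProfilesRep;
    try {
        proposedProfilesRep = JsonSerialization.readValue(is, ClientProfilesRepresentation.class);
    } catch (Exception e) {
        // NOTE(review): only e.getMessage() is forwarded, so the original stack trace is lost.
        // If ClientPolicyException offers a constructor that takes a cause, prefer it (confirm).
        throw new ClientPolicyException("failed to deserialize global proposed client profiles json string.", e.getMessage());
    }
    if (proposedProfilesRep == null) {
        return Collections.emptyList();
    }
    // no profile contained (it is valid)
    List<ClientProfileRepresentation> proposedProfileRepList = proposedProfilesRep.getProfiles();
    if (proposedProfileRepList == null || proposedProfileRepList.isEmpty()) {
        return Collections.emptyList();
    }
    // duplicated profile name is not allowed.
    long distinctNameCount = proposedProfileRepList.stream()
            .map(ClientProfileRepresentation::getName)
            .distinct()
            .count();
    if (proposedProfileRepList.size() != distinctNameCount) {
        throw new ClientPolicyException("proposed global client profile name duplicated.");
    }
    // construct validated and modified profiles from builtin profiles in JSON file enclosed in keycloak binary.
    // Iterate the same list instance that passed the checks above instead of fetching it again,
    // so the list that was validated is the list that is used.
    List<ClientProfileRepresentation> updatingProfileList = new LinkedList<>();
    for (ClientProfileRepresentation proposedProfileRep : proposedProfileRepList) {
        if (proposedProfileRep.getName() == null) {
            throw new ClientPolicyException("client profile without its name not allowed.");
        }
        ClientProfileRepresentation profileRep = new ClientProfileRepresentation();
        profileRep.setName(proposedProfileRep.getName());
        profileRep.setDescription(proposedProfileRep.getDescription());
        // to prevent returning null
        profileRep.setExecutors(new ArrayList<>());
        if (proposedProfileRep.getExecutors() != null) {
            for (ClientPolicyExecutorRepresentation executorRep : proposedProfileRep.getExecutors()) {
                // Skip the check if feature is disabled as then the executor implementations are disabled
                // NOTE(review): only the provider id is passed to isValidExecutor here, although the
                // error message mentions the executor's configuration; confirm what is actually checked.
                if (Profile.isFeatureEnabled(Profile.Feature.CLIENT_POLICIES) && !isValidExecutor(session, executorRep.getExecutorProviderId())) {
                    throw new ClientPolicyException("proposed client profile contains the executor with its invalid configuration.");
                }
                profileRep.getExecutors().add(executorRep);
            }
        }
        updatingProfileList.add(profileRep);
    }
    return updatingProfileList;
}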
Also used : ClientPoliciesRepresentation(org.keycloak.representations.idm.ClientPoliciesRepresentation) ClientProfilesRepresentation(org.keycloak.representations.idm.ClientProfilesRepresentation) Profile(org.keycloak.common.Profile) Logger(org.jboss.logging.Logger) Constants(org.keycloak.models.Constants) ArrayList(java.util.ArrayList) ComponentModel(org.keycloak.component.ComponentModel) ClientPolicyConditionConfigurationRepresentation(org.keycloak.representations.idm.ClientPolicyConditionConfigurationRepresentation) JsonNode(com.fasterxml.jackson.databind.JsonNode) LinkedList(java.util.LinkedList) ClientPolicyConditionProvider(org.keycloak.services.clientpolicy.condition.ClientPolicyConditionProvider) ClientPolicyExecutorProvider(org.keycloak.services.clientpolicy.executor.ClientPolicyExecutorProvider) ClientPolicyConditionRepresentation(org.keycloak.representations.idm.ClientPolicyConditionRepresentation) ClientPolicyRepresentation(org.keycloak.representations.idm.ClientPolicyRepresentation) ClientPolicyExecutorConfigurationRepresentation(org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation) RealmModel(org.keycloak.models.RealmModel) Set(java.util.Set) KeycloakSession(org.keycloak.models.KeycloakSession) IOException(java.io.IOException) Collectors(java.util.stream.Collectors) JsonConfigComponentModel(org.keycloak.component.JsonConfigComponentModel) ClientPolicyExecutorRepresentation(org.keycloak.representations.idm.ClientPolicyExecutorRepresentation) ClientProfileRepresentation(org.keycloak.representations.idm.ClientProfileRepresentation) JsonSerialization(org.keycloak.util.JsonSerialization) List(java.util.List) Collections(java.util.Collections) InputStream(java.io.InputStream) ClientProfileRepresentation(org.keycloak.representations.idm.ClientProfileRepresentation) ClientPolicyExecutorRepresentation(org.keycloak.representations.idm.ClientPolicyExecutorRepresentation) 
ClientProfilesRepresentation(org.keycloak.representations.idm.ClientProfilesRepresentation) IOException(java.io.IOException) LinkedList(java.util.LinkedList)
