
Example 81 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class DemoServletsAdapterTest method grantServerBasedApp.

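/**
 * Verifies the consent flow for a confidential ("server based") client: with {@code consentRequired}
 * switched on, the user must accept the grant page before reaching customer-portal, the LOGIN and
 * CODE_TO_TOKEN events carry the consent detail, and revoking the grant from the account console
 * emits a REVOKE_GRANT event and forces the grant page to be shown again on the next visit.
 * The client's consent flag is reverted in a {@code finally} block so a failed assertion cannot leave
 * the shared client in the modified state for later tests.
 */
@Test
public void grantServerBasedApp() {
    // Require explicit user consent for customer-portal so the grant page is shown on login.
    ClientResource clientResource = ApiUtil.findClientResourceByClientId(testRealmResource(), "customer-portal");
    ClientRepresentation client = clientResource.toRepresentation();
    client.setConsentRequired(true);
    clientResource.update(client);
    try {
        // Turn on event recording so the login / revoke-grant events can be asserted below.
        // NOTE(review): these realm-level event settings are not reverted by this test.
        RealmRepresentation realm = testRealmResource().toRepresentation();
        realm.setEventsEnabled(true);
        realm.setEnabledEventTypes(Arrays.asList("REVOKE_GRANT", "LOGIN"));
        realm.setEventsListeners(Arrays.asList("jboss-logging", "event-queue"));
        testRealmResource().update(realm);

        customerPortal.navigateTo();
        loginPage.form().login("bburke@redhat.com", "password");
        // Consent is required, so the grant page must appear before the application is reached.
        assertTrue(oAuthGrantPage.isCurrent());
        oAuthGrantPage.accept();
        waitForPageToLoad();
        assertLogged();

        String userId = ApiUtil.findUserByUsername(testRealmResource(), "bburke@redhat.com").getId();
        // The redirect URI may or may not carry a trailing slash depending on the deployment, so accept both.
        assertEvents.expectLogin()
                .realm(realm.getId())
                .client("customer-portal")
                .user(userId)
                .detail(Details.USERNAME, "bburke@redhat.com")
                .detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
                .detail(Details.REDIRECT_URI, org.hamcrest.Matchers.anyOf(
                        org.hamcrest.Matchers.equalTo(customerPortal.getInjectedUrl().toString()),
                        org.hamcrest.Matchers.equalTo(customerPortal.getInjectedUrl().toString() + "/")))
                .removeDetail(Details.CODE_ID)
                .assertEvent();
        assertEvents.expectCodeToToken(null, null)
                .realm(realm.getId())
                .client("customer-portal")
                .user(userId)
                .session(AssertEvents.isUUID())
                .removeDetail(Details.CODE_ID)
                .assertEvent();

        // Revoke the grant through the account console; the next visit must ask for consent again.
        applicationsPage.navigateTo();
        applicationsPage.revokeGrantForApplication("customer-portal");
        customerPortal.navigateTo();
        assertTrue(oAuthGrantPage.isCurrent());
        // The revocation is performed by the account client on behalf of the user.
        assertEvents.expect(EventType.REVOKE_GRANT)
                .realm(realm.getId())
                .client("account")
                .user(userId)
                .detail(Details.REVOKED_CLIENT, "customer-portal")
                .assertEvent();
        assertEvents.assertEmpty();
    } finally {
        // Revert consent even if an assertion above failed, so later tests see the original client config.
        ClientRepresentation reverted = clientResource.toRepresentation();
        reverted.setConsentRequired(false);
        clientResource.update(reverted);
    }
}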

Example 82 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class SAMLServletAdapterTest method salesMetadataTest.

/**
 * Imports the sales-metadata servlet's SAML SP metadata as a client via the realm's client-description
 * converter, then runs the shared successful/unauthorized login checks against that servlet.
 * The metadata fixture hard-codes port 8080; both endpoint locations are rewritten to the port the
 * app server actually uses. The created client is not removed afterwards.
 *
 * @throws Exception if loading the metadata or creating the client fails.
 */
@Test
public void salesMetadataTest() throws Exception {
    // Read the property once; the original fixture URLs point at 8080.
    String appServerPort = System.getProperty("app.server.http.port", null);
    Document spMetadata = IOUtil.loadXML(SAMLServletAdapterTest.class.getResourceAsStream("/adapter-test/keycloak-saml/sp-metadata.xml"));
    for (String endpointElement : new String[] {"SingleLogoutService", "AssertionConsumerService"}) {
        IOUtil.modifyDocElementAttribute(spMetadata, endpointElement, "Location", "8080", appServerPort);
    }
    // Let the server derive the client representation from the SP metadata, then point the admin URL at the servlet.
    ClientRepresentation importedClient = testRealmResource().convertClientDescription(IOUtil.documentToString(spMetadata));
    importedClient.setAdminUrl(ServerURLs.getAppServerContextRoot() + "/sales-metadata/saml");
    try (Response createResponse = testRealmResource().clients().create(importedClient)) {
        Assert.assertEquals(201, createResponse.getStatus());
    }
    testSuccessfulAndUnauthorizedLogin(salesMetadataServletPage, testRealmSAMLPostLoginPage);
}

Example 83 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class SAMLServletAdapterTest method disabledClientTest.

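/**
 * Checks that a disabled SAML client cannot start a login: after switching the sales-post-sig client off,
 * navigating to the servlet must end on the IdP error page saying the login requester is not enabled.
 * The client is re-enabled in a {@code finally} block so a failed wait does not leave the shared client
 * disabled for the remaining tests in this class.
 */
@Test
public void disabledClientTest() {
    ClientResource clientResource = ApiUtil.findClientResourceByClientId(testRealmResource(), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST_SIG);
    ClientRepresentation client = clientResource.toRepresentation();
    // Disable the SP client; the IdP must refuse the AuthnRequest instead of authenticating the user.
    client.setEnabled(false);
    clientResource.update(client);
    try {
        salesPostSigServletPage.navigateTo();
        waitUntilElement(By.xpath("//body")).text().contains("Login requester not enabled");
    } finally {
        // Always restore the client so later tests are not affected by this one failing.
        client.setEnabled(true);
        clientResource.update(client);
    }
}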

Example 84 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class SAMLServletAdapterTest method testAdapterRoleMappings.

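/**
 * Tests that the adapter is using the configured role mappings provider to map the roles extracted from the assertion
 * into roles that exist in the application domain. For this test a {@link org.keycloak.adapters.saml.PropertiesBasedRoleMapper}
 * has been setup in the adapter, performing the mappings as specified in the {@code role-mappings.properties} file.
 * <p>
 * The temporary client-level role granted to the test user is removed in a {@code finally} block so a failed
 * assertion cannot leave the elevated mapping in place for later tests.
 *
 * @throws Exception if an error occurs while running the test.
 */
@Test
public void testAdapterRoleMappings() throws Exception {
    // bburke user is missing required coordinator role, which is only available via mapping of the supervisor role.
    assertForbiddenLogin(employeeRoleMappingPage, bburkeUser.getUsername(), getPasswordOf(bburkeUser), testRealmSAMLPostLoginPage, "bburke@redhat.com");
    employeeRoleMappingPage.logout();
    checkLoggedOut(employeeRoleMappingPage, testRealmSAMLPostLoginPage);
    // assign the supervisor role to user bburke - it should be mapped to coordinator next time he logs in.
    // NOTE(review): search("bburke", 0, 1) relies on "bburke" matching exactly one user first in the DEMO realm.
    UserRepresentation bburke = adminClient.realm(DEMO).users().search("bburke", 0, 1).get(0);
    ClientRepresentation clientRepresentation = adminClient.realm(DEMO).clients().findByClientId("http://localhost:8280/employee-role-mapping/").get(0);
    RoleRepresentation role = adminClient.realm(DEMO).clients().get(clientRepresentation.getId()).roles().get("supervisor").toRepresentation();
    adminClient.realm(DEMO).users().get(bburke.getId()).roles().clientLevel(clientRepresentation.getId()).add(Collections.singletonList(role));
    try {
        // now check for the set of expected mapped roles: supervisor should have been mapped to coordinator, team-lead should
        // have been added to bburke, and user should have been discarded; manager and employed unchanged from mappings.
        assertSuccessfulLogin(employeeRoleMappingPage, bburkeUser, testRealmSAMLPostLoginPage, "bburke@redhat.com");
        assertThat(employeeRoleMappingPage.rolesList(), hasItems("manager", "coordinator", "team-lead", "employee"));
        assertThat(employeeRoleMappingPage.rolesList(), not(hasItems("supervisor", "user")));
        employeeRoleMappingPage.logout();
        checkLoggedOut(employeeRoleMappingPage, testRealmSAMLPostLoginPage);
    } finally {
        // Strip the supervisor role again regardless of the outcome above.
        adminClient.realm(DEMO).users().get(bburke.getId()).roles().clientLevel(clientRepresentation.getId()).remove(Collections.singletonList(role));
    }
}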

Example 85 with ClientRepresentation

use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.

the class ClientInitiatedAccountLinkTest method testErrorConditions.

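/**
 * Exercises the negative paths of client-initiated account linking and the scope checks that guard it:
 * <ul>
 *   <li>a link request without a user session is rejected with {@code link_error=not_logged_in};</li>
 *   <li>a link request whose {@code hash} parameter does not match what the broker expects is rejected
 *       (this is the CSRF protection of the link endpoint);</li>
 *   <li>a client with {@code fullScopeAllowed=false} and no account-management scope is rejected with
 *       {@code not_allowed};</li>
 *   <li>granting either the manage-account-links or the manage-account client role as a scope mapping makes
 *       linking succeed, and removing it makes the request fail again.</li>
 * </ul>
 * The client's {@code fullScopeAllowed} flag is restored in a {@code finally} block so a failed assertion does
 * not leave the shared client-linking client locked down for later tests.
 *
 * @throws Exception if an error occurs while running the test.
 */
@Test
public void testErrorConditions() throws Exception {
    String helloUrl = appPage.getUriBuilder().clone().path("hello").build().toASCIIString();
    RealmResource realm = adminClient.realms().realm(CHILD_IDP);
    List<FederatedIdentityRepresentation> links = realm.users().get(childUserId).getFederatedIdentity();
    Assert.assertTrue(links.isEmpty());
    ClientRepresentation client = adminClient.realms().realm(CHILD_IDP).clients().findByClientId("client-linking").get(0);
    UriBuilder redirectUri = UriBuilder.fromUri(appPage.getInjectedUrl().toString()).path("link").queryParam("response", "true");
    // A direct link request whose hash is deliberately not derived from the session — the broker must refuse it.
    UriBuilder directLinking = UriBuilder.fromUri(getAuthServerContextRoot() + "/auth")
            .path("realms/child/broker/{provider}/link")
            .queryParam("client_id", "client-linking")
            .queryParam("redirect_uri", redirectUri.build())
            .queryParam("hash", Base64Url.encode("crap".getBytes()))
            .queryParam("nonce", UUID.randomUUID().toString());
    String linkUrl = directLinking.build(PARENT_IDP).toString();
    // test not logged in
    navigateTo(linkUrl);
    Assert.assertTrue(loginPage.isCurrent(CHILD_IDP));
    loginPage.login("child", "password");
    Assert.assertTrue(driver.getCurrentUrl().contains("link_error=not_logged_in"));
    logoutAll();
    // now log in
    navigateTo(helloUrl);
    Assert.assertTrue(loginPage.isCurrent(CHILD_IDP));
    loginPage.login("child", "password");
    Assert.assertTrue(driver.getCurrentUrl().startsWith(helloUrl));
    Assert.assertTrue(driver.getPageSource().contains("Unknown request:"));
    // now test CSRF with bad hash.
    navigateTo(linkUrl);
    Assert.assertTrue(driver.getPageSource().contains("We are sorry..."));
    logoutAll();
    // now log in again with client that does not have scope
    String accountId = adminClient.realms().realm(CHILD_IDP).clients().findByClientId(ACCOUNT_MANAGEMENT_CLIENT_ID).get(0).getId();
    RoleRepresentation manageAccount = adminClient.realms().realm(CHILD_IDP).clients().get(accountId).roles().get(MANAGE_ACCOUNT).toRepresentation();
    RoleRepresentation manageLinks = adminClient.realms().realm(CHILD_IDP).clients().get(accountId).roles().get(MANAGE_ACCOUNT_LINKS).toRepresentation();
    RoleRepresentation userRole = adminClient.realms().realm(CHILD_IDP).roles().get("user").toRepresentation();
    // Lock the client down to explicit scope mappings only, so the account-management scopes are absent.
    client.setFullScopeAllowed(false);
    ClientResource clientResource = adminClient.realms().realm(CHILD_IDP).clients().get(client.getId());
    clientResource.update(client);
    try {
        // NOTE(review): the realm-level "user" scope mapping added here is not removed afterwards.
        List<RoleRepresentation> roles = new LinkedList<>();
        roles.add(userRole);
        clientResource.getScopeMappings().realmLevel().add(roles);
        navigateTo(helloUrl);
        Assert.assertTrue(loginPage.isCurrent(CHILD_IDP));
        loginPage.login("child", "password");
        Assert.assertTrue(driver.getCurrentUrl().startsWith(helloUrl));
        Assert.assertTrue(driver.getPageSource().contains("Unknown request:"));
        UriBuilder linkBuilder = UriBuilder.fromUri(appPage.getInjectedUrl().toString()).path("link");
        String clientLinkUrl = linkBuilder.clone().queryParam("realm", CHILD_IDP).queryParam("provider", PARENT_IDP).build().toString();
        // Without any account-management scope the application's link request must be refused.
        navigateTo(clientLinkUrl);
        Assert.assertTrue(driver.getCurrentUrl().contains("error=not_allowed"));
        logoutAll();
        // add MANAGE_ACCOUNT_LINKS scope should pass.
        assertLinkingAllowedOnlyWithScope(realm, clientResource, accountId, manageLinks, linkBuilder, clientLinkUrl);
        // add MANAGE_ACCOUNT scope should pass
        assertLinkingAllowedOnlyWithScope(realm, clientResource, accountId, manageAccount, linkBuilder, clientLinkUrl);
    } finally {
        // undo fullScopeAllowed — re-read the representation so no stale state from above is written back.
        client = adminClient.realms().realm(CHILD_IDP).clients().findByClientId("client-linking").get(0);
        client.setFullScopeAllowed(true);
        clientResource.update(client);
    }
    links = realm.users().get(childUserId).getFederatedIdentity();
    Assert.assertTrue(links.isEmpty());
    logoutAll();
}

/**
 * Grants {@code scopeRole} (a role of the account-management client) to the linking client as a client-level
 * scope mapping, verifies that the child user can then link the parent IdP account, removes the link and the
 * scope mapping again, and verifies that the same link request is now refused with {@code link_error=not_allowed}.
 * Leaves the user logged out of both realms.
 *
 * @param realm          the child realm the test user belongs to
 * @param clientResource admin resource of the client-linking client whose scope mappings are modified
 * @param accountId      internal id of the account-management client that owns {@code scopeRole}
 * @param scopeRole      the client role to grant and later revoke as a scope mapping
 * @param linkBuilder    builder for the application's link endpoint; its template is the expected return URL
 * @param clientLinkUrl  fully built link URL for the child realm and parent provider
 */
private void assertLinkingAllowedOnlyWithScope(RealmResource realm, ClientResource clientResource, String accountId,
        RoleRepresentation scopeRole, UriBuilder linkBuilder, String clientLinkUrl) {
    List<FederatedIdentityRepresentation> links = realm.users().get(childUserId).getFederatedIdentity();
    Assert.assertTrue(links.isEmpty());
    List<RoleRepresentation> roles = new LinkedList<>();
    roles.add(scopeRole);
    clientResource.getScopeMappings().clientLevel(accountId).add(roles);
    navigateTo(clientLinkUrl);
    Assert.assertTrue(loginPage.isCurrent(CHILD_IDP));
    loginPage.login("child", "password");
    Assert.assertTrue(loginPage.isCurrent(PARENT_IDP));
    loginPage.login(PARENT_USERNAME, "password");
    Assert.assertTrue(driver.getCurrentUrl().startsWith(linkBuilder.toTemplate()));
    Assert.assertTrue(driver.getPageSource().contains("Account Linked"));
    links = realm.users().get(childUserId).getFederatedIdentity();
    Assert.assertFalse(links.isEmpty());
    // Unlink again so the next scope variant starts from a clean state.
    realm.users().get(childUserId).removeFederatedIdentity(PARENT_IDP);
    links = realm.users().get(childUserId).getFederatedIdentity();
    Assert.assertTrue(links.isEmpty());
    clientResource.getScopeMappings().clientLevel(accountId).remove(roles);
    logoutAll();
    // With the scope mapping gone the same request must be refused again.
    navigateTo(clientLinkUrl);
    Assert.assertTrue(loginPage.isCurrent(CHILD_IDP));
    loginPage.login("child", "password");
    Assert.assertTrue(driver.getCurrentUrl().contains("link_error=not_allowed"));
    logoutAll();
}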
