use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class DemoServletsAdapterTest method grantServerBasedApp.
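@Test
public void grantServerBasedApp() {
    // Consent is switched on for customer-portal only for the duration of this test. The
    // revert sits in a finally block so that a failing assertion cannot leave the client
    // requiring consent for every test that runs after this one.
    ClientResource clientResource = ApiUtil.findClientResourceByClientId(testRealmResource(), "customer-portal");
    ClientRepresentation client = clientResource.toRepresentation();
    client.setConsentRequired(true);
    clientResource.update(client);
    try {
        // Record LOGIN and REVOKE_GRANT events so the assertions below can inspect them.
        // NOTE(review): the realm event settings are not restored afterwards; that matches
        // the previous behaviour of this test.
        RealmRepresentation realm = testRealmResource().toRepresentation();
        realm.setEventsEnabled(true);
        realm.setEnabledEventTypes(Arrays.asList("REVOKE_GRANT", "LOGIN"));
        realm.setEventsListeners(Arrays.asList("jboss-logging", "event-queue"));
        testRealmResource().update(realm);

        // First visit: the consent screen must be shown and accepted before the app is reached.
        customerPortal.navigateTo();
        loginPage.form().login("bburke@redhat.com", "password");
        assertTrue(oAuthGrantPage.isCurrent());
        oAuthGrantPage.accept();
        waitForPageToLoad();
        assertLogged();

        String userId = ApiUtil.findUserByUsername(testRealmResource(), "bburke@redhat.com").getId();
        // The recorded redirect_uri may or may not carry a trailing slash, so both forms are accepted.
        assertEvents.expectLogin()
                .realm(realm.getId())
                .client("customer-portal")
                .user(userId)
                .detail(Details.USERNAME, "bburke@redhat.com")
                .detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
                .detail(Details.REDIRECT_URI, org.hamcrest.Matchers.anyOf(
                        org.hamcrest.Matchers.equalTo(customerPortal.getInjectedUrl().toString()),
                        org.hamcrest.Matchers.equalTo(customerPortal.getInjectedUrl().toString() + "/")))
                .removeDetail(Details.CODE_ID)
                .assertEvent();
        assertEvents.expectCodeToToken(null, null)
                .realm(realm.getId())
                .client("customer-portal")
                .user(userId)
                .session(AssertEvents.isUUID())
                .removeDetail(Details.CODE_ID)
                .assertEvent();

        // Revoking the grant from the account console must force the consent screen again on
        // the next visit and emit a REVOKE_GRANT event attributed to the account client.
        applicationsPage.navigateTo();
        applicationsPage.revokeGrantForApplication("customer-portal");
        customerPortal.navigateTo();
        assertTrue(oAuthGrantPage.isCurrent());
        assertEvents.expect(EventType.REVOKE_GRANT)
                .realm(realm.getId())
                .client("account")
                .user(userId)
                .detail(Details.REVOKED_CLIENT, "customer-portal")
                .assertEvent();
        assertEvents.assertEmpty();
    } finally {
        // Revert consent
        client = clientResource.toRepresentation();
        client.setConsentRequired(false);
        clientResource.update(client);
    }
}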
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class SAMLServletAdapterTest method salesMetadataTest.
@Test
public void salesMetadataTest() throws Exception {
    // Build the SP client from the bundled SAML metadata, rewriting the default 8080 port in
    // the SingleLogoutService / AssertionConsumerService locations to the app server's real port.
    String appServerHttpPort = System.getProperty("app.server.http.port", null);
    Document spMetadata = IOUtil.loadXML(SAMLServletAdapterTest.class.getResourceAsStream("/adapter-test/keycloak-saml/sp-metadata.xml"));
    IOUtil.modifyDocElementAttribute(spMetadata, "SingleLogoutService", "Location", "8080", appServerHttpPort);
    IOUtil.modifyDocElementAttribute(spMetadata, "AssertionConsumerService", "Location", "8080", appServerHttpPort);

    // Let the server translate the SP metadata into a client representation, then point its
    // admin URL at the sales-metadata servlet.
    ClientRepresentation spClient = testRealmResource().convertClientDescription(IOUtil.documentToString(spMetadata));
    spClient.setAdminUrl(ServerURLs.getAppServerContextRoot() + "/sales-metadata/saml");
    try (Response createResponse = testRealmResource().clients().create(spClient)) {
        Assert.assertEquals(201, createResponse.getStatus());
    }

    // NOTE(review): the created client is not removed at the end of the test.
    testSuccessfulAndUnauthorizedLogin(salesMetadataServletPage, testRealmSAMLPostLoginPage);
}
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class SAMLServletAdapterTest method disabledClientTest.
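@Test
public void disabledClientTest() {
    // Disable the signed sales-post SAML client, confirm the adapter reports the client as not
    // enabled, and re-enable it in a finally block so a failed assertion cannot leave the client
    // disabled for the rest of the suite.
    ClientResource clientResource = ApiUtil.findClientResourceByClientId(testRealmResource(), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST_SIG);
    ClientRepresentation client = clientResource.toRepresentation();
    client.setEnabled(false);
    clientResource.update(client);
    try {
        salesPostSigServletPage.navigateTo();
        waitUntilElement(By.xpath("//body")).text().contains("Login requester not enabled");
    } finally {
        client.setEnabled(true);
        clientResource.update(client);
    }
}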
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class SAMLServletAdapterTest method testAdapterRoleMappings.
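/**
 * Tests that the adapter is using the configured role mappings provider to map the roles extracted from the assertion
 * into roles that exist in the application domain. For this test a {@link org.keycloak.adapters.saml.PropertiesBasedRoleMapper}
 * has been setup in the adapter, performing the mappings as specified in the {@code role-mappings.properties} file.
 *
 * @throws Exception if an error occurs while running the test.
 */
@Test
public void testAdapterRoleMappings() throws Exception {
    // bburke user is missing required coordinator role, which is only available via mapping of the supervisor role.
    assertForbiddenLogin(employeeRoleMappingPage, bburkeUser.getUsername(), getPasswordOf(bburkeUser), testRealmSAMLPostLoginPage, "bburke@redhat.com");
    employeeRoleMappingPage.logout();
    checkLoggedOut(employeeRoleMappingPage, testRealmSAMLPostLoginPage);

    // assign the supervisor role to user bburke - it should be mapped to coordinator next time he logs in.
    // NOTE(review): search() takes the first hit for "bburke"; presumably the only matching user in the demo realm.
    UserRepresentation bburke = adminClient.realm(DEMO).users().search("bburke", 0, 1).get(0);
    ClientRepresentation clientRepresentation = adminClient.realm(DEMO).clients().findByClientId("http://localhost:8280/employee-role-mapping/").get(0);
    RoleRepresentation role = adminClient.realm(DEMO).clients().get(clientRepresentation.getId()).roles().get("supervisor").toRepresentation();
    adminClient.realm(DEMO).users().get(bburke.getId()).roles().clientLevel(clientRepresentation.getId()).add(Collections.singletonList(role));
    try {
        // now check for the set of expected mapped roles: supervisor should have been mapped to coordinator, team-lead should
        // have been added to bburke, and user should have been discarded; manager and employed unchanged from mappings.
        assertSuccessfulLogin(employeeRoleMappingPage, bburkeUser, testRealmSAMLPostLoginPage, "bburke@redhat.com");
        assertThat(employeeRoleMappingPage.rolesList(), hasItems("manager", "coordinator", "team-lead", "employee"));
        assertThat(employeeRoleMappingPage.rolesList(), not(hasItems("supervisor", "user")));
        employeeRoleMappingPage.logout();
        checkLoggedOut(employeeRoleMappingPage, testRealmSAMLPostLoginPage);
    } finally {
        // Drop the temporary supervisor role even if an assertion above failed, so bburke's
        // role set is back to what the other tests expect.
        adminClient.realm(DEMO).users().get(bburke.getId()).roles().clientLevel(clientRepresentation.getId()).remove(Collections.singletonList(role));
    }
}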
use of org.keycloak.representations.idm.ClientRepresentation in project keycloak by keycloak.
the class ClientInitiatedAccountLinkTest method testErrorConditions.
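@Test
public void testErrorConditions() throws Exception {
    String helloUrl = appPage.getUriBuilder().clone().path("hello").build().toASCIIString();
    RealmResource realm = adminClient.realms().realm(CHILD_IDP);
    List<FederatedIdentityRepresentation> links = realm.users().get(childUserId).getFederatedIdentity();
    Assert.assertTrue(links.isEmpty());

    ClientRepresentation client = adminClient.realms().realm(CHILD_IDP).clients().findByClientId("client-linking").get(0);
    UriBuilder redirectUri = UriBuilder.fromUri(appPage.getInjectedUrl().toString()).path("link").queryParam("response", "true");
    // A link request built by hand with a hash that cannot belong to any session. It is only ever
    // expected to be refused: first because nobody is logged in, then as a bad hash.
    UriBuilder directLinking = UriBuilder.fromUri(getAuthServerContextRoot() + "/auth")
            .path("realms/child/broker/{provider}/link")
            .queryParam("client_id", "client-linking")
            .queryParam("redirect_uri", redirectUri.build())
            .queryParam("hash", Base64Url.encode("crap".getBytes()))
            .queryParam("nonce", UUID.randomUUID().toString());
    String linkUrl = directLinking.build(PARENT_IDP).toString();

    // test not logged in
    navigateTo(linkUrl);
    Assert.assertTrue(loginPage.isCurrent(CHILD_IDP));
    loginPage.login("child", "password");
    Assert.assertTrue(driver.getCurrentUrl().contains("link_error=not_logged_in"));
    logoutAll();

    // now log in
    navigateTo(helloUrl);
    Assert.assertTrue(loginPage.isCurrent(CHILD_IDP));
    loginPage.login("child", "password");
    Assert.assertTrue(driver.getCurrentUrl().startsWith(helloUrl));
    Assert.assertTrue(driver.getPageSource().contains("Unknown request:"));

    // now test CSRF with bad hash: a logged-in user presenting a hash that does not match the
    // session must land on the generic error page rather than have a link created.
    navigateTo(linkUrl);
    Assert.assertTrue(driver.getPageSource().contains("We are sorry..."));
    logoutAll();

    // now log in again with client that does not have scope
    String accountId = adminClient.realms().realm(CHILD_IDP).clients().findByClientId(ACCOUNT_MANAGEMENT_CLIENT_ID).get(0).getId();
    RoleRepresentation manageAccount = adminClient.realms().realm(CHILD_IDP).clients().get(accountId).roles().get(MANAGE_ACCOUNT).toRepresentation();
    RoleRepresentation manageLinks = adminClient.realms().realm(CHILD_IDP).clients().get(accountId).roles().get(MANAGE_ACCOUNT_LINKS).toRepresentation();
    RoleRepresentation userRole = adminClient.realms().realm(CHILD_IDP).roles().get("user").toRepresentation();
    client.setFullScopeAllowed(false);
    ClientResource clientResource = adminClient.realms().realm(CHILD_IDP).clients().get(client.getId());
    clientResource.update(client);
    // From here on the client-linking client is in a restricted state; the finally block below
    // restores fullScopeAllowed even when one of the assertions fails.
    try {
        List<RoleRepresentation> roles = new LinkedList<>();
        roles.add(userRole);
        clientResource.getScopeMappings().realmLevel().add(roles);
        navigateTo(helloUrl);
        Assert.assertTrue(loginPage.isCurrent(CHILD_IDP));
        loginPage.login("child", "password");
        Assert.assertTrue(driver.getCurrentUrl().startsWith(helloUrl));
        Assert.assertTrue(driver.getPageSource().contains("Unknown request:"));
        UriBuilder linkBuilder = UriBuilder.fromUri(appPage.getInjectedUrl().toString()).path("link");
        String clientLinkUrl = linkBuilder.clone().queryParam("realm", CHILD_IDP).queryParam("provider", PARENT_IDP).build().toString();
        navigateTo(clientLinkUrl);
        Assert.assertTrue(driver.getCurrentUrl().contains("error=not_allowed"));
        logoutAll();

        // add MANAGE_ACCOUNT_LINKS scope should pass.
        links = realm.users().get(childUserId).getFederatedIdentity();
        Assert.assertTrue(links.isEmpty());
        roles = new LinkedList<>();
        roles.add(manageLinks);
        clientResource.getScopeMappings().clientLevel(accountId).add(roles);
        assertAccountLinkCompletesThenUnlink(realm, linkBuilder, clientLinkUrl);
        // Once the scope is removed again the same request must be refused.
        clientResource.getScopeMappings().clientLevel(accountId).remove(roles);
        logoutAll();
        assertAccountLinkRejectedNotAllowed(clientLinkUrl);
        logoutAll();

        // add MANAGE_ACCOUNT scope should pass
        links = realm.users().get(childUserId).getFederatedIdentity();
        Assert.assertTrue(links.isEmpty());
        roles = new LinkedList<>();
        roles.add(manageAccount);
        clientResource.getScopeMappings().clientLevel(accountId).add(roles);
        assertAccountLinkCompletesThenUnlink(realm, linkBuilder, clientLinkUrl);
        clientResource.getScopeMappings().clientLevel(accountId).remove(roles);
        logoutAll();
        assertAccountLinkRejectedNotAllowed(clientLinkUrl);
        logoutAll();
    } finally {
        // undo fullScopeAllowed
        client = adminClient.realms().realm(CHILD_IDP).clients().findByClientId("client-linking").get(0);
        client.setFullScopeAllowed(true);
        clientResource.update(client);
        logoutAll();
    }
    links = realm.users().get(childUserId).getFederatedIdentity();
    Assert.assertTrue(links.isEmpty());
}

/**
 * Runs the client-initiated link flow through the child and parent logins, checks that a federated
 * identity now exists for the child user, and removes it again so the next round starts clean.
 *
 * @param realm         the child realm the user lives in
 * @param linkBuilder   builder for the app's link endpoint; its template is the expected final URL prefix
 * @param clientLinkUrl the app URL that starts the link flow
 */
private void assertAccountLinkCompletesThenUnlink(RealmResource realm, UriBuilder linkBuilder, String clientLinkUrl) {
    navigateTo(clientLinkUrl);
    Assert.assertTrue(loginPage.isCurrent(CHILD_IDP));
    loginPage.login("child", "password");
    Assert.assertTrue(loginPage.isCurrent(PARENT_IDP));
    loginPage.login(PARENT_USERNAME, "password");
    Assert.assertTrue(driver.getCurrentUrl().startsWith(linkBuilder.toTemplate()));
    Assert.assertTrue(driver.getPageSource().contains("Account Linked"));
    List<FederatedIdentityRepresentation> links = realm.users().get(childUserId).getFederatedIdentity();
    Assert.assertFalse(links.isEmpty());
    realm.users().get(childUserId).removeFederatedIdentity(PARENT_IDP);
    links = realm.users().get(childUserId).getFederatedIdentity();
    Assert.assertTrue(links.isEmpty());
}

/**
 * Starts the link flow as the child user and checks that it is refused with {@code link_error=not_allowed},
 * which is what the client must get when it lacks the account-management scope.
 *
 * @param clientLinkUrl the app URL that starts the link flow
 */
private void assertAccountLinkRejectedNotAllowed(String clientLinkUrl) {
    navigateTo(clientLinkUrl);
    Assert.assertTrue(loginPage.isCurrent(CHILD_IDP));
    loginPage.login("child", "password");
    Assert.assertTrue(driver.getCurrentUrl().contains("link_error=not_allowed"));
}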