Search in sources :

Example 31 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class ClientPoliciesTest method testIntentionalExceptionOnCondition.

@Test
public void testIntentionalExceptionOnCondition() throws Exception {
    // register policies
    String json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Fyrsta Stefnan", Boolean.TRUE).addCondition(TestRaiseExeptionConditionFactory.PROVIDER_ID, createTestRaiseExeptionConditionConfig()).toRepresentation()).toString();
    updatePolicies(json);
    try {
        createClientByAdmin(generateSuffixedName(CLIENT_NAME), (ClientRepresentation clientRep) -> {
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.SERVER_ERROR, e.getMessage());
    }
}
Also used : ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 32 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class ClientPoliciesTest method testSecureClientRegisteringUriEnforceExecutor.

@Test
public void testSecureClientRegisteringUriEnforceExecutor() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Ensimmainen Profiili").addExecutor(SecureClientUrisExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Ensimmainen Politiikka", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_INITIAL_ACCESS_TOKEN, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    try {
        createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
            clientRep.setRedirectUris(Collections.singletonList("http://newredirect"));
        });
        fail();
    } catch (ClientRegistrationException e) {
        assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
    }
    String cid = null;
    String clientId = generateSuffixedName(CLIENT_NAME);
    try {
        cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
            clientRep.setServiceAccountsEnabled(Boolean.TRUE);
            clientRep.setRedirectUris(null);
        });
    } catch (Exception e) {
        fail();
    }
    updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
        clientRep.setRedirectUris(null);
        clientRep.setServiceAccountsEnabled(Boolean.FALSE);
    });
    assertEquals(false, getClientByAdmin(cid).isServiceAccountsEnabled());
    // update policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Paivitetyn Ensimmaisen Politiikka", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    try {
        updateClientDynamically(clientId, (OIDCClientRepresentation clientRep) -> {
            clientRep.setRedirectUris(Collections.singletonList("https://newredirect/*"));
        });
        fail();
    } catch (ClientRegistrationException e) {
        assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // rootUrl
            clientRep.setRootUrl("https://client.example.com/");
            // adminUrl
            clientRep.setAdminUrl("https://client.example.com/admin/");
            // baseUrl
            clientRep.setBaseUrl("https://client.example.com/base/");
            // web origins
            clientRep.setWebOrigins(Arrays.asList("https://valid.other.client.example.com/", "https://valid.another.client.example.com/"));
            // backchannel logout URL
            Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
            attributes.put(OIDCConfigAttributes.BACKCHANNEL_LOGOUT_URL, "https://client.example.com/logout/");
            clientRep.setAttributes(attributes);
            // OAuth2 : redirectUris
            clientRep.setRedirectUris(Arrays.asList("https://client.example.com/redirect/", "https://client.example.com/callback/"));
            // OAuth2 : jwks_uri
            attributes.put(OIDCConfigAttributes.JWKS_URL, "https://client.example.com/jwks/");
            clientRep.setAttributes(attributes);
            // OIDD : requestUris
            setAttributeMultivalued(clientRep, OIDCConfigAttributes.REQUEST_URIS, Arrays.asList("https://client.example.com/request/", "https://client.example.com/reqobj/"));
            // CIBA Client Notification Endpoint
            attributes.put(CibaConfig.CIBA_BACKCHANNEL_CLIENT_NOTIFICATION_ENDPOINT, "https://client.example.com/client-notification/");
            clientRep.setAttributes(attributes);
        });
    } catch (Exception e) {
        fail();
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // rootUrl
            clientRep.setRootUrl("http://client.example.com/*/");
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid rootUrl", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // adminUrl
            clientRep.setAdminUrl("http://client.example.com/admin/");
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid adminUrl", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // baseUrl
            clientRep.setBaseUrl("https://client.example.com/base/*");
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid baseUrl", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // web origins
            clientRep.setWebOrigins(Arrays.asList("http://valid.another.client.example.com/"));
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid webOrigins", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // backchannel logout URL
            Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
            attributes.put(OIDCConfigAttributes.BACKCHANNEL_LOGOUT_URL, "httpss://client.example.com/logout/");
            clientRep.setAttributes(attributes);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid logoutUrl", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // OAuth2 : redirectUris
            clientRep.setRedirectUris(Arrays.asList("https://client.example.com/redirect/", "ftp://client.example.com/callback/"));
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid redirectUris", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // OAuth2 : jwks_uri
            Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
            attributes.put(OIDCConfigAttributes.JWKS_URL, "http s://client.example.com/jwks/");
            clientRep.setAttributes(attributes);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid jwksUri", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // OIDD : requestUris
            setAttributeMultivalued(clientRep, OIDCConfigAttributes.REQUEST_URIS, Arrays.asList("https://client.example.com/request/*", "https://client.example.com/reqobj/"));
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid requestUris", e.getErrorDetail());
    }
    try {
        updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
            // CIBA Client Notification Endpoint
            Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
            attributes.put(CibaConfig.CIBA_BACKCHANNEL_CLIENT_NOTIFICATION_ENDPOINT, "http://client.example.com/client-notification/");
            clientRep.setAttributes(attributes);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
        assertEquals("Invalid cibaClientNotificationEndpoint", e.getErrorDetail());
    }
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) ClientRegistrationException(org.keycloak.client.registration.ClientRegistrationException) IOException(java.io.IOException) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) OAuthErrorException(org.keycloak.OAuthErrorException) BadRequestException(javax.ws.rs.BadRequestException) ClientRegistrationException(org.keycloak.client.registration.ClientRegistrationException) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 33 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class ClientPoliciesTest method testConsentRequiredExecutorExecutor.

@Test
public void testConsentRequiredExecutorExecutor() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile").addExecutor(ConsentRequiredExecutorFactory.PROVIDER_ID, createConsentRequiredExecutorConfig(true)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Test Policy", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // Client will be auto-configured to enable consentRequired
    String clientId = generateSuffixedName("aaa-app");
    String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setImplicitFlowEnabled(Boolean.FALSE);
        clientRep.setConsentRequired(Boolean.FALSE);
    });
    ClientRepresentation clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.TRUE, clientRep.isConsentRequired());
    // Client cannot be updated to disable consentRequired
    updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
        cRep.setConsentRequired(Boolean.FALSE);
    });
    clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.TRUE, clientRep.isConsentRequired());
    // Switch auto-configure to false. Auto-configuration won't happen, but validation will still be here, so should not be possible to disable consentRequired
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile").addExecutor(ConsentRequiredExecutorFactory.PROVIDER_ID, createConsentRequiredExecutorConfig(false)).toRepresentation()).toString();
    updateProfiles(json);
    // Not possible to register client with consentRequired due the validation
    try {
        createClientByAdmin(clientId, (ClientRepresentation clientRep2) -> {
            clientRep2.setConsentRequired(Boolean.FALSE);
        });
        fail();
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
    }
    // Not possible to update existing client to consentRequired due the validation
    try {
        updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
            cRep.setConsentRequired(Boolean.FALSE);
        });
        fail();
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
    }
    clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.TRUE, clientRep.isConsentRequired());
    try {
        updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
            cRep.setImplicitFlowEnabled(Boolean.TRUE);
        });
        clientRep = getClientByAdmin(cid);
        assertEquals(Boolean.TRUE, clientRep.isImplicitFlowEnabled());
        assertEquals(Boolean.TRUE, clientRep.isConsentRequired());
    } catch (ClientPolicyException cpe) {
        fail();
    }
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 34 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class ClientPoliciesTest method testSecureSigningAlgorithmEnforceExecutor.

@Test
public void testSecureSigningAlgorithmEnforceExecutor() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forsta Policyn", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_INITIAL_ACCESS_TOKEN, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // create by Admin REST API - fail
    try {
        createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
            clientRep.setSecret("secret");
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, Algorithm.none.name());
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_REQUEST, e.getMessage());
    }
    // create by Admin REST API - success
    String cAppAdminId = createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
        clientRep.setAttributes(new HashMap<>());
        clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.PS256);
        clientRep.getAttributes().put(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.ES256);
        clientRep.getAttributes().put(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.ES256);
        clientRep.getAttributes().put(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, org.keycloak.crypto.Algorithm.ES256);
        clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.ES256);
    });
    // create by Admin REST API - success, PS256 enforced
    String cAppAdmin2Id = createClientByAdmin(generateSuffixedName("App-by-Admin2"), (ClientRepresentation client2Rep) -> {
    });
    ClientRepresentation cRep2 = getClientByAdmin(cAppAdmin2Id);
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
    // update by Admin REST API - fail
    try {
        updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> {
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.RS512);
        });
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REQUEST, cpe.getError());
    }
    ClientRepresentation cRep = getClientByAdmin(cAppAdminId);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
    // update by Admin REST API - success
    updateClientByAdmin(cAppAdminId, (ClientRepresentation clientRep) -> {
        clientRep.setAttributes(new HashMap<>());
        clientRep.getAttributes().put(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG, org.keycloak.crypto.Algorithm.PS384);
    });
    cRep = getClientByAdmin(cAppAdminId);
    assertEquals(org.keycloak.crypto.Algorithm.PS384, cRep.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
    // update profiles, ES256 enforced
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID, createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.ES256)).toRepresentation()).toString();
    updateProfiles(json);
    // update by Admin REST API - success
    updateClientByAdmin(cAppAdmin2Id, (ClientRepresentation client2Rep) -> {
        client2Rep.getAttributes().remove(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG);
        client2Rep.getAttributes().remove(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG);
        client2Rep.getAttributes().remove(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG);
        client2Rep.getAttributes().remove(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG);
        client2Rep.getAttributes().remove(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG);
    });
    cRep2 = getClientByAdmin(cAppAdmin2Id);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.REQUEST_OBJECT_SIGNATURE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.TOKEN_ENDPOINT_AUTH_SIGNING_ALG));
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cRep2.getAttributes().get(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG));
    // update profiles, fall back to PS256
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID, createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.RS512)).toRepresentation()).toString();
    updateProfiles(json);
    // create dynamically - fail
    try {
        createClientByAdmin(generateSuffixedName("App-in-Dynamic"), (ClientRepresentation clientRep) -> {
            clientRep.setSecret("secret");
            clientRep.setAttributes(new HashMap<>());
            clientRep.getAttributes().put(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG, org.keycloak.crypto.Algorithm.RS384);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_REQUEST, e.getMessage());
    }
    // create dynamically - success
    String cAppDynamicClientId = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation clientRep) -> {
        clientRep.setUserinfoSignedResponseAlg(org.keycloak.crypto.Algorithm.ES256);
        clientRep.setRequestObjectSigningAlg(org.keycloak.crypto.Algorithm.ES256);
        clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.PS256);
        clientRep.setTokenEndpointAuthSigningAlg(org.keycloak.crypto.Algorithm.PS256);
    });
    events.expect(EventType.CLIENT_REGISTER).client(cAppDynamicClientId).user(Matchers.isEmptyOrNullString()).assertEvent();
    // update dynamically - fail
    try {
        updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> {
            clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.RS256);
        });
        fail();
    } catch (ClientRegistrationException e) {
        assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
    }
    assertEquals(org.keycloak.crypto.Algorithm.PS256, getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg());
    // update dynamically - success
    updateClientDynamically(cAppDynamicClientId, (OIDCClientRepresentation clientRep) -> {
        clientRep.setIdTokenSignedResponseAlg(org.keycloak.crypto.Algorithm.ES384);
    });
    assertEquals(org.keycloak.crypto.Algorithm.ES384, getClientDynamically(cAppDynamicClientId).getIdTokenSignedResponseAlg());
    // create dynamically - success, PS256 enforced
    restartAuthenticatedClientRegistrationSetting();
    String cAppDynamicClient2Id = createClientDynamically(generateSuffixedName("App-in-Dynamic"), (OIDCClientRepresentation client2Rep) -> {
    });
    OIDCClientRepresentation cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id);
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg());
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getRequestObjectSigningAlg());
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg());
    assertEquals(org.keycloak.crypto.Algorithm.PS256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg());
    // update profiles, enforce ES256
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forsta Profilen").addExecutor(SecureSigningAlgorithmExecutorFactory.PROVIDER_ID, createSecureSigningAlgorithmEnforceExecutorConfig(org.keycloak.crypto.Algorithm.ES256)).toRepresentation()).toString();
    updateProfiles(json);
    // update dynamically - success, ES256 enforced
    updateClientDynamically(cAppDynamicClient2Id, (OIDCClientRepresentation client2Rep) -> {
        client2Rep.setUserinfoSignedResponseAlg(null);
        client2Rep.setRequestObjectSigningAlg(null);
        client2Rep.setIdTokenSignedResponseAlg(null);
        client2Rep.setTokenEndpointAuthSigningAlg(null);
    });
    cAppDynamicClient2Rep = getClientDynamically(cAppDynamicClient2Id);
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getUserinfoSignedResponseAlg());
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getRequestObjectSigningAlg());
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getIdTokenSignedResponseAlg());
    assertEquals(org.keycloak.crypto.Algorithm.ES256, cAppDynamicClient2Rep.getTokenEndpointAuthSigningAlg());
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) ClientRegistrationException(org.keycloak.client.registration.ClientRegistrationException) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 35 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class ClientPoliciesLoadUpdateTest method testDuplicatedPolicies.

@Test
public void testDuplicatedPolicies() throws Exception {
    String beforeUpdatePoliciesJson = ClientPoliciesUtil.convertClientPoliciesRepresentationToJson(getPolicies());
    // load policies
    ClientPolicyRepresentation duplicatedPoliciesRep = (new ClientPolicyBuilder()).createPolicy("builtin-duplicated-new-policy", "builtin duplicated new policy is ignored.", Boolean.TRUE).addCondition(ClientRolesConditionFactory.PROVIDER_ID, createClientRolesConditionConfig(Arrays.asList(SAMPLE_CLIENT_ROLE))).addProfile(FAPI1_BASELINE_PROFILE_NAME).toRepresentation();
    ClientPolicyRepresentation loadedPolicyRep = (new ClientPolicyBuilder()).createPolicy("new-policy", "duplicated profiles are ignored.", Boolean.TRUE).addCondition(ClientAccessTypeConditionFactory.PROVIDER_ID, createClientAccessTypeConditionConfig(Arrays.asList(ClientAccessTypeConditionFactory.TYPE_PUBLIC, ClientAccessTypeConditionFactory.TYPE_BEARERONLY))).addProfile("lack-of-builtin-field-test-profile").addProfile("ordinal-test-profile").toRepresentation();
    String json = (new ClientPoliciesBuilder()).addPolicy(duplicatedPoliciesRep).addPolicy(loadedPolicyRep).addPolicy(duplicatedPoliciesRep).toString();
    try {
        updatePolicies(json);
    } catch (ClientPolicyException cpe) {
        assertEquals("Bad Request", cpe.getErrorDetail());
        String afterFailedUpdatePoliciesJson = ClientPoliciesUtil.convertClientPoliciesRepresentationToJson(getPolicies());
        assertEquals(beforeUpdatePoliciesJson, afterFailedUpdatePoliciesJson);
        return;
    }
    fail();
}
Also used : ClientPolicyRepresentation(org.keycloak.representations.idm.ClientPolicyRepresentation) ClientPoliciesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder) ClientPolicyBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Aggregations

ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException)62 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)23 Test (org.junit.Test)22 OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)19 ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder)14 ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder)14 ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder)13 ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder)13 ClientModel (org.keycloak.models.ClientModel)11 ErrorResponseException (org.keycloak.services.ErrorResponseException)10 OAuthErrorException (org.keycloak.OAuthErrorException)9 UserSessionModel (org.keycloak.models.UserSessionModel)9 CorsErrorResponseException (org.keycloak.services.CorsErrorResponseException)9 UserModel (org.keycloak.models.UserModel)8 IOException (java.io.IOException)6 Consumes (javax.ws.rs.Consumes)6 POST (javax.ws.rs.POST)6 Response (javax.ws.rs.core.Response)6 ClientSessionContext (org.keycloak.models.ClientSessionContext)6 RegistrationAuth (org.keycloak.services.clientregistration.policy.RegistrationAuth)6