Use of org.keycloak.services.clientpolicy.ClientPolicyException in the keycloak/keycloak project.
Class ClientPoliciesLoadUpdateTest, method testDuplicatedProfiles.
@Test
public void testDuplicatedProfiles() throws Exception {
    // Snapshot the stored profiles (globals included) so we can prove the rejected
    // update was not partially persisted.
    String profilesBeforeUpdate = ClientPoliciesUtil.convertClientProfilesRepresentationToJson(getProfilesWithGlobals());

    // Profile that will appear twice in the payload; it additionally references an
    // executor id that does not exist.
    ClientProfileRepresentation duplicateProfile = new ClientProfileBuilder()
            .createProfile("builtin-basic-security", "Enforce basic security level")
            .addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID,
                    createSecureClientAuthenticatorExecutorConfig(
                            Arrays.asList(ClientIdAndSecretAuthenticator.PROVIDER_ID, JWTClientAuthenticator.PROVIDER_ID),
                            null))
            .addExecutor(PKCEEnforcerExecutorFactory.PROVIDER_ID, createPKCEEnforceExecutorConfig(Boolean.FALSE))
            .addExecutor("no-such-executor", createPKCEEnforceExecutorConfig(Boolean.TRUE))
            .toRepresentation();

    // A well-formed profile that would be accepted on its own.
    ClientProfileRepresentation loadableProfile = new ClientProfileBuilder()
            .createProfile("ordinal-test-profile", "The profile that can be loaded.")
            .addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID,
                    createSecureClientAuthenticatorExecutorConfig(
                            Collections.singletonList(JWTClientAuthenticator.PROVIDER_ID),
                            JWTClientAuthenticator.PROVIDER_ID))
            .toRepresentation();

    // duplicate, valid, duplicate: the whole payload must be rejected, not just the repeat.
    String profilesPayload = new ClientProfilesBuilder()
            .addProfile(duplicateProfile)
            .addProfile(loadableProfile)
            .addProfile(duplicateProfile)
            .toString();

    try {
        updateProfiles(profilesPayload);
        fail();
    } catch (ClientPolicyException cpe) {
        // Detail carries the HTTP reason phrase of the rejected request.
        assertEquals("Bad Request", cpe.getErrorDetail());
        // The update must be all-or-nothing: the valid "ordinal-test-profile" in the
        // middle of the payload must not have been stored either.
        String profilesAfterRejectedUpdate = ClientPoliciesUtil.convertClientProfilesRepresentationToJson(getProfilesWithGlobals());
        assertEquals(profilesBeforeUpdate, profilesAfterRejectedUpdate);
    }
}
Use of org.keycloak.services.clientpolicy.ClientPolicyException in the keycloak/keycloak project.
Class AbstractClientPoliciesTest, method createClientByAdmin.
// Client CRUD operation by Admin REST API primitives
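/**
 * Creates a confidential OIDC client through the Admin REST API and returns its UUID.
 * <p>
 * Defaults: service accounts enabled, not bearer-only, not public, one redirect URI under
 * the master realm test app. {@code op} may override any of them before the request is sent.
 * The created client is registered for automatic cleanup when the test method finishes.
 *
 * @param clientName used as both clientId and display name
 * @param op         caller hook to adjust the representation before it is submitted
 * @return the UUID of the created client (taken from the Location header)
 * @throws ClientPolicyException when the server answers 400; the OAuth2 {@code error} and
 *         {@code error_description} fields of the JSON body become the exception's error and
 *         detail, so negative client-policy tests can assert on them
 */
protected String createClientByAdmin(String clientName, Consumer<ClientRepresentation> op) throws ClientPolicyException {
    ClientRepresentation clientRep = new ClientRepresentation();
    clientRep.setClientId(clientName);
    clientRep.setName(clientName);
    clientRep.setProtocol("openid-connect");
    clientRep.setBearerOnly(Boolean.FALSE);
    clientRep.setPublicClient(Boolean.FALSE);
    clientRep.setServiceAccountsEnabled(Boolean.TRUE);
    clientRep.setRedirectUris(Collections.singletonList(ServerURLs.getAuthServerContextRoot() + "/auth/realms/master/app/auth"));
    op.accept(clientRep);
    Response resp = adminClient.realm(REALM_NAME).clients().create(clientRep);
    // Close the response on every exit path; the original only closed it on success,
    // leaking the connection whenever a policy rejected the client.
    try {
        if (resp.getStatus() == Response.Status.BAD_REQUEST.getStatusCode()) {
            String respBody = resp.readEntity(String.class);
            Map<String, String> responseJson = null;
            try {
                responseJson = JsonSerialization.readValue(respBody, Map.class);
            } catch (IOException e) {
                fail("400 response without a JSON error body: " + respBody);
            }
            throw new ClientPolicyException(responseJson.get(OAuth2Constants.ERROR), responseJson.get(OAuth2Constants.ERROR_DESCRIPTION));
        }
        // Only 400 is translated into ClientPolicyException. Anything else that is not 201
        // (401/403/409/500...) must fail the test here, so that a negative test catching
        // ClientPolicyException cannot pass for the wrong reason.
        assertEquals("Unexpected status creating client '" + clientName + "'", Response.Status.CREATED.getStatusCode(), resp.getStatus());
        // registered components will be removed automatically when a test method finishes regardless of its success or failure.
        String cId = ApiUtil.getCreatedId(resp);
        testContext.getOrCreateCleanup(REALM_NAME).addClientUuid(cId);
        return cId;
    } finally {
        resp.close();
    }
}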
Use of org.keycloak.services.clientpolicy.ClientPolicyException in the keycloak/keycloak project.
Class AbstractClientPoliciesTest, method updatePolicies.
// TODO: Possibly change this to accept ClientPoliciesRepresentation instead of String to have more type-safety.
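/**
 * Replaces the realm's client policies through the Admin REST API.
 *
 * @param json the policies as JSON, or {@code null} to submit a null representation unparsed
 * @throws ClientPolicyException with error {@code "update policies failed"} when the server
 *         rejects the request with 400 (detail = HTTP reason phrase, e.g. "Bad Request") or
 *         when {@code json} cannot be parsed (detail = parser message). The triggering
 *         exception is attached as a suppressed exception so the real cause is not lost.
 */
protected void updatePolicies(String json) throws ClientPolicyException {
    try {
        ClientPoliciesRepresentation clientPolicies = json == null ? null : JsonSerialization.readValue(json, ClientPoliciesRepresentation.class);
        adminClient.realm(REALM_NAME).clientPoliciesPoliciesResource().updatePolicies(clientPolicies);
    } catch (BadRequestException e) {
        ClientPolicyException cpe = new ClientPolicyException("update policies failed", e.getResponse().getStatusInfo().toString());
        // Keep the original exception on the stack trace instead of discarding it.
        cpe.addSuppressed(e);
        throw cpe;
    } catch (IOException e) {
        ClientPolicyException cpe = new ClientPolicyException("update policies failed", e.getMessage());
        cpe.addSuppressed(e);
        throw cpe;
    }
}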
Use of org.keycloak.services.clientpolicy.ClientPolicyException in the keycloak/keycloak project.
Class AbstractClientPoliciesTest, method updateProfiles.
// TODO: Possibly change this to accept ClientProfilesRepresentation instead of String to have more type-safety.
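/**
 * Replaces the realm's client profiles through the Admin REST API.
 * <p>
 * Unlike {@code updatePolicies}, {@code null} is not special-cased here and the fallback
 * catch is {@code Exception}, so any failure that is not a 400 (including an unparseable or
 * null payload and unexpected client errors) is reported as a ClientPolicyException as well.
 * The triggering exception is attached as a suppressed exception so that a negative test
 * which merely catches ClientPolicyException still shows the real reason in its trace.
 *
 * @param json the profiles as JSON
 * @throws ClientPolicyException with error {@code "update profiles failed"}; the detail is the
 *         HTTP reason phrase (e.g. "Bad Request") for a 400, otherwise the exception message
 */
protected void updateProfiles(String json) throws ClientPolicyException {
    try {
        ClientProfilesRepresentation clientProfiles = JsonSerialization.readValue(json, ClientProfilesRepresentation.class);
        adminClient.realm(REALM_NAME).clientPoliciesProfilesResource().updateProfiles(clientProfiles);
    } catch (BadRequestException e) {
        ClientPolicyException cpe = new ClientPolicyException("update profiles failed", e.getResponse().getStatusInfo().toString());
        // Preserve the original exception rather than dropping the cause.
        cpe.addSuppressed(e);
        throw cpe;
    } catch (Exception e) {
        ClientPolicyException cpe = new ClientPolicyException("update profiles failed", e.getMessage());
        cpe.addSuppressed(e);
        throw cpe;
    }
}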
Use of org.keycloak.services.clientpolicy.ClientPolicyException in the keycloak/keycloak project.
Class FAPI1Test, method testFAPIAdvancedClientRegistration.
@Test
public void testFAPIAdvancedClientRegistration() throws Exception {
    // Apply the FAPI "advanced" policy to every client in the realm.
    setupPolicyFAPIAdvancedForAllClient();

    // Rejected registrations: both shared-secret authenticators are refused, and so is a
    // private_key_jwt client whose redirect URI is plain http.
    assertFapiAdvancedRejectsRegistration(ClientIdAndSecretAuthenticator.PROVIDER_ID, null);
    assertFapiAdvancedRejectsRegistration(JWTClientSecretAuthenticator.PROVIDER_ID, null);
    assertFapiAdvancedRejectsRegistration(JWTClientAuthenticator.PROVIDER_ID, "http://foo");

    // Accepted: explicit private_key_jwt ("client-jwt").
    String jwtClientUuid = createClientByAdmin("client-jwt", (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
    });
    ClientRepresentation jwtClient = getClientByAdmin(jwtClientUuid);
    Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, jwtClient.getClientAuthenticatorType());

    // Accepted: explicit mutual-TLS client authentication ("client-x509").
    String x509ClientUuid = createClientByAdmin("client-x509", (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(X509ClientAuthenticator.PROVIDER_ID);
    });
    ClientRepresentation x509Client = getClientByAdmin(x509ClientUuid);
    Assert.assertEquals(X509ClientAuthenticator.PROVIDER_ID, x509Client.getClientAuthenticatorType());

    // Accepted with no authenticator given: the policy is expected to default it to client-jwt.
    String defaultedClientUuid = createClientByAdmin("client-jwt-2", (ClientRepresentation clientRep) -> {
    });
    ClientRepresentation defaultedClient = getClientByAdmin(defaultedClientUuid);
    Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, defaultedClient.getClientAuthenticatorType());

    // The remaining settings the policy is expected to enforce on that client: consent
    // required, mTLS holder-of-key tokens, PS256 for ID tokens and request objects, and no
    // full-scope access.
    Assert.assertTrue(defaultedClient.isConsentRequired());
    OIDCAdvancedConfigWrapper advancedConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(defaultedClient);
    Assert.assertTrue(advancedConfig.isUseMtlsHokToken());
    Assert.assertEquals(Algorithm.PS256, advancedConfig.getIdTokenSignedResponseAlg());
    Assert.assertEquals(Algorithm.PS256, advancedConfig.getRequestObjectSignatureAlg().toString());
    Assert.assertFalse(defaultedClient.isFullScopeAllowed());
}

/**
 * Attempts to register a client named "invalid" with the given authenticator (and, when
 * non-null, the given single redirect URI) and asserts that the FAPI advanced policy rejects
 * it with {@code invalid_client_metadata}.
 */
private void assertFapiAdvancedRejectsRegistration(String clientAuthenticatorType, String redirectUri) throws Exception {
    try {
        createClientByAdmin("invalid", (ClientRepresentation clientRep) -> {
            clientRep.setClientAuthenticatorType(clientAuthenticatorType);
            if (redirectUri != null) {
                clientRep.setRedirectUris(Collections.singletonList(redirectUri));
            }
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
    }
}