Search in sources :

Example 36 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class ClientPoliciesLoadUpdateTest method testDuplicatedProfiles.

@Test
public void testDuplicatedProfiles() throws Exception {
    String beforeUpdateProfilesJson = ClientPoliciesUtil.convertClientProfilesRepresentationToJson(getProfilesWithGlobals());
    // load profiles
    ClientProfileRepresentation duplicatedProfileRep = (new ClientProfileBuilder()).createProfile("builtin-basic-security", "Enforce basic security level").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, createSecureClientAuthenticatorExecutorConfig(Arrays.asList(ClientIdAndSecretAuthenticator.PROVIDER_ID, JWTClientAuthenticator.PROVIDER_ID), null)).addExecutor(PKCEEnforcerExecutorFactory.PROVIDER_ID, createPKCEEnforceExecutorConfig(Boolean.FALSE)).addExecutor("no-such-executor", createPKCEEnforceExecutorConfig(Boolean.TRUE)).toRepresentation();
    ClientProfileRepresentation loadedProfileRep = (new ClientProfileBuilder()).createProfile("ordinal-test-profile", "The profile that can be loaded.").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, createSecureClientAuthenticatorExecutorConfig(Collections.singletonList(JWTClientAuthenticator.PROVIDER_ID), JWTClientAuthenticator.PROVIDER_ID)).toRepresentation();
    String json = (new ClientProfilesBuilder()).addProfile(duplicatedProfileRep).addProfile(loadedProfileRep).addProfile(duplicatedProfileRep).toString();
    try {
        updateProfiles(json);
        fail();
    } catch (ClientPolicyException cpe) {
        assertEquals("Bad Request", cpe.getErrorDetail());
        String afterFailedUpdateProfilesJson = ClientPoliciesUtil.convertClientProfilesRepresentationToJson(getProfilesWithGlobals());
        assertEquals(beforeUpdateProfilesJson, afterFailedUpdateProfilesJson);
    }
}
Also used : ClientProfileBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder) ClientProfileRepresentation(org.keycloak.representations.idm.ClientProfileRepresentation) ClientProfilesBuilder(org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Example 37 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class AbstractClientPoliciesTest method createClientByAdmin.

// Client CRUD operation by Admin REST API primitives
protected String createClientByAdmin(String clientName, Consumer<ClientRepresentation> op) throws ClientPolicyException {
    ClientRepresentation clientRep = new ClientRepresentation();
    clientRep.setClientId(clientName);
    clientRep.setName(clientName);
    clientRep.setProtocol("openid-connect");
    clientRep.setBearerOnly(Boolean.FALSE);
    clientRep.setPublicClient(Boolean.FALSE);
    clientRep.setServiceAccountsEnabled(Boolean.TRUE);
    clientRep.setRedirectUris(Collections.singletonList(ServerURLs.getAuthServerContextRoot() + "/auth/realms/master/app/auth"));
    op.accept(clientRep);
    Response resp = adminClient.realm(REALM_NAME).clients().create(clientRep);
    if (resp.getStatus() == Response.Status.BAD_REQUEST.getStatusCode()) {
        String respBody = resp.readEntity(String.class);
        Map<String, String> responseJson = null;
        try {
            responseJson = JsonSerialization.readValue(respBody, Map.class);
        } catch (IOException e) {
            fail();
        }
        throw new ClientPolicyException(responseJson.get(OAuth2Constants.ERROR), responseJson.get(OAuth2Constants.ERROR_DESCRIPTION));
    }
    resp.close();
    assertEquals(Response.Status.CREATED.getStatusCode(), resp.getStatus());
    // registered components will be removed automatically when a test method finishes regardless of its success or failure.
    String cId = ApiUtil.getCreatedId(resp);
    testContext.getOrCreateCleanup(REALM_NAME).addClientUuid(cId);
    return cId;
}
Also used : HttpResponse(org.apache.http.HttpResponse) Response(javax.ws.rs.core.Response) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) IOException(java.io.IOException) Map(java.util.Map) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)

Example 38 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class AbstractClientPoliciesTest method updatePolicies.

// TODO: Possibly change this to accept ClientPoliciesRepresentation instead of String to have more type-safety.
protected void updatePolicies(String json) throws ClientPolicyException {
    try {
        ClientPoliciesRepresentation clientPolicies = json == null ? null : JsonSerialization.readValue(json, ClientPoliciesRepresentation.class);
        adminClient.realm(REALM_NAME).clientPoliciesPoliciesResource().updatePolicies(clientPolicies);
    } catch (BadRequestException e) {
        throw new ClientPolicyException("update policies failed", e.getResponse().getStatusInfo().toString());
    } catch (IOException e) {
        throw new ClientPolicyException("update policies failed", e.getMessage());
    }
}
Also used : ClientPoliciesRepresentation(org.keycloak.representations.idm.ClientPoliciesRepresentation) BadRequestException(javax.ws.rs.BadRequestException) IOException(java.io.IOException) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)

Example 39 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class AbstractClientPoliciesTest method updateProfiles.

// TODO: Possibly change this to accept ClientProfilesRepresentation instead of String to have more type-safety.
protected void updateProfiles(String json) throws ClientPolicyException {
    try {
        ClientProfilesRepresentation clientProfiles = JsonSerialization.readValue(json, ClientProfilesRepresentation.class);
        adminClient.realm(REALM_NAME).clientPoliciesProfilesResource().updateProfiles(clientProfiles);
    } catch (BadRequestException e) {
        throw new ClientPolicyException("update profiles failed", e.getResponse().getStatusInfo().toString());
    } catch (Exception e) {
        throw new ClientPolicyException("update profiles failed", e.getMessage());
    }
}
Also used : BadRequestException(javax.ws.rs.BadRequestException) ClientProfilesRepresentation(org.keycloak.representations.idm.ClientProfilesRepresentation) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) IOException(java.io.IOException) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) URISyntaxException(java.net.URISyntaxException) OAuthErrorException(org.keycloak.OAuthErrorException) BadRequestException(javax.ws.rs.BadRequestException) ClientRegistrationException(org.keycloak.client.registration.ClientRegistrationException) JsonProcessingException(com.fasterxml.jackson.core.JsonProcessingException) NoSuchProviderException(java.security.NoSuchProviderException) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException)

Example 40 with ClientPolicyException

use of org.keycloak.services.clientpolicy.ClientPolicyException in project keycloak by keycloak.

the class FAPI1Test method testFAPIAdvancedClientRegistration.

@Test
public void testFAPIAdvancedClientRegistration() throws Exception {
    // Set "advanced" policy
    setupPolicyFAPIAdvancedForAllClient();
    // Register client with clientIdAndSecret - should fail
    try {
        createClientByAdmin("invalid", (ClientRepresentation clientRep) -> {
            clientRep.setClientAuthenticatorType(ClientIdAndSecretAuthenticator.PROVIDER_ID);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
    }
    // Register client with signedJWT - should fail
    try {
        createClientByAdmin("invalid", (ClientRepresentation clientRep) -> {
            clientRep.setClientAuthenticatorType(JWTClientSecretAuthenticator.PROVIDER_ID);
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
    }
    // Register client with privateKeyJWT, but unsecured redirectUri - should fail
    try {
        createClientByAdmin("invalid", (ClientRepresentation clientRep) -> {
            clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
            clientRep.setRedirectUris(Collections.singletonList("http://foo"));
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
    }
    // Try to register client with "client-jwt" - should pass
    String clientUUID = createClientByAdmin("client-jwt", (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(JWTClientAuthenticator.PROVIDER_ID);
    });
    ClientRepresentation client = getClientByAdmin(clientUUID);
    Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, client.getClientAuthenticatorType());
    // Try to register client with "client-x509" - should pass
    clientUUID = createClientByAdmin("client-x509", (ClientRepresentation clientRep) -> {
        clientRep.setClientAuthenticatorType(X509ClientAuthenticator.PROVIDER_ID);
    });
    client = getClientByAdmin(clientUUID);
    Assert.assertEquals(X509ClientAuthenticator.PROVIDER_ID, client.getClientAuthenticatorType());
    // Try to register client with default authenticator - should pass. Client authenticator should be "client-jwt"
    clientUUID = createClientByAdmin("client-jwt-2", (ClientRepresentation clientRep) -> {
    });
    client = getClientByAdmin(clientUUID);
    Assert.assertEquals(JWTClientAuthenticator.PROVIDER_ID, client.getClientAuthenticatorType());
    // Check the Consent is enabled, Holder-of-key is enabled, fullScopeAllowed disabled and default signature algorithm.
    Assert.assertTrue(client.isConsentRequired());
    OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(client);
    Assert.assertTrue(clientConfig.isUseMtlsHokToken());
    Assert.assertEquals(Algorithm.PS256, clientConfig.getIdTokenSignedResponseAlg());
    Assert.assertEquals(Algorithm.PS256, clientConfig.getRequestObjectSignatureAlg().toString());
    Assert.assertFalse(client.isFullScopeAllowed());
}
Also used : OIDCAdvancedConfigWrapper(org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) ClientPolicyException(org.keycloak.services.clientpolicy.ClientPolicyException) Test(org.junit.Test)

Aggregations

ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException)62 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)23 Test (org.junit.Test)22 OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)19 ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder)14 ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder)14 ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder)13 ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder)13 ClientModel (org.keycloak.models.ClientModel)11 ErrorResponseException (org.keycloak.services.ErrorResponseException)10 OAuthErrorException (org.keycloak.OAuthErrorException)9 UserSessionModel (org.keycloak.models.UserSessionModel)9 CorsErrorResponseException (org.keycloak.services.CorsErrorResponseException)9 UserModel (org.keycloak.models.UserModel)8 IOException (java.io.IOException)6 Consumes (javax.ws.rs.Consumes)6 POST (javax.ws.rs.POST)6 Response (javax.ws.rs.core.Response)6 ClientSessionContext (org.keycloak.models.ClientSessionContext)6 RegistrationAuth (org.keycloak.services.clientregistration.policy.RegistrationAuth)6