Example 46 with LDAPStorageProvider
use of org.keycloak.storage.ldap.LDAPStorageProvider in project keycloak by keycloak.
the class LDAPGroupMapperSyncTest method test01_syncNoPreserveGroupInheritance.
@Test
public void test01_syncNoPreserveGroupInheritance() throws Exception {
testingClient.server().run(session -> {
LDAPTestContext ctx = LDAPTestContext.init(session);
RealmModel realm = ctx.getRealm();
String descriptionAttrName = LDAPTestUtils.getGroupDescriptionLDAPAttrName(ctx.getLdapProvider());
ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(realm, ctx.getLdapModel(), "groupsMapper");
LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ldapProvider, realm);
// Add recursive group mapping to LDAP. Check that sync with preserve group inheritance will fail
LDAPObject group1 = groupMapper.loadLDAPGroupByName("group1");
LDAPObject group12 = groupMapper.loadLDAPGroupByName("group12");
LDAPUtils.addMember(ldapProvider, MembershipType.DN, LDAPConstants.MEMBER, "not-used", group12, group1);
try {
new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(realm);
Assert.fail("Not expected group sync to pass");
} catch (ModelException expected) {
Assert.assertTrue(expected.getMessage().contains("Recursion detected"));
}
});
// Update group mapper to skip preserve inheritance
testingClient.server().run(session -> {
LDAPTestContext ctx = LDAPTestContext.init(session);
ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(ctx.getRealm(), ctx.getLdapModel(), "groupsMapper");
LDAPTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.PRESERVE_GROUP_INHERITANCE, "false");
ctx.getRealm().updateComponent(mapperModel);
});
// Run the LDAP sync again and check it will pass now
testingClient.server().run(session -> {
LDAPTestContext ctx = LDAPTestContext.init(session);
RealmModel realm = ctx.getRealm();
ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(ctx.getRealm(), ctx.getLdapModel(), "groupsMapper");
new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(realm);
});
testingClient.server().run(session -> {
LDAPTestContext ctx = LDAPTestContext.init(session);
RealmModel realm = ctx.getRealm();
String descriptionAttrName = LDAPTestUtils.getGroupDescriptionLDAPAttrName(ctx.getLdapProvider());
ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(ctx.getRealm(), ctx.getLdapModel(), "groupsMapper");
LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ldapProvider, realm);
// Assert groups are imported to keycloak. All are at top level
GroupModel kcGroup1 = KeycloakModelUtils.findGroupByPath(realm, "/group1");
GroupModel kcGroup11 = KeycloakModelUtils.findGroupByPath(realm, "/group11");
GroupModel kcGroup12 = KeycloakModelUtils.findGroupByPath(realm, "/group12");
Assert.assertEquals(0, kcGroup1.getSubGroupsStream().count());
Assert.assertEquals("group1 - description", kcGroup1.getFirstAttribute(descriptionAttrName));
Assert.assertNull(kcGroup11.getFirstAttribute(descriptionAttrName));
Assert.assertEquals("group12 - description", kcGroup12.getFirstAttribute(descriptionAttrName));
// Cleanup - remove recursive mapping in LDAP
LDAPObject group1 = groupMapper.loadLDAPGroupByName("group1");
LDAPObject group12 = groupMapper.loadLDAPGroupByName("group12");
LDAPUtils.deleteMember(ldapProvider, MembershipType.DN, LDAPConstants.MEMBER, "not-used", group12, group1);
});
// Cleanup - revert (non-default) group mapper config
testingClient.server().run(session -> {
LDAPTestContext ctx = LDAPTestContext.init(session);
ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(ctx.getRealm(), ctx.getLdapModel(), "groupsMapper");
LDAPTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.PRESERVE_GROUP_INHERITANCE, "true");
ctx.getRealm().updateComponent(mapperModel);
});
}
Also used :
RealmModel(org.keycloak.models.RealmModel)
ModelException(org.keycloak.models.ModelException)
ComponentModel(org.keycloak.component.ComponentModel)
LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider)
LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject)
GroupModel(org.keycloak.models.GroupModel)
GroupLDAPStorageMapperFactory(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapperFactory)
GroupLDAPStorageMapper(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper)
Test(org.junit.Test)
Example 47 with LDAPStorageProvider
use of org.keycloak.storage.ldap.LDAPStorageProvider in project keycloak by keycloak.
the class LDAPGroupMapperSyncTest method test04_syncNoPreserveGroupInheritanceWithLazySync.
@Test
public void test04_syncNoPreserveGroupInheritanceWithLazySync() throws Exception {
// Update group mapper to skip preserve inheritance
testingClient.server().run(session -> {
LDAPTestContext ctx = LDAPTestContext.init(session);
ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(ctx.getRealm(), ctx.getLdapModel(), "groupsMapper");
LDAPTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.PRESERVE_GROUP_INHERITANCE, "false");
ctx.getRealm().updateComponent(mapperModel);
});
testingClient.server().run(session -> {
LDAPTestContext ctx = LDAPTestContext.init(session);
RealmModel realm = ctx.getRealm();
ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(realm, ctx.getLdapModel(), "groupsMapper");
LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ldapProvider, realm);
// Add user to LDAP and put him as member of group11
LDAPTestUtils.removeAllLDAPUsers(ldapProvider, realm);
LDAPObject johnLdap = LDAPTestUtils.addLDAPUser(ldapProvider, realm, "johnkeycloak", "John", "Doe", "john@email.org", null, "1234");
LDAPTestUtils.updateLDAPPassword(ldapProvider, johnLdap, "Password1");
GroupMapperConfig groupMapperConfig = new GroupMapperConfig(mapperModel);
LDAPObject ldapGroup = groupMapper.loadLDAPGroupByName("group11");
LDAPUtils.addMember(ldapProvider, groupMapperConfig.getMembershipTypeLdapAttribute(), groupMapperConfig.getMembershipLdapAttribute(), groupMapperConfig.getMembershipUserLdapAttribute(ldapProvider.getLdapIdentityStore().getConfig()), ldapGroup, johnLdap);
// Assert groups not yet imported to Keycloak DB
Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group1"));
Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group11"));
Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group12"));
// Load user from LDAP to Keycloak DB
UserModel john = session.users().getUserByUsername(realm, "johnkeycloak");
Set<GroupModel> johnGroups = john.getGroupsStream().collect(Collectors.toSet());
// Assert just those groups, which john was memberOf exists because they were lazily created
GroupModel group1 = KeycloakModelUtils.findGroupByPath(realm, "/group1");
GroupModel group11 = KeycloakModelUtils.findGroupByPath(realm, "/group11");
GroupModel group12 = KeycloakModelUtils.findGroupByPath(realm, "/group12");
Assert.assertNull(group1);
Assert.assertNotNull(group11);
Assert.assertNull(group12);
Assert.assertEquals(1, johnGroups.size());
Assert.assertTrue(johnGroups.contains(group11));
// Delete group mapping
john.leaveGroup(group11);
});
// Cleanup - revert (non-default) group mapper config
testingClient.server().run(session -> {
LDAPTestContext ctx = LDAPTestContext.init(session);
ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(ctx.getRealm(), ctx.getLdapModel(), "groupsMapper");
LDAPTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.PRESERVE_GROUP_INHERITANCE, "true");
ctx.getRealm().updateComponent(mapperModel);
});
}
Also used :
RealmModel(org.keycloak.models.RealmModel)
UserModel(org.keycloak.models.UserModel)
ComponentModel(org.keycloak.component.ComponentModel)
LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider)
LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject)
GroupModel(org.keycloak.models.GroupModel)
GroupMapperConfig(org.keycloak.storage.ldap.mappers.membership.group.GroupMapperConfig)
GroupLDAPStorageMapper(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper)
Test(org.junit.Test)
Example 48 with LDAPStorageProvider
use of org.keycloak.storage.ldap.LDAPStorageProvider in project keycloak by keycloak.
the class LDAPGroupMapperTest method test09_emptyMemberOnDeletionWorks.
@Test
public void test09_emptyMemberOnDeletionWorks() {
testingClient.server().run(session -> {
LDAPTestContext ctx = LDAPTestContext.init(session);
RealmModel appRealm = ctx.getRealm();
ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "groupsMapper");
// Ignoring this test on ActiveDirectory (same for rhds) as it's not allowed to have LDAP group referencing nonexistent member. KEYCLOAK-2682 was related to OpenLDAP TODO: Better solution than programmatic...
LDAPConfig ldapConfig = ctx.getLdapProvider().getLdapIdentityStore().getConfig();
if (ldapConfig.isActiveDirectory() || LDAPConstants.VENDOR_RHDS.equals(ldapConfig.getVendor())) {
return;
}
// create a group with an existing user alone
String descriptionAttrName = getGroupDescriptionLDAPAttrName(ctx.getLdapProvider());
LDAPObject deleteGroup = LDAPTestUtils.createLDAPGroup(session, appRealm, ctx.getLdapModel(), "deletegroup", descriptionAttrName, "deletegroup - description");
LDAPObject maryLdap = ctx.getLdapProvider().loadLDAPUserByUsername(appRealm, "marykeycloak");
LDAPUtils.addMember(ctx.getLdapProvider(), MembershipType.DN, LDAPConstants.MEMBER, "not-used", deleteGroup, maryLdap);
LDAPObject empty = new LDAPObject();
empty.setDn(LDAPDn.fromString(LDAPConstants.EMPTY_MEMBER_ATTRIBUTE_VALUE));
LDAPUtils.deleteMember(ctx.getLdapProvider(), MembershipType.DN, LDAPConstants.MEMBER, descriptionAttrName, deleteGroup, empty);
deleteGroup = LDAPGroupMapperTest.searchObjectInBase(ctx.getLdapProvider(), deleteGroup.getDn().toString(), LDAPConstants.MEMBER);
Assert.assertNotNull(deleteGroup);
Assert.assertEquals(1, deleteGroup.getAttributeAsSet(LDAPConstants.MEMBER).size());
Assert.assertEquals(maryLdap.getDn(), LDAPDn.fromString(deleteGroup.getAttributeAsString(LDAPConstants.MEMBER)));
// import into keycloak
LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ldapProvider, appRealm);
groupMapper.syncDataFromFederationProviderToKeycloak(appRealm);
// check everything is OK
GroupModel kcDeleteGroup = KeycloakModelUtils.findGroupByPath(appRealm, "/deletegroup");
UserModel mary = session.users().getUserByUsername(appRealm, "marykeycloak");
List<UserModel> groupMembers = session.users().getGroupMembersStream(appRealm, kcDeleteGroup, 0, 5).collect(Collectors.toList());
Assert.assertEquals(1, groupMembers.size());
Assert.assertEquals("marykeycloak", groupMembers.get(0).getUsername());
Set<GroupModel> maryGroups = mary.getGroupsStream().collect(Collectors.toSet());
Assert.assertEquals(1, maryGroups.size());
Assert.assertEquals("deletegroup", maryGroups.iterator().next().getName());
// delete the group from mary to force schema violation and assingment of the empty value
mary.leaveGroup(kcDeleteGroup);
// check now the group has the empty member instead of mary
deleteGroup = LDAPGroupMapperTest.searchObjectInBase(ctx.getLdapProvider(), deleteGroup.getDn().toString(), LDAPConstants.MEMBER);
Assert.assertNotNull(deleteGroup);
Assert.assertEquals(1, deleteGroup.getAttributeAsSet(LDAPConstants.MEMBER).size());
Assert.assertEquals(LDAPDn.fromString(LDAPConstants.EMPTY_MEMBER_ATTRIBUTE_VALUE), LDAPDn.fromString(deleteGroup.getAttributeAsString(LDAPConstants.MEMBER)));
});
}
Also used :
RealmModel(org.keycloak.models.RealmModel)
UserModel(org.keycloak.models.UserModel)
LDAPConfig(org.keycloak.storage.ldap.LDAPConfig)
ComponentModel(org.keycloak.component.ComponentModel)
LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject)
LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider)
GroupModel(org.keycloak.models.GroupModel)
GroupLDAPStorageMapper(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper)
Test(org.junit.Test)
Example 49 with LDAPStorageProvider
use of org.keycloak.storage.ldap.LDAPStorageProvider in project keycloak by keycloak.
the class LDAPGroupMapperTest method test03_importGroupMappings.
@Test
public void test03_importGroupMappings() {
testingClient.server().run(session -> {
LDAPTestContext ctx = LDAPTestContext.init(session);
RealmModel appRealm = ctx.getRealm();
ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "groupsMapper");
LDAPTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.MODE, LDAPGroupMapperMode.IMPORT.toString());
appRealm.updateComponent(mapperModel);
// Add some group mappings directly in LDAP
LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ldapProvider, appRealm);
GroupModel group1 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1");
GroupModel group11 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group11");
GroupModel group12 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group12");
LDAPObject robLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "robkeycloak");
groupMapper.addGroupMappingInLDAP(appRealm, group11, robLdap);
groupMapper.addGroupMappingInLDAP(appRealm, group12, robLdap);
// Get user and check that he has requested groups from LDAP
UserModel rob = session.users().getUserByUsername(appRealm, "robkeycloak");
Set<GroupModel> robGroups = rob.getGroupsStream().collect(Collectors.toSet());
Assert.assertFalse(robGroups.contains(group1));
Assert.assertTrue(robGroups.contains(group11));
Assert.assertTrue(robGroups.contains(group12));
Assert.assertEquals(4, rob.getGroupsStream("Gr", 0, 10).count());
Assert.assertEquals(3, rob.getGroupsStream("Gr", 1, 10).count());
Assert.assertEquals(1, rob.getGroupsStream("Gr", 0, 1).count());
Assert.assertEquals(2, rob.getGroupsStream("12", 0, 10).count());
long dbGroupCount = rob.getGroupsCount();
Assert.assertEquals(4, dbGroupCount);
// Check getGroupMembers
Stream<UserModel> group1Members = session.users().getGroupMembersStream(appRealm, group1, 0, 10);
List<UserModel> group11Members = session.users().getGroupMembersStream(appRealm, group11, 0, 10).collect(Collectors.toList());
List<UserModel> group12Members = session.users().getGroupMembersStream(appRealm, group12, 0, 10).collect(Collectors.toList());
Assert.assertEquals(0, group1Members.count());
Assert.assertEquals(1, group11Members.size());
Assert.assertEquals("robkeycloak", group11Members.get(0).getUsername());
Assert.assertEquals(1, group12Members.size());
Assert.assertEquals("robkeycloak", group12Members.get(0).getUsername());
// Delete some group mappings in LDAP and check that it doesn't have any effect and user still has groups
LDAPObject ldapGroup = groupMapper.loadLDAPGroupByName("group11");
groupMapper.deleteGroupMappingInLDAP(robLdap, ldapGroup);
ldapGroup = groupMapper.loadLDAPGroupByName("group12");
groupMapper.deleteGroupMappingInLDAP(robLdap, ldapGroup);
robGroups = rob.getGroupsStream().collect(Collectors.toSet());
Assert.assertTrue(robGroups.contains(group11));
Assert.assertTrue(robGroups.contains(group12));
// Check getGroupMembers
group1Members = session.users().getGroupMembersStream(appRealm, group1, 0, 10);
group11Members = session.users().getGroupMembersStream(appRealm, group11, 0, 10).collect(Collectors.toList());
group12Members = session.users().getGroupMembersStream(appRealm, group12, 0, 10).collect(Collectors.toList());
Assert.assertEquals(0, group1Members.count());
Assert.assertEquals(1, group11Members.size());
Assert.assertEquals("robkeycloak", group11Members.get(0).getUsername());
Assert.assertEquals(1, group12Members.size());
Assert.assertEquals("robkeycloak", group12Members.get(0).getUsername());
// Delete group mappings through model and verifies that user doesn't have them anymore
rob.leaveGroup(group11);
rob.leaveGroup(group12);
Assert.assertEquals(2, rob.getGroupsStream().count());
});
}
Also used :
RealmModel(org.keycloak.models.RealmModel)
UserModel(org.keycloak.models.UserModel)
ComponentModel(org.keycloak.component.ComponentModel)
LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider)
GroupModel(org.keycloak.models.GroupModel)
LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject)
GroupLDAPStorageMapper(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper)
Test(org.junit.Test)
Example 50 with LDAPStorageProvider
use of org.keycloak.storage.ldap.LDAPStorageProvider in project keycloak by keycloak.
the class LDAPMultipleAttributesTest method afterImportTestRealm.
@Override
protected void afterImportTestRealm() {
testingClient.server().run(session -> {
LDAPTestContext ctx = LDAPTestContext.init(session);
RealmModel appRealm = ctx.getRealm();
LDAPTestUtils.addZipCodeLDAPMapper(appRealm, ctx.getLdapModel());
LDAPTestUtils.addUserAttributeMapper(appRealm, ctx.getLdapModel(), "streetMapper", "street", LDAPConstants.STREET);
// Remove current users and add default users
LDAPStorageProvider ldapFedProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
LDAPTestUtils.removeAllLDAPUsers(ldapFedProvider, appRealm);
LDAPObject james = LDAPTestUtils.addLDAPUser(ldapFedProvider, appRealm, "jbrown", "James", "Brown", "jbrown@keycloak.org", null, "88441");
LDAPTestUtils.updateLDAPPassword(ldapFedProvider, james, "Password1");
// User for testing duplicating surname and postalCode
LDAPObject bruce = LDAPTestUtils.addLDAPUser(ldapFedProvider, appRealm, "bwilson", "Bruce", "Wilson", "bwilson@keycloak.org", "Elm 5", "88441", "77332");
bruce.setAttribute("sn", new LinkedHashSet<>(Arrays.asList("Wilson", "Schneider")));
ldapFedProvider.getLdapIdentityStore().update(bruce);
LDAPTestUtils.updateLDAPPassword(ldapFedProvider, bruce, "Password1");
// Create ldap-portal client
ClientModel ldapClient = appRealm.addClient("ldap-portal");
ldapClient.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
ldapClient.addRedirectUri("/ldap-portal");
ldapClient.addRedirectUri("/ldap-portal/*");
ldapClient.setManagementUrl("/ldap-portal");
ldapClient.addProtocolMapper(UserAttributeMapper.createClaimMapper("postalCode", "postal_code", "postal_code", "String", true, true, true));
ldapClient.addProtocolMapper(UserAttributeMapper.createClaimMapper("street", "street", "street", "String", true, true, false));
ldapClient.addScopeMapping(appRealm.getRole("user"));
ldapClient.setSecret("password");
});
}
Also used :
RealmModel(org.keycloak.models.RealmModel)
ClientModel(org.keycloak.models.ClientModel)
LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider)
LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject)
Aggregations
LDAPStorageProvider (org.keycloak.storage.ldap.LDAPStorageProvider)56
RealmModel (org.keycloak.models.RealmModel)46
ComponentModel (org.keycloak.component.ComponentModel)44
LDAPObject (org.keycloak.storage.ldap.idm.model.LDAPObject)34
Test (org.junit.Test)29
UserModel (org.keycloak.models.UserModel)17
GroupModel (org.keycloak.models.GroupModel)12
GroupLDAPStorageMapper (org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper)12
SynchronizationResult (org.keycloak.storage.user.SynchronizationResult)9
UserStorageProviderModel (org.keycloak.storage.UserStorageProviderModel)8
GroupLDAPStorageMapperFactory (org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapperFactory)8
LDAPStorageMapper (org.keycloak.storage.ldap.mappers.LDAPStorageMapper)7
UserStorageProvider (org.keycloak.storage.UserStorageProvider)6
Path (javax.ws.rs.Path)4
KeycloakSession (org.keycloak.models.KeycloakSession)4
LDAPTestContext (org.keycloak.testsuite.federation.ldap.LDAPTestContext)4
HashMap (java.util.HashMap)3
Set (java.util.Set)3
Consumes (javax.ws.rs.Consumes)3
POST (javax.ws.rs.POST)3
