Search in sources :

Example 26 with LDAPObject

use of org.keycloak.storage.ldap.idm.model.LDAPObject in project keycloak by keycloak.

the class LDAPRoleMappingsTest method test04_syncRoleMappings.

/**
 * KEYCLOAK-5698
 */
@Test
public void test04_syncRoleMappings() {
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
        LDAPObject john = LDAPTestUtils.addLDAPUser(ldapProvider, appRealm, "johnrolemapper", "John", "RoleMapper", "johnrolemapper@email.org", null, "1234");
        LDAPTestUtils.updateLDAPPassword(ldapProvider, john, "Password1");
        LDAPTestUtils.addOrUpdateRoleLDAPMappers(appRealm, ctx.getLdapModel(), LDAPGroupMapperMode.LDAP_ONLY);
        UserStorageSyncManager usersSyncManager = new UserStorageSyncManager();
        SynchronizationResult syncResult = usersSyncManager.syncChangedUsers(session.getKeycloakSessionFactory(), appRealm.getId(), new UserStorageProviderModel(ctx.getLdapModel()));
        syncResult.getAdded();
    });
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        // make sure user is cached.
        UserModel johnRoleMapper = session.users().getUserByUsername(appRealm, "johnrolemapper");
        Assert.assertNotNull(johnRoleMapper);
        Assert.assertEquals(0, johnRoleMapper.getRealmRoleMappingsStream().count());
    });
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        // Add some role mappings directly in LDAP
        LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
        ComponentModel roleMapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "realmRolesMapper");
        RoleLDAPStorageMapper roleMapper = LDAPTestUtils.getRoleMapper(roleMapperModel, ldapProvider, appRealm);
        LDAPObject johnLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "johnrolemapper");
        roleMapper.addRoleMappingInLDAP("realmRole1", johnLdap);
        roleMapper.addRoleMappingInLDAP("realmRole2", johnLdap);
        // Get user and check that he has requested roles from LDAP
        UserModel johnRoleMapper = session.users().getUserByUsername(appRealm, "johnrolemapper");
        RoleModel realmRole1 = appRealm.getRole("realmRole1");
        RoleModel realmRole2 = appRealm.getRole("realmRole2");
        Set<RoleModel> johnRoles = johnRoleMapper.getRealmRoleMappingsStream().collect(Collectors.toSet());
        Assert.assertFalse(johnRoles.contains(realmRole1));
        Assert.assertFalse(johnRoles.contains(realmRole2));
    });
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        // Add some role mappings directly in LDAP
        LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
        ComponentModel roleMapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "realmRolesMapper");
        RoleLDAPStorageMapper roleMapper = LDAPTestUtils.getRoleMapper(roleMapperModel, ldapProvider, appRealm);
        LDAPObject johnLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "johnrolemapper");
        // not sure why it is here for second time, but it is failing for Active directory - mapping already exists
        if (!ctx.getLdapProvider().getLdapIdentityStore().getConfig().isActiveDirectory()) {
            roleMapper.addRoleMappingInLDAP("realmRole1", johnLdap);
            roleMapper.addRoleMappingInLDAP("realmRole2", johnLdap);
        }
        UserStorageSyncManager usersSyncManager = new UserStorageSyncManager();
        SynchronizationResult syncResult = usersSyncManager.syncChangedUsers(session.getKeycloakSessionFactory(), appRealm.getId(), new UserStorageProviderModel(ctx.getLdapModel()));
    });
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        // Get user and check that he has requested roles from LDAP
        UserModel johnRoleMapper = session.users().getUserByUsername(appRealm, "johnrolemapper");
        RoleModel realmRole1 = appRealm.getRole("realmRole1");
        RoleModel realmRole2 = appRealm.getRole("realmRole2");
        Set<RoleModel> johnRoles = johnRoleMapper.getRealmRoleMappingsStream().collect(Collectors.toSet());
        Assert.assertTrue(johnRoles.contains(realmRole1));
        Assert.assertTrue(johnRoles.contains(realmRole2));
    });
}
Also used : RealmModel(org.keycloak.models.RealmModel) UserModel(org.keycloak.models.UserModel) UserStorageSyncManager(org.keycloak.services.managers.UserStorageSyncManager) ComponentModel(org.keycloak.component.ComponentModel) LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider) LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject) RoleModel(org.keycloak.models.RoleModel) SynchronizationResult(org.keycloak.storage.user.SynchronizationResult) UserStorageProviderModel(org.keycloak.storage.UserStorageProviderModel) RoleLDAPStorageMapper(org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper) Test(org.junit.Test)

Example 27 with LDAPObject

use of org.keycloak.storage.ldap.idm.model.LDAPObject in project keycloak by keycloak.

the class LDAPSpecialCharsTest method afterImportTestRealm.

@Override
protected void afterImportTestRealm() {
    testingClient.testing().ldap(TEST_REALM_NAME).prepareGroupsLDAPTest();
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        String descriptionAttrName = getGroupDescriptionLDAPAttrName(ctx.getLdapProvider());
        LDAPTestUtils.createLDAPGroup(session, appRealm, ctx.getLdapModel(), "group-spec,ia*l_characžter)s", descriptionAttrName, "group-special-characters");
        LDAPTestUtils.createLDAPGroup(session, appRealm, ctx.getLdapModel(), "group/with/three/slashes", descriptionAttrName, "group-with-three-slashes");
        // Resync LDAP groups to Keycloak DB
        ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "groupsMapper");
        new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(appRealm);
        LDAPObject james2 = LDAPTestUtils.addLDAPUser(ctx.getLdapProvider(), appRealm, "jamees,key*cložak)ppp", "James2", "Brown2", "james2@email.org", null, "89102");
        LDAPTestUtils.updateLDAPPassword(ctx.getLdapProvider(), james2, "Password1");
    });
}
Also used : RealmModel(org.keycloak.models.RealmModel) ComponentModel(org.keycloak.component.ComponentModel) LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject) GroupLDAPStorageMapperFactory(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapperFactory)

Example 28 with LDAPObject

use of org.keycloak.storage.ldap.idm.model.LDAPObject in project keycloak by keycloak.

the class LDAPGroupMapperTest method test02_readOnlyGroupMappings.

protected void test02_readOnlyGroupMappings(boolean importEnabled) {
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "groupsMapper");
        LDAPTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.MODE, LDAPGroupMapperMode.READ_ONLY.toString());
        appRealm.updateComponent(mapperModel);
        GroupModel group1 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1");
        GroupModel group11 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group11");
        // Add some group mappings directly into LDAP
        GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ctx.getLdapProvider(), appRealm);
        LDAPObject maryLdap = ctx.getLdapProvider().loadLDAPUserByUsername(appRealm, "marykeycloak");
        groupMapper.addGroupMappingInLDAP(appRealm, group1, maryLdap);
        groupMapper.addGroupMappingInLDAP(appRealm, group11, maryLdap);
    });
    if (importEnabled) {
        testingClient.server().run(session -> {
            LDAPTestContext ctx = LDAPTestContext.init(session);
            RealmModel appRealm = ctx.getRealm();
            UserModel mary = session.users().getUserByUsername(appRealm, "marykeycloak");
            GroupModel group1 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1");
            GroupModel group11 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group11");
            GroupModel group12 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group12");
            // Add some group mapping to model
            mary.joinGroup(group12);
            // Assert that mary has both LDAP and DB mapped groups
            Set<GroupModel> maryGroups = mary.getGroupsStream().collect(Collectors.toSet());
            Assert.assertEquals(5, maryGroups.size());
            Assert.assertTrue(maryGroups.contains(group1));
            Assert.assertTrue(maryGroups.contains(group11));
            Assert.assertTrue(maryGroups.contains(group12));
            long groupCount = mary.getGroupsCount();
            Assert.assertEquals(5, groupCount);
            Assert.assertEquals(5, mary.getGroupsStream("gr", 0, 10).count());
            Assert.assertEquals(4, mary.getGroupsStream("gr", 1, 10).count());
            Assert.assertEquals(1, mary.getGroupsStream("gr", 0, 1).count());
            Assert.assertEquals(2, mary.getGroupsStream("12", 0, 10).count());
        });
    } else {
        testingClient.server().run(session -> {
            LDAPTestContext ctx = LDAPTestContext.init(session);
            RealmModel appRealm = ctx.getRealm();
            UserModel mary = session.users().getUserByUsername(appRealm, "marykeycloak");
            GroupModel group12 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group12");
            // as it is not allowed to update group mappings in LDAP nor in the DB
            try {
                mary.joinGroup(group12);
                Assert.fail("Not expected to successfully add group12 in no-import mode and READ_ONLY mode of the group mapper");
            } catch (ModelException me) {
            // Ignore
            }
        });
        testingClient.server().run(session -> {
            LDAPTestContext ctx = LDAPTestContext.init(session);
            RealmModel appRealm = ctx.getRealm();
            UserModel mary = session.users().getUserByUsername(appRealm, "marykeycloak");
            GroupModel group1 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1");
            GroupModel group11 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group11");
            GroupModel group12 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group12");
            // Assert that mary has both LDAP and DB mapped groups
            Set<GroupModel> maryGroups = mary.getGroupsStream().collect(Collectors.toSet());
            Assert.assertEquals(4, maryGroups.size());
            Assert.assertTrue(maryGroups.contains(group1));
            Assert.assertTrue(maryGroups.contains(group11));
            Assert.assertFalse(maryGroups.contains(group12));
            long groupCount = mary.getGroupsCount();
            Assert.assertEquals(4, groupCount);
            Assert.assertEquals(4, mary.getGroupsStream("gr", 0, 10).count());
            Assert.assertEquals(3, mary.getGroupsStream("gr", 1, 10).count());
            Assert.assertEquals(1, mary.getGroupsStream("gr", 0, 1).count());
            Assert.assertEquals(1, mary.getGroupsStream("12", 0, 10).count());
        });
    }
    // Assert that access through DB will have just DB mapped groups
    if (importEnabled) {
        testingClient.server().run(session -> {
            LDAPTestContext ctx = LDAPTestContext.init(session);
            RealmModel appRealm = ctx.getRealm();
            GroupModel group1 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1");
            GroupModel group11 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group11");
            GroupModel group12 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group12");
            UserModel maryDB = session.userLocalStorage().getUserByUsername(appRealm, "marykeycloak");
            Set<GroupModel> maryDBGroups = maryDB.getGroupsStream().collect(Collectors.toSet());
            Assert.assertFalse(maryDBGroups.contains(group1));
            Assert.assertFalse(maryDBGroups.contains(group11));
            Assert.assertTrue(maryDBGroups.contains(group12));
            Assert.assertEquals(3, maryDB.getGroupsStream("Gr", 0, 10).count());
            Assert.assertEquals(2, maryDB.getGroupsStream("Gr", 1, 10).count());
            Assert.assertEquals(1, maryDB.getGroupsStream("Gr", 0, 1).count());
            Assert.assertEquals(2, maryDB.getGroupsStream("12", 0, 10).count());
            long dbGroupCount = maryDB.getGroupsCount();
            Assert.assertEquals(3, dbGroupCount);
            // Test the group mapping available for group12
            List<UserModel> group12Members = session.users().getGroupMembersStream(appRealm, group12, 0, 10).collect(Collectors.toList());
            Assert.assertEquals(1, group12Members.size());
            Assert.assertEquals("marykeycloak", group12Members.get(0).getUsername());
            UserModel mary = session.users().getUserByUsername(appRealm, "marykeycloak");
            mary.leaveGroup(group12);
        });
    } else {
        testingClient.server().run(session -> {
            LDAPTestContext ctx = LDAPTestContext.init(session);
            RealmModel appRealm = ctx.getRealm();
            GroupModel group12 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group12");
            // Test the group mapping NOT available for group12
            Stream<UserModel> group12Members = session.users().getGroupMembersStream(appRealm, group12, 0, 10);
            Assert.assertEquals(0, group12Members.count());
        });
    }
    // Check through userProvider
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        GroupModel group1 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1");
        GroupModel group11 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group11");
        GroupModel group12 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group12");
        UserModel john = session.users().getUserByUsername(appRealm, "johnkeycloak");
        UserModel mary = session.users().getUserByUsername(appRealm, "marykeycloak");
        ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "groupsMapper");
        GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ctx.getLdapProvider(), appRealm);
        LDAPObject maryLdap = ctx.getLdapProvider().loadLDAPUserByUsername(appRealm, "marykeycloak");
        List<UserModel> group1Members = session.users().getGroupMembersStream(appRealm, group1, 0, 10).collect(Collectors.toList());
        List<UserModel> group11Members = session.users().getGroupMembersStream(appRealm, group11, 0, 10).collect(Collectors.toList());
        Assert.assertEquals(1, group1Members.size());
        Assert.assertEquals("marykeycloak", group1Members.get(0).getUsername());
        Assert.assertEquals(1, group11Members.size());
        Assert.assertEquals("marykeycloak", group11Members.get(0).getUsername());
        try {
            mary.leaveGroup(group1);
            Assert.fail("It wasn't expected to successfully delete LDAP group mappings in READ_ONLY mode");
        } catch (ModelException expected) {
        }
        // Delete group mappings directly in LDAP
        LDAPObject ldapGroup = groupMapper.loadLDAPGroupByName("group1");
        groupMapper.deleteGroupMappingInLDAP(maryLdap, ldapGroup);
        ldapGroup = groupMapper.loadLDAPGroupByName("group11");
        groupMapper.deleteGroupMappingInLDAP(maryLdap, ldapGroup);
    });
}
Also used : RealmModel(org.keycloak.models.RealmModel) UserModel(org.keycloak.models.UserModel) ModelException(org.keycloak.models.ModelException) ComponentModel(org.keycloak.component.ComponentModel) GroupModel(org.keycloak.models.GroupModel) LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject) GroupLDAPStorageMapper(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper)

Example 29 with LDAPObject

use of org.keycloak.storage.ldap.idm.model.LDAPObject in project keycloak by keycloak.

the class LDAPMSADMapperTest method afterImportTestRealm.

@Override
protected void afterImportTestRealm() {
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        LDAPTestUtils.addLocalUser(session, appRealm, "marykeycloak", "mary@test.com", "password-app");
        LDAPTestUtils.addZipCodeLDAPMapper(appRealm, ctx.getLdapModel());
        // Delete all LDAP users and add some new for testing
        LDAPStorageProvider ldapFedProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
        LDAPTestUtils.removeAllLDAPUsers(ldapFedProvider, appRealm);
        LDAPObject john = LDAPTestUtils.addLDAPUser(ldapFedProvider, appRealm, "johnkeycloak", "John", "Doe", "john@email.org", null, "1234");
        LDAPTestUtils.updateLDAPPassword(ldapFedProvider, john, "Password1");
        appRealm.getClientByClientId("test-app").setDirectAccessGrantsEnabled(true);
    });
}
Also used : RealmModel(org.keycloak.models.RealmModel) LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider) LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject)

Example 30 with LDAPObject

use of org.keycloak.storage.ldap.idm.model.LDAPObject in project keycloak by keycloak.

the class LDAPMSADMapperTest method test06RegisterNewUser.

@Test
public void test06RegisterNewUser() {
    loginPage.open();
    loginPage.clickRegister();
    registerPage.assertCurrent();
    // Register user
    registerPage.register("firstName", "lastName", "email3@check.cz", "registeruser3", "Password1", "Password1");
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
    // Check user enabled in MSAD
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        LDAPObject ldapJohn = ctx.getLdapProvider().loadLDAPUserByUsername(appRealm, "johnkeycloak");
        String pwdLastSet = ldapJohn.getAttributeAsString(LDAPConstants.PWD_LAST_SET);
        Assert.assertTrue(Long.parseLong(pwdLastSet) > 0);
        String userAccountControl = ldapJohn.getAttributeAsString(LDAPConstants.USER_ACCOUNT_CONTROL);
        long longValue = userAccountControl == null ? 0 : Long.parseLong(userAccountControl);
        Assert.assertFalse(new UserAccountControl(longValue).has(UserAccountControl.ACCOUNTDISABLE));
    });
    // Logout and login again. Success
    ApiUtil.findUserByUsernameId(adminClient.realm("test"), "registeruser3").logout();
    loginPage.open();
    loginPage.login("registeruser3", "Password1");
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
}
Also used : RealmModel(org.keycloak.models.RealmModel) UserAccountControl(org.keycloak.storage.ldap.mappers.msad.UserAccountControl) LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject) Test(org.junit.Test)

Aggregations

LDAPObject (org.keycloak.storage.ldap.idm.model.LDAPObject)105 RealmModel (org.keycloak.models.RealmModel)61 Test (org.junit.Test)38 LDAPStorageProvider (org.keycloak.storage.ldap.LDAPStorageProvider)37 ComponentModel (org.keycloak.component.ComponentModel)35 UserModel (org.keycloak.models.UserModel)28 GroupModel (org.keycloak.models.GroupModel)18 SynchronizationResult (org.keycloak.storage.user.SynchronizationResult)16 GroupLDAPStorageMapper (org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper)14 ModelException (org.keycloak.models.ModelException)11 LDAPDn (org.keycloak.storage.ldap.idm.model.LDAPDn)10 LDAPQuery (org.keycloak.storage.ldap.idm.query.internal.LDAPQuery)10 HashMap (java.util.HashMap)9 AbstractAuthTest (org.keycloak.testsuite.AbstractAuthTest)8 HashSet (java.util.HashSet)7 List (java.util.List)7 CachedUserModel (org.keycloak.models.cache.CachedUserModel)7 LDAPConfig (org.keycloak.storage.ldap.LDAPConfig)7 LDAPStorageMapper (org.keycloak.storage.ldap.mappers.LDAPStorageMapper)7 Map (java.util.Map)6