Search in sources :

Example 36 with LDAPObject

use of org.keycloak.storage.ldap.idm.model.LDAPObject in project keycloak by keycloak.

the class LDAPRoleMappingsNoImportTest method test01ReadMappings.

@Test
public void test01ReadMappings() {
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        LDAPTestUtils.addOrUpdateRoleLDAPMappers(appRealm, ctx.getLdapModel(), LDAPGroupMapperMode.LDAP_ONLY);
        ComponentModel roleMapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "realmRolesMapper");
        LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
        RoleLDAPStorageMapper roleMapper = LDAPTestUtils.getRoleMapper(roleMapperModel, ldapProvider, appRealm);
        LDAPObject maryLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "marykeycloak");
        roleMapper.addRoleMappingInLDAP("realmRole1", maryLdap);
        roleMapper.addRoleMappingInLDAP("realmRole2", maryLdap);
    });
    testingClient.server().run(session -> {
        session.userCache().clear();
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        UserModel mary = session.users().getUserByUsername(appRealm, "marykeycloak");
        // make sure we are in no-import mode!
        Assert.assertNull(session.userLocalStorage().getUserByUsername(appRealm, "marykeycloak"));
        // This role should already exists as it was imported from LDAP
        RoleModel realmRole1 = appRealm.getRole("realmRole1");
        // This role should already exists as it was imported from LDAP
        RoleModel realmRole2 = appRealm.getRole("realmRole2");
        Set<RoleModel> maryRoles = mary.getRealmRoleMappingsStream().collect(Collectors.toSet());
        Assert.assertTrue(maryRoles.contains(realmRole1));
        Assert.assertTrue(maryRoles.contains(realmRole2));
        // Add some role mappings directly into LDAP
        ComponentModel roleMapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "realmRolesMapper");
        LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
        RoleLDAPStorageMapper roleMapper = LDAPTestUtils.getRoleMapper(roleMapperModel, ldapProvider, appRealm);
        LDAPObject maryLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "marykeycloak");
        deleteRoleMappingsInLDAP(roleMapper, maryLdap, "realmRole1");
        deleteRoleMappingsInLDAP(roleMapper, maryLdap, "realmRole2");
    });
    testingClient.server().run(session -> {
        session.userCache().clear();
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        UserModel mary = session.users().getUserByUsername(appRealm, "marykeycloak");
        // This role should already exists as it was imported from LDAP
        RoleModel realmRole1 = appRealm.getRole("realmRole1");
        // This role should already exists as it was imported from LDAP
        RoleModel realmRole2 = appRealm.getRole("realmRole2");
        Set<RoleModel> maryRoles = mary.getRealmRoleMappingsStream().collect(Collectors.toSet());
        Assert.assertFalse(maryRoles.contains(realmRole1));
        Assert.assertFalse(maryRoles.contains(realmRole2));
    });
}
Also used : RealmModel(org.keycloak.models.RealmModel) UserModel(org.keycloak.models.UserModel) ComponentModel(org.keycloak.component.ComponentModel) LDAPTestContext(org.keycloak.testsuite.federation.ldap.LDAPTestContext) LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider) LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject) RoleModel(org.keycloak.models.RoleModel) RoleLDAPStorageMapper(org.keycloak.storage.ldap.mappers.membership.role.RoleLDAPStorageMapper) Test(org.junit.Test) AbstractLDAPTest(org.keycloak.testsuite.federation.ldap.AbstractLDAPTest)

Example 37 with LDAPObject

use of org.keycloak.storage.ldap.idm.model.LDAPObject in project keycloak by keycloak.

the class LDAPRoleMappingsNoImportTest method afterImportTestRealm.

@Override
protected void afterImportTestRealm() {
    // Disable pagination
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        ctx.getLdapModel().put(LDAPConstants.PAGINATION, "false");
        appRealm.updateComponent(ctx.getLdapModel());
    });
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        UserStorageProviderModel ldapModel = ctx.getLdapModel();
        LDAPTestUtils.addLocalUser(session, appRealm, "mary", "mary@test.com", "password-app");
        // Delete all LDAP users
        LDAPStorageProvider ldapFedProvider = LDAPTestUtils.getLdapProvider(session, ldapModel);
        LDAPTestUtils.removeAllLDAPUsers(ldapFedProvider, appRealm);
        // Add sample application
        ClientModel finance = appRealm.addClient("finance");
        // Delete all LDAP roles
        LDAPTestUtils.addOrUpdateRoleLDAPMappers(appRealm, ldapModel, LDAPGroupMapperMode.LDAP_ONLY);
        LDAPTestUtils.removeAllLDAPRoles(session, appRealm, ldapModel, "realmRolesMapper");
        LDAPTestUtils.removeAllLDAPRoles(session, appRealm, ldapModel, "financeRolesMapper");
        // Add some users for testing
        LDAPObject john = LDAPTestUtils.addLDAPUser(ldapFedProvider, appRealm, "johnkeycloak", "John", "Doe", "john@email.org", null, "1234");
        LDAPTestUtils.updateLDAPPassword(ldapFedProvider, john, "Password1");
        LDAPObject mary = LDAPTestUtils.addLDAPUser(ldapFedProvider, appRealm, "marykeycloak", "Mary", "Kelly", "mary@email.org", null, "5678");
        LDAPTestUtils.updateLDAPPassword(ldapFedProvider, mary, "Password1");
        LDAPObject rob = LDAPTestUtils.addLDAPUser(ldapFedProvider, appRealm, "robkeycloak", "Rob", "Brown", "rob@email.org", null, "8910");
        LDAPTestUtils.updateLDAPPassword(ldapFedProvider, rob, "Password1");
        // Add some roles for testing
        LDAPTestUtils.createLDAPRole(session, appRealm, ldapModel, "realmRolesMapper", "realmRole1");
        LDAPTestUtils.createLDAPRole(session, appRealm, ldapModel, "realmRolesMapper", "realmRole2");
        LDAPTestUtils.createLDAPRole(session, appRealm, ldapModel, "financeRolesMapper", "financeRole1");
        // Sync LDAP roles to Keycloak DB
        LDAPTestUtils.syncRolesFromLDAP(appRealm, ldapFedProvider, ldapModel);
    });
}
Also used : RealmModel(org.keycloak.models.RealmModel) ClientModel(org.keycloak.models.ClientModel) LDAPTestContext(org.keycloak.testsuite.federation.ldap.LDAPTestContext) LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider) LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject) UserStorageProviderModel(org.keycloak.storage.UserStorageProviderModel)

Example 38 with LDAPObject

use of org.keycloak.storage.ldap.idm.model.LDAPObject in project keycloak by keycloak.

the class LDAPGroupMapperSyncTest method test02_syncWithGroupInheritance.

@Test
public void test02_syncWithGroupInheritance() throws Exception {
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel realm = ctx.getRealm();
        String descriptionAttrName = LDAPTestUtils.getGroupDescriptionLDAPAttrName(ctx.getLdapProvider());
        ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(realm, ctx.getLdapModel(), "groupsMapper");
        LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
        GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ldapProvider, realm);
        // KEYCLOAK-11415 - This test requires the group mapper to be configured with preserve group inheritance
        // set to 'true' (the default setting). If preservation of group inheritance isn't configured, some of
        // the previous test(s) failed to cleanup properly. Check the requirement as part of running the test
        Assert.assertEquals(mapperModel.getConfig().getFirst("preserve.group.inheritance"), "true");
        // Sync groups with inheritance
        SynchronizationResult syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(realm);
        LDAPTestAsserts.assertSyncEquals(syncResult, 3, 0, 0, 0);
        // Assert groups are imported to keycloak including their inheritance from LDAP
        GroupModel kcGroup1 = KeycloakModelUtils.findGroupByPath(realm, "/group1");
        Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group11"));
        Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group12"));
        GroupModel kcGroup11 = KeycloakModelUtils.findGroupByPath(realm, "/group1/group11");
        GroupModel kcGroup12 = KeycloakModelUtils.findGroupByPath(realm, "/group1/group12");
        Assert.assertEquals(2, kcGroup1.getSubGroupsStream().count());
        Assert.assertEquals("group1 - description", kcGroup1.getFirstAttribute(descriptionAttrName));
        Assert.assertNull(kcGroup11.getFirstAttribute(descriptionAttrName));
        Assert.assertEquals("group12 - description", kcGroup12.getFirstAttribute(descriptionAttrName));
        // Update description attributes in LDAP
        LDAPObject group1 = groupMapper.loadLDAPGroupByName("group1");
        group1.setSingleAttribute(descriptionAttrName, "group1 - changed description");
        ldapProvider.getLdapIdentityStore().update(group1);
        LDAPObject group12 = groupMapper.loadLDAPGroupByName("group12");
        group12.setAttribute(descriptionAttrName, null);
        ldapProvider.getLdapIdentityStore().update(group12);
        // Sync and assert groups updated
        syncResult = new GroupLDAPStorageMapperFactory().create(session, mapperModel).syncDataFromFederationProviderToKeycloak(realm);
        LDAPTestAsserts.assertSyncEquals(syncResult, 0, 3, 0, 0);
        // Assert attributes changed in keycloak
        kcGroup1 = KeycloakModelUtils.findGroupByPath(realm, "/group1");
        kcGroup12 = KeycloakModelUtils.findGroupByPath(realm, "/group1/group12");
        Assert.assertEquals("group1 - changed description", kcGroup1.getFirstAttribute(descriptionAttrName));
        Assert.assertNull(kcGroup12.getFirstAttribute(descriptionAttrName));
    });
}
Also used : RealmModel(org.keycloak.models.RealmModel) ComponentModel(org.keycloak.component.ComponentModel) LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider) GroupModel(org.keycloak.models.GroupModel) LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject) GroupLDAPStorageMapperFactory(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapperFactory) SynchronizationResult(org.keycloak.storage.user.SynchronizationResult) GroupLDAPStorageMapper(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper) Test(org.junit.Test)

Example 39 with LDAPObject

use of org.keycloak.storage.ldap.idm.model.LDAPObject in project keycloak by keycloak.

the class LDAPGroupMapperTest method test05_getGroupsFromUserMemberOfStrategyTest.

// KEYCLOAK-5848
// Test GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE with custom 'Member-Of LDAP Attribute'. As a workaround, we are testing this with custom attribute "street"
// just because it's available on all the LDAP servers
@Test
public void test05_getGroupsFromUserMemberOfStrategyTest() throws Exception {
    ComponentRepresentation groupMapperRep = findMapperRepByName("groupsMapper");
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        // Create street attribute mapper
        LDAPTestUtils.addUserAttributeMapper(appRealm, ctx.getLdapModel(), "streetMapper", "street", LDAPConstants.STREET);
        // Find DN of "group1"
        ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "groupsMapper");
        GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ctx.getLdapProvider(), appRealm);
        LDAPObject ldapGroup = groupMapper.loadLDAPGroupByName("group1");
        String ldapGroupDN = ldapGroup.getDn().toString();
        // Create new user in LDAP. Add him some "street" referencing existing LDAP Group
        LDAPObject carlos = LDAPTestUtils.addLDAPUser(ctx.getLdapProvider(), appRealm, "carloskeycloak", "Carlos", "Doel", "carlos.doel@email.org", ldapGroupDN, "1234");
        LDAPTestUtils.updateLDAPPassword(ctx.getLdapProvider(), carlos, "Password1");
        // Update group mapper
        LDAPTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.USER_ROLES_RETRIEVE_STRATEGY, GroupMapperConfig.GET_GROUPS_FROM_USER_MEMBEROF_ATTRIBUTE, GroupMapperConfig.MEMBEROF_LDAP_ATTRIBUTE, LDAPConstants.STREET);
        appRealm.updateComponent(mapperModel);
    });
    ComponentRepresentation streetMapperRep = findMapperRepByName("streetMapper");
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        // Get user in Keycloak. Ensure that he is member of requested group
        UserModel carlos = session.users().getUserByUsername(appRealm, "carloskeycloak");
        Set<GroupModel> carlosGroups = carlos.getGroupsStream().collect(Collectors.toSet());
        GroupModel group1 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1");
        GroupModel group11 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group11");
        GroupModel group12 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group12");
        Assert.assertTrue(carlosGroups.contains(group1));
        Assert.assertFalse(carlosGroups.contains(group11));
        Assert.assertFalse(carlosGroups.contains(group12));
        Assert.assertEquals(1, carlosGroups.size());
    });
    // Revert mappers
    testRealm().components().component(streetMapperRep.getId()).remove();
    groupMapperRep.getConfig().putSingle(GroupMapperConfig.USER_ROLES_RETRIEVE_STRATEGY, GroupMapperConfig.LOAD_GROUPS_BY_MEMBER_ATTRIBUTE);
    testRealm().components().component(groupMapperRep.getId()).update(groupMapperRep);
}
Also used : ComponentRepresentation(org.keycloak.representations.idm.ComponentRepresentation) RealmModel(org.keycloak.models.RealmModel) UserModel(org.keycloak.models.UserModel) ComponentModel(org.keycloak.component.ComponentModel) LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject) GroupModel(org.keycloak.models.GroupModel) GroupLDAPStorageMapper(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper) Test(org.junit.Test)

Example 40 with LDAPObject

use of org.keycloak.storage.ldap.idm.model.LDAPObject in project keycloak by keycloak.

the class LDAPGroupMapperTest method test08_ldapOnlyGroupMappingsRanged.

@Test
public void test08_ldapOnlyGroupMappingsRanged() {
    testingClient.server().run(session -> {
        // try to do 3 pages (30+30+1)
        int membersToTest = 61;
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();
        ComponentModel mapperModel = LDAPTestUtils.getSubcomponentByName(appRealm, ctx.getLdapModel(), "groupsMapper");
        LDAPTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.MODE, LDAPGroupMapperMode.LDAP_ONLY.toString());
        appRealm.updateComponent(mapperModel);
        // Ignoring this test on ActiveDirectory and rhds as it's currently impossible to import more than 60 users without timeout
        LDAPConfig ldapConfig = ctx.getLdapProvider().getLdapIdentityStore().getConfig();
        if (ldapConfig.isActiveDirectory() || LDAPConstants.VENDOR_RHDS.equals(ldapConfig.getVendor())) {
            return;
        }
        // create big grups that use ranged search
        String descriptionAttrName = getGroupDescriptionLDAPAttrName(ctx.getLdapProvider());
        LDAPObject bigGroup = LDAPTestUtils.createLDAPGroup(session, appRealm, ctx.getLdapModel(), "biggroup", descriptionAttrName, "biggroup - description");
        // create the users to use range search and add them to the group
        for (int i = 0; i < membersToTest; i++) {
            String username = String.format("user%02d", i);
            LDAPObject user = LDAPTestUtils.addLDAPUser(ctx.getLdapProvider(), appRealm, username, username, username, username + "@email.org", null, "1234");
            LDAPUtils.addMember(ctx.getLdapProvider(), MembershipType.DN, LDAPConstants.MEMBER, "not-used", bigGroup, user);
        }
        // check if ranged intercetor is in place and working
        GroupMapperConfig config = new GroupMapperConfig(mapperModel);
        bigGroup = LDAPGroupMapperTest.searchObjectInBase(ctx.getLdapProvider(), bigGroup.getDn().toString(), config.getMembershipLdapAttribute());
        Assert.assertNotNull(bigGroup.getAttributes().get(config.getMembershipLdapAttribute()));
        Assert.assertFalse(bigGroup.isRangeComplete(config.getMembershipLdapAttribute()));
        Assert.assertTrue(membersToTest > bigGroup.getAttributeAsSet(config.getMembershipLdapAttribute()).size());
        Assert.assertEquals(bigGroup.getCurrentRange(config.getMembershipLdapAttribute()), bigGroup.getAttributeAsSet(config.getMembershipLdapAttribute()).size() - 1);
        // now check the population of ranged attributes is OK
        LDAPStorageProvider ldapProvider = LDAPTestUtils.getLdapProvider(session, ctx.getLdapModel());
        GroupLDAPStorageMapper groupMapper = LDAPTestUtils.getGroupMapper(mapperModel, ldapProvider, appRealm);
        groupMapper.syncDataFromFederationProviderToKeycloak(appRealm);
        GroupModel kcBigGroup = KeycloakModelUtils.findGroupByPath(appRealm, "/biggroup");
        // check all the users have the group assigned
        for (int i = 0; i < membersToTest; i++) {
            UserModel kcUser = session.users().getUserByUsername(appRealm, String.format("user%02d", i));
            Assert.assertTrue("User contains biggroup " + i, kcUser.getGroupsStream().collect(Collectors.toSet()).contains(kcBigGroup));
        }
        // check the group contains all the users as member
        List<UserModel> groupMembers = session.users().getGroupMembersStream(appRealm, kcBigGroup, 0, membersToTest).collect(Collectors.toList());
        Assert.assertEquals(membersToTest, groupMembers.size());
        Set<String> usernames = groupMembers.stream().map(u -> u.getUsername()).collect(Collectors.toSet());
        for (int i = 0; i < membersToTest; i++) {
            Assert.assertTrue("Group contains user " + i, usernames.contains(String.format("user%02d", i)));
        }
    });
}
Also used : MethodSorters(org.junit.runners.MethodSorters) LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider) KeycloakModelUtils(org.keycloak.models.utils.KeycloakModelUtils) SearchControls(javax.naming.directory.SearchControls) LDAPConstants(org.keycloak.models.LDAPConstants) ComponentRepresentation(org.keycloak.representations.idm.ComponentRepresentation) UserModel(org.keycloak.models.UserModel) LDAPRule(org.keycloak.testsuite.util.LDAPRule) ComponentModel(org.keycloak.component.ComponentModel) GroupModel(org.keycloak.models.GroupModel) ClassRule(org.junit.ClassRule) LDAPGroupMapperMode(org.keycloak.storage.ldap.mappers.membership.LDAPGroupMapperMode) LDAPDn(org.keycloak.storage.ldap.idm.model.LDAPDn) MembershipType(org.keycloak.storage.ldap.mappers.membership.MembershipType) RealmModel(org.keycloak.models.RealmModel) LDAPConfig(org.keycloak.storage.ldap.LDAPConfig) LDAPTestUtils(org.keycloak.testsuite.util.LDAPTestUtils) Set(java.util.Set) LDAPTestUtils.getGroupDescriptionLDAPAttrName(org.keycloak.testsuite.util.LDAPTestUtils.getGroupDescriptionLDAPAttrName) Test(org.junit.Test) LDAPQuery(org.keycloak.storage.ldap.idm.query.internal.LDAPQuery) Collectors(java.util.stream.Collectors) GroupLDAPStorageMapper(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper) LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject) List(java.util.List) Stream(java.util.stream.Stream) LDAPUtils(org.keycloak.storage.ldap.LDAPUtils) ModelException(org.keycloak.models.ModelException) Assert(org.junit.Assert) FixMethodOrder(org.junit.FixMethodOrder) GroupMapperConfig(org.keycloak.storage.ldap.mappers.membership.group.GroupMapperConfig) LDAPStorageProvider(org.keycloak.storage.ldap.LDAPStorageProvider) GroupModel(org.keycloak.models.GroupModel) GroupMapperConfig(org.keycloak.storage.ldap.mappers.membership.group.GroupMapperConfig) RealmModel(org.keycloak.models.RealmModel) UserModel(org.keycloak.models.UserModel) LDAPConfig(org.keycloak.storage.ldap.LDAPConfig) ComponentModel(org.keycloak.component.ComponentModel) LDAPObject(org.keycloak.storage.ldap.idm.model.LDAPObject) GroupLDAPStorageMapper(org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper) Test(org.junit.Test)

Aggregations

LDAPObject (org.keycloak.storage.ldap.idm.model.LDAPObject)105 RealmModel (org.keycloak.models.RealmModel)61 Test (org.junit.Test)38 LDAPStorageProvider (org.keycloak.storage.ldap.LDAPStorageProvider)37 ComponentModel (org.keycloak.component.ComponentModel)35 UserModel (org.keycloak.models.UserModel)28 GroupModel (org.keycloak.models.GroupModel)18 SynchronizationResult (org.keycloak.storage.user.SynchronizationResult)16 GroupLDAPStorageMapper (org.keycloak.storage.ldap.mappers.membership.group.GroupLDAPStorageMapper)14 ModelException (org.keycloak.models.ModelException)11 LDAPDn (org.keycloak.storage.ldap.idm.model.LDAPDn)10 LDAPQuery (org.keycloak.storage.ldap.idm.query.internal.LDAPQuery)10 HashMap (java.util.HashMap)9 AbstractAuthTest (org.keycloak.testsuite.AbstractAuthTest)8 HashSet (java.util.HashSet)7 List (java.util.List)7 CachedUserModel (org.keycloak.models.cache.CachedUserModel)7 LDAPConfig (org.keycloak.storage.ldap.LDAPConfig)7 LDAPStorageMapper (org.keycloak.storage.ldap.mappers.LDAPStorageMapper)7 Map (java.util.Map)6