
Example 1 with UserAccountControl

Use of org.keycloak.storage.ldap.mappers.msad.UserAccountControl in the project keycloak by keycloak.

Usage in the class LDAPMSADMapperTest, method test06RegisterNewUser.

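/**
 * Registers a brand-new user through the registration page, verifies that the matching
 * LDAP/MSAD entry is present and not flagged ACCOUNTDISABLE, then logs the user out and
 * back in again.
 *
 * <p>The MSAD check deliberately targets the user that was just registered
 * ({@code registeruser3}); checking the pre-existing {@code johnkeycloak} here would not
 * exercise the registration path at all.
 */
@Test
public void test06RegisterNewUser() {
    loginPage.open();
    loginPage.clickRegister();
    registerPage.assertCurrent();

    // Register user
    registerPage.register("firstName", "lastName", "email3@check.cz", "registeruser3", "Password1", "Password1");
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());

    // Check the newly registered user (not johnkeycloak) is enabled in MSAD
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();

        LDAPObject ldapUser = ctx.getLdapProvider().loadLDAPUserByUsername(appRealm, "registeruser3");
        Assert.assertNotNull("LDAP user registeruser3 was not found in MSAD after registration", ldapUser);

        // Fail with a readable message instead of an NPE from Long.parseLong when the attribute is missing
        String pwdLastSet = ldapUser.getAttributeAsString(LDAPConstants.PWD_LAST_SET);
        Assert.assertNotNull("LDAP user registeruser3 does not have pwdLastSet attribute on him", pwdLastSet);
        Assert.assertTrue(Long.parseLong(pwdLastSet) > 0);

        // userAccountControl carries the account flags (see UserAccountControl.has); a missing
        // attribute is treated as "no flags set", which in particular means not disabled
        String userAccountControl = ldapUser.getAttributeAsString(LDAPConstants.USER_ACCOUNT_CONTROL);
        long flags = userAccountControl == null ? 0 : Long.parseLong(userAccountControl);
        Assert.assertFalse(new UserAccountControl(flags).has(UserAccountControl.ACCOUNTDISABLE));
    });

    // Logout and login again. Success
    ApiUtil.findUserByUsernameId(adminClient.realm("test"), "registeruser3").logout();
    loginPage.open();
    loginPage.login("registeruser3", "Password1");
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
}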

Example 2 with UserAccountControl

Use of org.keycloak.storage.ldap.mappers.msad.UserAccountControl in the project keycloak by keycloak.

Usage in the class LDAPMSADMapperTest, method isJohnEnabledInMSAD.

/**
 * Reads the {@code userAccountControl} attribute of the LDAP user {@code johnkeycloak}
 * through the server-side test client and reports whether the ACCOUNTDISABLE flag is absent.
 *
 * <p>Fails the test (via {@link Assert#fail}) when the attribute is not present at all,
 * so a missing attribute is never silently reported as "enabled".
 *
 * @return {@code true} when the account does not carry ACCOUNTDISABLE, {@code false} otherwise
 */
private boolean isJohnEnabledInMSAD() {
    String rawControlValue = testingClient.server().fetchString(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        LDAPObject ldapJohn = ctx.getLdapProvider().loadLDAPUserByUsername(ctx.getRealm(), "johnkeycloak");
        return ldapJohn.getAttributeAsString(LDAPConstants.USER_ACCOUNT_CONTROL);
    });

    if (rawControlValue == null) {
        Assert.fail("LDAP user johnkeycloak does not have userAccountControl attribute on him");
    }

    // fetchString hands the value back wrapped in double quotes, so they are stripped before parsing.
    // TODO: Ideally fix fetchString method and all the tests, which uses it as it is dummy to need to remove quotes in each test individually...
    String numericValue = rawControlValue.replace("\"", "");
    UserAccountControl accountControl = new UserAccountControl(Long.parseLong(numericValue));

    boolean disabled = accountControl.has(UserAccountControl.ACCOUNTDISABLE);
    return !disabled;
}

Example 3 with UserAccountControl

Use of org.keycloak.storage.ldap.mappers.msad.UserAccountControl in the project keycloak by keycloak.

Usage in the class LDAPMSADMapperTest, method test07DisabledUserInMSADSwitchedToEnabledInKeycloak.

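/**
 * Disables {@code johnkeycloak} directly in MSAD by setting ACCOUNTDISABLE on the
 * {@code userAccountControl} attribute, checks that the disabled state is visible through
 * both the admin REST API and LDAP and that login is refused, then re-enables the user via
 * the admin REST API and verifies the change is propagated back to MSAD and login works again.
 */
@Test
public void test07DisabledUserInMSADSwitchedToEnabledInKeycloak() {
    // Disable user in MSAD
    testingClient.server().run(session -> {
        LDAPTestContext ctx = LDAPTestContext.init(session);
        RealmModel appRealm = ctx.getRealm();

        LDAPObject ldapJohn = ctx.getLdapProvider().loadLDAPUserByUsername(appRealm, "johnkeycloak");
        String userAccountControlStr = ldapJohn.getAttributeAsString(LDAPConstants.USER_ACCOUNT_CONTROL);
        // Fail explicitly (as isJohnEnabledInMSAD does) instead of with an NPE from Long.parseLong
        Assert.assertNotNull("LDAP user johnkeycloak does not have userAccountControl attribute on him", userAccountControlStr);

        // Set the ACCOUNTDISABLE flag and write the updated attribute back to LDAP
        UserAccountControl control = new UserAccountControl(Long.parseLong(userAccountControlStr));
        control.add(UserAccountControl.ACCOUNTDISABLE);
        ldapJohn.setSingleAttribute(LDAPConstants.USER_ACCOUNT_CONTROL, String.valueOf(control.getValue()));
        ctx.getLdapProvider().getLdapIdentityStore().update(ldapJohn);
    });

    // Check user disabled in both admin REST API and MSAD
    UserResource john = ApiUtil.findUserByUsernameId(adminClient.realm("test"), "johnkeycloak");
    UserRepresentation johnRep = john.toRepresentation();
    Assert.assertFalse(johnRep.isEnabled());
    Assert.assertFalse(isJohnEnabledInMSAD());

    // Login as johnkeycloak, but user disabled
    loginPage.open();
    loginPage.login("johnkeycloak", "Password1");
    Assert.assertEquals("Account is disabled, contact your administrator.", loginPage.getError());

    // Enable user in admin REST API
    johnRep.setEnabled(true);
    john.update(johnRep);

    // Assert user enabled also in MSAD
    Assert.assertTrue(isJohnEnabledInMSAD());

    // Logout and login again. There should not be a need to update required action anymore
    john.logout();
    loginPage.open();
    loginPage.login("johnkeycloak", "Password1");
    Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
}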
