
Example 61 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

the class ClientRegistrationPoliciesTest method testAnonUpdateWithTrustedHost.

/**
 * Exercises an update of a client obtained from {@code create()} after "localhost" has been passed to
 * {@code setTrustedHost}: a redirect URI on host "bad" is expected to be refused with 403
 * "URL doesn't match", while a redirect URI on "localhost" is expected to be accepted.
 */
@Test
// Excluded for the remote auth server: setting the trusted host there would need a domain name -> IP address lookup
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testAnonUpdateWithTrustedHost() throws Exception {
    setTrustedHost("localhost");
    OIDCClientRepresentation registered = create();

    // Negative case first: the redirect URI points at a host other than the trusted one,
    // so the update is expected to be rejected (presumably by the trusted-hosts policy; confirm in assertOidcFail)
    registered.setRedirectUris(Collections.singletonList("http://bad:8080/foo"));
    assertOidcFail(ClientRegOp.UPDATE, registered, 403, "URL doesn't match");

    // Positive case: the redirect URI host equals the trusted host, so the update must go through
    registered.setRedirectUris(Collections.singletonList("http://localhost:8080/foo"));
    reg.oidc().update(registered);
}
Also used : OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test)

Example 62 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

the class ClientRegistrationPoliciesTest method testProtocolMappersCreate.

// PROTOCOL MAPPERS
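/**
 * Checks the protocol-mapper registration policy for a client carrying the mapper built by
 * {@code createHardcodedMapperRep()}. Creation is expected to be refused with 403 both without
 * credentials and with an initial access token, until {@code HardcodedRole.PROVIDER_ID} is added to the
 * allowed mapper types of the policy looked up with {@code getPolicyAuth()}. After that the
 * token-authenticated creation must succeed while the unauthenticated one must still be refused.
 *
 * <p>The relaxed policy and the registered "test-app" client are reverted in {@code finally} blocks, so a
 * failing assertion does not leave a more permissive policy behind in the realm.
 */
@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testProtocolMappersCreate() throws Exception {
    setTrustedHost("localhost");
    // Try to add client with some "hardcoded role" mapper. Should fail
    ClientRepresentation clientRep = createRep("test-app");
    clientRep.setProtocolMappers(Collections.singletonList(createHardcodedMapperRep()));
    assertFail(ClientRegOp.CREATE, clientRep, 403, "ProtocolMapper type not allowed");
    // Try the same authenticated. Should still fail.
    ClientInitialAccessPresentation token = adminClient.realm(REALM_NAME).clientInitialAccess().create(new ClientInitialAccessCreatePresentation(0, 10));
    reg.auth(Auth.token(token));
    assertFail(ClientRegOp.CREATE, clientRep, 403, "ProtocolMapper type not allowed");
    // Update the "authenticated" policy and allow hardcoded role mapper
    ComponentRepresentation protocolMapperPolicyRep = findPolicyByProviderAndAuth(ProtocolMappersClientRegistrationPolicyFactory.PROVIDER_ID, getPolicyAuth());
    protocolMapperPolicyRep.getConfig().add(ProtocolMappersClientRegistrationPolicyFactory.ALLOWED_PROTOCOL_MAPPER_TYPES, HardcodedRole.PROVIDER_ID);
    realmResource().components().component(protocolMapperPolicyRep.getId()).update(protocolMapperPolicyRep);
    try {
        // Check authenticated registration is permitted
        ClientRepresentation registeredClient = reg.create(clientRep);
        try {
            Assert.assertNotNull(registeredClient.getRegistrationAccessToken());
            // Check "anonymous" registration still fails
            clientRep = createRep("test-app-2");
            clientRep.setProtocolMappers(Collections.singletonList(createHardcodedMapperRep()));
            reg.auth(null);
            assertFail(ClientRegOp.CREATE, clientRep, 403, "ProtocolMapper type not allowed");
        } finally {
            // Remove the client that was registered above, even when one of the checks failed
            ApiUtil.findClientResourceByClientId(realmResource(), "test-app").remove();
        }
    } finally {
        // Revert policy change, so the hardcoded role mapper does not stay allowed after a failure
        // NOTE(review): confirm that the two-argument remove(key, value) on this config map drops the single
        // allowed type; if the map keeps a list of values per key, it may compare against the whole list - verify
        protocolMapperPolicyRep.getConfig().remove(ProtocolMappersClientRegistrationPolicyFactory.ALLOWED_PROTOCOL_MAPPER_TYPES, HardcodedRole.PROVIDER_ID);
        realmResource().components().component(protocolMapperPolicyRep.getId()).update(protocolMapperPolicyRep);
    }
}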
Also used : ComponentRepresentation(org.keycloak.representations.idm.ComponentRepresentation) ClientInitialAccessCreatePresentation(org.keycloak.representations.idm.ClientInitialAccessCreatePresentation) ClientInitialAccessPresentation(org.keycloak.representations.idm.ClientInitialAccessPresentation) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test)

Example 63 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

the class ClientRegistrationPoliciesTest method testAnonFullScopeAllowed.

/**
 * Verifies that a client obtained from {@code create()} has fullScopeAllowed switched off, that an update
 * trying to switch it on is expected to be refused with 403 "Not permitted to enable fullScopeAllowed",
 * and that an update keeping it off is accepted.
 */
@Test
// Not run against the remote auth server: setting the trusted host there would need a domain name -> IP address lookup
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testAnonFullScopeAllowed() throws Exception {
    setTrustedHost("localhost");

    // Register a client, then read it back through the realm resource by its client id
    String registeredId = create().getClientId();
    ClientRepresentation stored = ApiUtil.findClientByClientId(realmResource(), registeredId).toRepresentation();

    // The freshly registered client must not have fullScopeAllowed set
    Assert.assertFalse(stored.isFullScopeAllowed());

    // Switching fullScopeAllowed on through an update should be rejected
    stored.setFullScopeAllowed(true);
    assertFail(ClientRegOp.UPDATE, stored, 403, "Not permitted to enable fullScopeAllowed");

    // Sending the update with fullScopeAllowed left off should be accepted
    stored.setFullScopeAllowed(false);
    reg.update(stored);
}
Also used : OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test)

Example 64 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

the class ClientRegistrationPoliciesTest method testClientScopesPolicyWithPermittedScope.

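/**
 * Checks the client-scopes registration policy: a client that lists the scope "foo" among its default
 * client scopes is expected to be refused with 403 until "foo" is written to the allowed client scopes of
 * the policy looked up with {@code getPolicyAnon()}; afterwards registration must succeed.
 *
 * <p>The creation response is closed in a {@code finally} block, and the registered client and the "foo"
 * scope are removed in {@code finally} blocks, so a failing assertion does not leave them in the realm.
 */
@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testClientScopesPolicyWithPermittedScope() throws Exception {
    setTrustedHost("localhost");
    // Add some clientScope through Admin REST
    ClientScopeRepresentation clientScope = new ClientScopeRepresentation();
    clientScope.setName("foo");
    clientScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    Response response = realmResource().clientScopes().create(clientScope);
    String clientScopeId;
    try {
        clientScopeId = ApiUtil.getCreatedId(response);
    } finally {
        // Close the response even when the created id cannot be read from it
        response.close();
    }
    try {
        // I can't register new client with this scope
        ClientRepresentation clientRep = createRep("test-app");
        clientRep.setDefaultClientScopes(Collections.singletonList("foo"));
        assertFail(ClientRegOp.CREATE, clientRep, 403, "Not permitted to use specified clientScope");
        // Update the policy to allow the "foo" scope
        // NOTE(review): the value written by putSingle is not restored by this test; confirm that another
        // fixture resets the policy, otherwise "foo" stays in its allowed client scopes
        ComponentRepresentation clientScopesPolicyRep = findPolicyByProviderAndAuth(ClientScopesClientRegistrationPolicyFactory.PROVIDER_ID, getPolicyAnon());
        clientScopesPolicyRep.getConfig().putSingle(ClientScopesClientRegistrationPolicyFactory.ALLOWED_CLIENT_SCOPES, "foo");
        realmResource().components().component(clientScopesPolicyRep.getId()).update(clientScopesPolicyRep);
        // Check that I can register client now
        ClientRepresentation registeredClient = reg.create(clientRep);
        try {
            Assert.assertNotNull(registeredClient.getRegistrationAccessToken());
        } finally {
            // Remove the registered client before the scope it refers to
            ApiUtil.findClientResourceByClientId(realmResource(), "test-app").remove();
        }
    } finally {
        // Revert client scope
        realmResource().clientScopes().get(clientScopeId).remove();
    }
}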
Also used : Response(javax.ws.rs.core.Response) ComponentRepresentation(org.keycloak.representations.idm.ComponentRepresentation) ClientScopeRepresentation(org.keycloak.representations.idm.ClientScopeRepresentation) OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test)

Example 65 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

the class ClientTest method getAllClientsSearchAndPagination.

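/**
 * Creates ten clients with ids "ccx-01" to "ccx-10" and checks three {@code findAll("ccx-", ...)} calls
 * with {@code assertPaginatedClients}: (0, 100) against the range 1..10, (0, 5) against 1..5 and (5, 5)
 * against 6..10. The last two {@code findAll} arguments look like offset and page size; confirm against
 * the clients resource API.
 *
 * <p>Every creation response is closed in a {@code finally} block, and all clients whose ids were
 * recorded are removed again even when an assertion fails.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void getAllClientsSearchAndPagination() {
    Set<String> ids = new HashSet<>();
    try {
        for (int i = 1; i <= 10; i++) {
            // Zero-pad single digits so that all ten ids have the same length
            ClientRepresentation c = ClientBuilder.create().clientId("ccx-" + (i < 10 ? "0" + i : i)).build();
            Response response = realm.clients().create(c);
            try {
                ids.add(ApiUtil.getCreatedId(response));
            } finally {
                // Close the response even when the created id cannot be read from it
                response.close();
            }
        }
        assertPaginatedClients(1, 10, realm.clients().findAll("ccx-", null, true, 0, 100));
        assertPaginatedClients(1, 5, realm.clients().findAll("ccx-", null, true, 0, 5));
        assertPaginatedClients(6, 10, realm.clients().findAll("ccx-", null, true, 5, 5));
    } finally {
        // Clean up every client that was recorded, regardless of the outcome above
        ids.forEach(id -> realm.clients().get(id).remove());
    }
}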
Also used : AccessTokenResponse(org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse) Response(javax.ws.rs.core.Response) HashSet(java.util.HashSet) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test)
