Example 61 with AuthServerContainerExclude
use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class ClientRegistrationPoliciesTest method testAnonUpdateWithTrustedHost.
@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testAnonUpdateWithTrustedHost() throws Exception {
setTrustedHost("localhost");
OIDCClientRepresentation client = create();
// Fail update client
client.setRedirectUris(Collections.singletonList("http://bad:8080/foo"));
assertOidcFail(ClientRegOp.UPDATE, client, 403, "URL doesn't match");
// Should be fine now
client.setRedirectUris(Collections.singletonList("http://localhost:8080/foo"));
reg.oidc().update(client);
}
Also used :
OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation)
AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude)
Test(org.junit.Test)
Example 62 with AuthServerContainerExclude
use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class ClientRegistrationPoliciesTest method testProtocolMappersCreate.
// PROTOCOL MAPPERS
@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testProtocolMappersCreate() throws Exception {
setTrustedHost("localhost");
// Try to add client with some "hardcoded role" mapper. Should fail
ClientRepresentation clientRep = createRep("test-app");
clientRep.setProtocolMappers(Collections.singletonList(createHardcodedMapperRep()));
assertFail(ClientRegOp.CREATE, clientRep, 403, "ProtocolMapper type not allowed");
// Try the same authenticated. Should still fail.
ClientInitialAccessPresentation token = adminClient.realm(REALM_NAME).clientInitialAccess().create(new ClientInitialAccessCreatePresentation(0, 10));
reg.auth(Auth.token(token));
assertFail(ClientRegOp.CREATE, clientRep, 403, "ProtocolMapper type not allowed");
// Update the "authenticated" policy and allow hardcoded role mapper
ComponentRepresentation protocolMapperPolicyRep = findPolicyByProviderAndAuth(ProtocolMappersClientRegistrationPolicyFactory.PROVIDER_ID, getPolicyAuth());
protocolMapperPolicyRep.getConfig().add(ProtocolMappersClientRegistrationPolicyFactory.ALLOWED_PROTOCOL_MAPPER_TYPES, HardcodedRole.PROVIDER_ID);
realmResource().components().component(protocolMapperPolicyRep.getId()).update(protocolMapperPolicyRep);
// Check authenticated registration is permitted
ClientRepresentation registeredClient = reg.create(clientRep);
Assert.assertNotNull(registeredClient.getRegistrationAccessToken());
// Check "anonymous" registration still fails
clientRep = createRep("test-app-2");
clientRep.setProtocolMappers(Collections.singletonList(createHardcodedMapperRep()));
reg.auth(null);
assertFail(ClientRegOp.CREATE, clientRep, 403, "ProtocolMapper type not allowed");
// Revert policy change
ApiUtil.findClientResourceByClientId(realmResource(), "test-app").remove();
protocolMapperPolicyRep.getConfig().remove(ProtocolMappersClientRegistrationPolicyFactory.ALLOWED_PROTOCOL_MAPPER_TYPES, HardcodedRole.PROVIDER_ID);
realmResource().components().component(protocolMapperPolicyRep.getId()).update(protocolMapperPolicyRep);
}
Also used :
ComponentRepresentation(org.keycloak.representations.idm.ComponentRepresentation)
ClientInitialAccessCreatePresentation(org.keycloak.representations.idm.ClientInitialAccessCreatePresentation)
ClientInitialAccessPresentation(org.keycloak.representations.idm.ClientInitialAccessPresentation)
OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation)
ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)
AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude)
Test(org.junit.Test)
Example 63 with AuthServerContainerExclude
use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class ClientRegistrationPoliciesTest method testAnonFullScopeAllowed.
@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testAnonFullScopeAllowed() throws Exception {
setTrustedHost("localhost");
OIDCClientRepresentation client = create();
// Assert new client has fullScopeAllowed disabled
String clientId = client.getClientId();
ClientRepresentation clientRep = ApiUtil.findClientByClientId(realmResource(), clientId).toRepresentation();
Assert.assertFalse(clientRep.isFullScopeAllowed());
// Try update with disabled consent required. Should fail
clientRep.setFullScopeAllowed(true);
assertFail(ClientRegOp.UPDATE, clientRep, 403, "Not permitted to enable fullScopeAllowed");
// Try update with enabled consent required. Should pass
clientRep.setFullScopeAllowed(false);
reg.update(clientRep);
}
Also used :
OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation)
OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation)
ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)
AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude)
Test(org.junit.Test)
Example 64 with AuthServerContainerExclude
use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class ClientRegistrationPoliciesTest method testClientScopesPolicyWithPermittedScope.
@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testClientScopesPolicyWithPermittedScope() throws Exception {
setTrustedHost("localhost");
// Add some clientScope through Admin REST
ClientScopeRepresentation clientScope = new ClientScopeRepresentation();
clientScope.setName("foo");
clientScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
Response response = realmResource().clientScopes().create(clientScope);
String clientScopeId = ApiUtil.getCreatedId(response);
response.close();
// I can't register new client with this scope
ClientRepresentation clientRep = createRep("test-app");
clientRep.setDefaultClientScopes(Collections.singletonList("foo"));
assertFail(ClientRegOp.CREATE, clientRep, 403, "Not permitted to use specified clientScope");
// Update the policy to allow the "foo" scope
ComponentRepresentation clientScopesPolicyRep = findPolicyByProviderAndAuth(ClientScopesClientRegistrationPolicyFactory.PROVIDER_ID, getPolicyAnon());
clientScopesPolicyRep.getConfig().putSingle(ClientScopesClientRegistrationPolicyFactory.ALLOWED_CLIENT_SCOPES, "foo");
realmResource().components().component(clientScopesPolicyRep.getId()).update(clientScopesPolicyRep);
// Check that I can register client now
ClientRepresentation registeredClient = reg.create(clientRep);
Assert.assertNotNull(registeredClient.getRegistrationAccessToken());
// Revert client scope
ApiUtil.findClientResourceByClientId(realmResource(), "test-app").remove();
realmResource().clientScopes().get(clientScopeId).remove();
}
Also used :
Response(javax.ws.rs.core.Response)
ComponentRepresentation(org.keycloak.representations.idm.ComponentRepresentation)
ClientScopeRepresentation(org.keycloak.representations.idm.ClientScopeRepresentation)
OIDCClientRepresentation(org.keycloak.representations.oidc.OIDCClientRepresentation)
ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)
AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude)
Test(org.junit.Test)
Example 65 with AuthServerContainerExclude
use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class ClientTest method getAllClientsSearchAndPagination.
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void getAllClientsSearchAndPagination() {
Set<String> ids = new HashSet<>();
try {
for (int i = 1; i <= 10; i++) {
ClientRepresentation c = ClientBuilder.create().clientId("ccx-" + (i < 10 ? "0" + i : i)).build();
Response response = realm.clients().create(c);
ids.add(ApiUtil.getCreatedId(response));
response.close();
}
assertPaginatedClients(1, 10, realm.clients().findAll("ccx-", null, true, 0, 100));
assertPaginatedClients(1, 5, realm.clients().findAll("ccx-", null, true, 0, 5));
assertPaginatedClients(6, 10, realm.clients().findAll("ccx-", null, true, 5, 5));
} finally {
ids.stream().forEach(id -> realm.clients().get(id).remove());
}
}
Also used :
AccessTokenResponse(org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse)
Response(javax.ws.rs.core.Response)
HashSet(java.util.HashSet)
ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation)
AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude)
Test(org.junit.Test)
Aggregations
Test (org.junit.Test)108
AuthServerContainerExclude (org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude)108
AbstractTestRealmKeycloakTest (org.keycloak.testsuite.AbstractTestRealmKeycloakTest)31
UserRepresentation (org.keycloak.representations.idm.UserRepresentation)30
ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)29
Matchers.containsString (org.hamcrest.Matchers.containsString)28
AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest)27
Response (javax.ws.rs.core.Response)24
UserResource (org.keycloak.admin.client.resource.UserResource)21
AbstractAuthenticationTest (org.keycloak.testsuite.admin.authentication.AbstractAuthenticationTest)21
SocialLoginTest (org.keycloak.testsuite.broker.SocialLoginTest)21
MimeMessage (javax.mail.internet.MimeMessage)14
OAuthClient (org.keycloak.testsuite.util.OAuthClient)14
OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation)13
ComponentRepresentation (org.keycloak.representations.idm.ComponentRepresentation)12
LinkedList (java.util.LinkedList)11
List (java.util.List)9
RealmRepresentation (org.keycloak.representations.idm.RealmRepresentation)9
HashMap (java.util.HashMap)8
IOException (java.io.IOException)7
