use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class ClientRegistrationPoliciesTest method testAnonUpdateWithTrustedHost.
/**
 * Pins the redirect-URI check on client registration updates: with the trusted host set to
 * {@code localhost}, an update pointing the redirect URI at another host must be refused with
 * HTTP 403, while a {@code localhost} redirect URI is accepted.
 */
@Test
// Skipped on remote auth servers: the trusted host would have to be resolved to an IP address there.
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testAnonUpdateWithTrustedHost() throws Exception {
    setTrustedHost("localhost");
    OIDCClientRepresentation registered = create();

    // Negative case first: a redirect URI on a host other than the trusted one.
    // The registration endpoint is expected to answer 403 "URL doesn't match".
    String untrustedRedirect = "http://bad:8080/foo";
    registered.setRedirectUris(Collections.singletonList(untrustedRedirect));
    assertOidcFail(ClientRegOp.UPDATE, registered, 403, "URL doesn't match");

    // Positive case: same client, redirect URI back on the trusted host.
    // update() is expected to return normally; there is no further assertion.
    String trustedRedirect = "http://localhost:8080/foo";
    registered.setRedirectUris(Collections.singletonList(trustedRedirect));
    reg.oidc().update(registered);
}
use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class ClientRegistrationPoliciesTest method testProtocolMappersCreate.
// PROTOCOL MAPPERS
/**
 * Exercises the protocol-mapper restriction on client registration. A client carrying the
 * "hardcoded role" mapper must be refused with HTTP 403 both without credentials and with an
 * initial access token. Once the mapper type is added to the policy returned for
 * {@code getPolicyAuth()}, the token-backed registration succeeds while the unauthenticated
 * one is still refused.
 */
@Test
// Skipped on remote auth servers: the trusted host would have to be resolved to an IP address there.
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testProtocolMappersCreate() throws Exception {
    setTrustedHost("localhost");

    // 1. No credentials: the hardcoded-role mapper must be rejected.
    ClientRepresentation withHardcodedRole = createRep("test-app");
    withHardcodedRole.setProtocolMappers(Collections.singletonList(createHardcodedMapperRep()));
    assertFail(ClientRegOp.CREATE, withHardcodedRole, 403, "ProtocolMapper type not allowed");

    // 2. With an initial access token the default policy must still reject it.
    ClientInitialAccessPresentation initialAccess = adminClient.realm(REALM_NAME).clientInitialAccess().create(new ClientInitialAccessCreatePresentation(0, 10));
    reg.auth(Auth.token(initialAccess));
    assertFail(ClientRegOp.CREATE, withHardcodedRole, 403, "ProtocolMapper type not allowed");

    // 3. Loosen only the policy looked up with getPolicyAuth(): allow the hardcoded-role mapper type.
    ComponentRepresentation mapperPolicy = findPolicyByProviderAndAuth(ProtocolMappersClientRegistrationPolicyFactory.PROVIDER_ID, getPolicyAuth());
    mapperPolicy.getConfig().add(ProtocolMappersClientRegistrationPolicyFactory.ALLOWED_PROTOCOL_MAPPER_TYPES, HardcodedRole.PROVIDER_ID);
    realmResource().components().component(mapperPolicy.getId()).update(mapperPolicy);

    // 4. The token-backed registration now goes through and yields a registration access token.
    ClientRepresentation created = reg.create(withHardcodedRole);
    Assert.assertNotNull(created.getRegistrationAccessToken());

    // 5. Dropping the credentials again: the change above must not have opened the
    //    unauthenticated path.
    ClientRepresentation anonymousAttempt = createRep("test-app-2");
    anonymousAttempt.setProtocolMappers(Collections.singletonList(createHardcodedMapperRep()));
    reg.auth(null);
    assertFail(ClientRegOp.CREATE, anonymousAttempt, 403, "ProtocolMapper type not allowed");

    // 6. Clean up the client and undo the policy change.
    // NOTE(review): this cleanup is not in a finally block, so a failed assertion above leaves
    // the loosened policy and the "test-app" client behind for whatever runs next.
    // NOTE(review): if getConfig() is a Map whose values are lists, the two-argument remove()
    // is Map.remove(key, value) and compares the stored list with a String - confirm that the
    // allowed mapper type is really taken out again.
    ApiUtil.findClientResourceByClientId(realmResource(), "test-app").remove();
    mapperPolicy.getConfig().remove(ProtocolMappersClientRegistrationPolicyFactory.ALLOWED_PROTOCOL_MAPPER_TYPES, HardcodedRole.PROVIDER_ID);
    realmResource().components().component(mapperPolicy.getId()).update(mapperPolicy);
}
use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class ClientRegistrationPoliciesTest method testAnonFullScopeAllowed.
/**
 * Checks that a client obtained from {@code create()} has {@code fullScopeAllowed} switched off,
 * that a registration update trying to switch it on is refused with HTTP 403, and that an update
 * leaving it off is accepted.
 */
@Test
// Skipped on remote auth servers: the trusted host would have to be resolved to an IP address there.
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testAnonFullScopeAllowed() throws Exception {
    setTrustedHost("localhost");
    OIDCClientRepresentation created = create();

    // Read the stored client back via realmResource(); it must not have full scope.
    String createdClientId = created.getClientId();
    ClientRepresentation stored = ApiUtil.findClientByClientId(realmResource(), createdClientId).toRepresentation();
    Assert.assertFalse(stored.isFullScopeAllowed());

    // Privilege-widening update: turning fullScopeAllowed on must be rejected.
    stored.setFullScopeAllowed(true);
    assertFail(ClientRegOp.UPDATE, stored, 403, "Not permitted to enable fullScopeAllowed");

    // An update that keeps fullScopeAllowed off is expected to return normally.
    stored.setFullScopeAllowed(false);
    reg.update(stored);
}
use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class ClientRegistrationPoliciesTest method testClientScopesPolicyWithPermittedScope.
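/**
 * Checks the client-scope restriction on client registration: a client asking for the default
 * scope "foo" is refused with HTTP 403 until "foo" is listed in the policy returned for
 * {@code getPolicyAnon()}, after which the same registration succeeds.
 */
@Test
// We would need to do domain name -> ip address to set trusted host
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testClientScopesPolicyWithPermittedScope() throws Exception {
    setTrustedHost("localhost");

    // Add some clientScope through Admin REST
    ClientScopeRepresentation clientScope = new ClientScopeRepresentation();
    clientScope.setName("foo");
    clientScope.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    Response response = realmResource().clientScopes().create(clientScope);
    String clientScopeId;
    try {
        clientScopeId = ApiUtil.getCreatedId(response);
    } finally {
        // Close the response even when reading the created id fails, so the connection is released.
        response.close();
    }

    // The scope exists but is not yet permitted by the policy: registration must be refused.
    ClientRepresentation clientRep = createRep("test-app");
    clientRep.setDefaultClientScopes(Collections.singletonList("foo"));
    assertFail(ClientRegOp.CREATE, clientRep, 403, "Not permitted to use specified clientScope");

    // Update the policy to allow the "foo" scope
    ComponentRepresentation clientScopesPolicyRep = findPolicyByProviderAndAuth(ClientScopesClientRegistrationPolicyFactory.PROVIDER_ID, getPolicyAnon());
    clientScopesPolicyRep.getConfig().putSingle(ClientScopesClientRegistrationPolicyFactory.ALLOWED_CLIENT_SCOPES, "foo");
    realmResource().components().component(clientScopesPolicyRep.getId()).update(clientScopesPolicyRep);

    // With the scope permitted, registration succeeds and yields a registration access token.
    ClientRepresentation registeredClient = reg.create(clientRep);
    Assert.assertNotNull(registeredClient.getRegistrationAccessToken());

    // Remove the client and the scope again.
    // NOTE(review): the ALLOWED_CLIENT_SCOPES value written to the policy above is not reset in
    // this method, and this cleanup is skipped when an assertion fails - confirm the realm is
    // restored elsewhere before other tests rely on the default policy.
    ApiUtil.findClientResourceByClientId(realmResource(), "test-app").remove();
    realmResource().clientScopes().get(clientScopeId).remove();
}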
use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class ClientTest method getAllClientsSearchAndPagination.
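/**
 * Creates ten clients named "ccx-01" to "ccx-10", then checks three {@code findAll} calls
 * searching for "ccx-" against the expected index ranges. The created clients are removed in a
 * finally block.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void getAllClientsSearchAndPagination() {
    Set<String> ids = new HashSet<>();
    try {
        for (int i = 1; i <= 10; i++) {
            // Zero-pad single digits so the ids read "ccx-01" .. "ccx-10".
            ClientRepresentation c = ClientBuilder.create().clientId("ccx-" + (i < 10 ? "0" + i : i)).build();
            Response response = realm.clients().create(c);
            try {
                ids.add(ApiUtil.getCreatedId(response));
            } finally {
                // Release the response even when reading the created id fails.
                response.close();
            }
        }
        // The last two arguments appear to be the offset and the page size: (0, 100) is expected
        // to give clients 1-10, (0, 5) clients 1-5 and (5, 5) clients 6-10.
        assertPaginatedClients(1, 10, realm.clients().findAll("ccx-", null, true, 0, 100));
        assertPaginatedClients(1, 5, realm.clients().findAll("ccx-", null, true, 0, 5));
        assertPaginatedClients(6, 10, realm.clients().findAll("ccx-", null, true, 5, 5));
    } finally {
        // Remove every client that was actually created, whether or not the assertions passed.
        ids.forEach(id -> realm.clients().get(id).remove());
    }
}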