Use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
The class UserTest, method createUserWithHashedCredentials.
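/**
 * Verifies that a user created through the admin API with a pre-hashed password keeps the
 * credential exactly as supplied (algorithm, salt, iteration count, hash value, label, created
 * date and type) when it is read back from the server.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void createUserWithHashedCredentials() {
    UserRepresentation user = new UserRepresentation();
    user.setUsername("user_creds");
    user.setEmail("email@localhost");

    // Encode the salt explicitly so the byte round-trip below does not depend on the platform charset.
    PasswordCredentialModel pcm = PasswordCredentialModel.createFromValues(
            "my-algorithm", "theSalt".getBytes(java.nio.charset.StandardCharsets.UTF_8), 22, "ABC");
    CredentialRepresentation hashedPassword = ModelToRepresentation.toRepresentation(pcm);
    hashedPassword.setCreatedDate(1001L);
    hashedPassword.setUserLabel("deviceX");
    hashedPassword.setType(CredentialRepresentation.PASSWORD);
    user.setCredentials(Arrays.asList(hashedPassword));

    createUser(user);

    // Check the stored credential exists BEFORE dereferencing it, so a missing credential fails with
    // the intended assertion message rather than a NullPointerException inside createFromCredentialModel.
    CredentialModel credentialHashed = fetchCredentials("user_creds");
    assertNotNull("Expecting credential", credentialHashed);
    PasswordCredentialModel pcmh = PasswordCredentialModel.createFromCredentialModel(credentialHashed);

    // Every field must come back as supplied: the caller-provided hash and its parameters are
    // expected to be stored verbatim, not re-hashed by the server.
    assertEquals("my-algorithm", pcmh.getPasswordCredentialData().getAlgorithm());
    assertEquals(Long.valueOf(1001), credentialHashed.getCreatedDate());
    assertEquals("deviceX", credentialHashed.getUserLabel());
    assertEquals(22, pcmh.getPasswordCredentialData().getHashIterations());
    assertEquals("ABC", pcmh.getPasswordSecretData().getValue());
    assertEquals("theSalt", new String(pcmh.getPasswordSecretData().getSalt(), java.nio.charset.StandardCharsets.UTF_8));
    assertEquals(CredentialRepresentation.PASSWORD, credentialHashed.getType());
}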
Use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
The class UserStorageRestTest, method testKerberosAuthenticatorEnabledAutomatically.
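/**
 * Verifies that the kerberos authenticator of the browser flow follows the LDAP provider's
 * ALLOW_KERBEROS_AUTHENTICATION switch: creating a provider with the switch on makes the execution
 * ALTERNATIVE, while an execution an admin has explicitly set to DISABLED stays DISABLED across
 * provider updates that leave the switch untouched or turn it off. Only turning the switch back
 * on re-enables the authenticator.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testKerberosAuthenticatorEnabledAutomatically() {
    // Precondition: the kerberos authenticator starts out DISABLED
    assertKerberosRequirement(AuthenticationExecutionModel.Requirement.DISABLED);

    // Creating an LDAP provider with kerberos allowed switches the authenticator to ALTERNATIVE
    ComponentRepresentation ldapRep = createBasicLDAPProviderRep();
    ldapRep.getConfig().putSingle(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "true");
    String id = createComponent(ldapRep);
    AuthenticationExecutionInfoRepresentation kerberosExecution =
            assertKerberosRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);

    // An admin explicitly disables the authenticator again
    setKerberosRequirement(kerberosExecution, AuthenticationExecutionModel.Requirement.DISABLED);

    // Re-saving the provider without touching the kerberos switch must not silently re-enable it
    updateLdapProvider(id, null);
    assertKerberosRequirement(AuthenticationExecutionModel.Requirement.DISABLED);

    // Turning the switch off keeps the authenticator DISABLED as well
    updateLdapProvider(id, "false");
    assertKerberosRequirement(AuthenticationExecutionModel.Requirement.DISABLED);

    // Turning the switch back on is the update that re-enables it
    updateLdapProvider(id, "true");
    kerberosExecution = assertKerberosRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);

    // Cleanup: restore DISABLED and drop the provider so later tests start from the same state
    setKerberosRequirement(kerberosExecution, AuthenticationExecutionModel.Requirement.DISABLED);
    removeComponent(id);
}

/**
 * Looks up the kerberos execution of the browser flow and asserts its current requirement.
 *
 * @param expected the requirement the execution is expected to have
 * @return the execution that was checked, so callers can modify it further
 */
private AuthenticationExecutionInfoRepresentation assertKerberosRequirement(AuthenticationExecutionModel.Requirement expected) {
    AuthenticationExecutionInfoRepresentation execution = findKerberosExecution();
    // JUnit convention is (expected, actual) so a mismatch is reported the right way round
    Assert.assertEquals(expected.toString(), execution.getRequirement());
    return execution;
}

/**
 * Sets the requirement of the given browser-flow execution through the admin API and asserts
 * that the corresponding admin event was recorded.
 *
 * @param execution the execution to update (mutated in place)
 * @param requirement the requirement to apply
 */
private void setKerberosRequirement(AuthenticationExecutionInfoRepresentation execution, AuthenticationExecutionModel.Requirement requirement) {
    execution.setRequirement(requirement.toString());
    realm.flows().updateExecutions("browser", execution);
    assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), execution, ResourceType.AUTH_EXECUTION);
}

/**
 * Re-reads the LDAP provider component, optionally changes its kerberos switch and saves it back.
 * Admin events produced by the component update are cleared rather than asserted.
 *
 * @param id the component id of the LDAP provider
 * @param allowKerberos new value for ALLOW_KERBEROS_AUTHENTICATION, or {@code null} to leave the config untouched
 */
private void updateLdapProvider(String id, String allowKerberos) {
    ComponentRepresentation ldapRep = realm.components().component(id).toRepresentation();
    if (allowKerberos != null) {
        ldapRep.getConfig().putSingle(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, allowKerberos);
    }
    realm.components().component(id).update(ldapRep);
    assertAdminEvents.clear();
}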
Use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
The class OIDCProtocolMappersTest, method testUserGroupRoleToAttributeMappers.
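/**
 * Verifies that a realm-role mapper and a client-role mapper with custom claim names and prefixes
 * emit, for a user whose roles come from direct assignment, group membership and composite roles,
 * exactly the expected effective role set under {@code roles-custom.realm} and
 * {@code roles-custom.test-app} in the ID token.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testUserGroupRoleToAttributeMappers() throws Exception {
    String clientId = "test-app";

    // One mapper for realm roles and one for the client's own roles, each with its own prefix
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(clientId, "ta.", "Client roles mapper", "roles-custom.test-app", true, true);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), clientId).getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));

    try {
        // Login a user with a rich role/group setup
        OAuthClient.AccessTokenResponse response = browserLogin("password", "rich.roles@redhat.com", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());

        // The dotted claim names are read back as a nested object: "roles-custom" -> { "realm", "test-app" }
        @SuppressWarnings("unchecked") // the claim is a generic JSON object; no typed accessor is available
        Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", clientId));

        String realmRoleMappings = (String) roleMappings.get("realm");
        String testAppMappings = (String) roleMappings.get(clientId);

        assertRolesString(realmRoleMappings,
                "pref.admin",                  // from direct assignment to /roleRichGroup/level2group
                "pref.user",                   // from parent group of /roleRichGroup/level2group, i.e. from /roleRichGroup
                "pref.customer-user-premium",  // from client role customer-admin-composite-role - realm role for test-app
                "pref.realm-composite-role",   // from parent group of /roleRichGroup/level2group, i.e. from /roleRichGroup
                "pref.sample-realm-role");     // from realm role realm-composite-role
        assertRolesString(testAppMappings,
                "ta.customer-user",                  // from direct assignment to /roleRichGroup/level2group
                "ta.customer-admin-composite-role",  // from direct assignment to /roleRichGroup/level2group
                "ta.customer-admin",                 // from client role customer-admin-composite-role - client role for test-app
                "ta.sample-client-role");            // from realm role realm-composite-role - client role for test-app
    } finally {
        // Always remove the mappers, so an assertion failure does not leak them into later tests
        deleteMappers(protocolMappers);
    }
}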
Use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
The class OIDCProtocolMappersTest, method testTokenPropertiesMapping.
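/**
 * Verifies how protocol mappers interact with claims that are also first-class token properties:
 * a user-attribute mapper may replace {@code sub} and {@code aud}, a hardcoded-claim mapper may set
 * {@code website}, but a hardcoded {@code iat} must not override the issue time set by the server.
 * The mapped claims are checked in the ID token, the access token and the UserInfo response.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testTokenPropertiesMapping() throws Exception {
    // Give the test user the attributes the mappers below read from
    UserResource userResource = findUserByUsernameId(adminClient.realm("test"), "test-user@localhost");
    UserRepresentation user = userResource.toRepresentation();
    user.singleAttribute("userid", "123456789");
    user.getAttributes().put("useraud", Arrays.asList("test-app", "other"));
    userResource.update(user);

    // Names of the mappers created here; the cleanup in the finally block removes exactly these
    String[] cleanupNames = {"userid-as-sub", "useraud", "website-hardcoded", "iat-hardcoded"};

    // Mappers targeting claims that exist as properties of the token classes
    ClientResource app = findClientResourceByClientId(adminClient.realm("test"), "test-app");
    app.getProtocolMappers().createMapper(createClaimMapper("userid-as-sub", "userid", "sub", "String", true, true, false)).close();
    app.getProtocolMappers().createMapper(createClaimMapper("useraud", "useraud", "aud", "String", true, true, true)).close();
    app.getProtocolMappers().createMapper(createHardcodedClaim("website-hardcoded", "website", "http://localhost", "String", true, true)).close();
    app.getProtocolMappers().createMapper(createHardcodedClaim("iat-hardcoded", "iat", "123", "long", true, false)).close();

    try {
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");

        // ID token and access token: sub/aud come from the user attributes, website is hardcoded
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        assertMappedTokenProperties(user, idToken);
        AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
        assertMappedTokenProperties(user, accessToken);

        // iat must keep the server-issued value; the hardcoded "123" must not win over the protocol property
        assertNotEquals(123L, accessToken.getIat().longValue());

        // UserInfo: hardcoded mappers enabled for the ID token are applied there too
        // (the audience re-check below is deliberately on the access token, not the UserInfo body)
        Client client = AdminClientUtil.createResteasyClient();
        try {
            Response userInfoResponse = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, response.getAccessToken());
            UserInfo userInfo = userInfoResponse.readEntity(UserInfo.class);
            assertEquals(user.firstAttribute("userid"), userInfo.getSubject());
            assertEquals(user.getEmail(), userInfo.getEmail());
            assertEquals(user.getUsername(), userInfo.getPreferredUsername());
            assertEquals(user.getLastName(), userInfo.getFamilyName());
            assertEquals(user.getFirstName(), userInfo.getGivenName());
            assertEquals("http://localhost", userInfo.getWebsite());
            assertNotNull(accessToken.getAudience());
            assertThat(Arrays.asList(accessToken.getAudience()), hasItems("test-app", "other"));
        } finally {
            client.close();
        }

        oauth.openLogout();
    } finally {
        // Undo the mappers even when an assertion above failed, so they cannot affect later tests
        app = findClientByClientId(adminClient.realm("test"), "test-app");
        ClientRepresentation clientRepresentation = app.toRepresentation();
        for (ProtocolMapperRepresentation model : clientRepresentation.getProtocolMappers()) {
            if (Arrays.asList(cleanupNames).contains(model.getName())) {
                app.getProtocolMappers().delete(model.getId());
            }
        }
        events.clear();
    }
}

/**
 * Asserts the claims the mappers in {@link #testTokenPropertiesMapping()} are expected to set:
 * {@code sub} equal to the user's "userid" attribute, the hardcoded website, and an audience
 * containing both values of the "useraud" attribute.
 *
 * @param user the user representation whose attributes were mapped
 * @param token the ID token or access token to check
 */
private void assertMappedTokenProperties(UserRepresentation user, IDToken token) {
    assertEquals(user.firstAttribute("userid"), token.getSubject());
    assertEquals("http://localhost", token.getWebsite());
    assertNotNull(token.getAudience());
    assertThat(Arrays.asList(token.getAudience()), hasItems("test-app", "other"));
}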
Use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
The class OIDCProtocolMappersTest, method testUserRoleToAttributeMappers.
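/**
 * Verifies that a prefixed realm-role mapper and an unprefixed client-role mapper emit the
 * directly assigned roles of the test user under {@code roles-custom.realm} and
 * {@code roles-custom.test-app} in the ID token.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testUserRoleToAttributeMappers() throws Exception {
    // Realm roles get the "pref." prefix; client roles are mapped without a prefix
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper("test-app", null, "Client roles mapper", "roles-custom.test-app", true, true);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));

    try {
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());

        // The dotted claim names are read back as a nested object: "roles-custom" -> { "realm", "test-app" }
        @SuppressWarnings("unchecked") // the claim is a generic JSON object; no typed accessor is available
        Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", "test-app"));

        String realmRoleMappings = (String) roleMappings.get("realm");
        String testAppMappings = (String) roleMappings.get("test-app");

        assertRolesString(realmRoleMappings,
                "pref.user",             // from direct assignment in user definition
                "pref.offline_access");  // from direct assignment in user definition
        assertRolesString(testAppMappings,
                "customer-user");        // from direct assignment in user definition
    } finally {
        // Always remove the mappers, so an assertion failure does not leak them into later tests
        deleteMappers(protocolMappers);
    }
}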