
Example 91 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

the class UserTest method createUserWithHashedCredentials.

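/**
 * Creates a user whose password is supplied as an already-hashed credential
 * (algorithm, salt, iteration count and hash value) and verifies that every
 * field of that credential survives the round trip through the admin API.
 *
 * Two fixes over the earlier version: the presence check on the fetched
 * credential now runs before the credential is converted (so a missing
 * credential fails with the intended message rather than inside
 * {@code createFromCredentialModel}), and the salt is encoded/decoded with an
 * explicit charset instead of the JVM's platform default.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void createUserWithHashedCredentials() {
    UserRepresentation user = new UserRepresentation();
    user.setUsername("user_creds");
    user.setEmail("email@localhost");

    // Explicit charset: a bare getBytes()/new String(byte[]) pair depends on the platform encoding.
    java.nio.charset.Charset saltCharset = java.nio.charset.StandardCharsets.UTF_8;
    byte[] salt = "theSalt".getBytes(saltCharset);
    PasswordCredentialModel pcm = PasswordCredentialModel.createFromValues("my-algorithm", salt, 22, "ABC");
    CredentialRepresentation hashedPassword = ModelToRepresentation.toRepresentation(pcm);
    hashedPassword.setCreatedDate(1001L);
    hashedPassword.setUserLabel("deviceX");
    hashedPassword.setType(CredentialRepresentation.PASSWORD);
    user.setCredentials(Arrays.asList(hashedPassword));
    createUser(user);

    CredentialModel credentialHashed = fetchCredentials("user_creds");
    // Check presence first; converting a null credential would most likely fail before this message.
    assertNotNull("Expecting credential", credentialHashed);
    PasswordCredentialModel pcmh = PasswordCredentialModel.createFromCredentialModel(credentialHashed);

    // Every field of the hashed credential must be stored verbatim, not re-hashed or defaulted.
    assertEquals("my-algorithm", pcmh.getPasswordCredentialData().getAlgorithm());
    assertEquals(Long.valueOf(1001), credentialHashed.getCreatedDate());
    assertEquals("deviceX", credentialHashed.getUserLabel());
    assertEquals(22, pcmh.getPasswordCredentialData().getHashIterations());
    assertEquals("ABC", pcmh.getPasswordSecretData().getValue());
    assertEquals("theSalt", new String(pcmh.getPasswordSecretData().getSalt(), saltCharset));
    assertEquals(CredentialRepresentation.PASSWORD, credentialHashed.getType());
}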
Also used : CredentialRepresentation(org.keycloak.representations.idm.CredentialRepresentation) CredentialModel(org.keycloak.credential.CredentialModel) PasswordCredentialModel(org.keycloak.models.credential.PasswordCredentialModel) OTPCredentialModel(org.keycloak.models.credential.OTPCredentialModel) PasswordCredentialModel(org.keycloak.models.credential.PasswordCredentialModel) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test)

Example 92 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

the class UserStorageRestTest method testKerberosAuthenticatorEnabledAutomatically.

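/**
 * Verifies how the kerberos authenticator of the "browser" flow follows the
 * {@code ALLOW_KERBEROS_AUTHENTICATION} switch of an LDAP provider: enabling
 * the switch turns the authenticator ALTERNATIVE, an explicit admin decision to
 * DISABLE it is not overridden by provider updates that leave the switch alone
 * or turn it off, and turning the switch on again re-enables it.
 *
 * Cleanup (re-disabling the authenticator and removing the LDAP component) runs
 * in a {@code finally} block so a failed assertion does not leak a
 * kerberos-enabled provider into later tests. Assertions use the JUnit
 * (expected, actual) order so failure messages read correctly.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testKerberosAuthenticatorEnabledAutomatically() {
    // Precondition: the kerberos authenticator starts out DISABLED
    assertKerberosExecutionRequirement(AuthenticationExecutionModel.Requirement.DISABLED);

    // Create an LDAP provider with kerberos authentication allowed
    ComponentRepresentation ldapRep = createBasicLDAPProviderRep();
    ldapRep.getConfig().putSingle(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "true");
    String id = createComponent(ldapRep);
    try {
        // Creating the provider switches the authenticator to ALTERNATIVE
        AuthenticationExecutionInfoRepresentation kerberosExecution =
                assertKerberosExecutionRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);

        // An explicit admin decision to disable the authenticator...
        disableKerberosExecution(kerberosExecution);

        // ...must survive a provider update that does not touch the kerberos switch
        updateLdapProvider(id, null);
        assertKerberosExecutionRequirement(AuthenticationExecutionModel.Requirement.DISABLED);

        // ...and a provider update that turns the switch off
        updateLdapProvider(id, "false");
        assertKerberosExecutionRequirement(AuthenticationExecutionModel.Requirement.DISABLED);

        // Turning the switch on again re-enables the authenticator
        updateLdapProvider(id, "true");
        assertKerberosExecutionRequirement(AuthenticationExecutionModel.Requirement.ALTERNATIVE);
    } finally {
        // Cleanup also runs after a failed assertion: restore the flow and remove the provider
        disableKerberosExecution(findKerberosExecution());
        removeComponent(id);
    }
}

/**
 * Fetches the kerberos execution of the browser flow and asserts its requirement.
 *
 * @param expected the requirement the execution must currently have
 * @return the fetched execution, for callers that want to modify it afterwards
 */
private AuthenticationExecutionInfoRepresentation assertKerberosExecutionRequirement(AuthenticationExecutionModel.Requirement expected) {
    AuthenticationExecutionInfoRepresentation kerberosExecution = findKerberosExecution();
    Assert.assertEquals(expected.toString(), kerberosExecution.getRequirement());
    return kerberosExecution;
}

/**
 * Sets the given kerberos execution to DISABLED in the browser flow and asserts
 * that the corresponding admin event was emitted.
 *
 * @param kerberosExecution the execution to update; its requirement is overwritten
 */
private void disableKerberosExecution(AuthenticationExecutionInfoRepresentation kerberosExecution) {
    kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED.toString());
    realm.flows().updateExecutions("browser", kerberosExecution);
    assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
}

/**
 * Re-reads the LDAP provider and updates it, optionally changing the kerberos switch.
 * The admin events produced by the update are discarded; they are not under test here.
 *
 * @param id            component id of the LDAP provider
 * @param allowKerberos new value for {@code ALLOW_KERBEROS_AUTHENTICATION}, or {@code null}
 *                      to leave the switch untouched
 */
private void updateLdapProvider(String id, String allowKerberos) {
    ComponentRepresentation ldapRep = realm.components().component(id).toRepresentation();
    if (allowKerberos != null) {
        ldapRep.getConfig().putSingle(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, allowKerberos);
    }
    realm.components().component(id).update(ldapRep);
    assertAdminEvents.clear();
}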
Also used : ComponentRepresentation(org.keycloak.representations.idm.ComponentRepresentation) AuthenticationExecutionInfoRepresentation(org.keycloak.representations.idm.AuthenticationExecutionInfoRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test) AbstractAuthenticationTest(org.keycloak.testsuite.admin.authentication.AbstractAuthenticationTest)

Example 93 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testUserGroupRoleToAttributeMappers.

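/**
 * Verifies the realm-role and client-role mappers for a user whose roles come
 * from group membership (including parent groups) and composite roles: the
 * "roles-custom" claim of the ID token must carry the effective roles, each
 * with the configured prefix.
 *
 * The mappers are removed in a {@code finally} block so a failed assertion does
 * not leave them on the "test-app" client for later tests. The per-role comments
 * are attached to the role they explain (the earlier listing had them shifted
 * up by one line).
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testUserGroupRoleToAttributeMappers() throws Exception {
    // Add mappers for realm roles and for the client roles of "test-app"
    String clientId = "test-app";
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper(clientId, "ta.", "Client roles mapper", "roles-custom.test-app", true, true);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), clientId).getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
    try {
        // Login user
        OAuthClient.AccessTokenResponse response = browserLogin("password", "rich.roles@redhat.com", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());

        // Verify the claim is filled for both the realm and the client
        @SuppressWarnings("unchecked") // claim is a JSON object deserialized as a generic map
        Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", clientId));
        String realmRoleMappings = (String) roleMappings.get("realm");
        String testAppMappings = (String) roleMappings.get(clientId);

        assertRolesString(realmRoleMappings,
                "pref.admin",                 // from direct assignment to /roleRichGroup/level2group
                "pref.user",                  // from parent group of /roleRichGroup/level2group, i.e. from /roleRichGroup
                "pref.customer-user-premium", // from client role customer-admin-composite-role - realm role for test-app
                "pref.realm-composite-role",  // from parent group of /roleRichGroup/level2group, i.e. from /roleRichGroup
                "pref.sample-realm-role");    // from realm role realm-composite-role
        assertRolesString(testAppMappings,
                "ta.customer-user",                 // from direct assignment to /roleRichGroup/level2group
                "ta.customer-admin-composite-role", // from direct assignment to /roleRichGroup/level2group
                "ta.customer-admin",                // from client role customer-admin-composite-role - client role for test-app
                "ta.sample-client-role");           // from realm role realm-composite-role - client role for test-app
    } finally {
        // Revert even after a failed assertion so the mappers do not leak into other tests
        deleteMappers(protocolMappers);
    }
}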
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation) IDToken(org.keycloak.representations.IDToken) Matchers.isEmptyOrNullString(org.hamcrest.Matchers.isEmptyOrNullString) Map(java.util.Map) HashMap(java.util.HashMap) ProtocolMappersResource(org.keycloak.admin.client.resource.ProtocolMappersResource) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 94 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testTokenPropertiesMapping.

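/**
 * Verifies mappers that target claims which are also first-class token
 * properties: a user attribute mapped to {@code sub} and {@code aud} and a
 * hardcoded {@code website} must show up in the ID token, the access token and
 * the UserInfo response, while a hardcoded {@code iat} must NOT override the
 * protocol-level issued-at value.
 *
 * The mappers created here are removed in a {@code finally} block so a failed
 * assertion does not leave them on the "test-app" client for later tests; the
 * removal is driven by a single list of mapper names shared with the creation.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testTokenPropertiesMapping() throws Exception {
    UserResource userResource = findUserByUsernameId(adminClient.realm("test"), "test-user@localhost");
    UserRepresentation user = userResource.toRepresentation();
    user.singleAttribute("userid", "123456789");
    user.getAttributes().put("useraud", Arrays.asList("test-app", "other"));
    userResource.update(user);

    // Names of the mappers created below; the cleanup deletes exactly these
    java.util.List<String> createdMapperNames = Arrays.asList("userid-as-sub", "useraud", "website-hardcoded", "iat-hardcoded");

    ClientResource app = findClientResourceByClientId(adminClient.realm("test"), "test-app");
    try {
        // create a user attr mapping for some claims that exist as properties in the tokens
        app.getProtocolMappers().createMapper(createClaimMapper("userid-as-sub", "userid", "sub", "String", true, true, false)).close();
        app.getProtocolMappers().createMapper(createClaimMapper("useraud", "useraud", "aud", "String", true, true, true)).close();
        app.getProtocolMappers().createMapper(createHardcodedClaim("website-hardcoded", "website", "http://localhost", "String", true, true)).close();
        app.getProtocolMappers().createMapper(createHardcodedClaim("iat-hardcoded", "iat", "123", "long", true, false)).close();

        // login
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");

        // assert mappers work as expected in the ID token
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());
        assertEquals(user.firstAttribute("userid"), idToken.getSubject());
        assertEquals("http://localhost", idToken.getWebsite());
        assertNotNull(idToken.getAudience());
        assertThat(Arrays.asList(idToken.getAudience()), hasItems("test-app", "other"));

        // ...and in the access token
        AccessToken accessToken = oauth.verifyToken(response.getAccessToken());
        assertEquals(user.firstAttribute("userid"), accessToken.getSubject());
        assertEquals("http://localhost", accessToken.getWebsite());
        assertNotNull(accessToken.getAudience());
        assertThat(Arrays.asList(accessToken.getAudience()), hasItems("test-app", "other"));
        // iat should not be modified: a mapper must not be able to overwrite the protocol-level issued-at claim
        assertNotEquals(123L, accessToken.getIat().longValue());

        // assert that tokens are also OK in the UserInfo response (hardcoded mappers in IDToken are in UserInfo)
        Client client = AdminClientUtil.createResteasyClient();
        try {
            Response userInfoResponse = UserInfoClientUtil.executeUserInfoRequest_getMethod(client, response.getAccessToken());
            UserInfo userInfo = userInfoResponse.readEntity(UserInfo.class);
            assertEquals(user.firstAttribute("userid"), userInfo.getSubject());
            assertEquals(user.getEmail(), userInfo.getEmail());
            assertEquals(user.getUsername(), userInfo.getPreferredUsername());
            assertEquals(user.getLastName(), userInfo.getFamilyName());
            assertEquals(user.getFirstName(), userInfo.getGivenName());
            assertEquals("http://localhost", userInfo.getWebsite());
            // NOTE(review): this re-checks the access token's audience, not a UserInfo field - confirm intent
            assertNotNull(accessToken.getAudience());
            assertThat(Arrays.asList(accessToken.getAudience()), hasItems("test-app", "other"));
        } finally {
            client.close();
        }

        // logout
        oauth.openLogout();
    } finally {
        // undo mappers, also after a failed assertion, so they do not affect other tests
        app = findClientByClientId(adminClient.realm("test"), "test-app");
        ClientRepresentation clientRepresentation = app.toRepresentation();
        for (ProtocolMapperRepresentation model : clientRepresentation.getProtocolMappers()) {
            if (createdMapperNames.contains(model.getName())) {
                app.getProtocolMappers().delete(model.getId());
            }
        }
        events.clear();
    }
}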
Also used : Response(javax.ws.rs.core.Response) OAuthClient(org.keycloak.testsuite.util.OAuthClient) AccessToken(org.keycloak.representations.AccessToken) ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation) UserResource(org.keycloak.admin.client.resource.UserResource) ClientResource(org.keycloak.admin.client.resource.ClientResource) IDToken(org.keycloak.representations.IDToken) UserInfo(org.keycloak.representations.UserInfo) OAuthClient(org.keycloak.testsuite.util.OAuthClient) Client(javax.ws.rs.client.Client) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)

Example 95 with AuthServerContainerExclude

use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.

the class OIDCProtocolMappersTest method testUserRoleToAttributeMappers.

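/**
 * Verifies the realm-role and client-role mappers for a user whose roles are
 * assigned directly in the user definition: the "roles-custom" claim of the ID
 * token must list the realm roles with the "pref." prefix and the "test-app"
 * client roles without a prefix (the client mapper is created with a
 * {@code null} prefix).
 *
 * The mappers are removed in a {@code finally} block so a failed assertion does
 * not leave them on the "test-app" client for later tests. The per-role comments
 * are attached to the role they explain (the earlier listing had them shifted
 * up by one line).
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void testUserRoleToAttributeMappers() throws Exception {
    // Add mappers for realm roles and for the client roles of "test-app"
    ProtocolMapperRepresentation realmMapper = ProtocolMapperUtil.createUserRealmRoleMappingMapper("pref.", "Realm roles mapper", "roles-custom.realm", true, true);
    ProtocolMapperRepresentation clientMapper = ProtocolMapperUtil.createUserClientRoleMappingMapper("test-app", null, "Client roles mapper", "roles-custom.test-app", true, true);
    ProtocolMappersResource protocolMappers = ApiUtil.findClientResourceByClientId(adminClient.realm("test"), "test-app").getProtocolMappers();
    protocolMappers.createMapper(Arrays.asList(realmMapper, clientMapper));
    try {
        // Login user
        OAuthClient.AccessTokenResponse response = browserLogin("password", "test-user@localhost", "password");
        IDToken idToken = oauth.verifyIDToken(response.getIdToken());

        // Verify the claim is filled for both the realm and the client
        @SuppressWarnings("unchecked") // claim is a JSON object deserialized as a generic map
        Map<String, Object> roleMappings = (Map<String, Object>) idToken.getOtherClaims().get("roles-custom");
        Assert.assertThat(roleMappings.keySet(), containsInAnyOrder("realm", "test-app"));
        String realmRoleMappings = (String) roleMappings.get("realm");
        String testAppMappings = (String) roleMappings.get("test-app");

        assertRolesString(realmRoleMappings,
                "pref.user",            // from direct assignment in user definition
                "pref.offline_access"); // from direct assignment in user definition
        assertRolesString(testAppMappings,
                "customer-user");       // from direct assignment in user definition
    } finally {
        // Revert even after a failed assertion so the mappers do not leak into other tests
        deleteMappers(protocolMappers);
    }
}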
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation) IDToken(org.keycloak.representations.IDToken) Matchers.isEmptyOrNullString(org.hamcrest.Matchers.isEmptyOrNullString) Map(java.util.Map) HashMap(java.util.HashMap) ProtocolMappersResource(org.keycloak.admin.client.resource.ProtocolMappersResource) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test)
