use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class BrowserButtonsTest method backButtonInResetPasswordFlow.
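@Test
// GreenMailRule is not working atm
@AuthServerContainerExclude(AuthServer.REMOTE)
public void backButtonInResetPasswordFlow() throws Exception {
    // Start from a failed login (the second argument is the password), then use
    // "forgot password" for the same account.
    loginPage.open();
    loginPage.login("login-test", "bad-username");
    loginPage.resetPassword();
    resetPasswordPage.assertCurrent();
    resetPasswordPage.changePassword("login-test");
    loginPage.assertCurrent();
    assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage());

    // Take a single snapshot of the GreenMail inbox. Indexing one getReceivedMessages()
    // call with the length of a second call (as before) could select the wrong mail, or
    // index past the end of the array, if a message arrives between the two calls.
    MimeMessage[] inbox = greenMail.getReceivedMessages();
    MimeMessage latestMail = inbox[inbox.length - 1];
    String changePasswordUrl = MailUtils.getPasswordResetEmailLink(latestMail);

    // The emailed link alone (no password entered) must lead to the update-password page:
    // the link is what authorizes this step.
    driver.navigate().to(changePasswordUrl.trim());
    updatePasswordPage.assertCurrent();

    // Browser back: the reset link opened a "forked flow", so back returns to the
    // original login page.
    driver.navigate().back();
    loginPage.assertCurrent();

    // Browser forward: the update-password page is reachable again.
    driver.navigate().forward();
    updatePasswordPage.assertCurrent();

    // Back again, then complete the original login with the existing password. The user still
    // lands on the update-password page — presumably because opening the reset link attached
    // the UPDATE_PASSWORD required action to the account; verify against the reset-credentials flow.
    driver.navigate().back();
    loginPage.assertCurrent();
    loginPage.login("login-test", "password");
    updatePasswordPage.assertCurrent();
}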
use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class BruteForceTest method testResetPassword.
@Test
// GreenMailRule is not working atm
@AuthServerContainerExclude(REMOTE)
public void testResetPassword() throws Exception {
    // Verifies that a user locked out by brute-force detection can still recover through the
    // email reset flow, and that completing the reset lifts the temporary lockout.
    final String lockedUserId = adminClient.realm("test").users().search("user2", null, null, null, 0, 1).get(0).getId();

    // Two wrong passwords are enough to trip the lockout for this realm's test configuration.
    for (int attempt = 0; attempt < 2; attempt++) {
        loginInvalidPassword("user2");
    }
    expectTemporarilyDisabled("user2", lockedUserId, "invalid");

    // "Forgot password" is still offered while locked out.
    loginPage.resetPassword();
    passwordResetPage.assertCurrent();
    passwordResetPage.changePassword("user2");
    loginPage.assertCurrent();
    assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage());
    events.expectRequiredAction(EventType.SEND_RESET_PASSWORD).user(lockedUserId).assertEvent();

    // Follow the emailed link; no password is entered, the link authorizes the update step.
    final MimeMessage resetMail = greenMail.getReceivedMessages()[0];
    final String resetLink = MailUtils.getPasswordResetEmailLink(resetMail);
    driver.navigate().to(resetLink.trim());
    assertTrue(passwordUpdatePage.isCurrent());

    // The admin representation still reports the user as disabled while the lockout lasts.
    UserRepresentation beforeUpdate = testRealm().users().get(lockedUserId).toRepresentation();
    assertFalse(beforeUpdate.isEnabled());

    updatePasswordPage.updatePasswords("password", "password");
    events.expectRequiredAction(EventType.UPDATE_PASSWORD).user(lockedUserId).assertEvent();

    // Once the password is updated the flag flips back: the lockout is lifted and the
    // login completes normally.
    UserRepresentation afterUpdate = testRealm().users().get(lockedUserId).toRepresentation();
    assertTrue(afterUpdate.isEnabled());
    Assert.assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());

    appPage.logout();
    events.clear();
}
use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class ReAuthenticationTest method identityFirstFormReauthenticationWithGithubLink.
// Re-authentication with the username form separate from the password form. The username form is shown because the user is linked to the "github" identity provider.
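@Test
@AuthServerContainerExclude(REMOTE)
public void identityFirstFormReauthenticationWithGithubLink() {
    // Set identity-first as realm flow
    setupIdentityFirstFlow();
    try {
        // Add fake federated link to the user
        UserResource user = ApiUtil.findUserByUsernameId(testRealm(), "test-user@localhost");
        FederatedIdentityRepresentation fedLink = FederatedIdentityBuilder.create().identityProvider("github").userId("123").userName("test").build();
        user.addFederatedIdentity("github", fedLink);
        try {
            // Login user
            loginPage.open();
            loginUsernameOnlyPage.assertCurrent();
            loginUsernameOnlyPage.login("test-user@localhost");
            passwordPage.assertCurrent();
            passwordPage.login("password");
            Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());

            // Force re-authentication: move the clock 10s ahead and request max_age=1, so the
            // existing authentication is too old and the user must confirm it again.
            setTimeOffset(10);
            oauth.maxAge("1");
            loginPage.open();

            // The re-auth prompt is bound to the already-logged-in user: no username input,
            // no register / rememberMe, and an info message explaining the re-authentication.
            loginPage.assertCurrent();
            assertUsernameFieldAndOtherFields(false);
            assertInfoMessageAboutReAuthenticate(true);
            // Check there is NO password field on the identity-first page
            Assert.assertTrue(driver.findElements(By.id("password")).isEmpty());
            // Only the IdP the user is actually linked to is offered: Github present, Google hidden
            assertSocialButtonsPresent(true, false);

            // Confirm login with password
            loginUsernameOnlyPage.clickSubmitButton();
            // Login with password. Info message should not be there anymore
            passwordPage.assertCurrent();
            passwordPage.login("password");
            assertInfoMessageAboutReAuthenticate(false);
            Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
        } finally {
            // Always remove the fake link, even when an assertion above fails, so a
            // "github"-linked test user does not leak into later tests of this realm.
            user.removeFederatedIdentity("github");
        }
    } finally {
        // Likewise always restore the realm's browser flow.
        BrowserFlowTest.revertFlows(testRealm(), "browser - identity first");
    }
}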
use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class OIDCWellKnownProviderTest method testDefaultProviderCustomizations.
@Test
@AuthServerContainerExclude(REMOTE)
public void testDefaultProviderCustomizations() throws IOException {
    // Checks that the testsuite's CustomOIDCWellKnownProvider takes priority over the default
    // OIDCWellKnownProvider and that its customizations show up in the discovery document.
    Client restClient = AdminClientUtil.createResteasyClient();
    try {
        OIDCConfigurationRepresentation discovery = getOIDCDiscoveryRepresentation(restClient, OAuthClient.AUTH_SERVER_ROOT);

        // Placeholder mTLS alias host and extra claims are only emitted by the custom provider.
        MTLSEndpointAliases aliases = discovery.getMtlsEndpointAliases();
        Assert.assertEquals("https://placeholder-host-set-by-testsuite-provider/registration", aliases.getRegistrationEndpoint());

        Map otherClaims = discovery.getOtherClaims();
        Assert.assertEquals("bar", otherClaims.get("foo"));
        // Some configuration is overridden by the custom provider
        Assert.assertEquals("some-new-property-value", otherClaims.get("some-new-property"));
        Map compound = (Map) otherClaims.get("some-new-property-compound");
        Assert.assertEquals("nested-value", compound.get("nested1"));

        // NOTE(review): the document advertises whatever the provider lists, including
        // "custom_nonexisting_authenticator", which by its name presumably has no implementation.
        // The metadata does not appear to be validated against registered client authenticators,
        // so a relying party cannot treat this list as proof that a method is usable.
        Assert.assertNames(discovery.getIntrospectionEndpointAuthMethodsSupported(), "private_key_jwt", "client_secret_jwt", "tls_client_auth", "custom_nonexisting_authenticator");

        // Exact scope names are already tested in the OIDC tests
        assertScopesSupportedMatchesWithRealm(discovery);

        // Temporarily disable client scopes via the provider's server-side property and re-fetch:
        // scopes_supported must then be absent entirely.
        getTestingClient().testing().setSystemPropertyOnServer(CustomOIDCWellKnownProviderFactory.INCLUDE_CLIENT_SCOPES, "false");
        discovery = getOIDCDiscoveryRepresentation(restClient, OAuthClient.AUTH_SERVER_ROOT);
        Assert.assertNull(discovery.getScopesSupported());
    } finally {
        // Restore the server-side property regardless of outcome, then release the client.
        getTestingClient().testing().setSystemPropertyOnServer(CustomOIDCWellKnownProviderFactory.INCLUDE_CLIENT_SCOPES, null);
        restClient.close();
    }
}
use of org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude in project keycloak by keycloak.
the class ArtifactBindingTest method testSessionStateDuringArtifactBindingLogoutWithOneClient.
// Won't work on OpenShift (remote auth server), because the server there cannot see the ArtifactResolutionService
@AuthServerContainerExclude(AuthServerContainerExclude.AuthServer.REMOTE)
@Test
public void testSessionStateDuringArtifactBindingLogoutWithOneClient() {
// Tracks the user/client session state on the server while a single SAML client logs in and
// out over the artifact binding: LOGGED_IN after login, LOGGED_OUT_UNCONFIRMED with one client
// session in LOGGING_OUT while the logout artifact is pending, and no user session afterwards.
ClientRepresentation salesRep = adminClient.realm(REALM_NAME).clients().findByClientId(SAML_CLIENT_ID_SALES_POST).get(0);
final String clientId = salesRep.getId();
// Enable artifact binding and front-channel logout for the sales-post client and point its artifact
// SLO URL at a placeholder. Registered with getCleanup() so the attributes are reverted after the test.
// NOTE(review): "http://url" is plain HTTP; presumably never contacted here since redirects are not
// followed below — confirm nothing in this path actually resolves it.
getCleanup().addCleanup(ClientAttributeUpdater.forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST).setAttribute(SamlConfigAttributes.SAML_ARTIFACT_BINDING, "true").setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE, "http://url").setFrontchannelLogout(true).update());
// Filled in by the first SessionStateChecker so later checks can refer to the same user session.
AtomicReference<String> userSessionId = new AtomicReference<>();
// One scripted exchange: (1) AuthnRequest + login as bburkeUser; (2) resolve the login artifact,
// checking beforehand that the user session is LOGGED_IN with a non-null client session for this
// client; (3) LogoutRequest; (4) resolve the logout artifact — before resolution the same user
// session must be LOGGED_OUT_UNCONFIRMED with exactly one client session in LOGGING_OUT, after it
// the user session must be gone. Redirects are not followed; the result is the parsed artifact response.
SAMLDocumentHolder response = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST).build().login().user(bburkeUser).build().handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST).setBeforeStepChecks(new SessionStateChecker(testingClient.server()).storeUserSessionId(userSessionId).expectedState(UserSessionModel.State.LOGGED_IN).expectedClientSession(clientId).consumeUserSession(userSessionModel -> assertThat(userSessionModel, notNullValue())).consumeClientSession(clientId, userSessionModel -> assertThat(userSessionModel, notNullValue()))).build().logoutRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, POST).build().handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST).setBeforeStepChecks(new SessionStateChecker(testingClient.server()).expectedUserSession(userSessionId).expectedState(UserSessionModel.State.LOGGED_OUT_UNCONFIRMED).expectedNumberOfClientSessions(1).expectedAction(clientId, CommonClientSessionModel.Action.LOGGING_OUT)).setAfterStepChecks(new SessionStateChecker(testingClient.server()).consumeUserSession(userSessionModel -> assertThat(userSessionModel, nullValue())).setUserSessionProvider(session -> userSessionId.get())).build().doNotFollowRedirects().executeAndTransform(this::getArtifactResponse);
// The resolved message is a successful ArtifactResponse.
assertThat(response.getSamlObject(), instanceOf(ArtifactResponseType.class));
ArtifactResponseType artifactResponse = (ArtifactResponseType) response.getSamlObject();
assertThat(artifactResponse, isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
// NOTE(review): the outer ArtifactResponse wrapper is asserted to be UNSIGNED. That is the expected
// shape for this client, which presumably has no signature requirements configured in this test;
// it is not a general statement that artifact responses are never signed — confirm against the
// client's signing settings if this assertion is reused elsewhere.
assertThat(artifactResponse.getSignature(), nullValue());
// The wrapped message is a plain status response (the LogoutResponse), not a Response,
// a nested ArtifactResponse or a NameIDMappingResponse.
assertThat(artifactResponse.getAny(), not(instanceOf(ResponseType.class)));
assertThat(artifactResponse.getAny(), not(instanceOf(ArtifactResponseType.class)));
assertThat(artifactResponse.getAny(), not(instanceOf(NameIDMappingResponseType.class)));
assertThat(artifactResponse.getAny(), instanceOf(StatusResponseType.class));
StatusResponseType samlResponse = (StatusResponseType) artifactResponse.getAny();
assertThat(samlResponse, isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
}