
Example 11 with DisableFeature

use of org.keycloak.testsuite.arquillian.annotation.DisableFeature in project keycloak by keycloak.

the class ClientInitiatedAccountLinkTest method testAccountLinkingExpired.

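@Test
// TODO remove this (KEYCLOAK-16228)
@DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
public void testAccountLinkingExpired() throws Exception {
    // A broker account-linking request must be rejected when the "child" user session
    // that started it is logged out before the parent-realm login completes, and no
    // federated identity link may be created as a side effect of the attempt.
    RealmResource realm = adminClient.realms().realm(CHILD_IDP);
    List<FederatedIdentityRepresentation> links = realm.users().get(childUserId).getFederatedIdentity();
    Assert.assertTrue("child user must start without federated identity links", links.isEmpty());
    try {
        // Login to account mgmt first
        profilePage.open(CHILD_IDP);
        WaitUtils.waitForPageToLoad();
        Assert.assertTrue(loginPage.isCurrent(CHILD_IDP));
        loginPage.login("child", "password");
        profilePage.assertCurrent();
        // Now in another tab, request account linking
        UriBuilder linkBuilder = UriBuilder.fromUri(appPage.getInjectedUrl().toString()).path("link");
        String linkUrl = linkBuilder.clone().queryParam("realm", CHILD_IDP).queryParam("provider", PARENT_IDP).build().toString();
        navigateTo(linkUrl);
        Assert.assertTrue(loginPage.isCurrent(PARENT_IDP));
        // Logout "child" userSession in the meantime (for example through admin request)
        realm.logoutAll();
        // Finish login on parent.
        loginPage.login(PARENT_USERNAME, "password");
        // Test I was not automatically linked
        links = realm.users().get(childUserId).getFederatedIdentity();
        Assert.assertTrue("no link may be created for an invalidated linking request", links.isEmpty());
        errorPage.assertCurrent();
        Assert.assertEquals("Requested broker account linking, but current session is no longer valid.", errorPage.getError());
    } finally {
        // Run the cleanup even when an assertion above fails, so a half-finished
        // login state is not left behind for the next test (same pattern as the
        // other tests that modify shared state in a try/finally).
        logoutAll();
    }
}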

Example 12 with DisableFeature

use of org.keycloak.testsuite.arquillian.annotation.DisableFeature in project keycloak by keycloak.

the class UserManagedPermissionServiceTest method testUploadScriptDisabled.

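@Test
@DisableFeature(value = Profile.Feature.UPLOAD_SCRIPTS, skipRestart = true)
public void testUploadScriptDisabled() {
    // With UPLOAD_SCRIPTS disabled, a user-managed permission that carries a script
    // condition must be rejected on create and on update, while a permission without
    // a condition is still accepted.
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Resource A");
    resource.setOwnerManagedAccess(true);
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    resource = getAuthzClient().protection().resource().create(resource);

    UmaPermissionRepresentation newPermission = new UmaPermissionRepresentation();
    newPermission.setName("Custom User-Managed Permission");
    newPermission.setDescription("Users from specific roles are allowed to access");
    newPermission.setCondition("$evaluation.grant()");

    ProtectionResource protection = getAuthzClient().protection("marta", "password");
    try {
        protection.policy(resource.getId()).create(newPermission);
        fail("Should fail because upload scripts is disabled");
    } catch (Exception expected) {
        // Rejection is the expected outcome. The catch stays broad because the exact
        // client exception type is not pinned down here; fail() throws an AssertionError,
        // which is not an Exception and therefore still propagates.
    }

    // Without a condition the permission must be accepted.
    newPermission.setCondition(null);
    UmaPermissionRepresentation representation = protection.policy(resource.getId()).create(newPermission);

    // Adding a script condition afterwards must be rejected too. The update has to be
    // sent with the stored representation: it carries the permission id and the new
    // condition, whereas newPermission still has a null condition and no id, so sending
    // it would exercise a different (and unrelated) failure.
    representation.setCondition("$evaluation.grant();");
    try {
        protection.policy(resource.getId()).update(representation);
        fail("Should fail because upload scripts is disabled");
    } catch (Exception expected) {
        // Rejection is the expected outcome; see the note on the create case above.
    }
}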

Example 13 with DisableFeature

use of org.keycloak.testsuite.arquillian.annotation.DisableFeature in project keycloak by keycloak.

the class JavascriptAdapterTest method grantBrowserBasedApp.

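@Test
// TODO remove this (KEYCLOAK-16228)
@DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
public void grantBrowserBasedApp() {
    // Consent flow for the browser-based (JS adapter) client: the first login must show
    // the consent screen, revoking the grant from account management must produce a
    // REVOKE_GRANT event, and the next login must ask for consent again.
    Assume.assumeTrue("This test doesn't work with phantomjs", !"phantomjs".equals(System.getProperty("js.browser")));
    ClientResource clientResource = ApiUtil.findClientResourceByClientId(adminClient.realm(REALM_NAME), CLIENT_ID);
    ClientRepresentation client = clientResource.toRepresentation();
    // Remember the pre-test value so cleanup restores it instead of forcing "false".
    Boolean originalConsentRequired = client.isConsentRequired();
    try {
        client.setConsentRequired(true);
        clientResource.update(client);
        // The lambda parameters are named so they do not shadow the `events` field used below.
        testExecutor.init(defaultArguments(), this::assertInitNotAuth)
                .login(this::assertOnLoginPage)
                .loginForm(testUser, (drv, out, evts) -> assertTrue(oAuthGrantPage.isCurrent(drv)));
        oAuthGrantPage.accept();
        EventRepresentation loginEvent = events.expectLogin()
                .client(CLIENT_ID)
                .detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
                .detail(Details.REDIRECT_URI, testAppUrl)
                .detail(Details.USERNAME, testUser.getUsername())
                .assertEvent();
        String codeId = loginEvent.getDetails().get(Details.CODE_ID);
        testExecutor.init(defaultArguments(), this::assertInitAuth);
        applicationsPage.navigateTo();
        events.expectCodeToToken(codeId, loginEvent.getSessionId()).client(CLIENT_ID).assertEvent();
        applicationsPage.revokeGrantForApplication(CLIENT_ID);
        events.expect(EventType.REVOKE_GRANT).client("account").detail(Details.REVOKED_CLIENT, CLIENT_ID).assertEvent();
        jsDriver.navigate().to(testAppUrl);
        // need to configure because we refreshed page
        testExecutor.configure()
                .init(defaultArguments(), this::assertInitNotAuth)
                .login((drv, out, evts) -> assertTrue(oAuthGrantPage.isCurrent(drv)));
    } finally {
        // Clean: put the client back into the consent state it had before the test.
        client.setConsentRequired(originalConsentRequired);
        clientResource.update(client);
    }
}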

Example 14 with DisableFeature

use of org.keycloak.testsuite.arquillian.annotation.DisableFeature in project keycloak by keycloak.

the class OIDCScopeTest method testRefreshTokenWithConsentRequired.

@Test
// TODO remove this (KEYCLOAK-16228)
@DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
public void testRefreshTokenWithConsentRequired() {
    // The consent-requiring client "third-party" can refresh its tokens while the
    // user's grant exists; once the grant is revoked from account management the
    // refresh token is rejected with 400 / invalid_token.
    oauth.clientId("third-party");
    oauth.doLoginGrant("john", "password");
    grantPage.assertCurrent();
    grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT);
    grantPage.accept();

    EventRepresentation loginEvent = events.expectLogin()
            .user(userId)
            .client("third-party")
            .detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
            .assertEvent();
    Tokens initialTokens = sendTokenRequest(loginEvent, userId, "openid email profile", "third-party");
    RefreshToken initialRefreshToken = oauth.parseRefreshToken(initialTokens.refreshToken);
    assertProfileAndEmailOnly(initialTokens.idToken);

    // Refresh must succeed while the grant is in place
    OAuthClient.AccessTokenResponse refreshed = oauth.doRefreshTokenRequest(initialTokens.refreshToken, "password");
    Assert.assertEquals(200, refreshed.getStatusCode());
    IDToken refreshedIdToken = oauth.verifyIDToken(refreshed.getIdToken());
    assertProfileAndEmailOnly(refreshedIdToken);
    events.expectRefresh(initialRefreshToken.getId(), refreshedIdToken.getSessionState())
            .user(userId)
            .client("third-party")
            .assertEvent();

    // Revoke the grant from the account applications page
    accountAppsPage.open();
    events.clear();
    accountAppsPage.revokeGrant("third-party");
    events.expect(EventType.REVOKE_GRANT)
            .client("account")
            .user(userId)
            .detail(Details.REVOKED_CLIENT, "third-party")
            .assertEvent();

    // The refresh token handed out above must no longer be usable
    OAuthClient.AccessTokenResponse rejected = oauth.doRefreshTokenRequest(refreshed.getRefreshToken(), "password");
    Assert.assertEquals(400, rejected.getStatusCode());
    events.expectRefresh(initialRefreshToken.getId(), refreshedIdToken.getSessionState())
            .client("third-party")
            .user(userId)
            .removeDetail(Details.TOKEN_ID)
            .removeDetail(Details.REFRESH_TOKEN_ID)
            .removeDetail(Details.UPDATED_REFRESH_TOKEN_ID)
            .error("invalid_token")
            .assertEvent();
}

// Asserts that the profile and email claims are present and the address and phone claims absent.
private void assertProfileAndEmailOnly(IDToken idToken) {
    assertProfile(idToken, true);
    assertEmail(idToken, true);
    assertAddress(idToken, false);
    assertPhone(idToken, false);
}

Example 15 with DisableFeature

use of org.keycloak.testsuite.arquillian.annotation.DisableFeature in project keycloak by keycloak.

the class OfflineTokenTest method offlineTokenRemoveClientWithTokens.

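// KEYCLOAK-4525
@Test
// TODO remove this (KEYCLOAK-16228)
@DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
public void offlineTokenRemoveClientWithTokens() throws Exception {
    // Removing a client must also remove the offline-token grants it issued: the client
    // disappears from the user's account applications page and no consent entry for it
    // survives in the admin view of the user.
    // Create new client
    RealmResource appRealm = adminClient.realm("test");
    ClientRepresentation clientRep = ClientBuilder.create()
            .clientId("offline-client-2")
            .id(KeycloakModelUtils.generateId())
            .directAccessGrants()
            .secret("secret1")
            .build();
    // create() returns a JAX-RS Response; close it so the underlying connection is released.
    appRealm.clients().create(clientRep).close();

    // Direct grant login requesting offline token
    oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
    oauth.clientId("offline-client-2");
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("secret1", "test-user@localhost", "password");
    Assert.assertNull(tokenResponse.getErrorDescription());
    AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
    String offlineTokenString = tokenResponse.getRefreshToken();
    RefreshToken offlineToken = oauth.parseRefreshToken(offlineTokenString);
    events.expectLogin()
            .client("offline-client-2")
            .user(userId)
            .session(token.getSessionState())
            .detail(Details.GRANT_TYPE, OAuth2Constants.PASSWORD)
            .detail(Details.TOKEN_ID, token.getId())
            .detail(Details.REFRESH_TOKEN_ID, offlineToken.getId())
            .detail(Details.REFRESH_TOKEN_TYPE, TokenUtil.TOKEN_TYPE_OFFLINE)
            .detail(Details.USERNAME, "test-user@localhost")
            .removeDetail(Details.CODE_ID)
            .removeDetail(Details.REDIRECT_URI)
            .removeDetail(Details.CONSENT)
            .assertEvent();

    // Go to account mgmt applications page
    applicationsPage.open();
    loginPage.login("test-user@localhost", "password");
    events.expectLogin().client("account").detail(Details.REDIRECT_URI, getAccountRedirectUrl() + "?path=applications").assertEvent();
    assertTrue(applicationsPage.isCurrent());
    Map<String, AccountApplicationsPage.AppEntry> apps = applicationsPage.getApplications();
    assertTrue(apps.containsKey("offline-client-2"));
    Assert.assertEquals("Offline Token", apps.get("offline-client-2").getAdditionalGrants().get(0));

    // Now remove the client
    ClientResource offlineTokenClient2 = ApiUtil.findClientByClientId(appRealm, "offline-client-2");
    offlineTokenClient2.remove();

    // Go to applications page and see offline-client not anymore
    applicationsPage.open();
    apps = applicationsPage.getApplications();
    assertFalse(apps.containsKey("offline-client-2"));

    // Login as admin and see consents of user: none may still reference the removed client
    UserResource user = ApiUtil.findUserByUsernameId(appRealm, "test-user@localhost");
    List<Map<String, Object>> consents = user.getConsents();
    assertTrue("consent for the removed client must be gone",
            consents.stream().noneMatch(consent -> "offline-client-2".equals(consent.get("clientId"))));
}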
