Use of org.keycloak.testsuite.arquillian.annotation.DisableFeature in project keycloak by keycloak.
Class ClientInitiatedAccountLinkTest, method testAccountLinkingExpired.
/**
 * Client-initiated account linking must not complete when the user session it was started
 * from has been invalidated in the meantime: no federated identity may be attached and the
 * user lands on the error page instead.
 */
@Test
// TODO remove this (KEYCLOAK-16228)
@DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
public void testAccountLinkingExpired() throws Exception {
    // Precondition: the child user has no federated identity yet.
    RealmResource childRealm = adminClient.realms().realm(CHILD_IDP);
    List<FederatedIdentityRepresentation> federatedLinks = childRealm.users().get(childUserId).getFederatedIdentity();
    Assert.assertTrue(federatedLinks.isEmpty());

    // Establish a browser session in the child realm through account management.
    profilePage.open(CHILD_IDP);
    WaitUtils.waitForPageToLoad();
    Assert.assertTrue(loginPage.isCurrent(CHILD_IDP));
    loginPage.login("child", "password");
    profilePage.assertCurrent();

    // Start client-initiated linking against the parent IdP, as a second tab would.
    String linkUrl = UriBuilder.fromUri(appPage.getInjectedUrl().toString())
            .path("link")
            .queryParam("realm", CHILD_IDP)
            .queryParam("provider", PARENT_IDP)
            .build()
            .toString();
    navigateTo(linkUrl);
    Assert.assertTrue(loginPage.isCurrent(PARENT_IDP));

    // Invalidate the child user session while the linking flow is still in progress
    // (for example an administrator logging everybody out).
    childRealm.logoutAll();

    // Finishing the parent login must not attach the identity to a session that no longer exists.
    loginPage.login(PARENT_USERNAME, "password");
    federatedLinks = childRealm.users().get(childUserId).getFederatedIdentity();
    Assert.assertTrue(federatedLinks.isEmpty());
    errorPage.assertCurrent();
    Assert.assertEquals("Requested broker account linking, but current session is no longer valid.", errorPage.getError());

    logoutAll();
}
Use of org.keycloak.testsuite.arquillian.annotation.DisableFeature in project keycloak by keycloak.
Class UserManagedPermissionServiceTest, method testUploadScriptDisabled.
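/**
 * With {@code UPLOAD_SCRIPTS} disabled, a user-managed permission that carries a JavaScript
 * condition must be rejected on create and on update, while the same permission without a
 * condition is accepted. The update case has to be sent with the persisted representation
 * (the one the server returned, which carries the id and the script condition); the original
 * sent {@code newPermission}, which has no condition and was never given an id, so it did not
 * verify that an update with a script is refused.
 */
@Test
@DisableFeature(value = Profile.Feature.UPLOAD_SCRIPTS, skipRestart = true)
public void testUploadScriptDisabled() {
    ResourceRepresentation resource = new ResourceRepresentation();
    resource.setName("Resource A");
    resource.setOwnerManagedAccess(true);
    resource.setOwner("marta");
    resource.addScope("Scope A", "Scope B", "Scope C");
    resource = getAuthzClient().protection().resource().create(resource);

    UmaPermissionRepresentation newPermission = new UmaPermissionRepresentation();
    newPermission.setName("Custom User-Managed Permission");
    newPermission.setDescription("Users from specific roles are allowed to access");
    newPermission.setCondition("$evaluation.grant()");

    ProtectionResource protection = getAuthzClient().protection("marta", "password");

    // Create with a script condition must be refused while the feature is disabled.
    try {
        protection.policy(resource.getId()).create(newPermission);
        fail("Should fail because upload scripts is disabled");
    } catch (Exception ignored) {
        // expected: fail() throws an AssertionError, which this catch does not swallow
    }

    // Without a condition the permission is accepted; keep the server-side copy, it carries the id.
    newPermission.setCondition(null);
    UmaPermissionRepresentation representation = protection.policy(resource.getId()).create(newPermission);

    // Update with a script condition must be refused as well. Send the persisted representation,
    // not newPermission: only the former carries the script condition being tested.
    representation.setCondition("$evaluation.grant();");
    try {
        protection.policy(resource.getId()).update(representation);
        fail("Should fail because upload scripts is disabled");
    } catch (Exception ignored) {
        // expected, see above
    }
}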
Use of org.keycloak.testsuite.arquillian.annotation.DisableFeature in project keycloak by keycloak.
Class JavascriptAdapterTest, method grantBrowserBasedApp.
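/**
 * With consent required on the client, the JS adapter login must show the grant page, the
 * granted consent must be recorded in the login event, and revoking the grant in account
 * management must bring the grant page back on the next login. The cleanup restores the
 * client's original {@code consentRequired} value instead of assuming it was {@code false}.
 */
@Test
// TODO remove this (KEYCLOAK-16228)
@DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
public void grantBrowserBasedApp() {
    Assume.assumeTrue("This test doesn't work with phantomjs", !"phantomjs".equals(System.getProperty("js.browser")));

    ClientResource clientResource = ApiUtil.findClientResourceByClientId(adminClient.realm(REALM_NAME), CLIENT_ID);
    ClientRepresentation client = clientResource.toRepresentation();
    // Remember the fixture's setting so the cleanup puts it back; an unset (null) value is
    // treated as false, which is what the cleanup restored before.
    boolean originalConsentRequired = Boolean.TRUE.equals(client.isConsentRequired());
    try {
        client.setConsentRequired(true);
        clientResource.update(client);

        // First login: consent is required, so the grant page must appear before the app is authenticated.
        // Lambda parameters are named so they do not shadow the 'events' field used below.
        testExecutor.init(defaultArguments(), this::assertInitNotAuth)
                .login(this::assertOnLoginPage)
                .loginForm(testUser, (driver1, output, evts) -> assertTrue(oAuthGrantPage.isCurrent(driver1)));
        oAuthGrantPage.accept();

        EventRepresentation loginEvent = events.expectLogin()
                .client(CLIENT_ID)
                .detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
                .detail(Details.REDIRECT_URI, testAppUrl)
                .detail(Details.USERNAME, testUser.getUsername())
                .assertEvent();
        String codeId = loginEvent.getDetails().get(Details.CODE_ID);

        testExecutor.init(defaultArguments(), this::assertInitAuth);
        applicationsPage.navigateTo();
        events.expectCodeToToken(codeId, loginEvent.getSessionId()).client(CLIENT_ID).assertEvent();

        // Revoking the grant in account management must force the grant page on the next login.
        applicationsPage.revokeGrantForApplication(CLIENT_ID);
        events.expect(EventType.REVOKE_GRANT).client("account").detail(Details.REVOKED_CLIENT, CLIENT_ID).assertEvent();

        jsDriver.navigate().to(testAppUrl);
        // need to configure because we refreshed page
        testExecutor.configure()
                .init(defaultArguments(), this::assertInitNotAuth)
                .login((driver1, output, evts) -> assertTrue(oAuthGrantPage.isCurrent(driver1)));
    } finally {
        // Clean: restore the client to the state the fixture had.
        client.setConsentRequired(originalConsentRequired);
        clientResource.update(client);
    }
}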
Use of org.keycloak.testsuite.arquillian.annotation.DisableFeature in project keycloak by keycloak.
Class OIDCScopeTest, method testRefreshTokenWithConsentRequired.
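/**
 * A client with {@code consentRequired} can refresh tokens while the user's consent stands and
 * loses that ability once the user revokes the grant in account management; the failed refresh
 * must be reported as {@code invalid_token}. Assertions use {@code Assert.assertEquals}
 * consistently (the original mixed it with the statically imported form).
 */
@Test
// TODO remove this (KEYCLOAK-16228)
@DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
public void testRefreshTokenWithConsentRequired() {
    // Login with consentRequired
    oauth.clientId("third-party");
    oauth.doLoginGrant("john", "password");

    grantPage.assertCurrent();
    grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT);
    grantPage.accept();

    EventRepresentation loginEvent = events.expectLogin()
            .user(userId)
            .client("third-party")
            .detail(Details.CONSENT, Details.CONSENT_VALUE_CONSENT_GRANTED)
            .assertEvent();

    Tokens tokens = sendTokenRequest(loginEvent, userId, "openid email profile", "third-party");
    IDToken idToken = tokens.idToken;
    RefreshToken refreshToken1 = oauth.parseRefreshToken(tokens.refreshToken);

    // Only the consented scopes (profile, email) are reflected in the ID token.
    assertProfile(idToken, true);
    assertEmail(idToken, true);
    assertAddress(idToken, false);
    assertPhone(idToken, false);

    // Ensure that I can refresh token
    OAuthClient.AccessTokenResponse refreshResponse = oauth.doRefreshTokenRequest(tokens.refreshToken, "password");
    Assert.assertEquals(200, refreshResponse.getStatusCode());

    idToken = oauth.verifyIDToken(refreshResponse.getIdToken());
    assertProfile(idToken, true);
    assertEmail(idToken, true);
    assertAddress(idToken, false);
    assertPhone(idToken, false);

    events.expectRefresh(refreshToken1.getId(), idToken.getSessionState()).user(userId).client("third-party").assertEvent();

    // Go to applications in account mgmt and revoke consent
    accountAppsPage.open();
    events.clear();
    accountAppsPage.revokeGrant("third-party");
    events.expect(EventType.REVOKE_GRANT).client("account").user(userId).detail(Details.REVOKED_CLIENT, "third-party").assertEvent();

    // Ensure I can't refresh anymore: the token issued before the revocation must be refused.
    refreshResponse = oauth.doRefreshTokenRequest(refreshResponse.getRefreshToken(), "password");
    Assert.assertEquals(400, refreshResponse.getStatusCode());

    events.expectRefresh(refreshToken1.getId(), idToken.getSessionState())
            .client("third-party")
            .user(userId)
            .removeDetail(Details.TOKEN_ID)
            .removeDetail(Details.REFRESH_TOKEN_ID)
            .removeDetail(Details.UPDATED_REFRESH_TOKEN_ID)
            .error("invalid_token")
            .assertEvent();
}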
Use of org.keycloak.testsuite.arquillian.annotation.DisableFeature in project keycloak by keycloak.
Class OfflineTokenTest, method offlineTokenRemoveClientWithTokens.
// KEYCLOAK-4525
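/**
 * Removing a client that holds offline tokens must drop its entry from the user's
 * account-management applications page and leave no user consent referring to it.
 * The JAX-RS {@code Response} returned by the client create call is closed so its connection
 * is released, and the final check uses JUnit's (unexpected, actual) argument order.
 */
@Test
// TODO remove this (KEYCLOAK-16228)
@DisableFeature(value = Profile.Feature.ACCOUNT2, skipRestart = true)
public void offlineTokenRemoveClientWithTokens() throws Exception {
    // Create new client
    RealmResource appRealm = adminClient.realm("test");
    ClientRepresentation clientRep = ClientBuilder.create()
            .clientId("offline-client-2")
            .id(KeycloakModelUtils.generateId())
            .directAccessGrants()
            .secret("secret1")
            .build();
    // create() returns a Response; close it so the underlying connection is not leaked.
    appRealm.clients().create(clientRep).close();

    // Direct grant login requesting offline token
    oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
    oauth.clientId("offline-client-2");
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("secret1", "test-user@localhost", "password");
    Assert.assertNull(tokenResponse.getErrorDescription());

    AccessToken token = oauth.verifyToken(tokenResponse.getAccessToken());
    String offlineTokenString = tokenResponse.getRefreshToken();
    RefreshToken offlineToken = oauth.parseRefreshToken(offlineTokenString);

    events.expectLogin()
            .client("offline-client-2")
            .user(userId)
            .session(token.getSessionState())
            .detail(Details.GRANT_TYPE, OAuth2Constants.PASSWORD)
            .detail(Details.TOKEN_ID, token.getId())
            .detail(Details.REFRESH_TOKEN_ID, offlineToken.getId())
            .detail(Details.REFRESH_TOKEN_TYPE, TokenUtil.TOKEN_TYPE_OFFLINE)
            .detail(Details.USERNAME, "test-user@localhost")
            .removeDetail(Details.CODE_ID)
            .removeDetail(Details.REDIRECT_URI)
            .removeDetail(Details.CONSENT)
            .assertEvent();

    // Go to account mgmt applications page
    applicationsPage.open();
    loginPage.login("test-user@localhost", "password");
    events.expectLogin().client("account").detail(Details.REDIRECT_URI, getAccountRedirectUrl() + "?path=applications").assertEvent();
    assertTrue(applicationsPage.isCurrent());

    Map<String, AccountApplicationsPage.AppEntry> apps = applicationsPage.getApplications();
    assertTrue(apps.containsKey("offline-client-2"));
    Assert.assertEquals("Offline Token", apps.get("offline-client-2").getAdditionalGrants().get(0));

    // Now remove the client
    ClientResource offlineTokenClient2 = ApiUtil.findClientByClientId(appRealm, "offline-client-2");
    offlineTokenClient2.remove();

    // Go to applications page and see offline-client not anymore
    applicationsPage.open();
    apps = applicationsPage.getApplications();
    assertFalse(apps.containsKey("offline-client-2"));

    // Login as admin and see consents of user: none may still reference the removed client
    UserResource user = ApiUtil.findUserByUsernameId(appRealm, "test-user@localhost");
    List<Map<String, Object>> consents = user.getConsents();
    for (Map<String, Object> consent : consents) {
        // (unexpected, actual) order so a failure message reads correctly
        assertNotEquals("offline-client-2", consent.get("clientId"));
    }
}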