
Class UncaughtErrorPageTest, method uncaughtErrorJson:

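/**
 * Calls the testing endpoint that deliberately raises an uncaught server error and
 * checks that the JSON error path answers with HTTP 500 and the generic
 * "An internal server error has occurred" message.
 *
 * @throws IOException if the response body cannot be read
 */
@Test
@UncaughtServerErrorExpected
public void uncaughtErrorJson() throws IOException {
    Response response = testingClient.testing().uncaughtError();
    try {
        assertEquals(500, response.getStatus());
        // try-with-resources releases the entity stream even if the content assertion fails
        try (InputStream is = (InputStream) response.getEntity()) {
            String responseString = StreamUtil.readString(is, Charset.forName("UTF-8"));
            Assert.assertTrue(responseString.contains("An internal server error has occurred"));
        }
    } finally {
        // close the JAX-RS response so the underlying connection is returned regardless of outcome
        response.close();
    }
}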

Class KerberosStandaloneTest, method handleUnknownKerberosRealm:

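/**
 * KEYCLOAK-4178
 *
 * Assert it's handled when kerberos realm is unreachable: the Kerberos user-storage
 * provider of the "test" realm is pointed at the realm "unavailable" and a user
 * creation through the admin API is then expected to fail with HTTP 500.
 *
 * The provider's previous realm setting is restored in a finally block so a failing
 * assertion does not leave the realm pointing at the unavailable Kerberos realm.
 *
 * @throws Exception if an admin API call fails
 */
@Test
@UncaughtServerErrorExpected
public void handleUnknownKerberosRealm() throws Exception {
    // Switch kerberos realm to "unavailable"
    List<ComponentRepresentation> reps = testRealmResource().components().query("test", UserStorageProvider.class.getName());
    org.keycloak.testsuite.Assert.assertEquals(1, reps.size());
    ComponentRepresentation kerberosProvider = reps.get(0);
    // remember the configured realm so it can be put back afterwards
    String originalRealm = kerberosProvider.getConfig().getFirst(KerberosConstants.KERBEROS_REALM);
    kerberosProvider.getConfig().putSingle(KerberosConstants.KERBEROS_REALM, "unavailable");
    testRealmResource().components().component(kerberosProvider.getId()).update(kerberosProvider);
    try {
        // Try register new user and assert it failed
        UserRepresentation john = new UserRepresentation();
        john.setUsername("john");
        Response response = testRealmResource().users().create(john);
        try {
            Assert.assertEquals(500, response.getStatus());
        } finally {
            // release the response even when the status assertion fails
            response.close();
        }
    } finally {
        // Revert the provider config so later tests see the original Kerberos realm
        if (originalRealm == null) {
            kerberosProvider.getConfig().remove(KerberosConstants.KERBEROS_REALM);
        } else {
            kerberosProvider.getConfig().putSingle(KerberosConstants.KERBEROS_REALM, originalRealm);
        }
        testRealmResource().components().component(kerberosProvider.getId()).update(kerberosProvider);
    }
}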

Class AuthorizationTokenEncryptionTest, method testAuthorizationEncryptionWithoutEncryptionKEK:

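/**
 * Verifies that an encrypted authorization response (response_mode=jwt) cannot be produced
 * when the client publishes only a signing key at its jwks_url and no encryption key (KEK).
 * The login is expected to end on the generic "Unexpected error ..." page instead of
 * delivering an authorization response.
 *
 * The client's authorization-response algorithms and jwks_url settings are reverted in the
 * finally block; the client is re-read there so the cleanup does not depend on how far the
 * test body got.
 *
 * @throws MalformedURLException if the test application URL cannot be formed
 * @throws URISyntaxException if the test application URL cannot be formed
 */
@Test
@UncaughtServerErrorExpected
public void testAuthorizationEncryptionWithoutEncryptionKEK() throws MalformedURLException, URISyntaxException {
    try {
        // generate and register signing/verifying key onto client, not encryption key
        TestOIDCEndpointsApplicationResource oidcClientEndpointsResource = testingClient.testApp().oidcClientEndpoints();
        oidcClientEndpointsResource.generateKeys(Algorithm.RS256);
        ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
        ClientRepresentation clientRep = clientResource.toRepresentation();
        // one wrapper is enough: every setter writes into the same clientRep
        OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
        // set authorization response signature algorithm and encryption algorithms
        config.setAuthorizationSignedResponseAlg(Algorithm.RS256);
        config.setAuthorizationEncryptedResponseAlg(JWEConstants.RSA1_5);
        config.setAuthorizationEncryptedResponseEnc(JWEConstants.A128CBC_HS256);
        // use and set jwks_url
        config.setUseJwksUrl(true);
        config.setJwksUrl(TestApplicationResourceUrls.clientJwksUri());
        clientResource.update(clientRep);
        // request the authorization response; it must fail because no encryption key is published
        oauth.responseMode("jwt");
        oauth.stateParamHardcoded("OpenIdConnect.AuthenticationProperties=2302984sdlk");
        oauth.doLogin("test-user@localhost", "password");
        // assert the failure instead of merely printing whether the error page was shown
        org.junit.Assert.assertTrue("expected the generic error page after login",
                driver.getPageSource().contains("Unexpected error when handling authentication request to identity provider."));
    } finally {
        // Revert
        ClientResource clientResource = ApiUtil.findClientByClientId(adminClient.realm("test"), "test-app");
        ClientRepresentation clientRep = clientResource.toRepresentation();
        OIDCAdvancedConfigWrapper config = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep);
        config.setAuthorizationSignedResponseAlg(Algorithm.RS256);
        config.setAuthorizationEncryptedResponseAlg(null);
        config.setAuthorizationEncryptedResponseEnc(null);
        // Revert jwks_url settings
        config.setUseJwksUrl(false);
        config.setJwksUrl(null);
        clientResource.update(clientRep);
    }
}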

Class ClientTokenExchangeTest, method testExchangeNoRefreshToken:

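/**
 * Token exchange must honour the requesting client's "use refresh token" setting: an
 * exchange requested by {@code client-exchanger} returns a refresh token, while one
 * requested by {@code no-refresh-token} (USE_REFRESH_TOKEN set to "false") returns an
 * access token only.
 *
 * The attribute is switched off for the test and set back to "true" in a finally block so
 * a failing assertion cannot leave the client in the modified state.
 *
 * @throws Exception if the admin API or token endpoint calls fail
 */
@Test
@UncaughtServerErrorExpected
public void testExchangeNoRefreshToken() throws Exception {
    testingClient.server().run(ClientTokenExchangeTest::setupRealm);
    oauth.realm(TEST);
    oauth.clientId("client-exchanger");
    ClientResource client = ApiUtil.findClientByClientId(adminClient.realm(TEST), "no-refresh-token");
    ClientRepresentation clientRepresentation = client.toRepresentation();
    clientRepresentation.getAttributes().put(OIDCConfigAttributes.USE_REFRESH_TOKEN, "false");
    client.update(clientRepresentation);
    try {
        OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "user", "password");
        String accessToken = response.getAccessToken();
        // exchange requested by client-exchanger: both an access and a refresh token are expected
        response = oauth.doTokenExchange(TEST, accessToken, "target", "client-exchanger", "secret");
        assertNotNull(response.getAccessToken());
        assertNotNull(response.getRefreshToken());
        // exchange requested by no-refresh-token: no refresh token may be issued
        response = oauth.doTokenExchange(TEST, accessToken, "target", "no-refresh-token", "secret");
        assertNotNull(response.getAccessToken());
        assertNull(response.getRefreshToken());
    } finally {
        // Revert the attribute regardless of the outcome
        clientRepresentation.getAttributes().put(OIDCConfigAttributes.USE_REFRESH_TOKEN, "true");
        client.update(clientRepresentation);
    }
}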

Class ClientTokenExchangeTest, method testImpersonation:

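/**
 * Token exchange with impersonation: {@code client-exchanger} exchanges a token issued to
 * {@code user} for one issued to {@code impersonated-user}, first without an audience and
 * then targeted at the {@code target} client. Both exchanged tokens must name
 * {@code client-exchanger} in {@code azp} (issued-for), and the first one must carry an
 * {@code impersonator} claim identifying the original user.
 *
 * Tokens are only decoded here with {@code TokenVerifier.parse()}; their signatures are
 * not verified by this test.
 *
 * @throws Exception if a token endpoint call fails or a token cannot be parsed
 */
@Test
@UncaughtServerErrorExpected
public void testImpersonation() throws Exception {
    testingClient.server().run(ClientTokenExchangeTest::setupRealm);
    oauth.realm(TEST);
    oauth.clientId("client-exchanger");
    Client httpClient = AdminClientUtil.createResteasyClient();
    try {
        WebTarget exchangeUrl = httpClient.target(OAuthClient.AUTH_SERVER_ROOT).path("/realms").path(TEST).path("protocol/openid-connect/token");
        OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("secret", "user", "password");
        String accessToken = tokenResponse.getAccessToken();
        AccessToken token = TokenVerifier.create(accessToken, AccessToken.class).parse().getToken();
        // expected value first so a mismatch is reported the way JUnit intends
        Assert.assertEquals("user", token.getPreferredUsername());
        // "user" itself must not hold the "example" realm role; the final assertion below relies on that
        Assert.assertTrue(token.getRealmAccess() == null || !token.getRealmAccess().isUserInRole("example"));
        // client-exchanger can impersonate from token "user" to user "impersonated-user"
        {
            Form form = new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.SUBJECT_TOKEN, accessToken).param(OAuth2Constants.SUBJECT_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user");
            AccessToken exchangedToken = impersonationExchange(exchangeUrl, form);
            Assert.assertEquals("client-exchanger", exchangedToken.getIssuedFor());
            Assert.assertNull(exchangedToken.getAudience());
            Assert.assertEquals("impersonated-user", exchangedToken.getPreferredUsername());
            Assert.assertNull(exchangedToken.getRealmAccess());
            // the impersonator claim must identify the original subject, not the impersonated one
            Object impersonatorRaw = exchangedToken.getOtherClaims().get("impersonator");
            Assert.assertThat(impersonatorRaw, instanceOf(Map.class));
            Map<?, ?> impersonatorClaim = (Map<?, ?>) impersonatorRaw;
            Assert.assertEquals(token.getSubject(), impersonatorClaim.get("id"));
            Assert.assertEquals("user", impersonatorClaim.get("username"));
        }
        // client-exchanger can impersonate from token "user" to user "impersonated-user" and to "target" client
        {
            Form form = new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.SUBJECT_TOKEN, accessToken).param(OAuth2Constants.SUBJECT_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user").param(OAuth2Constants.AUDIENCE, "target");
            AccessToken exchangedToken = impersonationExchange(exchangeUrl, form);
            Assert.assertEquals("client-exchanger", exchangedToken.getIssuedFor());
            Assert.assertEquals("target", exchangedToken.getAudience()[0]);
            Assert.assertEquals("impersonated-user", exchangedToken.getPreferredUsername());
            Assert.assertTrue(exchangedToken.getRealmAccess().isUserInRole("example"));
        }
    } finally {
        // release the JAX-RS client's resources; the original never closed it
        httpClient.close();
    }
}

/**
 * Posts a token-exchange form to the token endpoint authenticated as {@code client-exchanger},
 * asserts an HTTP 200 reply and returns the decoded (not signature-verified) exchanged token.
 * The response is closed even when the status assertion fails.
 */
private static AccessToken impersonationExchange(WebTarget exchangeUrl, Form form) throws Exception {
    Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("client-exchanger", "secret")).post(Entity.form(form));
    try {
        org.junit.Assert.assertEquals(200, response.getStatus());
        AccessTokenResponse accessTokenResponse = response.readEntity(AccessTokenResponse.class);
        return TokenVerifier.create(accessTokenResponse.getToken(), AccessToken.class).parse().getToken();
    } finally {
        response.close();
    }
}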