Example 21 with UncaughtServerErrorExpected
use of org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected in project keycloak by keycloak.
the class ClientTokenExchangeTest method testBadImpersonator.
@Test
@UncaughtServerErrorExpected
public void testBadImpersonator() throws Exception {
testingClient.server().run(ClientTokenExchangeTest::setupRealm);
oauth.realm(TEST);
oauth.clientId("client-exchanger");
Client httpClient = AdminClientUtil.createResteasyClient();
WebTarget exchangeUrl = httpClient.target(OAuthClient.AUTH_SERVER_ROOT).path("/realms").path(TEST).path("protocol/openid-connect/token");
System.out.println("Exchange url: " + exchangeUrl.getUri().toString());
OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("secret", "bad-impersonator", "password");
String accessToken = tokenResponse.getAccessToken();
TokenVerifier<AccessToken> accessTokenVerifier = TokenVerifier.create(accessToken, AccessToken.class);
AccessToken token = accessTokenVerifier.parse().getToken();
Assert.assertEquals(token.getPreferredUsername(), "bad-impersonator");
Assert.assertTrue(token.getRealmAccess() == null || !token.getRealmAccess().isUserInRole("example"));
// test that user does not have impersonator permission
{
Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("client-exchanger", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.SUBJECT_TOKEN, accessToken).param(OAuth2Constants.SUBJECT_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user")));
org.junit.Assert.assertEquals(403, response.getStatus());
response.close();
}
}
Also used :
AccessTokenResponse(org.keycloak.representations.AccessTokenResponse)
Response(javax.ws.rs.core.Response)
OAuthClient(org.keycloak.testsuite.util.OAuthClient)
Form(javax.ws.rs.core.Form)
AccessToken(org.keycloak.representations.AccessToken)
WebTarget(javax.ws.rs.client.WebTarget)
OAuthClient(org.keycloak.testsuite.util.OAuthClient)
Client(javax.ws.rs.client.Client)
AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest)
Test(org.junit.Test)
UncaughtServerErrorExpected(org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)
Example 22 with UncaughtServerErrorExpected
use of org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected in project keycloak by keycloak.
the class ClientTokenExchangeTest method testExchange.
@Test
@UncaughtServerErrorExpected
public void testExchange() throws Exception {
testingClient.server().run(ClientTokenExchangeTest::setupRealm);
oauth.realm(TEST);
oauth.clientId("client-exchanger");
OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "user", "password");
String accessToken = response.getAccessToken();
TokenVerifier<AccessToken> accessTokenVerifier = TokenVerifier.create(accessToken, AccessToken.class);
AccessToken token = accessTokenVerifier.parse().getToken();
Assert.assertEquals(token.getPreferredUsername(), "user");
Assert.assertTrue(token.getRealmAccess() == null || !token.getRealmAccess().isUserInRole("example"));
{
response = oauth.doTokenExchange(TEST, accessToken, "target", "client-exchanger", "secret");
String exchangedTokenString = response.getAccessToken();
TokenVerifier<AccessToken> verifier = TokenVerifier.create(exchangedTokenString, AccessToken.class);
AccessToken exchangedToken = verifier.parse().getToken();
Assert.assertEquals("client-exchanger", exchangedToken.getIssuedFor());
Assert.assertEquals("target", exchangedToken.getAudience()[0]);
Assert.assertEquals(exchangedToken.getPreferredUsername(), "user");
Assert.assertTrue(exchangedToken.getRealmAccess().isUserInRole("example"));
}
{
response = oauth.doTokenExchange(TEST, accessToken, "target", "legal", "secret");
String exchangedTokenString = response.getAccessToken();
TokenVerifier<AccessToken> verifier = TokenVerifier.create(exchangedTokenString, AccessToken.class);
AccessToken exchangedToken = verifier.parse().getToken();
Assert.assertEquals("legal", exchangedToken.getIssuedFor());
Assert.assertEquals("target", exchangedToken.getAudience()[0]);
Assert.assertEquals(exchangedToken.getPreferredUsername(), "user");
Assert.assertTrue(exchangedToken.getRealmAccess().isUserInRole("example"));
}
{
response = oauth.doTokenExchange(TEST, accessToken, "target", "illegal", "secret");
Assert.assertEquals(403, response.getStatusCode());
}
}
Also used :
OAuthClient(org.keycloak.testsuite.util.OAuthClient)
AccessToken(org.keycloak.representations.AccessToken)
TokenVerifier(org.keycloak.TokenVerifier)
AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest)
Test(org.junit.Test)
UncaughtServerErrorExpected(org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)
Example 23 with UncaughtServerErrorExpected
use of org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected in project keycloak by keycloak.
the class ClientTokenExchangeTest method testDirectImpersonation.
@Test
@UncaughtServerErrorExpected
public void testDirectImpersonation() throws Exception {
testingClient.server().run(ClientTokenExchangeTest::setupRealm);
Client httpClient = AdminClientUtil.createResteasyClient();
WebTarget exchangeUrl = httpClient.target(OAuthClient.AUTH_SERVER_ROOT).path("/realms").path(TEST).path("protocol/openid-connect/token");
System.out.println("Exchange url: " + exchangeUrl.getUri().toString());
// direct-exchanger can impersonate from token "user" to user "impersonated-user"
{
Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("direct-exchanger", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user")));
Assert.assertEquals(200, response.getStatus());
AccessTokenResponse accessTokenResponse = response.readEntity(AccessTokenResponse.class);
response.close();
String exchangedTokenString = accessTokenResponse.getToken();
TokenVerifier<AccessToken> verifier = TokenVerifier.create(exchangedTokenString, AccessToken.class);
AccessToken exchangedToken = verifier.parse().getToken();
Assert.assertEquals("direct-exchanger", exchangedToken.getIssuedFor());
Assert.assertNull(exchangedToken.getAudience());
Assert.assertEquals(exchangedToken.getPreferredUsername(), "impersonated-user");
Assert.assertNull(exchangedToken.getRealmAccess());
}
// direct-legal can impersonate from token "user" to user "impersonated-user" and to "target" client
{
Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("direct-legal", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user").param(OAuth2Constants.AUDIENCE, "target")));
Assert.assertEquals(200, response.getStatus());
AccessTokenResponse accessTokenResponse = response.readEntity(AccessTokenResponse.class);
response.close();
String exchangedTokenString = accessTokenResponse.getToken();
TokenVerifier<AccessToken> verifier = TokenVerifier.create(exchangedTokenString, AccessToken.class);
AccessToken exchangedToken = verifier.parse().getToken();
Assert.assertEquals("direct-legal", exchangedToken.getIssuedFor());
Assert.assertEquals("target", exchangedToken.getAudience()[0]);
Assert.assertEquals(exchangedToken.getPreferredUsername(), "impersonated-user");
Assert.assertTrue(exchangedToken.getRealmAccess().isUserInRole("example"));
}
// direct-public fails impersonation
{
Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("direct-public", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user").param(OAuth2Constants.AUDIENCE, "target")));
Assert.assertEquals(403, response.getStatus());
response.close();
}
// direct-no-secret fails impersonation
{
Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("direct-no-secret", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user").param(OAuth2Constants.AUDIENCE, "target")));
Assert.assertTrue(response.getStatus() >= 400);
response.close();
}
}
Also used :
AccessTokenResponse(org.keycloak.representations.AccessTokenResponse)
Response(javax.ws.rs.core.Response)
Form(javax.ws.rs.core.Form)
AccessToken(org.keycloak.representations.AccessToken)
TokenVerifier(org.keycloak.TokenVerifier)
WebTarget(javax.ws.rs.client.WebTarget)
OAuthClient(org.keycloak.testsuite.util.OAuthClient)
Client(javax.ws.rs.client.Client)
AccessTokenResponse(org.keycloak.representations.AccessTokenResponse)
AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest)
Test(org.junit.Test)
UncaughtServerErrorExpected(org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)
Example 24 with UncaughtServerErrorExpected
use of org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected in project keycloak by keycloak.
the class GroupTest method doNotAllowSameGroupNameAtTopLevelInDatabase.
@Test
@UncaughtServerErrorExpected
@AuthServerContainerExclude(REMOTE)
public void doNotAllowSameGroupNameAtTopLevelInDatabase() throws Exception {
final String id = KeycloakModelUtils.generateId();
testingClient.server().run(session -> {
RealmModel realm = session.realms().getRealm("test");
realm.createGroup(id, "test-group");
});
getCleanup().addGroupId(id);
// unique key should work even in top groups
expectedException.expect(RunOnServerException.class);
expectedException.expectMessage(ModelDuplicateException.class.getName());
testingClient.server().run(session -> {
RealmModel realm = session.realms().getRealm("test");
realm.createGroup("test-group");
});
}
Also used :
RealmModel(org.keycloak.models.RealmModel)
ModelDuplicateException(org.keycloak.models.ModelDuplicateException)
AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude)
Test(org.junit.Test)
UncaughtServerErrorExpected(org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)
Example 25 with UncaughtServerErrorExpected
use of org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected in project keycloak by keycloak.
the class UserPolicyManagementTest method failInvalidUser.
@Test
@UncaughtServerErrorExpected
public void failInvalidUser() {
AuthorizationResource authorization = getClient().authorization();
PolicyRepresentation policy = new PolicyRepresentation();
policy.setName("User Policy-Malformed");
policy.setDescription("Description of a malformed user Policy");
policy.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
policy.setType("user");
Map<String, String> config = new HashMap<>();
// here we put something invalid ... a user ID would be needed
config.put("users", "[\"doesnotexist\"]");
policy.setConfig(config);
try (Response response = authorization.policies().create(policy)) {
assertEquals(Response.Status.INTERNAL_SERVER_ERROR, response.getStatusInfo());
}
config.put("users", "");
policy.setConfig(config);
try (Response response = authorization.policies().create(policy)) {
assertEquals(Response.Status.INTERNAL_SERVER_ERROR, response.getStatusInfo());
}
config.clear();
policy.setConfig(config);
try (Response response = authorization.policies().create(policy)) {
assertEquals(Response.Status.INTERNAL_SERVER_ERROR, response.getStatusInfo());
}
}
Also used :
PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation)
UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation)
Response(javax.ws.rs.core.Response)
HashMap(java.util.HashMap)
AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource)
Test(org.junit.Test)
UncaughtServerErrorExpected(org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)
Aggregations
Test (org.junit.Test)27
UncaughtServerErrorExpected (org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)27
AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest)17
OAuthClient (org.keycloak.testsuite.util.OAuthClient)16
AccessToken (org.keycloak.representations.AccessToken)11
Response (javax.ws.rs.core.Response)10
HashMap (java.util.HashMap)7
List (java.util.List)7
Client (javax.ws.rs.client.Client)6
WebTarget (javax.ws.rs.client.WebTarget)6
Form (javax.ws.rs.core.Form)6
AssertionType (org.keycloak.dom.saml.v2.assertion.AssertionType)6
AudienceRestrictionType (org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType)6
NameIDType (org.keycloak.dom.saml.v2.assertion.NameIDType)6
AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)6
Element (org.w3c.dom.Element)5
ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)4
CloseableHttpResponse (org.apache.http.client.methods.CloseableHttpResponse)3
TokenVerifier (org.keycloak.TokenVerifier)3
ClientResource (org.keycloak.admin.client.resource.ClientResource)3
