Search in sources :

Example 21 with UncaughtServerErrorExpected

use of org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected in project keycloak by keycloak.

the class ClientTokenExchangeTest method testBadImpersonator.

@Test
@UncaughtServerErrorExpected
public void testBadImpersonator() throws Exception {
    testingClient.server().run(ClientTokenExchangeTest::setupRealm);
    oauth.realm(TEST);
    oauth.clientId("client-exchanger");
    Client httpClient = AdminClientUtil.createResteasyClient();
    WebTarget exchangeUrl = httpClient.target(OAuthClient.AUTH_SERVER_ROOT).path("/realms").path(TEST).path("protocol/openid-connect/token");
    System.out.println("Exchange url: " + exchangeUrl.getUri().toString());
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doGrantAccessTokenRequest("secret", "bad-impersonator", "password");
    String accessToken = tokenResponse.getAccessToken();
    TokenVerifier<AccessToken> accessTokenVerifier = TokenVerifier.create(accessToken, AccessToken.class);
    AccessToken token = accessTokenVerifier.parse().getToken();
    Assert.assertEquals(token.getPreferredUsername(), "bad-impersonator");
    Assert.assertTrue(token.getRealmAccess() == null || !token.getRealmAccess().isUserInRole("example"));
    // test that user does not have impersonator permission
    {
        Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("client-exchanger", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.SUBJECT_TOKEN, accessToken).param(OAuth2Constants.SUBJECT_TOKEN_TYPE, OAuth2Constants.ACCESS_TOKEN_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user")));
        org.junit.Assert.assertEquals(403, response.getStatus());
        response.close();
    }
}
Also used : AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) Response(javax.ws.rs.core.Response) OAuthClient(org.keycloak.testsuite.util.OAuthClient) Form(javax.ws.rs.core.Form) AccessToken(org.keycloak.representations.AccessToken) WebTarget(javax.ws.rs.client.WebTarget) OAuthClient(org.keycloak.testsuite.util.OAuthClient) Client(javax.ws.rs.client.Client) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test) UncaughtServerErrorExpected(org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)

Example 22 with UncaughtServerErrorExpected

use of org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected in project keycloak by keycloak.

the class ClientTokenExchangeTest method testExchange.

@Test
@UncaughtServerErrorExpected
public void testExchange() throws Exception {
    testingClient.server().run(ClientTokenExchangeTest::setupRealm);
    oauth.realm(TEST);
    oauth.clientId("client-exchanger");
    OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("secret", "user", "password");
    String accessToken = response.getAccessToken();
    TokenVerifier<AccessToken> accessTokenVerifier = TokenVerifier.create(accessToken, AccessToken.class);
    AccessToken token = accessTokenVerifier.parse().getToken();
    Assert.assertEquals(token.getPreferredUsername(), "user");
    Assert.assertTrue(token.getRealmAccess() == null || !token.getRealmAccess().isUserInRole("example"));
    {
        response = oauth.doTokenExchange(TEST, accessToken, "target", "client-exchanger", "secret");
        String exchangedTokenString = response.getAccessToken();
        TokenVerifier<AccessToken> verifier = TokenVerifier.create(exchangedTokenString, AccessToken.class);
        AccessToken exchangedToken = verifier.parse().getToken();
        Assert.assertEquals("client-exchanger", exchangedToken.getIssuedFor());
        Assert.assertEquals("target", exchangedToken.getAudience()[0]);
        Assert.assertEquals(exchangedToken.getPreferredUsername(), "user");
        Assert.assertTrue(exchangedToken.getRealmAccess().isUserInRole("example"));
    }
    {
        response = oauth.doTokenExchange(TEST, accessToken, "target", "legal", "secret");
        String exchangedTokenString = response.getAccessToken();
        TokenVerifier<AccessToken> verifier = TokenVerifier.create(exchangedTokenString, AccessToken.class);
        AccessToken exchangedToken = verifier.parse().getToken();
        Assert.assertEquals("legal", exchangedToken.getIssuedFor());
        Assert.assertEquals("target", exchangedToken.getAudience()[0]);
        Assert.assertEquals(exchangedToken.getPreferredUsername(), "user");
        Assert.assertTrue(exchangedToken.getRealmAccess().isUserInRole("example"));
    }
    {
        response = oauth.doTokenExchange(TEST, accessToken, "target", "illegal", "secret");
        Assert.assertEquals(403, response.getStatusCode());
    }
}
Also used : OAuthClient(org.keycloak.testsuite.util.OAuthClient) AccessToken(org.keycloak.representations.AccessToken) TokenVerifier(org.keycloak.TokenVerifier) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test) UncaughtServerErrorExpected(org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)

Example 23 with UncaughtServerErrorExpected

use of org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected in project keycloak by keycloak.

the class ClientTokenExchangeTest method testDirectImpersonation.

@Test
@UncaughtServerErrorExpected
public void testDirectImpersonation() throws Exception {
    testingClient.server().run(ClientTokenExchangeTest::setupRealm);
    Client httpClient = AdminClientUtil.createResteasyClient();
    WebTarget exchangeUrl = httpClient.target(OAuthClient.AUTH_SERVER_ROOT).path("/realms").path(TEST).path("protocol/openid-connect/token");
    System.out.println("Exchange url: " + exchangeUrl.getUri().toString());
    // direct-exchanger can impersonate from token "user" to user "impersonated-user"
    {
        Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("direct-exchanger", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user")));
        Assert.assertEquals(200, response.getStatus());
        AccessTokenResponse accessTokenResponse = response.readEntity(AccessTokenResponse.class);
        response.close();
        String exchangedTokenString = accessTokenResponse.getToken();
        TokenVerifier<AccessToken> verifier = TokenVerifier.create(exchangedTokenString, AccessToken.class);
        AccessToken exchangedToken = verifier.parse().getToken();
        Assert.assertEquals("direct-exchanger", exchangedToken.getIssuedFor());
        Assert.assertNull(exchangedToken.getAudience());
        Assert.assertEquals(exchangedToken.getPreferredUsername(), "impersonated-user");
        Assert.assertNull(exchangedToken.getRealmAccess());
    }
    // direct-legal can impersonate from token "user" to user "impersonated-user" and to "target" client
    {
        Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("direct-legal", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user").param(OAuth2Constants.AUDIENCE, "target")));
        Assert.assertEquals(200, response.getStatus());
        AccessTokenResponse accessTokenResponse = response.readEntity(AccessTokenResponse.class);
        response.close();
        String exchangedTokenString = accessTokenResponse.getToken();
        TokenVerifier<AccessToken> verifier = TokenVerifier.create(exchangedTokenString, AccessToken.class);
        AccessToken exchangedToken = verifier.parse().getToken();
        Assert.assertEquals("direct-legal", exchangedToken.getIssuedFor());
        Assert.assertEquals("target", exchangedToken.getAudience()[0]);
        Assert.assertEquals(exchangedToken.getPreferredUsername(), "impersonated-user");
        Assert.assertTrue(exchangedToken.getRealmAccess().isUserInRole("example"));
    }
    // direct-public fails impersonation
    {
        Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("direct-public", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user").param(OAuth2Constants.AUDIENCE, "target")));
        Assert.assertEquals(403, response.getStatus());
        response.close();
    }
    // direct-no-secret fails impersonation
    {
        Response response = exchangeUrl.request().header(HttpHeaders.AUTHORIZATION, BasicAuthHelper.createHeader("direct-no-secret", "secret")).post(Entity.form(new Form().param(OAuth2Constants.GRANT_TYPE, OAuth2Constants.TOKEN_EXCHANGE_GRANT_TYPE).param(OAuth2Constants.REQUESTED_SUBJECT, "impersonated-user").param(OAuth2Constants.AUDIENCE, "target")));
        Assert.assertTrue(response.getStatus() >= 400);
        response.close();
    }
}
Also used : AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) Response(javax.ws.rs.core.Response) Form(javax.ws.rs.core.Form) AccessToken(org.keycloak.representations.AccessToken) TokenVerifier(org.keycloak.TokenVerifier) WebTarget(javax.ws.rs.client.WebTarget) OAuthClient(org.keycloak.testsuite.util.OAuthClient) Client(javax.ws.rs.client.Client) AccessTokenResponse(org.keycloak.representations.AccessTokenResponse) AbstractKeycloakTest(org.keycloak.testsuite.AbstractKeycloakTest) Test(org.junit.Test) UncaughtServerErrorExpected(org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)

Example 24 with UncaughtServerErrorExpected

use of org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected in project keycloak by keycloak.

the class GroupTest method doNotAllowSameGroupNameAtTopLevelInDatabase.

@Test
@UncaughtServerErrorExpected
@AuthServerContainerExclude(REMOTE)
public void doNotAllowSameGroupNameAtTopLevelInDatabase() throws Exception {
    final String id = KeycloakModelUtils.generateId();
    testingClient.server().run(session -> {
        RealmModel realm = session.realms().getRealm("test");
        realm.createGroup(id, "test-group");
    });
    getCleanup().addGroupId(id);
    // unique key should work even in top groups
    expectedException.expect(RunOnServerException.class);
    expectedException.expectMessage(ModelDuplicateException.class.getName());
    testingClient.server().run(session -> {
        RealmModel realm = session.realms().getRealm("test");
        realm.createGroup("test-group");
    });
}
Also used : RealmModel(org.keycloak.models.RealmModel) ModelDuplicateException(org.keycloak.models.ModelDuplicateException) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) Test(org.junit.Test) UncaughtServerErrorExpected(org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)

Example 25 with UncaughtServerErrorExpected

use of org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected in project keycloak by keycloak.

the class UserPolicyManagementTest method failInvalidUser.

@Test
@UncaughtServerErrorExpected
public void failInvalidUser() {
    AuthorizationResource authorization = getClient().authorization();
    PolicyRepresentation policy = new PolicyRepresentation();
    policy.setName("User Policy-Malformed");
    policy.setDescription("Description of a malformed user Policy");
    policy.setDecisionStrategy(DecisionStrategy.UNANIMOUS);
    policy.setType("user");
    Map<String, String> config = new HashMap<>();
    // here we put something invalid ... a user ID would be needed
    config.put("users", "[\"doesnotexist\"]");
    policy.setConfig(config);
    try (Response response = authorization.policies().create(policy)) {
        assertEquals(Response.Status.INTERNAL_SERVER_ERROR, response.getStatusInfo());
    }
    config.put("users", "");
    policy.setConfig(config);
    try (Response response = authorization.policies().create(policy)) {
        assertEquals(Response.Status.INTERNAL_SERVER_ERROR, response.getStatusInfo());
    }
    config.clear();
    policy.setConfig(config);
    try (Response response = authorization.policies().create(policy)) {
        assertEquals(Response.Status.INTERNAL_SERVER_ERROR, response.getStatusInfo());
    }
}
Also used : PolicyRepresentation(org.keycloak.representations.idm.authorization.PolicyRepresentation) UserPolicyRepresentation(org.keycloak.representations.idm.authorization.UserPolicyRepresentation) Response(javax.ws.rs.core.Response) HashMap(java.util.HashMap) AuthorizationResource(org.keycloak.admin.client.resource.AuthorizationResource) Test(org.junit.Test) UncaughtServerErrorExpected(org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)

Aggregations

Test (org.junit.Test)27 UncaughtServerErrorExpected (org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected)27 AbstractKeycloakTest (org.keycloak.testsuite.AbstractKeycloakTest)17 OAuthClient (org.keycloak.testsuite.util.OAuthClient)16 AccessToken (org.keycloak.representations.AccessToken)11 Response (javax.ws.rs.core.Response)10 HashMap (java.util.HashMap)7 List (java.util.List)7 Client (javax.ws.rs.client.Client)6 WebTarget (javax.ws.rs.client.WebTarget)6 Form (javax.ws.rs.core.Form)6 AssertionType (org.keycloak.dom.saml.v2.assertion.AssertionType)6 AudienceRestrictionType (org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType)6 NameIDType (org.keycloak.dom.saml.v2.assertion.NameIDType)6 AccessTokenResponse (org.keycloak.representations.AccessTokenResponse)6 Element (org.w3c.dom.Element)5 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)4 CloseableHttpResponse (org.apache.http.client.methods.CloseableHttpResponse)3 TokenVerifier (org.keycloak.TokenVerifier)3 ClientResource (org.keycloak.admin.client.resource.ClientResource)3