
Taken from the Keycloak test suite: class `ArtifactBindingTest`, method `testArtifactBindingWithBackchannelLogout`.

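@Test
public void testArtifactBindingWithBackchannelLogout() {
    // A SAML client using the HTTP-Artifact binding, with front-channel logout disabled and a POST
    // single-logout URL pointing at a local receiver, must still be logged out when a *different*
    // client ends the session: the IdP has to deliver a LogoutRequest to that SLO URL on its own.
    // Both resources are Closeable, so the receiver is shut down and the client settings are
    // presumably restored when the try block exits.
    try (SamlMessageReceiver sloReceiver = new SamlMessageReceiver(8082);
        ClientAttributeUpdater salesPostUpdater = ClientAttributeUpdater
                .forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST)
                .setAttribute(SamlConfigAttributes.SAML_ARTIFACT_BINDING, "true")
                .setFrontchannelLogout(false)
                .setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE, sloReceiver.getUrl())
                .update()) {
        // Log in to SALES_POST via the artifact binding, then (same browser session) to SALES_POST2.
        // extractNameIdAndSessionIndexAndTerminate is expected to fill nameIdRef/sessionIndexRef,
        // which the logout below reads.
        new SamlClientBuilder()
                .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST)
                    .setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri())
                    .build()
                .login().user(bburkeUser).build()
                .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST).build()
                .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST2, SAML_ASSERTION_CONSUMER_URL_SALES_POST2, POST).build()
                .followOneRedirect()
                .processSamlResponse(POST).transformObject(this::extractNameIdAndSessionIndexAndTerminate).build()
                .execute();

        // A fresh SamlClient carries no IdP cookie, so this logout is driven purely by
        // NameID + SessionIndex and cannot be satisfied by a cookie-based front-channel logout.
        new SamlClientBuilder()
                .logoutRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST2, POST)
                    .nameId(nameIdRef::get)
                    .sessionIndex(sessionIndexRef::get)
                    .build()
                .executeAndTransform(response -> {
                    SAMLDocumentHolder holder = POST.extractResponse(response);
                    assertThat(holder.getSamlObject(), isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    return null;
                });

        // Back-channel delivery is not visible to the client above, so poll the receiver (up to 1 min).
        await().pollInterval(100, TimeUnit.MILLISECONDS).atMost(1, TimeUnit.MINUTES).until(sloReceiver::isMessageReceived);
        assertThat(sloReceiver.isMessageReceived(), is(true));
        SAMLDocumentHolder received = sloReceiver.getSamlDocumentHolder();
        // Only "is a LogoutRequest addressed to the receiver" is asserted (as far as
        // isSamlLogoutRequest checks); the request's NameID/SessionIndex and signature are not
        // compared against the session here.
        assertThat(received.getSamlObject(), isSamlLogoutRequest(sloReceiver.getUrl()));
    } catch (Exception e) {
        // The try block spans receiver setup, the client update, both SAML flows and the
        // back-channel wait (the await timeout is a RuntimeException and lands here too), so the
        // wrapper must not blame SamlMessageReceiver alone. AssertionError is not an Exception and
        // propagates unchanged; the original exception is preserved as the cause.
        throw new RuntimeException("testArtifactBindingWithBackchannelLogout failed (receiver setup, client update, SAML flow or back-channel wait)", e);
    }
}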

Taken from the Keycloak test suite: class `AudienceProtocolMappersTest`, method `testAudienceResolveNoFullScope`.

@Test
public void testAudienceResolveNoFullScope() throws Exception {
    // Install the SAML audience-resolve mapper through the field-level updater (its lifecycle is
    // managed outside this method).
    pmu.add(createSamlProtocolMapper(SAMLAudienceResolveProtocolMapper.PROVIDER_ID)).update();

    // With "full scope allowed" switched off, the resolved audience must be limited to the clients
    // the issuing client is explicitly scoped to -- an assertion minted for employee2 must not be
    // accepted by unrelated clients. The updater is Closeable and presumably reverts the flag on close.
    try (ClientAttributeUpdater employee2Updater = ClientAttributeUpdater
            .forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_EMPLOYEE_2)
            .setFullScopeAllowed(false)
            .update()) {
        // No scope mappings yet: only the client itself may appear in the audience.
        testExpectedAudiences(SAML_CLIENT_ID_EMPLOYEE_2);

        // Internal UUIDs of the two clients, looked up by their (URL-shaped) client IDs.
        String employee2Uuid = adminClient.realm(REALM_NAME).clients()
                .findByClientId("http://localhost:8280/employee2/").get(0).getId();
        Assert.assertNotNull(employee2Uuid);
        String employeeUuid = adminClient.realm(REALM_NAME).clients()
                .findByClientId("http://localhost:8280/employee/").get(0).getId();
        Assert.assertNotNull(employeeUuid);

        // Roles of "employee" that could still be granted to "employee2" via a client-level scope mapping.
        List<RoleRepresentation> grantable = adminClient.realm(REALM_NAME).clients().get(employee2Uuid)
                .getScopeMappings().clientLevel(employeeUuid).listAvailable();
        Assert.assertThat(grantable.size(), greaterThan(0));

        // Scope exactly one "employee" role to "employee2": that one extra client (and nothing else,
        // in particular not employee-role-mapping) is now expected in the audience. The role-scope
        // updater is Closeable and reverts the mapping when the inner block exits.
        try (RoleScopeUpdater scopeUpdater = employee2Updater.clientRoleScope(employeeUuid).add(grantable.get(0)).update()) {
            testExpectedAudiences(SAML_CLIENT_ID_EMPLOYEE_2, "http://localhost:8280/employee/");
        }
    }
}

Taken from the Keycloak test suite: class `ClientPoliciesTest`, method `testHolderOfKeyEnforceExecutor`.

@Test
public void testHolderOfKeyEnforceExecutor() throws Exception {
    // mTLS holder-of-key binding needs a TLS listener; skip (rather than fail) when there is none.
    Assume.assumeTrue("This test must be executed with enabled TLS.", ServerURLs.AUTH_SERVER_SSL_REQUIRED);

    // Client profile: the holder-of-key enforcer (boolean option TRUE) plus the secure
    // signing-algorithm-for-signed-JWT executor (boolean option FALSE).
    String profilesJson = new ClientProfilesBuilder()
            .addProfile(new ClientProfileBuilder()
                    .createProfile(PROFILE_NAME, "Az Elso Profil")
                    .addExecutor(HolderOfKeyEnforcerExecutorFactory.PROVIDER_ID,
                            createHolderOfKeyEnforceExecutorConfig(Boolean.TRUE))
                    .addExecutor(SecureSigningAlgorithmForSignedJwtExecutorFactory.PROVIDER_ID,
                            createSecureSigningAlgorithmForSignedJwtEnforceExecutorConfig(Boolean.FALSE))
                    .toRepresentation())
            .toString();
    updateProfiles(profilesJson);

    // Client policy: enabled, matches every client (any-client condition), applies the profile above.
    String policiesJson = new ClientPoliciesBuilder()
            .addPolicy(new ClientPolicyBuilder()
                    .createPolicy(POLICY_NAME, "Az Elso Politika", Boolean.TRUE)
                    .addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig())
                    .addProfile(PROFILE_NAME)
                    .toRepresentation())
            .toString();
    updatePolicies(policiesJson);

    // The updater is Closeable, so the client is presumably restored to its pre-test state on close.
    try (ClientAttributeUpdater testClientUpdater = ClientAttributeUpdater.forClient(adminClient, REALM_NAME, TEST_CLIENT)) {
        ClientRepresentation current = testClientUpdater.getResource().toRepresentation();
        Assert.assertNotNull(current);
        OIDCAdvancedConfigWrapper.fromClientRepresentation(current).setUseMtlsHoKToken(true);
        // NOTE(review): `current` is a fresh copy fetched from the resource, while update() is invoked
        // on the updater without that object. Unless ClientAttributeUpdater.update() pushes this very
        // representation, the HoK flag set above never reaches the server and checkMtlsFlow() passes
        // only because the enforcer executor handles it -- confirm, or push `current` explicitly.
        testClientUpdater.update();
        checkMtlsFlow();
    }
}

Taken from the Keycloak test suite: class `ResetPasswordTest`, method `resetPasswordLinkNewTabAndProperRedirectClient`.

@Test
public void resetPasswordLinkNewTabAndProperRedirectClient() throws IOException {
    final String REDIRECT_URI = getAuthServerRoot() + "realms/master/app/auth";
    final String CLIENT_ID = "test-app";
    // Narrow test-app's registered redirect URIs to the one this test expects, so the flow cannot
    // "succeed" by landing on some other registered URI. Both resources are Closeable; the client
    // configuration is presumably restored when the try block exits.
    try (BrowserTabUtil tabs = BrowserTabUtil.getInstanceAndSetEnv(driver);
        ClientAttributeUpdater testAppUpdater = ClientAttributeUpdater
                .forClient(getAdminClient(), TEST_REALM_NAME, CLIENT_ID)
                .filterRedirectUris(uri -> uri.contains(REDIRECT_URI))
                .update()) {
        assertThat(tabs.getCountOfTabs(), Matchers.is(1));

        // Round 1: reset-password link opened from a new tab (third argument false); the browser must
        // end up at the client's redirect URI.
        loginPage.open();
        resetPasswordTwiceInNewTab(defaultUser, CLIENT_ID, false, REDIRECT_URI);
        // NOTE(review): containsString also accepts a URL that merely embeds REDIRECT_URI (e.g. as a
        // query parameter on a foreign host). Matchers.startsWith(REDIRECT_URI) would be the stricter
        // open-redirect guard if the final URL is known to begin with it -- confirm before tightening.
        assertThat(driver.getCurrentUrl(), Matchers.containsString(REDIRECT_URI));

        // Round 2: after an explicit logout, repeat with the third argument true.
        oauth.openLogout();
        loginPage.open();
        resetPasswordTwiceInNewTab(defaultUser, CLIENT_ID, true, REDIRECT_URI);
        assertThat(driver.getCurrentUrl(), Matchers.containsString(REDIRECT_URI));
    }
}

Taken from the Keycloak test suite: class `KcSamlLogoutTest`, method `testProviderInitiatedLogoutCorrectlyLogsOutConsumerClients`.

@Test
public void testProviderInitiatedLogoutCorrectlyLogsOutConsumerClients() throws Exception {
    // Consumer realm: SALES_POST gets back-channel logout (front-channel off, POST SLO URL = the local
    // receiver). Provider realm: the IdP's client is switched to front-channel logout. All three
    // resources are Closeable; the client settings are presumably restored on close.
    try (SamlMessageReceiver consumerSloReceiver = new SamlMessageReceiver(8082);
        ClientAttributeUpdater consumerClientUpdater = ClientAttributeUpdater
                .forClient(adminClient, bc.consumerRealmName(), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST)
                .setFrontchannelLogout(false)
                .setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE, consumerSloReceiver.getUrl())
                .update();
        ClientAttributeUpdater providerClientUpdater = ClientAttributeUpdater
                .forClient(adminClient, bc.providerRealmName(), bc.getIDPClientIdInProviderRealm())
                .setFrontchannelLogout(true)
                .update()) {
        // AuthnRequest from the consumer's SALES_POST client, as a DOM document for the POST binding.
        AuthnRequestType consumerAuthnRequest = SamlClient.createLoginRequestDocument(
                AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, getConsumerRoot() + "/sales-post/saml", null);
        Document consumerAuthnRequestDoc = SAML2Request.convert(consumerAuthnRequest);
        // Subject NameID and SessionIndex issued by the provider realm; captured during login, used for logout.
        final AtomicReference<NameIDType> subjectNameId = new AtomicReference<>();
        final AtomicReference<String> providerSessionIndex = new AtomicReference<>();

        new SamlClientBuilder()
                // 1. Consumer realm: start login and choose the brokered SAML IdP.
                .authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), consumerAuthnRequestDoc, SamlClient.Binding.POST).build()
                .login().idp(bc.getIDPAlias()).build()
                // AuthnRequest to producer IdP
                .processSamlResponse(SamlClient.Binding.POST).targetAttributeSamlRequest().build()
                .login().user(bc.getUserLogin(), bc.getUserPassword()).build()
                // Response from producer IdP
                .processSamlResponse(SamlClient.Binding.POST).build()
                // First-broker-login profile form in the consumer realm, then the response to SALES_POST.
                .updateProfile().firstName("a").lastName("b").email(bc.getUserEmail()).username(bc.getUserLogin()).build()
                .followOneRedirect()
                .processSamlResponse(SamlClient.Binding.POST).transformObject(saml2Object -> {
                    assertThat(saml2Object, Matchers.notNullValue());
                    assertThat(saml2Object, isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    return null;
                }).build()
                // 2. Provider realm: log in to its own SAML client (only one redirect is followed, so the
                //    earlier brokered login presumably left an SSO session there) and record the NameID
                //    and SessionIndex the provider issued.
                .authnRequest(getProviderSamlEndpoint(bc.providerRealmName()), PROVIDER_SAML_CLIENT_ID, PROVIDER_SAML_CLIENT_ID + "saml", POST).build()
                .followOneRedirect()
                .processSamlResponse(POST).transformObject(saml2Object -> {
                    assertThat(saml2Object, isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    ResponseType providerResponse = (ResponseType) saml2Object;
                    final AssertionType assertion = providerResponse.getAssertions().get(0).getAssertion();
                    assertThat(assertion, Matchers.notNullValue());
                    assertThat(assertion.getSubject().getSubType().getBaseID(), instanceOf(NameIDType.class));
                    NameIDType issuedNameId = (NameIDType) assertion.getSubject().getSubType().getBaseID();
                    AuthnStatementType authnStatement = (AuthnStatementType) assertion.getStatements().iterator().next();
                    subjectNameId.set(issuedNameId);
                    providerSessionIndex.set(authnStatement.getSessionIndex());
                    return null;
                }).build()
                // 3. Provider-initiated logout, identified by the captured NameID + SessionIndex ...
                .logoutRequest(getProviderSamlEndpoint(bc.providerRealmName()), PROVIDER_SAML_CLIENT_ID, POST)
                    .nameId(subjectNameId::get)
                    .sessionIndex(providerSessionIndex::get)
                    .build()
                // ... which the provider must first front-channel to the consumer realm's broker endpoint ...
                .processSamlResponse(POST).transformObject(saml2Object -> {
                    assertThat(saml2Object, isSamlLogoutRequest(getConsumerRoot() + "/auth/realms/" + REALM_CONS_NAME + "/broker/" + IDP_SAML_ALIAS + "/endpoint"));
                    return saml2Object;
                }).build()
                // ... and which must finish with a successful LogoutResponse.
                .executeAndTransform(response -> {
                    SAMLDocumentHolder holder = POST.extractResponse(response);
                    assertThat(holder.getSamlObject(), isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    return null;
                });

        // 4. The consumer realm must in turn have back-channelled a LogoutRequest to SALES_POST.
        // NOTE(review): receipt is asserted immediately, without polling; if the consumer delivers the
        // back-channel request asynchronously this is racy -- confirm delivery completes before the
        // LogoutResponse above is returned, or poll the receiver with a timeout.
        assertThat(consumerSloReceiver.isMessageReceived(), is(true));
        SAMLDocumentHolder received = consumerSloReceiver.getSamlDocumentHolder();
        // Only "is a LogoutRequest addressed to the receiver" is asserted (as far as isSamlLogoutRequest
        // checks); the request's NameID/SessionIndex are not compared with the consumer session.
        assertThat(received.getSamlObject(), isSamlLogoutRequest(consumerSloReceiver.getUrl()));
    }
}