Example 6 with ClientPolicyBuilder

Use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder in project keycloak by keycloak.

From class ClientPoliciesTest, method testExtendedClientPolicyIntefacesForDeviceTokenRequest.

@Test
public void testExtendedClientPolicyIntefacesForDeviceTokenRequest() throws Exception {
    // Device Authorization Request from device
    oauth.realm(REALM_NAME);
    oauth.clientId(DEVICE_APP);
    OAuthClient.DeviceAuthorizationResponse response = oauth.doDeviceAuthorizationRequest(DEVICE_APP, "secret");
    Assert.assertEquals(200, response.getStatusCode());
    assertNotNull(response.getDeviceCode());
    assertNotNull(response.getUserCode());
    assertNotNull(response.getVerificationUri());
    assertNotNull(response.getVerificationUriComplete());
    // Verify user code from verification page using browser
    openVerificationPage(response.getVerificationUri());
    verificationPage.assertCurrent();
    verificationPage.submit(response.getUserCode());
    loginPage.assertCurrent();
    // Do Login
    oauth.fillLoginForm("device-login", "password");
    // Consent
    grantPage.assertCurrent();
    grantPage.assertGrants(OAuthGrantPage.PROFILE_CONSENT_TEXT, OAuthGrantPage.EMAIL_CONSENT_TEXT, OAuthGrantPage.ROLES_CONSENT_TEXT);
    grantPage.accept();
    verificationPage.assertApprovedPage();
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forste Profilen").addExecutor(TestRaiseExeptionExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // Token request from device
    OAuthClient.AccessTokenResponse tokenResponse = oauth.doDeviceTokenRequest(DEVICE_APP, "secret", response.getDeviceCode());
    assertEquals(400, tokenResponse.getStatusCode());
    assertEquals(OAuthErrorException.INVALID_GRANT, tokenResponse.getError());
    assertEquals("Exception thrown intentionally", tokenResponse.getErrorDescription());
}
Also used: ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder), OAuthClient (org.keycloak.testsuite.util.OAuthClient), ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder), ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder), ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder), Test (org.junit.Test)

Example 7 with ClientPolicyBuilder

Use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder in project keycloak by keycloak.

From class ClientPoliciesTest, method testExtendedClientPolicyIntefacesForDeviceAuthorizationRequest.

@Test
public void testExtendedClientPolicyIntefacesForDeviceAuthorizationRequest() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forste Profilen").addExecutor(TestRaiseExeptionExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // Device Authorization Request from device
    oauth.realm(REALM_NAME);
    oauth.clientId(DEVICE_APP);
    OAuthClient.DeviceAuthorizationResponse response = oauth.doDeviceAuthorizationRequest(DEVICE_APP, "secret");
    assertEquals(400, response.getStatusCode());
    assertEquals(ClientPolicyEvent.DEVICE_AUTHORIZATION_REQUEST.toString(), response.getError());
    assertEquals("Exception thrown intentionally", response.getErrorDescription());
}
Also used: ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder), OAuthClient (org.keycloak.testsuite.util.OAuthClient), ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder), ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder), ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder), Test (org.junit.Test)
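Examples 6 and 7 above both exercise the "extended" executor interface: an executor is called for the DEVICE_AUTHORIZATION_REQUEST and DEVICE_TOKEN_REQUEST events and can veto either one by throwing ClientPolicyException. The testsuite does this with TestRaiseExeptionExecutorFactory, which throws unconditionally. As an added example (not code from the Keycloak testsuite or from Keycloak itself), here is a complete executor and factory that applies the same mechanism to a real control: the device flow is refused unless the client carries an opt-in attribute. The package, class names, the provider id deny-device-flow and the attribute name device-flow.allowed are assumptions; the SPI types (ClientPolicyExecutorProvider, ClientPolicyExecutorProviderFactory, ClientPolicyContext, ClientPolicyEvent, ClientPolicyException) are Keycloak's own, and the code assumes the authenticated client is available from session.getContext().getClient() at both events.

```java
// Added example, not part of the Keycloak testsuite: a client-policy executor
// that vetoes the OAuth 2.0 device flow. Package, class names, provider id and
// the opt-in attribute name are assumptions; the SPI types are Keycloak's.
package com.example.keycloak.clientpolicy;

import java.util.Collections;
import java.util.List;

import org.keycloak.Config;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.idm.ClientPolicyExecutorConfigurationRepresentation;
import org.keycloak.services.clientpolicy.ClientPolicyContext;
import org.keycloak.services.clientpolicy.ClientPolicyEvent;
import org.keycloak.services.clientpolicy.ClientPolicyException;
import org.keycloak.services.clientpolicy.executor.ClientPolicyExecutorProvider;
import org.keycloak.services.clientpolicy.executor.ClientPolicyExecutorProviderFactory;

public class DenyDeviceFlowExecutorFactory implements ClientPolicyExecutorProviderFactory {

    // Assumed id. A profile references it via addExecutor(PROVIDER_ID, null), exactly as the
    // tests above reference TestRaiseExeptionExecutorFactory.PROVIDER_ID. The factory is
    // registered through
    // META-INF/services/org.keycloak.services.clientpolicy.executor.ClientPolicyExecutorProviderFactory
    public static final String PROVIDER_ID = "deny-device-flow";

    // Assumed client attribute: only clients with device-flow.allowed=true may use the device flow.
    static final String ALLOW_ATTRIBUTE = "device-flow.allowed";

    @Override
    public ClientPolicyExecutorProvider create(KeycloakSession session) {
        return new Executor(session);
    }

    @Override public void init(Config.Scope config) { }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
    @Override public String getId() { return PROVIDER_ID; }

    @Override
    public String getHelpText() {
        return "Rejects device authorization and device token requests unless the client sets "
                + ALLOW_ATTRIBUTE + "=true.";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return Collections.emptyList(); // no executor configuration, hence addExecutor(..., null)
    }

    static class Executor implements ClientPolicyExecutorProvider<ClientPolicyExecutorConfigurationRepresentation> {
        private final KeycloakSession session;

        Executor(KeycloakSession session) { this.session = session; }

        @Override
        public String getProviderId() { return PROVIDER_ID; }

        @Override
        public void executeOnEvent(ClientPolicyContext context) throws ClientPolicyException {
            ClientPolicyEvent event = context.getEvent();
            // Only the two device-flow events are of interest; every other event passes through.
            if (event != ClientPolicyEvent.DEVICE_AUTHORIZATION_REQUEST
                    && event != ClientPolicyEvent.DEVICE_TOKEN_REQUEST) {
                return;
            }
            // The client that authenticated on this request (assumed to be in the session context).
            ClientModel client = session.getContext().getClient();
            boolean allowed = client != null && Boolean.parseBoolean(client.getAttribute(ALLOW_ATTRIBUTE));
            if (!allowed) {
                // Same convention as the testsuite's TestRaiseExeptionExecutor: the event name is the
                // error code, the second argument is the error description returned to the caller.
                throw new ClientPolicyException(event.toString(),
                        "device flow is not permitted for client "
                                + (client == null ? "<unknown>" : client.getClientId()));
            }
        }
    }
}
```

Wired into a profile and an any-client policy the way the two tests do it, this executor produces the two outcomes those tests assert: the device authorization endpoint returns the thrown error code verbatim (the event name) together with the description, while the device token endpoint maps the rejection to invalid_grant and keeps only the description. The practical consequence is that a device that has already obtained a device_code can still be stopped at the token step if the policy is enabled later, which is precisely the ordering Example 6 checks.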

Example 8 with ClientPolicyBuilder

Use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder in project keycloak by keycloak.

From class ClientPoliciesTest, method testConditionWithoutNoConfiguration.

@Test
public void testConditionWithoutNoConfiguration() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Die Erste Politik").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy("MyPolicy-ClientAccessTypeCondition", "Die Erste Politik", Boolean.TRUE).addCondition(ClientAccessTypeConditionFactory.PROVIDER_ID, null).addProfile(PROFILE_NAME).toRepresentation()).addPolicy((new ClientPolicyBuilder()).createPolicy("MyPolicy-ClientUpdateSourceGroupsCondition", "Die Zweite Politik", Boolean.TRUE).addCondition(ClientUpdaterSourceGroupsConditionFactory.PROVIDER_ID, null).addProfile(PROFILE_NAME).toRepresentation()).addPolicy((new ClientPolicyBuilder()).createPolicy("MyPolicy-ClientUpdateSourceRolesCondition", "Die Dritte Politik", Boolean.TRUE).addCondition(ClientUpdaterSourceRolesConditionFactory.PROVIDER_ID, null).addProfile(PROFILE_NAME).toRepresentation()).addPolicy((new ClientPolicyBuilder()).createPolicy("MyPolicy-ClientUpdateContextCondition", "Die Vierte Politik", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, null).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    String clientId = generateSuffixedName(CLIENT_NAME);
    String clientSecret = "secret";
    createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setSecret(clientSecret);
        clientRep.setBearerOnly(Boolean.FALSE);
        clientRep.setPublicClient(Boolean.FALSE);
    });
    successfulLoginAndLogout(clientId, clientSecret);
}
Also used: ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder), ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder), ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder), ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder), OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation), ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation), Test (org.junit.Test)

Example 9 with ClientPolicyBuilder

Use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder in project keycloak by keycloak.

From class ClientPoliciesTest, method testFullScopeDisabledExecutor.

@Test
public void testFullScopeDisabledExecutor() throws Exception {
    // register profiles - client autoConfigured to disable fullScopeAllowed
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile").addExecutor(FullScopeDisabledExecutorFactory.PROVIDER_ID, createFullScopeDisabledExecutorConfig(true)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Test Policy", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // Client will be auto-configured to disable fullScopeAllowed
    String clientId = generateSuffixedName("aaa-app");
    String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
        clientRep.setImplicitFlowEnabled(Boolean.FALSE);
        clientRep.setFullScopeAllowed(Boolean.TRUE);
    });
    ClientRepresentation clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
    // Client cannot be updated to re-enable fullScopeAllowed: auto-configuration flips it back to false
    updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
        cRep.setFullScopeAllowed(Boolean.TRUE);
    });
    clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
    // Switch auto-configure to false. Auto-configuration won't happen, but validation will still be here, so should not be possible to enable fullScopeAllowed
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Test Profile").addExecutor(FullScopeDisabledExecutorFactory.PROVIDER_ID, createFullScopeDisabledExecutorConfig(false)).toRepresentation()).toString();
    updateProfiles(json);
    // Not possible to register a client with fullScopeAllowed=true due to the validation
    try {
        createClientByAdmin(clientId, (ClientRepresentation clientRep2) -> {
            clientRep2.setFullScopeAllowed(Boolean.TRUE);
        });
        fail();
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
    }
    // Not possible to update an existing client to fullScopeAllowed=true due to the validation
    try {
        updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
            cRep.setFullScopeAllowed(Boolean.TRUE);
        });
        fail();
    } catch (ClientPolicyException cpe) {
        assertEquals(Errors.INVALID_REGISTRATION, cpe.getError());
    }
    clientRep = getClientByAdmin(cid);
    assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
    // An unrelated change (enabling implicit flow) is still accepted; fullScopeAllowed stays false
    try {
        updateClientByAdmin(cid, (ClientRepresentation cRep) -> {
            cRep.setImplicitFlowEnabled(Boolean.TRUE);
        });
        clientRep = getClientByAdmin(cid);
        assertEquals(Boolean.TRUE, clientRep.isImplicitFlowEnabled());
        assertEquals(Boolean.FALSE, clientRep.isFullScopeAllowed());
    } catch (ClientPolicyException cpe) {
        fail();
    }
}
Also used: ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder), ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder), ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder), ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder), OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation), ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation), ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException), Test (org.junit.Test)
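ClientProfilesBuilder, ClientProfileBuilder, ClientPoliciesBuilder and ClientPolicyBuilder are testsuite conveniences; what they produce is the ordinary ClientProfilesRepresentation and ClientPoliciesRepresentation that the admin API accepts. The following added example (not Keycloak's own code, and not from the testsuite) reproduces the profile and policy of testFullScopeDisabledExecutor with the public representation classes and the stock admin client, and then drives the executor through its two modes: auto-configure, where a client registered with fullScopeAllowed=true is silently saved with the flag off, and validation-only, where the same registration is refused. The server URL, realm, admin credentials and client ids are placeholders; the provider ids full-scope-disabled and any-client and the configuration key auto-configure are assumed to be the values behind FullScopeDisabledExecutorFactory.PROVIDER_ID, AnyClientConditionFactory.PROVIDER_ID and the executor's auto-configure option; clientPoliciesProfilesResource() and clientPoliciesPoliciesResource() are the admin-client resources for the client-policies endpoints. The same builder-free pattern serves Examples 8 and 10 with their respective executors and conditions swapped in.

```java
// Added example, not from Keycloak or its testsuite: apply the profile and policy of
// testFullScopeDisabledExecutor to a realm with the stock admin client. Server URL,
// realm, credentials and client ids are placeholders; the provider ids and the
// "auto-configure" key are assumed to match the Keycloak factory constants.
import java.util.Collections;
import javax.ws.rs.core.Response;

import com.fasterxml.jackson.databind.node.ObjectNode;
import org.keycloak.admin.client.CreatedResponseUtil;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.ClientPoliciesRepresentation;
import org.keycloak.representations.idm.ClientPolicyConditionRepresentation;
import org.keycloak.representations.idm.ClientPolicyExecutorRepresentation;
import org.keycloak.representations.idm.ClientPolicyRepresentation;
import org.keycloak.representations.idm.ClientProfileRepresentation;
import org.keycloak.representations.idm.ClientProfilesRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.util.JsonSerialization;

public class FullScopeDisabledPolicyExample {
    static final String PROFILE = "full-scope-disabled-profile";      // assumed name
    static final String POLICY  = "all-clients-full-scope-disabled";  // assumed name

    // Profile with one executor. Same content as
    // createProfile(PROFILE_NAME, ...).addExecutor(FullScopeDisabledExecutorFactory.PROVIDER_ID,
    //   createFullScopeDisabledExecutorConfig(autoConfigure)) in the test above.
    static ClientProfilesRepresentation profile(boolean autoConfigure) {
        ObjectNode cfg = JsonSerialization.mapper.createObjectNode().put("auto-configure", autoConfigure);
        ClientPolicyExecutorRepresentation exec = new ClientPolicyExecutorRepresentation();
        exec.setExecutorProviderId("full-scope-disabled");
        exec.setConfiguration(cfg);
        ClientProfileRepresentation p = new ClientProfileRepresentation();
        p.setName(PROFILE);
        p.setDescription("Keep fullScopeAllowed=false on every client");
        p.setExecutors(Collections.singletonList(exec));
        ClientProfilesRepresentation reps = new ClientProfilesRepresentation();
        reps.setProfiles(Collections.singletonList(p));
        return reps;
    }

    // Policy: any-client condition (no options, hence an empty configuration object) -> PROFILE.
    static ClientPoliciesRepresentation policy() {
        ClientPolicyConditionRepresentation cond = new ClientPolicyConditionRepresentation();
        cond.setConditionProviderId("any-client");
        cond.setConfiguration(JsonSerialization.mapper.createObjectNode());
        ClientPolicyRepresentation pol = new ClientPolicyRepresentation();
        pol.setName(POLICY);
        pol.setDescription("Apply " + PROFILE + " to all clients");
        pol.setEnabled(Boolean.TRUE);
        pol.setConditions(Collections.singletonList(cond));
        pol.setProfiles(Collections.singletonList(PROFILE));
        ClientPoliciesRepresentation reps = new ClientPoliciesRepresentation();
        reps.setPolicies(Collections.singletonList(pol));
        return reps;
    }

    // A confidential client that asks for full scope, which the executor must override or reject.
    static ClientRepresentation fullScopeClient(String clientId) {
        ClientRepresentation c = new ClientRepresentation();
        c.setClientId(clientId);
        c.setSecret("secret");
        c.setPublicClient(Boolean.FALSE);
        c.setFullScopeAllowed(Boolean.TRUE);
        return c;
    }

    public static void main(String[] args) {
        Keycloak kc = Keycloak.getInstance("https://keycloak.example.test", "master",
                "admin", "admin-password", "admin-cli");
        RealmResource realm = kc.realm("demo");

        // Profile first, then the policy that references it (the order the tests use).
        realm.clientPoliciesProfilesResource().updateProfiles(profile(true));
        realm.clientPoliciesPoliciesResource().updatePolicies(policy());

        // Mode 1, auto-configure=true: registration is accepted and the executor rewrites the flag.
        Response created = realm.clients().create(fullScopeClient("auto-configured-app"));
        String id = CreatedResponseUtil.getCreatedId(created);
        Boolean fullScope = realm.clients().get(id).toRepresentation().isFullScopeAllowed();
        System.out.println("auto-configure=true -> stored fullScopeAllowed=" + fullScope);

        // Mode 2, auto-configure=false: no rewriting, so the same registration is refused by validation.
        realm.clientPoliciesProfilesResource().updateProfiles(profile(false));
        Response refused = realm.clients().create(fullScopeClient("rejected-app"));
        System.out.println("auto-configure=false -> HTTP " + refused.getStatus());
        refused.close();
    }
}
```

The representations above serialize to the same JSON the testsuite builders emit and that the admin console's Realm settings, Client policies tab edits, so the second half of main is the check a practitioner wants after rolling the profile out: a client that requests full scope must either come back with fullScopeAllowed=false (auto-configure) or be turned away with a 400 (validation only). Rather than printing, a deployment check would assert on those two values, as the test above does.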

Example 10 with ClientPolicyBuilder

Use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder in project keycloak by keycloak.

From class ClientPoliciesTest, method testSecureResponseTypeExecutorAllowTokenResponseType.

@Test
public void testSecureResponseTypeExecutorAllowTokenResponseType() throws Exception {
    // register profiles
    String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "O Primeiro Perfil").addExecutor(SecureResponseTypeExecutorFactory.PROVIDER_ID, createSecureResponseTypeExecutor(null, Boolean.TRUE)).toRepresentation()).toString();
    updateProfiles(json);
    // register policies
    json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Den Forsta Policyn", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_INITIAL_ACCESS_TOKEN, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addCondition(ClientRolesConditionFactory.PROVIDER_ID, createClientRolesConditionConfig(Arrays.asList(SAMPLE_CLIENT_ROLE))).addProfile(PROFILE_NAME).toRepresentation()).toString();
    updatePolicies(json);
    // create by Admin REST API
    try {
        createClientByAdmin(generateSuffixedName("App-by-Admin"), (ClientRepresentation clientRep) -> {
            clientRep.setSecret("secret");
        });
        fail();
    } catch (ClientPolicyException e) {
        assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getMessage());
    }
    // update profiles
    json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "O Primeiro Perfil").addExecutor(SecureResponseTypeExecutorFactory.PROVIDER_ID, createSecureResponseTypeExecutor(Boolean.TRUE, null)).toRepresentation()).toString();
    updateProfiles(json);
    String cId = null;
    String clientId = generateSuffixedName(CLIENT_NAME);
    String clientSecret = "secret";
    try {
        cId = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
            clientRep.setSecret(clientSecret);
            clientRep.setStandardFlowEnabled(Boolean.TRUE);
            clientRep.setImplicitFlowEnabled(Boolean.TRUE);
            clientRep.setPublicClient(Boolean.FALSE);
        });
    } catch (ClientPolicyException e) {
        fail();
    }
    ClientRepresentation cRep = getClientByAdmin(cId);
    assertEquals(Boolean.TRUE.toString(), cRep.getAttributes().get(OIDCConfigAttributes.ID_TOKEN_AS_DETACHED_SIGNATURE));
    adminClient.realm(REALM_NAME).clients().get(cId).roles().create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());
    oauth.clientId(clientId);
    oauth.openLoginForm();
    assertEquals(OAuthErrorException.INVALID_REQUEST, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
    assertEquals("invalid response_type", oauth.getCurrentQuery().get(OAuth2Constants.ERROR_DESCRIPTION));
    oauth.responseType(OIDCResponseType.CODE + " " + OIDCResponseType.ID_TOKEN);
    oauth.nonce("LIVieviDie028f");
    oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
    EventRepresentation loginEvent = events.expectLogin().client(clientId).assertEvent();
    String sessionId = loginEvent.getSessionId();
    String codeId = loginEvent.getDetails().get(Details.CODE_ID);
    String code = new OAuthClient.AuthorizationEndpointResponse(oauth).getCode();
    IDToken idToken = oauth.verifyIDToken(new OAuthClient.AuthorizationEndpointResponse(oauth).getIdToken());
    // confirm the ID token used as a detached signature does not include the authenticated user's claims
    Assert.assertNull(idToken.getEmailVerified());
    Assert.assertNull(idToken.getName());
    Assert.assertNull(idToken.getPreferredUsername());
    Assert.assertNull(idToken.getGivenName());
    Assert.assertNull(idToken.getFamilyName());
    Assert.assertNull(idToken.getEmail());
    assertEquals("LIVieviDie028f", idToken.getNonce());
    // confirm no access token is returned from the authorization endpoint (response_type is code id_token, not code id_token token)
    Assert.assertNull(new OAuthClient.AuthorizationEndpointResponse(oauth).getAccessToken());
    OAuthClient.AccessTokenResponse res = oauth.doAccessTokenRequest(code, clientSecret);
    assertEquals(200, res.getStatusCode());
    events.expectCodeToToken(codeId, sessionId).client(clientId).assertEvent();
    oauth.doLogout(res.getRefreshToken(), clientSecret);
    events.expectLogout(sessionId).client(clientId).clearDetails().assertEvent();
}
Also used: OAuthClient (org.keycloak.testsuite.util.OAuthClient), ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder), ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder), EventRepresentation (org.keycloak.representations.idm.EventRepresentation), ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder), OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation), ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation), ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException), ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder), IDToken (org.keycloak.representations.IDToken), Test (org.junit.Test)

Aggregations (classes used alongside ClientPolicyBuilder, with the number of co-occurrences)

ClientPoliciesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPoliciesBuilder): 54
ClientPolicyBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientPolicyBuilder): 54
Test (org.junit.Test): 46
ClientProfileBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder): 46
ClientProfilesBuilder (org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfilesBuilder): 46
OIDCClientRepresentation (org.keycloak.representations.oidc.OIDCClientRepresentation): 41
ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation): 37
ClientPolicyException (org.keycloak.services.clientpolicy.ClientPolicyException): 19
OAuthClient (org.keycloak.testsuite.util.OAuthClient): 14
Matchers.containsString (org.hamcrest.Matchers.containsString): 10
ClientResource (org.keycloak.admin.client.resource.ClientResource): 10
ClientRegistrationException (org.keycloak.client.registration.ClientRegistrationException): 9
IOException (java.io.IOException): 8
BadRequestException (javax.ws.rs.BadRequestException): 8
AuthenticationRequestAcknowledgement (org.keycloak.testsuite.util.OAuthClient.AuthenticationRequestAcknowledgement): 8
OAuthErrorException (org.keycloak.OAuthErrorException): 7
HashMap (java.util.HashMap): 5
EventRepresentation (org.keycloak.representations.idm.EventRepresentation): 4
TestAuthenticationChannelRequest (org.keycloak.testsuite.rest.representation.TestAuthenticationChannelRequest): 4
AuthorizationEndpointRequestObject (org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject): 4