use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder in project keycloak by keycloak.
the class ClientPoliciesTest method testTwoProfilesWithDifferentConfigurationOfSameExecutorType.
// KEYCLOAK-18108
@Test
public void testTwoProfilesWithDifferentConfigurationOfSameExecutorType() throws Exception {
setupPolicyClientIdAndSecretNotAcceptableAuthType(POLICY_NAME);
// register another profile with "SecureClientAuthEnforceExecutorFactory", but use different configuration of client authenticator.
// This profile won't allow JWTClientSecretAuthenticator.PROVIDER_ID
String profileName = "UnusedProfile";
String json = (new ClientProfilesBuilder(getProfilesWithoutGlobals())).addProfile((new ClientProfileBuilder()).createProfile(profileName, "Profile with SecureClientAuthEnforceExecutorFactory").addExecutor(SecureClientAuthenticatorExecutorFactory.PROVIDER_ID, createSecureClientAuthenticatorExecutorConfig(Arrays.asList(JWTClientAuthenticator.PROVIDER_ID, X509ClientAuthenticator.PROVIDER_ID), null)).toRepresentation()).toString();
updateProfiles(json);
// Make sure it is still possible to create client with JWTClientSecretAuthenticator. The "UnusedProfile" should not be used as it is not referenced from any client policy
String cId = createClientByAdmin(generateSuffixedName(CLIENT_NAME), (ClientRepresentation clientRep) -> {
clientRep.setClientAuthenticatorType(JWTClientSecretAuthenticator.PROVIDER_ID);
});
assertEquals(JWTClientSecretAuthenticator.PROVIDER_ID, getClientByAdmin(cId).getClientAuthenticatorType());
}
use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder in project keycloak by keycloak.
the class ClientPoliciesTest method testClientScopesCondition.
@Test
public void testClientScopesCondition() throws Exception {
// register profiles
String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Het Eerste Profiel").addExecutor(PKCEEnforcerExecutorFactory.PROVIDER_ID, createPKCEEnforceExecutorConfig(Boolean.TRUE)).toRepresentation()).toString();
updateProfiles(json);
// register policies
json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Het Eerste Beleid", Boolean.TRUE).addCondition(ClientScopesConditionFactory.PROVIDER_ID, createClientScopesConditionConfig(ClientScopesConditionFactory.OPTIONAL, Arrays.asList("offline_access", "microprofile-jwt"))).addProfile(PROFILE_NAME).toRepresentation()).toString();
updatePolicies(json);
String clientId = generateSuffixedName(CLIENT_NAME);
String clientSecret = "secret";
createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
clientRep.setSecret(clientSecret);
});
try {
oauth.scope("address" + " " + "phone");
successfulLoginAndLogout(clientId, clientSecret);
oauth.scope("microprofile-jwt" + " " + "profile");
failLoginByNotFollowingPKCE(clientId);
oauth.scope("microprofile-jwt" + " " + "profile");
failLoginByNotFollowingPKCE(clientId);
successfulLoginAndLogoutWithPKCE(clientId, clientSecret, TEST_USER_NAME, TEST_USER_PASSWORD);
} catch (Exception e) {
fail();
}
}
use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder in project keycloak by keycloak.
the class ClientPoliciesTest method testSecureClientRegisteringUriEnforceExecutor.
@Test
public void testSecureClientRegisteringUriEnforceExecutor() throws Exception {
// register profiles
String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Ensimmainen Profiili").addExecutor(SecureClientUrisExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
updateProfiles(json);
// register policies
json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Ensimmainen Politiikka", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_INITIAL_ACCESS_TOKEN, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addProfile(PROFILE_NAME).toRepresentation()).toString();
updatePolicies(json);
try {
createClientDynamically(generateSuffixedName(CLIENT_NAME), (OIDCClientRepresentation clientRep) -> {
clientRep.setRedirectUris(Collections.singletonList("http://newredirect"));
});
fail();
} catch (ClientRegistrationException e) {
assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
}
String cid = null;
String clientId = generateSuffixedName(CLIENT_NAME);
try {
cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
clientRep.setServiceAccountsEnabled(Boolean.TRUE);
clientRep.setRedirectUris(null);
});
} catch (Exception e) {
fail();
}
updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
clientRep.setRedirectUris(null);
clientRep.setServiceAccountsEnabled(Boolean.FALSE);
});
assertEquals(false, getClientByAdmin(cid).isServiceAccountsEnabled());
// update policies
json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Paivitetyn Ensimmaisen Politiikka", Boolean.TRUE).addCondition(ClientUpdaterContextConditionFactory.PROVIDER_ID, createClientUpdateContextConditionConfig(Arrays.asList(ClientUpdaterContextConditionFactory.BY_AUTHENTICATED_USER, ClientUpdaterContextConditionFactory.BY_REGISTRATION_ACCESS_TOKEN))).addProfile(PROFILE_NAME).toRepresentation()).toString();
updatePolicies(json);
try {
updateClientDynamically(clientId, (OIDCClientRepresentation clientRep) -> {
clientRep.setRedirectUris(Collections.singletonList("https://newredirect/*"));
});
fail();
} catch (ClientRegistrationException e) {
assertEquals(ERR_MSG_CLIENT_REG_FAIL, e.getMessage());
}
try {
updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
// rootUrl
clientRep.setRootUrl("https://client.example.com/");
// adminUrl
clientRep.setAdminUrl("https://client.example.com/admin/");
// baseUrl
clientRep.setBaseUrl("https://client.example.com/base/");
// web origins
clientRep.setWebOrigins(Arrays.asList("https://valid.other.client.example.com/", "https://valid.another.client.example.com/"));
// backchannel logout URL
Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
attributes.put(OIDCConfigAttributes.BACKCHANNEL_LOGOUT_URL, "https://client.example.com/logout/");
clientRep.setAttributes(attributes);
// OAuth2 : redirectUris
clientRep.setRedirectUris(Arrays.asList("https://client.example.com/redirect/", "https://client.example.com/callback/"));
// OAuth2 : jwks_uri
attributes.put(OIDCConfigAttributes.JWKS_URL, "https://client.example.com/jwks/");
clientRep.setAttributes(attributes);
// OIDD : requestUris
setAttributeMultivalued(clientRep, OIDCConfigAttributes.REQUEST_URIS, Arrays.asList("https://client.example.com/request/", "https://client.example.com/reqobj/"));
// CIBA Client Notification Endpoint
attributes.put(CibaConfig.CIBA_BACKCHANNEL_CLIENT_NOTIFICATION_ENDPOINT, "https://client.example.com/client-notification/");
clientRep.setAttributes(attributes);
});
} catch (Exception e) {
fail();
}
try {
updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
// rootUrl
clientRep.setRootUrl("http://client.example.com/*/");
});
fail();
} catch (ClientPolicyException e) {
assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
assertEquals("Invalid rootUrl", e.getErrorDetail());
}
try {
updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
// adminUrl
clientRep.setAdminUrl("http://client.example.com/admin/");
});
fail();
} catch (ClientPolicyException e) {
assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
assertEquals("Invalid adminUrl", e.getErrorDetail());
}
try {
updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
// baseUrl
clientRep.setBaseUrl("https://client.example.com/base/*");
});
fail();
} catch (ClientPolicyException e) {
assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
assertEquals("Invalid baseUrl", e.getErrorDetail());
}
try {
updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
// web origins
clientRep.setWebOrigins(Arrays.asList("http://valid.another.client.example.com/"));
});
fail();
} catch (ClientPolicyException e) {
assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
assertEquals("Invalid webOrigins", e.getErrorDetail());
}
try {
updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
// backchannel logout URL
Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
attributes.put(OIDCConfigAttributes.BACKCHANNEL_LOGOUT_URL, "httpss://client.example.com/logout/");
clientRep.setAttributes(attributes);
});
fail();
} catch (ClientPolicyException e) {
assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
assertEquals("Invalid logoutUrl", e.getErrorDetail());
}
try {
updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
// OAuth2 : redirectUris
clientRep.setRedirectUris(Arrays.asList("https://client.example.com/redirect/", "ftp://client.example.com/callback/"));
});
fail();
} catch (ClientPolicyException e) {
assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
assertEquals("Invalid redirectUris", e.getErrorDetail());
}
try {
updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
// OAuth2 : jwks_uri
Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
attributes.put(OIDCConfigAttributes.JWKS_URL, "http s://client.example.com/jwks/");
clientRep.setAttributes(attributes);
});
fail();
} catch (ClientPolicyException e) {
assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
assertEquals("Invalid jwksUri", e.getErrorDetail());
}
try {
updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
// OIDD : requestUris
setAttributeMultivalued(clientRep, OIDCConfigAttributes.REQUEST_URIS, Arrays.asList("https://client.example.com/request/*", "https://client.example.com/reqobj/"));
});
fail();
} catch (ClientPolicyException e) {
assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
assertEquals("Invalid requestUris", e.getErrorDetail());
}
try {
updateClientByAdmin(cid, (ClientRepresentation clientRep) -> {
// CIBA Client Notification Endpoint
Map<String, String> attributes = Optional.ofNullable(clientRep.getAttributes()).orElse(new HashMap<>());
attributes.put(CibaConfig.CIBA_BACKCHANNEL_CLIENT_NOTIFICATION_ENDPOINT, "http://client.example.com/client-notification/");
clientRep.setAttributes(attributes);
});
fail();
} catch (ClientPolicyException e) {
assertEquals(OAuthErrorException.INVALID_CLIENT_METADATA, e.getError());
assertEquals("Invalid cibaClientNotificationEndpoint", e.getErrorDetail());
}
}
use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder in project keycloak by keycloak.
the class ClientPoliciesTest method testParSecureRequestObjectExecutor.
@Test
public void testParSecureRequestObjectExecutor() throws Exception {
Integer availablePeriod = Integer.valueOf(SecureRequestObjectExecutor.DEFAULT_AVAILABLE_PERIOD + 400);
// register profiles
String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Prvy Profil").addExecutor(SecureRequestObjectExecutorFactory.PROVIDER_ID, createSecureRequestObjectExecutorConfig(availablePeriod, true)).toRepresentation()).toString();
updateProfiles(json);
// register policies
json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "Prva Politika", Boolean.TRUE).addCondition(ClientRolesConditionFactory.PROVIDER_ID, createClientRolesConditionConfig(Arrays.asList(SAMPLE_CLIENT_ROLE))).addProfile(PROFILE_NAME).toRepresentation()).toString();
updatePolicies(json);
String clientId = generateSuffixedName(CLIENT_NAME);
String clientSecret = "secret";
String cid = createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
clientRep.setSecret(clientSecret);
OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRep).setRequestUris(Arrays.asList(TestApplicationResourceUrls.clientRequestUri()));
});
oauth.realm(REALM_NAME);
oauth.clientId(clientId);
adminClient.realm(REALM_NAME).clients().get(cid).roles().create(RoleBuilder.create().name(SAMPLE_CLIENT_ROLE).build());
AuthorizationEndpointRequestObject requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
oauth.request(signRequestObject(requestObject));
OAuthClient.ParResponse pResp = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
assertEquals(201, pResp.getStatusCode());
String requestUri = pResp.getRequestUri();
oauth.scope(null);
oauth.responseType(null);
oauth.request(null);
oauth.requestUri(requestUri);
OAuthClient.AuthorizationEndpointResponse loginResponse = oauth.doLogin(TEST_USER_NAME, TEST_USER_PASSWORD);
assertNotNull(loginResponse.getCode());
oauth.openLogout();
requestObject.exp(null);
oauth.requestUri(null);
oauth.request(signRequestObject(requestObject));
pResp = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
requestUri = pResp.getRequestUri();
oauth.request(null);
oauth.requestUri(requestUri);
oauth.openLoginForm();
assertEquals(OAuthErrorException.INVALID_REQUEST_URI, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
requestObject.nbf(null);
oauth.requestUri(null);
oauth.request(signRequestObject(requestObject));
pResp = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
requestUri = pResp.getRequestUri();
oauth.request(null);
oauth.requestUri(requestUri);
oauth.openLoginForm();
assertEquals(OAuthErrorException.INVALID_REQUEST_URI, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
requestObject.audience("https://www.other1.example.com/");
oauth.request(signRequestObject(requestObject));
oauth.requestUri(null);
pResp = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
requestUri = pResp.getRequestUri();
oauth.request(null);
oauth.requestUri(requestUri);
oauth.openLoginForm();
assertEquals(OAuthErrorException.INVALID_REQUEST_URI, oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
requestObject = createValidRequestObjectForSecureRequestObjectExecutor(clientId);
requestObject.setOtherClaims(OIDCLoginProtocol.REQUEST_URI_PARAM, "foo");
oauth.request(signRequestObject(requestObject));
oauth.requestUri(null);
pResp = oauth.doPushedAuthorizationRequest(clientId, clientSecret);
assertEquals(OAuthErrorException.INVALID_REQUEST_OBJECT, pResp.getError());
}
use of org.keycloak.testsuite.util.ClientPoliciesUtil.ClientProfileBuilder in project keycloak by keycloak.
the class ClientPoliciesTest method testNegativeLogicCondition.
@Test
public void testNegativeLogicCondition() throws Exception {
// register profiles
String json = (new ClientProfilesBuilder()).addProfile((new ClientProfileBuilder()).createProfile(PROFILE_NAME, "Den Forste Profilen").addExecutor(SecureSessionEnforceExecutorFactory.PROVIDER_ID, null).toRepresentation()).toString();
updateProfiles(json);
// register policies
json = (new ClientPoliciesBuilder()).addPolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig()).addProfile(PROFILE_NAME).toRepresentation()).toString();
updatePolicies(json);
String clientId = generateSuffixedName(CLIENT_NAME);
String clientSecret = "secretBeta";
createClientByAdmin(clientId, (ClientRepresentation clientRep) -> {
clientRep.setSecret(clientSecret);
});
try {
failLoginWithoutSecureSessionParameter(clientId, ERR_MSG_MISSING_NONCE);
// update policies
updatePolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig(Boolean.TRUE)).addProfile(PROFILE_NAME).toRepresentation());
successfulLoginAndLogout(clientId, clientSecret);
// update policies
updatePolicy((new ClientPolicyBuilder()).createPolicy(POLICY_NAME, "La Premiere Politique", Boolean.TRUE).addCondition(AnyClientConditionFactory.PROVIDER_ID, createAnyClientConditionConfig(Boolean.FALSE)).addProfile(PROFILE_NAME).toRepresentation());
failLoginWithoutSecureSessionParameter(clientId, ERR_MSG_MISSING_NONCE);
} catch (Exception e) {
fail();
}
}
Aggregations