KEYCLOAK-2865 Extend coverage of client admin endpoints

integration/admin-client/src/main/java/org/keycloak/admin/client/resource/ClientResource.java

@@ -113,7 +113,8 @@ public interface ClientResource {
 
     @POST
     @Path("push-revocation")
-    public void pushRevocation();
+    @Produces(MediaType.APPLICATION_JSON)
+    void pushRevocation();
 
     @Path("/scope-mappings")
     public RoleMappingResource getScopeMappings();
@@ -138,6 +139,7 @@ public interface ClientResource {
 
     @Path("test-nodes-available")
     @GET
+    @Produces(MediaType.APPLICATION_JSON)
     GlobalRequestResult testNodesAvailable();
 
 }

services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java

@@ -324,6 +324,7 @@ public class ClientResource {
      */
     @Path("push-revocation")
     @POST
+    @Produces(MediaType.APPLICATION_JSON)
     public GlobalRequestResult pushRevocation() {
         auth.requireManage();
 
@@ -522,6 +523,7 @@ public class ClientResource {
     @Path("test-nodes-available")
     @GET
     @NoCache
+    @Produces(MediaType.APPLICATION_JSON)
     public GlobalRequestResult testNodesAvailable() {
         auth.requireManage();
 

testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestApplicationResourceProvider.java

@@ -22,6 +22,7 @@ import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.representations.adapters.action.LogoutAction;
 import org.keycloak.representations.adapters.action.PushNotBeforeAction;
+import org.keycloak.representations.adapters.action.TestAvailabilityAction;
 import org.keycloak.services.resource.RealmResourceProvider;
 import org.keycloak.services.resources.RealmsResource;
 import org.keycloak.testsuite.events.EventsListenerProvider;
@@ -48,12 +49,15 @@ public class TestApplicationResourceProvider implements RealmResourceProvider {
 
     private final BlockingQueue<LogoutAction> adminLogoutActions;
     private final BlockingQueue<PushNotBeforeAction> adminPushNotBeforeActions;
+    private final BlockingQueue<TestAvailabilityAction> adminTestAvailabilityAction;
 
     public TestApplicationResourceProvider(KeycloakSession session, BlockingQueue<LogoutAction> adminLogoutActions,
-            BlockingQueue<PushNotBeforeAction> adminPushNotBeforeActions) {
+            BlockingQueue<PushNotBeforeAction> adminPushNotBeforeActions,
+            BlockingQueue<TestAvailabilityAction> adminTestAvailabilityAction) {
         this.session = session;
         this.adminLogoutActions = adminLogoutActions;
         this.adminPushNotBeforeActions = adminPushNotBeforeActions;
+        this.adminTestAvailabilityAction = adminTestAvailabilityAction;
     }
 
     @POST
@@ -70,6 +74,13 @@ public class TestApplicationResourceProvider implements RealmResourceProvider {
         adminPushNotBeforeActions.add(new JWSInput(data).readJsonContent(PushNotBeforeAction.class));
     }
 
+    @POST
+    @Consumes(MediaType.TEXT_PLAIN)
+    @Path("/admin/k_test_available")
+    public void testAvailable(String data) throws JWSInputException {
+        adminTestAvailabilityAction.add(new JWSInput(data).readJsonContent(TestAvailabilityAction.class));
+    }
+
     @GET
     @Produces(MediaType.APPLICATION_JSON)
     @Path("/poll-admin-logout")
@@ -84,6 +95,13 @@ public class TestApplicationResourceProvider implements RealmResourceProvider {
         return adminPushNotBeforeActions.poll(10, TimeUnit.SECONDS);
     }
 
+    @GET
+    @Produces(MediaType.APPLICATION_JSON)
+    @Path("/poll-test-available")
+    public TestAvailabilityAction getTestAvailable() throws InterruptedException {
+        return adminTestAvailabilityAction.poll(10, TimeUnit.SECONDS);
+    }
+
     @POST
     @Path("/clear-admin-actions")
     public Response clearAdminActions() {

testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestApplicationResourceProviderFactory.java

@@ -24,6 +24,7 @@ import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.representations.adapters.action.AdminAction;
 import org.keycloak.representations.adapters.action.LogoutAction;
 import org.keycloak.representations.adapters.action.PushNotBeforeAction;
+import org.keycloak.representations.adapters.action.TestAvailabilityAction;
 import org.keycloak.services.resource.RealmResourceProvider;
 import org.keycloak.services.resource.RealmResourceProviderFactory;
 
@@ -37,10 +38,11 @@ public class TestApplicationResourceProviderFactory implements RealmResourceProv
 
     private BlockingQueue<LogoutAction> adminLogoutActions = new LinkedBlockingDeque<>();
     private BlockingQueue<PushNotBeforeAction> pushNotBeforeActions = new LinkedBlockingDeque<>();
+    private BlockingQueue<TestAvailabilityAction> testAvailabilityActions = new LinkedBlockingDeque<>();
 
     @Override
     public RealmResourceProvider create(KeycloakSession session) {
-        return new TestApplicationResourceProvider(session, adminLogoutActions, pushNotBeforeActions);
+        return new TestApplicationResourceProvider(session, adminLogoutActions, pushNotBeforeActions, testAvailabilityActions);
     }
 
     @Override

testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/client/resources/TestApplicationResource.java

@@ -19,6 +19,7 @@ package org.keycloak.testsuite.client.resources;
 
 import org.keycloak.representations.adapters.action.LogoutAction;
 import org.keycloak.representations.adapters.action.PushNotBeforeAction;
+import org.keycloak.representations.adapters.action.TestAvailabilityAction;
 
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
@@ -43,6 +44,11 @@ public interface TestApplicationResource {
     @Path("/poll-admin-not-before")
     PushNotBeforeAction getAdminPushNotBefore();
 
+    @GET
+    @Produces(MediaType.APPLICATION_JSON)
+    @Path("/poll-test-available")
+    TestAvailabilityAction getTestAvailable();
+
     @POST
     @Path("/clear-admin-actions")
     Response clearAdminActions();

testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/OAuthClient.java

@@ -72,17 +72,17 @@ public class OAuthClient {
 
     private String baseUrl = AUTH_SERVER_ROOT;
 
-    private String realm = "test";
+    private String realm;
 
-    private String clientId = "test-app";
+    private String clientId;
 
-    private String redirectUri = APP_ROOT + "/auth";
+    private String redirectUri;
 
-    private String state = "mystate";
+    private String state;
 
     private String scope;
 
-    private String uiLocales = null;
+    private String uiLocales;
 
     private String clientSessionState;
 
@@ -90,12 +90,19 @@ public class OAuthClient {
 
     private Map<String, PublicKey> publicKeys = new HashMap<>();
 
-    public void setAdminClient(Keycloak adminClient) {
+    public void init(Keycloak adminClient, WebDriver driver) {
         this.adminClient = adminClient;
-    }
-
-    public void setDriver(WebDriver driver) {
         this.driver = driver;
+
+        baseUrl = AUTH_SERVER_ROOT;
+        realm = "test";
+        clientId = "test-app";
+        redirectUri = APP_ROOT + "/auth";
+        state = "mystate";
+        scope = null;
+        uiLocales = null;
+        clientSessionState = null;
+        clientSessionHost = null;
     }
 
     public AuthorizationCodeResponse doLogin(String username, String password) {

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java

@@ -151,8 +151,7 @@ public abstract class AbstractKeycloakTest {
 
         importTestRealms();
 
-        oauth.setAdminClient(adminClient);
+        oauth.init(adminClient, driver);
-        oauth.setDriver(driver);
     }
 
     @After

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ClientTest.java

@@ -18,21 +18,37 @@
 package org.keycloak.testsuite.admin;
 
 import org.junit.Test;
+import org.keycloak.OAuth2Constants;
 import org.keycloak.admin.client.resource.ClientResource;
 import org.keycloak.admin.client.resource.ProtocolMappersResource;
+import org.keycloak.admin.client.resource.RoleMappingResource;
+import org.keycloak.common.util.Time;
+import org.keycloak.models.AccountRoles;
 import org.keycloak.models.Constants;
 import org.keycloak.protocol.oidc.OIDCLoginProtocolFactory;
+import org.keycloak.representations.adapters.action.GlobalRequestResult;
+import org.keycloak.representations.adapters.action.PushNotBeforeAction;
+import org.keycloak.representations.adapters.action.TestAvailabilityAction;
 import org.keycloak.representations.idm.*;
 
 import javax.ws.rs.NotFoundException;
 import javax.ws.rs.core.Response;
 
+import java.io.IOException;
+import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Set;
 
+import org.keycloak.services.resources.admin.ScopeMappedResource;
 import org.keycloak.testsuite.Assert;
+import org.keycloak.testsuite.util.ClientBuilder;
+import org.keycloak.testsuite.util.CredentialBuilder;
 import org.keycloak.testsuite.util.OAuthClient;
+import org.keycloak.testsuite.util.OAuthClient.AccessTokenResponse;
+import org.keycloak.testsuite.util.RoleBuilder;
+import org.keycloak.testsuite.util.UserBuilder;
 
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
@@ -174,6 +190,154 @@ public class ClientTest extends AbstractAdminTest {
         assertClient(client, storedClient);
     }
 
+    @Test
+    public void serviceAccount() {
+        Response response = realm.clients().create(ClientBuilder.create().clientId("serviceClient").serviceAccount().build());
+        String id = ApiUtil.getCreatedId(response);
+        UserRepresentation userRep = realm.clients().get(id).getServiceAccountUser();
+        assertEquals("service-account-serviceclient", userRep.getUsername());
+    }
+
+    @Test
+    public void pushRevocation() {
+        testingClient.testApp().clearAdminActions();
+
+        String redirectUri = oauth.getRedirectUri().replace("/master/", "/" + REALM_NAME + "/");
+
+        ClientRepresentation client = new ClientRepresentation();
+        client.setClientId("test-app");
+        client.setAdminUrl(suiteContext.getAuthServerInfo().getContextRoot() + "/auth/realms/master/app/admin");
+        client.setRedirectUris(Collections.singletonList(redirectUri));
+        client.setSecret("secret");
+
+        int notBefore = Time.currentTime() - 60;
+
+        client.setNotBefore(notBefore);
+        Response response = realm.clients().create(client);
+        String id = ApiUtil.getCreatedId(response);
+        response.close();
+
+        realm.clients().get(id).pushRevocation();
+
+        PushNotBeforeAction pushNotBefore = testingClient.testApp().getAdminPushNotBefore();
+        assertEquals(notBefore, pushNotBefore.getNotBefore());
+    }
+
+    @Test
+    public void nodes() {
+        testingClient.testApp().clearAdminActions();
+
+        String redirectUri = oauth.getRedirectUri().replace("/master/", "/" + REALM_NAME + "/");
+
+        ClientRepresentation client = new ClientRepresentation();
+        client.setClientId("test-app");
+        client.setAdminUrl(suiteContext.getAuthServerInfo().getContextRoot() + "/auth/realms/master/app/admin");
+        client.setRedirectUris(Collections.singletonList(redirectUri));
+        client.setSecret("secret");
+
+        Response response = realm.clients().create(client);
+        String id = ApiUtil.getCreatedId(response);
+        response.close();
+
+        realm.clients().get(id).registerNode(Collections.singletonMap("node", suiteContext.getAuthServerInfo().getContextRoot().getHost()));
+        realm.clients().get(id).registerNode(Collections.singletonMap("node", "invalid"));
+
+        GlobalRequestResult result = realm.clients().get(id).testNodesAvailable();
+        assertEquals(1, result.getSuccessRequests().size());
+        assertEquals(1, result.getFailedRequests().size());
+
+        TestAvailabilityAction testAvailable = testingClient.testApp().getTestAvailable();
+        assertEquals("test-app", testAvailable.getResource());
+
+        assertEquals(2, realm.clients().get(id).toRepresentation().getRegisteredNodes().size());
+
+        realm.clients().get(id).unregisterNode("invalid");
+
+        assertEquals(1, realm.clients().get(id).toRepresentation().getRegisteredNodes().size());
+    }
+
+    @Test
+    public void offlineUserSessions() throws IOException {
+        String redirectUri = oauth.getRedirectUri().replace("/master/", "/" + REALM_NAME + "/");
+
+        ClientRepresentation client = new ClientRepresentation();
+        client.setClientId("test-app");
+        client.setAdminUrl(suiteContext.getAuthServerInfo().getContextRoot() + "/auth/realms/master/app/admin");
+        client.setRedirectUris(Collections.singletonList(redirectUri));
+        client.setSecret("secret");
+
+        Response response = realm.clients().create(client);
+        String id = ApiUtil.getCreatedId(response);
+        response.close();
+
+        response = realm.users().create(UserBuilder.create().username("testuser").build());
+        String userId = ApiUtil.getCreatedId(response);
+        response.close();
+
+        realm.users().get(userId).resetPassword(CredentialBuilder.create().password("password").build());
+
+        Map<String, Long> offlineSessionCount = realm.clients().get(id).getOfflineSessionCount();
+        assertEquals(new Long(0), offlineSessionCount.get("count"));
+
+        oauth.realm(REALM_NAME);
+        oauth.redirectUri(redirectUri);
+        oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
+        oauth.doLogin("testuser", "password");
+        AccessTokenResponse accessTokenResponse = oauth.doAccessTokenRequest(oauth.getCurrentQuery().get("code"), "secret");
+        assertEquals(200, accessTokenResponse.getStatusCode());
+
+        offlineSessionCount = realm.clients().get(id).getOfflineSessionCount();
+        assertEquals(new Long(1), offlineSessionCount.get("count"));
+
+        List<UserSessionRepresentation> offlineUserSessions = realm.clients().get(id).getOfflineUserSessions(0, 100);
+        assertEquals(1, offlineUserSessions.size());
+        assertEquals("testuser", offlineUserSessions.get(0).getUsername());
+    }
+
+    @Test
+    public void scopes() {
+        Response response = realm.clients().create(ClientBuilder.create().clientId("client").fullScopeEnabled(false).build());
+        String id = ApiUtil.getCreatedId(response);
+        response.close();
+
+        RoleMappingResource scopesResource = realm.clients().get(id).getScopeMappings();
+
+        realm.roles().create(RoleBuilder.create().name("role1").build());
+        realm.roles().create(RoleBuilder.create().name("role2").build());
+
+        RoleRepresentation roleRep1 = realm.roles().get("role1").toRepresentation();
+        RoleRepresentation roleRep2 = realm.roles().get("role2").toRepresentation();
+
+        realm.roles().get("role1").addComposites(Collections.singletonList(roleRep2));
+
+        String accountMgmtId = realm.clients().findByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID).get(0).getId();
+        RoleRepresentation viewAccountRoleRep = realm.clients().get(accountMgmtId).roles().get(AccountRoles.VIEW_PROFILE).toRepresentation();
+
+        scopesResource.realmLevel().add(Collections.singletonList(roleRep1));
+        scopesResource.clientLevel(accountMgmtId).add(Collections.singletonList(viewAccountRoleRep));
+
+        Assert.assertNames(scopesResource.realmLevel().listAll(), "role1");
+        Assert.assertNames(scopesResource.realmLevel().listEffective(), "role1", "role2");
+        Assert.assertNames(scopesResource.realmLevel().listAvailable(), "offline_access");
+
+        Assert.assertNames(scopesResource.clientLevel(accountMgmtId).listAll(), AccountRoles.VIEW_PROFILE);
+        Assert.assertNames(scopesResource.clientLevel(accountMgmtId).listEffective(), AccountRoles.VIEW_PROFILE);
+        Assert.assertNames(scopesResource.clientLevel(accountMgmtId).listAvailable(), AccountRoles.MANAGE_ACCOUNT);
+
+        Assert.assertNames(scopesResource.getAll().getRealmMappings(), "role1");
+        Assert.assertNames(scopesResource.getAll().getClientMappings().get(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID).getMappings(), AccountRoles.VIEW_PROFILE);
+
+        scopesResource.realmLevel().remove(Collections.singletonList(roleRep1));
+        scopesResource.clientLevel(accountMgmtId).remove(Collections.singletonList(viewAccountRoleRep));
+
+        Assert.assertNames(scopesResource.realmLevel().listAll());
+        Assert.assertNames(scopesResource.realmLevel().listEffective());
+        Assert.assertNames(scopesResource.realmLevel().listAvailable(), "offline_access", "role1", "role2");
+        Assert.assertNames(scopesResource.clientLevel(accountMgmtId).listAll());
+        Assert.assertNames(scopesResource.clientLevel(accountMgmtId).listAvailable(), AccountRoles.VIEW_PROFILE, AccountRoles.MANAGE_ACCOUNT);
+        Assert.assertNames(scopesResource.clientLevel(accountMgmtId).listEffective());
+    }
+
     public static void protocolMappersTest(ProtocolMappersResource mappersResource) {
         // assert default mappers found
         List<ProtocolMapperRepresentation> protocolMappers = mappersResource.getMappers();

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/ClientTest.java

@@ -91,28 +91,4 @@ public class ClientTest extends AbstractClientTest {
         assertEqualClients(rep, gotById);
     }
 
-    /*  DEPRECATED?
-    @Test
-    public void testAllowedOrigins() {
-        createOidcClient("originsClient");
-        ClientResource client = findClientResource("originsClient");
-        java.util.Set<String> origins = client.getAllowedOrigins();
-        assertEquals(1, origins.size());
-        assertTrue(origins.contains("foo/*"));
-
-        origins.add("bar/*");
-        client.updateAllowedOrigins(origins); //<-- STACK OVERFLOW
-        origins = client.getAllowedOrigins();
-        assertEquals(2, origins.size());
-        assertTrue(origins.contains("foo/*"));
-        assertTrue(origins.contains("bar/*"));
-
-        java.util.Set<String> toRemove = new java.util.HashSet<>();
-        toRemove.add("bar/*");
-        client.removeAllowedOrigins(origins);
-        origins = client.getAllowedOrigins();
-        assertEquals(1, origins.size());
-        assertTrue(origins.contains("foo/*"));
-    } */
-
 }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/SSOTest.java

@@ -113,8 +113,7 @@ public class SSOTest extends TestRealmKeycloakTest {
         try {
             //OAuthClient oauth2 = new OAuthClient(driver2);
             OAuthClient oauth2 = new OAuthClient();
-            oauth2.setDriver(driver2);
+            oauth2.init(adminClient, driver2);
-            oauth2.setAdminClient(adminClient);
 
             oauth2.state("mystate");
             oauth2.doLogin("test-user@localhost", "password");

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java

@@ -95,7 +95,7 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest {
                 .clientId("client2")
                 .directAccessGrants()
                 .serviceAccountsEnabled(true)
-                .redirectUris(oauth.getRedirectUri())
+                .redirectUris(OAuthClient.APP_ROOT + "/auth")
                 .attribute(JWTClientAuthenticator.CERTIFICATE_ATTR, "MIICnTCCAYUCBgFPPQDGxTANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdjbGllbnQxMB4XDTE1MDgxNzE4NTAwNVoXDTI1MDgxNzE4NTE0NVowEjEQMA4GA1UEAwwHY2xpZW50MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMMw3PaBffWxgS2PYSDDBp6As+cNvv9kt2C4f/RDAGmvSIHPFev9kuQiKs3Oaws3ZsV4JG3qHEuYgnh9W4vfe3DwNwtD1bjL5FYBhPBFTw0lAQECYxaBHnkjHwUKp957FqdSPPICm3LjmTcEdlH+9dpp9xHCMbbiNiWDzWI1xSxC8Fs2d0hwz1sd+Q4QeTBPIBWcPM+ICZtNG5MN+ORfayu4X+Me5d0tXG2fQO//rAevk1i5IFjKZuOjTwyKB5SJIY4b8QTeg0g/50IU7Ht00Pxw6CK02dHS+FvXHasZlD3ckomqCDjStTBWdhJo5dST0CbOqalkkpLlCCbGA1yEQRsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAUIMeJ+EAo8eNpCG/nXImacjrKakbFnZYBGD/gqeTGaZynkX+jgBSructTHR83zSH+yELEhsAy+3BfK4EEihp+PEcRnK2fASVkHste8AQ7rlzC+HGGirlwrVhWCdizNUCGK80DE537IZ7nmZw6LFG9P5/Q2MvCsOCYjRUvMkukq6TdXBXR9tETwZ+0gpSfsOxjj0ZF7ftTRUSzx4rFfcbM9fRNdVizdOuKGc8HJPA5lLOxV6CyaYIvi3y5RlQI1OHeS34lE4w9CNPRFa/vdxXvN7ClyzA0HMFNWxBN7pC/Ht/FbhSvaAagJBHg+vCrcY5C26Oli7lAglf/zZrwUPs0w==")
                 .authenticatorType(JWTClientAuthenticator.PROVIDER_ID)
                 .build();

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/ClientBuilder.java

@@ -17,6 +17,7 @@
 
 package org.keycloak.testsuite.util;
 
+import org.keycloak.dom.saml.v2.ac.BooleanType;
 import org.keycloak.representations.idm.ClientRepresentation;
 
 import java.util.Arrays;
@@ -58,11 +59,21 @@ public class ClientBuilder {
         return this;
     }
 
+    public ClientBuilder serviceAccount() {
+        rep.setServiceAccountsEnabled(true);
+        return this;
+    }
+
     public ClientBuilder directAccessGrants() {
         rep.setDirectAccessGrantsEnabled(true);
         return this;
     }
 
+    public ClientBuilder fullScopeEnabled(Boolean fullScopeEnabled) {
+        rep.setFullScopeAllowed(fullScopeEnabled);
+        return this;
+    }
+
     public ClientBuilder secret(String secret) {
         rep.setSecret(secret);
         return this;