KEYCLOAK-3967

federation/kerberos/src/main/java/org/keycloak/federation/kerberos/KerberosFederationProviderFactory.java

@@ -24,14 +24,18 @@ import org.keycloak.component.ComponentModel;
 import org.keycloak.federation.kerberos.impl.KerberosServerSubjectAuthenticator;
 import org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator;
 import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
+import org.keycloak.models.AuthenticationExecutionModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.LDAPConstants;
+import org.keycloak.models.RealmModel;
 import org.keycloak.provider.ProviderConfigProperty;
 import org.keycloak.provider.ProviderConfigurationBuilder;
+import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.storage.UserStorageProvider;
 import org.keycloak.storage.UserStorageProviderFactory;
 import org.keycloak.storage.UserStorageProviderModel;
+import org.keycloak.utils.CredentialHelper;
 
 import java.util.List;
 
@@ -139,4 +143,17 @@ public class KerberosFederationProviderFactory implements UserStorageProviderFac
     protected KerberosUsernamePasswordAuthenticator createKerberosUsernamePasswordAuthenticator(CommonKerberosConfig kerberosConfig) {
         return new KerberosUsernamePasswordAuthenticator(kerberosConfig);
     }
+
+    @Override
+    public void onCreate(KeycloakSession session, RealmModel realm, ComponentModel model) {
+        CredentialHelper.setOrReplaceAuthenticationRequirement(session, realm, CredentialRepresentation.KERBEROS,
+                AuthenticationExecutionModel.Requirement.ALTERNATIVE, AuthenticationExecutionModel.Requirement.DISABLED);
+    }
+
+    @Override
+    public void onUpdate(KeycloakSession session, RealmModel realm, ComponentModel model) {
+        CredentialHelper.setOrReplaceAuthenticationRequirement(session, realm, CredentialRepresentation.KERBEROS,
+                AuthenticationExecutionModel.Requirement.ALTERNATIVE, AuthenticationExecutionModel.Requirement.DISABLED);
+    }
+
 }

federation/ldap/src/main/java/org/keycloak/storage/ldap/LDAPStorageProviderFactory.java

@@ -26,6 +26,7 @@ import org.keycloak.federation.kerberos.CommonKerberosConfig;
 import org.keycloak.federation.kerberos.impl.KerberosServerSubjectAuthenticator;
 import org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator;
 import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
+import org.keycloak.models.AuthenticationExecutionModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.KeycloakSessionFactory;
 import org.keycloak.models.KeycloakSessionTask;
@@ -36,6 +37,7 @@ import org.keycloak.models.UserModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.provider.ProviderConfigProperty;
 import org.keycloak.provider.ProviderConfigurationBuilder;
+import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.storage.UserStorageProvider;
 import org.keycloak.storage.UserStorageProviderFactory;
 import org.keycloak.storage.UserStorageProviderModel;
@@ -52,6 +54,7 @@ import org.keycloak.storage.ldap.mappers.UserAttributeLDAPStorageMapperFactory;
 import org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapperFactory;
 import org.keycloak.storage.user.ImportSynchronization;
 import org.keycloak.storage.user.SynchronizationResult;
+import org.keycloak.utils.CredentialHelper;
 
 import java.util.Date;
 import java.util.List;
@@ -318,8 +321,18 @@ public class LDAPStorageProviderFactory implements UserStorageProviderFactory<LD
             mapperModel = KeycloakModelUtils.createComponentModel("MSAD account controls", model.getId(), MSADUserAccountControlStorageMapperFactory.PROVIDER_ID,LDAPStorageMapper.class.getName());
             realm.addComponentModel(mapperModel);
         }
+        checkKerberosCredential(session, realm, model);
     }
 
+    @Override
+    public void onUpdate(KeycloakSession session, RealmModel realm, ComponentModel model) {
+        checkKerberosCredential(session, realm, model);
+
+    }
+
+
+
+
     @Override
     public SynchronizationResult sync(KeycloakSessionFactory sessionFactory, String realmId, UserStorageProviderModel model) {
         syncMappers(sessionFactory, realmId, model);
@@ -521,4 +534,15 @@ public class LDAPStorageProviderFactory implements UserStorageProviderFactory<LD
     protected KerberosUsernamePasswordAuthenticator createKerberosUsernamePasswordAuthenticator(CommonKerberosConfig kerberosConfig) {
         return new KerberosUsernamePasswordAuthenticator(kerberosConfig);
     }
-}
+
+    public static boolean checkKerberosCredential(KeycloakSession session, RealmModel realm, ComponentModel model) {
+        String allowKerberosCfg = model.getConfig().getFirst(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION);
+        if (Boolean.valueOf(allowKerberosCfg)) {
+            CredentialHelper.setOrReplaceAuthenticationRequirement(session, realm, CredentialRepresentation.KERBEROS,
+                    AuthenticationExecutionModel.Requirement.ALTERNATIVE, AuthenticationExecutionModel.Requirement.DISABLED);
+            return true;
+        }
+        return false;
+    }
+
+ }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/Assert.java

@@ -17,6 +17,7 @@
 
 package org.keycloak.testsuite;
 
+import org.keycloak.common.util.MultivaluedHashMap;
 import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.ComponentRepresentation;
 import org.keycloak.representations.idm.ConfigPropertyRepresentation;
@@ -105,6 +106,26 @@ public class Assert extends org.junit.Assert {
         }
     }
 
+    /**
+     * Assert all the fields from map available. Array "expected" contains pairs when first value from pair is expected key
+     * and second is the expected value from the map for target key.
+     *
+     * Example config = {"key1" -> "value1" , "key2" -> "value2" }
+     * then assertMap(config, "key1", "value1", "key2", "value2" will return true
+     *
+     */
+    public static void assertMultivaluedMap(MultivaluedHashMap<String, String> config, String... expected) {
+        if (expected == null) {
+            expected = new String[] {};
+        }
+
+        for (int i=0 ; i<expected.length ; i+=2) {
+            String key = expected[i];
+            String value = expected[i+1];
+            Assert.assertEquals(value, config.getFirst(key));
+        }
+    }
+
     public static void assertProviderConfigProperty(ConfigPropertyRepresentation property, String name, String label, String defaultValue, String helpText, String type) {
         Assert.assertEquals(name, property.getName());
         Assert.assertEquals(label, property.getLabel());

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserStorageRestTest.java

@@ -17,13 +17,255 @@
 
 package org.keycloak.testsuite.admin;
 
-import org.junit.Ignore;
+import org.junit.Test;
+import org.keycloak.common.constants.KerberosConstants;
+import org.keycloak.common.util.MultivaluedHashMap;
+import org.keycloak.events.admin.OperationType;
+import org.keycloak.events.admin.ResourceType;
+import org.keycloak.models.AuthenticationExecutionModel;
+import org.keycloak.models.LDAPConstants;
+import org.keycloak.representations.idm.AuthenticationExecutionInfoRepresentation;
+import org.keycloak.representations.idm.ComponentRepresentation;
+import org.keycloak.storage.UserStorageProvider;
+import org.keycloak.testsuite.Assert;
+import org.keycloak.testsuite.admin.authentication.AbstractAuthenticationTest;
+import org.keycloak.testsuite.util.AdminEventPaths;
+
+import javax.ws.rs.BadRequestException;
+import javax.ws.rs.core.Response;
+import java.util.List;
 
 /**
  * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
  */
-@Ignore
 public class UserStorageRestTest extends AbstractAdminTest {
+    private AuthenticationExecutionInfoRepresentation findKerberosExecution() {
+        AuthenticationExecutionInfoRepresentation kerberosExecution = null;
+        List<AuthenticationExecutionInfoRepresentation> executionReps = realm.flows().getExecutions("browser");
+        kerberosExecution = AbstractAuthenticationTest.findExecutionByProvider("auth-spnego", executionReps);
+
+        Assert.assertNotNull(kerberosExecution);
+        return kerberosExecution;
+    }
+
+    private String createComponent(ComponentRepresentation rep) {
+        Response resp = realm.components().add(rep);
+        Assert.assertEquals(201, resp.getStatus());
+        resp.close();
+        String id = ApiUtil.getCreatedId(resp);
+
+        assertAdminEvents.clear();
+        return id;
+    }
+
+    private void removeComponent(String id) {
+        realm.components().component(id).remove();
+        assertAdminEvents.clear();
+    }
+
+    private void assertFederationProvider(ComponentRepresentation rep, String id, String displayName, String providerId,
+                                          String... config) {
+        Assert.assertEquals(id, rep.getId());
+        Assert.assertEquals(displayName, rep.getName());
+        Assert.assertEquals(providerId, rep.getProviderId());
+
+        Assert.assertMultivaluedMap(rep.getConfig(), config);
+    }
+
+
+    @Test
+    public void testKerberosAuthenticatorEnabledAutomatically() {
+        // Assert kerberos authenticator DISABLED
+        AuthenticationExecutionInfoRepresentation kerberosExecution = findKerberosExecution();
+        Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.DISABLED.toString());
+
+        // create LDAP provider with kerberos
+        ComponentRepresentation ldapRep = new ComponentRepresentation();
+        ldapRep.setName("ldap2");
+        ldapRep.setProviderId("ldap");
+        ldapRep.setProviderType(UserStorageProvider.class.getName());
+        ldapRep.setConfig(new MultivaluedHashMap<>());
+        ldapRep.getConfig().putSingle("priority", Integer.toString(2));
+        ldapRep.getConfig().putSingle(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "true");
+
+        String id = createComponent(ldapRep);
+
+        // Assert kerberos authenticator ALTERNATIVE
+        kerberosExecution = findKerberosExecution();
+        Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.ALTERNATIVE.toString());
+
+        // Switch kerberos authenticator to DISABLED
+        kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED.toString());
+        realm.flows().updateExecutions("browser", kerberosExecution);
+        assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
+
+        // update LDAP provider with kerberos
+        ldapRep = realm.components().component(id).toRepresentation();
+        realm.components().component(id).update(ldapRep);
+        assertAdminEvents.clear();
+
+        // Assert kerberos authenticator ALTERNATIVE
+        kerberosExecution = findKerberosExecution();
+        Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.ALTERNATIVE.toString());
+
+        // Cleanup
+        kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED.toString());
+        realm.flows().updateExecutions("browser", kerberosExecution);
+        assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
+        removeComponent(id);
+    }
+
+    @Test
+    public void testKerberosAuthenticatorChangedOnlyIfDisabled() {
+        // Change kerberos to REQUIRED
+        AuthenticationExecutionInfoRepresentation kerberosExecution = findKerberosExecution();
+        kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED.toString());
+        realm.flows().updateExecutions("browser", kerberosExecution);
+        assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
+
+        // create LDAP provider with kerberos
+        ComponentRepresentation ldapRep = new ComponentRepresentation();
+        ldapRep.setName("ldap2");
+        ldapRep.setProviderId("ldap");
+        ldapRep.setProviderType(UserStorageProvider.class.getName());
+        ldapRep.setConfig(new MultivaluedHashMap<>());
+        ldapRep.getConfig().putSingle("priority", Integer.toString(2));
+        ldapRep.getConfig().putSingle(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "true");
+
+        String id = createComponent(ldapRep);
+
+
+        // Assert kerberos authenticator still REQUIRED
+        kerberosExecution = findKerberosExecution();
+        Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.REQUIRED.toString());
+
+        // update LDAP provider with kerberos
+        ldapRep = realm.components().component(id).toRepresentation();
+        realm.components().component(id).update(ldapRep);
+        assertAdminEvents.clear();
+
+        // Assert kerberos authenticator still REQUIRED
+        kerberosExecution = findKerberosExecution();
+        Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.REQUIRED.toString());
+
+        // Cleanup
+        kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED.toString());
+        realm.flows().updateExecutions("browser", kerberosExecution);
+        assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
+        removeComponent(id);
+
+    }
+
+    @Test
+    public void testValidateAndCreateLdapProvider() {
+        // Invalid filter
+
+        ComponentRepresentation ldapRep = new ComponentRepresentation();
+        ldapRep.setName("ldap2");
+        ldapRep.setProviderId("ldap");
+        ldapRep.setProviderType(UserStorageProvider.class.getName());
+        ldapRep.setConfig(new MultivaluedHashMap<>());
+        ldapRep.getConfig().putSingle("priority", Integer.toString(2));
+        ldapRep.getConfig().putSingle(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "dc=something");
+
+        Response resp = realm.components().add(ldapRep);
+        Assert.assertEquals(400, resp.getStatus());
+        resp.close();
+
+        // Invalid filter
+        ldapRep.getConfig().putSingle(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something");
+        resp = realm.components().add(ldapRep);
+        Assert.assertEquals(400, resp.getStatus());
+        resp.close();
+
+        // Invalid filter
+        ldapRep.getConfig().putSingle(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "dc=something)");
+        resp = realm.components().add(ldapRep);
+        Assert.assertEquals(400, resp.getStatus());
+        resp.close();
+
+        // Assert nothing created so far
+        Assert.assertTrue(realm.components().query(realmId, UserStorageProvider.class.getName()).isEmpty());
+        assertAdminEvents.assertEmpty();
+
+
+        // Valid filter. Creation success
+        ldapRep.getConfig().putSingle(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something)");
+        String id1 = createComponent(ldapRep);
+
+        // Missing filter is ok too. Creation success
+        ComponentRepresentation ldapRep2 = new ComponentRepresentation();
+        ldapRep2.setName("ldap3");
+        ldapRep2.setProviderId("ldap");
+        ldapRep2.setProviderType(UserStorageProvider.class.getName());
+        ldapRep2.setConfig(new MultivaluedHashMap<>());
+        ldapRep2.getConfig().putSingle("priority", Integer.toString(2));
+        ldapRep2.getConfig().putSingle(LDAPConstants.BIND_DN, "cn=manager");
+        ldapRep2.getConfig().putSingle(LDAPConstants.BIND_CREDENTIAL, "password");
+        String id2 = createComponent(ldapRep2);
+
+        // Assert both providers created
+        List<ComponentRepresentation> providerInstances = realm.components().query(realmId, UserStorageProvider.class.getName());
+        Assert.assertEquals(providerInstances.size(), 2);
+
+        // Cleanup
+        removeComponent(id1);
+        removeComponent(id2);
+    }
+
+    @Test
+    public void testUpdateProvider() {
+        ComponentRepresentation ldapRep = new ComponentRepresentation();
+        ldapRep.setName("ldap2");
+        ldapRep.setProviderId("ldap");
+        ldapRep.setProviderType(UserStorageProvider.class.getName());
+        ldapRep.setConfig(new MultivaluedHashMap<>());
+        ldapRep.getConfig().putSingle("priority", Integer.toString(2));
+        ldapRep.getConfig().putSingle(LDAPConstants.BIND_DN, "cn=manager");
+        ldapRep.getConfig().putSingle(LDAPConstants.BIND_CREDENTIAL, "password");
+        String id = createComponent(ldapRep);
+
+        // Assert update with invalid filter should fail
+        ldapRep = realm.components().component(id).toRepresentation();
+        ldapRep.getConfig().putSingle(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2");
+        ldapRep.getConfig().putSingle(LDAPConstants.BIND_DN, "cn=manager-updated");
+        try {
+            realm.components().component(id).update(ldapRep);
+            Assert.fail("Not expected to successfull update");
+        } catch (BadRequestException bre) {
+            // Expected
+        }
+
+        // Assert nothing was updated
+        assertFederationProvider(realm.components().component(id).toRepresentation(), id, "ldap2", "ldap", LDAPConstants.BIND_DN, "cn=manager", LDAPConstants.BIND_CREDENTIAL, "**********");
+
+        // Change filter to be valid
+        ldapRep.getConfig().putSingle(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2)");
+        realm.components().component(id).update(ldapRep);
+        assertAdminEvents.clear();
+
+        // Assert updated successfully
+        ldapRep = realm.components().component(id).toRepresentation();
+        assertFederationProvider(ldapRep, id, "ldap2", "ldap", LDAPConstants.BIND_DN, "cn=manager-updated", LDAPConstants.BIND_CREDENTIAL, "**********",
+                LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2)");
+
+        // Assert update displayName
+        ldapRep.setName("ldap2");
+        realm.components().component(id).update(ldapRep);
+
+        assertFederationProvider(realm.components().component(id).toRepresentation(), id, "ldap2", "ldap",LDAPConstants.BIND_DN, "cn=manager-updated", LDAPConstants.BIND_CREDENTIAL, "**********",
+                LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2)");
+
+
+
+        // Cleanup
+        removeComponent(id);
+    }
+
+
+
+
+
 /*
     @Test
     public void testProviderFactories() {
@@ -102,191 +344,11 @@ public class UserStorageRestTest extends AbstractAdminTest {
     }
 
 
-    @Test
-    public void testValidateAndCreateLdapProvider() {
-        // Invalid filter
-        UserFederationProviderRepresentation ldapRep = UserFederationProviderBuilder.create()
-                .displayName("ldap1")
-                .providerName("ldap")
-                .priority(1)
-                .configProperty(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "dc=something")
-                .build();
-        Response resp = userFederation().create(ldapRep);
-        Assert.assertEquals(400, resp.getStatus());
-        resp.close();
-
-        // Invalid filter
-        ldapRep.getConfig().put(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something");
-        resp = userFederation().create(ldapRep);
-        Assert.assertEquals(400, resp.getStatus());
-        resp.close();
-
-        // Invalid filter
-        ldapRep.getConfig().put(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "dc=something)");
-        resp = userFederation().create(ldapRep);
-        Assert.assertEquals(400, resp.getStatus());
-        resp.close();
-
-        // Assert nothing created so far
-        Assert.assertTrue(userFederation().getProviderInstances().isEmpty());
-        assertAdminEvents.assertEmpty();
-
-
-        // Valid filter. Creation success
-        ldapRep.getConfig().put(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something)");
-        String id1 = createUserFederationProvider(ldapRep);
-
-        // Missing filter is ok too. Creation success
-        UserFederationProviderRepresentation ldapRep2 = UserFederationProviderBuilder.create()
-                .displayName("ldap2")
-                .providerName("ldap")
-                .priority(2)
-                .configProperty(LDAPConstants.BIND_DN, "cn=manager")
-                .configProperty(LDAPConstants.BIND_CREDENTIAL, "password")
-                .build();
-        String id2 = createUserFederationProvider(ldapRep2);
-
-        // Assert both providers created
-        List<UserFederationProviderRepresentation> providerInstances = userFederation().getProviderInstances();
-        Assert.assertEquals(providerInstances.size(), 2);
-        assertFederationProvider(providerInstances.get(0), id1, "ldap1", "ldap", 1, -1, -1, -1, LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something)");
-        assertFederationProvider(providerInstances.get(1), id2, "ldap2", "ldap", 2, -1, -1, -1, LDAPConstants.BIND_DN, "cn=manager", LDAPConstants.BIND_CREDENTIAL, "password");
-
-        // Cleanup
-        removeUserFederationProvider(id1);
-        removeUserFederationProvider(id2);
-    }
-
-
-    @Test
-    public void testUpdateProvider() {
-        UserFederationProviderRepresentation ldapRep = UserFederationProviderBuilder.create()
-                .providerName("ldap")
-                .priority(2)
-                .configProperty(LDAPConstants.BIND_DN, "cn=manager")
-                .configProperty(LDAPConstants.BIND_CREDENTIAL, "password")
-                .build();
-        String id = createUserFederationProvider(ldapRep);
-        assertFederationProvider(userFederation().get(id).toRepresentation(), id, id, "ldap", 2, -1, -1, -1, LDAPConstants.BIND_DN, "cn=manager", LDAPConstants.BIND_CREDENTIAL, "password");
-
-        // Assert update with invalid filter should fail
-        ldapRep = userFederation().get(id).toRepresentation();
-        ldapRep.setDisplayName("");
-        ldapRep.getConfig().put(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2");
-        ldapRep.getConfig().put(LDAPConstants.BIND_DN, "cn=manager-updated");
-        try {
-            userFederation().get(id).update(ldapRep);
-            Assert.fail("Not expected to successfull update");
-        } catch (BadRequestException bre) {
-            // Expected
-        }
-
-        // Assert nothing was updated
-        assertFederationProvider(userFederation().get(id).toRepresentation(), id, id, "ldap", 2, -1, -1, -1, LDAPConstants.BIND_DN, "cn=manager", LDAPConstants.BIND_CREDENTIAL, "password");
-
-        // Change filter to be valid
-        ldapRep.getConfig().put(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2)");
-        userFederation().get(id).update(ldapRep);
-        assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.userFederationResourcePath(id), ldapRep, ResourceType.USER_FEDERATION_PROVIDER);
-
-        // Assert updated successfully
-        ldapRep = userFederation().get(id).toRepresentation();
-        assertFederationProvider(ldapRep, id, id, "ldap", 2, -1, -1, -1, LDAPConstants.BIND_DN, "cn=manager-updated", LDAPConstants.BIND_CREDENTIAL, "password",
-                LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2)");
-
-        // Assert update displayName
-        ldapRep.setDisplayName("ldap2");
-        userFederation().get(id).update(ldapRep);
-        assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.userFederationResourcePath(id), ldapRep, ResourceType.USER_FEDERATION_PROVIDER);
-
-        assertFederationProvider(userFederation().get(id).toRepresentation(), id, "ldap2", "ldap", 2, -1, -1, -1, LDAPConstants.BIND_DN, "cn=manager-updated", LDAPConstants.BIND_CREDENTIAL, "password",
-                LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2)");
 
 
 
-        // Cleanup
-        removeUserFederationProvider(id);
-    }
 
 
-    @Test
-    public void testKerberosAuthenticatorEnabledAutomatically() {
-        // Assert kerberos authenticator DISABLED
-        AuthenticationExecutionInfoRepresentation kerberosExecution = findKerberosExecution();
-        Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.DISABLED.toString());
-
-        // create LDAP provider with kerberos
-        UserFederationProviderRepresentation ldapRep = UserFederationProviderBuilder.create()
-                .displayName("ldap2")
-                .providerName("ldap")
-                .priority(2)
-                .configProperty(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "true")
-                .build();
-        String id = createUserFederationProvider(ldapRep);
-
-        // Assert kerberos authenticator ALTERNATIVE
-        kerberosExecution = findKerberosExecution();
-        Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.ALTERNATIVE.toString());
-
-        // Switch kerberos authenticator to DISABLED
-        kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED.toString());
-        realm.flows().updateExecutions("browser", kerberosExecution);
-        assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
-
-        // update LDAP provider with kerberos
-        ldapRep = userFederation().get(id).toRepresentation();
-        userFederation().get(id).update(ldapRep);
-        assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.userFederationResourcePath(id), ldapRep, ResourceType.USER_FEDERATION_PROVIDER);
-
-        // Assert kerberos authenticator ALTERNATIVE
-        kerberosExecution = findKerberosExecution();
-        Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.ALTERNATIVE.toString());
-
-        // Cleanup
-        kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED.toString());
-        realm.flows().updateExecutions("browser", kerberosExecution);
-        assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
-        removeUserFederationProvider(id);
-    }
-
-    @Test
-    public void testKerberosAuthenticatorChangedOnlyIfDisabled() {
-        // Change kerberos to REQUIRED
-        AuthenticationExecutionInfoRepresentation kerberosExecution = findKerberosExecution();
-        kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED.toString());
-        realm.flows().updateExecutions("browser", kerberosExecution);
-        assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
-
-        // create LDAP provider with kerberos
-        UserFederationProviderRepresentation ldapRep = UserFederationProviderBuilder.create()
-                .displayName("ldap2")
-                .providerName("ldap")
-                .priority(2)
-                .configProperty(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "true")
-                .build();
-        String id = createUserFederationProvider(ldapRep);
-
-        // Assert kerberos authenticator still REQUIRED
-        kerberosExecution = findKerberosExecution();
-        Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.REQUIRED.toString());
-
-        // update LDAP provider with kerberos
-        ldapRep = userFederation().get(id).toRepresentation();
-        userFederation().get(id).update(ldapRep);
-        assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.userFederationResourcePath(id), ldapRep, ResourceType.USER_FEDERATION_PROVIDER);
-
-        // Assert kerberos authenticator still REQUIRED
-        kerberosExecution = findKerberosExecution();
-        Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.REQUIRED.toString());
-
-        // Cleanup
-        kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED.toString());
-        realm.flows().updateExecutions("browser", kerberosExecution);
-        assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
-        removeUserFederationProvider(id);
-
-    }
-
 
     @Test (expected = NotFoundException.class)
     public void testLookupNotExistentProvider() {
@@ -342,20 +404,6 @@ public class UserStorageRestTest extends AbstractAdminTest {
     }
 
 
-    private String createUserFederationProvider(UserFederationProviderRepresentation rep) {
-        Response resp = userFederation().create(rep);
-        Assert.assertEquals(201, resp.getStatus());
-        resp.close();
-        String federationProviderId = ApiUtil.getCreatedId(resp);
-
-        assertAdminEvents.assertEvent(realmId, OperationType.CREATE, AdminEventPaths.userFederationResourcePath(federationProviderId), rep, ResourceType.USER_FEDERATION_PROVIDER);
-        return federationProviderId;
-    }
-
-    private void removeUserFederationProvider(String id) {
-        userFederation().get(id).remove();
-        assertAdminEvents.assertEvent(realmId, OperationType.DELETE, AdminEventPaths.userFederationResourcePath(id), ResourceType.USER_FEDERATION_PROVIDER);
-    }
 
     private void assertFederationProvider(UserFederationProviderRepresentation rep, String id, String displayName, String providerName,
                                           int priority, int fullSyncPeriod, int changeSyncPeriod, int lastSync,
@@ -372,13 +420,5 @@ public class UserStorageRestTest extends AbstractAdminTest {
     }
 
 
-    private AuthenticationExecutionInfoRepresentation findKerberosExecution() {
-        AuthenticationExecutionInfoRepresentation kerberosExecution = null;
-        List<AuthenticationExecutionInfoRepresentation> executionReps = realm.flows().getExecutions("browser");
-        kerberosExecution = AbstractAuthenticationTest.findExecutionByProvider("auth-spnego", executionReps);
-
-        Assert.assertNotNull(kerberosExecution);
-        return kerberosExecution;
-    }
     */
 }