KEYCLOAK-3967
This commit is contained in:
parent
4a80f1e913
commit
1f0600044a
5 changed files with 307 additions and 205 deletions
|
@ -24,14 +24,18 @@ import org.keycloak.component.ComponentModel;
|
|||
import org.keycloak.federation.kerberos.impl.KerberosServerSubjectAuthenticator;
|
||||
import org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator;
|
||||
import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
|
||||
import org.keycloak.models.AuthenticationExecutionModel;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.KeycloakSessionFactory;
|
||||
import org.keycloak.models.LDAPConstants;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.provider.ProviderConfigProperty;
|
||||
import org.keycloak.provider.ProviderConfigurationBuilder;
|
||||
import org.keycloak.representations.idm.CredentialRepresentation;
|
||||
import org.keycloak.storage.UserStorageProvider;
|
||||
import org.keycloak.storage.UserStorageProviderFactory;
|
||||
import org.keycloak.storage.UserStorageProviderModel;
|
||||
import org.keycloak.utils.CredentialHelper;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
|
@ -139,4 +143,17 @@ public class KerberosFederationProviderFactory implements UserStorageProviderFac
|
|||
protected KerberosUsernamePasswordAuthenticator createKerberosUsernamePasswordAuthenticator(CommonKerberosConfig kerberosConfig) {
|
||||
return new KerberosUsernamePasswordAuthenticator(kerberosConfig);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void onCreate(KeycloakSession session, RealmModel realm, ComponentModel model) {
|
||||
CredentialHelper.setOrReplaceAuthenticationRequirement(session, realm, CredentialRepresentation.KERBEROS,
|
||||
AuthenticationExecutionModel.Requirement.ALTERNATIVE, AuthenticationExecutionModel.Requirement.DISABLED);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void onUpdate(KeycloakSession session, RealmModel realm, ComponentModel model) {
|
||||
CredentialHelper.setOrReplaceAuthenticationRequirement(session, realm, CredentialRepresentation.KERBEROS,
|
||||
AuthenticationExecutionModel.Requirement.ALTERNATIVE, AuthenticationExecutionModel.Requirement.DISABLED);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -26,6 +26,7 @@ import org.keycloak.federation.kerberos.CommonKerberosConfig;
|
|||
import org.keycloak.federation.kerberos.impl.KerberosServerSubjectAuthenticator;
|
||||
import org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator;
|
||||
import org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator;
|
||||
import org.keycloak.models.AuthenticationExecutionModel;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.KeycloakSessionFactory;
|
||||
import org.keycloak.models.KeycloakSessionTask;
|
||||
|
@ -36,6 +37,7 @@ import org.keycloak.models.UserModel;
|
|||
import org.keycloak.models.utils.KeycloakModelUtils;
|
||||
import org.keycloak.provider.ProviderConfigProperty;
|
||||
import org.keycloak.provider.ProviderConfigurationBuilder;
|
||||
import org.keycloak.representations.idm.CredentialRepresentation;
|
||||
import org.keycloak.storage.UserStorageProvider;
|
||||
import org.keycloak.storage.UserStorageProviderFactory;
|
||||
import org.keycloak.storage.UserStorageProviderModel;
|
||||
|
@ -52,6 +54,7 @@ import org.keycloak.storage.ldap.mappers.UserAttributeLDAPStorageMapperFactory;
|
|||
import org.keycloak.storage.ldap.mappers.msad.MSADUserAccountControlStorageMapperFactory;
|
||||
import org.keycloak.storage.user.ImportSynchronization;
|
||||
import org.keycloak.storage.user.SynchronizationResult;
|
||||
import org.keycloak.utils.CredentialHelper;
|
||||
|
||||
import java.util.Date;
|
||||
import java.util.List;
|
||||
|
@ -318,8 +321,18 @@ public class LDAPStorageProviderFactory implements UserStorageProviderFactory<LD
|
|||
mapperModel = KeycloakModelUtils.createComponentModel("MSAD account controls", model.getId(), MSADUserAccountControlStorageMapperFactory.PROVIDER_ID,LDAPStorageMapper.class.getName());
|
||||
realm.addComponentModel(mapperModel);
|
||||
}
|
||||
checkKerberosCredential(session, realm, model);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void onUpdate(KeycloakSession session, RealmModel realm, ComponentModel model) {
|
||||
checkKerberosCredential(session, realm, model);
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
@Override
|
||||
public SynchronizationResult sync(KeycloakSessionFactory sessionFactory, String realmId, UserStorageProviderModel model) {
|
||||
syncMappers(sessionFactory, realmId, model);
|
||||
|
@ -521,4 +534,15 @@ public class LDAPStorageProviderFactory implements UserStorageProviderFactory<LD
|
|||
protected KerberosUsernamePasswordAuthenticator createKerberosUsernamePasswordAuthenticator(CommonKerberosConfig kerberosConfig) {
|
||||
return new KerberosUsernamePasswordAuthenticator(kerberosConfig);
|
||||
}
|
||||
|
||||
public static boolean checkKerberosCredential(KeycloakSession session, RealmModel realm, ComponentModel model) {
|
||||
String allowKerberosCfg = model.getConfig().getFirst(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION);
|
||||
if (Boolean.valueOf(allowKerberosCfg)) {
|
||||
CredentialHelper.setOrReplaceAuthenticationRequirement(session, realm, CredentialRepresentation.KERBEROS,
|
||||
AuthenticationExecutionModel.Requirement.ALTERNATIVE, AuthenticationExecutionModel.Requirement.DISABLED);
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -17,6 +17,7 @@
|
|||
|
||||
package org.keycloak.testsuite;
|
||||
|
||||
import org.keycloak.common.util.MultivaluedHashMap;
|
||||
import org.keycloak.representations.idm.ClientRepresentation;
|
||||
import org.keycloak.representations.idm.ComponentRepresentation;
|
||||
import org.keycloak.representations.idm.ConfigPropertyRepresentation;
|
||||
|
@ -105,6 +106,26 @@ public class Assert extends org.junit.Assert {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Assert all the fields from map available. Array "expected" contains pairs when first value from pair is expected key
|
||||
* and second is the expected value from the map for target key.
|
||||
*
|
||||
* Example config = {"key1" -> "value1" , "key2" -> "value2" }
|
||||
* then assertMap(config, "key1", "value1", "key2", "value2" will return true
|
||||
*
|
||||
*/
|
||||
public static void assertMultivaluedMap(MultivaluedHashMap<String, String> config, String... expected) {
|
||||
if (expected == null) {
|
||||
expected = new String[] {};
|
||||
}
|
||||
|
||||
for (int i=0 ; i<expected.length ; i+=2) {
|
||||
String key = expected[i];
|
||||
String value = expected[i+1];
|
||||
Assert.assertEquals(value, config.getFirst(key));
|
||||
}
|
||||
}
|
||||
|
||||
public static void assertProviderConfigProperty(ConfigPropertyRepresentation property, String name, String label, String defaultValue, String helpText, String type) {
|
||||
Assert.assertEquals(name, property.getName());
|
||||
Assert.assertEquals(label, property.getLabel());
|
||||
|
|
|
@ -17,13 +17,255 @@
|
|||
|
||||
package org.keycloak.testsuite.admin;
|
||||
|
||||
import org.junit.Ignore;
|
||||
import org.junit.Test;
|
||||
import org.keycloak.common.constants.KerberosConstants;
|
||||
import org.keycloak.common.util.MultivaluedHashMap;
|
||||
import org.keycloak.events.admin.OperationType;
|
||||
import org.keycloak.events.admin.ResourceType;
|
||||
import org.keycloak.models.AuthenticationExecutionModel;
|
||||
import org.keycloak.models.LDAPConstants;
|
||||
import org.keycloak.representations.idm.AuthenticationExecutionInfoRepresentation;
|
||||
import org.keycloak.representations.idm.ComponentRepresentation;
|
||||
import org.keycloak.storage.UserStorageProvider;
|
||||
import org.keycloak.testsuite.Assert;
|
||||
import org.keycloak.testsuite.admin.authentication.AbstractAuthenticationTest;
|
||||
import org.keycloak.testsuite.util.AdminEventPaths;
|
||||
|
||||
import javax.ws.rs.BadRequestException;
|
||||
import javax.ws.rs.core.Response;
|
||||
import java.util.List;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||
*/
|
||||
@Ignore
|
||||
public class UserStorageRestTest extends AbstractAdminTest {
|
||||
private AuthenticationExecutionInfoRepresentation findKerberosExecution() {
|
||||
AuthenticationExecutionInfoRepresentation kerberosExecution = null;
|
||||
List<AuthenticationExecutionInfoRepresentation> executionReps = realm.flows().getExecutions("browser");
|
||||
kerberosExecution = AbstractAuthenticationTest.findExecutionByProvider("auth-spnego", executionReps);
|
||||
|
||||
Assert.assertNotNull(kerberosExecution);
|
||||
return kerberosExecution;
|
||||
}
|
||||
|
||||
private String createComponent(ComponentRepresentation rep) {
|
||||
Response resp = realm.components().add(rep);
|
||||
Assert.assertEquals(201, resp.getStatus());
|
||||
resp.close();
|
||||
String id = ApiUtil.getCreatedId(resp);
|
||||
|
||||
assertAdminEvents.clear();
|
||||
return id;
|
||||
}
|
||||
|
||||
private void removeComponent(String id) {
|
||||
realm.components().component(id).remove();
|
||||
assertAdminEvents.clear();
|
||||
}
|
||||
|
||||
private void assertFederationProvider(ComponentRepresentation rep, String id, String displayName, String providerId,
|
||||
String... config) {
|
||||
Assert.assertEquals(id, rep.getId());
|
||||
Assert.assertEquals(displayName, rep.getName());
|
||||
Assert.assertEquals(providerId, rep.getProviderId());
|
||||
|
||||
Assert.assertMultivaluedMap(rep.getConfig(), config);
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void testKerberosAuthenticatorEnabledAutomatically() {
|
||||
// Assert kerberos authenticator DISABLED
|
||||
AuthenticationExecutionInfoRepresentation kerberosExecution = findKerberosExecution();
|
||||
Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.DISABLED.toString());
|
||||
|
||||
// create LDAP provider with kerberos
|
||||
ComponentRepresentation ldapRep = new ComponentRepresentation();
|
||||
ldapRep.setName("ldap2");
|
||||
ldapRep.setProviderId("ldap");
|
||||
ldapRep.setProviderType(UserStorageProvider.class.getName());
|
||||
ldapRep.setConfig(new MultivaluedHashMap<>());
|
||||
ldapRep.getConfig().putSingle("priority", Integer.toString(2));
|
||||
ldapRep.getConfig().putSingle(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "true");
|
||||
|
||||
String id = createComponent(ldapRep);
|
||||
|
||||
// Assert kerberos authenticator ALTERNATIVE
|
||||
kerberosExecution = findKerberosExecution();
|
||||
Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.ALTERNATIVE.toString());
|
||||
|
||||
// Switch kerberos authenticator to DISABLED
|
||||
kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED.toString());
|
||||
realm.flows().updateExecutions("browser", kerberosExecution);
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
|
||||
|
||||
// update LDAP provider with kerberos
|
||||
ldapRep = realm.components().component(id).toRepresentation();
|
||||
realm.components().component(id).update(ldapRep);
|
||||
assertAdminEvents.clear();
|
||||
|
||||
// Assert kerberos authenticator ALTERNATIVE
|
||||
kerberosExecution = findKerberosExecution();
|
||||
Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.ALTERNATIVE.toString());
|
||||
|
||||
// Cleanup
|
||||
kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED.toString());
|
||||
realm.flows().updateExecutions("browser", kerberosExecution);
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
|
||||
removeComponent(id);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testKerberosAuthenticatorChangedOnlyIfDisabled() {
|
||||
// Change kerberos to REQUIRED
|
||||
AuthenticationExecutionInfoRepresentation kerberosExecution = findKerberosExecution();
|
||||
kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED.toString());
|
||||
realm.flows().updateExecutions("browser", kerberosExecution);
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
|
||||
|
||||
// create LDAP provider with kerberos
|
||||
ComponentRepresentation ldapRep = new ComponentRepresentation();
|
||||
ldapRep.setName("ldap2");
|
||||
ldapRep.setProviderId("ldap");
|
||||
ldapRep.setProviderType(UserStorageProvider.class.getName());
|
||||
ldapRep.setConfig(new MultivaluedHashMap<>());
|
||||
ldapRep.getConfig().putSingle("priority", Integer.toString(2));
|
||||
ldapRep.getConfig().putSingle(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "true");
|
||||
|
||||
String id = createComponent(ldapRep);
|
||||
|
||||
|
||||
// Assert kerberos authenticator still REQUIRED
|
||||
kerberosExecution = findKerberosExecution();
|
||||
Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.REQUIRED.toString());
|
||||
|
||||
// update LDAP provider with kerberos
|
||||
ldapRep = realm.components().component(id).toRepresentation();
|
||||
realm.components().component(id).update(ldapRep);
|
||||
assertAdminEvents.clear();
|
||||
|
||||
// Assert kerberos authenticator still REQUIRED
|
||||
kerberosExecution = findKerberosExecution();
|
||||
Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.REQUIRED.toString());
|
||||
|
||||
// Cleanup
|
||||
kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED.toString());
|
||||
realm.flows().updateExecutions("browser", kerberosExecution);
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
|
||||
removeComponent(id);
|
||||
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testValidateAndCreateLdapProvider() {
|
||||
// Invalid filter
|
||||
|
||||
ComponentRepresentation ldapRep = new ComponentRepresentation();
|
||||
ldapRep.setName("ldap2");
|
||||
ldapRep.setProviderId("ldap");
|
||||
ldapRep.setProviderType(UserStorageProvider.class.getName());
|
||||
ldapRep.setConfig(new MultivaluedHashMap<>());
|
||||
ldapRep.getConfig().putSingle("priority", Integer.toString(2));
|
||||
ldapRep.getConfig().putSingle(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "dc=something");
|
||||
|
||||
Response resp = realm.components().add(ldapRep);
|
||||
Assert.assertEquals(400, resp.getStatus());
|
||||
resp.close();
|
||||
|
||||
// Invalid filter
|
||||
ldapRep.getConfig().putSingle(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something");
|
||||
resp = realm.components().add(ldapRep);
|
||||
Assert.assertEquals(400, resp.getStatus());
|
||||
resp.close();
|
||||
|
||||
// Invalid filter
|
||||
ldapRep.getConfig().putSingle(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "dc=something)");
|
||||
resp = realm.components().add(ldapRep);
|
||||
Assert.assertEquals(400, resp.getStatus());
|
||||
resp.close();
|
||||
|
||||
// Assert nothing created so far
|
||||
Assert.assertTrue(realm.components().query(realmId, UserStorageProvider.class.getName()).isEmpty());
|
||||
assertAdminEvents.assertEmpty();
|
||||
|
||||
|
||||
// Valid filter. Creation success
|
||||
ldapRep.getConfig().putSingle(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something)");
|
||||
String id1 = createComponent(ldapRep);
|
||||
|
||||
// Missing filter is ok too. Creation success
|
||||
ComponentRepresentation ldapRep2 = new ComponentRepresentation();
|
||||
ldapRep2.setName("ldap3");
|
||||
ldapRep2.setProviderId("ldap");
|
||||
ldapRep2.setProviderType(UserStorageProvider.class.getName());
|
||||
ldapRep2.setConfig(new MultivaluedHashMap<>());
|
||||
ldapRep2.getConfig().putSingle("priority", Integer.toString(2));
|
||||
ldapRep2.getConfig().putSingle(LDAPConstants.BIND_DN, "cn=manager");
|
||||
ldapRep2.getConfig().putSingle(LDAPConstants.BIND_CREDENTIAL, "password");
|
||||
String id2 = createComponent(ldapRep2);
|
||||
|
||||
// Assert both providers created
|
||||
List<ComponentRepresentation> providerInstances = realm.components().query(realmId, UserStorageProvider.class.getName());
|
||||
Assert.assertEquals(providerInstances.size(), 2);
|
||||
|
||||
// Cleanup
|
||||
removeComponent(id1);
|
||||
removeComponent(id2);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testUpdateProvider() {
|
||||
ComponentRepresentation ldapRep = new ComponentRepresentation();
|
||||
ldapRep.setName("ldap2");
|
||||
ldapRep.setProviderId("ldap");
|
||||
ldapRep.setProviderType(UserStorageProvider.class.getName());
|
||||
ldapRep.setConfig(new MultivaluedHashMap<>());
|
||||
ldapRep.getConfig().putSingle("priority", Integer.toString(2));
|
||||
ldapRep.getConfig().putSingle(LDAPConstants.BIND_DN, "cn=manager");
|
||||
ldapRep.getConfig().putSingle(LDAPConstants.BIND_CREDENTIAL, "password");
|
||||
String id = createComponent(ldapRep);
|
||||
|
||||
// Assert update with invalid filter should fail
|
||||
ldapRep = realm.components().component(id).toRepresentation();
|
||||
ldapRep.getConfig().putSingle(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2");
|
||||
ldapRep.getConfig().putSingle(LDAPConstants.BIND_DN, "cn=manager-updated");
|
||||
try {
|
||||
realm.components().component(id).update(ldapRep);
|
||||
Assert.fail("Not expected to successfull update");
|
||||
} catch (BadRequestException bre) {
|
||||
// Expected
|
||||
}
|
||||
|
||||
// Assert nothing was updated
|
||||
assertFederationProvider(realm.components().component(id).toRepresentation(), id, "ldap2", "ldap", LDAPConstants.BIND_DN, "cn=manager", LDAPConstants.BIND_CREDENTIAL, "**********");
|
||||
|
||||
// Change filter to be valid
|
||||
ldapRep.getConfig().putSingle(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2)");
|
||||
realm.components().component(id).update(ldapRep);
|
||||
assertAdminEvents.clear();
|
||||
|
||||
// Assert updated successfully
|
||||
ldapRep = realm.components().component(id).toRepresentation();
|
||||
assertFederationProvider(ldapRep, id, "ldap2", "ldap", LDAPConstants.BIND_DN, "cn=manager-updated", LDAPConstants.BIND_CREDENTIAL, "**********",
|
||||
LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2)");
|
||||
|
||||
// Assert update displayName
|
||||
ldapRep.setName("ldap2");
|
||||
realm.components().component(id).update(ldapRep);
|
||||
|
||||
assertFederationProvider(realm.components().component(id).toRepresentation(), id, "ldap2", "ldap",LDAPConstants.BIND_DN, "cn=manager-updated", LDAPConstants.BIND_CREDENTIAL, "**********",
|
||||
LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2)");
|
||||
|
||||
|
||||
|
||||
// Cleanup
|
||||
removeComponent(id);
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
/*
|
||||
@Test
|
||||
public void testProviderFactories() {
|
||||
|
@ -102,191 +344,11 @@ public class UserStorageRestTest extends AbstractAdminTest {
|
|||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void testValidateAndCreateLdapProvider() {
|
||||
// Invalid filter
|
||||
UserFederationProviderRepresentation ldapRep = UserFederationProviderBuilder.create()
|
||||
.displayName("ldap1")
|
||||
.providerName("ldap")
|
||||
.priority(1)
|
||||
.configProperty(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "dc=something")
|
||||
.build();
|
||||
Response resp = userFederation().create(ldapRep);
|
||||
Assert.assertEquals(400, resp.getStatus());
|
||||
resp.close();
|
||||
|
||||
// Invalid filter
|
||||
ldapRep.getConfig().put(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something");
|
||||
resp = userFederation().create(ldapRep);
|
||||
Assert.assertEquals(400, resp.getStatus());
|
||||
resp.close();
|
||||
|
||||
// Invalid filter
|
||||
ldapRep.getConfig().put(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "dc=something)");
|
||||
resp = userFederation().create(ldapRep);
|
||||
Assert.assertEquals(400, resp.getStatus());
|
||||
resp.close();
|
||||
|
||||
// Assert nothing created so far
|
||||
Assert.assertTrue(userFederation().getProviderInstances().isEmpty());
|
||||
assertAdminEvents.assertEmpty();
|
||||
|
||||
|
||||
// Valid filter. Creation success
|
||||
ldapRep.getConfig().put(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something)");
|
||||
String id1 = createUserFederationProvider(ldapRep);
|
||||
|
||||
// Missing filter is ok too. Creation success
|
||||
UserFederationProviderRepresentation ldapRep2 = UserFederationProviderBuilder.create()
|
||||
.displayName("ldap2")
|
||||
.providerName("ldap")
|
||||
.priority(2)
|
||||
.configProperty(LDAPConstants.BIND_DN, "cn=manager")
|
||||
.configProperty(LDAPConstants.BIND_CREDENTIAL, "password")
|
||||
.build();
|
||||
String id2 = createUserFederationProvider(ldapRep2);
|
||||
|
||||
// Assert both providers created
|
||||
List<UserFederationProviderRepresentation> providerInstances = userFederation().getProviderInstances();
|
||||
Assert.assertEquals(providerInstances.size(), 2);
|
||||
assertFederationProvider(providerInstances.get(0), id1, "ldap1", "ldap", 1, -1, -1, -1, LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something)");
|
||||
assertFederationProvider(providerInstances.get(1), id2, "ldap2", "ldap", 2, -1, -1, -1, LDAPConstants.BIND_DN, "cn=manager", LDAPConstants.BIND_CREDENTIAL, "password");
|
||||
|
||||
// Cleanup
|
||||
removeUserFederationProvider(id1);
|
||||
removeUserFederationProvider(id2);
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void testUpdateProvider() {
|
||||
UserFederationProviderRepresentation ldapRep = UserFederationProviderBuilder.create()
|
||||
.providerName("ldap")
|
||||
.priority(2)
|
||||
.configProperty(LDAPConstants.BIND_DN, "cn=manager")
|
||||
.configProperty(LDAPConstants.BIND_CREDENTIAL, "password")
|
||||
.build();
|
||||
String id = createUserFederationProvider(ldapRep);
|
||||
assertFederationProvider(userFederation().get(id).toRepresentation(), id, id, "ldap", 2, -1, -1, -1, LDAPConstants.BIND_DN, "cn=manager", LDAPConstants.BIND_CREDENTIAL, "password");
|
||||
|
||||
// Assert update with invalid filter should fail
|
||||
ldapRep = userFederation().get(id).toRepresentation();
|
||||
ldapRep.setDisplayName("");
|
||||
ldapRep.getConfig().put(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2");
|
||||
ldapRep.getConfig().put(LDAPConstants.BIND_DN, "cn=manager-updated");
|
||||
try {
|
||||
userFederation().get(id).update(ldapRep);
|
||||
Assert.fail("Not expected to successfull update");
|
||||
} catch (BadRequestException bre) {
|
||||
// Expected
|
||||
}
|
||||
|
||||
// Assert nothing was updated
|
||||
assertFederationProvider(userFederation().get(id).toRepresentation(), id, id, "ldap", 2, -1, -1, -1, LDAPConstants.BIND_DN, "cn=manager", LDAPConstants.BIND_CREDENTIAL, "password");
|
||||
|
||||
// Change filter to be valid
|
||||
ldapRep.getConfig().put(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2)");
|
||||
userFederation().get(id).update(ldapRep);
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.userFederationResourcePath(id), ldapRep, ResourceType.USER_FEDERATION_PROVIDER);
|
||||
|
||||
// Assert updated successfully
|
||||
ldapRep = userFederation().get(id).toRepresentation();
|
||||
assertFederationProvider(ldapRep, id, id, "ldap", 2, -1, -1, -1, LDAPConstants.BIND_DN, "cn=manager-updated", LDAPConstants.BIND_CREDENTIAL, "password",
|
||||
LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2)");
|
||||
|
||||
// Assert update displayName
|
||||
ldapRep.setDisplayName("ldap2");
|
||||
userFederation().get(id).update(ldapRep);
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.userFederationResourcePath(id), ldapRep, ResourceType.USER_FEDERATION_PROVIDER);
|
||||
|
||||
assertFederationProvider(userFederation().get(id).toRepresentation(), id, "ldap2", "ldap", 2, -1, -1, -1, LDAPConstants.BIND_DN, "cn=manager-updated", LDAPConstants.BIND_CREDENTIAL, "password",
|
||||
LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(dc=something2)");
|
||||
|
||||
|
||||
|
||||
// Cleanup
|
||||
removeUserFederationProvider(id);
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void testKerberosAuthenticatorEnabledAutomatically() {
|
||||
// Assert kerberos authenticator DISABLED
|
||||
AuthenticationExecutionInfoRepresentation kerberosExecution = findKerberosExecution();
|
||||
Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.DISABLED.toString());
|
||||
|
||||
// create LDAP provider with kerberos
|
||||
UserFederationProviderRepresentation ldapRep = UserFederationProviderBuilder.create()
|
||||
.displayName("ldap2")
|
||||
.providerName("ldap")
|
||||
.priority(2)
|
||||
.configProperty(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "true")
|
||||
.build();
|
||||
String id = createUserFederationProvider(ldapRep);
|
||||
|
||||
// Assert kerberos authenticator ALTERNATIVE
|
||||
kerberosExecution = findKerberosExecution();
|
||||
Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.ALTERNATIVE.toString());
|
||||
|
||||
// Switch kerberos authenticator to DISABLED
|
||||
kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED.toString());
|
||||
realm.flows().updateExecutions("browser", kerberosExecution);
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
|
||||
|
||||
// update LDAP provider with kerberos
|
||||
ldapRep = userFederation().get(id).toRepresentation();
|
||||
userFederation().get(id).update(ldapRep);
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.userFederationResourcePath(id), ldapRep, ResourceType.USER_FEDERATION_PROVIDER);
|
||||
|
||||
// Assert kerberos authenticator ALTERNATIVE
|
||||
kerberosExecution = findKerberosExecution();
|
||||
Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.ALTERNATIVE.toString());
|
||||
|
||||
// Cleanup
|
||||
kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED.toString());
|
||||
realm.flows().updateExecutions("browser", kerberosExecution);
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
|
||||
removeUserFederationProvider(id);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testKerberosAuthenticatorChangedOnlyIfDisabled() {
|
||||
// Change kerberos to REQUIRED
|
||||
AuthenticationExecutionInfoRepresentation kerberosExecution = findKerberosExecution();
|
||||
kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.REQUIRED.toString());
|
||||
realm.flows().updateExecutions("browser", kerberosExecution);
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
|
||||
|
||||
// create LDAP provider with kerberos
|
||||
UserFederationProviderRepresentation ldapRep = UserFederationProviderBuilder.create()
|
||||
.displayName("ldap2")
|
||||
.providerName("ldap")
|
||||
.priority(2)
|
||||
.configProperty(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "true")
|
||||
.build();
|
||||
String id = createUserFederationProvider(ldapRep);
|
||||
|
||||
// Assert kerberos authenticator still REQUIRED
|
||||
kerberosExecution = findKerberosExecution();
|
||||
Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.REQUIRED.toString());
|
||||
|
||||
// update LDAP provider with kerberos
|
||||
ldapRep = userFederation().get(id).toRepresentation();
|
||||
userFederation().get(id).update(ldapRep);
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.userFederationResourcePath(id), ldapRep, ResourceType.USER_FEDERATION_PROVIDER);
|
||||
|
||||
// Assert kerberos authenticator still REQUIRED
|
||||
kerberosExecution = findKerberosExecution();
|
||||
Assert.assertEquals(kerberosExecution.getRequirement(), AuthenticationExecutionModel.Requirement.REQUIRED.toString());
|
||||
|
||||
// Cleanup
|
||||
kerberosExecution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED.toString());
|
||||
realm.flows().updateExecutions("browser", kerberosExecution);
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, AdminEventPaths.authUpdateExecutionPath("browser"), kerberosExecution, ResourceType.AUTH_EXECUTION);
|
||||
removeUserFederationProvider(id);
|
||||
|
||||
}
|
||||
|
||||
|
||||
@Test (expected = NotFoundException.class)
|
||||
public void testLookupNotExistentProvider() {
|
||||
|
@ -342,20 +404,6 @@ public class UserStorageRestTest extends AbstractAdminTest {
|
|||
}
|
||||
|
||||
|
||||
private String createUserFederationProvider(UserFederationProviderRepresentation rep) {
|
||||
Response resp = userFederation().create(rep);
|
||||
Assert.assertEquals(201, resp.getStatus());
|
||||
resp.close();
|
||||
String federationProviderId = ApiUtil.getCreatedId(resp);
|
||||
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.CREATE, AdminEventPaths.userFederationResourcePath(federationProviderId), rep, ResourceType.USER_FEDERATION_PROVIDER);
|
||||
return federationProviderId;
|
||||
}
|
||||
|
||||
private void removeUserFederationProvider(String id) {
|
||||
userFederation().get(id).remove();
|
||||
assertAdminEvents.assertEvent(realmId, OperationType.DELETE, AdminEventPaths.userFederationResourcePath(id), ResourceType.USER_FEDERATION_PROVIDER);
|
||||
}
|
||||
|
||||
private void assertFederationProvider(UserFederationProviderRepresentation rep, String id, String displayName, String providerName,
|
||||
int priority, int fullSyncPeriod, int changeSyncPeriod, int lastSync,
|
||||
|
@ -372,13 +420,5 @@ public class UserStorageRestTest extends AbstractAdminTest {
|
|||
}
|
||||
|
||||
|
||||
private AuthenticationExecutionInfoRepresentation findKerberosExecution() {
|
||||
AuthenticationExecutionInfoRepresentation kerberosExecution = null;
|
||||
List<AuthenticationExecutionInfoRepresentation> executionReps = realm.flows().getExecutions("browser");
|
||||
kerberosExecution = AbstractAuthenticationTest.findExecutionByProvider("auth-spnego", executionReps);
|
||||
|
||||
Assert.assertNotNull(kerberosExecution);
|
||||
return kerberosExecution;
|
||||
}
|
||||
*/
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue