From 28748ebf3fba39a735fd70cacf926c640b2a6bd5 Mon Sep 17 00:00:00 2001
From: Martin Reinhardt <contact@martinreinhardt-online.de>
Date: Thu, 8 Aug 2019 07:20:36 +0200
Subject: [PATCH] [KEYCLOAK-6376] Fix NPE and test setup

---
 .../browser/ConditionalOtpFormAuthenticator.java     |  6 ++++--
 .../account/custom/CustomAuthFlowOTPTest.java        | 12 +++++++-----
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/ConditionalOtpFormAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/ConditionalOtpFormAuthenticator.java
index 8b1c01e0a4..f532f7a122 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/ConditionalOtpFormAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/ConditionalOtpFormAuthenticator.java
@@ -278,8 +278,10 @@ public class ConditionalOtpFormAuthenticator extends OTPFormAuthenticator {
         }
 
         RoleModel role = getRoleFromString(realm, roleName);
-
-        return user.hasRole(role);
+        if (role != null) {
+            return user.hasRole(role);
+        }
+        return false;
     }
 
     private boolean isOTPRequired(KeycloakSession session, RealmModel realm, UserModel user) {
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/custom/CustomAuthFlowOTPTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/custom/CustomAuthFlowOTPTest.java
index b795111c07..8bc675133b 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/custom/CustomAuthFlowOTPTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/custom/CustomAuthFlowOTPTest.java
@@ -340,11 +340,11 @@ public class CustomAuthFlowOTPTest extends AbstractCustomAccountManagementTest {
 
         setConditionalOTPForm(config);
 
-        //create role
+        //create otp group with role included
         GroupRepresentation group = getOrCreateOTPRoleInGroup();
 
         //add group to user
-        testRealmResource().users().get(testUser.getId()).groups().add(group);
+        testRealmResource().users().get(testUser.getId()).joinGroup(group.getId());
 
         //test OTP is required
         testRealmAccountManagementPage.navigateTo();
@@ -374,12 +374,14 @@ public class CustomAuthFlowOTPTest extends AbstractCustomAccountManagementTest {
         try {
             return testRealmResource().groups().groups("otp_group",0,1).get(0);
         } catch (NotFoundException | IndexOutOfBoundsException ex ) {
-            RoleRepresentation role = this.getOrCreateOTPRole();
             GroupRepresentation group = new GroupRepresentation();
             group.setName("otp_group");
-            group.setRealmRoles(Arrays.asList("otp_role"));
-            testRealmResource().groups().add(group);
+            RoleRepresentation role  = getOrCreateOTPRole();
+             testRealmResource().groups().add(group);
             //obtain id
+            GroupRepresentation groupRep = testRealmResource().groups().groups("otp_group",0,1).get(0);
+            testRealmResource().groups().group(groupRep.getId()).roles().realmLevel().add(Arrays.asList(role));
+            //reread
             return testRealmResource().groups().groups("otp_group",0,1).get(0);
         }
     }