libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

Merge remote-tracking branch 'upstream/master'

Browse source
This commit is contained in:
Bill Burke 2017-01-05 10:52:12 -05:00
commit 4934fe5a8e
33 changed files with 1219 additions and 93 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
examples/demo-template/angular2-product-app/src/main/webapp/app/keycloak.http.ts
View file

@ -47,7 +47,7 @@ export class KeycloakHttp extends Http {
result.subscribe((response) => {
observer.next(response);
observer.complete();
});
}, (err) => observer.error(err));
});
return <Observable<Response>>Observable

24
integration/client-cli/admin-cli/src/main/java/org/keycloak/client/admin/cli/commands/AbstractRequestCmd.java
View file

@ -73,6 +73,8 @@ public abstract class AbstractRequestCmd extends AbstractAuthOptionsCmd {
String file;
String body;
String fields;
boolean printHeaders;
@ -210,6 +212,10 @@ public abstract class AbstractRequestCmd extends AbstractAuthOptionsCmd {
throw new IllegalArgumentException("Options --merge and --no-merge are mutually exclusive");
}
if (body != null && file != null) {
throw new IllegalArgumentException("Options --body and --file are mutually exclusive");
}
if (file == null && attrs.size() > 0 && !noMerge) {
mergeMode = true;
}
@ -222,17 +228,17 @@ public abstract class AbstractRequestCmd extends AbstractAuthOptionsCmd {
// see if Content-Type header is explicitly set to non-json value
Header ctype = headers.get("content-type");
InputStream body = null;
InputStream content = null;
CmdStdinContext<JsonNode> ctx = new CmdStdinContext<>();
if (file != null) {
if (ctype != null && !"application/json".equals(ctype.getValue())) {
if ("-".equals(file)) {
body = System.in;
content = System.in;
} else {
try {
body = new BufferedInputStream(new FileInputStream(file));
content = new BufferedInputStream(new FileInputStream(file));
} catch (FileNotFoundException e) {
throw new RuntimeException("File not found: " + file);
}
@ -240,6 +246,8 @@ public abstract class AbstractRequestCmd extends AbstractAuthOptionsCmd {
} else {
ctx = parseFileOrStdin(file);
}
} else if (body != null) {
content = new ByteArrayInputStream(body.getBytes(Charset.forName("utf-8")));
}
ConfigData config = loadConfig();
@ -304,15 +312,15 @@ public abstract class AbstractRequestCmd extends AbstractAuthOptionsCmd {
}
if (attrs.size() > 0) {
if (body != null) {
if (content != null) {
throw new RuntimeException("Can't set attributes on content of type other than application/json");
}
ctx = mergeAttributes(ctx, MAPPER.createObjectNode(), attrs);
}
if (body == null && ctx.getContent() != null) {
body = new ByteArrayInputStream(ctx.getContent().getBytes(Charset.forName("utf-8")));
if (content == null && ctx.getContent() != null) {
content = new ByteArrayInputStream(ctx.getContent().getBytes(Charset.forName("utf-8")));
}
ReturnFields returnFields = null;
@ -322,7 +330,7 @@ public abstract class AbstractRequestCmd extends AbstractAuthOptionsCmd {
}
// make sure content type is set
if (body != null) {
if (content != null) {
headers.addIfMissing("Content-Type", "application/json");
}
@ -339,7 +347,7 @@ public abstract class AbstractRequestCmd extends AbstractAuthOptionsCmd {
HeadersBodyStatus response;
try {
response = HttpUtil.doRequest(httpVerb, resourceUrl, new HeadersBody(headers, body));
response = HttpUtil.doRequest(httpVerb, resourceUrl, new HeadersBody(headers, content));
} catch (IOException e) {
throw new RuntimeException("HTTP request error: " + e.getMessage(), e);
}

64
integration/client-cli/admin-cli/src/main/java/org/keycloak/client/admin/cli/commands/AddRolesCmd.java
View file

@ -67,6 +67,12 @@ public class AddRolesCmd extends AbstractAuthOptionsCmd {
@Option(name = "gid", description = "Target group's 'id'")
String gid;
@Option(name = "rname", description = "Composite role's 'name'")
String rname;
@Option(name = "rid", description = "Composite role's 'id'")
String rid;
@Option(name = "cclientid", description = "Target client's 'clientId'")
String cclientid;
@ -116,19 +122,31 @@ public class AddRolesCmd extends AbstractAuthOptionsCmd {
}
if (roleNames.isEmpty() && roleIds.isEmpty()) {
throw new IllegalArgumentException("No role specified. Use --rolename or --roleid to specify roles");
throw new IllegalArgumentException("No role to add specified. Use --rolename or --roleid to specify roles to add");
}
if (cid != null && cclientid != null) {
throw new IllegalArgumentException("Incompatible options: --cid and --cclientid are mutually exclusive");
}
if (rid != null && rname != null) {
throw new IllegalArgumentException("Incompatible options: --rid and --rname are mutually exclusive");
}
if (isUserSpecified() && isGroupSpecified()) {
throw new IllegalArgumentException("Incompatible options: --uusername / --uid can't be used at the same time as --gname / --gid / --gpath");
}
if (!isUserSpecified() && !isGroupSpecified()) {
throw new IllegalArgumentException("No user nor group specified. Use --uusername / --uid to specify user or --gname / --gid / --gpath to specify group");
if (isUserSpecified() && isCompositeRoleSpecified()) {
throw new IllegalArgumentException("Incompatible options: --uusername / --uid can't be used at the same time as --rname / --rid");
}
if (isGroupSpecified() && isCompositeRoleSpecified()) {
throw new IllegalArgumentException("Incompatible options: --rname / --rid can't be used at the same time as --gname / --gid / --gpath");
}
if (!isUserSpecified() && !isGroupSpecified() && !isCompositeRoleSpecified()) {
throw new IllegalArgumentException("No user nor group nor composite role specified. Use --uusername / --uid to specify user or --gname / --gid / --gpath to specify group or --rname / --rid to specify a composite role");
}
@ -204,9 +222,32 @@ public class AddRolesCmd extends AbstractAuthOptionsCmd {
GroupOperations.addRealmRoles(adminRoot, realm, auth, gid, new ArrayList<>(rolesToAdd));
}
} else {
} else if (isCompositeRoleSpecified()) {
if (rid == null) {
rid = RoleOperations.getIdFromRoleName(adminRoot, realm, auth, rname);
}
if (isClientSpecified()) {
// list client roles for a composite role
if (cid == null) {
cid = ClientOperations.getIdFromClientId(adminRoot, realm, auth, cclientid);
}
throw new IllegalArgumentException("No user nor group specified. Use --uusername / --uid to specify user or --gname / --gid / --gpath to specify group");
List<ObjectNode> roles = RoleOperations.getClientRoles(adminRoot, realm, cid, auth);
Set<ObjectNode> rolesToAdd = getRoleRepresentations(roleNames, roleIds, new LocalSearch(roles));
// now add all the roles
RoleOperations.addClientRoles(adminRoot, realm, auth, rid, new ArrayList<>(rolesToAdd));
} else {
Set<ObjectNode> rolesToAdd = getRoleRepresentations(roleNames, roleIds,
new LocalSearch(RoleOperations.getRealmRolesAsNodes(adminRoot, realm, auth)));
// now add all the roles
RoleOperations.addRealmRoles(adminRoot, realm, auth, rid, new ArrayList<>(rolesToAdd));
}
} else {
throw new IllegalArgumentException("No user nor group, nor composite role specified. Use --uusername / --uid to specify user or --gname / --gid / --gpath to specify group or --rname / --rid to specify a composite role");
}
return CommandResult.SUCCESS;
@ -257,6 +298,9 @@ public class AddRolesCmd extends AbstractAuthOptionsCmd {
return uid != null || uusername != null;
}
private boolean isCompositeRoleSpecified() {
return rid != null || rname != null;
}
@Override
protected boolean nothingToDo() {
@ -275,9 +319,10 @@ public class AddRolesCmd extends AbstractAuthOptionsCmd {
StringWriter sb = new StringWriter();
PrintWriter out = new PrintWriter(sb);
out.println("Usage: " + CMD + " add-roles (--uusername USERNAME | --uid ID) [--cclientid CLIENT_ID | --cid ID] (--rolename NAME | --roleid ID)+ [ARGUMENTS]");
out.println("Usage: " + CMD + " add-roles (--gname NAME | --gpath PATH | --gid ID) [--cclientid CLIENT_ID | --cid ID] (--rolename NAME | --roleid ID)+ [ARGUMENTS]");
out.println(" " + CMD + " add-roles (--gname NAME | --gpath PATH | --gid ID) [--cclientid CLIENT_ID | --cid ID] (--rolename NAME | --roleid ID)+ [ARGUMENTS]");
out.println(" " + CMD + " add-roles (--rname ROLE_NAME | --rid ROLE_ID) [--cclientid CLIENT_ID | --cid ID] (--rolename NAME | --roleid ID)+ [ARGUMENTS]");
out.println();
out.println("Command to add realm or client roles to a user or group.");
out.println("Command to add realm or client roles to a user, a group or a composite role.");
out.println();
out.println("Use `" + CMD + " config credentials` to establish an authenticated session, or use CREDENTIALS OPTIONS");
out.println("to perform one time authentication.");
@ -285,7 +330,8 @@ public class AddRolesCmd extends AbstractAuthOptionsCmd {
out.println("If client is specified using --cclientid or --cid then roles to add are client roles, otherwise they are realm roles.");
out.println("Either a user, or a group needs to be specified. If user is specified using --uusername or --uid then roles are added");
out.println("to a specific user. If group is specified using --gname, --gpath or --gid then roles are added to a specific group.");
out.println("One or more roles have to be specified using --rolename or --roleid so that they are added to a group or a user.");
out.println("If composite role is specified using --rname or --rid then roles are added to a specific composite role.");
out.println("One or more roles have to be specified using --rolename or --roleid so that they are added to a group, a user or a composite role.");
out.println();
out.println("Arguments:");
out.println();
@ -306,6 +352,8 @@ public class AddRolesCmd extends AbstractAuthOptionsCmd {
out.println(" to use --gid, or --gpath to specify the target group");
out.println(" --gpath Group's 'path' attribute");
out.println(" --gid Group's 'id' attribute");
out.println(" --rname Composite role's 'name' attribute");
out.println(" --rid Composite role's 'id' attribute");
out.println(" --cclientid Client's 'clientId' attribute");
out.println(" --cid Client's 'id' attribute");
out.println(" --rolename Role's 'name' attribute");

22
integration/client-cli/admin-cli/src/main/java/org/keycloak/client/admin/cli/commands/CreateCmd.java
View file

@ -34,9 +34,12 @@ import static org.keycloak.client.admin.cli.util.OsUtil.PROMPT;
@CommandDefinition(name = "create", description = "Command to create new resources")
public class CreateCmd extends AbstractRequestCmd {
@Option(shortName = 'f', name = "file", description = "Read object from file or standard input if FILENAME is set to '-'", hasValue = true)
@Option(shortName = 'f', name = "file", description = "Read object from file or standard input if FILENAME is set to '-'")
String file;
@Option(shortName = 'b', name = "body", description = "JSON object to be sent as-is or used as a template")
String body;
@Option(shortName = 'F', name = "fields", description = "A pattern specifying which attributes of JSON response body to actually display as result - causes mismatch with Content-Length header", hasValue = true)
String fields;
@ -59,6 +62,7 @@ public class CreateCmd extends AbstractRequestCmd {
void initOptions() {
// set options on parent
super.file = file;
super.body = body;
super.fields = fields;
super.printHeaders = printHeaders;
super.returnId = returnId;
@ -69,7 +73,7 @@ public class CreateCmd extends AbstractRequestCmd {
@Override
protected boolean nothingToDo() {
return noOptions() && file == null && (args == null || args.size() == 0);
return noOptions() && file == null && body == null && (args == null || args.size() == 0);
}
protected String suggestHelp() {
@ -109,6 +113,7 @@ public class CreateCmd extends AbstractRequestCmd {
out.println(" -s, --set NAME=VALUE Set a specific attribute NAME to a specified value VALUE");
out.println(" -d, --delete NAME Remove a specific attribute NAME from JSON request body");
out.println(" -f, --file FILENAME Read object from file or standard input if FILENAME is set to '-'");
out.println(" -b, --body CONTENT Content to be sent as-is or used as a JSON object template");
out.println(" -q, --query NAME=VALUE Add to request URI a NAME query parameter with value VALUE");
out.println(" -h, --header NAME=VALUE Set request header NAME to VALUE");
out.println();
@ -153,8 +158,19 @@ public class CreateCmd extends AbstractRequestCmd {
out.println(" EOF");
}
out.println();
out.println("Create a new group using configuration JSON passed as 'body' argument:");
if (OS_ARCH.isWindows()) {
out.println(" " + PROMPT + " " + CMD + " create groups -r demorealm -b \"{ \\\"name\\\": \\\"Admins\\\" }\"");
} else {
out.println(" " + PROMPT + " " + CMD + " create groups -r demorealm -b '{ \"name\": \"Admins\" }'");
}
out.println();
out.println("Create a client using file as a template, and override some attributes - return an 'id' of new client:");
out.println(" " + PROMPT + " " + CMD + " create clients -r demorealm -f my_client.json -s clientId=my_client2 -s 'redirectUris=[\"http://localhost:8980/myapp/*\"]' -i");
if (OS_ARCH.isWindows()) {
out.println(" " + PROMPT + " " + CMD + " create clients -r demorealm -f my_client.json -s clientId=my_client2 -s \"redirectUris=[\\\"http://localhost:8980/myapp/*\\\"]\" -i");
} else {
out.println(" " + PROMPT + " " + CMD + " create clients -r demorealm -f my_client.json -s clientId=my_client2 -s 'redirectUris=[\"http://localhost:8980/myapp/*\"]' -i");
}
out.println();
out.println("Create a new client role for client my_client in realm 'demorealm' (replace ID with output of previous example command):");
out.println(" " + PROMPT + " " + CMD + " create clients/ID/roles -r demorealm -s name=client_role");

1
integration/client-cli/admin-cli/src/main/java/org/keycloak/client/admin/cli/commands/DeleteCmd.java
View file

@ -80,6 +80,7 @@ public class DeleteCmd extends CreateCmd {
out.println(" -s, --set NAME=VALUE Send a body with request - set a specific attribute NAME to a specified value VALUE");
out.println(" -d, --delete NAME Remove a specific attribute NAME from JSON request body");
out.println(" -f, --file FILENAME Send a body with request - read object from file or standard input if FILENAME is set to '-'");
out.println(" -b, --body CONTENT Content to be sent as-is or used as a JSON object template");
out.println(" -q, --query NAME=VALUE Add to request URI a NAME query parameter with value VALUE");
out.println(" -h, --header NAME=VALUE Set request header NAME to VALUE");
out.println();

98
integration/client-cli/admin-cli/src/main/java/org/keycloak/client/admin/cli/commands/GetRolesCmd.java
View file

@ -57,10 +57,10 @@ public class GetRolesCmd extends GetCmd {
@Option(name = "cid", description = "Target client's 'id'")
String cid;
@Option(name = "rolename", description = "Target role's 'name'")
@Option(name = "rname", description = "Composite role's 'name'")
String rname;
@Option(name = "roleid", description = "Target role's 'id'")
@Option(name = "rid", description = "Composite role's 'id'")
String rid;
@Option(name = "gname", description = "Target group's 'name'")
@ -72,6 +72,12 @@ public class GetRolesCmd extends GetCmd {
@Option(name = "gid", description = "Target group's 'id'")
String gid;
@Option(name = "rolename", description = "Target role's 'name'")
String rolename;
@Option(name = "roleid", description = "Target role's 'id'")
String roleid;
@Option(name = "available", description = "List only available roles", hasValue = false)
boolean available;
@ -108,10 +114,14 @@ public class GetRolesCmd extends GetCmd {
throw new IllegalArgumentException("Incompatible options: --gid, --gname and --gpath are mutually exclusive");
}
if (rid != null && rname != null) {
if (roleid != null && rolename != null) {
throw new IllegalArgumentException("Incompatible options: --roleid and --rolename are mutually exclusive");
}
if (rid != null && rname != null) {
throw new IllegalArgumentException("Incompatible options: --rid and --rname are mutually exclusive");
}
if (cid != null && cclientid != null) {
throw new IllegalArgumentException("Incompatible options: --cid and --cclientid are mutually exclusive");
}
@ -120,6 +130,22 @@ public class GetRolesCmd extends GetCmd {
throw new IllegalArgumentException("Incompatible options: --uusername / --uid can't be used at the same time as --gname / --gid / --gpath");
}
if (isUserSpecified() && isCompositeRoleSpecified()) {
throw new IllegalArgumentException("Incompatible options: --uusername / --uid can't be used at the same time as --rname / --rid");
}
if (isGroupSpecified() && isCompositeRoleSpecified()) {
throw new IllegalArgumentException("Incompatible options: --rname / --rid can't be used at the same time as --gname / --gid / --gpath");
}
if (all && effective) {
throw new IllegalArgumentException("Incompatible options: --all can't be used at the same time as --effective");
}
if (all && available) {
throw new IllegalArgumentException("Incompatible options: --all can't be used at the same time as --available");
}
super.processOptions(commandInvocation);
}
@ -167,7 +193,7 @@ public class GetRolesCmd extends GetCmd {
} else if (effective) {
super.url = composeResourceUrl(adminRoot, realm, "users/" + uid + "/role-mappings/realm/composite");
} else {
super.url = composeResourceUrl(adminRoot, realm, "users/" + uid + "/role-mappings/realm");
super.url = composeResourceUrl(adminRoot, realm, "users/" + uid + (all ? "/role-mappings" : "/role-mappings/realm"));
}
}
} else if (isGroupSpecified()) {
@ -195,9 +221,35 @@ public class GetRolesCmd extends GetCmd {
} else if (effective) {
super.url = composeResourceUrl(adminRoot, realm, "groups/" + gid + "/role-mappings/realm/composite");
} else {
super.url = composeResourceUrl(adminRoot, realm, "groups/" + gid + "/role-mappings/realm");
super.url = composeResourceUrl(adminRoot, realm, "groups/" + gid + (all ? "/role-mappings" : "/role-mappings/realm"));
}
}
} else if (isCompositeRoleSpecified()) {
String uri = rname != null ? "roles/" + rname : "roles-by-id/" + rid;
if (isClientSpecified()) {
if (cid == null) {
cid = ClientOperations.getIdFromClientId(adminRoot, realm, auth, cclientid);
}
if (available) {
throw new IllegalArgumentException("Option --available not supported with composite roles. Try '" + CMD + " get-roles --cid " + cid + "' for full list of client roles for that client");
}
if (effective) {
throw new IllegalArgumentException("Option --effective not supported with composite roles.");
}
uri += "/composites/clients/" + cid;
} else {
if (available) {
throw new IllegalArgumentException("Option --available not supported with composite roles. Try '" + CMD + " get-roles' for full list of realm roles");
}
if (effective) {
throw new IllegalArgumentException("Option --effective not supported with composite roles.");
}
uri += all ? "/composites" : "/composites/realm";
}
super.url = composeResourceUrl(adminRoot, realm, uri);
} else if (isClientSpecified()) {
if (cid == null) {
cid = ClientOperations.getIdFromClientId(adminRoot, realm, auth, cclientid);
@ -205,10 +257,10 @@ public class GetRolesCmd extends GetCmd {
if (isRoleSpecified()) {
// get specific client role
if (rname == null) {
rname = RoleOperations.getClientRoleNameFromId(adminRoot, realm, auth, cid, rid);
if (rolename == null) {
rolename = RoleOperations.getClientRoleNameFromId(adminRoot, realm, auth, cid, roleid);
}
super.url = composeResourceUrl(adminRoot, realm, "clients/" + cid + "/roles/" + rname);
super.url = composeResourceUrl(adminRoot, realm, "clients/" + cid + "/roles/" + rolename);
} else {
// list defined client roles
super.url = composeResourceUrl(adminRoot, realm, "clients/" + cid + "/roles");
@ -216,10 +268,10 @@ public class GetRolesCmd extends GetCmd {
} else {
if (isRoleSpecified()) {
// get specific realm role
if (rname == null) {
rname = RoleOperations.getClientRoleNameFromId(adminRoot, realm, auth, cid, rid);
if (rolename == null) {
rolename = RoleOperations.getClientRoleNameFromId(adminRoot, realm, auth, cid, roleid);
}
super.url = composeResourceUrl(adminRoot, realm, "roles/" + rname);
super.url = composeResourceUrl(adminRoot, realm, "roles/" + rolename);
} else {
// list defined realm roles
super.url = composeResourceUrl(adminRoot, realm, "roles");
@ -230,7 +282,7 @@ public class GetRolesCmd extends GetCmd {
}
private boolean isRoleSpecified() {
return rid != null || rname != null;
return roleid != null || rolename != null;
}
private boolean isClientSpecified() {
@ -241,6 +293,10 @@ public class GetRolesCmd extends GetCmd {
return gid != null || gname != null || gpath != null;
}
private boolean isCompositeRoleSpecified() {
return rid != null || rname != null;
}
private boolean isUserSpecified() {
return uid != null || uusername != null;
}
@ -261,10 +317,11 @@ public class GetRolesCmd extends GetCmd {
StringWriter sb = new StringWriter();
PrintWriter out = new PrintWriter(sb);
out.println("Usage: " + CMD + " get-roles [--cclientid CLIENT_ID | --cid ID] [ARGUMENTS]");
out.println("Usage: " + CMD + " get-roles (--uusername USERNAME | --uid ID) [--cclientid CLIENT_ID | --cid ID] [--available | --effective] (ARGUMENTS)");
out.println("Usage: " + CMD + " get-roles (--gname NAME | --gpath PATH | --gid ID) [--cclientid CLIENT_ID | --cid ID] [--available | --effective] [ARGUMENTS]");
out.println(" " + CMD + " get-roles (--uusername USERNAME | --uid ID) [--cclientid CLIENT_ID | --cid ID] [--available | --effective | --all] (ARGUMENTS)");
out.println(" " + CMD + " get-roles (--gname NAME | --gpath PATH | --gid ID) [--cclientid CLIENT_ID | --cid ID] [--available | --effective | --all] [ARGUMENTS]");
out.println(" " + CMD + " get-roles (--rname ROLE_NAME | --rid ROLE_ID) [--cclientid CLIENT_ID | --cid ID] [--available | --effective | --all] [ARGUMENTS]");
out.println();
out.println("Command to list realm or client roles on a realm, user or group.");
out.println("Command to list realm or client roles of a realm, a user, a group or a composite role.");
out.println();
out.println("Use `" + CMD + " config credentials` to establish an authenticated session, or use CREDENTIALS OPTIONS");
out.println("to perform one time authentication.");
@ -272,11 +329,13 @@ public class GetRolesCmd extends GetCmd {
out.println("If client is specified using --cclientid or --cid then client roles are listed, otherwise realm roles are listed.");
out.println("If user is specified using --uusername or --uid then roles are listed for a specific user.");
out.println("If group is specified using --gname, --gpath or --gid then roles are listed for a specific group.");
out.println("If neither user nor group is specified then defined roles are listed for a realm or specific client");
out.println("If composite role is specified --rname or --rid then roles are listed for a specific composite role.");
out.println("If neither user nor group, nor composite role is specified then defined roles are listed for a realm or specific client.");
out.println("If role is specified using --rolename or --roleid then only that specific role is returned.");
out.println("If --available is specified, then only roles not yet added to the target user or group are returned.");
out.println("If --effective is specified, then roles added to the target user or group are transitively resolved and a full");
out.println("set of roles in effect for that user or group is returned.");
out.println("set of roles in effect for that user, group or composite role is returned.");
out.println("If --all is specified, then client roles for all clients are returned in addition to realm roles.");
out.println();
out.println("Arguments:");
out.println();
@ -297,10 +356,15 @@ public class GetRolesCmd extends GetCmd {
out.println(" to use --gid, or --gpath to specify the target group");
out.println(" --gpath Group's 'path' attribute");
out.println(" --gid Group's 'id' attribute");
out.println(" --rname Composite role's 'name' attribute");
out.println(" --rid Composite role's 'id' attribute");
out.println(" --cclientid Client's 'clientId' attribute");
out.println(" --cid Client's 'id' attribute");
out.println(" --rolename Role's 'name' attribute");
out.println(" --roleid Role's 'id' attribute");
out.println(" --available Return available roles - those that can still be added");
out.println(" --effective Return effective roles - transitively taking composite roles into account");
out.println(" --all Return all client roles in addition to realm roles");
out.println(" -a, --admin-root URL URL of Admin REST endpoint root if not default - e.g. http://localhost:8080/auth/admin");
out.println(" -r, --target-realm REALM Target realm to issue requests against if not the one authenticated against");
out.println();

64
integration/client-cli/admin-cli/src/main/java/org/keycloak/client/admin/cli/commands/RemoveRolesCmd.java
View file

@ -67,6 +67,12 @@ public class RemoveRolesCmd extends AbstractAuthOptionsCmd {
@Option(name = "gid", description = "Target group's 'id'")
String gid;
@Option(name = "rname", description = "Composite role's 'name'")
String rname;
@Option(name = "rid", description = "Composite role's 'id'")
String rid;
@Option(name = "cclientid", description = "Target client's 'clientId'")
String cclientid;
@ -116,19 +122,31 @@ public class RemoveRolesCmd extends AbstractAuthOptionsCmd {
}
if (roleNames.isEmpty() && roleIds.isEmpty()) {
throw new IllegalArgumentException("No role specified. Use --rolename or --roleid to specify roles");
throw new IllegalArgumentException("No role to remove specified. Use --rolename or --roleid to specify roles to remove");
}
if (cid != null && cclientid != null) {
throw new IllegalArgumentException("Incompatible options: --cid and --cclientid are mutually exclusive");
}
if (rid != null && rname != null) {
throw new IllegalArgumentException("Incompatible options: --rid and --rname are mutually exclusive");
}
if (isUserSpecified() && isGroupSpecified()) {
throw new IllegalArgumentException("Incompatible options: --uusername / --uid can't be used at the same time as --gname / --gid / --gpath");
}
if (!isUserSpecified() && !isGroupSpecified()) {
throw new IllegalArgumentException("No user nor group specified. Use --uusername / --uid to specify user or --gname / --gid / --gpath to specify group");
if (isUserSpecified() && isCompositeRoleSpecified()) {
throw new IllegalArgumentException("Incompatible options: --uusername / --uid can't be used at the same time as --rname / --rid");
}
if (isGroupSpecified() && isCompositeRoleSpecified()) {
throw new IllegalArgumentException("Incompatible options: --rname / --rid can't be used at the same time as --gname / --gid / --gpath");
}
if (!isUserSpecified() && !isGroupSpecified() && !isCompositeRoleSpecified()) {
throw new IllegalArgumentException("No user nor group nor composite role specified. Use --uusername / --uid to specify user or --gname / --gid / --gpath to specify group or --rname / --rid to specify a composite role");
}
@ -204,9 +222,32 @@ public class RemoveRolesCmd extends AbstractAuthOptionsCmd {
GroupOperations.removeRealmRoles(adminRoot, realm, auth, gid, new ArrayList<>(rolesToAdd));
}
} else {
} else if (isCompositeRoleSpecified()) {
if (rid == null) {
rid = RoleOperations.getIdFromRoleName(adminRoot, realm, auth, rname);
}
if (isClientSpecified()) {
// remove client roles from a role
if (cid == null) {
cid = ClientOperations.getIdFromClientId(adminRoot, realm, auth, cclientid);
}
throw new IllegalArgumentException("No user nor group specified. Use --uusername / --uid to specify user or --gname / --gid / --gpath to specify group");
List<ObjectNode> roles = RoleOperations.getClientRoles(adminRoot, realm, cid, auth);
Set<ObjectNode> rolesToAdd = getRoleRepresentations(roleNames, roleIds, new LocalSearch(roles));
// now remove the roles
RoleOperations.removeClientRoles(adminRoot, realm, auth, rid, new ArrayList<>(rolesToAdd));
} else {
Set<ObjectNode> rolesToAdd = getRoleRepresentations(roleNames, roleIds,
new LocalSearch(RoleOperations.getRealmRolesAsNodes(adminRoot, realm, auth)));
// now remove the roles
RoleOperations.removeRealmRoles(adminRoot, realm, auth, rid, new ArrayList<>(rolesToAdd));
}
} else {
throw new IllegalArgumentException("No user nor group, nor composite role specified. Use --uusername / --uid to specify user or --gname / --gid / --gpath to specify group or --rname / --rid to specify a composite role");
}
return CommandResult.SUCCESS;
@ -257,6 +298,9 @@ public class RemoveRolesCmd extends AbstractAuthOptionsCmd {
return uid != null || uusername != null;
}
private boolean isCompositeRoleSpecified() {
return rid != null || rname != null;
}
@Override
protected boolean nothingToDo() {
@ -275,9 +319,10 @@ public class RemoveRolesCmd extends AbstractAuthOptionsCmd {
StringWriter sb = new StringWriter();
PrintWriter out = new PrintWriter(sb);
out.println("Usage: " + CMD + " remove-roles (--uusername USERNAME | --uid ID) [--cclientid CLIENT_ID | --cid ID] (--rolename NAME | --roleid ID)+ [ARGUMENTS]");
out.println("Usage: " + CMD + " remove-roles (--gname NAME | --gpath PATH | --gid ID) [--cclientid CLIENT_ID | --cid ID] (--rolename NAME | --roleid ID)+ [ARGUMENTS]");
out.println(" " + CMD + " remove-roles (--gname NAME | --gpath PATH | --gid ID) [--cclientid CLIENT_ID | --cid ID] (--rolename NAME | --roleid ID)+ [ARGUMENTS]");
out.println(" " + CMD + " remove-roles (--rname ROLE_NAME | --rid ROLE_ID) [--cclientid CLIENT_ID | --cid ID] (--rolename NAME | --roleid ID)+ [ARGUMENTS]");
out.println();
out.println("Command to remove realm or client roles from a user or group.");
out.println("Command to remove realm or client roles from a user, a group or a composite role.");
out.println();
out.println("Use `" + CMD + " config credentials` to establish an authenticated session, or use CREDENTIALS OPTIONS");
out.println("to perform one time authentication.");
@ -285,7 +330,8 @@ public class RemoveRolesCmd extends AbstractAuthOptionsCmd {
out.println("If client is specified using --cclientid or --cid then roles to remove are client roles, otherwise they are realm roles.");
out.println("Either a user, or a group needs to be specified. If user is specified using --uusername or --uid then roles are removed");
out.println("from a specific user. If group is specified using --gname, --gpath or --gid then roles are removed from a specific group.");
out.println("One or more roles have to be specified using --rolename or --roleid to be removed from a group or a user.");
out.println("If composite role is specified using --rname or --rid then roles are removed from a specific composite role.");
out.println("One or more roles have to be specified using --rolename or --roleid to be removed from a group, a user or a composite role.");
out.println();
out.println("Arguments:");
out.println();
@ -306,6 +352,8 @@ public class RemoveRolesCmd extends AbstractAuthOptionsCmd {
out.println(" to use --gid, or --gpath to specify the target group");
out.println(" --gpath Group's 'path' attribute");
out.println(" --gid Group's 'id' attribute");
out.println(" --rname Composite role's 'name' attribute");
out.println(" --rid Composite role's 'id' attribute");
out.println(" --cclientid Client's 'clientId' attribute");
out.println(" --cid Client's 'id' attribute");
out.println(" --rolename Role's 'name' attribute");

14
integration/client-cli/admin-cli/src/main/java/org/keycloak/client/admin/cli/commands/UpdateCmd.java
View file

@ -26,6 +26,7 @@ import java.io.StringWriter;
import static org.keycloak.client.admin.cli.util.ConfigUtil.DEFAULT_CONFIG_FILE_STRING;
import static org.keycloak.client.admin.cli.util.OsUtil.CMD;
import static org.keycloak.client.admin.cli.util.OsUtil.EOL;
import static org.keycloak.client.admin.cli.util.OsUtil.OS_ARCH;
import static org.keycloak.client.admin.cli.util.OsUtil.PROMPT;
/**
@ -37,6 +38,9 @@ public class UpdateCmd extends AbstractRequestCmd {
@Option(shortName = 'f', name = "file", description = "Read object from file or standard input if FILENAME is set to '-'")
String file;
@Option(shortName = 'b', name = "body", description = "JSON object to be sent as-is or used as a template")
String body;
@Option(shortName = 'F', name = "fields", description = "A pattern specifying which attributes of JSON response body to actually display as result - causes mismatch with Content-Length header")
String fields;
@ -63,6 +67,7 @@ public class UpdateCmd extends AbstractRequestCmd {
void initOptions() {
// set options on parent
super.file = file;
super.body = body;
super.fields = fields;
super.printHeaders = printHeaders;
super.returnId = false;
@ -76,7 +81,7 @@ public class UpdateCmd extends AbstractRequestCmd {
@Override
protected boolean nothingToDo() {
return noOptions() && file == null && (args == null || args.size() == 0);
return noOptions() && file == null && body == null && (args == null || args.size() == 0);
}
protected String suggestHelp() {
@ -117,6 +122,7 @@ public class UpdateCmd extends AbstractRequestCmd {
out.println(" NAME+=VALUE Add item VALUE to list attribute NAME");
out.println(" -d, --delete NAME Remove a specific attribute NAME from JSON request body");
out.println(" -f, --file FILENAME Read object from file or standard input if FILENAME is set to '-'");
out.println(" -b, --body CONTENT Content to be sent as-is or used as a JSON object template");
out.println(" -q, --query NAME=VALUE Add to request URI a NAME query parameter with value VALUE");
out.println(" -h, --header NAME=VALUE Set request header NAME to VALUE");
out.println(" -m, --merge Merge new values with existing configuration on the server");
@ -150,7 +156,11 @@ public class UpdateCmd extends AbstractRequestCmd {
out.println(" " + PROMPT + " " + CMD + " update realms/demorealm -s registrationAllowed=true");
out.println();
out.println("Update a client by overwriting existing configuration using local file as a template (replace ID with client's 'id'):");
out.println(" " + PROMPT + " " + CMD + " update clients/ID -f new_my_client.json -s 'redirectUris=[\"http://localhost:8080/myapp/*\"]'");
if (OS_ARCH.isWindows()) {
out.println(" " + PROMPT + " " + CMD + " update clients/ID -f new_my_client.json -s \"redirectUris=[\\\"http://localhost:8080/myapp/*\\\"]\"");
} else {
out.println(" " + PROMPT + " " + CMD + " update clients/ID -f new_my_client.json -s 'redirectUris=[\"http://localhost:8080/myapp/*\"]'");
}
out.println();
out.println("Update client by fetching current configuration from server and merging with specified changes (replace ID with client's 'id'):");
out.println(" " + PROMPT + " " + CMD + " update clients/ID -f new_my_client.json -s enabled=true --merge");

25
integration/client-cli/admin-cli/src/main/java/org/keycloak/client/admin/cli/operations/RoleOperations.java
View file

@ -23,8 +23,11 @@ import java.util.ArrayList;
import java.util.List;
import static org.keycloak.client.admin.cli.util.HttpUtil.composeResourceUrl;
import static org.keycloak.client.admin.cli.util.HttpUtil.doDeleteJSON;
import static org.keycloak.client.admin.cli.util.HttpUtil.doGetJSON;
import static org.keycloak.client.admin.cli.util.HttpUtil.doPostJSON;
import static org.keycloak.client.admin.cli.util.HttpUtil.getAttrForType;
import static org.keycloak.client.admin.cli.util.HttpUtil.getIdForType;
/**
* @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
@ -34,6 +37,28 @@ public class RoleOperations {
public static class LIST_OF_ROLES extends ArrayList<RoleRepresentation>{};
public static class LIST_OF_NODES extends ArrayList<ObjectNode>{};
public static String getIdFromRoleName(String adminRoot, String realm, String auth, String rname) {
return getIdForType(adminRoot, realm, auth, "roles", "name", rname);
}
public static void addRealmRoles(String rootUrl, String realm, String auth, String roleid, List<?> roles) {
String resourceUrl = composeResourceUrl(rootUrl, realm, "roles-by-id/" + roleid + "/composites");
doPostJSON(resourceUrl, auth, roles);
}
public static void addClientRoles(String rootUrl, String realm, String auth, String roleid, List<?> roles) {
addRealmRoles(rootUrl, realm, auth, roleid, roles);
}
public static void removeRealmRoles(String rootUrl, String realm, String auth, String roleid, List<?> roles) {
String resourceUrl = composeResourceUrl(rootUrl, realm, "roles-by-id/" + roleid + "/composites");
doDeleteJSON(resourceUrl, auth, roles);
}
public static void removeClientRoles(String rootUrl, String realm, String auth, String roleid, List<?> roles) {
removeRealmRoles(rootUrl, realm, auth, roleid, roles);
}
public static String getRoleNameFromId(String adminRoot, String realm, String auth, String rid) {
return getAttrForType(adminRoot, realm, auth, "roles", "id", rid, "name");
}

2
model/jpa/src/main/java/org/keycloak/events/jpa/JpaAdminEventQuery.java
View file

@ -111,7 +111,7 @@ public class JpaAdminEventQuery implements AdminEventQuery {
@Override
public AdminEventQuery resourcePath(String resourcePath) {
Expression<String> rPath = root.get("resourcePath");
predicates.add(cb.like(rPath, "%"+resourcePath+"%"));
predicates.add(cb.like(rPath, resourcePath.replace('*', '%')));
return this;
}

25
saml-core/src/main/java/org/keycloak/saml/common/util/StaxParserUtil.java
View file

@ -239,15 +239,10 @@ public class StaxParserUtil {
* @return
*/
public static XMLEventReader getXMLEventReader(InputStream is) {
XMLInputFactory xmlInputFactory = null;
XMLInputFactory xmlInputFactory;
XMLEventReader xmlEventReader = null;
try {
xmlInputFactory = getXMLInputFactory();
xmlInputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.TRUE);
xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
xmlInputFactory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.TRUE);
xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, Boolean.TRUE);
xmlInputFactory = XML_INPUT_FACTORY.get();
xmlEventReader = xmlInputFactory.createXMLEventReader(is);
} catch (Exception ex) {
throw new RuntimeException(ex);
@ -518,6 +513,13 @@ public class StaxParserUtil {
throw new RuntimeException(logger.parserExpectedEndTag("</" + tag + ">. Found </" + elementTag + ">"));
}
private static final ThreadLocal<XMLInputFactory> XML_INPUT_FACTORY = new ThreadLocal<XMLInputFactory>() {
@Override
protected XMLInputFactory initialValue() {
return getXMLInputFactory();
}
};
private static XMLInputFactory getXMLInputFactory() {
boolean tccl_jaxp = SystemPropertiesUtil.getSystemProperty(GeneralConstants.TCCL_JAXP, "false")
.equalsIgnoreCase("true");
@ -526,7 +528,14 @@ public class StaxParserUtil {
if (tccl_jaxp) {
SecurityActions.setTCCL(StaxParserUtil.class.getClassLoader());
}
return XMLInputFactory.newInstance();
XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance();
xmlInputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.TRUE);
xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
xmlInputFactory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.TRUE);
xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, Boolean.TRUE);
return xmlInputFactory;
} finally {
if (tccl_jaxp) {
SecurityActions.setTCCL(prevTCCL);

10
saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/request/SAML2Request.java
View file

@ -243,7 +243,7 @@ public class SAML2Request {
*
* @throws ConfigurationException
*/
public LogoutRequestType createLogoutRequest(String issuer) throws ConfigurationException {
public static LogoutRequestType createLogoutRequest(String issuer) throws ConfigurationException {
LogoutRequestType lrt = new LogoutRequestType(IDGenerator.create("ID_"), XMLTimeUtil.getIssueInstant());
// Create an issuer
@ -266,7 +266,7 @@ public class SAML2Request {
* @throws ParsingException
* @throws ConfigurationException
*/
public Document convert(RequestAbstractType rat) throws ProcessingException, ConfigurationException, ParsingException {
public static Document convert(RequestAbstractType rat) throws ProcessingException, ConfigurationException, ParsingException {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
SAMLRequestWriter writer = new SAMLRequestWriter(StaxUtil.getXMLStreamWriter(bos));
@ -290,7 +290,7 @@ public class SAML2Request {
* @throws ParsingException
* @throws ConfigurationException
*/
public Document convert(ResponseType responseType) throws ProcessingException, ParsingException, ConfigurationException {
public static Document convert(ResponseType responseType) throws ProcessingException, ParsingException, ConfigurationException {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
SAMLResponseWriter writer = new SAMLResponseWriter(StaxUtil.getXMLStreamWriter(baos));
writer.write(responseType);
@ -307,7 +307,7 @@ public class SAML2Request {
*
* @throws ProcessingException
*/
public void marshall(RequestAbstractType requestType, OutputStream os) throws ProcessingException {
public static void marshall(RequestAbstractType requestType, OutputStream os) throws ProcessingException {
SAMLRequestWriter samlRequestWriter = new SAMLRequestWriter(StaxUtil.getXMLStreamWriter(os));
if (requestType instanceof AuthnRequestType) {
samlRequestWriter.write((AuthnRequestType) requestType);
@ -325,7 +325,7 @@ public class SAML2Request {
*
* @throws ProcessingException
*/
public void marshall(RequestAbstractType requestType, Writer writer) throws ProcessingException {
public static void marshall(RequestAbstractType requestType, Writer writer) throws ProcessingException {
SAMLRequestWriter samlRequestWriter = new SAMLRequestWriter(StaxUtil.getXMLStreamWriter(writer));
if (requestType instanceof AuthnRequestType) {
samlRequestWriter.write((AuthnRequestType) requestType);

4
saml-core/src/test/resources/org/keycloak/saml/processing/core/parsers/saml/saml20-encrypted-signed-redirect-response-two-extensions.xml
View file

@ -2,7 +2,9 @@
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://localhost:8081/auth/realms/saml-demo</saml:Issuer>
<samlp:Extensions>
<kckey:KeyInfo xmlns:kckey="urn:keycloak:ext:key:1.0" MessageSigningKeyId="FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"/>
<what:ever xmlns:what="urn:keycloak:ext:what:1.0" what="ever"/>
<what:ever xmlns:what="urn:keycloak:ext:what:1.0" what="ever">
<nested><element>text contents</element></nested>
</what:ever>
</samlp:Extensions>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

5
server-spi-private/src/main/java/org/keycloak/events/EventType.java
View file

@ -68,6 +68,7 @@ public enum EventType {
REMOVE_TOTP_ERROR(true),
REVOKE_GRANT(true),
REVOKE_GRANT_ERROR(true),
SEND_VERIFY_EMAIL(true),
SEND_VERIFY_EMAIL_ERROR(true),
@ -78,9 +79,12 @@ public enum EventType {
RESET_PASSWORD(true),
RESET_PASSWORD_ERROR(true),
INVALID_SIGNATURE(false),
INVALID_SIGNATURE_ERROR(false),
REGISTER_NODE(false),
REGISTER_NODE_ERROR(false),
UNREGISTER_NODE(false),
UNREGISTER_NODE_ERROR(false),
USER_INFO_REQUEST(false),
USER_INFO_REQUEST_ERROR(false),
@ -96,6 +100,7 @@ public enum EventType {
IDENTITY_PROVIDER_RETRIEVE_TOKEN(false),
IDENTITY_PROVIDER_RETRIEVE_TOKEN_ERROR(false),
IMPERSONATE(true),
IMPERSONATE_ERROR(true),
CUSTOM_REQUIRED_ACTION(true),
CUSTOM_REQUIRED_ACTION_ERROR(true),
EXECUTE_ACTIONS(true),

6
server-spi-private/src/main/java/org/keycloak/events/admin/AdminEventQuery.java
View file

@ -81,11 +81,11 @@ public interface AdminEventQuery {
AdminEventQuery resourceType(ResourceType ... resourceTypes);
/**
* Search by resource path. Supports wildcards <code>*</code> and <code>**</code>. For example:
* Search by resource path. Supports wildcard <code>*</code>. For example:
* <ul>
* <li><b>*&#47;master</b> - matches 'realms/master'</li>
* <li><b>**&#47;00d4b16f</b> - matches 'realms/master/clients/00d4b16f'</li>
* <li><b>realms&#47;master&#47;**</b> - matches anything under 'realms/master'</li>
* <li><b>realms/master&#47;*&#47;00d4b16f</b> - matches 'realms/master/clients/00d4b16f'</li>
* <li><b>realms&#47;master&#47;*</b> - matches anything under 'realms/master'</li>
* </ul>
*
* @param resourcePath

2
services/src/main/java/org/keycloak/authentication/authenticators/resetcred/ResetCredentialChooseUser.java
View file

@ -80,6 +80,8 @@ public class ResetCredentialChooseUser implements Authenticator, AuthenticatorFa
context.failureChallenge(AuthenticationFlowError.INVALID_USER, challenge);
return;
}
username = username.trim();
RealmModel realm = context.getRealm();
UserModel user = context.getSession().users().getUserByUsername(username, realm);

4
services/src/main/java/org/keycloak/services/resources/admin/AuthenticationManagementResource.java
View file

@ -37,6 +37,7 @@ import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredActionProviderModel;
import org.keycloak.models.utils.DefaultAuthenticationFlows;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.provider.ProviderConfigProperty;
@ -186,7 +187,8 @@ public class AuthenticationManagementResource {
List<AuthenticationFlowRepresentation> flows = new LinkedList<>();
for (AuthenticationFlowModel flow : realm.getAuthenticationFlows()) {
if (flow.isTopLevel()) {
// KEYCLOAK-3517, we need a better way to filter non-configurable internal flows
if (flow.isTopLevel() && !flow.getAlias().equals(DefaultAuthenticationFlows.SAML_ECP_FLOW)) {
flows.add(ModelToRepresentation.toRepresentation(realm, flow));
}
}

5
testsuite/integration-arquillian/test-apps/servlets/src/main/java/org/keycloak/testsuite/adapter/servlet/SendUsernameServlet.java
View file

@ -195,7 +195,10 @@ public class SendUsernameServlet {
output += "<br /> friendlyAttribute email: " + principal.getFriendlyAttribute("email");
output += "<br /> phone: " + principal.getAttribute("phone");
output += "<br /> friendlyAttribute phone: " + principal.getFriendlyAttribute("phone");
output += "<br /> hardcoded-attribute: " + principal.getAttribute("hardcoded-attribute");
output += "<br /> hardcoded-attribute: ";
for (String attr : principal.getAttributes("hardcoded-attribute")) {
output += attr + ",";
}
return output;
}

7
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/authentication/InitialFlowsTest.java
View file

@ -196,13 +196,6 @@ public class InitialFlowsTest extends AbstractAuthenticationTest {
addExecInfo(execs, "Reset OTP", "reset-otp", false, 0, 3, OPTIONAL, null, new String[]{REQUIRED, OPTIONAL, DISABLED});
expected.add(new FlowExecutions(flow, execs));
flow = newFlow("saml ecp", "SAML ECP Profile Authentication Flow", "basic-flow", true, true);
addExecExport(flow, null, false, "http-basic-authenticator", false, null, REQUIRED, 10);
execs = new LinkedList<>();
addExecInfo(execs, "HTTP Basic Authentication", "http-basic-authenticator", false, 0, 0, REQUIRED, null, new String[]{});
expected.add(new FlowExecutions(flow, execs));
return expected;
}

4
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/event/AdminEventTest.java
View file

@ -57,9 +57,9 @@ public class AdminEventTest extends AbstractEventTest {
return testRealmResource().getAdminEvents();
}
private void createUser(String username) {
private String createUser(String username) {
UserRepresentation user = createUserRepresentation(username, username + "@foo.com", "foo", "bar", true);
ApiUtil.createUserWithAdminClient(testRealmResource(), user);
return ApiUtil.createUserWithAdminClient(testRealmResource(), user);
}
private void updateRealm() {

2
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/partialimport/PartialImportTest.java
View file

@ -133,7 +133,7 @@ public class PartialImportTest extends AbstractAuthTest {
public void removeClients() {
List<ClientRepresentation> toRemove = testRealmResource().clients().findAll();
for (ClientRepresentation client : toRemove) {
if (client.getName().startsWith(CLIENT_PREFIX)) {
if (client.getName() != null && client.getName().startsWith(CLIENT_PREFIX)) {
testRealmResource().clients().get(client.getId()).remove();
}
}

197
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cli/admin/KcAdmSessionTest.java Normal file
View file

@ -0,0 +1,197 @@
package org.keycloak.testsuite.cli.admin;
import com.fasterxml.jackson.databind.node.ObjectNode;
import org.junit.Assert;
import org.junit.Test;
import org.keycloak.client.admin.cli.config.FileConfigHandler;
import org.keycloak.testsuite.cli.KcAdmExec;
import org.keycloak.testsuite.util.TempFileResource;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.StreamSupport;
import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
import static org.keycloak.testsuite.cli.KcAdmExec.execute;
/**
* @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
*/
public class KcAdmSessionTest extends AbstractAdmCliTest {
static Class<? extends List<ObjectNode>> LIST_OF_JSON = new ArrayList<ObjectNode>() {}.getClass();
@Test
public void test() throws IOException {
FileConfigHandler handler = initCustomConfigFile();
try (TempFileResource configFile = new TempFileResource(handler.getConfigFile())) {
// login as admin
loginAsUser(configFile.getFile(), serverUrl, "master", "admin", "admin");
// create realm
KcAdmExec exe = execute("create realms --config '" + configFile.getName() + "' -s realm=demorealm -s enabled=true");
assertExitCodeAndStreamSizes(exe, 0, 0, 1);
Assert.assertTrue(exe.stderrLines().get(0).startsWith("Created "));
// create user
exe = execute("create users --config '" + configFile.getName() + "' -r demorealm -s username=testuser -s enabled=true -i");
assertExitCodeAndStreamSizes(exe, 0, 1, 0);
String userId = exe.stdoutLines().get(0);
// add realm admin capabilities to user
exe = execute("add-roles --config '" + configFile.getName() + "' -r demorealm --uusername testuser --cclientid realm-management --rolename realm-admin");
assertExitCodeAndStreamSizes(exe, 0, 0, 0);
// set password for the user
exe = execute("set-password --config '" + configFile.getName() + "' -r demorealm --username testuser -p password");
assertExitCodeAndStdErrSize(exe, 0, 0);
// login as testuser
loginAsUser(configFile.getFile(), serverUrl, "demorealm", "testuser", "password");
// get realm roles
exe = execute("get-roles --config '" + configFile.getName() + "'");
assertExitCodeAndStdErrSize(exe, 0, 0);
List<ObjectNode> roles = loadJson(exe.stdout(), LIST_OF_JSON);
Assert.assertTrue("expect two realm roles available", roles.size() == 2);
// create realm role
exe = execute("create roles --config '" + configFile.getName() + "' -s name=testrole -s 'description=Test role' -o");
assertExitCodeAndStdErrSize(exe, 0, 0);
ObjectNode role = loadJson(exe.stdout(), ObjectNode.class);
Assert.assertEquals("testrole", role.get("name").asText());
String roleId = role.get("id").asText();
// get realm roles again
exe = execute("get-roles --config '" + configFile.getName() + "'");
assertExitCodeAndStdErrSize(exe, 0, 0);
roles = loadJson(exe.stdout(), LIST_OF_JSON);
Assert.assertTrue("expect three realm roles available", roles.size() == 3);
// create client
exe = execute("create clients --config '" + configFile.getName() + "' -s clientId=testclient -i");
assertExitCodeAndStreamSizes(exe, 0, 1, 0);
String idOfClient = exe.stdoutLines().get(0);
// create client role
exe = execute("create clients/" + idOfClient + "/roles --config '" + configFile.getName() + "' -s name=clientrole -s 'description=Test client role'");
assertExitCodeAndStreamSizes(exe, 0, 0, 1);
Assert.assertTrue(exe.stderrLines().get(0).startsWith("Created "));
// make sure client role has been created
exe = execute("get-roles --config '" + configFile.getName() + "' --cclientid testclient");
assertExitCodeAndStdErrSize(exe, 0, 0);
roles = loadJson(exe.stdout(), LIST_OF_JSON);
Assert.assertTrue("expect one role", roles.size() == 1);
Assert.assertEquals("clientrole", roles.get(0).get("name").asText());
// add created role to user - we are realm admin so we can add role to ourself
exe = execute("add-roles --config '" + configFile.getName() + "' --uusername testuser --cclientid testclient --rolename clientrole");
assertExitCodeAndStreamSizes(exe, 0, 0, 0);
// make sure the roles have been added
exe = execute("get-roles --config '" + configFile.getName() + "' --uusername testuser --all");
assertExitCodeAndStdErrSize(exe, 0, 0);
ObjectNode node = loadJson(exe.stdout(), ObjectNode.class);
Assert.assertNotNull(node.get("realmMappings"));
List<String> realmMappings = StreamSupport.stream(node.get("realmMappings").spliterator(), false)
.map(o -> o.get("name").asText()).sorted().collect(Collectors.toList());
Assert.assertEquals(Arrays.asList("offline_access", "uma_authorization"), realmMappings);
ObjectNode clientRoles = (ObjectNode) node.get("clientMappings");
//List<String> fields = asSortedList(clientRoles.fieldNames());
List<String> fields = StreamSupport.stream(clientRoles.spliterator(), false)
.map(o -> o.get("client").asText()).sorted().collect(Collectors.toList());
Assert.assertEquals(Arrays.asList("account", "realm-management", "testclient"), fields);
realmMappings = StreamSupport.stream(clientRoles.get("account").get("mappings").spliterator(), false)
.map(o -> o.get("name").asText()).sorted().collect(Collectors.toList());
Assert.assertEquals(Arrays.asList("manage-account", "view-profile"), realmMappings);
realmMappings = StreamSupport.stream(clientRoles.get("realm-management").get("mappings").spliterator(), false)
.map(o -> o.get("name").asText()).sorted().collect(Collectors.toList());
Assert.assertEquals(Arrays.asList("realm-admin"), realmMappings);
realmMappings = StreamSupport.stream(clientRoles.get("testclient").get("mappings").spliterator(), false)
.map(o -> o.get("name").asText()).sorted().collect(Collectors.toList());
Assert.assertEquals(Arrays.asList("clientrole"), realmMappings);
// add a realm role to the user
exe = execute("add-roles --config '" + configFile.getName() + "' --uusername testuser --rolename testrole");
assertExitCodeAndStreamSizes(exe, 0, 0, 0);
// get all roles for the user again
exe = execute("get-roles --config '" + configFile.getName() + "' --uusername testuser --all");
assertExitCodeAndStdErrSize(exe, 0, 0);
node = loadJson(exe.stdout(), ObjectNode.class);
Assert.assertNotNull(node.get("realmMappings"));
realmMappings = StreamSupport.stream(node.get("realmMappings").spliterator(), false)
.map(o -> o.get("name").asText()).sorted().collect(Collectors.toList());
Assert.assertEquals(Arrays.asList("offline_access", "testrole", "uma_authorization"), realmMappings);
// create a group
exe = execute("create groups --config '" + configFile.getName() + "' -s name=TestUsers -i");
assertExitCodeAndStdErrSize(exe, 0, 0);
String groupId = exe.stdoutLines().get(0);
// create a sub-group
exe = execute("create groups/" + groupId + "/children --config '" + configFile.getName() + "' -s name=TestPowerUsers -i");
assertExitCodeAndStdErrSize(exe, 0, 0);
String subGroupId = exe.stdoutLines().get(0);
// add testuser to TestPowerUsers
exe = execute("update users/" + userId + "/groups/" + subGroupId + " --config '" + configFile.getName()
+ "' -s realm=demorealm -s userId=" + userId + " -s groupId=" + subGroupId + " -n");
assertExitCodeAndStreamSizes(exe, 0, 0, 0);
// delete everything
exe = execute("delete groups/" + subGroupId + " --config '" + configFile.getName() + "'");
assertExitCodeAndStreamSizes(exe, 0, 0, 0);
exe = execute("delete groups/" + groupId + " --config '" + configFile.getName() + "'");
assertExitCodeAndStreamSizes(exe, 0, 0, 0);
exe = execute("delete clients/" + idOfClient + " --config '" + configFile.getName() + "'");
assertExitCodeAndStreamSizes(exe, 0, 0, 0);
exe = execute("delete roles/testrole --config '" + configFile.getName() + "'");
assertExitCodeAndStreamSizes(exe, 0, 0, 0);
exe = execute("delete users/" + userId + " --config '" + configFile.getName() + "'");
assertExitCodeAndStreamSizes(exe, 0, 0, 0);
// delete realm as well - using initial master realm session still saved in config file
exe = execute("delete realms/demorealm --config '" + configFile.getName() + "' --realm master");
assertExitCodeAndStreamSizes(exe, 0, 0, 0);
}
}
}

2
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/SAMLClientRegistrationTest.java
View file

@ -57,6 +57,8 @@ public class SAMLClientRegistrationTest extends AbstractClientRegistrationTest {
"https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp/paos",
"https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp/redirect"
)); // No redirect URI for ARTIFACT binding which is unsupported
assertThat(response.getAttributes().get("saml_single_logout_service_url_redirect"), is("https://LoadBalancer-9.siroe.com:3443/federation/SPSloRedirect/metaAlias/sp"));
}
}

13
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/events/AdminEventStoreProviderTest.java
View file

@ -152,12 +152,13 @@ public class AdminEventStoreProviderTest extends AbstractEventsTest {
testing().onAdminEvent(create(oldest, "realmId", OperationType.CREATE, "realmId", "clientId2", "userId", "127.0.0.1", "/admin/realms/master", "error"), false);
testing().onAdminEvent(create("realmId", OperationType.CREATE, "realmId", "clientId", "userId2", "127.0.0.1", "/admin/realms/master", "error"), false);
Assert.assertEquals(6, testing().getAdminEvents(null, null, null, null, null, null, "/admin", null, null, null, null).size());
Assert.assertEquals(6, testing().getAdminEvents(null, null, null, null, null, null, "/realms", null, null, null, null).size());
Assert.assertEquals(6, testing().getAdminEvents(null, null, null, null, null, null, "/master", null, null, null, null).size());
Assert.assertEquals(6, testing().getAdminEvents(null, null, null, null, null, null, "/admin/realms", null, null, null, null).size());
Assert.assertEquals(6, testing().getAdminEvents(null, null, null, null, null, null, "/realms/master", null, null, null, null).size());
Assert.assertEquals(6, testing().getAdminEvents(null, null, null, null, null, null, "/admin/realms/master", null, null, null, null).size());
Assert.assertEquals(6, testing().getAdminEvents(null, null, null, null, null, null, "/admin/*", null, null, null, null).size());
Assert.assertEquals(6, testing().getAdminEvents(null, null, null, null, null, null, "*/realms/*", null, null, null, null).size());
Assert.assertEquals(6, testing().getAdminEvents(null, null, null, null, null, null, "*/master", null, null, null, null).size());
Assert.assertEquals(6, testing().getAdminEvents(null, null, null, null, null, null, "/admin/realms/*", null, null, null, null).size());
Assert.assertEquals(6, testing().getAdminEvents(null, null, null, null, null, null, "*/realms/master", null, null, null, null).size());
Assert.assertEquals(6, testing().getAdminEvents(null, null, null, null, null, null, "/admin/*/master", null, null, null, null).size());
Assert.assertEquals(6, testing().getAdminEvents(null, null, null, null, null, null, "/ad*/*/master", null, null, null, null).size());
}
@Test

11
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/ResetPasswordTest.java
View file

@ -177,6 +177,11 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest {
resetPassword("login-test");
}
@Test
public void resetPasswordWithSpacesInUsername() throws IOException, MessagingException {
resetPassword(" login-test ");
}
@Test
public void resetPasswordCancelChangeUser() throws IOException, MessagingException {
loginPage.open();
@ -224,7 +229,7 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest {
events.expectRequiredAction(EventType.SEND_RESET_PASSWORD)
.user(userId)
.detail(Details.USERNAME, username)
.detail(Details.USERNAME, username.trim())
.detail(Details.EMAIL, "login@test.com")
.session((String)null)
.assertEvent();
@ -241,11 +246,11 @@ public class ResetPasswordTest extends AbstractTestRealmKeycloakTest {
updatePasswordPage.changePassword("resetPassword", "resetPassword");
String sessionId = events.expectRequiredAction(EventType.UPDATE_PASSWORD).user(userId).detail(Details.USERNAME, username).assertEvent().getSessionId();
String sessionId = events.expectRequiredAction(EventType.UPDATE_PASSWORD).user(userId).detail(Details.USERNAME, username.trim()).assertEvent().getSessionId();
assertEquals(RequestType.AUTH_RESPONSE, appPage.getRequestType());
events.expectLogin().user(userId).detail(Details.USERNAME, username).session(sessionId).assertEvent();
events.expectLogin().user(userId).detail(Details.USERNAME, username.trim()).session(sessionId).assertEvent();
oauth.openLogout();

200
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/AuthnRequestNameIdFormatTest.java Normal file
View file

@ -0,0 +1,200 @@
/*
* Copyright 2017 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.saml;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.dom.saml.v2.protocol.NameIDPolicyType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.protocol.saml.SamlConfigAttributes;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.testsuite.AbstractAuthTest;
import org.keycloak.testsuite.util.SamlClient;
import java.io.IOException;
import java.net.URI;
import java.util.List;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriBuilderException;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.hamcrest.Matcher;
import org.junit.Test;
import org.w3c.dom.Document;
import static org.hamcrest.Matchers.*;
import static org.keycloak.testsuite.util.SamlClient.*;
import static org.junit.Assert.assertThat;
import static org.keycloak.testsuite.util.IOUtil.loadRealm;
import static org.keycloak.testsuite.util.Matchers.statusCodeIsHC;
/**
*
* @author hmlnarik
*/
public class AuthnRequestNameIdFormatTest extends AbstractAuthTest {
private static final String REALM_NAME = "demo";
private static final String SAML_ASSERTION_CONSUMER_URL_SALES_POST = "http://localhost:8080/sales-post/";
private static final String SAML_CLIENT_ID_SALES_POST = "http://localhost:8081/sales-post/";
public static SAMLDocumentHolder login(UserRepresentation user, URI samlEndpoint,
Document samlRequest, String relayState, Binding requestBinding, Binding expectedResponseBinding) {
CloseableHttpResponse response = null;
SamlClient.RedirectStrategyWithSwitchableFollowRedirect strategy = new SamlClient.RedirectStrategyWithSwitchableFollowRedirect();
try (CloseableHttpClient client = HttpClientBuilder.create().setRedirectStrategy(strategy).build()) {
HttpClientContext context = HttpClientContext.create();
HttpUriRequest post = requestBinding.createSamlRequest(samlEndpoint, relayState, samlRequest);
response = client.execute(post, context);
assertThat(response, statusCodeIsHC(Response.Status.OK));
String loginPageText = EntityUtils.toString(response.getEntity(), "UTF-8");
response.close();
assertThat(loginPageText, containsString("login"));
HttpUriRequest loginRequest = handleLoginPage(user, loginPageText);
strategy.setRedirectable(false);
response = client.execute(loginRequest, context);
return expectedResponseBinding.extractResponse(response);
} catch (Exception ex) {
throw new RuntimeException(ex);
} finally {
if (response != null) {
EntityUtils.consumeQuietly(response.getEntity());
try { response.close(); } catch (IOException ex) { }
}
}
}
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
testRealms.add(loadRealm("/adapter-test/keycloak-saml/testsaml.json"));
}
public AuthnRequestType createLoginRequestDocument(String issuer, String assertionConsumerURL, String realmName) {
return SamlClient.createLoginRequestDocument(issuer, assertionConsumerURL, getAuthServerSamlEndpoint(realmName));
}
private URI getAuthServerSamlEndpoint(String realm) throws IllegalArgumentException, UriBuilderException {
return RealmsResource
.protocolUrl(UriBuilder.fromUri(getAuthServerRoot()))
.build(realm, SamlProtocol.LOGIN_PROTOCOL);
}
private void testLoginWithNameIdPolicy(Binding requestBinding, Binding responseBinding, NameIDPolicyType nameIDPolicy, Matcher<String> nameIdMatcher) throws Exception {
AuthnRequestType loginRep = createLoginRequestDocument(SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, REALM_NAME);
loginRep.setProtocolBinding(requestBinding.getBindingUri());
loginRep.setNameIDPolicy(nameIDPolicy);
Document samlRequest = SAML2Request.convert(loginRep);
SAMLDocumentHolder res = login(bburkeUser, getAuthServerSamlEndpoint(REALM_NAME), samlRequest, null, requestBinding, responseBinding);
assertThat(res.getSamlObject(), notNullValue());
assertThat(res.getSamlObject(), instanceOf(ResponseType.class));
ResponseType rt = (ResponseType) res.getSamlObject();
assertThat(rt.getAssertions(), not(empty()));
assertThat(rt.getAssertions().get(0).getAssertion().getSubject().getSubType().getBaseID(), instanceOf(NameIDType.class));
NameIDType nameId = (NameIDType) rt.getAssertions().get(0).getAssertion().getSubject().getSubType().getBaseID();
assertThat(nameId.getValue(), nameIdMatcher);
}
@Test
public void testPostLoginNameIdPolicyUnspecified() throws Exception {
NameIDPolicyType nameIdPolicy = new NameIDPolicyType();
nameIdPolicy.setFormat(URI.create(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get()));
testLoginWithNameIdPolicy(Binding.POST, Binding.POST, nameIdPolicy, is("bburke"));
}
@Test
public void testPostLoginNameIdPolicyEmail() throws Exception {
NameIDPolicyType nameIdPolicy = new NameIDPolicyType();
nameIdPolicy.setFormat(URI.create(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get()));
testLoginWithNameIdPolicy(Binding.POST, Binding.POST, nameIdPolicy, is("bburke@redhat.com"));
}
@Test
public void testPostLoginNameIdPolicyPersistent() throws Exception {
NameIDPolicyType nameIdPolicy = new NameIDPolicyType();
nameIdPolicy.setFormat(URI.create(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get()));
testLoginWithNameIdPolicy(Binding.POST, Binding.POST, nameIdPolicy, startsWith("G-"));
}
@Test
public void testPostLoginNoNameIdPolicyUnset() throws Exception {
testLoginWithNameIdPolicy(Binding.POST, Binding.POST, null, is("bburke"));
}
@Test
public void testRedirectLoginNameIdPolicyUnspecified() throws Exception {
NameIDPolicyType nameIdPolicy = new NameIDPolicyType();
nameIdPolicy.setFormat(URI.create(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get()));
testLoginWithNameIdPolicy(Binding.REDIRECT, Binding.REDIRECT, nameIdPolicy, is("bburke"));
}
@Test
public void testRedirectLoginNameIdPolicyEmail() throws Exception {
NameIDPolicyType nameIdPolicy = new NameIDPolicyType();
nameIdPolicy.setFormat(URI.create(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get()));
testLoginWithNameIdPolicy(Binding.REDIRECT, Binding.REDIRECT, nameIdPolicy, is("bburke@redhat.com"));
}
@Test
public void testRedirectLoginNameIdPolicyPersistent() throws Exception {
NameIDPolicyType nameIdPolicy = new NameIDPolicyType();
nameIdPolicy.setFormat(URI.create(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get()));
testLoginWithNameIdPolicy(Binding.REDIRECT, Binding.REDIRECT, nameIdPolicy, startsWith("G-"));
}
@Test
public void testRedirectLoginNoNameIdPolicyUnset() throws Exception {
testLoginWithNameIdPolicy(Binding.REDIRECT, Binding.REDIRECT, null, is("bburke"));
}
@Test
public void testRedirectLoginNoNameIdPolicyForcePostBinding() throws Exception {
ClientsResource clients = adminClient.realm(REALM_NAME).clients();
List<ClientRepresentation> foundClients = clients.findByClientId("http://localhost:8081/sales-post/");
assertThat(foundClients, hasSize(1));
ClientResource clientRes = clients.get(foundClients.get(0).getId());
ClientRepresentation client = clientRes.toRepresentation();
client.getAttributes().put(SamlConfigAttributes.SAML_FORCE_POST_BINDING, "true");
clientRes.update(client);
testLoginWithNameIdPolicy(Binding.REDIRECT, Binding.POST, null, is("bburke"));
}
}

142
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/ConcurrentAuthnRequestTest.java Normal file
View file

@ -0,0 +1,142 @@
/*
* Copyright 2017 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.saml;
import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.testsuite.AbstractAuthTest;
import org.keycloak.testsuite.util.SamlClient;
import java.io.IOException;
import java.net.URI;
import java.util.Collection;
import java.util.LinkedList;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriBuilderException;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.junit.Ignore;
import org.junit.Test;
import org.w3c.dom.Document;
import static org.keycloak.testsuite.util.SamlClient.*;
import static org.keycloak.testsuite.util.IOUtil.loadRealm;
/**
*
* @author hmlnarik
*/
@Ignore
public class ConcurrentAuthnRequestTest extends AbstractAuthTest {
private static final String REALM_NAME = "demo";
private static final String SAML_ASSERTION_CONSUMER_URL_SALES_POST = "http://localhost:8080/sales-post/";
private static final String SAML_CLIENT_ID_SALES_POST = "http://localhost:8081/sales-post/";
public static final int ITERATIONS = 10000;
public static final int CONCURRENT_THREADS = 5;
private static void loginRepeatedly(UserRepresentation user, URI samlEndpoint,
Document samlRequest, String relayState, Binding requestBinding) {
CloseableHttpResponse response = null;
SamlClient.RedirectStrategyWithSwitchableFollowRedirect strategy = new SamlClient.RedirectStrategyWithSwitchableFollowRedirect();
ExecutorService threadPool = Executors.newFixedThreadPool(CONCURRENT_THREADS);
try (CloseableHttpClient client = HttpClientBuilder.create().setRedirectStrategy(strategy).build()) {
HttpUriRequest post = requestBinding.createSamlRequest(samlEndpoint, relayState, samlRequest);
Collection<Callable<Void>> futures = new LinkedList<>();
for (int i = 0; i < ITERATIONS; i ++) {
final int j = i;
Callable<Void> f = () -> {
performLogin(post, samlEndpoint, relayState, samlRequest, response, client, user, strategy);
return null;
};
futures.add(f);
}
threadPool.invokeAll(futures);
} catch (Exception ex) {
throw new RuntimeException(ex);
}
}
public static void performLogin(HttpUriRequest post, URI samlEndpoint, String relayState,
Document samlRequest, CloseableHttpResponse response, final CloseableHttpClient client,
UserRepresentation user,
RedirectStrategyWithSwitchableFollowRedirect strategy) {
try {
HttpClientContext context = HttpClientContext.create();
response = client.execute(post, context);
String loginPageText = EntityUtils.toString(response.getEntity(), "UTF-8");
response.close();
HttpUriRequest loginRequest = handleLoginPage(user, loginPageText);
strategy.setRedirectable(false);
response = client.execute(loginRequest, context);
response.close();
} catch (Exception ex) {
throw new RuntimeException(ex);
} finally {
if (response != null) {
EntityUtils.consumeQuietly(response.getEntity());
try { response.close(); } catch (IOException ex) { }
}
}
}
@Override
public void addTestRealms(List<RealmRepresentation> testRealms) {
testRealms.add(loadRealm("/adapter-test/keycloak-saml/testsaml.json"));
}
public AuthnRequestType createLoginRequestDocument(String issuer, String assertionConsumerURL, String realmName) {
return SamlClient.createLoginRequestDocument(issuer, assertionConsumerURL, getAuthServerSamlEndpoint(realmName));
}
private URI getAuthServerSamlEndpoint(String realm) throws IllegalArgumentException, UriBuilderException {
return RealmsResource
.protocolUrl(UriBuilder.fromUri(getAuthServerRoot()))
.build(realm, SamlProtocol.LOGIN_PROTOCOL);
}
private void testLogin(Binding requestBinding) throws Exception {
AuthnRequestType loginRep = createLoginRequestDocument(SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, REALM_NAME);
Document samlRequest = SAML2Request.convert(loginRep);
loginRepeatedly(bburkeUser, getAuthServerSamlEndpoint(REALM_NAME), samlRequest, null, requestBinding);
}
@Test
public void testConcurrentPostLogins() throws Exception {
testLogin(Binding.POST);
}
}

32
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/Matchers.java
View file

@ -16,12 +16,11 @@
*/
package org.keycloak.testsuite.util;
import org.keycloak.testsuite.util.matchers.ResponseBodyMatcher;
import org.keycloak.testsuite.util.matchers.ResponseHeaderMatcher;
import org.keycloak.testsuite.util.matchers.ResponseStatusCodeMatcher;
import org.keycloak.testsuite.util.matchers.*;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.apache.http.HttpResponse;
import org.hamcrest.Matcher;
/**
@ -48,6 +47,15 @@ public class Matchers {
return new ResponseStatusCodeMatcher(matcher);
}
/**
* Matcher on HTTP status code of a {@link Response} instance (HttpClient variant).
* @param matcher
* @return
*/
public static Matcher<HttpResponse> statusCodeHC(Matcher<? extends Number> matcher) {
return new HttpResponseStatusCodeMatcher(matcher);
}
/**
* Matches when the HTTP status code of a {@link Response} instance is equal to the given code.
* @param expectedStatusCode
@ -57,6 +65,15 @@ public class Matchers {
return new ResponseStatusCodeMatcher(org.hamcrest.Matchers.is(expectedStatusCode.getStatusCode()));
}
/**
* Matches when the HTTP status code of a {@link Response} instance is equal to the given code (HttpClient variant).
* @param expectedStatusCode
* @return
*/
public static Matcher<HttpResponse> statusCodeIsHC(Response.Status expectedStatusCode) {
return new HttpResponseStatusCodeMatcher(org.hamcrest.Matchers.is(expectedStatusCode.getStatusCode()));
}
/**
* Matches when the HTTP status code of a {@link Response} instance is equal to the given code.
* @param expectedStatusCode
@ -66,6 +83,15 @@ public class Matchers {
return new ResponseStatusCodeMatcher(org.hamcrest.Matchers.is(expectedStatusCode));
}
/**
* Matches when the HTTP status code of a {@link Response} instance is equal to the given code (HttpClient variant).
* @param expectedStatusCode
* @return
*/
public static Matcher<HttpResponse> statusCodeIsHC(int expectedStatusCode) {
return new HttpResponseStatusCodeMatcher(org.hamcrest.Matchers.is(expectedStatusCode));
}
/**
* Matches when the HTTP status code of a {@link Response} instance is equal to the given code.
* @param expectedStatusCode

266
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/SamlClient.java Normal file
View file

@ -0,0 +1,266 @@
/*
* Copyright 2017 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.util;
import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.saml.BaseSAML2BindingBuilder;
import org.keycloak.saml.SAMLRequestParser;
import org.keycloak.saml.common.constants.GeneralConstants;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.http.impl.client.LaxRedirectStrategy;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Element;
import org.jsoup.select.Elements;
import org.w3c.dom.Document;
import static org.hamcrest.Matchers.*;
import static org.junit.Assert.assertThat;
import static org.keycloak.testsuite.admin.Users.getPasswordOf;
import static org.keycloak.testsuite.util.Matchers.*;
/**
*
* @author hmlnarik
*/
public class SamlClient {
/**
* SAML bindings and related HttpClient methods.
*/
public enum Binding {
POST {
@Override
public SAMLDocumentHolder extractResponse(CloseableHttpResponse response) throws IOException {
assertThat(response, statusCodeIsHC(Response.Status.OK));
String responsePage = EntityUtils.toString(response.getEntity(), "UTF-8");
response.close();
return extractSamlResponseFromForm(responsePage);
}
@Override
public HttpPost createSamlRequest(URI samlEndpoint, String relayState, Document samlRequest) {
HttpPost post = new HttpPost(samlEndpoint);
List<NameValuePair> parameters = new LinkedList<>();
try {
parameters.add(
new BasicNameValuePair(GeneralConstants.SAML_REQUEST_KEY,
new BaseSAML2BindingBuilder()
.postBinding(samlRequest)
.encoded())
);
} catch (ProcessingException | ConfigurationException | IOException ex) {
throw new RuntimeException(ex);
}
if (relayState != null) {
parameters.add(new BasicNameValuePair(GeneralConstants.RELAY_STATE, relayState));
}
UrlEncodedFormEntity formEntity;
try {
formEntity = new UrlEncodedFormEntity(parameters, "UTF-8");
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
post.setEntity(formEntity);
return post;
}
@Override
public URI getBindingUri() {
return URI.create(JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.get());
}
},
REDIRECT {
@Override
public SAMLDocumentHolder extractResponse(CloseableHttpResponse response) throws IOException {
assertThat(response, statusCodeIsHC(Response.Status.FOUND));
String location = response.getFirstHeader("Location").getValue();
response.close();
return extractSamlResponseFromRedirect(location);
}
@Override
public HttpGet createSamlRequest(URI samlEndpoint, String relayState, Document samlRequest) {
try {
URI requestURI = new BaseSAML2BindingBuilder()
.relayState(relayState)
.redirectBinding(samlRequest)
.requestURI(samlEndpoint.toString());
return new HttpGet(requestURI);
} catch (ProcessingException | ConfigurationException | IOException ex) {
throw new RuntimeException(ex);
}
}
@Override
public URI getBindingUri() {
return URI.create(JBossSAMLURIConstants.SAML_HTTP_REDIRECT_BINDING.get());
}
};
public abstract SAMLDocumentHolder extractResponse(CloseableHttpResponse response) throws IOException;
public abstract HttpUriRequest createSamlRequest(URI samlEndpoint, String relayState, Document samlRequest);
public abstract URI getBindingUri();
}
public static class RedirectStrategyWithSwitchableFollowRedirect extends LaxRedirectStrategy {
public boolean redirectable = true;
@Override
protected boolean isRedirectable(String method) {
return redirectable && super.isRedirectable(method);
}
public void setRedirectable(boolean redirectable) {
this.redirectable = redirectable;
}
}
/**
* Extracts and parses value of SAMLResponse input field of a form present in the given page.
* @param responsePage HTML code of the page
* @return
*/
public static SAMLDocumentHolder extractSamlResponseFromForm(String responsePage) {
org.jsoup.nodes.Document theResponsePage = Jsoup.parse(responsePage);
Elements samlResponses = theResponsePage.select("input[name=SAMLResponse]");
assertThat("Checking uniqueness of SAMLResponse input field in the page", samlResponses, hasSize(1));
Element respElement = samlResponses.first();
return SAMLRequestParser.parseResponsePostBinding(respElement.val());
}
/**
* Extracts and parses value of SAMLResponse query parameter from the given URI.
* @param responseUri
* @return
*/
public static SAMLDocumentHolder extractSamlResponseFromRedirect(String responseUri) {
List<NameValuePair> params = URLEncodedUtils.parse(URI.create(responseUri), "UTF-8");
String samlResponse = null;
for (NameValuePair param : params) {
if ("SAMLResponse".equals(param.getName())) {
assertThat(samlResponse, nullValue());
samlResponse = param.getValue();
}
}
return SAMLRequestParser.parseResponseRedirectBinding(samlResponse);
}
/**
* Prepares a GET/POST request for logging the given user into the given login page. The login page is expected
* to have at least input fields with id "username" and "password".
* @param user
* @param loginPage
* @return
*/
public static HttpUriRequest handleLoginPage(UserRepresentation user, String loginPage) {
String username = user.getUsername();
String password = getPasswordOf(user);
org.jsoup.nodes.Document theLoginPage = Jsoup.parse(loginPage);
List<NameValuePair> parameters = new LinkedList<>();
for (Element form : theLoginPage.getElementsByTag("form")) {
String method = form.attr("method");
String action = form.attr("action");
boolean isPost = method != null && "post".equalsIgnoreCase(method);
for (Element input : form.getElementsByTag("input")) {
if (Objects.equals(input.id(), "username")) {
parameters.add(new BasicNameValuePair(input.attr("name"), username));
} else if (Objects.equals(input.id(), "password")) {
parameters.add(new BasicNameValuePair(input.attr("name"), password));
} else {
parameters.add(new BasicNameValuePair(input.attr("name"), input.val()));
}
}
if (isPost) {
HttpPost res = new HttpPost(action);
UrlEncodedFormEntity formEntity;
try {
formEntity = new UrlEncodedFormEntity(parameters, "UTF-8");
} catch (UnsupportedEncodingException e) {
throw new RuntimeException(e);
}
res.setEntity(formEntity);
return res;
} else {
UriBuilder b = UriBuilder.fromPath(action);
for (NameValuePair parameter : parameters) {
b.queryParam(parameter.getName(), parameter.getValue());
}
return new HttpGet(b.build());
}
}
throw new IllegalArgumentException("Invalid login form: " + loginPage);
}
/**
* Creates a SAML login request document with the given parameters. See SAML &lt;AuthnRequest&gt; description for more details.
* @param issuer
* @param assertionConsumerURL
* @param destination
* @return
*/
public static AuthnRequestType createLoginRequestDocument(String issuer, String assertionConsumerURL, URI destination) {
try {
SAML2Request samlReq = new SAML2Request();
AuthnRequestType loginReq = samlReq.createAuthnRequestType(UUID.randomUUID().toString(), assertionConsumerURL, destination.toString(), issuer);
return loginReq;
} catch (ConfigurationException ex) {
throw new RuntimeException(ex);
}
}
}

47
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/matchers/HttpResponseStatusCodeMatcher.java Normal file
View file

@ -0,0 +1,47 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.util.matchers;
import javax.ws.rs.core.Response;
import org.apache.http.HttpResponse;
import org.hamcrest.BaseMatcher;
import org.hamcrest.Description;
import org.hamcrest.Matcher;
/**
* Matcher for matching status code of {@link Response} instance.
* @author hmlnarik
*/
public class HttpResponseStatusCodeMatcher extends BaseMatcher<HttpResponse> {
private final Matcher<? extends Number> matcher;
public HttpResponseStatusCodeMatcher(Matcher<? extends Number> matcher) {
this.matcher = matcher;
}
@Override
public boolean matches(Object item) {
return (item instanceof HttpResponse) && this.matcher.matches(((HttpResponse) item).getStatusLine().getStatusCode());
}
@Override
public void describeTo(Description description) {
description.appendText("response status code matches ").appendDescriptionOf(this.matcher);
}
}

8
testsuite/integration-arquillian/tests/other/console/src/main/java/org/keycloak/testsuite/console/page/authentication/PasswordPolicy.java
View file

@ -50,7 +50,9 @@ public class PasswordPolicy extends Authentication {
public void removePolicy(Type policy) {
getPolicyRow(policy).findElement(By.cssSelector("td.kc-action-cell")).click();
primaryButton.click();
if (primaryButton.isEnabled()) {
primaryButton.click();
}
waitForPageToLoad(driver);
}
@ -60,7 +62,9 @@ public class PasswordPolicy extends Authentication {
public void editPolicy(Type policy, String value) {
setPolicyValue(policy, value);
primaryButton.click();
if (primaryButton.isEnabled()) {
primaryButton.click();
}
waitForPageToLoad(driver);
}

2
themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
View file

@ -821,7 +821,7 @@ resource-types=Resource Types
select-operations.placeholder=Select operations...
select-resource-types.placeholder=Select resource types...
resource-path=Resource Path
resource-path.tooltip=Filter by resource path. Supports wildcards '*' to match a single part of the path and '**' matches multiple parts. For example 'realms/*/clients/asbc' matches client with id asbc in any realm, while or 'realms/master/**' matches anything in the master realm.
resource-path.tooltip=Filter by resource path. Supports wildcard '*' (for example 'users/*').
date-(from)=Date (From)
date-(to)=Date (To)
authentication-details=Authentication Details

2
themes/src/main/resources/theme/base/admin/resources/js/controllers/users.js
View file

@ -1228,7 +1228,7 @@ module.controller('LDAPUserStorageCtrl', function($scope, $location, Notificatio
$scope.cancel = function() {
if ($scope.create) {
$location.url("/realms/" + realm.realm + "/user-storage");
$location.url("/realms/" + realm.realm + "/user-federation");
} else {
$route.reload();
}