libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

rev

Browse source
This commit is contained in:
Bill Burke 2017-10-10 09:09:51 -04:00
commit 5bd4ea30ad
88 changed files with 2066 additions and 706 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
adapters/oidc/js/src/main/resources/keycloak.js
View file

@ -50,7 +50,7 @@
} else if (initOptions && initOptions.adapter === 'default') { } else if (initOptions && initOptions.adapter === 'default') {
adapter = loadAdapter(); adapter = loadAdapter();
} else { } else {
if (window.Cordova) { if (window.Cordova || window.cordova) {
adapter = loadAdapter('cordova'); adapter = loadAdapter('cordova');
} else { } else {
adapter = loadAdapter(); adapter = loadAdapter();
@ -948,7 +948,14 @@
if (type == 'cordova') { if (type == 'cordova') {
loginIframe.enable = false; loginIframe.enable = false;
var cordovaOpenWindowWrapper = function(loginUrl, target, options) {
if (window.cordova && window.cordova.InAppBrowser) {
// Use inappbrowser for IOS and Android if available
return window.cordova.InAppBrowser.open(loginUrl, target, options);
} else {
return window.open(loginUrl, target, options);
}
};
return { return {
login: function(options) { login: function(options) {
var promise = createPromise(); var promise = createPromise();
@ -959,8 +966,7 @@
} }
var loginUrl = kc.createLoginUrl(options); var loginUrl = kc.createLoginUrl(options);
var ref = window.open(loginUrl, '_blank', o); var ref = cordovaOpenWindowWrapper(loginUrl, '_blank', o);
var completed = false; var completed = false;
ref.addEventListener('loadstart', function(event) { ref.addEventListener('loadstart', function(event) {
@ -993,7 +999,7 @@
var promise = createPromise(); var promise = createPromise();
var logoutUrl = kc.createLogoutUrl(options); var logoutUrl = kc.createLogoutUrl(options);
var ref = window.open(logoutUrl, '_blank', 'location=no,hidden=yes'); var ref = cordovaOpenWindowWrapper(logoutUrl, '_blank', 'location=no,hidden=yes');
var error; var error;
@ -1026,7 +1032,7 @@
register : function() { register : function() {
var registerUrl = kc.createRegisterUrl(); var registerUrl = kc.createRegisterUrl();
var ref = window.open(registerUrl, '_blank', 'location=no'); var ref = cordovaOpenWindowWrapper(registerUrl, '_blank', 'location=no');
ref.addEventListener('loadstart', function(event) { ref.addEventListener('loadstart', function(event) {
if (event.url.indexOf('http://localhost') == 0) { if (event.url.indexOf('http://localhost') == 0) {
ref.close(); ref.close();
@ -1036,7 +1042,7 @@
accountManagement : function() { accountManagement : function() {
var accountUrl = kc.createAccountUrl(); var accountUrl = kc.createAccountUrl();
var ref = window.open(accountUrl, '_blank', 'location=no'); var ref = cordovaOpenWindowWrapper(accountUrl, '_blank', 'location=no');
ref.addEventListener('loadstart', function(event) { ref.addEventListener('loadstart', function(event) {
if (event.url.indexOf('http://localhost') == 0) { if (event.url.indexOf('http://localhost') == 0) {
ref.close(); ref.close();

25
core/src/test/java/org/keycloak/RSAVerifierTest.java
View file

@ -28,6 +28,7 @@ import org.keycloak.common.VerificationException;
import org.keycloak.common.util.Time; import org.keycloak.common.util.Time;
import org.keycloak.jose.jws.JWSBuilder; import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessToken;
import org.keycloak.util.JsonSerialization;
import org.keycloak.util.TokenUtil; import org.keycloak.util.TokenUtil;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
@ -126,28 +127,28 @@ public class RSAVerifierTest {
return RSATokenVerifier.verifyToken(encoded, idpPair.getPublic(), "http://localhost:8080/auth/realm"); return RSATokenVerifier.verifyToken(encoded, idpPair.getPublic(), "http://localhost:8080/auth/realm");
} }
/*
@Test // @Test
public void testSpeed() throws Exception public void testSpeed() throws Exception
{ {
// Took 44 seconds with 50000 iterations
byte[] tokenBytes = JsonSerialization.toByteArray(token, false); byte[] tokenBytes = JsonSerialization.writeValueAsBytes(token);
String encoded = new JWSBuilder()
.content(tokenBytes)
.rsa256(idpPair.getPrivate());
long start = System.currentTimeMillis(); long start = System.currentTimeMillis();
int count = 10000; int count = 50000;
for (int i = 0; i < count; i++) for (int i = 0; i < count; i++)
{ {
SkeletonKeyTokenVerification v = RSATokenVerifier.verify(null, encoded, metadata); String encoded = new JWSBuilder()
.content(tokenBytes)
.rsa256(idpPair.getPrivate());
verifySkeletonKeyToken(encoded);
} }
long end = System.currentTimeMillis() - start; long end = System.currentTimeMillis() - start;
System.out.println("rate: " + ((double)end/(double)count)); System.out.println("took: " + end);
} }
*/
@Test @Test

2
core/src/test/java/org/keycloak/jose/JWETest.java
View file

@ -94,7 +94,7 @@ public class JWETest {
} }
// @Test //@Test
public void testPerfDirect() throws Exception { public void testPerfDirect() throws Exception {
int iterations = 50000; int iterations = 50000;

15
model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/InfinispanActionTokenStoreProvider.java
View file

@ -16,6 +16,7 @@
*/ */
package org.keycloak.models.sessions.infinispan; package org.keycloak.models.sessions.infinispan;
import org.jboss.logging.Logger;
import org.keycloak.cluster.ClusterProvider; import org.keycloak.cluster.ClusterProvider;
import org.keycloak.common.util.Time; import org.keycloak.common.util.Time;
import org.keycloak.models.*; import org.keycloak.models.*;
@ -33,6 +34,8 @@ import org.infinispan.Cache;
*/ */
public class InfinispanActionTokenStoreProvider implements ActionTokenStoreProvider { public class InfinispanActionTokenStoreProvider implements ActionTokenStoreProvider {
private static final Logger LOG = Logger.getLogger(InfinispanActionTokenStoreProvider.class);
private final Cache<ActionTokenReducedKey, ActionTokenValueEntity> actionKeyCache; private final Cache<ActionTokenReducedKey, ActionTokenValueEntity> actionKeyCache;
private final InfinispanKeycloakTransaction tx; private final InfinispanKeycloakTransaction tx;
private final KeycloakSession session; private final KeycloakSession session;
@ -58,6 +61,8 @@ public class InfinispanActionTokenStoreProvider implements ActionTokenStoreProvi
ActionTokenReducedKey tokenKey = new ActionTokenReducedKey(key.getUserId(), key.getActionId(), key.getActionVerificationNonce()); ActionTokenReducedKey tokenKey = new ActionTokenReducedKey(key.getUserId(), key.getActionId(), key.getActionVerificationNonce());
ActionTokenValueEntity tokenValue = new ActionTokenValueEntity(notes); ActionTokenValueEntity tokenValue = new ActionTokenValueEntity(notes);
LOG.debugf("Adding used action token to actionTokens cache: %s", tokenKey.toString());
this.tx.put(actionKeyCache, tokenKey, tokenValue, key.getExpiration() - Time.currentTime(), TimeUnit.SECONDS); this.tx.put(actionKeyCache, tokenKey, tokenValue, key.getExpiration() - Time.currentTime(), TimeUnit.SECONDS);
} }
@ -68,7 +73,15 @@ public class InfinispanActionTokenStoreProvider implements ActionTokenStoreProvi
} }
ActionTokenReducedKey key = new ActionTokenReducedKey(actionTokenKey.getUserId(), actionTokenKey.getActionId(), actionTokenKey.getActionVerificationNonce()); ActionTokenReducedKey key = new ActionTokenReducedKey(actionTokenKey.getUserId(), actionTokenKey.getActionId(), actionTokenKey.getActionVerificationNonce());
return this.actionKeyCache.getAdvancedCache().get(key);
ActionTokenValueModel value = this.actionKeyCache.getAdvancedCache().get(key);
if (value == null) {
LOG.debugf("Not found any value in actionTokens cache for key: %s", key.toString());
} else {
LOG.debugf("Found value in actionTokens cache for key: %s", key.toString());
}
return value;
} }
@Override @Override

5
model/infinispan/src/main/java/org/keycloak/models/sessions/infinispan/entities/ActionTokenValueEntity.java
View file

@ -45,6 +45,11 @@ public class ActionTokenValueEntity implements ActionTokenValueModel {
return notes.get(name); return notes.get(name);
} }
@Override
public String toString() {
return String.format("ActionTokenValueEntity [ notes=%s ]", notes.toString());
}
public static class ExternalizerImpl implements Externalizer<ActionTokenValueEntity> { public static class ExternalizerImpl implements Externalizer<ActionTokenValueEntity> {
private static final int VERSION_1 = 1; private static final int VERSION_1 = 1;

1
pom.xml
View file

@ -1433,6 +1433,7 @@
<configuration> <configuration>
<forkMode>once</forkMode> <forkMode>once</forkMode>
<argLine>${surefire.memory.settings}</argLine> <argLine>${surefire.memory.settings}</argLine>
<argLine>-Djava.awt.headless=true</argLine>
</configuration> </configuration>
</plugin> </plugin>
<plugin> <plugin>

3
server-spi-private/src/main/java/org/keycloak/forms/login/LoginFormsProvider.java
View file

@ -22,6 +22,7 @@ import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage; import org.keycloak.models.utils.FormMessage;
import org.keycloak.provider.Provider; import org.keycloak.provider.Provider;
import org.keycloak.sessions.AuthenticationSessionModel;
import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
@ -74,6 +75,8 @@ public interface LoginFormsProvider extends Provider {
public Response createOAuthGrant(); public Response createOAuthGrant();
public Response createCode(); public Response createCode();
public LoginFormsProvider setAuthenticationSession(AuthenticationSessionModel authenticationSession);
public LoginFormsProvider setClientSessionCode(String accessCode); public LoginFormsProvider setClientSessionCode(String accessCode);

20
services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java
View file

@ -469,6 +469,7 @@ public class AuthenticationProcessor {
String accessCode = generateAccessCode(); String accessCode = generateAccessCode();
URI action = getActionUrl(accessCode); URI action = getActionUrl(accessCode);
LoginFormsProvider provider = getSession().getProvider(LoginFormsProvider.class) LoginFormsProvider provider = getSession().getProvider(LoginFormsProvider.class)
.setAuthenticationSession(getAuthenticationSession())
.setUser(getUser()) .setUser(getUser())
.setActionUri(action) .setActionUri(action)
.setExecution(getExecution().getId()) .setExecution(getExecution().getId())
@ -609,25 +610,25 @@ public class AuthenticationProcessor {
if (e.getError() == AuthenticationFlowError.INVALID_USER) { if (e.getError() == AuthenticationFlowError.INVALID_USER) {
ServicesLogger.LOGGER.failedAuthentication(e); ServicesLogger.LOGGER.failedAuthentication(e);
event.error(Errors.USER_NOT_FOUND); event.error(Errors.USER_NOT_FOUND);
return ErrorPage.error(session, Messages.INVALID_USER); return ErrorPage.error(session, authenticationSession, Messages.INVALID_USER);
} else if (e.getError() == AuthenticationFlowError.USER_DISABLED) { } else if (e.getError() == AuthenticationFlowError.USER_DISABLED) {
ServicesLogger.LOGGER.failedAuthentication(e); ServicesLogger.LOGGER.failedAuthentication(e);
event.error(Errors.USER_DISABLED); event.error(Errors.USER_DISABLED);
return ErrorPage.error(session, Messages.ACCOUNT_DISABLED); return ErrorPage.error(session,authenticationSession, Messages.ACCOUNT_DISABLED);
} else if (e.getError() == AuthenticationFlowError.USER_TEMPORARILY_DISABLED) { } else if (e.getError() == AuthenticationFlowError.USER_TEMPORARILY_DISABLED) {
ServicesLogger.LOGGER.failedAuthentication(e); ServicesLogger.LOGGER.failedAuthentication(e);
event.error(Errors.USER_TEMPORARILY_DISABLED); event.error(Errors.USER_TEMPORARILY_DISABLED);
return ErrorPage.error(session, Messages.INVALID_USER); return ErrorPage.error(session,authenticationSession, Messages.INVALID_USER);
} else if (e.getError() == AuthenticationFlowError.INVALID_CLIENT_SESSION) { } else if (e.getError() == AuthenticationFlowError.INVALID_CLIENT_SESSION) {
ServicesLogger.LOGGER.failedAuthentication(e); ServicesLogger.LOGGER.failedAuthentication(e);
event.error(Errors.INVALID_CODE); event.error(Errors.INVALID_CODE);
return ErrorPage.error(session, Messages.INVALID_CODE); return ErrorPage.error(session, authenticationSession, Messages.INVALID_CODE);
} else if (e.getError() == AuthenticationFlowError.EXPIRED_CODE) { } else if (e.getError() == AuthenticationFlowError.EXPIRED_CODE) {
ServicesLogger.LOGGER.failedAuthentication(e); ServicesLogger.LOGGER.failedAuthentication(e);
event.error(Errors.EXPIRED_CODE); event.error(Errors.EXPIRED_CODE);
return ErrorPage.error(session, Messages.EXPIRED_CODE); return ErrorPage.error(session, authenticationSession, Messages.EXPIRED_CODE);
} else if (e.getError() == AuthenticationFlowError.FORK_FLOW) { } else if (e.getError() == AuthenticationFlowError.FORK_FLOW) {
ForkFlowException reset = (ForkFlowException)e; ForkFlowException reset = (ForkFlowException)e;
@ -654,13 +655,13 @@ public class AuthenticationProcessor {
} else { } else {
ServicesLogger.LOGGER.failedAuthentication(e); ServicesLogger.LOGGER.failedAuthentication(e);
event.error(Errors.INVALID_USER_CREDENTIALS); event.error(Errors.INVALID_USER_CREDENTIALS);
return ErrorPage.error(session, Messages.INVALID_USER); return ErrorPage.error(session, authenticationSession, Messages.INVALID_USER);
} }
} else { } else {
ServicesLogger.LOGGER.failedAuthentication(failure); ServicesLogger.LOGGER.failedAuthentication(failure);
event.error(Errors.INVALID_USER_CREDENTIALS); event.error(Errors.INVALID_USER_CREDENTIALS);
return ErrorPage.error(session, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST); return ErrorPage.error(session, authenticationSession, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST);
} }
} }
@ -885,7 +886,7 @@ public class AuthenticationProcessor {
if (!authSession.getAuthenticatedUser().equals(userSession.getUser())) { if (!authSession.getAuthenticatedUser().equals(userSession.getUser())) {
event.detail(Details.EXISTING_USER, userSession.getUser().getId()); event.detail(Details.EXISTING_USER, userSession.getUser().getId());
event.error(Errors.DIFFERENT_USER_AUTHENTICATED); event.error(Errors.DIFFERENT_USER_AUTHENTICATED);
throw new ErrorPageException(session, Messages.DIFFERENT_USER_AUTHENTICATED, userSession.getUser().getUsername()); throw new ErrorPageException(session, authSession, Messages.DIFFERENT_USER_AUTHENTICATED, userSession.getUser().getUsername());
} }
} }
userSession.setState(UserSessionModel.State.LOGGED_IN); userSession.setState(UserSessionModel.State.LOGGED_IN);
@ -921,7 +922,8 @@ public class AuthenticationProcessor {
if (!authenticatedUser.isEnabled()) throw new AuthenticationFlowException(AuthenticationFlowError.USER_DISABLED); if (!authenticatedUser.isEnabled()) throw new AuthenticationFlowException(AuthenticationFlowError.USER_DISABLED);
if (realm.isBruteForceProtected() && !realm.isPermanentLockout()) { if (realm.isBruteForceProtected() && !realm.isPermanentLockout()) {
if (getBruteForceProtector().isTemporarilyDisabled(session, realm, authenticatedUser)) { if (getBruteForceProtector().isTemporarilyDisabled(session, realm, authenticatedUser)) {
throw new AuthenticationFlowException(AuthenticationFlowError.USER_TEMPORARILY_DISABLED); getEvent().error(Errors.RESET_CREDENTIAL_DISABLED);
ServicesLogger.LOGGER.passwordResetFailed(new AuthenticationFlowException(AuthenticationFlowError.USER_TEMPORARILY_DISABLED));
} }
} }
} }

1
services/src/main/java/org/keycloak/authentication/FormAuthenticationFlow.java
View file

@ -269,6 +269,7 @@ public class FormAuthenticationFlow implements AuthenticationFlow {
String code = processor.generateCode(); String code = processor.generateCode();
URI actionUrl = getActionUrl(executionId, code); URI actionUrl = getActionUrl(executionId, code);
LoginFormsProvider form = processor.getSession().getProvider(LoginFormsProvider.class) LoginFormsProvider form = processor.getSession().getProvider(LoginFormsProvider.class)
.setAuthenticationSession(processor.getAuthenticationSession())
.setActionUri(actionUrl) .setActionUri(actionUrl)
.setExecution(executionId) .setExecution(executionId)
.setClientSessionCode(code) .setClientSessionCode(code)

1
services/src/main/java/org/keycloak/authentication/RequiredActionContextResult.java
View file

@ -166,6 +166,7 @@ public class RequiredActionContextResult implements RequiredActionContext {
String accessCode = generateCode(); String accessCode = generateCode();
URI action = getActionUrl(accessCode); URI action = getActionUrl(accessCode);
LoginFormsProvider provider = getSession().getProvider(LoginFormsProvider.class) LoginFormsProvider provider = getSession().getProvider(LoginFormsProvider.class)
.setAuthenticationSession(getAuthenticationSession())
.setUser(getUser()) .setUser(getUser())
.setActionUri(action) .setActionUri(action)
.setExecution(getExecution()) .setExecution(getExecution())

1
services/src/main/java/org/keycloak/authentication/actiontoken/execactions/ExecuteActionsActionTokenHandler.java
View file

@ -80,6 +80,7 @@ public class ExecuteActionsActionTokenHandler extends AbstractActionTokenHander<
String confirmUri = builder.build(realm.getName()).toString(); String confirmUri = builder.build(realm.getName()).toString();
return session.getProvider(LoginFormsProvider.class) return session.getProvider(LoginFormsProvider.class)
.setAuthenticationSession(authSession)
.setSuccess(Messages.CONFIRM_EXECUTION_OF_ACTIONS) .setSuccess(Messages.CONFIRM_EXECUTION_OF_ACTIONS)
.setAttribute(Constants.TEMPLATE_ATTR_ACTION_URI, confirmUri) .setAttribute(Constants.TEMPLATE_ATTR_ACTION_URI, confirmUri)
.setAttribute(Constants.TEMPLATE_ATTR_REQUIRED_ACTIONS, token.getRequiredActions()) .setAttribute(Constants.TEMPLATE_ATTR_REQUIRED_ACTIONS, token.getRequiredActions())

2
services/src/main/java/org/keycloak/authentication/actiontoken/idpverifyemail/IdpVerifyAccountLinkActionTokenHandler.java
View file

@ -81,6 +81,7 @@ public class IdpVerifyAccountLinkActionTokenHandler extends AbstractActionTokenH
String confirmUri = builder.build(realm.getName()).toString(); String confirmUri = builder.build(realm.getName()).toString();
return session.getProvider(LoginFormsProvider.class) return session.getProvider(LoginFormsProvider.class)
.setAuthenticationSession(authSession)
.setSuccess(Messages.CONFIRM_ACCOUNT_LINKING, token.getIdentityProviderUsername(), token.getIdentityProviderAlias()) .setSuccess(Messages.CONFIRM_ACCOUNT_LINKING, token.getIdentityProviderUsername(), token.getIdentityProviderAlias())
.setAttribute(Constants.TEMPLATE_ATTR_ACTION_URI, confirmUri) .setAttribute(Constants.TEMPLATE_ATTR_ACTION_URI, confirmUri)
.createInfoPage(); .createInfoPage();
@ -106,6 +107,7 @@ public class IdpVerifyAccountLinkActionTokenHandler extends AbstractActionTokenH
} }
return session.getProvider(LoginFormsProvider.class) return session.getProvider(LoginFormsProvider.class)
.setAuthenticationSession(authSession)
.setSuccess(Messages.IDENTITY_PROVIDER_LINK_SUCCESS, token.getIdentityProviderAlias(), token.getIdentityProviderUsername()) .setSuccess(Messages.IDENTITY_PROVIDER_LINK_SUCCESS, token.getIdentityProviderAlias(), token.getIdentityProviderUsername())
.setAttribute(Constants.SKIP_LINK, true) .setAttribute(Constants.SKIP_LINK, true)
.createInfoPage(); .createInfoPage();

2
services/src/main/java/org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionTokenHandler.java
View file

@ -85,7 +85,7 @@ public class ResetCredentialsActionTokenHandler extends AbstractActionTokenHande
UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realm, authenticationSession); UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realm, authenticationSession);
if (!linkingUser.getId().equals(authenticationSession.getAuthenticatedUser().getId())) { if (!linkingUser.getId().equals(authenticationSession.getAuthenticatedUser().getId())) {
return ErrorPage.error(session, return ErrorPage.error(session, authenticationSession,
Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE,
authenticationSession.getAuthenticatedUser().getUsername(), authenticationSession.getAuthenticatedUser().getUsername(),
linkingUser.getUsername() linkingUser.getUsername()

2
services/src/main/java/org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionTokenHandler.java
View file

@ -82,6 +82,7 @@ public class VerifyEmailActionTokenHandler extends AbstractActionTokenHander<Ver
String confirmUri = builder.build(realm.getName()).toString(); String confirmUri = builder.build(realm.getName()).toString();
return session.getProvider(LoginFormsProvider.class) return session.getProvider(LoginFormsProvider.class)
.setAuthenticationSession(authSession)
.setSuccess(Messages.CONFIRM_EMAIL_ADDRESS_VERIFICATION, user.getEmail()) .setSuccess(Messages.CONFIRM_EMAIL_ADDRESS_VERIFICATION, user.getEmail())
.setAttribute(Constants.TEMPLATE_ATTR_ACTION_URI, confirmUri) .setAttribute(Constants.TEMPLATE_ATTR_ACTION_URI, confirmUri)
.createInfoPage(); .createInfoPage();
@ -99,6 +100,7 @@ public class VerifyEmailActionTokenHandler extends AbstractActionTokenHander<Ver
asm.removeAuthenticationSession(tokenContext.getRealm(), authSession, true); asm.removeAuthenticationSession(tokenContext.getRealm(), authSession, true);
return tokenContext.getSession().getProvider(LoginFormsProvider.class) return tokenContext.getSession().getProvider(LoginFormsProvider.class)
.setAuthenticationSession(authSession)
.setSuccess(Messages.EMAIL_VERIFIED) .setSuccess(Messages.EMAIL_VERIFIED)
.createInfoPage(); .createInfoPage();
} }

1
services/src/main/java/org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.java
View file

@ -119,6 +119,7 @@ public class SpnegoAuthenticator extends AbstractUsernameFormAuthenticator imple
} }
if (context.getExecution().isRequired()) { if (context.getExecution().isRequired()) {
return context.getSession().getProvider(LoginFormsProvider.class) return context.getSession().getProvider(LoginFormsProvider.class)
.setAuthenticationSession(context.getAuthenticationSession())
.setStatus(Response.Status.UNAUTHORIZED) .setStatus(Response.Status.UNAUTHORIZED)
.setResponseHeader(HttpHeaders.WWW_AUTHENTICATE, negotiateHeader) .setResponseHeader(HttpHeaders.WWW_AUTHENTICATE, negotiateHeader)
.setError(Messages.KERBEROS_NOT_ENABLED).createErrorPage(); .setError(Messages.KERBEROS_NOT_ENABLED).createErrorPage();

3
services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
View file

@ -39,7 +39,6 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel; import org.keycloak.models.UserSessionModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse; import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.services.ErrorPage; import org.keycloak.services.ErrorPage;
@ -404,7 +403,7 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
} }
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.error(Errors.IDENTITY_PROVIDER_LOGIN_FAILURE); event.error(Errors.IDENTITY_PROVIDER_LOGIN_FAILURE);
return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR); return ErrorPage.error(session, null, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
} }
public SimpleHttp generateTokenRequest(String authorizationCode) { public SimpleHttp generateTokenRequest(String authorizationCode) {

4
services/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProvider.java
View file

@ -111,14 +111,14 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
EventBuilder event = new EventBuilder(realm, session, clientConnection); EventBuilder event = new EventBuilder(realm, session, clientConnection);
event.event(EventType.LOGOUT); event.event(EventType.LOGOUT);
event.error(Errors.USER_SESSION_NOT_FOUND); event.error(Errors.USER_SESSION_NOT_FOUND);
return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR); return ErrorPage.error(session, null, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
} }
if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) { if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
logger.error("usersession in different state"); logger.error("usersession in different state");
EventBuilder event = new EventBuilder(realm, session, clientConnection); EventBuilder event = new EventBuilder(realm, session, clientConnection);
event.event(EventType.LOGOUT); event.event(EventType.LOGOUT);
event.error(Errors.USER_SESSION_NOT_FOUND); event.error(Errors.USER_SESSION_NOT_FOUND);
return ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE); return ErrorPage.error(session, null, Messages.SESSION_NOT_ACTIVE);
} }
return AuthenticationManager.finishBrowserLogout(session, realm, userSession, uriInfo, clientConnection, headers); return AuthenticationManager.finishBrowserLogout(session, realm, userSession, uriInfo, clientConnection, headers);
} }

29
services/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java
View file

@ -87,12 +87,10 @@ import java.util.List;
import org.keycloak.rotation.HardcodedKeyLocator; import org.keycloak.rotation.HardcodedKeyLocator;
import org.keycloak.rotation.KeyLocator; import org.keycloak.rotation.KeyLocator;
import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator; import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator;
import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
import org.w3c.dom.Element; import org.w3c.dom.Element;
import java.util.*; import java.util.*;
import javax.xml.crypto.dsig.XMLSignature; import javax.xml.crypto.dsig.XMLSignature;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList; import org.w3c.dom.NodeList;
/** /**
@ -194,18 +192,18 @@ public class SAMLEndpoint {
if (!checkSsl()) { if (!checkSsl()) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.error(Errors.SSL_REQUIRED); event.error(Errors.SSL_REQUIRED);
return ErrorPage.error(session, Messages.HTTPS_REQUIRED); return ErrorPage.error(session, null, Messages.HTTPS_REQUIRED);
} }
if (!realm.isEnabled()) { if (!realm.isEnabled()) {
event.event(EventType.LOGIN_ERROR); event.event(EventType.LOGIN_ERROR);
event.error(Errors.REALM_DISABLED); event.error(Errors.REALM_DISABLED);
return ErrorPage.error(session, Messages.REALM_NOT_ENABLED); return ErrorPage.error(session, null, Messages.REALM_NOT_ENABLED);
} }
if (samlRequest == null && samlResponse == null) { if (samlRequest == null && samlResponse == null) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.error(Errors.INVALID_REQUEST); event.error(Errors.INVALID_REQUEST);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
return null; return null;
@ -247,7 +245,7 @@ public class SAMLEndpoint {
event.event(EventType.IDENTITY_PROVIDER_RESPONSE); event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
event.detail(Details.REASON, "invalid_destination"); event.detail(Details.REASON, "invalid_destination");
event.error(Errors.INVALID_SAML_RESPONSE); event.error(Errors.INVALID_SAML_RESPONSE);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
if (config.isValidateSignature()) { if (config.isValidateSignature()) {
try { try {
@ -256,7 +254,7 @@ public class SAMLEndpoint {
logger.error("validation failed", e); logger.error("validation failed", e);
event.event(EventType.IDENTITY_PROVIDER_RESPONSE); event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
event.error(Errors.INVALID_SIGNATURE); event.error(Errors.INVALID_SIGNATURE);
return ErrorPage.error(session, Messages.INVALID_REQUESTER); return ErrorPage.error(session, null, Messages.INVALID_REQUESTER);
} }
} }
@ -269,7 +267,7 @@ public class SAMLEndpoint {
} else { } else {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.error(Errors.INVALID_TOKEN); event.error(Errors.INVALID_TOKEN);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
} }
@ -342,6 +340,7 @@ public class SAMLEndpoint {
private String getEntityId(UriInfo uriInfo, RealmModel realm) { private String getEntityId(UriInfo uriInfo, RealmModel realm) {
return UriBuilder.fromUri(uriInfo.getBaseUri()).path("realms").path(realm.getName()).build().toString(); return UriBuilder.fromUri(uriInfo.getBaseUri()).path("realms").path(realm.getName()).build().toString();
} }
protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder holder, ResponseType responseType, String relayState, String clientId) { protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder holder, ResponseType responseType, String relayState, String clientId) {
try { try {
@ -360,7 +359,7 @@ public class SAMLEndpoint {
logger.error("The assertion is not encrypted, which is required."); logger.error("The assertion is not encrypted, which is required.");
event.event(EventType.IDENTITY_PROVIDER_RESPONSE); event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
event.error(Errors.INVALID_SAML_RESPONSE); event.error(Errors.INVALID_SAML_RESPONSE);
return ErrorPage.error(session, Messages.INVALID_REQUESTER); return ErrorPage.error(session, null, Messages.INVALID_REQUESTER);
} }
Element assertionElement; Element assertionElement;
@ -380,7 +379,7 @@ public class SAMLEndpoint {
logger.error("validation failed"); logger.error("validation failed");
event.event(EventType.IDENTITY_PROVIDER_RESPONSE); event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
event.error(Errors.INVALID_SIGNATURE); event.error(Errors.INVALID_SIGNATURE);
return ErrorPage.error(session, Messages.INVALID_REQUESTER); return ErrorPage.error(session, null, Messages.INVALID_REQUESTER);
} }
AssertionType assertion = responseType.getAssertions().get(0).getAssertion(); AssertionType assertion = responseType.getAssertions().get(0).getAssertion();
@ -464,7 +463,7 @@ public class SAMLEndpoint {
event.event(EventType.IDENTITY_PROVIDER_RESPONSE); event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
event.detail(Details.REASON, "invalid_destination"); event.detail(Details.REASON, "invalid_destination");
event.error(Errors.INVALID_SAML_RESPONSE); event.error(Errors.INVALID_SAML_RESPONSE);
return ErrorPage.error(session, Messages.INVALID_FEDERATED_IDENTITY_ACTION); return ErrorPage.error(session, null, Messages.INVALID_FEDERATED_IDENTITY_ACTION);
} }
if (config.isValidateSignature()) { if (config.isValidateSignature()) {
try { try {
@ -473,7 +472,7 @@ public class SAMLEndpoint {
logger.error("validation failed", e); logger.error("validation failed", e);
event.event(EventType.IDENTITY_PROVIDER_RESPONSE); event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
event.error(Errors.INVALID_SIGNATURE); event.error(Errors.INVALID_SIGNATURE);
return ErrorPage.error(session, Messages.INVALID_FEDERATED_IDENTITY_ACTION); return ErrorPage.error(session, null, Messages.INVALID_FEDERATED_IDENTITY_ACTION);
} }
} }
if (statusResponse instanceof ResponseType) { if (statusResponse instanceof ResponseType) {
@ -492,20 +491,20 @@ public class SAMLEndpoint {
logger.error("no valid user session"); logger.error("no valid user session");
event.event(EventType.LOGOUT); event.event(EventType.LOGOUT);
event.error(Errors.USER_SESSION_NOT_FOUND); event.error(Errors.USER_SESSION_NOT_FOUND);
return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR); return ErrorPage.error(session, null, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
} }
UserSessionModel userSession = session.sessions().getUserSession(realm, relayState); UserSessionModel userSession = session.sessions().getUserSession(realm, relayState);
if (userSession == null) { if (userSession == null) {
logger.error("no valid user session"); logger.error("no valid user session");
event.event(EventType.LOGOUT); event.event(EventType.LOGOUT);
event.error(Errors.USER_SESSION_NOT_FOUND); event.error(Errors.USER_SESSION_NOT_FOUND);
return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR); return ErrorPage.error(session, null, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
} }
if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) { if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
logger.error("usersession in different state"); logger.error("usersession in different state");
event.event(EventType.LOGOUT); event.event(EventType.LOGOUT);
event.error(Errors.USER_SESSION_NOT_FOUND); event.error(Errors.USER_SESSION_NOT_FOUND);
return ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE); return ErrorPage.error(session, null, Messages.SESSION_NOT_ACTIVE);
} }
return AuthenticationManager.finishBrowserLogout(session, realm, userSession, uriInfo, clientConnection, headers); return AuthenticationManager.finishBrowserLogout(session, realm, userSession, uriInfo, clientConnection, headers);
} }

13
services/src/main/java/org/keycloak/email/freemarker/FreeMarkerEmailTemplateProvider.java
View file

@ -35,6 +35,7 @@ import org.keycloak.theme.Theme;
import org.keycloak.theme.ThemeProvider; import org.keycloak.theme.ThemeProvider;
import org.keycloak.theme.beans.MessageFormatterMethod; import org.keycloak.theme.beans.MessageFormatterMethod;
import java.io.IOException;
import java.text.MessageFormat; import java.text.MessageFormat;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
@ -150,7 +151,6 @@ public class FreeMarkerEmailTemplateProvider implements EmailTemplateProvider {
attributes.put("realmName", getRealmName()); attributes.put("realmName", getRealmName());
send("executeActionsSubject", "executeActions.ftl", attributes); send("executeActionsSubject", "executeActions.ftl", attributes);
} }
@Override @Override
@ -171,8 +171,7 @@ public class FreeMarkerEmailTemplateProvider implements EmailTemplateProvider {
protected EmailTemplate processTemplate(String subjectKey, List<Object> subjectAttributes, String template, Map<String, Object> attributes) throws EmailException { protected EmailTemplate processTemplate(String subjectKey, List<Object> subjectAttributes, String template, Map<String, Object> attributes) throws EmailException {
try { try {
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending"); Theme theme = getTheme();
Theme theme = themeProvider.getTheme(realm.getEmailTheme(), Theme.Type.EMAIL);
Locale locale = session.getContext().resolveLocale(user); Locale locale = session.getContext().resolveLocale(user);
attributes.put("locale", locale); attributes.put("locale", locale);
Properties rb = theme.getMessages(locale); Properties rb = theme.getMessages(locale);
@ -198,10 +197,18 @@ public class FreeMarkerEmailTemplateProvider implements EmailTemplateProvider {
throw new EmailException("Failed to template email", e); throw new EmailException("Failed to template email", e);
} }
} }
protected Theme getTheme() throws IOException {
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
return themeProvider.getTheme(realm.getEmailTheme(), Theme.Type.EMAIL);
}
protected void send(String subjectKey, List<Object> subjectAttributes, String template, Map<String, Object> attributes) throws EmailException { protected void send(String subjectKey, List<Object> subjectAttributes, String template, Map<String, Object> attributes) throws EmailException {
try { try {
EmailTemplate email = processTemplate(subjectKey, subjectAttributes, template, attributes); EmailTemplate email = processTemplate(subjectKey, subjectAttributes, template, attributes);
send(email.getSubject(), email.getTextBody(), email.getHtmlBody()); send(email.getSubject(), email.getTextBody(), email.getHtmlBody());
} catch (EmailException e){
throw e;
} catch (Exception e) { } catch (Exception e) {
throw new EmailException("Failed to template email", e); throw new EmailException("Failed to template email", e);
} }

151
services/src/main/java/org/keycloak/forms/account/freemarker/FreeMarkerAccountProvider.java
View file

@ -71,26 +71,26 @@ public class FreeMarkerAccountProvider implements AccountProvider {
private static final Logger logger = Logger.getLogger(FreeMarkerAccountProvider.class); private static final Logger logger = Logger.getLogger(FreeMarkerAccountProvider.class);
private UserModel user; protected UserModel user;
private MultivaluedMap<String, String> profileFormData; protected MultivaluedMap<String, String> profileFormData;
private Response.Status status = Response.Status.OK; protected Response.Status status = Response.Status.OK;
private RealmModel realm; protected RealmModel realm;
private String[] referrer; protected String[] referrer;
private List<Event> events; protected List<Event> events;
private String stateChecker; protected String stateChecker;
private List<UserSessionModel> sessions; protected List<UserSessionModel> sessions;
private boolean identityProviderEnabled; protected boolean identityProviderEnabled;
private boolean eventsEnabled; protected boolean eventsEnabled;
private boolean passwordUpdateSupported; protected boolean passwordUpdateSupported;
private boolean passwordSet; protected boolean passwordSet;
private KeycloakSession session; protected KeycloakSession session;
private FreeMarkerUtil freeMarker; protected FreeMarkerUtil freeMarker;
private HttpHeaders headers; protected HttpHeaders headers;
private UriInfo uriInfo; protected UriInfo uriInfo;
private List<FormMessage> messages = null; protected List<FormMessage> messages = null;
private MessageType messageType = MessageType.ERROR; protected MessageType messageType = MessageType.ERROR;
public FreeMarkerAccountProvider(KeycloakSession session, FreeMarkerUtil freeMarker) { public FreeMarkerAccountProvider(KeycloakSession session, FreeMarkerUtil freeMarker) {
this.session = session; this.session = session;
@ -112,30 +112,16 @@ public class FreeMarkerAccountProvider implements AccountProvider {
public Response createResponse(AccountPages page) { public Response createResponse(AccountPages page) {
Map<String, Object> attributes = new HashMap<String, Object>(); Map<String, Object> attributes = new HashMap<String, Object>();
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
Theme theme; Theme theme;
try { try {
theme = themeProvider.getTheme(realm.getAccountTheme(), Theme.Type.ACCOUNT); theme = getTheme();
} catch (IOException e) { } catch (IOException e) {
logger.error("Failed to create theme", e); logger.error("Failed to create theme", e);
return Response.serverError().build(); return Response.serverError().build();
} }
try {
attributes.put("properties", theme.getProperties());
} catch (IOException e) {
logger.warn("Failed to load properties", e);
}
Locale locale = session.getContext().resolveLocale(user); Locale locale = session.getContext().resolveLocale(user);
Properties messagesBundle; Properties messagesBundle = handleThemeResources(theme, locale, attributes);
try {
messagesBundle = theme.getMessages(locale);
attributes.put("msg", new MessageFormatterMethod(locale, messagesBundle));
} catch (IOException e) {
logger.warn("Failed to load messages", e);
messagesBundle = new Properties();
}
URI baseUri = uriInfo.getBaseUri(); URI baseUri = uriInfo.getBaseUri();
UriBuilder baseUriBuilder = uriInfo.getBaseUriBuilder(); UriBuilder baseUriBuilder = uriInfo.getBaseUriBuilder();
@ -148,19 +134,7 @@ public class FreeMarkerAccountProvider implements AccountProvider {
attributes.put("stateChecker", stateChecker); attributes.put("stateChecker", stateChecker);
} }
MessagesPerFieldBean messagesPerField = new MessagesPerFieldBean(); handleMessages(locale, messagesBundle, attributes);
if (messages != null) {
MessageBean wholeMessage = new MessageBean(null, messageType);
for (FormMessage message : this.messages) {
String formattedMessageText = formatMessage(message, messagesBundle, locale);
if (formattedMessageText != null) {
wholeMessage.appendSummaryLine(formattedMessageText);
messagesPerField.addMessage(message.getField(), formattedMessageText, messageType);
}
}
attributes.put("message", wholeMessage);
}
attributes.put("messagesPerField", messagesPerField);
if (referrer != null) { if (referrer != null) {
attributes.put("referrer", new ReferrerBean(referrer)); attributes.put("referrer", new ReferrerBean(referrer));
@ -173,12 +147,7 @@ public class FreeMarkerAccountProvider implements AccountProvider {
attributes.put("url", new UrlBean(realm, theme, baseUri, baseQueryUri, uriInfo.getRequestUri(), stateChecker)); attributes.put("url", new UrlBean(realm, theme, baseUri, baseQueryUri, uriInfo.getRequestUri(), stateChecker));
if (realm.isInternationalizationEnabled()) { if (realm.isInternationalizationEnabled()) {
UriBuilder b; UriBuilder b = UriBuilder.fromUri(baseQueryUri).path(uriInfo.getPath());
switch (page) {
default:
b = UriBuilder.fromUri(baseQueryUri).path(uriInfo.getPath());
break;
}
attributes.put("locale", new LocaleBean(realm, locale, b, messagesBundle)); attributes.put("locale", new LocaleBean(realm, locale, b, messagesBundle));
} }
@ -204,8 +173,84 @@ public class FreeMarkerAccountProvider implements AccountProvider {
break; break;
case PASSWORD: case PASSWORD:
attributes.put("password", new PasswordBean(passwordSet)); attributes.put("password", new PasswordBean(passwordSet));
break;
default:
} }
return processTemplate(theme, page, attributes, locale);
}
/**
* Get Theme used for page rendering.
*
* @return theme for page rendering, never null
* @throws IOException in case of Theme loading problem
*/
protected Theme getTheme() throws IOException {
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
return themeProvider.getTheme(realm.getAccountTheme(), Theme.Type.ACCOUNT);
}
/**
* Load message bundle and place it into <code>msg</code> template attribute. Also load Theme properties and place them into <code>properties</code> template attribute.
*
* @param theme actual Theme to load bundle from
* @param locale to load bundle for
* @param attributes template attributes to add resources to
* @return message bundle for other use
*/
protected Properties handleThemeResources(Theme theme, Locale locale, Map<String, Object> attributes) {
Properties messagesBundle;
try {
messagesBundle = theme.getMessages(locale);
attributes.put("msg", new MessageFormatterMethod(locale, messagesBundle));
} catch (IOException e) {
logger.warn("Failed to load messages", e);
messagesBundle = new Properties();
}
try {
attributes.put("properties", theme.getProperties());
} catch (IOException e) {
logger.warn("Failed to load properties", e);
}
return messagesBundle;
}
/**
* Handle messages to be shown on the page - set them to template attributes
*
* @param locale to be used for message text loading
* @param messagesBundle to be used for message text loading
* @param attributes template attributes to messages related info to
* @see #messageType
* @see #messages
*/
protected void handleMessages(Locale locale, Properties messagesBundle, Map<String, Object> attributes) {
MessagesPerFieldBean messagesPerField = new MessagesPerFieldBean();
if (messages != null) {
MessageBean wholeMessage = new MessageBean(null, messageType);
for (FormMessage message : this.messages) {
String formattedMessageText = formatMessage(message, messagesBundle, locale);
if (formattedMessageText != null) {
wholeMessage.appendSummaryLine(formattedMessageText);
messagesPerField.addMessage(message.getField(), formattedMessageText, messageType);
}
}
attributes.put("message", wholeMessage);
}
attributes.put("messagesPerField", messagesPerField);
}
/**
* Process FreeMarker template and prepare Response. Some fields are used for rendering also.
*
* @param theme to be used (provided by <code>getTheme()</code>)
* @param page to be rendered
* @param attributes pushed to the template
* @param locale to be used
* @return Response object to be returned to the browser, never null
*/
protected Response processTemplate(Theme theme, AccountPages page, Map<String, Object> attributes, Locale locale) {
try { try {
String result = freeMarker.processTemplate(attributes, Templates.getTemplate(page), theme); String result = freeMarker.processTemplate(attributes, Templates.getTemplate(page), theme);
Response.ResponseBuilder builder = Response.status(status).type(MediaType.TEXT_HTML_UTF_8_TYPE).language(locale).entity(result); Response.ResponseBuilder builder = Response.status(status).type(MediaType.TEXT_HTML_UTF_8_TYPE).language(locale).entity(result);

330
services/src/main/java/org/keycloak/forms/login/freemarker/FreeMarkerLoginFormsProvider.java
View file

@ -39,6 +39,7 @@ import org.keycloak.models.*;
import org.keycloak.models.utils.FormMessage; import org.keycloak.models.utils.FormMessage;
import org.keycloak.services.Urls; import org.keycloak.services.Urls;
import org.keycloak.services.messages.Messages; import org.keycloak.services.messages.Messages;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.theme.BrowserSecurityHeaderSetup; import org.keycloak.theme.BrowserSecurityHeaderSetup;
import org.keycloak.theme.FreeMarkerException; import org.keycloak.theme.FreeMarkerException;
import org.keycloak.theme.FreeMarkerUtil; import org.keycloak.theme.FreeMarkerUtil;
@ -68,42 +69,52 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
private static final Logger logger = Logger.getLogger(FreeMarkerLoginFormsProvider.class); private static final Logger logger = Logger.getLogger(FreeMarkerLoginFormsProvider.class);
private String accessCode; protected String accessCode;
private Response.Status status; protected Response.Status status;
private List<RoleModel> realmRolesRequested; protected List<RoleModel> realmRolesRequested;
private MultivaluedMap<String, RoleModel> resourceRolesRequested; protected MultivaluedMap<String, RoleModel> resourceRolesRequested;
private List<ProtocolMapperModel> protocolMappersRequested; protected List<ProtocolMapperModel> protocolMappersRequested;
private Map<String, String> httpResponseHeaders = new HashMap<String, String>(); protected Map<String, String> httpResponseHeaders = new HashMap<String, String>();
private String accessRequestMessage; protected String accessRequestMessage;
private URI actionUri; protected URI actionUri;
private String execution; protected String execution;
private List<FormMessage> messages = null; protected List<FormMessage> messages = null;
private MessageType messageType = MessageType.ERROR; protected MessageType messageType = MessageType.ERROR;
private MultivaluedMap<String, String> formData; protected MultivaluedMap<String, String> formData;
private KeycloakSession session; protected KeycloakSession session;
private FreeMarkerUtil freeMarker; /** authenticationSession can be null for some renderings, mainly error pages */
protected AuthenticationSessionModel authenticationSession;
protected RealmModel realm;
protected ClientModel client;
protected UriInfo uriInfo;
private UserModel user; protected FreeMarkerUtil freeMarker;
private final Map<String, Object> attributes = new HashMap<String, Object>(); protected UserModel user;
protected final Map<String, Object> attributes = new HashMap<String, Object>();
public FreeMarkerLoginFormsProvider(KeycloakSession session, FreeMarkerUtil freeMarker) { public FreeMarkerLoginFormsProvider(KeycloakSession session, FreeMarkerUtil freeMarker) {
this.session = session; this.session = session;
this.freeMarker = freeMarker; this.freeMarker = freeMarker;
this.attributes.put("scripts", new LinkedList<String>()); this.attributes.put("scripts", new LinkedList<String>());
this.realm = session.getContext().getRealm();
this.client = session.getContext().getClient();
this.uriInfo = session.getContext().getUri();
} }
@SuppressWarnings("unchecked")
@Override @Override
public void addScript(String scriptUrl) { public void addScript(String scriptUrl) {
List<String> scripts = (List<String>)this.attributes.get("scripts"); List<String> scripts = (List<String>) this.attributes.get("scripts");
scripts.add(scriptUrl); scripts.add(scriptUrl);
} }
@Override
public Response createResponse(UserModel.RequiredAction action) { public Response createResponse(UserModel.RequiredAction action) {
RealmModel realm = session.getContext().getRealm();
String actionMessage; String actionMessage;
LoginFormsPages page; LoginFormsPages page;
@ -139,110 +150,29 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
return createResponse(page); return createResponse(page);
} }
private Response createResponse(LoginFormsPages page) { @SuppressWarnings("incomplete-switch")
RealmModel realm = session.getContext().getRealm(); protected Response createResponse(LoginFormsPages page) {
ClientModel client = session.getContext().getClient();
UriInfo uriInfo = session.getContext().getUri();
String requestURI = uriInfo.getBaseUri().getPath(); if (status == null) {
UriBuilder uriBuilder = UriBuilder.fromUri(requestURI); status = Response.Status.OK;
if (page == LoginFormsPages.OAUTH_GRANT) {
// for some reason Resteasy 2.3.7 doesn't like query params and form params with the same name and will null out the code form param
uriBuilder.replaceQuery(null);
} }
if (client != null) {
uriBuilder.queryParam(Constants.CLIENT_ID, client.getClientId());
}
URI baseUri = uriBuilder.build();
if (accessCode != null) {
uriBuilder.queryParam(OAuth2Constants.CODE, accessCode);
}
URI baseUriWithCodeAndClientId = uriBuilder.build();
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
Theme theme; Theme theme;
try { try {
theme = themeProvider.getTheme(realm.getLoginTheme(), Theme.Type.LOGIN); theme = getTheme();
} catch (IOException e) { } catch (IOException e) {
logger.error("Failed to create theme", e); logger.error("Failed to create theme", e);
return Response.serverError().build(); return Response.serverError().build();
} }
try {
attributes.put("properties", theme.getProperties());
} catch (IOException e) {
logger.warn("Failed to load properties", e);
}
Properties messagesBundle;
Locale locale = session.getContext().resolveLocale(user); Locale locale = session.getContext().resolveLocale(user);
try { Properties messagesBundle = handleThemeResources(theme, locale);
messagesBundle = theme.getMessages(locale);
attributes.put("msg", new MessageFormatterMethod(locale, messagesBundle));
} catch (IOException e) {
logger.warn("Failed to load messages", e);
messagesBundle = new Properties();
}
MessagesPerFieldBean messagesPerField = new MessagesPerFieldBean(); handleMessages(locale, messagesBundle);
if (messages != null) {
MessageBean wholeMessage = new MessageBean(null, messageType);
for (FormMessage message : this.messages) {
String formattedMessageText = formatMessage(message, messagesBundle, locale);
if (formattedMessageText != null) {
wholeMessage.appendSummaryLine(formattedMessageText);
messagesPerField.addMessage(message.getField(), formattedMessageText, messageType);
}
}
attributes.put("message", wholeMessage);
} else {
attributes.put("message", null);
}
attributes.put("messagesPerField", messagesPerField);
attributes.put("requiredActionUrl", new RequiredActionUrlFormatterMethod(realm, baseUri)); // for some reason Resteasy 2.3.7 doesn't like query params and form params with the same name and will null out the code form param
if (realm != null && user != null && session != null) { UriBuilder uriBuilder = prepareBaseUriBuilder(page == LoginFormsPages.OAUTH_GRANT);
attributes.put("authenticatorConfigured", new AuthenticatorConfiguredMethod(realm, user, session)); createCommonAttributes(theme, locale, messagesBundle, uriBuilder, page);
}
if (realm != null) {
attributes.put("realm", new RealmBean(realm));
List<IdentityProviderModel> identityProviders = realm.getIdentityProviders();
identityProviders = LoginFormsUtil.filterIdentityProviders(identityProviders, session, realm, attributes, formData);
attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUriWithCodeAndClientId));
attributes.put("url", new UrlBean(realm, theme, baseUri, this.actionUri));
if (realm.isInternationalizationEnabled()) {
UriBuilder b;
switch (page) {
case LOGIN:
b = UriBuilder.fromUri(Urls.realmLoginPage(baseUri, realm.getName()));
break;
case REGISTER:
b = UriBuilder.fromUri(Urls.realmRegisterPage(baseUri, realm.getName()));
break;
default:
b = UriBuilder.fromUri(baseUri).path(uriInfo.getPath());
break;
}
if (execution != null) {
b.queryParam(Constants.EXECUTION, execution);
}
attributes.put("locale", new LocaleBean(realm, locale, b, messagesBundle));
}
}
if (client != null) {
attributes.put("client", new ClientBean(client, baseUri));
}
attributes.put("login", new LoginBean(formData)); attributes.put("login", new LoginBean(formData));
@ -267,7 +197,8 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
attributes.put("register", new RegisterBean(formData)); attributes.put("register", new RegisterBean(formData));
break; break;
case OAUTH_GRANT: case OAUTH_GRANT:
attributes.put("oauth", new OAuthGrantBean(accessCode, client, realmRolesRequested, resourceRolesRequested, protocolMappersRequested, this.accessRequestMessage)); attributes.put("oauth",
new OAuthGrantBean(accessCode, client, realmRolesRequested, resourceRolesRequested, protocolMappersRequested, this.accessRequestMessage));
attributes.put("advancedMsg", new AdvancedMessageFormatterMethod(locale, messagesBundle)); attributes.put("advancedMsg", new AdvancedMessageFormatterMethod(locale, messagesBundle));
break; break;
case CODE: case CODE:
@ -279,62 +210,74 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
status = Response.Status.OK; status = Response.Status.OK;
} }
try { return processTemplate(theme, Templates.getTemplate(page), locale);
String result = freeMarker.processTemplate(attributes, Templates.getTemplate(page), theme);
Response.ResponseBuilder builder = Response.status(status).type(MediaType.TEXT_HTML_UTF_8).entity(result);
BrowserSecurityHeaderSetup.headers(builder, realm);
for (Map.Entry<String, String> entry : httpResponseHeaders.entrySet()) {
builder.header(entry.getKey(), entry.getValue());
}
return builder.build();
} catch (FreeMarkerException e) {
logger.error("Failed to process template", e);
return Response.serverError().build();
}
} }
@Override @Override
public Response createForm(String form) { public Response createForm(String form) {
RealmModel realm = session.getContext().getRealm(); if (status == null) {
ClientModel client = session.getContext().getClient(); status = Response.Status.OK;
UriInfo uriInfo = session.getContext().getUri();
String requestURI = uriInfo.getBaseUri().getPath();
UriBuilder uriBuilder = UriBuilder.fromUri(requestURI);
if (client != null) {
uriBuilder.queryParam(Constants.CLIENT_ID, client.getClientId());
} }
URI baseUri = uriBuilder.build();
if (accessCode != null) {
uriBuilder.queryParam(OAuth2Constants.CODE, accessCode);
}
URI baseUriWithCode = uriBuilder.build();
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
Theme theme; Theme theme;
try { try {
theme = themeProvider.getTheme(realm.getLoginTheme(), Theme.Type.LOGIN); theme = getTheme();
} catch (IOException e) { } catch (IOException e) {
logger.error("Failed to create theme", e); logger.error("Failed to create theme", e);
return Response.serverError().build(); return Response.serverError().build();
} }
try { Locale locale = session.getContext().resolveLocale(user);
attributes.put("properties", theme.getProperties()); Properties messagesBundle = handleThemeResources(theme, locale);
} catch (IOException e) {
logger.warn("Failed to load properties", e); handleMessages(locale, messagesBundle);
}
if (client != null) { UriBuilder uriBuilder = prepareBaseUriBuilder(false);
attributes.put("client", new ClientBean(client, baseUri)); createCommonAttributes(theme, locale, messagesBundle, uriBuilder, null);
return processTemplate(theme, form, locale);
}
/**
* Prepare base uri builder for later use
*
* @param resetRequestUriParams - for some reason Resteasy 2.3.7 doesn't like query params and form params with the same name and will null out the code form param, so we have to reset them for some pages
* @return base uri builder
*/
protected UriBuilder prepareBaseUriBuilder(boolean resetRequestUriParams) {
String requestURI = uriInfo.getBaseUri().getPath();
UriBuilder uriBuilder = UriBuilder.fromUri(requestURI);
if (resetRequestUriParams) {
uriBuilder.replaceQuery(null);
} }
if (client != null) {
uriBuilder.queryParam(Constants.CLIENT_ID, client.getClientId());
}
return uriBuilder;
}
/**
* Get Theme used for page rendering.
*
* @return theme for page rendering, never null
* @throws IOException in case of Theme loading problem
*/
protected Theme getTheme() throws IOException {
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
return themeProvider.getTheme(realm.getLoginTheme(), Theme.Type.LOGIN);
}
/**
* Load message bundle and place it into <code>msg</code> template attribute. Also load Theme properties and place them into <code>properties</code> template attribute.
*
* @param theme actual Theme to load bundle from
* @param locale to load bundle for
* @return message bundle for other use
*/
protected Properties handleThemeResources(Theme theme, Locale locale) {
Properties messagesBundle; Properties messagesBundle;
Locale locale = session.getContext().resolveLocale(user);
try { try {
messagesBundle = theme.getMessages(locale); messagesBundle = theme.getMessages(locale);
attributes.put("msg", new MessageFormatterMethod(locale, messagesBundle)); attributes.put("msg", new MessageFormatterMethod(locale, messagesBundle));
@ -343,6 +286,24 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
messagesBundle = new Properties(); messagesBundle = new Properties();
} }
try {
attributes.put("properties", theme.getProperties());
} catch (IOException e) {
logger.warn("Failed to load properties", e);
}
return messagesBundle;
}
/**
* Handle messages to be shown on the page - set them to template attributes
*
* @param locale to be used for message text loading
* @param messagesBundle to be used for message text loading
* @see #messageType
* @see #messages
*/
protected void handleMessages(Locale locale, Properties messagesBundle) {
MessagesPerFieldBean messagesPerField = new MessagesPerFieldBean(); MessagesPerFieldBean messagesPerField = new MessagesPerFieldBean();
if (messages != null) { if (messages != null) {
MessageBean wholeMessage = new MessageBean(null, messageType); MessageBean wholeMessage = new MessageBean(null, messageType);
@ -354,11 +315,31 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
} }
} }
attributes.put("message", wholeMessage); attributes.put("message", wholeMessage);
} else {
attributes.put("message", null);
} }
attributes.put("messagesPerField", messagesPerField); attributes.put("messagesPerField", messagesPerField);
}
/**
* Create common attributes used in all templates.
*
* @param theme actual Theme used (provided by <code>getTheme()</code>)
* @param locale actual locale
* @param messagesBundle actual message bundle (provided by <code>handleThemeResources()</code>)
* @param baseUriBuilder actual base uri builder (provided by <code>prepareBaseUriBuilder()</code>)
* @param page in case if common page is rendered, is null if called from <code>createForm()</code>
*
*/
protected void createCommonAttributes(Theme theme, Locale locale, Properties messagesBundle, UriBuilder baseUriBuilder, LoginFormsPages page) {
URI baseUri = baseUriBuilder.build();
if (accessCode != null) {
baseUriBuilder.queryParam(OAuth2Constants.CODE, accessCode);
}
URI baseUriWithCodeAndClientId = baseUriBuilder.build();
if (status == null) { if (client != null) {
status = Response.Status.OK; attributes.put("client", new ClientBean(client, baseUri));
} }
if (realm != null) { if (realm != null) {
@ -366,14 +347,29 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
List<IdentityProviderModel> identityProviders = realm.getIdentityProviders(); List<IdentityProviderModel> identityProviders = realm.getIdentityProviders();
identityProviders = LoginFormsUtil.filterIdentityProviders(identityProviders, session, realm, attributes, formData); identityProviders = LoginFormsUtil.filterIdentityProviders(identityProviders, session, realm, attributes, formData);
attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUriWithCode)); attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUriWithCodeAndClientId));
attributes.put("url", new UrlBean(realm, theme, baseUri, this.actionUri)); attributes.put("url", new UrlBean(realm, theme, baseUri, this.actionUri));
attributes.put("requiredActionUrl", new RequiredActionUrlFormatterMethod(realm, baseUri)); attributes.put("requiredActionUrl", new RequiredActionUrlFormatterMethod(realm, baseUri));
if (realm.isInternationalizationEnabled()) { if (realm.isInternationalizationEnabled()) {
UriBuilder b = UriBuilder.fromUri(baseUri) UriBuilder b;
.path(uriInfo.getPath()); if (page != null) {
switch (page) {
case LOGIN:
b = UriBuilder.fromUri(Urls.realmLoginPage(baseUri, realm.getName()));
break;
case REGISTER:
b = UriBuilder.fromUri(Urls.realmRegisterPage(baseUri, realm.getName()));
break;
default:
b = UriBuilder.fromUri(baseUri).path(uriInfo.getPath());
break;
}
} else {
b = UriBuilder.fromUri(baseUri)
.path(uriInfo.getPath());
}
if (execution != null) { if (execution != null) {
b.queryParam(Constants.EXECUTION, execution); b.queryParam(Constants.EXECUTION, execution);
@ -385,8 +381,19 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
if (realm != null && user != null && session != null) { if (realm != null && user != null && session != null) {
attributes.put("authenticatorConfigured", new AuthenticatorConfiguredMethod(realm, user, session)); attributes.put("authenticatorConfigured", new AuthenticatorConfiguredMethod(realm, user, session));
} }
}
/**
* Process FreeMarker template and prepare Response. Some fields are used for rendering also.
*
* @param theme to be used (provided by <code>getTheme()</code>)
* @param templateName name of the template to be rendered
* @param locale to be used
* @return Response object to be returned to the browser, never null
*/
protected Response processTemplate(Theme theme, String templateName, Locale locale) {
try { try {
String result = freeMarker.processTemplate(attributes, form, theme); String result = freeMarker.processTemplate(attributes, templateName, theme);
Response.ResponseBuilder builder = Response.status(status).type(MediaType.TEXT_HTML_UTF_8_TYPE).language(locale).entity(result); Response.ResponseBuilder builder = Response.status(status).type(MediaType.TEXT_HTML_UTF_8_TYPE).language(locale).entity(result);
BrowserSecurityHeaderSetup.headers(builder, realm); BrowserSecurityHeaderSetup.headers(builder, realm);
for (Map.Entry<String, String> entry : httpResponseHeaders.entrySet()) { for (Map.Entry<String, String> entry : httpResponseHeaders.entrySet()) {
@ -434,7 +441,6 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
return createResponse(LoginFormsPages.LOGIN_UPDATE_PROFILE); return createResponse(LoginFormsPages.LOGIN_UPDATE_PROFILE);
} }
@Override @Override
public Response createIdpLinkConfirmLinkPage() { public Response createIdpLinkConfirmLinkPage() {
return createResponse(LoginFormsPages.LOGIN_IDP_LINK_CONFIRM); return createResponse(LoginFormsPages.LOGIN_IDP_LINK_CONFIRM);
@ -504,7 +510,8 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
@Override @Override
public LoginFormsProvider setErrors(List<FormMessage> messages) { public LoginFormsProvider setErrors(List<FormMessage> messages) {
if (messages == null) return this; if (messages == null)
return this;
this.messageType = MessageType.ERROR; this.messageType = MessageType.ERROR;
this.messages = new ArrayList<>(messages); this.messages = new ArrayList<>(messages);
return this; return this;
@ -552,6 +559,12 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
return this; return this;
} }
@Override
public LoginFormsProvider setAuthenticationSession(AuthenticationSessionModel authenticationSession) {
this.authenticationSession = authenticationSession;
return this;
}
@Override @Override
public FreeMarkerLoginFormsProvider setUser(UserModel user) { public FreeMarkerLoginFormsProvider setUser(UserModel user) {
this.user = user; this.user = user;
@ -571,7 +584,8 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
} }
@Override @Override
public LoginFormsProvider setAccessRequest(List<RoleModel> realmRolesRequested, MultivaluedMap<String, RoleModel> resourceRolesRequested, List<ProtocolMapperModel> protocolMappersRequested) { public LoginFormsProvider setAccessRequest(List<RoleModel> realmRolesRequested, MultivaluedMap<String, RoleModel> resourceRolesRequested,
List<ProtocolMapperModel> protocolMappersRequested) {
this.realmRolesRequested = realmRolesRequested; this.realmRolesRequested = realmRolesRequested;
this.resourceRolesRequested = resourceRolesRequested; this.resourceRolesRequested = resourceRolesRequested;
this.protocolMappersRequested = protocolMappersRequested; this.protocolMappersRequested = protocolMappersRequested;

4
services/src/main/java/org/keycloak/protocol/RestartLoginCookie.java
View file

@ -64,6 +64,10 @@ public class RestartLoginCookie {
@JsonProperty("notes") @JsonProperty("notes")
protected Map<String, String> notes = new HashMap<>(); protected Map<String, String> notes = new HashMap<>();
@Deprecated // Backwards compatibility
@JsonProperty("cs")
protected String cs;
public Map<String, String> getNotes() { public Map<String, String> getNotes() {
return notes; return notes;
} }

14
services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java
View file

@ -153,7 +153,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
action = Action.REGISTER; action = Action.REGISTER;
if (!realm.isRegistrationAllowed()) { if (!realm.isRegistrationAllowed()) {
throw new ErrorPageException(session, Messages.REGISTRATION_NOT_ALLOWED); throw new ErrorPageException(session, authenticationSession, Messages.REGISTRATION_NOT_ALLOWED);
} }
return this; return this;
@ -164,7 +164,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
action = Action.FORGOT_CREDENTIALS; action = Action.FORGOT_CREDENTIALS;
if (!realm.isResetPasswordAllowed()) { if (!realm.isResetPasswordAllowed()) {
throw new ErrorPageException(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); throw new ErrorPageException(session, authenticationSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
} }
return this; return this;
@ -173,7 +173,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
private void checkClient(String clientId) { private void checkClient(String clientId) {
if (clientId == null) { if (clientId == null) {
event.error(Errors.INVALID_REQUEST); event.error(Errors.INVALID_REQUEST);
throw new ErrorPageException(session, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM); throw new ErrorPageException(session, authenticationSession, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM);
} }
event.client(clientId); event.client(clientId);
@ -181,17 +181,17 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
client = realm.getClientByClientId(clientId); client = realm.getClientByClientId(clientId);
if (client == null) { if (client == null) {
event.error(Errors.CLIENT_NOT_FOUND); event.error(Errors.CLIENT_NOT_FOUND);
throw new ErrorPageException(session, Messages.CLIENT_NOT_FOUND); throw new ErrorPageException(session, authenticationSession, Messages.CLIENT_NOT_FOUND);
} }
if (!client.isEnabled()) { if (!client.isEnabled()) {
event.error(Errors.CLIENT_DISABLED); event.error(Errors.CLIENT_DISABLED);
throw new ErrorPageException(session, Messages.CLIENT_DISABLED); throw new ErrorPageException(session, authenticationSession, Messages.CLIENT_DISABLED);
} }
if (client.isBearerOnly()) { if (client.isBearerOnly()) {
event.error(Errors.NOT_ALLOWED); event.error(Errors.NOT_ALLOWED);
throw new ErrorPageException(session, Messages.BEARER_ONLY); throw new ErrorPageException(session, authenticationSession, Messages.BEARER_ONLY);
} }
session.getContext().setClient(client); session.getContext().setClient(client);
@ -354,7 +354,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
redirectUri = RedirectUtils.verifyRedirectUri(uriInfo, redirectUriParam, realm, client, isOIDCRequest); redirectUri = RedirectUtils.verifyRedirectUri(uriInfo, redirectUriParam, realm, client, isOIDCRequest);
if (redirectUri == null) { if (redirectUri == null) {
event.error(Errors.INVALID_REDIRECT_URI); event.error(Errors.INVALID_REDIRECT_URI);
throw new ErrorPageException(session, Messages.INVALID_PARAMETER, OIDCLoginProtocol.REDIRECT_URI_PARAM); throw new ErrorPageException(session, authenticationSession, Messages.INVALID_PARAMETER, OIDCLoginProtocol.REDIRECT_URI_PARAM);
} }
} }

4
services/src/main/java/org/keycloak/protocol/oidc/endpoints/LogoutEndpoint.java
View file

@ -107,7 +107,7 @@ public class LogoutEndpoint {
event.event(EventType.LOGOUT); event.event(EventType.LOGOUT);
event.detail(Details.REDIRECT_URI, redirect); event.detail(Details.REDIRECT_URI, redirect);
event.error(Errors.INVALID_REDIRECT_URI); event.error(Errors.INVALID_REDIRECT_URI);
return ErrorPage.error(session, Messages.INVALID_REDIRECT_URI); return ErrorPage.error(session, null, Messages.INVALID_REDIRECT_URI);
} }
redirect = validatedUri; redirect = validatedUri;
} }
@ -120,7 +120,7 @@ public class LogoutEndpoint {
} catch (OAuthErrorException e) { } catch (OAuthErrorException e) {
event.event(EventType.LOGOUT); event.event(EventType.LOGOUT);
event.error(Errors.INVALID_TOKEN); event.error(Errors.INVALID_TOKEN);
return ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE); return ErrorPage.error(session, null, Messages.SESSION_NOT_ACTIVE);
} }
} }

12
services/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
View file

@ -173,7 +173,7 @@ public class SamlProtocol implements LoginProtocol {
URI redirect = builder.buildFromMap(params); URI redirect = builder.buildFromMap(params);
return Response.status(302).location(redirect).build(); return Response.status(302).location(redirect).build();
} else { } else {
return ErrorPage.error(session, translateErrorToIdpInitiatedErrorMessage(error)); return ErrorPage.error(session, authSession, translateErrorToIdpInitiatedErrorMessage(error));
} }
} else { } else {
SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder().destination(authSession.getRedirectUri()).issuer(getResponseIssuer(realm)).status(translateErrorToSAMLStatus(error).get()); SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder().destination(authSession.getRedirectUri()).issuer(getResponseIssuer(realm)).status(translateErrorToSAMLStatus(error).get());
@ -196,7 +196,7 @@ public class SamlProtocol implements LoginProtocol {
Document document = builder.buildDocument(); Document document = builder.buildDocument();
return buildErrorResponse(authSession, binding, document); return buildErrorResponse(authSession, binding, document);
} catch (Exception e) { } catch (Exception e) {
return ErrorPage.error(session, Messages.FAILED_TO_PROCESS_RESPONSE); return ErrorPage.error(session, authSession, Messages.FAILED_TO_PROCESS_RESPONSE);
} }
} }
} finally { } finally {
@ -427,7 +427,7 @@ public class SamlProtocol implements LoginProtocol {
samlDocument = builder.buildDocument(samlModel); samlDocument = builder.buildDocument(samlModel);
} catch (Exception e) { } catch (Exception e) {
logger.error("failed", e); logger.error("failed", e);
return ErrorPage.error(session, Messages.FAILED_TO_PROCESS_RESPONSE); return ErrorPage.error(session, null, Messages.FAILED_TO_PROCESS_RESPONSE);
} }
JaxrsSAML2BindingBuilder bindingBuilder = new JaxrsSAML2BindingBuilder(); JaxrsSAML2BindingBuilder bindingBuilder = new JaxrsSAML2BindingBuilder();
@ -453,7 +453,7 @@ public class SamlProtocol implements LoginProtocol {
publicKey = SamlProtocolUtils.getEncryptionKey(client); publicKey = SamlProtocolUtils.getEncryptionKey(client);
} catch (Exception e) { } catch (Exception e) {
logger.error("failed", e); logger.error("failed", e);
return ErrorPage.error(session, Messages.FAILED_TO_PROCESS_RESPONSE); return ErrorPage.error(session, null, Messages.FAILED_TO_PROCESS_RESPONSE);
} }
bindingBuilder.encrypt(publicKey); bindingBuilder.encrypt(publicKey);
} }
@ -461,7 +461,7 @@ public class SamlProtocol implements LoginProtocol {
return buildAuthenticatedResponse(clientSession, redirectUri, samlDocument, bindingBuilder); return buildAuthenticatedResponse(clientSession, redirectUri, samlDocument, bindingBuilder);
} catch (Exception e) { } catch (Exception e) {
logger.error("failed", e); logger.error("failed", e);
return ErrorPage.error(session, Messages.FAILED_TO_PROCESS_RESPONSE); return ErrorPage.error(session, null, Messages.FAILED_TO_PROCESS_RESPONSE);
} }
} }
@ -568,7 +568,7 @@ public class SamlProtocol implements LoginProtocol {
String logoutBindingUri = userSession.getNote(SAML_LOGOUT_BINDING_URI); String logoutBindingUri = userSession.getNote(SAML_LOGOUT_BINDING_URI);
if (logoutBindingUri == null) { if (logoutBindingUri == null) {
logger.error("Can't finish SAML logout as there is no logout binding set. Please configure the logout service url in the admin console for your client applications."); logger.error("Can't finish SAML logout as there is no logout binding set. Please configure the logout service url in the admin console for your client applications.");
return ErrorPage.error(session, Messages.FAILED_LOGOUT); return ErrorPage.error(session, null, Messages.FAILED_LOGOUT);
} }
String logoutRelayState = userSession.getNote(SAML_LOGOUT_RELAY_STATE); String logoutRelayState = userSession.getNote(SAML_LOGOUT_RELAY_STATE);

48
services/src/main/java/org/keycloak/protocol/saml/SamlService.java
View file

@ -118,18 +118,18 @@ public class SamlService extends AuthorizationEndpointBase {
if (!checkSsl()) { if (!checkSsl()) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.error(Errors.SSL_REQUIRED); event.error(Errors.SSL_REQUIRED);
return ErrorPage.error(session, Messages.HTTPS_REQUIRED); return ErrorPage.error(session, null, Messages.HTTPS_REQUIRED);
} }
if (!realm.isEnabled()) { if (!realm.isEnabled()) {
event.event(EventType.LOGIN_ERROR); event.event(EventType.LOGIN_ERROR);
event.error(Errors.REALM_DISABLED); event.error(Errors.REALM_DISABLED);
return ErrorPage.error(session, Messages.REALM_NOT_ENABLED); return ErrorPage.error(session, null, Messages.REALM_NOT_ENABLED);
} }
if (samlRequest == null && samlResponse == null) { if (samlRequest == null && samlResponse == null) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.error(Errors.INVALID_TOKEN); event.error(Errors.INVALID_TOKEN);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
return null; return null;
@ -142,7 +142,7 @@ public class SamlService extends AuthorizationEndpointBase {
if (! (holder.getSamlObject() instanceof StatusResponseType)) { if (! (holder.getSamlObject() instanceof StatusResponseType)) {
event.detail(Details.REASON, "invalid_saml_response"); event.detail(Details.REASON, "invalid_saml_response");
event.error(Errors.INVALID_SAML_RESPONSE); event.error(Errors.INVALID_SAML_RESPONSE);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
StatusResponseType statusResponse = (StatusResponseType) holder.getSamlObject(); StatusResponseType statusResponse = (StatusResponseType) holder.getSamlObject();
@ -150,7 +150,7 @@ public class SamlService extends AuthorizationEndpointBase {
if (statusResponse.getDestination() != null && !uriInfo.getAbsolutePath().toString().equals(statusResponse.getDestination())) { if (statusResponse.getDestination() != null && !uriInfo.getAbsolutePath().toString().equals(statusResponse.getDestination())) {
event.detail(Details.REASON, "invalid_destination"); event.detail(Details.REASON, "invalid_destination");
event.error(Errors.INVALID_SAML_LOGOUT_RESPONSE); event.error(Errors.INVALID_SAML_LOGOUT_RESPONSE);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm, false); AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm, false);
@ -158,7 +158,7 @@ public class SamlService extends AuthorizationEndpointBase {
logger.warn("Unknown saml response."); logger.warn("Unknown saml response.");
event.event(EventType.LOGOUT); event.event(EventType.LOGOUT);
event.error(Errors.INVALID_TOKEN); event.error(Errors.INVALID_TOKEN);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
// assume this is a logout response // assume this is a logout response
UserSessionModel userSession = authResult.getSession(); UserSessionModel userSession = authResult.getSession();
@ -167,7 +167,7 @@ public class SamlService extends AuthorizationEndpointBase {
logger.warn("UserSession is not tagged as logging out."); logger.warn("UserSession is not tagged as logging out.");
event.event(EventType.LOGOUT); event.event(EventType.LOGOUT);
event.error(Errors.INVALID_SAML_LOGOUT_RESPONSE); event.error(Errors.INVALID_SAML_LOGOUT_RESPONSE);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
logger.debug("logout response"); logger.debug("logout response");
Response response = authManager.browserLogout(session, realm, userSession, uriInfo, clientConnection, headers); Response response = authManager.browserLogout(session, realm, userSession, uriInfo, clientConnection, headers);
@ -180,7 +180,7 @@ public class SamlService extends AuthorizationEndpointBase {
if (documentHolder == null) { if (documentHolder == null) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.error(Errors.INVALID_TOKEN); event.error(Errors.INVALID_TOKEN);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
SAML2Object samlObject = documentHolder.getSamlObject(); SAML2Object samlObject = documentHolder.getSamlObject();
@ -188,7 +188,7 @@ public class SamlService extends AuthorizationEndpointBase {
if (! (samlObject instanceof RequestAbstractType)) { if (! (samlObject instanceof RequestAbstractType)) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.error(Errors.INVALID_SAML_AUTHN_REQUEST); event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
RequestAbstractType requestAbstractType = (RequestAbstractType) samlObject; RequestAbstractType requestAbstractType = (RequestAbstractType) samlObject;
@ -199,23 +199,23 @@ public class SamlService extends AuthorizationEndpointBase {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.client(issuer); event.client(issuer);
event.error(Errors.CLIENT_NOT_FOUND); event.error(Errors.CLIENT_NOT_FOUND);
return ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER); return ErrorPage.error(session, null, Messages.UNKNOWN_LOGIN_REQUESTER);
} }
if (!client.isEnabled()) { if (!client.isEnabled()) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.error(Errors.CLIENT_DISABLED); event.error(Errors.CLIENT_DISABLED);
return ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED); return ErrorPage.error(session, null, Messages.LOGIN_REQUESTER_NOT_ENABLED);
} }
if (client.isBearerOnly()) { if (client.isBearerOnly()) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.error(Errors.NOT_ALLOWED); event.error(Errors.NOT_ALLOWED);
return ErrorPage.error(session, Messages.BEARER_ONLY); return ErrorPage.error(session, null, Messages.BEARER_ONLY);
} }
if (!client.isStandardFlowEnabled()) { if (!client.isStandardFlowEnabled()) {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.error(Errors.NOT_ALLOWED); event.error(Errors.NOT_ALLOWED);
return ErrorPage.error(session, Messages.STANDARD_FLOW_DISABLED); return ErrorPage.error(session, null, Messages.STANDARD_FLOW_DISABLED);
} }
session.getContext().setClient(client); session.getContext().setClient(client);
@ -226,7 +226,7 @@ public class SamlService extends AuthorizationEndpointBase {
SamlService.logger.error("request validation failed", e); SamlService.logger.error("request validation failed", e);
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.error(Errors.INVALID_SIGNATURE); event.error(Errors.INVALID_SIGNATURE);
return ErrorPage.error(session, Messages.INVALID_REQUESTER); return ErrorPage.error(session, null, Messages.INVALID_REQUESTER);
} }
logger.debug("verified request"); logger.debug("verified request");
if (samlObject instanceof AuthnRequestType) { if (samlObject instanceof AuthnRequestType) {
@ -244,7 +244,7 @@ public class SamlService extends AuthorizationEndpointBase {
} else { } else {
event.event(EventType.LOGIN); event.event(EventType.LOGIN);
event.error(Errors.INVALID_TOKEN); event.error(Errors.INVALID_TOKEN);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
} }
@ -260,12 +260,12 @@ public class SamlService extends AuthorizationEndpointBase {
if (requestAbstractType.getDestination() == null && samlClient.requiresClientSignature()) { if (requestAbstractType.getDestination() == null && samlClient.requiresClientSignature()) {
event.detail(Details.REASON, "invalid_destination"); event.detail(Details.REASON, "invalid_destination");
event.error(Errors.INVALID_SAML_AUTHN_REQUEST); event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
if (! isValidDestination(requestAbstractType.getDestination())) { if (! isValidDestination(requestAbstractType.getDestination())) {
event.detail(Details.REASON, "invalid_destination"); event.detail(Details.REASON, "invalid_destination");
event.error(Errors.INVALID_SAML_AUTHN_REQUEST); event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
String bindingType = getBindingType(requestAbstractType); String bindingType = getBindingType(requestAbstractType);
if (samlClient.forcePostBinding()) if (samlClient.forcePostBinding())
@ -288,7 +288,7 @@ public class SamlService extends AuthorizationEndpointBase {
if (redirect == null) { if (redirect == null) {
event.error(Errors.INVALID_REDIRECT_URI); event.error(Errors.INVALID_REDIRECT_URI);
return ErrorPage.error(session, Messages.INVALID_REDIRECT_URI); return ErrorPage.error(session, null, Messages.INVALID_REDIRECT_URI);
} }
AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, relayState); AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, relayState);
@ -316,7 +316,7 @@ public class SamlService extends AuthorizationEndpointBase {
} else { } else {
event.detail(Details.REASON, "unsupported_nameid_format"); event.detail(Details.REASON, "unsupported_nameid_format");
event.error(Errors.INVALID_SAML_AUTHN_REQUEST); event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
return ErrorPage.error(session, Messages.UNSUPPORTED_NAME_ID_FORMAT); return ErrorPage.error(session, null, Messages.UNSUPPORTED_NAME_ID_FORMAT);
} }
} }
@ -367,12 +367,12 @@ public class SamlService extends AuthorizationEndpointBase {
if (logoutRequest.getDestination() == null && samlClient.requiresClientSignature()) { if (logoutRequest.getDestination() == null && samlClient.requiresClientSignature()) {
event.detail(Details.REASON, "invalid_destination"); event.detail(Details.REASON, "invalid_destination");
event.error(Errors.INVALID_SAML_LOGOUT_REQUEST); event.error(Errors.INVALID_SAML_LOGOUT_REQUEST);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
if (! isValidDestination(logoutRequest.getDestination())) { if (! isValidDestination(logoutRequest.getDestination())) {
event.detail(Details.REASON, "invalid_destination"); event.detail(Details.REASON, "invalid_destination");
event.error(Errors.INVALID_SAML_LOGOUT_REQUEST); event.error(Errors.INVALID_SAML_LOGOUT_REQUEST);
return ErrorPage.error(session, Messages.INVALID_REQUEST); return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
} }
// authenticate identity cookie, but ignore an access token timeout as we're logging out anyways. // authenticate identity cookie, but ignore an access token timeout as we're logging out anyways.
@ -620,16 +620,16 @@ public class SamlService extends AuthorizationEndpointBase {
} }
if (client == null) { if (client == null) {
event.error(Errors.CLIENT_NOT_FOUND); event.error(Errors.CLIENT_NOT_FOUND);
return ErrorPage.error(session, Messages.CLIENT_NOT_FOUND); return ErrorPage.error(session, null, Messages.CLIENT_NOT_FOUND);
} }
if (!client.isEnabled()) { if (!client.isEnabled()) {
event.error(Errors.CLIENT_DISABLED); event.error(Errors.CLIENT_DISABLED);
return ErrorPage.error(session, Messages.CLIENT_DISABLED); return ErrorPage.error(session, null, Messages.CLIENT_DISABLED);
} }
if (client.getManagementUrl() == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE) == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE) == null) { if (client.getManagementUrl() == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE) == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE) == null) {
logger.error("SAML assertion consumer url not set up"); logger.error("SAML assertion consumer url not set up");
event.error(Errors.INVALID_REDIRECT_URI); event.error(Errors.INVALID_REDIRECT_URI);
return ErrorPage.error(session, Messages.INVALID_REDIRECT_URI); return ErrorPage.error(session, null, Messages.INVALID_REDIRECT_URI);
} }
AuthenticationSessionModel authSession = getOrCreateLoginSessionForIdpInitiatedSso(this.session, this.realm, client, relayState); AuthenticationSessionModel authSession = getOrCreateLoginSessionForIdpInitiatedSso(this.session, this.realm, client, relayState);

5
services/src/main/java/org/keycloak/services/ErrorPage.java
View file

@ -18,6 +18,7 @@ package org.keycloak.services;
import org.keycloak.forms.login.LoginFormsProvider; import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.sessions.AuthenticationSessionModel;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
@ -26,8 +27,8 @@ import javax.ws.rs.core.Response;
*/ */
public class ErrorPage { public class ErrorPage {
public static Response error(KeycloakSession session, String message, Object... parameters) { public static Response error(KeycloakSession session, AuthenticationSessionModel authenticationSession, String message, Object... parameters) {
return session.getProvider(LoginFormsProvider.class).setError(message, parameters).createErrorPage(); return session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authenticationSession).setError(message, parameters).createErrorPage();
} }

13
services/src/main/java/org/keycloak/services/ErrorPageException.java
View file

@ -18,6 +18,7 @@
package org.keycloak.services; package org.keycloak.services;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.sessions.AuthenticationSessionModel;
import javax.ws.rs.WebApplicationException; import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
@ -30,18 +31,28 @@ public class ErrorPageException extends WebApplicationException {
private final KeycloakSession session; private final KeycloakSession session;
private final String errorMessage; private final String errorMessage;
private final Object[] parameters; private final Object[] parameters;
private final AuthenticationSessionModel authSession;
public ErrorPageException(KeycloakSession session, String errorMessage, Object... parameters) { public ErrorPageException(KeycloakSession session, String errorMessage, Object... parameters) {
this.session = session; this.session = session;
this.errorMessage = errorMessage; this.errorMessage = errorMessage;
this.parameters = parameters; this.parameters = parameters;
this.authSession = null;
}
public ErrorPageException(KeycloakSession session, AuthenticationSessionModel authSession, String errorMessage, Object... parameters) {
this.session = session;
this.errorMessage = errorMessage;
this.parameters = parameters;
this.authSession = authSession;
} }
@Override @Override
public Response getResponse() { public Response getResponse() {
return ErrorPage.error(session, errorMessage, parameters); return ErrorPage.error(session, authSession, errorMessage, parameters);
} }
} }

4
services/src/main/java/org/keycloak/services/ServicesLogger.java
View file

@ -451,4 +451,8 @@ public interface ServicesLogger extends BasicLogger {
@Message(id=102, value= "URL '%s' doesn't match any trustedHost or trustedDomain") @Message(id=102, value= "URL '%s' doesn't match any trustedHost or trustedDomain")
void urlDoesntMatch(String url); void urlDoesntMatch(String url);
@LogMessage(level = DEBUG)
@Message(id=103, value="Failed to reset password. User is temporarily disabled")
void passwordResetFailed(@Cause Throwable t);
} }

3
services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
View file

@ -710,7 +710,7 @@ public class AuthenticationManager {
} }
if (authSession.getAuthNote(END_AFTER_REQUIRED_ACTIONS) != null) { if (authSession.getAuthNote(END_AFTER_REQUIRED_ACTIONS) != null) {
LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class) LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSession)
.setSuccess(Messages.ACCOUNT_UPDATED); .setSuccess(Messages.ACCOUNT_UPDATED);
if (authSession.getAuthNote(SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS) != null) { if (authSession.getAuthNote(SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS) != null) {
if (authSession.getRedirectUri() != null) { if (authSession.getRedirectUri() != null) {
@ -848,6 +848,7 @@ public class AuthenticationManager {
authSession.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution); authSession.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution);
return session.getProvider(LoginFormsProvider.class) return session.getProvider(LoginFormsProvider.class)
.setAuthenticationSession(authSession)
.setExecution(execution) .setExecution(execution)
.setClientSessionCode(accessCode.getOrGenerateCode()) .setClientSessionCode(accessCode.getOrGenerateCode())
.setAccessRequest(realmRoles, resourceRoles, protocolMappers) .setAccessRequest(realmRoles, resourceRoles, protocolMappers)

34
services/src/main/java/org/keycloak/services/resources/IdentityBrokerService.java
View file

@ -317,12 +317,12 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
return response; return response;
} }
} catch (IdentityBrokerException e) { } catch (IdentityBrokerException e) {
return redirectToErrorPage(Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId); return redirectToErrorPage(authSession, Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId);
} catch (Exception e) { } catch (Exception e) {
return redirectToErrorPage(Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId); return redirectToErrorPage(authSession, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId);
} }
return redirectToErrorPage(Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST); return redirectToErrorPage(authSession, Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST);
} }
@ -545,7 +545,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
return Response.status(302).location(redirect).build(); return Response.status(302).location(redirect).build();
} else { } else {
Response response = validateUser(federatedUser, realmModel); Response response = validateUser(authenticationSession, federatedUser, realmModel);
if (response != null) { if (response != null) {
return response; return response;
} }
@ -558,15 +558,15 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
} }
public Response validateUser(UserModel user, RealmModel realm) { public Response validateUser(AuthenticationSessionModel authSession, UserModel user, RealmModel realm) {
if (!user.isEnabled()) { if (!user.isEnabled()) {
event.error(Errors.USER_DISABLED); event.error(Errors.USER_DISABLED);
return ErrorPage.error(session, Messages.ACCOUNT_DISABLED); return ErrorPage.error(session, authSession, Messages.ACCOUNT_DISABLED);
} }
if (realm.isBruteForceProtected()) { if (realm.isBruteForceProtected()) {
if (session.getProvider(BruteForceProtector.class).isTemporarilyDisabled(session, realm, user)) { if (session.getProvider(BruteForceProtector.class).isTemporarilyDisabled(session, realm, user)) {
event.error(Errors.USER_TEMPORARILY_DISABLED); event.error(Errors.USER_TEMPORARILY_DISABLED);
return ErrorPage.error(session, Messages.ACCOUNT_DISABLED); return ErrorPage.error(session, authSession, Messages.ACCOUNT_DISABLED);
} }
} }
return null; return null;
@ -670,7 +670,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
return finishOrRedirectToPostBrokerLogin(authSession, context, true, clientSessionCode); return finishOrRedirectToPostBrokerLogin(authSession, context, true, clientSessionCode);
} catch (Exception e) { } catch (Exception e) {
return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e); return redirectToErrorPage(authSession,Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e);
} }
} }
@ -734,7 +734,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
return afterPostBrokerLoginFlowSuccess(authenticationSession, context, wasFirstBrokerLogin, parsedCode.clientSessionCode); return afterPostBrokerLoginFlowSuccess(authenticationSession, context, wasFirstBrokerLogin, parsedCode.clientSessionCode);
} catch (IdentityBrokerException e) { } catch (IdentityBrokerException e) {
return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e); return redirectToErrorPage(authenticationSession, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e);
} }
} }
@ -752,7 +752,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realmModel, authSession); UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realmModel, authSession);
if (!linkingUser.getId().equals(federatedUser.getId())) { if (!linkingUser.getId().equals(federatedUser.getId())) {
return redirectToErrorPage(Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, federatedUser.getUsername(), linkingUser.getUsername()); return redirectToErrorPage(authSession, Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, federatedUser.getUsername(), linkingUser.getUsername());
} }
SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE); SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
@ -866,7 +866,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
} }
if (!authenticatedUser.hasRole(this.realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID).getRole(AccountRoles.MANAGE_ACCOUNT))) { if (!authenticatedUser.hasRole(this.realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID).getRole(AccountRoles.MANAGE_ACCOUNT))) {
return redirectToErrorPage(Messages.INSUFFICIENT_PERMISSION); return redirectToErrorPage(authSession, Messages.INSUFFICIENT_PERMISSION);
} }
if (!authenticatedUser.isEnabled()) { if (!authenticatedUser.isEnabled()) {
@ -919,7 +919,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
if (authSession.getClient() != null && authSession.getClient().getClientId().equals(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID)) { if (authSession.getClient() != null && authSession.getClient().getClientId().equals(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID)) {
return redirectToAccountErrorPage(authSession, message, parameters); return redirectToAccountErrorPage(authSession, message, parameters);
} else { } else {
return redirectToErrorPage(message, parameters); // Should rather redirect to app instead and display error here? return redirectToErrorPage(authSession, message, parameters); // Should rather redirect to app instead and display error here?
} }
} }
@ -1057,11 +1057,15 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
return Urls.identityProviderAuthnResponse(this.uriInfo.getBaseUri(), providerId, this.realmModel.getName()).toString(); return Urls.identityProviderAuthnResponse(this.uriInfo.getBaseUri(), providerId, this.realmModel.getName()).toString();
} }
private Response redirectToErrorPage(AuthenticationSessionModel authSession,String message, Object ... parameters) {
return redirectToErrorPage(authSession, message, null, parameters);
}
private Response redirectToErrorPage(String message, Object ... parameters) { private Response redirectToErrorPage(String message, Object ... parameters) {
return redirectToErrorPage(message, null, parameters); return redirectToErrorPage(null, message, null, parameters);
} }
private Response redirectToErrorPage(String message, Throwable throwable, Object ... parameters) { private Response redirectToErrorPage(AuthenticationSessionModel authSession, String message, Throwable throwable, Object ... parameters) {
if (message == null) { if (message == null) {
message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR; message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR;
} }
@ -1073,7 +1077,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
return webEx.getResponse(); return webEx.getResponse();
} }
return ErrorPage.error(this.session, message, parameters); return ErrorPage.error(this.session, authSession, message, parameters);
} }
private Response redirectToAccountErrorPage(AuthenticationSessionModel authSession, String message, Object ... parameters) { private Response redirectToAccountErrorPage(AuthenticationSessionModel authSession, String message, Object ... parameters) {

18
services/src/main/java/org/keycloak/services/resources/LoginActionsService.java
View file

@ -340,7 +340,7 @@ public class LoginActionsService {
if (!realm.isResetPasswordAllowed()) { if (!realm.isResetPasswordAllowed()) {
event.event(EventType.RESET_PASSWORD); event.event(EventType.RESET_PASSWORD);
event.error(Errors.NOT_ALLOWED); event.error(Errors.NOT_ALLOWED);
return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); return ErrorPage.error(session, authSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
} }
authSession = createAuthenticationSessionForClient(); authSession = createAuthenticationSessionForClient();
@ -384,7 +384,7 @@ public class LoginActionsService {
if (!realm.isResetPasswordAllowed()) { if (!realm.isResetPasswordAllowed()) {
event.error(Errors.NOT_ALLOWED); event.error(Errors.NOT_ALLOWED);
return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED); return ErrorPage.error(session, authSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
} }
@ -553,7 +553,7 @@ public class LoginActionsService {
} else if (RESET_CREDENTIALS_PATH.equals(flowPath)) { } else if (RESET_CREDENTIALS_PATH.equals(flowPath)) {
return processResetCredentials(false, null, authSession, errorMessage); return processResetCredentials(false, null, authSession, errorMessage);
} else { } else {
return ErrorPage.error(session, errorMessage == null ? Messages.INVALID_REQUEST : errorMessage); return ErrorPage.error(session, authSession, errorMessage == null ? Messages.INVALID_REQUEST : errorMessage);
} }
} }
@ -577,7 +577,7 @@ public class LoginActionsService {
event event
.detail(Details.REASON, ex == null ? "<unknown>" : ex.getMessage()) .detail(Details.REASON, ex == null ? "<unknown>" : ex.getMessage())
.error(eventError == null ? Errors.INVALID_CODE : eventError); .error(eventError == null ? Errors.INVALID_CODE : eventError);
return ErrorPage.error(session, errorMessage == null ? Messages.INVALID_CODE : errorMessage); return ErrorPage.error(session, null, errorMessage == null ? Messages.INVALID_CODE : errorMessage);
} }
protected Response processResetCredentials(boolean actionRequest, String execution, AuthenticationSessionModel authSession, String errorMessage) { protected Response processResetCredentials(boolean actionRequest, String execution, AuthenticationSessionModel authSession, String errorMessage) {
@ -626,7 +626,7 @@ public class LoginActionsService {
event.event(EventType.REGISTER); event.event(EventType.REGISTER);
if (!realm.isRegistrationAllowed()) { if (!realm.isRegistrationAllowed()) {
event.error(Errors.REGISTRATION_DISABLED); event.error(Errors.REGISTRATION_DISABLED);
return ErrorPage.error(session, Messages.REGISTRATION_NOT_ALLOWED); return ErrorPage.error(session, null, Messages.REGISTRATION_NOT_ALLOWED);
} }
SessionCodeChecks checks = checksForCode(code, execution, clientId, REGISTRATION_PATH); SessionCodeChecks checks = checksForCode(code, execution, clientId, REGISTRATION_PATH);
@ -692,7 +692,7 @@ public class LoginActionsService {
SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, noteKey); SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, noteKey);
if (serializedCtx == null) { if (serializedCtx == null) {
ServicesLogger.LOGGER.notFoundSerializedCtxInClientSession(noteKey); ServicesLogger.LOGGER.notFoundSerializedCtxInClientSession(noteKey);
throw new WebApplicationException(ErrorPage.error(session, "Not found serialized context in authenticationSession.")); throw new WebApplicationException(ErrorPage.error(session, authSession, "Not found serialized context in authenticationSession."));
} }
BrokeredIdentityContext brokerContext = serializedCtx.deserialize(session, authSession); BrokeredIdentityContext brokerContext = serializedCtx.deserialize(session, authSession);
final String identityProviderAlias = brokerContext.getIdpConfig().getAlias(); final String identityProviderAlias = brokerContext.getIdpConfig().getAlias();
@ -700,12 +700,12 @@ public class LoginActionsService {
String flowId = firstBrokerLogin ? brokerContext.getIdpConfig().getFirstBrokerLoginFlowId() : brokerContext.getIdpConfig().getPostBrokerLoginFlowId(); String flowId = firstBrokerLogin ? brokerContext.getIdpConfig().getFirstBrokerLoginFlowId() : brokerContext.getIdpConfig().getPostBrokerLoginFlowId();
if (flowId == null) { if (flowId == null) {
ServicesLogger.LOGGER.flowNotConfigForIDP(identityProviderAlias); ServicesLogger.LOGGER.flowNotConfigForIDP(identityProviderAlias);
throw new WebApplicationException(ErrorPage.error(session, "Flow not configured for identity provider")); throw new WebApplicationException(ErrorPage.error(session, authSession, "Flow not configured for identity provider"));
} }
AuthenticationFlowModel brokerLoginFlow = realm.getAuthenticationFlowById(flowId); AuthenticationFlowModel brokerLoginFlow = realm.getAuthenticationFlowById(flowId);
if (brokerLoginFlow == null) { if (brokerLoginFlow == null) {
ServicesLogger.LOGGER.flowNotFoundForIDP(flowId, identityProviderAlias); ServicesLogger.LOGGER.flowNotFoundForIDP(flowId, identityProviderAlias);
throw new WebApplicationException(ErrorPage.error(session, "Flow not found for identity provider")); throw new WebApplicationException(ErrorPage.error(session, authSession, "Flow not found for identity provider"));
} }
event.detail(Details.IDENTITY_PROVIDER, identityProviderAlias) event.detail(Details.IDENTITY_PROVIDER, identityProviderAlias)
@ -886,7 +886,7 @@ public class LoginActionsService {
if (factory == null) { if (factory == null) {
ServicesLogger.LOGGER.actionProviderNull(); ServicesLogger.LOGGER.actionProviderNull();
event.error(Errors.INVALID_CODE); event.error(Errors.INVALID_CODE);
throw new WebApplicationException(ErrorPage.error(session, Messages.INVALID_CODE)); throw new WebApplicationException(ErrorPage.error(session, authSession, Messages.INVALID_CODE));
} }
RequiredActionProvider provider = factory.create(session); RequiredActionProvider provider = factory.create(session);

2
services/src/main/java/org/keycloak/services/resources/LoginActionsServiceChecks.java
View file

@ -116,7 +116,7 @@ public class LoginActionsServiceChecks {
UserSessionModel userSession = context.getSession().sessions().getUserSession(context.getRealm(), authSessionId); UserSessionModel userSession = context.getSession().sessions().getUserSession(context.getRealm(), authSessionId);
if (userSession != null) { if (userSession != null) {
LoginFormsProvider loginForm = context.getSession().getProvider(LoginFormsProvider.class) LoginFormsProvider loginForm = context.getSession().getProvider(LoginFormsProvider.class).setAuthenticationSession(context.getAuthenticationSession())
.setSuccess(Messages.ALREADY_LOGGED_IN); .setSuccess(Messages.ALREADY_LOGGED_IN);
if (context.getSession().getContext().getClient() == null) { if (context.getSession().getContext().getClient() == null) {

14
services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java
View file

@ -123,12 +123,12 @@ public class SessionCodeChecks {
// Basic realm checks // Basic realm checks
if (!checkSsl()) { if (!checkSsl()) {
event.error(Errors.SSL_REQUIRED); event.error(Errors.SSL_REQUIRED);
response = ErrorPage.error(session, Messages.HTTPS_REQUIRED); response = ErrorPage.error(session, null, Messages.HTTPS_REQUIRED);
return null; return null;
} }
if (!realm.isEnabled()) { if (!realm.isEnabled()) {
event.error(Errors.REALM_DISABLED); event.error(Errors.REALM_DISABLED);
response = ErrorPage.error(session, Messages.REALM_NOT_ENABLED); response = ErrorPage.error(session, null, Messages.REALM_NOT_ENABLED);
return null; return null;
} }
@ -154,7 +154,7 @@ public class SessionCodeChecks {
UserSessionModel userSession = session.sessions().getUserSession(realm, sessionId); UserSessionModel userSession = session.sessions().getUserSession(realm, sessionId);
if (userSession != null) { if (userSession != null) {
LoginFormsProvider loginForm = session.getProvider(LoginFormsProvider.class) LoginFormsProvider loginForm = session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSession)
.setSuccess(Messages.ALREADY_LOGGED_IN); .setSuccess(Messages.ALREADY_LOGGED_IN);
if (client == null) { if (client == null) {
@ -190,7 +190,7 @@ public class SessionCodeChecks {
ClientModel client = authSession.getClient(); ClientModel client = authSession.getClient();
if (client == null) { if (client == null) {
event.error(Errors.CLIENT_NOT_FOUND); event.error(Errors.CLIENT_NOT_FOUND);
response = ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER); response = ErrorPage.error(session, authSession, Messages.UNKNOWN_LOGIN_REQUESTER);
clientCode.removeExpiredClientSession(); clientCode.removeExpiredClientSession();
return false; return false;
} }
@ -200,7 +200,7 @@ public class SessionCodeChecks {
if (!client.isEnabled()) { if (!client.isEnabled()) {
event.error(Errors.CLIENT_DISABLED); event.error(Errors.CLIENT_DISABLED);
response = ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED); response = ErrorPage.error(session,authSession, Messages.LOGIN_REQUESTER_NOT_ENABLED);
clientCode.removeExpiredClientSession(); clientCode.removeExpiredClientSession();
return false; return false;
} }
@ -285,7 +285,7 @@ public class SessionCodeChecks {
return false; return false;
} else { } else {
logger.errorf("Bad action. Expected action '%s', current action '%s'", expectedAction, authSession.getAction()); logger.errorf("Bad action. Expected action '%s', current action '%s'", expectedAction, authSession.getAction());
response = ErrorPage.error(session, Messages.EXPIRED_CODE); response = ErrorPage.error(session, authSession, Messages.EXPIRED_CODE);
return false; return false;
} }
} }
@ -370,7 +370,7 @@ public class SessionCodeChecks {
} else { } else {
// Finally need to show error as all the fallbacks failed // Finally need to show error as all the fallbacks failed
event.error(Errors.INVALID_CODE); event.error(Errors.INVALID_CODE);
return ErrorPage.error(session, Messages.INVALID_CODE); return ErrorPage.error(session, authSession, Messages.INVALID_CODE);
} }
} }

3
services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
View file

@ -833,6 +833,9 @@ public class RealmAdminResource {
if (user.getEmail() == null) { if (user.getEmail() == null) {
return ErrorResponse.error("Logged in user does not have an e-mail.", Response.Status.INTERNAL_SERVER_ERROR); return ErrorResponse.error("Logged in user does not have an e-mail.", Response.Status.INTERNAL_SERVER_ERROR);
} }
if (ComponentRepresentation.SECRET_VALUE.equals(settings.get("password"))) {
settings.put("password", realm.getSmtpConfig().get("password"));
}
session.getProvider(EmailTemplateProvider.class).sendSmtpTestEmail(settings, user); session.getProvider(EmailTemplateProvider.class).sendSmtpTestEmail(settings, user);
} catch (Exception e) { } catch (Exception e) {
e.printStackTrace(); e.printStackTrace();

2
services/src/main/java/org/keycloak/services/util/AuthenticationFlowURLHelper.java
View file

@ -56,7 +56,7 @@ public class AuthenticationFlowURLHelper {
logger.debugf("Redirecting to 'page expired' now. Will use last step URL: %s", lastStepUrl); logger.debugf("Redirecting to 'page expired' now. Will use last step URL: %s", lastStepUrl);
return session.getProvider(LoginFormsProvider.class) return session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSession)
.setActionUri(lastStepUrl) .setActionUri(lastStepUrl)
.setExecution(getExecutionId(authSession)) .setExecution(getExecutionId(authSession))
.createLoginExpiredPage(); .createLoginExpiredPage();

7
services/src/main/java/org/keycloak/social/twitter/TwitterIdentityProvider.java
View file

@ -191,14 +191,13 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
return callback.cancelled(state); return callback.cancelled(state);
} }
Response errorResponse = null; AuthenticationSessionModel authSession = null;
try { try {
Twitter twitter = new TwitterFactory().getInstance(); Twitter twitter = new TwitterFactory().getInstance();
twitter.setOAuthConsumer(getConfig().getClientId(), getConfig().getClientSecret()); twitter.setOAuthConsumer(getConfig().getClientId(), getConfig().getClientSecret());
AuthenticationSessionModel authSession = ClientSessionCode.getClientSession(state, session, realm, event, AuthenticationSessionModel.class); authSession = ClientSessionCode.getClientSession(state, session, realm, event, AuthenticationSessionModel.class);
String twitterToken = authSession.getAuthNote(TWITTER_TOKEN); String twitterToken = authSession.getAuthNote(TWITTER_TOKEN);
String twitterSecret = authSession.getAuthNote(TWITTER_TOKENSECRET); String twitterSecret = authSession.getAuthNote(TWITTER_TOKENSECRET);
@ -239,7 +238,7 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
} catch (Exception e) { } catch (Exception e) {
logger.error("Could get user profile from twitter.", e); logger.error("Could get user profile from twitter.", e);
sendErrorEvent(); sendErrorEvent();
return ErrorPage.error(session, Messages.UNEXPECTED_ERROR_HANDLING_RESPONSE); return ErrorPage.error(session, authSession, Messages.UNEXPECTED_ERROR_HANDLING_RESPONSE);
} }
} }

49
testsuite/integration-arquillian/HOW-TO-RUN.md
View file

@ -446,39 +446,64 @@ and argument: `-p 8181`
## Cross-DC tests ## Cross-DC tests
Cross-DC tests use 2 data centers, each with one automatically started and one manually controlled backend servers Cross-DC tests use 2 data centers, each with one automatically started and one manually controlled backend servers,
(currently only Keycloak on Undertow), and 1 frontend loadbalancer server node that sits in front of all servers. and 1 frontend loadbalancer server node that sits in front of all servers.
The browser usually communicates directly with the frontent node and the test controls where the HTTP requests The browser usually communicates directly with the frontent node and the test controls where the HTTP requests
land by adjusting load balancer configuration (e.g. to direct the traffic to only a single DC). land by adjusting load balancer configuration (e.g. to direct the traffic to only a single DC).
For an example of a test, see [org.keycloak.testsuite.crossdc.ActionTokenCrossDCTest](tests/base/src/test/java/org/keycloak/testsuite/crossdc/ActionTokenCrossDCTest.java). For an example of a test, see [org.keycloak.testsuite.crossdc.ActionTokenCrossDCTest](tests/base/src/test/java/org/keycloak/testsuite/crossdc/ActionTokenCrossDCTest.java).
The cross DC requires setting a profile specifying used cache server (currently only Infinispan) by specifying The cross DC requires setting a profile specifying used cache server by specifying
`cache-server-infinispan` profile in maven. `cache-server-infinispan` or `cache-server-jdg` profile in maven.
#### Run Cross-DC Tests from Maven #### Run Cross-DC Tests from Maven
First compile the Infinispan/JDG test server via the following command: a) First compile the Infinispan/JDG test server via the following command:
`mvn -Pcache-server-infinispan -f testsuite/integration-arquillian -DskipTests clean install` `mvn -Pcache-server-infinispan,auth-servers-crossdc-undertow -f testsuite/integration-arquillian -DskipTests clean install`
or or
`mvn -Pcache-server-jdg -f testsuite/integration-arquillian -DskipTests clean install` `mvn -Pcache-server-jdg,auth-servers-crossdc-undertow -f testsuite/integration-arquillian -DskipTests clean install`
Then you can run the tests using the following command (adjust the test specification according to your needs): b) Then in case you want to use **JBoss-based** Keycloak backend containers instead of containers on Embedded Undertow run following command:
`mvn -Pcache-server-infinispan -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base test` `mvn -Pauth-servers-crossdc-jboss,auth-server-wildfly -f testsuite/integration-arquillian -DskipTests clean install`
*note: 'auth-server-wildfly' can be replaced by 'auth-server-eap'*
By default JBoss-based containers use in-memory h2 database. It can be configured to use real DB, e.g. with following command:
`mvn -Pauth-servers-crossdc-jboss,auth-server-wildfly,jpa -f testsuite/integration-arquillian -DskipTests clean install -Djdbc.mvn.groupId=org.mariadb.jdbc -Djdbc.mvn.artifactId=mariadb-java-client -Djdbc.mvn.version=2.0.3 -Dkeycloak.connectionsJpa.url=jdbc:mariadb://localhost:3306/keycloak -Dkeycloak.connectionsJpa.password=keycloak -Dkeycloak.connectionsJpa.user=keycloak`
c1) Then you can run the tests using the following command (adjust the test specification according to your needs) for Keycloak backend containers on **Undertow**:
`mvn -Pcache-server-infinispan,auth-servers-crossdc-undertow -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base clean install`
or or
`mvn -Pcache-server-jdg -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base test` `mvn -Pcache-server-jdg,auth-servers-crossdc-undertow -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base clean install`
c2) For **JBoss-based** Keycloak backend containers:
`mvn -Pcache-server-infinispan,auth-servers-crossdc-jboss,auth-server-wildfly -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base clean install`
or
`mvn -Pcache-server-jdg,auth-servers-crossdc-jboss,auth-server-wildfly -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base clean install`
*note: 'auth-server-wildfly can be replaced by auth-server-eap'*
**note**
Previous commands can be "squashed" into one. E.g.:
`mvn -f testsuite/integration-arquillian clean install -Dtest=*.crossdc.* -Djdbc.mvn.groupId=org.mariadb.jdbc -Djdbc.mvn.artifactId=mariadb-java-client -Djdbc.mvn.version=2.0.3 -Dkeycloak.connectionsJpa.url=jdbc:mariadb://localhost:3306/keycloak -Dkeycloak.connectionsJpa.password=keycloak -Dkeycloak.connectionsJpa.user=keycloak -Pcache-server-infinispan,auth-servers-crossdc-jboss,auth-server-wildfly,jpa clean install`
It can be useful to add additional system property to enable logging: It can be useful to add additional system property to enable logging:
-Dkeycloak.infinispan.logging.level=debug -Dkeycloak.infinispan.logging.level=debug
Tests from package "manual" uses manual lifecycle for all servers, so needs to be executed manually. Also needs to be executed with real DB like MySQL. You can run them with: **Tests from package "manual"** uses manual lifecycle for all servers, so needs to be executed manually. Also needs to be executed with real DB like MySQL. You can run them with:
mvn -Pcache-server-infinispan -Dtest=*.crossdc.manual.* -Dmanual.mode=true \ mvn -Pcache-server-infinispan -Dtest=*.crossdc.manual.* -Dmanual.mode=true \
-Dkeycloak.connectionsJpa.url.crossdc=jdbc:mysql://localhost/keycloak -Dkeycloak.connectionsJpa.driver.crossdc=com.mysql.jdbc.Driver \ -Dkeycloak.connectionsJpa.url.crossdc=jdbc:mysql://localhost/keycloak -Dkeycloak.connectionsJpa.driver.crossdc=com.mysql.jdbc.Driver \

4
testsuite/integration-arquillian/pom.xml
View file

@ -45,7 +45,7 @@
<selenium.version>3.5.3</selenium.version> <selenium.version>3.5.3</selenium.version>
<arquillian-drone.version>2.4.2</arquillian-drone.version> <arquillian-drone.version>2.4.2</arquillian-drone.version>
<arquillian-graphene.version>2.3.1</arquillian-graphene.version> <arquillian-graphene.version>2.3.1</arquillian-graphene.version>
<arquillian-wildfly-container.version>2.1.0.Beta1</arquillian-wildfly-container.version> <arquillian-wildfly-container.version>2.1.0.Final</arquillian-wildfly-container.version>
<arquillian-wls-container.version>1.0.1.Final</arquillian-wls-container.version> <arquillian-wls-container.version>1.0.1.Final</arquillian-wls-container.version>
<arquillian-infinispan-container.version>1.2.0.Beta2</arquillian-infinispan-container.version> <arquillian-infinispan-container.version>1.2.0.Beta2</arquillian-infinispan-container.version>
<version.shrinkwrap.resolvers>2.2.6</version.shrinkwrap.resolvers> <version.shrinkwrap.resolvers>2.2.6</version.shrinkwrap.resolvers>
@ -56,7 +56,7 @@
<migration.70.version>1.9.8.Final</migration.70.version> <migration.70.version>1.9.8.Final</migration.70.version>
<migration.70.authz.version>2.2.1.Final</migration.70.authz.version> <migration.70.authz.version>2.2.1.Final</migration.70.authz.version>
<migration.71.version>2.5.5.Final</migration.71.version> <migration.71.version>2.5.5.Final</migration.71.version>
<maven.compiler.target>1.8</maven.compiler.target> <maven.compiler.target>1.8</maven.compiler.target>
<maven.compiler.source>1.8</maven.compiler.source> <maven.compiler.source>1.8</maven.compiler.source>
</properties> </properties>

2
testsuite/integration-arquillian/servers/app-server/jboss/common/install-adapters.sh
View file

@ -26,6 +26,8 @@ do
if [ "$ELYTRON_SUPPORTED" = true ]; then if [ "$ELYTRON_SUPPORTED" = true ]; then
./jboss-cli.sh -c --file="adapter-elytron-install.cli" ./jboss-cli.sh -c --file="adapter-elytron-install.cli"
else
./jboss-cli.sh -c --command="/subsystem=elytron:remove"
fi fi
if [ $? -ne 0 ]; then RESULT=1; fi if [ $? -ne 0 ]; then RESULT=1; fi

129
testsuite/integration-arquillian/servers/auth-server/jboss/common/crossdc/cross-dc-setup.cli Normal file
View file

@ -0,0 +1,129 @@
embed-server --server-config=standalone-ha.xml
echo **** Begin ****
echo *** Update jgoups subsystem ***
/subsystem=jgroups/stack=udp/transport=UDP:write-attribute(name=site, value=${jboss.site.name})
echo *** Update infinispan subsystem ***
/subsystem=infinispan/cache-container=keycloak:write-attribute(name=module, value=org.keycloak.keycloak-model-infinispan)
echo ** Update replicated-cache work element **
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work/store=custom:add( \
class=org.keycloak.models.sessions.infinispan.remotestore.KeycloakRemoteStoreConfigurationBuilder, \
passivation=false, \
fetch-state=false, \
purge=false, \
preload=false, \
shared=true \
)
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work/store=custom:write-attribute( \
name=properties, value={ \
rawValues=true, \
marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, \
transportFactory=org.keycloak.models.sessions.infinispan.remotestore.KeycloakTcpTransportFactory, \
remoteServers=localhost:${remote.cache.port}, \
remoteCacheName=work, \
sessionCache=false \
} \
)
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work:write-attribute(name=statistics-enabled,value=true)
echo ** Update distributed-cache sessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions/store=custom:add( \
class=org.keycloak.models.sessions.infinispan.remotestore.KeycloakRemoteStoreConfigurationBuilder, \
passivation=false, \
fetch-state=false, \
purge=false, \
preload=false, \
shared=true \
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions/store=custom:write-attribute( \
name=properties, value={ \
remoteCacheName=sessions, \
useConfigTemplateFromCache=work, \
sessionCache=true \
} \
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=statistics-enabled,value=true)
echo ** Update distributed-cache offlineSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions/store=custom:add( \
class=org.keycloak.models.sessions.infinispan.remotestore.KeycloakRemoteStoreConfigurationBuilder, \
passivation=false, \
fetch-state=false, \
purge=false, \
preload=false, \
shared=true \
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions/store=custom:write-attribute( \
name=properties, value={ \
remoteCacheName=offlineSessions, \
useConfigTemplateFromCache=work, \
sessionCache=true \
} \
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=statistics-enabled,value=true)
echo ** Update distributed-cache loginFailures element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures/store=custom:add( \
class=org.keycloak.models.sessions.infinispan.remotestore.KeycloakRemoteStoreConfigurationBuilder, \
passivation=false, \
fetch-state=false, \
purge=false, \
preload=false, \
shared=true \
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures/store=custom:write-attribute( \
name=properties, value={ \
remoteCacheName=loginFailures, \
useConfigTemplateFromCache=work, \
sessionCache=true \
} \
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=statistics-enabled,value=true)
echo ** Update distributed-cache actionTokens element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens/store=custom:add( \
class=org.keycloak.models.sessions.infinispan.remotestore.KeycloakRemoteStoreConfigurationBuilder, \
passivation=false, \
fetch-state=false, \
purge=false, \
preload=true, \
shared=true \
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens/store=custom:write-attribute( \
name=properties, value={ \
remoteCacheName=actionTokens, \
useConfigTemplateFromCache=work, \
sessionCache=false \
} \
)
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=statistics-enabled,value=true)
echo ** Update distributed-cache authenticationSessions element **
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=statistics-enabled,value=true)
echo *** Enable debug logging ***
/subsystem=logging/logger=org.keycloak.cluster.infinispan:add(level=DEBUG)
/subsystem=logging/logger=org.keycloak.connections.infinispan:add(level=DEBUG)
/subsystem=logging/logger=org.keycloak.models.cache.infinispan:add(level=DEBUG)
/subsystem=logging/logger=org.keycloak.models.sessions.infinispan:add(level=DEBUG)
echo *** Update undertow subsystem ***
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
echo **** End ****

9
testsuite/integration-arquillian/servers/auth-server/jboss/eap/pom.xml
View file

@ -26,11 +26,11 @@
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<packaging>pom</packaging> <packaging>pom</packaging>
<artifactId>integration-arquillian-servers-auth-server-eap</artifactId> <artifactId>integration-arquillian-servers-auth-server-eap</artifactId>
<name>Auth Server - JBoss - EAP</name> <name>Auth Server - JBoss - EAP</name>
<properties> <properties>
<auth.server.jboss>eap</auth.server.jboss> <auth.server.jboss>eap</auth.server.jboss>
<auth.server.home>${project.build.directory}/unpacked/${product.unpacked.folder.name}</auth.server.home> <auth.server.home>${project.build.directory}/unpacked/${product.unpacked.folder.name}</auth.server.home>
@ -57,6 +57,7 @@
<goal>enforce</goal> <goal>enforce</goal>
</goals> </goals>
<configuration> <configuration>
<skip>false</skip>
<rules> <rules>
<requireProperty> <requireProperty>
<property>product.version</property> <property>product.version</property>
@ -71,5 +72,5 @@
</plugin> </plugin>
</plugins> </plugins>
</build> </build>
</project> </project>

115
testsuite/integration-arquillian/servers/auth-server/jboss/pom.xml
View file

@ -191,6 +191,7 @@
<dir>${auth.server.home}/standalone/configuration</dir> <dir>${auth.server.home}/standalone/configuration</dir>
<includes> <includes>
<include>standalone.xml</include> <include>standalone.xml</include>
<include>standalone-ha.xml</include>
</includes> </includes>
<stylesheet>${common.resources}/keycloak-server-subsystem.xsl</stylesheet> <stylesheet>${common.resources}/keycloak-server-subsystem.xsl</stylesheet>
<outputDir>${auth.server.home}/standalone/configuration</outputDir> <outputDir>${auth.server.home}/standalone/configuration</outputDir>
@ -575,6 +576,120 @@
</pluginManagement> </pluginManagement>
</build> </build>
</profile> </profile>
<profile>
<id>auth-servers-crossdc-jboss</id>
<properties>
<crossdc.jboss.jdbc.url>jdbc:h2:tcp://localhost:9092/mem:keycloak-dc-shared;DB_CLOSE_DELAY=-1</crossdc.jboss.jdbc.url>
</properties>
<build>
<plugins>
<plugin>
<artifactId>maven-enforcer-plugin</artifactId>
<configuration>
<skip>true</skip>
</configuration>
</plugin>
</plugins>
<pluginManagement>
<plugins>
<plugin>
<artifactId>maven-enforcer-plugin</artifactId>
<executions>
<execution>
<id>enforce-profile-activation</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<requireProperty>
<property>auth.server.jboss</property>
<message>Profile "auth-servers-crossdc-jboss" requires activation of another profile: either "auth-server-wildfly" or "auth-server-eap".</message>
<regex>(wildfly|eap)</regex>
</requireProperty>
</rules>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>xml-maven-plugin</artifactId>
<executions>
<execution>
<id>jpa-h2-tcp</id>
<phase>process-resources</phase>
<goals>
<goal>transform</goal>
</goals>
<configuration>
<skip>${skip.h2.tcp}</skip>
<transformationSets>
<transformationSet>
<dir>${auth.server.home}/standalone/configuration</dir>
<includes>
<include>standalone-ha.xml</include>
</includes>
<stylesheet>${common.resources}/datasource-jdbc-url.xsl</stylesheet>
<outputDir>${auth.server.home}/standalone/configuration</outputDir>
<parameters>
<parameter>
<name>pool.name</name>
<value>KeycloakDS</value>
</parameter>
<parameter>
<name>jdbc.url</name>
<value>${crossdc.jboss.jdbc.url}</value>
</parameter>
</parameters>
</transformationSet>
</transformationSets>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<executions>
<execution>
<id>crossdc-setup</id>
<phase>process-resources</phase>
<goals>
<goal>exec</goal>
</goals>
<configuration>
<executable>${auth.server.home}/bin/jboss-cli.sh</executable>
<arguments>
<argument>--file=${common.resources}/crossdc/cross-dc-setup.cli</argument>
</arguments>
</configuration>
</execution>
<execution>
<id>remove-temp-data-crossdc-setup</id>
<phase>process-resources</phase>
<goals>
<goal>exec</goal>
</goals>
<configuration>
<workingDirectory>${auth.server.home}/standalone/</workingDirectory>
<executable>rm</executable>
<arguments>
<argument>-rf</argument>
<argument>data</argument>
<argument>log</argument>
<argument>tmp</argument>
</arguments>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</pluginManagement>
</build>
</profile>
<profile> <profile>
<id>auth-server-cluster</id> <id>auth-server-cluster</id>
<properties> <properties>

19
testsuite/integration-arquillian/servers/auth-server/jboss/wildfly/pom.xml
View file

@ -26,9 +26,9 @@
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<packaging>pom</packaging> <packaging>pom</packaging>
<artifactId>integration-arquillian-servers-auth-server-wildfly</artifactId> <artifactId>integration-arquillian-servers-auth-server-wildfly</artifactId>
<name>Auth Server - JBoss - Wildfly</name> <name>Auth Server - JBoss - Wildfly</name>
<dependencies> <dependencies>
@ -38,9 +38,20 @@
<type>zip</type> <type>zip</type>
</dependency> </dependency>
</dependencies> </dependencies>
<properties> <properties>
<auth.server.jboss>wildfly</auth.server.jboss> <auth.server.jboss>wildfly</auth.server.jboss>
</properties> </properties>
<build>
<plugins>
<plugin>
<artifactId>maven-enforcer-plugin</artifactId>
<configuration>
<skip>false</skip>
</configuration>
</plugin>
</plugins>
</build>
</project> </project>

1
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/resources/org/keycloak/testsuite/integration-arquillian-testsuite-providers/main/module.xml
View file

@ -33,6 +33,7 @@
<module name="org.keycloak.keycloak-model-infinispan"/> <module name="org.keycloak.keycloak-model-infinispan"/>
<module name="org.keycloak.keycloak-model-jpa"/> <module name="org.keycloak.keycloak-model-jpa"/>
<module name="org.infinispan"/> <module name="org.infinispan"/>
<module name="org.infinispan.client.hotrod"/>
<module name="org.jboss.logging"/> <module name="org.jboss.logging"/>
<module name="org.jboss.resteasy.resteasy-jaxrs"/> <module name="org.jboss.resteasy.resteasy-jaxrs"/>
<module name="javax.persistence.api"/> <module name="javax.persistence.api"/>

53
testsuite/integration-arquillian/servers/auth-server/undertow/src/main/java/org/keycloak/testsuite/arquillian/undertow/lb/SimpleUndertowLoadBalancer.java
View file

@ -17,7 +17,12 @@
package org.keycloak.testsuite.arquillian.undertow.lb; package org.keycloak.testsuite.arquillian.undertow.lb;
import java.lang.reflect.Field;
import java.net.URI; import java.net.URI;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
@ -34,6 +39,7 @@ import io.undertow.server.handlers.proxy.ProxyHandler;
import io.undertow.util.AttachmentKey; import io.undertow.util.AttachmentKey;
import io.undertow.util.Headers; import io.undertow.util.Headers;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.common.util.reflections.Reflections;
import org.keycloak.services.managers.AuthenticationSessionManager; import org.keycloak.services.managers.AuthenticationSessionManager;
import java.util.LinkedHashMap; import java.util.LinkedHashMap;
import java.util.StringTokenizer; import java.util.StringTokenizer;
@ -94,7 +100,7 @@ public class SimpleUndertowLoadBalancer {
.build(); .build();
undertow.start(); undertow.start();
log.infof("Loadbalancer started and ready to serve requests on http://%s:%d", host, port); log.infof("#### Loadbalancer started and ready to serve requests on http://%s:%d ####", host, port);
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
@ -110,11 +116,12 @@ public class SimpleUndertowLoadBalancer {
lb.removeHost(uri); lb.removeHost(uri);
lb.addHost(uri, route); lb.addHost(uri, route);
}); });
log.infof("Load balancer: enable all nodes. All enabled nodes: %s", lb.toString());
} }
public void disableAllBackendNodes() { public void disableAllBackendNodes() {
log.debugf("Load balancer: disabling all nodes");
backendNodes.values().forEach(lb::removeHost); backendNodes.values().forEach(lb::removeHost);
log.infof("Load balancer: disabling all nodes");
} }
public void enableBackendNodeByName(String nodeName) { public void enableBackendNodeByName(String nodeName) {
@ -122,8 +129,8 @@ public class SimpleUndertowLoadBalancer {
if (uri == null) { if (uri == null) {
throw new IllegalArgumentException("Invalid node: " + nodeName); throw new IllegalArgumentException("Invalid node: " + nodeName);
} }
log.debugf("Load balancer: enabling node %s", nodeName);
lb.addHost(uri, nodeName); lb.addHost(uri, nodeName);
log.infof("Load balancer: enabled node '%s', All enabled nodes: %s", nodeName, lb.toString());
} }
public void disableBackendNodeByName(String nodeName) { public void disableBackendNodeByName(String nodeName) {
@ -131,8 +138,8 @@ public class SimpleUndertowLoadBalancer {
if (uri == null) { if (uri == null) {
throw new IllegalArgumentException("Invalid node: " + nodeName); throw new IllegalArgumentException("Invalid node: " + nodeName);
} }
log.debugf("Load balancer: disabling node %s", nodeName);
lb.removeHost(uri); lb.removeHost(uri);
log.infof("Load balancer: disabled node '%s', All enabled nodes: %s", nodeName, lb.toString());
} }
static Map<String, URI> parseNodes(String nodes) { static Map<String, URI> parseNodes(String nodes) {
@ -225,6 +232,19 @@ public class SimpleUndertowLoadBalancer {
} }
// For now, overriden just this "addHost" method to avoid adding duplicates
@Override
public synchronized LoadBalancingProxyClient addHost(URI host, String jvmRoute) {
List<String> current = getCurrentHostRoutes();
if (current.contains(jvmRoute)) {
log.infof("Route '%s' already present. Skip adding", jvmRoute);
return this;
} else {
return super.addHost(host, jvmRoute);
}
}
@Override @Override
public void getConnection(ProxyTarget target, HttpServerExchange exchange, ProxyCallback<ProxyConnection> callback, long timeout, TimeUnit timeUnit) { public void getConnection(ProxyTarget target, HttpServerExchange exchange, ProxyCallback<ProxyConnection> callback, long timeout, TimeUnit timeUnit) {
long timeoutMs = timeUnit.toMillis(timeout); long timeoutMs = timeUnit.toMillis(timeout);
@ -233,6 +253,31 @@ public class SimpleUndertowLoadBalancer {
super.getConnection(target, exchange, callbackDelegate, timeout, timeUnit); super.getConnection(target, exchange, callbackDelegate, timeout, timeUnit);
} }
@Override
public String toString() {
return getCurrentHostRoutes().toString();
}
private List<String> getCurrentHostRoutes() {
Field hostsField = Reflections.findDeclaredField(LoadBalancingProxyClient.class, "hosts");
hostsField.setAccessible(true);
Host[] hosts = (Host[]) Reflections.getFieldValue(hostsField, this);
if (hosts == null) {
return Collections.emptyList();
}
List<String> hostRoutes = new LinkedList<>();
for (Host host : hosts) {
Field hostField = Reflections.findDeclaredField(Host.class, "jvmRoute");
hostField.setAccessible(true);
String route = Reflections.getFieldValue(hostField, host).toString();
hostRoutes.add(route);
}
return hostRoutes;
}
} }

7
testsuite/integration-arquillian/tests/base/pom.xml
View file

@ -228,6 +228,13 @@
</execution> </execution>
</executions> </executions>
</plugin> </plugin>
<plugin>
<artifactId>maven-antrun-plugin</artifactId>
<configuration>
<skip>false</skip>
</configuration>
</plugin>
</plugins> </plugins>
</build> </build>

22
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/AuthServerTestEnricher.java
View file

@ -135,6 +135,11 @@ public class AuthServerTestEnricher {
return managementClient; return managementClient;
} }
public void distinguishContainersInConsoleOutput(@Observes(precedence = 5) StartContainer event) {
log.info("*****************************************************************"
+ "*****************************************************************************");
}
public void initializeSuiteContext(@Observes(precedence = 2) BeforeSuite event) { public void initializeSuiteContext(@Observes(precedence = 2) BeforeSuite event) {
Set<ContainerInfo> containers = containerRegistry.get().getContainers().stream() Set<ContainerInfo> containers = containerRegistry.get().getContainers().stream()
@ -165,15 +170,16 @@ public class AuthServerTestEnricher {
} }
containers.stream() containers.stream()
.filter(c -> c.getQualifier().startsWith(AUTH_SERVER_CONTAINER + "-cross-dc-")) .filter(c -> c.getQualifier().startsWith("auth-server-" + System.getProperty("node.name") + "-"))
.sorted((a, b) -> a.getQualifier().compareTo(b.getQualifier())) .sorted((a, b) -> a.getQualifier().compareTo(b.getQualifier()))
.forEach(c -> { .forEach(c -> {
String portOffsetString = c.getArquillianContainer().getContainerConfiguration().getContainerProperties().getOrDefault("bindHttpPortOffset", "0"); String portOffsetString = c.getArquillianContainer().getContainerConfiguration().getContainerProperties().getOrDefault("bindHttpPortOffset", "0");
String dcString = c.getArquillianContainer().getContainerConfiguration().getContainerProperties().getOrDefault("dataCenter", "0"); updateWithAuthServerInfo(c, Integer.valueOf(portOffsetString));
updateWithAuthServerInfo(c, Integer.valueOf(portOffsetString));
suiteContext.addAuthServerBackendsInfo(Integer.valueOf(dcString), c);
});
String dcString = c.getArquillianContainer().getContainerConfiguration().getContainerProperties().getOrDefault("dataCenter", "0");
suiteContext.addAuthServerBackendsInfo(Integer.valueOf(dcString), c);
});
containers.stream() containers.stream()
.filter(c -> c.getQualifier().startsWith("cache-server-cross-dc-")) .filter(c -> c.getQualifier().startsWith("cache-server-cross-dc-"))
.sorted((a, b) -> a.getQualifier().compareTo(b.getQualifier())) .sorted((a, b) -> a.getQualifier().compareTo(b.getQualifier()))

188
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/CacheStatisticsControllerEnricher.java
View file

@ -1,23 +1,18 @@
package org.keycloak.testsuite.arquillian; package org.keycloak.testsuite.arquillian;
import org.keycloak.connections.infinispan.InfinispanConnectionProvider; import java.io.IOException;
import org.keycloak.testsuite.Retry; import java.io.NotSerializableException;
import java.util.Map; import java.lang.management.ManagementFactory;
import org.jboss.arquillian.core.api.Instance;
import org.jboss.arquillian.core.api.annotation.Inject;
import java.lang.reflect.Field; import java.lang.reflect.Field;
import java.lang.reflect.Method; import java.lang.reflect.Method;
import java.net.MalformedURLException;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXServiceURL;
import org.jboss.arquillian.container.spi.Container;
import org.jboss.arquillian.container.spi.ContainerRegistry;
import org.jboss.arquillian.test.spi.TestEnricher;
import java.io.IOException;
import java.lang.reflect.Parameter; import java.lang.reflect.Parameter;
import java.net.MalformedURLException;
import java.util.Arrays; import java.util.Arrays;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import javax.management.Attribute; import javax.management.Attribute;
import javax.management.AttributeNotFoundException; import javax.management.AttributeNotFoundException;
@ -26,21 +21,26 @@ import javax.management.IntrospectionException;
import javax.management.MBeanAttributeInfo; import javax.management.MBeanAttributeInfo;
import javax.management.MBeanException; import javax.management.MBeanException;
import javax.management.MBeanInfo; import javax.management.MBeanInfo;
import javax.management.MBeanServerConnection;
import javax.management.MalformedObjectNameException; import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.management.ReflectionException; import javax.management.ReflectionException;
import javax.management.remote.JMXServiceURL;
import org.apache.commons.lang3.reflect.FieldUtils;
import org.jboss.arquillian.container.spi.Container;
import org.jboss.arquillian.container.spi.ContainerRegistry;
import org.jboss.arquillian.core.api.Instance;
import org.jboss.arquillian.core.api.annotation.Inject;
import org.jboss.arquillian.core.spi.Validate;
import org.jboss.arquillian.test.spi.TestEnricher;
import org.jboss.logging.Logger;
import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
import org.keycloak.testsuite.Retry;
import org.keycloak.testsuite.arquillian.annotation.JmxInfinispanCacheStatistics; import org.keycloak.testsuite.arquillian.annotation.JmxInfinispanCacheStatistics;
import java.util.Set;
import org.keycloak.testsuite.arquillian.annotation.JmxInfinispanChannelStatistics; import org.keycloak.testsuite.arquillian.annotation.JmxInfinispanChannelStatistics;
import org.keycloak.testsuite.arquillian.jmx.JmxConnectorRegistry; import org.keycloak.testsuite.arquillian.jmx.JmxConnectorRegistry;
import org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow; import org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow;
import org.keycloak.testsuite.crossdc.DC; import org.keycloak.testsuite.crossdc.DC;
import java.io.NotSerializableException;
import java.lang.management.ManagementFactory;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.reflect.FieldUtils;
import org.jboss.arquillian.core.spi.Validate;
import org.jboss.logging.Logger;
/** /**
* *
@ -81,8 +81,6 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
} }
private InfinispanStatistics getInfinispanCacheStatistics(JmxInfinispanCacheStatistics annotation) throws MalformedObjectNameException, IOException, MalformedURLException { private InfinispanStatistics getInfinispanCacheStatistics(JmxInfinispanCacheStatistics annotation) throws MalformedObjectNameException, IOException, MalformedURLException {
MBeanServerConnection mbsc = getJmxServerConnection(annotation);
ObjectName mbeanName = new ObjectName(String.format( ObjectName mbeanName = new ObjectName(String.format(
"%s:type=%s,name=\"%s(%s)\",manager=\"%s\",component=%s", "%s:type=%s,name=\"%s(%s)\",manager=\"%s\",component=%s",
annotation.domain().isEmpty() ? getDefaultDomain(annotation.dc().getDcIndex(), annotation.dcNodeIndex()) : InfinispanConnectionProvider.JMX_DOMAIN, annotation.domain().isEmpty() ? getDefaultDomain(annotation.dc().getDcIndex(), annotation.dcNodeIndex()) : InfinispanConnectionProvider.JMX_DOMAIN,
@ -93,7 +91,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
annotation.component() annotation.component()
)); ));
InfinispanStatistics value = new InfinispanCacheStatisticsImpl(mbsc, mbeanName); InfinispanStatistics value = new InfinispanCacheStatisticsImpl(getJmxServerConnection(annotation), mbeanName);
if (annotation.domain().isEmpty()) { if (annotation.domain().isEmpty()) {
try { try {
@ -101,7 +99,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
} catch (RuntimeException ex) { } catch (RuntimeException ex) {
if (annotation.dc() != DC.UNDEFINED && annotation.dcNodeIndex() != -1 if (annotation.dc() != DC.UNDEFINED && annotation.dcNodeIndex() != -1
&& suiteContext.get().getAuthServerBackendsInfo(annotation.dc().getDcIndex()).get(annotation.dcNodeIndex()).isStarted()) { && suiteContext.get().getAuthServerBackendsInfo(annotation.dc().getDcIndex()).get(annotation.dcNodeIndex()).isStarted()) {
LOG.warn("Could not reset statistics for " + mbeanName); LOG.warn("Could not reset statistics for " + mbeanName + ". The reason is: \"" + ex.getMessage() + "\"");
} }
} }
} }
@ -110,8 +108,6 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
} }
private InfinispanStatistics getJGroupsChannelStatistics(JmxInfinispanChannelStatistics annotation) throws MalformedObjectNameException, IOException, MalformedURLException { private InfinispanStatistics getJGroupsChannelStatistics(JmxInfinispanChannelStatistics annotation) throws MalformedObjectNameException, IOException, MalformedURLException {
MBeanServerConnection mbsc = getJmxServerConnection(annotation);
ObjectName mbeanName = new ObjectName(String.format( ObjectName mbeanName = new ObjectName(String.format(
"%s:type=%s,cluster=\"%s\"", "%s:type=%s,cluster=\"%s\"",
annotation.domain().isEmpty() ? getDefaultDomain(annotation.dc().getDcIndex(), annotation.dcNodeIndex()) : InfinispanConnectionProvider.JMX_DOMAIN, annotation.domain().isEmpty() ? getDefaultDomain(annotation.dc().getDcIndex(), annotation.dcNodeIndex()) : InfinispanConnectionProvider.JMX_DOMAIN,
@ -119,7 +115,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
annotation.cluster() annotation.cluster()
)); ));
InfinispanStatistics value = new InfinispanChannelStatisticsImpl(mbsc, mbeanName); InfinispanStatistics value = new InfinispanChannelStatisticsImpl(getJmxServerConnection(annotation), mbeanName);
if (annotation.domain().isEmpty()) { if (annotation.domain().isEmpty()) {
try { try {
@ -127,7 +123,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
} catch (RuntimeException ex) { } catch (RuntimeException ex) {
if (annotation.dc() != DC.UNDEFINED && annotation.dcNodeIndex() != -1 if (annotation.dc() != DC.UNDEFINED && annotation.dcNodeIndex() != -1
&& suiteContext.get().getAuthServerBackendsInfo(annotation.dc().getDcIndex()).get(annotation.dcNodeIndex()).isStarted()) { && suiteContext.get().getAuthServerBackendsInfo(annotation.dc().getDcIndex()).get(annotation.dcNodeIndex()).isStarted()) {
LOG.warn("Could not reset statistics for " + mbeanName); LOG.warn("Could not reset statistics for " + mbeanName + ". The reason is: \"" + ex.getMessage() + "\"");
} }
} }
} }
@ -162,12 +158,20 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
private String getDefaultDomain(int dcIndex, int dcNodeIndex) { private String getDefaultDomain(int dcIndex, int dcNodeIndex) {
if (dcIndex != -1 && dcNodeIndex != -1) { if (dcIndex != -1 && dcNodeIndex != -1) {
if (Boolean.parseBoolean(System.getProperty("auth.server.jboss.crossdc"))) {
//backend-jboss-server
return "org.wildfly.clustering.infinispan";
}
//backend-undertow-server
return InfinispanConnectionProvider.JMX_DOMAIN + "-" + suiteContext.get().getAuthServerBackendsInfo(dcIndex).get(dcNodeIndex).getQualifier(); return InfinispanConnectionProvider.JMX_DOMAIN + "-" + suiteContext.get().getAuthServerBackendsInfo(dcIndex).get(dcNodeIndex).getQualifier();
} }
//cache-server
return InfinispanConnectionProvider.JMX_DOMAIN; return InfinispanConnectionProvider.JMX_DOMAIN;
} }
private MBeanServerConnection getJmxServerConnection(JmxInfinispanCacheStatistics annotation) throws MalformedURLException, IOException { private Supplier<MBeanServerConnection> getJmxServerConnection(JmxInfinispanCacheStatistics annotation) throws MalformedURLException {
final String host; final String host;
final int port; final int port;
@ -175,7 +179,46 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
ContainerInfo node = suiteContext.get().getAuthServerBackendsInfo(annotation.dc().getDcIndex()).get(annotation.dcNodeIndex()); ContainerInfo node = suiteContext.get().getAuthServerBackendsInfo(annotation.dc().getDcIndex()).get(annotation.dcNodeIndex());
Container container = node.getArquillianContainer(); Container container = node.getArquillianContainer();
if (container.getDeployableContainer() instanceof KeycloakOnUndertow) { if (container.getDeployableContainer() instanceof KeycloakOnUndertow) {
return ManagementFactory.getPlatformMBeanServer(); return () -> ManagementFactory.getPlatformMBeanServer();
}
host = "localhost";
port = container.getContainerConfiguration().getContainerProperties().containsKey("managementPort")
? Integer.valueOf(container.getContainerConfiguration().getContainerProperties().get("managementPort"))
: 9990;
} else {
host = annotation.host().isEmpty()
? System.getProperty((annotation.hostProperty().isEmpty()
? "keycloak.connectionsInfinispan.remoteStoreServer"
: annotation.hostProperty()))
: annotation.host();
port = annotation.managementPort() == -1
? Integer.valueOf(System.getProperty((annotation.managementPortProperty().isEmpty()
? "cache.server.management.port"
: annotation.managementPortProperty())))
: annotation.managementPort();
}
JMXServiceURL url = new JMXServiceURL("service:jmx:remote+http://" + host + ":" + port);
return () -> {
try {
return jmxConnectorRegistry.get().getConnection(url).getMBeanServerConnection();
} catch (IOException ex) {
throw new RuntimeException(ex);
}
};
}
private Supplier<MBeanServerConnection> getJmxServerConnection(JmxInfinispanChannelStatistics annotation) throws MalformedURLException {
final String host;
final int port;
if (annotation.dc() != DC.UNDEFINED && annotation.dcNodeIndex() != -1) {
ContainerInfo node = suiteContext.get().getAuthServerBackendsInfo(annotation.dc().getDcIndex()).get(annotation.dcNodeIndex());
Container container = node.getArquillianContainer();
if (container.getDeployableContainer() instanceof KeycloakOnUndertow) {
return () -> ManagementFactory.getPlatformMBeanServer();
} }
host = "localhost"; host = "localhost";
port = container.getContainerConfiguration().getContainerProperties().containsKey("managementPort") port = container.getContainerConfiguration().getContainerProperties().containsKey("managementPort")
@ -196,79 +239,50 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
} }
JMXServiceURL url = new JMXServiceURL("service:jmx:remote+http://" + host + ":" + port); JMXServiceURL url = new JMXServiceURL("service:jmx:remote+http://" + host + ":" + port);
JMXConnector jmxc = jmxConnectorRegistry.get().getConnection(url); return () -> {
try {
return jmxc.getMBeanServerConnection(); return jmxConnectorRegistry.get().getConnection(url).getMBeanServerConnection();
} } catch (IOException ex) {
throw new RuntimeException(ex);
private MBeanServerConnection getJmxServerConnection(JmxInfinispanChannelStatistics annotation) throws MalformedURLException, IOException {
final String host;
final int port;
if (annotation.dc() != DC.UNDEFINED && annotation.dcNodeIndex() != -1) {
ContainerInfo node = suiteContext.get().getAuthServerBackendsInfo(annotation.dc().getDcIndex()).get(annotation.dcNodeIndex());
Container container = node.getArquillianContainer();
if (container.getDeployableContainer() instanceof KeycloakOnUndertow) {
return ManagementFactory.getPlatformMBeanServer();
} }
host = "localhost"; };
port = container.getContainerConfiguration().getContainerProperties().containsKey("managementPort")
? Integer.valueOf(container.getContainerConfiguration().getContainerProperties().get("managementPort"))
: 9990;
} else {
host = annotation.host().isEmpty()
? System.getProperty((annotation.hostProperty().isEmpty()
? "keycloak.connectionsInfinispan.remoteStoreServer"
: annotation.hostProperty()))
: annotation.host();
port = annotation.managementPort() == -1
? Integer.valueOf(System.getProperty((annotation.managementPortProperty().isEmpty()
? "cache.server.management.port"
: annotation.managementPortProperty())))
: annotation.managementPort();
}
String jmxUrl = "service:jmx:remote+http://" + host + ":" + port;
LOG.infof("JMX Service URL: %s", jmxUrl);
JMXServiceURL url = new JMXServiceURL(jmxUrl);
JMXConnector jmxc = jmxConnectorRegistry.get().getConnection(url);
return jmxc.getMBeanServerConnection();
} }
private static abstract class CacheStatisticsImpl implements InfinispanStatistics { private static abstract class CacheStatisticsImpl implements InfinispanStatistics {
protected final MBeanServerConnection mbsc; private final Supplier<MBeanServerConnection> mbscCreateor;
private final ObjectName mbeanNameTemplate; private final ObjectName mbeanNameTemplate;
private ObjectName mbeanName; private ObjectName mbeanName;
public CacheStatisticsImpl(MBeanServerConnection mbsc, ObjectName mbeanNameTemplate) { public CacheStatisticsImpl(Supplier<MBeanServerConnection> mbscCreateor, ObjectName mbeanNameTemplate) {
this.mbsc = mbsc; this.mbscCreateor = mbscCreateor;
this.mbeanNameTemplate = mbeanNameTemplate; this.mbeanNameTemplate = mbeanNameTemplate;
} }
protected MBeanServerConnection getConnection() {
return mbscCreateor.get();
}
@Override @Override
public boolean exists() { public boolean exists() {
try { try {
getMbeanName(); getMbeanName();
return true; return true;
} catch (Exception ex) { } catch (IOException | RuntimeException ex) {
return false; return false;
} }
} }
@Override @Override
public Map<String, Object> getStatistics() { public Map<String, Object> getStatistics() {
try { try {
MBeanInfo mBeanInfo = mbsc.getMBeanInfo(getMbeanName()); MBeanInfo mBeanInfo = getConnection().getMBeanInfo(getMbeanName());
String[] statAttrs = Arrays.asList(mBeanInfo.getAttributes()).stream() String[] statAttrs = Arrays.asList(mBeanInfo.getAttributes()).stream()
.filter(MBeanAttributeInfo::isReadable) .filter(MBeanAttributeInfo::isReadable)
.map(MBeanAttributeInfo::getName) .map(MBeanAttributeInfo::getName)
.collect(Collectors.toList()) .collect(Collectors.toList())
.toArray(new String[] {}); .toArray(new String[] {});
return mbsc.getAttributes(getMbeanName(), statAttrs) return getConnection().getAttributes(getMbeanName(), statAttrs)
.asList() .asList()
.stream() .stream()
.collect(Collectors.toMap(Attribute::getName, Attribute::getValue)); .collect(Collectors.toMap(Attribute::getName, Attribute::getValue));
@ -279,7 +293,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
protected ObjectName getMbeanName() throws IOException, RuntimeException { protected ObjectName getMbeanName() throws IOException, RuntimeException {
if (this.mbeanName == null) { if (this.mbeanName == null) {
Set<ObjectName> queryNames = mbsc.queryNames(mbeanNameTemplate, null); Set<ObjectName> queryNames = getConnection().queryNames(mbeanNameTemplate, null);
if (queryNames.isEmpty()) { if (queryNames.isEmpty()) {
throw new RuntimeException("No MBean of template " + mbeanNameTemplate + " found at JMX server"); throw new RuntimeException("No MBean of template " + mbeanNameTemplate + " found at JMX server");
} }
@ -292,7 +306,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
@Override @Override
public Comparable getSingleStatistics(String statisticsName) { public Comparable getSingleStatistics(String statisticsName) {
try { try {
return (Comparable) mbsc.getAttribute(getMbeanName(), statisticsName); return (Comparable) getConnection().getAttribute(getMbeanName(), statisticsName);
} catch (IOException | InstanceNotFoundException | MBeanException | ReflectionException | AttributeNotFoundException ex) { } catch (IOException | InstanceNotFoundException | MBeanException | ReflectionException | AttributeNotFoundException ex) {
throw new RuntimeException(ex); throw new RuntimeException(ex);
} }
@ -305,7 +319,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
try { try {
getMbeanName(); getMbeanName();
if (! isAvailable()) throw new RuntimeException("Not available"); if (! isAvailable()) throw new RuntimeException("Not available");
} catch (Exception ex) { } catch (IOException | RuntimeException ex) {
throw new RuntimeException("Timed out while waiting for " + mbeanNameTemplate + " to become available", ex); throw new RuntimeException("Timed out while waiting for " + mbeanNameTemplate + " to become available", ex);
} }
}, 1 + (int) timeInMillis / 100, 100); }, 1 + (int) timeInMillis / 100, 100);
@ -316,14 +330,14 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
private static class InfinispanCacheStatisticsImpl extends CacheStatisticsImpl { private static class InfinispanCacheStatisticsImpl extends CacheStatisticsImpl {
public InfinispanCacheStatisticsImpl(MBeanServerConnection mbsc, ObjectName mbeanName) { public InfinispanCacheStatisticsImpl(Supplier<MBeanServerConnection> mbscCreator, ObjectName mbeanName) {
super(mbsc, mbeanName); super(mbscCreator, mbeanName);
} }
@Override @Override
public void reset() { public void reset() {
try { try {
mbsc.invoke(getMbeanName(), "resetStatistics", new Object[] {}, new String[] {}); getConnection().invoke(getMbeanName(), "resetStatistics", new Object[] {}, new String[] {});
} catch (IOException | InstanceNotFoundException | MBeanException | ReflectionException ex) { } catch (IOException | InstanceNotFoundException | MBeanException | ReflectionException ex) {
throw new RuntimeException(ex); throw new RuntimeException(ex);
} }
@ -337,14 +351,14 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
private static class InfinispanChannelStatisticsImpl extends CacheStatisticsImpl { private static class InfinispanChannelStatisticsImpl extends CacheStatisticsImpl {
public InfinispanChannelStatisticsImpl(MBeanServerConnection mbsc, ObjectName mbeanName) { public InfinispanChannelStatisticsImpl(Supplier<MBeanServerConnection> mbscCreator, ObjectName mbeanName) {
super(mbsc, mbeanName); super(mbscCreator, mbeanName);
} }
@Override @Override
public void reset() { public void reset() {
try { try {
mbsc.invoke(getMbeanName(), "resetStats", new Object[] {}, new String[] {}); getConnection().invoke(getMbeanName(), "resetStats", new Object[] {}, new String[] {});
} catch (NotSerializableException ex) { } catch (NotSerializableException ex) {
// Ignore return value not serializable, the invocation has already done its job // Ignore return value not serializable, the invocation has already done its job
} catch (IOException | InstanceNotFoundException | MBeanException | ReflectionException ex) { } catch (IOException | InstanceNotFoundException | MBeanException | ReflectionException ex) {

18
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/DeploymentTargetModifier.java
View file

@ -22,6 +22,7 @@ import org.jboss.arquillian.container.spi.client.deployment.TargetDescription;
import org.jboss.arquillian.container.test.impl.client.deployment.AnnotationDeploymentScenarioGenerator; import org.jboss.arquillian.container.test.impl.client.deployment.AnnotationDeploymentScenarioGenerator;
import org.jboss.arquillian.test.spi.TestClass; import org.jboss.arquillian.test.spi.TestClass;
import org.jboss.logging.Logger; import org.jboss.logging.Logger;
import org.keycloak.common.util.StringPropertyReplacer;
import java.util.List; import java.util.List;
@ -73,12 +74,23 @@ public class DeploymentTargetModifier extends AnnotationDeploymentScenarioGenera
if (deployment.getTarget() != null) { if (deployment.getTarget() != null) {
String containerQualifier = deployment.getTarget().getName(); String containerQualifier = deployment.getTarget().getName();
if (AUTH_SERVER_CURRENT.equals(containerQualifier)) { if (AUTH_SERVER_CURRENT.equals(containerQualifier)) {
String authServerQualifier = AuthServerTestEnricher.AUTH_SERVER_CONTAINER; String newAuthServerQualifier = AuthServerTestEnricher.AUTH_SERVER_CONTAINER;
log.infof("Setting target container for deployment %s.%s: %s", testClass.getName(), deployment.getName(), authServerQualifier); updateAuthServerQualifier(deployment, testClass, newAuthServerQualifier);
deployment.setTarget(new TargetDescription(authServerQualifier)); } else {
String newAuthServerQualifier = StringPropertyReplacer.replaceProperties(containerQualifier);
if (!newAuthServerQualifier.equals(containerQualifier)) {
updateAuthServerQualifier(deployment, testClass, newAuthServerQualifier);
}
} }
} }
} }
} }
private void updateAuthServerQualifier(DeploymentDescription deployment, TestClass testClass, String newAuthServerQualifier) {
log.infof("Setting target container for deployment %s.%s: %s", testClass.getName(), deployment.getName(), newAuthServerQualifier);
deployment.setTarget(new TargetDescription(newAuthServerQualifier));
}
} }

7
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/jmx/JmxConnectorRegistryCreator.java
View file

@ -27,6 +27,7 @@ import org.jboss.arquillian.core.api.annotation.ApplicationScoped;
import org.jboss.arquillian.core.api.annotation.Inject; import org.jboss.arquillian.core.api.annotation.Inject;
import org.jboss.arquillian.core.api.annotation.Observes; import org.jboss.arquillian.core.api.annotation.Observes;
import org.jboss.arquillian.test.spi.event.suite.BeforeSuite; import org.jboss.arquillian.test.spi.event.suite.BeforeSuite;
import org.jboss.logging.Logger;
/** /**
* *
@ -34,6 +35,8 @@ import org.jboss.arquillian.test.spi.event.suite.BeforeSuite;
*/ */
public class JmxConnectorRegistryCreator { public class JmxConnectorRegistryCreator {
private final Logger log = Logger.getLogger(JmxConnectorRegistryCreator.class);
@Inject @Inject
@ApplicationScoped @ApplicationScoped
private InstanceProducer<JmxConnectorRegistry> connectorRegistry; private InstanceProducer<JmxConnectorRegistry> connectorRegistry;
@ -46,6 +49,7 @@ public class JmxConnectorRegistryCreator {
@Override @Override
public JMXConnector getConnection(JMXServiceURL url) { public JMXConnector getConnection(JMXServiceURL url) {
JMXConnector res = connectors.get(url); JMXConnector res = connectors.get(url);
if (res == null) { if (res == null) {
try { try {
@ -55,7 +59,10 @@ public class JmxConnectorRegistryCreator {
res = conn; res = conn;
} }
res.connect(); res.connect();
log.infof("Connected to JMX Service URL: %s", url);
} catch (IOException ex) { } catch (IOException ex) {
//remove conn from connectors in case something goes wrong. The connection will be established on-demand
connectors.remove(url, res);
throw new RuntimeException("Could not instantiate JMX connector for " + url, ex); throw new RuntimeException("Could not instantiate JMX connector for " + url, ex);
} }
} }

4
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/client/KeycloakTestingClient.java
View file

@ -90,14 +90,14 @@ public class KeycloakTestingClient {
public <T> T fetch(FetchOnServer function, Class<T> clazz) throws RunOnServerException { public <T> T fetch(FetchOnServer function, Class<T> clazz) throws RunOnServerException {
try { try {
String s = fetch(function); String s = fetchString(function);
return JsonSerialization.readValue(s, clazz); return JsonSerialization.readValue(s, clazz);
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
} }
public String fetch(FetchOnServer function) throws RunOnServerException { public String fetchString(FetchOnServer function) throws RunOnServerException {
String encoded = SerializationUtil.encode(function); String encoded = SerializationUtil.encode(function);
String result = testing(realm != null ? realm : "master").runOnServer(encoded); String result = testing(realm != null ? realm : "master").runOnServer(encoded);

15
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/pages/social/TwitterLoginPage.java
View file

@ -17,6 +17,7 @@
package org.keycloak.testsuite.pages.social; package org.keycloak.testsuite.pages.social;
import org.openqa.selenium.NoSuchElementException;
import org.openqa.selenium.WebElement; import org.openqa.selenium.WebElement;
import org.openqa.selenium.support.FindBy; import org.openqa.selenium.support.FindBy;
@ -35,9 +36,15 @@ public class TwitterLoginPage extends AbstractSocialLoginPage {
@Override @Override
public void login(String user, String password) { public void login(String user, String password) {
usernameInput.clear(); try {
usernameInput.sendKeys(user); usernameInput.clear();
passwordInput.sendKeys(password); usernameInput.sendKeys(user);
loginButton.click(); passwordInput.sendKeys(password);
}
catch (NoSuchElementException e) { // at some conditions we are already logged in and just need to confirm it
}
finally {
loginButton.click();
}
} }
} }

24
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/DroneUtils.java
View file

@ -20,11 +20,33 @@ package org.keycloak.testsuite.util;
import org.jboss.arquillian.graphene.context.GrapheneContext; import org.jboss.arquillian.graphene.context.GrapheneContext;
import org.openqa.selenium.WebDriver; import org.openqa.selenium.WebDriver;
import java.util.LinkedList;
import java.util.Queue;
import java.util.Stack;
/** /**
* @author Vaclav Muzikar <vmuzikar@redhat.com> * @author Vaclav Muzikar <vmuzikar@redhat.com>
*/ */
public final class DroneUtils { public final class DroneUtils {
private static Queue<WebDriver> driverQueue = new LinkedList<>();
public static WebDriver getCurrentDriver() { public static WebDriver getCurrentDriver() {
return GrapheneContext.lastContext().getWebDriver(); if (driverQueue.isEmpty()) {
return GrapheneContext.lastContext().getWebDriver();
}
return driverQueue.peek();
}
public static void addWebDriver(WebDriver driver) {
driverQueue.add(driver);
}
public static void removeWebDriver() {
driverQueue.poll();
}
public static void resetQueue() {
driverQueue = new LinkedList<>();
} }
} }

4
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/AbstractKeycloakTest.java
View file

@ -64,6 +64,7 @@ import org.keycloak.testsuite.auth.page.login.OIDCLogin;
import org.keycloak.testsuite.auth.page.login.UpdatePassword; import org.keycloak.testsuite.auth.page.login.UpdatePassword;
import org.keycloak.testsuite.client.KeycloakTestingClient; import org.keycloak.testsuite.client.KeycloakTestingClient;
import org.keycloak.testsuite.util.AdminClientUtil; import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.DroneUtils;
import org.keycloak.testsuite.util.OAuthClient; import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.TestCleanup; import org.keycloak.testsuite.util.TestCleanup;
import org.keycloak.testsuite.util.TestEventsLogger; import org.keycloak.testsuite.util.TestEventsLogger;
@ -213,6 +214,9 @@ public abstract class AbstractKeycloakTest {
} }
testContext.getCleanups().clear(); testContext.getCleanups().clear();
} }
// Remove all browsers from queue
DroneUtils.resetQueue();
} }
protected TestCleanup getCleanup(String realmName) { protected TestCleanup getCleanup(String realmName) {

11
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/account/AccountFormServiceTest.java
View file

@ -207,6 +207,17 @@ public class AccountFormServiceTest extends AbstractTestRealmKeycloakTest {
events.clear(); events.clear();
} }
@Test
public void referrerEscaped() {
profilePage.open();
loginPage.login("test-user@localhost", "password");
driver.navigate().to(profilePage.getPath() + "?referrer=test-app&referrer_uri=http://localhost:8180/auth/realms/master/app/auth/test%2Ffkrenu%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E");
Assert.assertTrue(profilePage.isCurrent());
Assert.assertFalse(driver.getPageSource().contains("<script>alert"));
}
@Test @Test
public void changePassword() { public void changePassword() {
changePasswordPage.open(); changePasswordPage.open();

2
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/AbstractFuseAdminAdapterTest.java
View file

@ -78,7 +78,7 @@ public abstract class AbstractFuseAdminAdapterTest extends AbstractExampleAdapte
assertCurrentUrlDoesntStartWith(hawtioPage); assertCurrentUrlDoesntStartWith(hawtioPage);
testRealmLoginPage.form().login("root", "password"); testRealmLoginPage.form().login("root", "password");
assertCurrentUrlStartsWith(hawtioPage.getDriver(), hawtioPage.toString() + "/welcome"); assertCurrentUrlStartsWith(hawtioPage.toString() + "/welcome", hawtioPage.getDriver());
hawtioPage.logout(); hawtioPage.logout();
assertCurrentUrlStartsWith(testRealmLoginPage); assertCurrentUrlStartsWith(testRealmLoginPage);

2
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/AbstractHawtioAdapterTest.java
View file

@ -41,7 +41,7 @@ public abstract class AbstractHawtioAdapterTest extends AbstractExampleAdapterTe
testRealmLoginPage.form().login("root", "password"); testRealmLoginPage.form().login("root", "password");
waitUntilElement(By.xpath("//body")).is().present(); waitUntilElement(By.xpath("//body")).is().present();
assertCurrentUrlStartsWith(hawtioPage.getDriver(), hawtioPage.toString() + "/welcome"); assertCurrentUrlStartsWith(hawtioPage.toString() + "/welcome", hawtioPage.getDriver());
hawtioPage.logout(); hawtioPage.logout();
pause(1000); pause(1000);

2
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractDemoServletsAdapterTest.java
View file

@ -194,7 +194,7 @@ public abstract class AbstractDemoServletsAdapterTest extends AbstractServletsAd
assertCurrentUrlStartsWithLoginUrlOf(testRealmPage); assertCurrentUrlStartsWithLoginUrlOf(testRealmPage);
testRealmLoginPage.form().login("bburke@redhat.com", "password"); testRealmLoginPage.form().login("bburke@redhat.com", "password");
assertCurrentUrlEquals(driver, inputPortal + "/secured/post"); assertCurrentUrlEquals(inputPortal + "/secured/post");
waitForPageToLoad(); waitForPageToLoad();
String pageSource = driver.getPageSource(); String pageSource = driver.getPageSource();
assertThat(pageSource, containsString("parameter=hello")); assertThat(pageSource, containsString("parameter=hello"));

2
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractOIDCPublicKeyRotationAdapterTest.java
View file

@ -127,7 +127,7 @@ public abstract class AbstractOIDCPublicKeyRotationAdapterTest extends AbstractS
testRealmLoginPage.form().waitForUsernameInputPresent(); testRealmLoginPage.form().waitForUsernameInputPresent();
assertCurrentUrlStartsWithLoginUrlOf(testRealmPage); assertCurrentUrlStartsWithLoginUrlOf(testRealmPage);
testRealmLoginPage.form().login("bburke@redhat.com", "password"); testRealmLoginPage.form().login("bburke@redhat.com", "password");
URLAssert.assertCurrentUrlStartsWith(driver, tokenMinTTLPage.getInjectedUrl().toString()); URLAssert.assertCurrentUrlStartsWith(tokenMinTTLPage.getInjectedUrl().toString());
Assert.assertNull(tokenMinTTLPage.getAccessToken()); Assert.assertNull(tokenMinTTLPage.getAccessToken());
driver.navigate().to(logoutUri); driver.navigate().to(logoutUri);

17
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSessionServletAdapterTest.java
View file

@ -37,9 +37,8 @@ import org.keycloak.testsuite.util.SecondBrowser;
import org.openqa.selenium.By; import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver; import org.openqa.selenium.WebDriver;
import static org.junit.Assert.assertEquals; import static org.hamcrest.CoreMatchers.containsString;
import static org.junit.Assert.assertNotNull; import static org.junit.Assert.*;
import static org.junit.Assert.assertTrue;
import static org.keycloak.testsuite.auth.page.AuthRealm.DEMO; import static org.keycloak.testsuite.auth.page.AuthRealm.DEMO;
import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlEquals; import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlEquals;
import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWithLoginUrlOf; import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWithLoginUrlOf;
@ -84,13 +83,13 @@ public abstract class AbstractSessionServletAdapterTest extends AbstractServlets
// cannot pass to loginAndCheckSession becayse loginPage is not working together with driver2, therefore copypasta // cannot pass to loginAndCheckSession becayse loginPage is not working together with driver2, therefore copypasta
driver2.navigate().to(sessionPortalPage.toString()); driver2.navigate().to(sessionPortalPage.toString());
assertCurrentUrlStartsWithLoginUrlOf(driver2, testRealmPage); assertCurrentUrlStartsWithLoginUrlOf(testRealmPage, driver2);
driver2.findElement(By.id("username")).sendKeys("bburke@redhat.com"); driver2.findElement(By.id("username")).sendKeys("bburke@redhat.com");
driver2.findElement(By.id("password")).sendKeys("password"); driver2.findElement(By.id("password")).sendKeys("password");
driver2.findElement(By.id("password")).submit(); driver2.findElement(By.id("password")).submit();
assertCurrentUrlEquals(driver2, sessionPortalPage); assertCurrentUrlEquals(sessionPortalPage, driver2);
String pageSource = driver2.getPageSource(); String pageSource = driver2.getPageSource();
assertTrue(pageSource.contains("Counter=1")); assertThat(pageSource, containsString("Counter=1"));
// Counter increased now // Counter increased now
driver2.navigate().to(sessionPortalPage.toString()); driver2.navigate().to(sessionPortalPage.toString());
pageSource = driver2.getPageSource(); pageSource = driver2.getPageSource();
@ -108,12 +107,12 @@ public abstract class AbstractSessionServletAdapterTest extends AbstractServlets
// Assert that I am still logged in browser2 and same session is still preserved // Assert that I am still logged in browser2 and same session is still preserved
driver2.navigate().to(sessionPortalPage.toString()); driver2.navigate().to(sessionPortalPage.toString());
assertCurrentUrlEquals(driver2, sessionPortalPage); assertCurrentUrlEquals(sessionPortalPage, driver2);
pageSource = driver2.getPageSource(); pageSource = driver2.getPageSource();
assertTrue(pageSource.contains("Counter=3")); assertThat(pageSource, containsString("Counter=3"));
driver2.navigate().to(logoutUri); driver2.navigate().to(logoutUri);
assertCurrentUrlStartsWithLoginUrlOf(driver2, testRealmPage); assertCurrentUrlStartsWithLoginUrlOf(testRealmPage, driver2);
} }

28
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/SMTPConnectionTest.java
View file

@ -35,6 +35,7 @@ import java.util.Map;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail; import static org.junit.Assert.fail;
import static org.keycloak.representations.idm.ComponentRepresentation.SECRET_VALUE;
import static org.keycloak.util.JsonSerialization.writeValueAsPrettyString; import static org.keycloak.util.JsonSerialization.writeValueAsPrettyString;
/** /**
@ -60,6 +61,11 @@ public class SMTPConnectionTest extends AbstractKeycloakTest {
private String settings(String host, String port, String from, String auth, String ssl, String starttls, private String settings(String host, String port, String from, String auth, String ssl, String starttls,
String username, String password) throws Exception { String username, String password) throws Exception {
Map<String, String> config = smtpMap(host, port, from, auth, ssl, starttls, username, password);
return writeValueAsPrettyString(config);
}
private Map<String, String> smtpMap(String host, String port, String from, String auth, String ssl, String starttls, String username, String password) {
Map<String, String> config = new HashMap<>(); Map<String, String> config = new HashMap<>();
config.put("host", host); config.put("host", host);
config.put("port", port); config.put("port", port);
@ -69,7 +75,7 @@ public class SMTPConnectionTest extends AbstractKeycloakTest {
config.put("starttls", starttls); config.put("starttls", starttls);
config.put("user", username); config.put("user", username);
config.put("password", password); config.put("password", password);
return writeValueAsPrettyString(config); return config;
} }
@Test @Test
@ -102,6 +108,26 @@ public class SMTPConnectionTest extends AbstractKeycloakTest {
assertStatus(response, 204); assertStatus(response, 204);
} }
@Test
public void testAuthEnabledAndSavedCredentials() throws Exception {
RealmRepresentation realmRep = realm.toRepresentation();
Map<String, String> oldSmtp = realmRep.getSmtpServer();
try {
realmRep.setSmtpServer(smtpMap("127.0.0.1", "3025", "auto@keycloak.org", "true", null, null,
"admin@localhost", "admin"));
realm.update(realmRep);
greenMailRule.credentials("admin@localhost", "admin");
Response response = realm.testSMTPConnection(settings("127.0.0.1", "3025", "auto@keycloak.org", "true", null, null,
"admin@localhost", SECRET_VALUE));
assertStatus(response, 204);
} finally {
// Revert SMTP back
realmRep.setSmtpServer(oldSmtp);
realm.update(realmRep);
}
}
private void assertStatus(Response response, int status) { private void assertStatus(Response response, int status) {
assertEquals(status, response.getStatus()); assertEquals(status, response.getStatus());
response.close(); response.close();

17
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrentLoginTest.java
View file

@ -21,8 +21,8 @@ import java.io.IOException;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.nio.charset.Charset;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
@ -58,10 +58,12 @@ import java.util.Arrays;
import java.util.LinkedHashMap; import java.util.LinkedHashMap;
import java.util.concurrent.atomic.AtomicInteger; import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference; import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Collectors;
import org.apache.http.client.CookieStore; import org.apache.http.client.CookieStore;
import org.apache.http.impl.client.BasicCookieStore; import org.apache.http.impl.client.BasicCookieStore;
import org.hamcrest.Matchers; import org.hamcrest.Matchers;
import static org.hamcrest.Matchers.containsString;
/** /**
@ -126,8 +128,7 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
CookieStore cookieStore = new BasicCookieStore(); CookieStore cookieStore = new BasicCookieStore();
context.setCookieStore(cookieStore); context.setCookieStore(cookieStore);
HttpUriRequest request = handleLogin(getPageContent(oauth.getLoginFormUrl(), httpClient, context), userName, password); HttpUriRequest request = handleLogin(getPageContent(oauth.getLoginFormUrl(), httpClient, context), userName, password);
log.debug("Executing login request"); Assert.assertThat(parseAndCloseResponse(httpClient.execute(request, context)), containsString("<title>AUTH_RESPONSE</title>"));
Assert.assertTrue(parseAndCloseResponse(httpClient.execute(request, context)).contains("<title>AUTH_RESPONSE</title>"));
return context; return context;
} }
@ -306,12 +307,8 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
} }
private static Map<String, String> getQueryFromUrl(String url) throws URISyntaxException { private static Map<String, String> getQueryFromUrl(String url) throws URISyntaxException {
Map<String, String> m = new HashMap<>(); return URLEncodedUtils.parse(new URI(url), Charset.forName("UTF-8")).stream()
List<NameValuePair> pairs = URLEncodedUtils.parse(new URI(url), "UTF-8"); .collect(Collectors.toMap(p -> p.getName(), p -> p.getValue()));
for (NameValuePair p : pairs) {
m.put(p.getName(), p.getValue());
}
return m;
} }
@ -411,4 +408,4 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
} }
} }

6
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/crossdc/AbstractAdminCrossDCTest.java
View file

@ -95,8 +95,10 @@ public abstract class AbstractAdminCrossDCTest extends AbstractCrossDCTest {
T newStat = (T) stats.getSingleStatistics(key); T newStat = (T) stats.getSingleStatistics(key);
Matcher<? super T> matcherInstance = matcherOnOldStat.apply(oldStat); Matcher<? super T> matcherInstance = matcherOnOldStat.apply(oldStat);
log.infof("assertSingleStatistics '%s' : oldStat: %s, newStat: %s", key, oldStat.toString(), newStat.toString());
assertThat(newStat, matcherInstance); assertThat(newStat, matcherInstance);
}, 20, 200); }, 50, 200);
} }
protected void assertStatistics(InfinispanStatistics stats, Runnable testedCode, BiConsumer<Map<String, Object>, Map<String, Object>> assertionOnStats) { protected void assertStatistics(InfinispanStatistics stats, Runnable testedCode, BiConsumer<Map<String, Object>, Map<String, Object>> assertionOnStats) {
@ -108,7 +110,7 @@ public abstract class AbstractAdminCrossDCTest extends AbstractCrossDCTest {
Retry.execute(() -> { Retry.execute(() -> {
Map<String, Object> newStat = stats.getStatistics(); Map<String, Object> newStat = stats.getStatistics();
assertionOnStats.accept(oldStat, newStat); assertionOnStats.accept(oldStat, newStat);
}, 5, 200); }, 50, 200);
} }
} }

30
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/crossdc/AbstractCrossDCTest.java
View file

@ -50,6 +50,8 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
// Keep the following constants in sync with arquillian // Keep the following constants in sync with arquillian
public static final String QUALIFIER_NODE_BALANCER = "auth-server-balancer-cross-dc"; public static final String QUALIFIER_NODE_BALANCER = "auth-server-balancer-cross-dc";
public static final String QUALIFIER_AUTH_SERVER_DC_0_NODE_1 = "auth-server-${node.name}-cross-dc-0_1";
public static final String QUALIFIER_AUTH_SERVER_DC_1_NODE_1 = "auth-server-${node.name}-cross-dc-1_1";
@ArquillianResource @ArquillianResource
@LoadBalancer(value = QUALIFIER_NODE_BALANCER) @LoadBalancer(value = QUALIFIER_NODE_BALANCER)
@ -208,17 +210,19 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
/** /**
* Disables routing requests to the given data center in the load balancer. * Disables routing requests to the given data center in the load balancer.
* @param dcIndex * @param dc
*/ */
public void disableDcOnLoadBalancer(DC dc) { public void disableDcOnLoadBalancer(DC dc) {
int dcIndex = dc.ordinal(); int dcIndex = dc.ordinal();
log.infof("Disabling load balancer for dc=%d", dcIndex); log.infof("Disabling load balancer for dc=%d", dcIndex);
this.suiteContext.getDcAuthServerBackendsInfo().get(dcIndex).forEach(c -> loadBalancerCtrl.disableBackendNodeByName(c.getQualifier())); this.suiteContext.getDcAuthServerBackendsInfo().get(dcIndex).forEach(containerInfo -> {
loadBalancerCtrl.disableBackendNodeByName(containerInfo.getQualifier());
});
} }
/** /**
* Enables routing requests to all started nodes to the given data center in the load balancer. * Enables routing requests to all started nodes to the given data center in the load balancer.
* @param dcIndex * @param dc
*/ */
public void enableDcOnLoadBalancer(DC dc) { public void enableDcOnLoadBalancer(DC dc) {
int dcIndex = dc.ordinal(); int dcIndex = dc.ordinal();
@ -229,13 +233,15 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
} else { } else {
dcNodes.stream() dcNodes.stream()
.filter(ContainerInfo::isStarted) .filter(ContainerInfo::isStarted)
.forEach(c -> loadBalancerCtrl.enableBackendNodeByName(c.getQualifier())); .forEach(containerInfo -> {
loadBalancerCtrl.enableBackendNodeByName(containerInfo.getQualifier());
});
} }
} }
/** /**
* Disables routing requests to the given node within the given data center in the load balancer. * Disables routing requests to the given node within the given data center in the load balancer.
* @param dcIndex * @param dc
* @param nodeIndex * @param nodeIndex
*/ */
public void disableLoadBalancerNode(DC dc, int nodeIndex) { public void disableLoadBalancerNode(DC dc, int nodeIndex) {
@ -246,7 +252,7 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
/** /**
* Enables routing requests to the given node within the given data center in the load balancer. * Enables routing requests to the given node within the given data center in the load balancer.
* @param dcIndex * @param dc
* @param nodeIndex * @param nodeIndex
*/ */
public void enableLoadBalancerNode(DC dc, int nodeIndex) { public void enableLoadBalancerNode(DC dc, int nodeIndex) {
@ -264,7 +270,7 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
/** /**
* Starts a manually-controlled backend auth-server node in cross-DC scenario. * Starts a manually-controlled backend auth-server node in cross-DC scenario.
* @param dcIndex * @param dc
* @param nodeIndex * @param nodeIndex
* @return Started instance descriptor. * @return Started instance descriptor.
*/ */
@ -275,6 +281,8 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
assertThat((Integer) nodeIndex, lessThan(dcNodes.size())); assertThat((Integer) nodeIndex, lessThan(dcNodes.size()));
ContainerInfo dcNode = dcNodes.get(nodeIndex); ContainerInfo dcNode = dcNodes.get(nodeIndex);
assertTrue("Node " + dcNode.getQualifier() + " has to be controlled manually", dcNode.isManual()); assertTrue("Node " + dcNode.getQualifier() + " has to be controlled manually", dcNode.isManual());
log.infof("Starting backend node: %s (dcIndex: %d, nodeIndex: %d)", dcNode.getQualifier(), dcIndex, nodeIndex);
containerController.start(dcNode.getQualifier()); containerController.start(dcNode.getQualifier());
createRESTClientsForNode(dcNode); createRESTClientsForNode(dcNode);
@ -284,7 +292,7 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
/** /**
* Stops a manually-controlled backend auth-server node in cross-DC scenario. * Stops a manually-controlled backend auth-server node in cross-DC scenario.
* @param dcIndex * @param dc
* @param nodeIndex * @param nodeIndex
* @return Stopped instance descriptor. * @return Stopped instance descriptor.
*/ */
@ -298,13 +306,15 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
removeRESTClientsForNode(dcNode); removeRESTClientsForNode(dcNode);
assertTrue("Node " + dcNode.getQualifier() + " has to be controlled manually", dcNode.isManual()); assertTrue("Node " + dcNode.getQualifier() + " has to be controlled manually", dcNode.isManual());
log.infof("Stopping backend node: %s (dcIndex: %d, nodeIndex: %d)", dcNode.getQualifier(), dcIndex, nodeIndex);
containerController.stop(dcNode.getQualifier()); containerController.stop(dcNode.getQualifier());
return dcNode; return dcNode;
} }
/** /**
* Returns stream of all nodes in the given dc that are started manually. * Returns stream of all nodes in the given dc that are started manually.
* @param dcIndex * @param dc
* @return * @return
*/ */
public Stream<ContainerInfo> getManuallyStartedBackendNodes(DC dc) { public Stream<ContainerInfo> getManuallyStartedBackendNodes(DC dc) {
@ -315,7 +325,7 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
/** /**
* Returns stream of all nodes in the given dc that are started automatically. * Returns stream of all nodes in the given dc that are started automatically.
* @param dcIndex * @param dc
* @return * @return
*/ */
public Stream<ContainerInfo> getAutomaticallyStartedBackendNodes(DC dc) { public Stream<ContainerInfo> getAutomaticallyStartedBackendNodes(DC dc) {

23
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/crossdc/ActionTokenCrossDCTest.java
View file

@ -42,6 +42,8 @@ import org.keycloak.testsuite.arquillian.annotation.JmxInfinispanChannelStatisti
import org.keycloak.testsuite.arquillian.InfinispanStatistics; import org.keycloak.testsuite.arquillian.InfinispanStatistics;
import org.keycloak.testsuite.arquillian.InfinispanStatistics.Constants; import org.keycloak.testsuite.arquillian.InfinispanStatistics.Constants;
import org.keycloak.testsuite.pages.ProceedPage; import org.keycloak.testsuite.pages.ProceedPage;
import java.util.Map;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
import org.hamcrest.Matchers; import org.hamcrest.Matchers;
import static org.hamcrest.Matchers.greaterThan; import static org.hamcrest.Matchers.greaterThan;
@ -104,8 +106,6 @@ public class ActionTokenCrossDCTest extends AbstractAdminCrossDCTest {
String link = MailUtils.getPasswordResetEmailLink(message); String link = MailUtils.getPasswordResetEmailLink(message);
Retry.execute(() -> channelStatisticsCrossDc.reset(), 3, 100);
assertSingleStatistics(cacheDc0Node0Statistics, Constants.STAT_CACHE_NUMBER_OF_ENTRIES, assertSingleStatistics(cacheDc0Node0Statistics, Constants.STAT_CACHE_NUMBER_OF_ENTRIES,
() -> driver.navigate().to(link), () -> driver.navigate().to(link),
Matchers::is Matchers::is
@ -115,10 +115,21 @@ public class ActionTokenCrossDCTest extends AbstractAdminCrossDCTest {
proceedPage.clickProceedLink(); proceedPage.clickProceedLink();
passwordUpdatePage.assertCurrent(); passwordUpdatePage.assertCurrent();
// Verify that there was at least one message sent via the channel // Verify that there was at least one message sent via the channel - Even if we did the change on DC0, the message may be sent either from DC0 or DC1. Seems it depends on the actionTokens key ownership.
assertSingleStatistics(channelStatisticsCrossDc, Constants.STAT_CHANNEL_SENT_MESSAGES, // In case that it was sent from DC1, we will receive it in DC0.
() -> passwordUpdatePage.changePassword("new-pass", "new-pass"), assertStatistics(channelStatisticsCrossDc,
old -> greaterThan((Comparable) 0l) () -> {
passwordUpdatePage.changePassword("new-pass", "new-pass");
},
(Map<String, Object> oldStats, Map<String, Object> newStats) -> {
int oldSent = ((Number) oldStats.get(Constants.STAT_CHANNEL_SENT_MESSAGES)).intValue();
int newSent = ((Number) newStats.get(Constants.STAT_CHANNEL_SENT_MESSAGES)).intValue();
int oldReceived = ((Number) oldStats.get(Constants.STAT_CHANNEL_RECEIVED_MESSAGES)).intValue();
int newReceived = ((Number) newStats.get(Constants.STAT_CHANNEL_RECEIVED_MESSAGES)).intValue();
log.infof("oldSent: %d, newSent: %d, oldReceived: %d, newReceived: %d", oldSent, newSent, oldReceived, newReceived);
Assert.assertTrue(newSent - oldSent > 0 || newReceived - oldReceived > 0);
}
); );
assertEquals("Your account has been updated.", driver.getTitle()); assertEquals("Your account has been updated.", driver.getTitle());

39
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/crossdc/BruteForceCrossDCTest.java
View file

@ -21,6 +21,9 @@ import java.io.IOException;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import javax.ws.rs.NotFoundException; import javax.ws.rs.NotFoundException;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.TargetsContainer;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
@ -31,9 +34,11 @@ import org.keycloak.models.UserLoginFailureModel;
import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.Assert; import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.Retry; import org.keycloak.testsuite.Retry;
import org.keycloak.testsuite.client.KeycloakTestingClient; import org.keycloak.testsuite.client.KeycloakTestingClient;
import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
import org.keycloak.testsuite.util.ClientBuilder; import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.OAuthClient; import org.keycloak.testsuite.util.OAuthClient;
import org.keycloak.testsuite.util.RealmBuilder; import org.keycloak.testsuite.util.RealmBuilder;
@ -45,7 +50,31 @@ import org.keycloak.testsuite.util.UserBuilder;
public class BruteForceCrossDCTest extends AbstractAdminCrossDCTest { public class BruteForceCrossDCTest extends AbstractAdminCrossDCTest {
private static final String REALM_NAME = "brute-force-test"; private static final String REALM_NAME = "brute-force-test";
@Deployment(name = "dc0")
@TargetsContainer(QUALIFIER_AUTH_SERVER_DC_0_NODE_1)
public static WebArchive deployDC0() {
return RunOnServerDeployment.create(
BruteForceCrossDCTest.class,
AbstractAdminCrossDCTest.class,
AbstractCrossDCTest.class,
AbstractTestRealmKeycloakTest.class,
KeycloakTestingClient.class
);
}
@Deployment(name = "dc1")
@TargetsContainer(QUALIFIER_AUTH_SERVER_DC_1_NODE_1)
public static WebArchive deployDC1() {
return RunOnServerDeployment.create(
BruteForceCrossDCTest.class,
AbstractAdminCrossDCTest.class,
AbstractCrossDCTest.class,
AbstractTestRealmKeycloakTest.class,
KeycloakTestingClient.class
);
}
@Before @Before
public void beforeTest() { public void beforeTest() {
try { try {
@ -93,7 +122,7 @@ public class BruteForceCrossDCTest extends AbstractAdminCrossDCTest {
@Test @Test
public void testBruteForceWithUserOperations() throws Exception { public void testBruteForceWithUserOperations() throws Exception {
// Enable 1st DC only // Enable 1st node on each DC only
enableDcOnLoadBalancer(DC.FIRST); enableDcOnLoadBalancer(DC.FIRST);
enableDcOnLoadBalancer(DC.SECOND); enableDcOnLoadBalancer(DC.SECOND);
@ -125,7 +154,7 @@ public class BruteForceCrossDCTest extends AbstractAdminCrossDCTest {
@Test @Test
public void testBruteForceWithRealmOperations() throws Exception { public void testBruteForceWithRealmOperations() throws Exception {
// Enable 1st DC only // Enable 1st node on each DC only
enableDcOnLoadBalancer(DC.FIRST); enableDcOnLoadBalancer(DC.FIRST);
enableDcOnLoadBalancer(DC.SECOND); enableDcOnLoadBalancer(DC.SECOND);
@ -162,7 +191,7 @@ public class BruteForceCrossDCTest extends AbstractAdminCrossDCTest {
@Test @Test
public void testDuplicatedPutIfAbsentOperation() throws Exception { public void testDuplicatedPutIfAbsentOperation() throws Exception {
// Enable 1st DC only // Enable 1st node on each DC only
enableDcOnLoadBalancer(DC.FIRST); enableDcOnLoadBalancer(DC.FIRST);
enableDcOnLoadBalancer(DC.SECOND); enableDcOnLoadBalancer(DC.SECOND);
@ -219,7 +248,7 @@ public class BruteForceCrossDCTest extends AbstractAdminCrossDCTest {
} }
// TODO Having this working on Wildfly might be a challenge. Maybe require @Deployment with @TargetsContainer descriptor generated at runtime as we don't know the container qualifier at compile time... Maybe workaround by add endpoint to TestingResourceProvider if needed.. // resolution on Wildfly: make deployment available on both dc0_1 and dc1_1, see @Deployment methods
private void addUserLoginFailure(KeycloakTestingClient testingClient) throws URISyntaxException, IOException { private void addUserLoginFailure(KeycloakTestingClient testingClient) throws URISyntaxException, IOException {
testingClient.server().run(session -> { testingClient.server().run(session -> {
RealmModel realm = session.realms().getRealmByName(REALM_NAME); RealmModel realm = session.realms().getRealmByName(REALM_NAME);

216
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/crossdc/InvalidationCrossDCTest.java Normal file
View file

@ -0,0 +1,216 @@
/*
* Copyright 2017 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.crossdc;
import java.util.List;
import java.util.concurrent.atomic.AtomicInteger;
import javax.ws.rs.core.Response;
import org.junit.Test;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ResourcesResource;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.Retry;
import org.keycloak.testsuite.admin.ApiUtil;
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public class InvalidationCrossDCTest extends AbstractAdminCrossDCTest {
private static final String REALM_NAME = "test";
@Test
public void realmInvalidationTest() throws Exception {
enableDcOnLoadBalancer(DC.FIRST);
enableDcOnLoadBalancer(DC.SECOND);
RealmRepresentation realmDc0 = getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME).toRepresentation();
RealmRepresentation realmDc1 = getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME).toRepresentation();
// Test same realm on both DCs
Assert.assertNull(realmDc0.getDisplayName());
Assert.assertTrue(realmDc0.isRegistrationAllowed());
Assert.assertNull(realmDc1.getDisplayName());
Assert.assertTrue(realmDc1.isRegistrationAllowed());
// Update realm on DC0
realmDc0.setRegistrationAllowed(false);
realmDc0.setDisplayName("Cool Realm!");
getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME).update(realmDc0);
// Assert updated on both DC0 and DC1 (here retry is needed. We need to wait until invalidation message arrives)
realmDc0 = getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME).toRepresentation();
Assert.assertEquals("Cool Realm!", realmDc0.getDisplayName());
Assert.assertFalse(realmDc0.isRegistrationAllowed());
AtomicInteger i = new AtomicInteger(0);
Retry.execute(() -> {
i.incrementAndGet();
RealmRepresentation realmDcc1 = getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME).toRepresentation();
Assert.assertEquals("Cool Realm!", realmDcc1.getDisplayName());
Assert.assertFalse(realmDcc1.isRegistrationAllowed());
}, 50, 50);
log.infof("realmInvalidationTest: Passed after '%d' iterations", i.get());
}
@Test
public void clientInvalidationTest() throws Exception {
enableDcOnLoadBalancer(DC.FIRST);
enableDcOnLoadBalancer(DC.SECOND);
ClientResource clientResourceDc0 = ApiUtil.findClientByClientId(getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME), "named-test-app");
ClientResource clientResourceDc1 = ApiUtil.findClientByClientId(getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME), "named-test-app");
ClientRepresentation clientDc0 = clientResourceDc0.toRepresentation();
ClientRepresentation clientDc1 = clientResourceDc1.toRepresentation();
// Test same client on both DCs
Assert.assertEquals("My Named Test App", clientDc0.getName());
Assert.assertEquals("My Named Test App", clientDc1.getName());
// Update client on DC0
clientDc0.setName("Changed Test App");
clientResourceDc0.update(clientDc0);
// Assert updated on both DC0 and DC1 (here retry is needed. We need to wait until invalidation message arrives)
clientDc0 = clientResourceDc0.toRepresentation();
Assert.assertEquals("Changed Test App", clientDc0.getName());
AtomicInteger i = new AtomicInteger(0);
Retry.execute(() -> {
i.incrementAndGet();
ClientRepresentation clientDcc1 = clientResourceDc1.toRepresentation();
Assert.assertEquals("Changed Test App", clientDcc1.getName());
}, 50, 50);
log.infof("clientInvalidationTest: Passed after '%d' iterations", i.get());
}
@Test
public void clientListInvalidationTest() throws Exception {
enableDcOnLoadBalancer(DC.FIRST);
enableDcOnLoadBalancer(DC.SECOND);
List<ClientRepresentation> dc0List = getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME).clients().findAll();
List<ClientRepresentation> dc1List = getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME).clients().findAll();
// Test same clients on both DCs
Assert.assertEquals(dc0List.size(), dc1List.size());
int initialSize = dc0List.size();
// Create client on DC0
ClientRepresentation rep = new ClientRepresentation();
rep.setClientId("some-new-client");
rep.setEnabled(true);
Response response = getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME).clients().create(rep);
Assert.assertEquals(201, response.getStatus());
response.close();
// Assert updated on both DC0 and DC1 (here retry is needed. We need to wait until invalidation message arrives)
dc0List = getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME).clients().findAll();
Assert.assertEquals(initialSize + 1, dc0List.size());
AtomicInteger i = new AtomicInteger(0);
Retry.execute(() -> {
i.incrementAndGet();
List<ClientRepresentation> dc1Listt = getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME).clients().findAll();
Assert.assertEquals(initialSize + 1, dc1Listt.size());
}, 50, 50);
log.infof("clientListInvalidationTest: Passed after '%d' iterations", i.get());
}
@Test
public void userInvalidationTest() throws Exception {
enableDcOnLoadBalancer(DC.FIRST);
enableDcOnLoadBalancer(DC.SECOND);
UserResource userResourceDc0 = ApiUtil.findUserByUsernameId(getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME), "test-user@localhost");
UserResource userResourceDc1 = ApiUtil.findUserByUsernameId(getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME), "test-user@localhost");
UserRepresentation userDc0 = userResourceDc0.toRepresentation();
UserRepresentation userDc1 = userResourceDc1.toRepresentation();
// Test same user on both DCs
Assert.assertEquals("Tom", userDc0.getFirstName());
Assert.assertEquals("Tom", userDc1.getFirstName());
// Update user on DC0
userDc0.setFirstName("Brad");
userResourceDc0.update(userDc0);
// Assert updated on both DC0 and DC1 (here retry is needed. We need to wait until invalidation message arrives)
userDc0 = userResourceDc0.toRepresentation();
Assert.assertEquals("Brad", userDc0.getFirstName());
AtomicInteger i = new AtomicInteger(0);
Retry.execute(() -> {
i.incrementAndGet();
UserRepresentation userDcc1 = userResourceDc1.toRepresentation();
Assert.assertEquals("Brad", userDcc1.getFirstName());
}, 50, 50);
log.infof("userInvalidationTest: Passed after '%d' iterations", i.get());
}
@Test
public void authzResourceInvalidationTest() throws Exception {
enableDcOnLoadBalancer(DC.FIRST);
enableDcOnLoadBalancer(DC.SECOND);
ResourcesResource resourcesDc0Resource = ApiUtil.findClientByClientId(getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME), "test-app-authz").authorization().resources();
ResourcesResource resourcesDc1Resource = ApiUtil.findClientByClientId(getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME), "test-app-authz").authorization().resources();
ResourceRepresentation resDc0 = resourcesDc0Resource.findByName("Premium Resource").get(0);
ResourceRepresentation resDc1 = resourcesDc1Resource.findByName("Premium Resource").get(0);
// Test same resource on both DCs
Assert.assertEquals("/protected/premium/*", resDc0.getUri());
Assert.assertEquals("/protected/premium/*", resDc1.getUri());
// Update resource on DC0
resDc0.setUri("/protected/ultra/premium/*");
resourcesDc0Resource.resource(resDc0.getId()).update(resDc0);
// Assert updated on both DC0 and DC1 (here retry is needed. We need to wait until invalidation message arrives)
resDc0 = resourcesDc0Resource.findByName("Premium Resource").get(0);
Assert.assertEquals("/protected/ultra/premium/*", resDc0.getUri());
AtomicInteger i = new AtomicInteger(0);
Retry.execute(() -> {
i.incrementAndGet();
ResourceRepresentation ressDc1 = resourcesDc1Resource.findByName("Premium Resource").get(0);
Assert.assertEquals("/protected/ultra/premium/*", ressDc1.getUri());
}, 50, 50);
log.infof("authzResourceInvalidationTest: Passed after '%d' iterations", i.get());
}
}

35
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java
View file

@ -24,6 +24,7 @@ import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.keycloak.events.Details; import org.keycloak.events.Details;
import org.keycloak.events.Errors; import org.keycloak.events.Errors;
import org.keycloak.events.EventType;
import org.keycloak.models.Constants; import org.keycloak.models.Constants;
import org.keycloak.models.utils.TimeBasedOTP; import org.keycloak.models.utils.TimeBasedOTP;
import org.keycloak.representations.idm.CredentialRepresentation; import org.keycloak.representations.idm.CredentialRepresentation;
@ -35,6 +36,7 @@ import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.pages.AppPage; import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.AppPage.RequestType; import org.keycloak.testsuite.pages.AppPage.RequestType;
import org.keycloak.testsuite.pages.LoginPage; import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.pages.LoginPasswordResetPage;
import org.keycloak.testsuite.pages.LoginTotpPage; import org.keycloak.testsuite.pages.LoginTotpPage;
import org.keycloak.testsuite.pages.RegisterPage; import org.keycloak.testsuite.pages.RegisterPage;
import org.keycloak.testsuite.util.GreenMailRule; import org.keycloak.testsuite.util.GreenMailRule;
@ -44,12 +46,16 @@ import org.keycloak.testsuite.util.UserBuilder;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import static org.junit.Assert.assertEquals;
/** /**
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a> * @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
* @author Stan Silvert ssilvert@redhat.com (C) 2016 Red Hat Inc. * @author Stan Silvert ssilvert@redhat.com (C) 2016 Red Hat Inc.
*/ */
public class BruteForceTest extends AbstractTestRealmKeycloakTest { public class BruteForceTest extends AbstractTestRealmKeycloakTest {
private static String userId;
@Override @Override
public void configureTestRealm(RealmRepresentation testRealm) { public void configureTestRealm(RealmRepresentation testRealm) {
UserRepresentation user = RealmRepUtil.findUser(testRealm, "test-user@localhost"); UserRepresentation user = RealmRepUtil.findUser(testRealm, "test-user@localhost");
@ -62,6 +68,8 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
testRealm.setBruteForceProtected(true); testRealm.setBruteForceProtected(true);
testRealm.setFailureFactor(2); testRealm.setFailureFactor(2);
userId = user.getId();
RealmRepUtil.findClientByClientId(testRealm, "test-app").setDirectAccessGrantsEnabled(true); RealmRepUtil.findClientByClientId(testRealm, "test-app").setDirectAccessGrantsEnabled(true);
testRealm.getUsers().add(UserBuilder.create().username("user2").email("user2@localhost").password("password").build()); testRealm.getUsers().add(UserBuilder.create().username("user2").email("user2@localhost").password("password").build());
} }
@ -74,7 +82,6 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
@After @After
public void slowItDown() throws Exception { public void slowItDown() throws Exception {
Thread.sleep(100); Thread.sleep(100);
} }
@ -90,6 +97,9 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
@Page @Page
protected LoginPage loginPage; protected LoginPage loginPage;
@Page
protected LoginPasswordResetPage resetPasswordPage;
@Page @Page
private RegisterPage registerPage; private RegisterPage registerPage;
@ -215,8 +225,6 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
Assert.assertNull(response.getAccessToken()); Assert.assertNull(response.getAccessToken());
} }
@Test @Test
public void testGrantMissingOtp() throws Exception { public void testGrantMissingOtp() throws Exception {
{ {
@ -384,6 +392,27 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
} }
@Test
public void testResetPassword() throws Exception {
String userId = adminClient.realm("test").users().search("test-user@localhost", null, null, null, 0, 1).get(0).getId();
loginSuccess();
loginInvalidPassword();
loginInvalidPassword();
expectTemporarilyDisabled();
loginPage.resetPassword();
resetPasswordPage.assertCurrent();
resetPasswordPage.changePassword("test-user@localhost");
loginPage.assertCurrent();
assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage());
events.expectRequiredAction(EventType.RESET_PASSWORD_ERROR).user(userId);
events.clear();
clearUserFailures();
}
public void expectTemporarilyDisabled() throws Exception { public void expectTemporarilyDisabled() throws Exception {
expectTemporarilyDisabled("test-user@localhost", null); expectTemporarilyDisabled("test-user@localhost", null);
} }

128
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java Normal file
View file

@ -0,0 +1,128 @@
/*
* Copyright 2017 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.forms;
import java.io.IOException;
import javax.mail.MessagingException;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.graphene.page.Page;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Rule;
import org.junit.Test;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.models.KeyManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.RestartLoginCookie;
import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
import org.openqa.selenium.Cookie;
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public class RestartCookieTest extends AbstractTestRealmKeycloakTest {
@Page
protected LoginPage loginPage;
@Rule
public AssertEvents events = new AssertEvents(this);
@Deployment
public static WebArchive deploy() {
return RunOnServerDeployment.create(UserResource.class)
.addPackages(true, "org.keycloak.testsuite");
}
// KC_RESTART cookie from Keycloak 3.1.0
private static final String OLD_RESTART_COOKIE_JSON = "{\n" +
" \"cs\": \"874a1ea8-5579-4f21-add0-903dd8e3ec1b\",\n" +
" \"cid\": \"test-app\",\n" +
" \"pty\": \"openid-connect\",\n" +
" \"ruri\": \"http://localhost:8081/auth/realms/master/app/auth\",\n" +
" \"act\": \"AUTHENTICATE\",\n" +
" \"notes\": {\n" +
" \"auth_type\": \"code\",\n" +
" \"scope\": \"openid\",\n" +
" \"iss\": \"http://localhost:8081/auth/realms/master/app/auth\",\n" +
" \"response_type\": \"code\",\n" +
" \"redirect_uri\": \"http://localhost:8081/auth/realms/master/app/auth/\",\n" +
" \"state\": \"6c983e5b-2dc1-411a-9ed1-0f51095949c5\",\n" +
" \"code_challenge_method\": \"plain\",\n" +
" \"nonce\": \"65639660-99b2-4cdf-bc9f-9978fdce5b03\",\n" +
" \"response_mode\": \"fragment\"\n" +
" }\n" +
"}";
@Override
public void configureTestRealm(RealmRepresentation testRealm) {
}
// KEYCLOAK-5440
@Test
public void invalidLoginAndBackButton() throws IOException, MessagingException {
String oldRestartCookie = testingClient.server().fetchString((KeycloakSession session) -> {
try {
String cookieVal = OLD_RESTART_COOKIE_JSON.replace("\n", "").replace(" ", "");
RealmModel realm = session.realms().getRealmByName("test");
KeyManager.ActiveHmacKey activeKey = session.keys().getActiveHmacKey(realm);
String encodedToken = new JWSBuilder()
.kid(activeKey.getKid())
.content(cookieVal.getBytes("UTF-8"))
.hmac256(activeKey.getSecretKey());
return encodedToken;
} catch (IOException ioe) {
throw new RuntimeException(ioe);
}
});
oauth.openLoginForm();
driver.manage().deleteAllCookies();
driver.manage().addCookie(new Cookie(RestartLoginCookie.KC_RESTART, oldRestartCookie));
loginPage.login("foo", "bar");
loginPage.assertCurrent();
Assert.assertEquals("You took too long to login. Login process starting from beginning.", loginPage.getError());
events.expectLogin().user((String) null).session((String) null).error(Errors.EXPIRED_CODE).clearDetails()
.detail(Details.RESTART_AFTER_TIMEOUT, "true")
.client((String) null)
.assertEvent();
}
}

4
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OIDCProtocolMappersTest.java
View file

@ -52,7 +52,7 @@ import static org.hamcrest.Matchers.containsInAnyOrder;
import static org.hamcrest.Matchers.hasItems; import static org.hamcrest.Matchers.hasItems;
import static org.hamcrest.Matchers.instanceOf; import static org.hamcrest.Matchers.instanceOf;
import static org.hamcrest.Matchers.is; import static org.hamcrest.Matchers.is;
import static org.hamcrest.Matchers.isEmptyString; import static org.hamcrest.Matchers.isEmptyOrNullString;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull; import static org.junit.Assert.assertNull;
@ -266,7 +266,7 @@ public class OIDCProtocolMappersTest extends AbstractKeycloakTest {
IDToken idToken = oauth.verifyIDToken(response.getIdToken()); IDToken idToken = oauth.verifyIDToken(response.getIdToken());
Object empty = idToken.getOtherClaims().get("empty"); Object empty = idToken.getOtherClaims().get("empty");
assertThat((empty == null ? null : (String) empty), isEmptyString()); assertThat((empty == null ? null : (String) empty), isEmptyOrNullString());
Object nulll = idToken.getOtherClaims().get("null"); Object nulll = idToken.getOtherClaims().get("null");
assertNull(nulll); assertNull(nulll);

78
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/util/URLAssert.java
View file

@ -46,47 +46,85 @@ import static org.keycloak.testsuite.util.URLUtils.currentUrlStartWith;
*/ */
public class URLAssert { public class URLAssert {
public static void assertCurrentUrlEquals(AbstractPage page) { public static void assertCurrentUrlEquals(final AbstractPage page, WebDriver driver) {
assertCurrentUrlEquals(page.getDriver(), page); assertCurrentUrlEquals(page.toString(), driver);
} }
public static void assertCurrentUrlEquals(WebDriver driver, final AbstractPage page) { public static void assertCurrentUrlEquals(final String url, WebDriver driver) {
String expected = page.toString(); DroneUtils.addWebDriver(driver);
assertTrue("Expected URL: " + expected + "; actual: " + driver.getCurrentUrl(), assertCurrentUrlEquals(url);
currentUrlEqual(page.toString())); DroneUtils.removeWebDriver();
} }
public static void assertCurrentUrlEquals(WebDriver driver, final String url) { public static void assertCurrentUrlEquals(final AbstractPage page) {
assertTrue("Expected URL: " + url + "; actual: " + driver.getCurrentUrl(), assertCurrentUrlEquals(page.toString());
}
public static void assertCurrentUrlEquals(final String url) {
assertTrue("Expected URL: " + url + "; actual: " + DroneUtils.getCurrentDriver().getCurrentUrl(),
currentUrlEqual(url)); currentUrlEqual(url));
} }
public static void assertCurrentUrlStartsWith(AbstractPage page) {
assertCurrentUrlStartsWith(page.getDriver(), page.toString()); public static void assertCurrentUrlStartsWith(final AbstractPage page, WebDriver driver) {
assertCurrentUrlStartsWith(page.toString(), driver);
} }
public static void assertCurrentUrlStartsWith(WebDriver driver, final String url) { public static void assertCurrentUrlStartsWith(final String url, WebDriver driver) {
assertTrue("URL expected to begin with:" + url + "; actual URL: " + driver.getCurrentUrl(), DroneUtils.addWebDriver(driver);
currentUrlStartWith(url)); assertCurrentUrlStartsWith(url);
DroneUtils.removeWebDriver();
}
public static void assertCurrentUrlStartsWith(final AbstractPage page) {
assertCurrentUrlStartsWith(page.toString());
}
public static void assertCurrentUrlStartsWith(final String url){
assertTrue("URL expected to begin with:" + url + "; actual URL: " + DroneUtils.getCurrentDriver().getCurrentUrl(),
currentUrlStartWith(url));
}
public static void assertCurrentUrlDoesntStartWith(final AbstractPage page, WebDriver driver) {
assertCurrentUrlDoesntStartWith(page.toString(), driver);
}
public static void assertCurrentUrlDoesntStartWith(final String url, WebDriver driver) {
DroneUtils.addWebDriver(driver);
assertCurrentUrlDoesntStartWith(url);
DroneUtils.removeWebDriver();
} }
public static void assertCurrentUrlDoesntStartWith(AbstractPage page) { public static void assertCurrentUrlDoesntStartWith(AbstractPage page) {
assertCurrentUrlDoesntStartWith(page.getDriver(), page.toString()); assertCurrentUrlDoesntStartWith(page.toString());
} }
public static void assertCurrentUrlDoesntStartWith(WebDriver driver, final String url) { public static void assertCurrentUrlDoesntStartWith(final String url) {
assertTrue("URL expected NOT to begin with:" + url + "; actual URL: " + driver.getCurrentUrl(), assertTrue("URL expected NOT to begin with:" + url + "; actual URL: " + DroneUtils.getCurrentDriver().getCurrentUrl(),
currentUrlDoesntStartWith(url)); currentUrlDoesntStartWith(url));
} }
public static void assertCurrentUrlStartsWithLoginUrlOf(PageWithLoginUrl page) {
assertCurrentUrlStartsWithLoginUrlOf(page.getDriver(), page); public static void assertCurrentUrlStartsWithLoginUrlOf(final PageWithLoginUrl page, WebDriver driver) {
assertCurrentUrlStartsWithLoginUrlOf(page.getOIDCLoginUrl().toString(), driver);
} }
public static void assertCurrentUrlStartsWithLoginUrlOf(WebDriver driver, PageWithLoginUrl page) { public static void assertCurrentUrlStartsWithLoginUrlOf(final String url, WebDriver driver) {
assertCurrentUrlStartsWith(driver, page.getOIDCLoginUrl().toString()); DroneUtils.addWebDriver(driver);
assertCurrentUrlStartsWithLoginUrlOf(url);
DroneUtils.removeWebDriver();
} }
public static void assertCurrentUrlStartsWithLoginUrlOf(final PageWithLoginUrl page) {
assertCurrentUrlStartsWithLoginUrlOf(page.getOIDCLoginUrl().toString());
}
public static void assertCurrentUrlStartsWithLoginUrlOf(final String url) {
assertCurrentUrlStartsWith(url);
}
public static void assertGetURL(URI url, String accessToken, AssertResponseHandler handler) { public static void assertGetURL(URI url, String accessToken, AssertResponseHandler handler) {
CloseableHttpClient httpclient = HttpClients.createDefault(); CloseableHttpClient httpclient = HttpClients.createDefault();
try { try {

117
testsuite/integration-arquillian/tests/base/src/test/resources/arquillian.xml
View file

@ -64,7 +64,7 @@
<container qualifier="auth-server-undertow" mode="suite" > <container qualifier="auth-server-undertow" mode="suite" >
<configuration> <configuration>
<property name="enabled">${auth.server.undertow} &amp;&amp; ! ${auth.server.undertow.crossdc}</property> <property name="enabled">${auth.server.undertow} &amp;&amp; ! ${auth.server.crossdc}</property>
<property name="bindAddress">0.0.0.0</property> <property name="bindAddress">0.0.0.0</property>
<property name="adapterImplClass">org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow</property> <property name="adapterImplClass">org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow</property>
<property name="bindHttpPort">${auth.server.http.port}</property> <property name="bindHttpPort">${auth.server.http.port}</property>
@ -74,7 +74,7 @@
<container qualifier="auth-server-${auth.server}" mode="suite" > <container qualifier="auth-server-${auth.server}" mode="suite" >
<configuration> <configuration>
<property name="enabled">${auth.server.jboss}</property> <property name="enabled">${auth.server.jboss} &amp;&amp; ! ${auth.server.crossdc}</property>
<property name="adapterImplClass">${auth.server.adapter.impl.class}</property> <property name="adapterImplClass">${auth.server.adapter.impl.class}</property>
<property name="jbossHome">${auth.server.home}</property> <property name="jbossHome">${auth.server.home}</property>
<property name="${auth.server.config.property.name}">${auth.server.config.property.value}</property> <property name="${auth.server.config.property.name}">${auth.server.config.property.value}</property>
@ -186,18 +186,18 @@
</group> </group>
<!-- Cross DC with embedded undertow. Node numbering is [centre #].[node #] --> <!-- Cross DC. Node numbering is [centre #].[node #] -->
<group qualifier="auth-server-undertow-cross-dc"> <group qualifier="auth-server-jboss-cross-dc">
<container qualifier="cache-server-cross-dc-1" mode="suite" > <container qualifier="cache-server-cross-dc-1" mode="suite" >
<configuration> <configuration>
<property name="enabled">${auth.server.undertow.crossdc} &amp;&amp; ! ${cache.server.lifecycle.skip}</property> <property name="enabled">${auth.server.crossdc} &amp;&amp; ! ${cache.server.lifecycle.skip}</property>
<property name="adapterImplClass">org.jboss.as.arquillian.container.managed.ManagedDeployableContainer</property> <property name="adapterImplClass">org.jboss.as.arquillian.container.managed.ManagedDeployableContainer</property>
<property name="jbossHome">${cache.server.home}</property> <property name="jbossHome">${cache.server.home}</property>
<property name="serverConfig">clustered.xml</property> <property name="serverConfig">clustered.xml</property>
<property name="jbossArguments"> <property name="jbossArguments">
-Djboss.socket.binding.port-offset=${cache.server.port.offset} -Djboss.socket.binding.port-offset=${cache.server.port.offset}
-Djboss.default.multicast.address=234.56.78.99 -Djboss.default.multicast.address=234.56.78.99
-Djboss.node.name=cache-server -Djboss.node.name=cache-server-dc-1
${adapter.test.props} ${adapter.test.props}
${auth.server.profile} ${auth.server.profile}
</property> </property>
@ -213,7 +213,7 @@
<container qualifier="cache-server-cross-dc-2" mode="suite" > <container qualifier="cache-server-cross-dc-2" mode="suite" >
<configuration> <configuration>
<property name="enabled">${auth.server.undertow.crossdc} &amp;&amp; ! ${cache.server.lifecycle.skip}</property> <property name="enabled">${auth.server.crossdc} &amp;&amp; ! ${cache.server.lifecycle.skip}</property>
<property name="adapterImplClass">org.jboss.as.arquillian.container.managed.ManagedDeployableContainer</property> <property name="adapterImplClass">org.jboss.as.arquillian.container.managed.ManagedDeployableContainer</property>
<property name="jbossHome">${cache.server.home}</property> <property name="jbossHome">${cache.server.home}</property>
<property name="setupCleanServerBaseDir">true</property> <property name="setupCleanServerBaseDir">true</property>
@ -238,11 +238,11 @@
<container qualifier="auth-server-balancer-cross-dc" mode="suite" > <container qualifier="auth-server-balancer-cross-dc" mode="suite" >
<configuration> <configuration>
<property name="enabled">${auth.server.undertow.crossdc}</property> <property name="enabled">${auth.server.crossdc}</property>
<property name="adapterImplClass">org.keycloak.testsuite.arquillian.undertow.lb.SimpleUndertowLoadBalancerContainer</property> <property name="adapterImplClass">org.keycloak.testsuite.arquillian.undertow.lb.SimpleUndertowLoadBalancerContainer</property>
<property name="bindAddress">localhost</property> <property name="bindAddress">localhost</property>
<property name="bindHttpPort">${auth.server.http.port}</property> <property name="bindHttpPort">${auth.server.http.port}</property>
<property name="nodes">auth-server-undertow-cross-dc-0_1=http://localhost:8101,auth-server-undertow-cross-dc-0_2-manual=http://localhost:8102,auth-server-undertow-cross-dc-1_1=http://localhost:8111,auth-server-undertow-cross-dc-1_2-manual=http://localhost:8112</property> <property name="nodes">auth-server-${node.name}-cross-dc-0_1=http://localhost:8101,auth-server-${node.name}-cross-dc-0_2-manual=http://localhost:8102,auth-server-${node.name}-cross-dc-1_1=http://localhost:8111,auth-server-${node.name}-cross-dc-1_2-manual=http://localhost:8112</property>
</configuration> </configuration>
</container> </container>
@ -253,7 +253,6 @@
<property name="bindAddress">localhost</property> <property name="bindAddress">localhost</property>
<property name="bindHttpPort">${auth.server.http.port}</property> <property name="bindHttpPort">${auth.server.http.port}</property>
<property name="bindHttpPortOffset">-79</property> <property name="bindHttpPortOffset">-79</property>
<property name="route">auth-server-undertow-cross-dc-0_1</property>
<property name="remoteMode">${undertow.remote}</property> <property name="remoteMode">${undertow.remote}</property>
<property name="dataCenter">0</property> <property name="dataCenter">0</property>
<property name="keycloakConfigPropertyOverrides">{ <property name="keycloakConfigPropertyOverrides">{
@ -277,7 +276,6 @@
<property name="bindAddress">localhost</property> <property name="bindAddress">localhost</property>
<property name="bindHttpPort">${auth.server.http.port}</property> <property name="bindHttpPort">${auth.server.http.port}</property>
<property name="bindHttpPortOffset">-78</property> <property name="bindHttpPortOffset">-78</property>
<property name="route">auth-server-undertow-cross-dc-0_2-manual</property>
<property name="remoteMode">${undertow.remote}</property> <property name="remoteMode">${undertow.remote}</property>
<property name="dataCenter">0</property> <property name="dataCenter">0</property>
<property name="keycloakConfigPropertyOverrides">{ <property name="keycloakConfigPropertyOverrides">{
@ -302,7 +300,6 @@
<property name="bindAddress">localhost</property> <property name="bindAddress">localhost</property>
<property name="bindHttpPort">${auth.server.http.port}</property> <property name="bindHttpPort">${auth.server.http.port}</property>
<property name="bindHttpPortOffset">-69</property> <property name="bindHttpPortOffset">-69</property>
<property name="route">auth-server-undertow-cross-dc-1_1</property>
<property name="remoteMode">${undertow.remote}</property> <property name="remoteMode">${undertow.remote}</property>
<property name="dataCenter">1</property> <property name="dataCenter">1</property>
<property name="keycloakConfigPropertyOverrides">{ <property name="keycloakConfigPropertyOverrides">{
@ -326,7 +323,6 @@
<property name="bindAddress">localhost</property> <property name="bindAddress">localhost</property>
<property name="bindHttpPort">${auth.server.http.port}</property> <property name="bindHttpPort">${auth.server.http.port}</property>
<property name="bindHttpPortOffset">-68</property> <property name="bindHttpPortOffset">-68</property>
<property name="route">auth-server-undertow-cross-dc-1_2-manual</property>
<property name="remoteMode">${undertow.remote}</property> <property name="remoteMode">${undertow.remote}</property>
<property name="dataCenter">1</property> <property name="dataCenter">1</property>
<property name="keycloakConfigPropertyOverrides">{ <property name="keycloakConfigPropertyOverrides">{
@ -343,8 +339,101 @@
}</property> }</property>
</configuration> </configuration>
</container> </container>
</group> <container qualifier="auth-server-jboss-cross-dc-0_1" mode="suite" >
<configuration>
<property name="enabled">${auth.server.jboss.crossdc}</property>
<property name="adapterImplClass">${auth.server.adapter.impl.class}</property>
<property name="jbossHome">${auth.server.crossdc01.home}</property>
<property name="serverConfig">standalone-ha.xml</property>
<property name="jbossArguments">
-Djboss.socket.binding.port-offset=${auth.server.crossdc01.port.offset}
-Djboss.default.multicast.address=234.56.78.1
-Dremote.cache.port=12232
-Djboss.site.name=dc0
-Djboss.node.name=auth-server-${node.name}-cross-dc-0_1
</property>
<property name="javaVmArguments">
-Djava.net.preferIPv4Stack=true
${auth.server.crossdc01.jvm.debug.args}
</property>
<property name="managementPort">${auth.server.crossdc01.management.port}</property>
<property name="bindHttpPortOffset">-79</property>
<property name="dataCenter">0</property>
<property name="startupTimeoutInSeconds">${auth.server.jboss.startup.timeout}</property>
</configuration>
</container>
<container qualifier="auth-server-jboss-cross-dc-0_2-manual" mode="manual" >
<configuration>
<property name="enabled">${auth.server.jboss.crossdc}</property>
<property name="adapterImplClass">${auth.server.adapter.impl.class}</property>
<property name="jbossHome">${auth.server.crossdc02.home}</property>
<property name="serverConfig">standalone-ha.xml</property>
<property name="jbossArguments">
-Djboss.socket.binding.port-offset=${auth.server.crossdc02.port.offset}
-Djboss.default.multicast.address=234.56.78.1
-Dremote.cache.port=12232
-Djboss.site.name=dc0
-Djboss.node.name=auth-server-${node.name}-cross-dc-0_2-manual
</property>
<property name="javaVmArguments">
-Djava.net.preferIPv4Stack=true
${auth.server.crossdc02.jvm.debug.args}
</property>
<property name="managementPort">${auth.server.crossdc02.management.port}</property>
<property name="bindHttpPortOffset">-78</property>
<property name="dataCenter">0</property>
<property name="startupTimeoutInSeconds">${auth.server.jboss.startup.timeout}</property>
</configuration>
</container>
<container qualifier="auth-server-jboss-cross-dc-1_1" mode="suite" >
<configuration>
<property name="enabled">${auth.server.jboss.crossdc}</property>
<property name="adapterImplClass">${auth.server.adapter.impl.class}</property>
<property name="jbossHome">${auth.server.crossdc11.home}</property>
<property name="serverConfig">standalone-ha.xml</property>
<property name="jbossArguments">
-Djboss.socket.binding.port-offset=${auth.server.crossdc11.port.offset}
-Djboss.default.multicast.address=234.56.78.2
-Dremote.cache.port=13232
-Djboss.site.name=dc1
-Djboss.node.name=auth-server-${node.name}-cross-dc-1_1
</property>
<property name="javaVmArguments">
-Djava.net.preferIPv4Stack=true
${auth.server.crossdc11.jvm.debug.args}
</property>
<property name="managementPort">${auth.server.crossdc11.management.port}</property>
<property name="bindHttpPortOffset">-69</property>
<property name="dataCenter">1</property>
<property name="startupTimeoutInSeconds">${auth.server.jboss.startup.timeout}</property>
</configuration>
</container>
<container qualifier="auth-server-jboss-cross-dc-1_2-manual" mode="manual" >
<configuration>
<property name="enabled">${auth.server.jboss.crossdc}</property>
<property name="adapterImplClass">${auth.server.adapter.impl.class}</property>
<property name="jbossHome">${auth.server.crossdc12.home}</property>
<property name="serverConfig">standalone-ha.xml</property>
<property name="jbossArguments">
-Djboss.socket.binding.port-offset=${auth.server.crossdc12.port.offset}
-Djboss.default.multicast.address=234.56.78.2
-Dremote.cache.port=13232
-Djboss.site.name=dc1
-Djboss.node.name=auth-server-${node.name}-cross-dc-1_2-manual
</property>
<property name="javaVmArguments">
-Djava.net.preferIPv4Stack=true
${auth.server.crossdc12.jvm.debug.args}
</property>
<property name="managementPort">${auth.server.crossdc12.management.port}</property>
<property name="bindHttpPortOffset">-68</property>
<property name="dataCenter">1</property>
<property name="startupTimeoutInSeconds">${auth.server.jboss.startup.timeout}</property>
</configuration>
</container>
</group>
<container qualifier="auth-server-balancer-wildfly" mode="suite" > <container qualifier="auth-server-balancer-wildfly" mode="suite" >
<configuration> <configuration>

28
testsuite/integration-arquillian/tests/other/adapters/jboss/wildfly/src/test/java/org/keycloak/testsuite/adapter/example/hal/WildflyConsoleProtectionTest.java
View file

@ -19,20 +19,25 @@ package org.keycloak.testsuite.adapter.example.hal;
import static org.junit.Assert.assertTrue; import static org.junit.Assert.assertTrue;
import static org.keycloak.testsuite.util.IOUtil.loadRealm; import static org.keycloak.testsuite.util.IOUtil.loadRealm;
import java.io.IOException;
import java.util.List; import java.util.List;
import org.jboss.arquillian.graphene.page.Page; import org.jboss.arquillian.graphene.page.Page;
import org.junit.Assume;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.adapter.AbstractAdapterTest; import org.keycloak.testsuite.adapter.AbstractAdapterTest;
import org.keycloak.testsuite.arquillian.AppServerTestEnricher;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainer; import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
import org.keycloak.testsuite.pages.AccountUpdateProfilePage; import org.keycloak.testsuite.pages.AccountUpdateProfilePage;
import org.keycloak.testsuite.pages.AppServerWelcomePage; import org.keycloak.testsuite.pages.AppServerWelcomePage;
import org.keycloak.testsuite.util.WaitUtils; import org.keycloak.testsuite.util.WaitUtils;
import org.wildfly.extras.creaper.core.ManagementClient; import org.wildfly.extras.creaper.core.online.CliException;
import org.wildfly.extras.creaper.core.online.OnlineManagementClient; import org.wildfly.extras.creaper.core.online.OnlineManagementClient;
import org.wildfly.extras.creaper.core.online.OnlineOptions; import org.wildfly.extras.creaper.core.online.operations.Address;
import org.wildfly.extras.creaper.core.online.operations.OperationException;
import org.wildfly.extras.creaper.core.online.operations.Operations;
/** /**
* *
@ -54,14 +59,17 @@ public class WildflyConsoleProtectionTest extends AbstractAdapterTest {
} }
@Before @Before
public void beforeAuthTest() { public void beforeAuthTest() throws IOException, OperationException {
super.beforeAuthTest(); super.beforeAuthTest();
OnlineManagementClient clientWorkerNodeClient = null;
try { try {
OnlineManagementClient clientWorkerNodeClient = ManagementClient.online(OnlineOptions clientWorkerNodeClient = AppServerTestEnricher.getManagementClient();
.standalone()
.hostAndPort("localhost", 10190) Operations operations = new Operations(clientWorkerNodeClient);
.build());
Assume.assumeTrue(operations.exists(Address.subsystem("elytron")));
// Create a realm for both wildfly console and mgmt interface // Create a realm for both wildfly console and mgmt interface
clientWorkerNodeClient.execute("/subsystem=keycloak/realm=jboss-infra:add(auth-server-url=http://localhost:8180/auth,realm-public-key=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB)"); clientWorkerNodeClient.execute("/subsystem=keycloak/realm=jboss-infra:add(auth-server-url=http://localhost:8180/auth,realm-public-key=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB)");
@ -84,8 +92,12 @@ public class WildflyConsoleProtectionTest extends AbstractAdapterTest {
// reload // reload
clientWorkerNodeClient.execute("reload"); clientWorkerNodeClient.execute("reload");
} catch (Exception cause) { } catch (CliException cause) {
throw new RuntimeException("Failed to configure app server", cause); throw new RuntimeException("Failed to configure app server", cause);
} finally {
if (clientWorkerNodeClient != null) {
clientWorkerNodeClient.close();
}
} }
} }

261
testsuite/integration-arquillian/tests/pom.xml
View file

@ -41,10 +41,12 @@
<properties> <properties>
<auth.server>undertow</auth.server> <auth.server>undertow</auth.server>
<auth.server.undertow>true</auth.server.undertow> <auth.server.undertow>true</auth.server.undertow>
<auth.server.undertow.crossdc>false</auth.server.undertow.crossdc>
<auth.server.crossdc>false</auth.server.crossdc> <auth.server.crossdc>false</auth.server.crossdc>
<auth.server.undertow.crossdc>false</auth.server.undertow.crossdc>
<auth.server.jboss.crossdc>false</auth.server.jboss.crossdc>
<cache.server.lifecycle.skip>false</cache.server.lifecycle.skip> <cache.server.lifecycle.skip>false</cache.server.lifecycle.skip>
<auth.server.container>auth-server-${auth.server}</auth.server.container> <auth.server.container>auth-server-${auth.server}</auth.server.container>
<auth.server.home>${containers.home}/${auth.server.container}</auth.server.home> <auth.server.home>${containers.home}/${auth.server.container}</auth.server.home>
<auth.server.config.dir>${auth.server.home}</auth.server.config.dir> <auth.server.config.dir>${auth.server.home}</auth.server.config.dir>
@ -60,16 +62,16 @@
<auth.server.memory.settings>-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m</auth.server.memory.settings> <auth.server.memory.settings>-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m</auth.server.memory.settings>
<auth.server.config.property.name>serverConfig</auth.server.config.property.name> <auth.server.config.property.name>serverConfig</auth.server.config.property.name>
<auth.server.adapter.impl.class>org.jboss.as.arquillian.container.managed.ManagedDeployableContainer</auth.server.adapter.impl.class> <auth.server.adapter.impl.class>org.jboss.as.arquillian.container.managed.ManagedDeployableContainer</auth.server.adapter.impl.class>
<auth.server.jboss.artifactId>integration-arquillian-servers-auth-server-${auth.server}</auth.server.jboss.artifactId> <auth.server.jboss.artifactId>integration-arquillian-servers-auth-server-${auth.server}</auth.server.jboss.artifactId>
<auth.server.jboss.skip.unpack>${auth.server.undertow}</auth.server.jboss.skip.unpack> <auth.server.jboss.skip.unpack>${auth.server.undertow}</auth.server.jboss.skip.unpack>
<auth.server.jboss.startup.timeout>300</auth.server.jboss.startup.timeout> <auth.server.jboss.startup.timeout>300</auth.server.jboss.startup.timeout>
<!--debug properties--> <!--debug properties-->
<auth.server.debug.port>5005</auth.server.debug.port> <auth.server.debug.port>5005</auth.server.debug.port>
<auth.server.debug.suspend>n</auth.server.debug.suspend> <auth.server.debug.suspend>n</auth.server.debug.suspend>
<auth.server.jboss.jvm.debug.args>-agentlib:jdwp=transport=dt_socket,server=y,suspend=${auth.server.debug.suspend},address=${auth.server.host}:${auth.server.debug.port}</auth.server.jboss.jvm.debug.args> <auth.server.jboss.jvm.debug.args>-agentlib:jdwp=transport=dt_socket,server=y,suspend=${auth.server.debug.suspend},address=${auth.server.host}:${auth.server.debug.port}</auth.server.jboss.jvm.debug.args>
<auth.server.remote>false</auth.server.remote> <auth.server.remote>false</auth.server.remote>
<auth.server.profile/> <auth.server.profile/>
<auth.server.feature/> <auth.server.feature/>
@ -91,7 +93,7 @@
<adapter.test.props/> <adapter.test.props/>
<migration.import.properties/> <migration.import.properties/>
<kie.maven.settings/> <kie.maven.settings/>
<examples.home>${project.build.directory}/examples</examples.home> <examples.home>${project.build.directory}/examples</examples.home>
<browser>htmlUnit</browser> <browser>htmlUnit</browser>
@ -242,10 +244,10 @@
<auth.server.config.property.value>${auth.server.config.property.value}</auth.server.config.property.value> <auth.server.config.property.value>${auth.server.config.property.value}</auth.server.config.property.value>
<auth.server.adapter.impl.class>${auth.server.adapter.impl.class}</auth.server.adapter.impl.class> <auth.server.adapter.impl.class>${auth.server.adapter.impl.class}</auth.server.adapter.impl.class>
<auth.server.jboss.jvm.debug.args>${auth.server.jboss.jvm.debug.args}</auth.server.jboss.jvm.debug.args> <auth.server.jboss.jvm.debug.args>${auth.server.jboss.jvm.debug.args}</auth.server.jboss.jvm.debug.args>
<auth.server.profile>${auth.server.profile}</auth.server.profile> <auth.server.profile>${auth.server.profile}</auth.server.profile>
<auth.server.feature>${auth.server.feature}</auth.server.feature> <auth.server.feature>${auth.server.feature}</auth.server.feature>
<frontend.console.output>${frontend.console.output}</frontend.console.output> <frontend.console.output>${frontend.console.output}</frontend.console.output>
<backends.console.output>${backend.console.output}</backends.console.output> <backends.console.output>${backend.console.output}</backends.console.output>
@ -254,7 +256,7 @@
<adapter.test.props>${adapter.test.props}</adapter.test.props> <adapter.test.props>${adapter.test.props}</adapter.test.props>
<migration.import.properties>${migration.import.properties}</migration.import.properties> <migration.import.properties>${migration.import.properties}</migration.import.properties>
<kie.maven.settings>${kie.maven.settings}</kie.maven.settings> <kie.maven.settings>${kie.maven.settings}</kie.maven.settings>
<testsuite.constants>${testsuite.constants}</testsuite.constants> <testsuite.constants>${testsuite.constants}</testsuite.constants>
<cli.log.output>${cli.log.output}</cli.log.output> <cli.log.output>${cli.log.output}</cli.log.output>
<test.intermittent>${test.intermittent}</test.intermittent> <test.intermittent>${test.intermittent}</test.intermittent>
@ -287,10 +289,11 @@
<client.key.passphrase>${client.key.passphrase}</client.key.passphrase> <client.key.passphrase>${client.key.passphrase}</client.key.passphrase>
<auth.server.ocsp.responder.enabled>${auth.server.ocsp.responder.enabled}</auth.server.ocsp.responder.enabled> <auth.server.ocsp.responder.enabled>${auth.server.ocsp.responder.enabled}</auth.server.ocsp.responder.enabled>
<!--cache server properties--> <!--cache server properties-->
<auth.server.crossdc>${auth.server.crossdc}</auth.server.crossdc> <auth.server.crossdc>${auth.server.crossdc}</auth.server.crossdc>
<auth.server.undertow.crossdc>${auth.server.undertow.crossdc}</auth.server.undertow.crossdc> <auth.server.undertow.crossdc>${auth.server.undertow.crossdc}</auth.server.undertow.crossdc>
<auth.server.jboss.crossdc>${auth.server.jboss.crossdc}</auth.server.jboss.crossdc>
<cache.server.lifecycle.skip>${cache.server.lifecycle.skip}</cache.server.lifecycle.skip> <cache.server.lifecycle.skip>${cache.server.lifecycle.skip}</cache.server.lifecycle.skip>
<cache.server>${cache.server}</cache.server> <cache.server>${cache.server}</cache.server>
@ -367,14 +370,13 @@
</dependency> </dependency>
</dependencies> </dependencies>
</profile> </profile>
<profile> <profile>
<id>auth-server-wildfly</id> <id>auth-server-wildfly</id>
<properties> <properties>
<auth.server>wildfly</auth.server> <auth.server>wildfly</auth.server>
<auth.server.jboss>true</auth.server.jboss> <auth.server.jboss>true</auth.server.jboss>
<auth.server.undertow>false</auth.server.undertow> <auth.server.undertow>false</auth.server.undertow>
<auth.server.undertow.crossdc>false</auth.server.undertow.crossdc>
<auth.server.config.property.value>standalone.xml</auth.server.config.property.value> <auth.server.config.property.value>standalone.xml</auth.server.config.property.value>
<auth.server.config.dir>${auth.server.home}/standalone/configuration</auth.server.config.dir> <auth.server.config.dir>${auth.server.home}/standalone/configuration</auth.server.config.dir>
<h2.version>1.3.173</h2.version> <h2.version>1.3.173</h2.version>
@ -393,7 +395,6 @@
<auth.server>eap</auth.server> <auth.server>eap</auth.server>
<auth.server.jboss>true</auth.server.jboss> <auth.server.jboss>true</auth.server.jboss>
<auth.server.undertow>false</auth.server.undertow> <auth.server.undertow>false</auth.server.undertow>
<auth.server.undertow.crossdc>false</auth.server.undertow.crossdc>
<auth.server.config.property.value>standalone.xml</auth.server.config.property.value> <auth.server.config.property.value>standalone.xml</auth.server.config.property.value>
<auth.server.config.dir>${auth.server.home}/standalone/configuration</auth.server.config.dir> <auth.server.config.dir>${auth.server.home}/standalone/configuration</auth.server.config.dir>
<h2.version>1.3.173</h2.version> <h2.version>1.3.173</h2.version>
@ -406,14 +407,199 @@
</dependencies> </dependencies>
</profile> </profile>
<profile>
<id>auth-servers-crossdc-undertow</id>
<properties>
<auth.servers.crossdc>true</auth.servers.crossdc>
<auth.server.undertow.crossdc>true</auth.server.undertow.crossdc>
<node.name>undertow</node.name>
</properties>
<build>
<plugins>
<plugin>
<artifactId>maven-enforcer-plugin</artifactId>
<executions>
<execution>
<id>enforce-profile-activation</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<requireProperty>
<property>cache.server.jboss</property>
<message>Profile "auth-servers-crossdc-undertow" requires activation of another profile: either "cache-server-infinispan" or "cache-server-jdg".</message>
<regex>true</regex>
</requireProperty>
</rules>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<systemPropertyVariables>
<node.name>${node.name}</node.name>
<pageload.timeout>20000</pageload.timeout>
</systemPropertyVariables>
</configuration>
</plugin>
</plugins>
</build>
</profile>
<profile>
<id>auth-servers-crossdc-jboss</id>
<properties>
<auth.servers.crossdc>true</auth.servers.crossdc>
<auth.server.jboss.crossdc>true</auth.server.jboss.crossdc>
<node.name>jboss</node.name>
<auth.server.crossdc01.home>${containers.home}/auth-server-${auth.server}-crossdc01</auth.server.crossdc01.home>
<auth.server.crossdc02.home>${containers.home}/auth-server-${auth.server}-crossdc02</auth.server.crossdc02.home>
<auth.server.crossdc11.home>${containers.home}/auth-server-${auth.server}-crossdc11</auth.server.crossdc11.home>
<auth.server.crossdc12.home>${containers.home}/auth-server-${auth.server}-crossdc12</auth.server.crossdc12.home>
<!-- property specifies keycloak-add-user.json file destination -->
<auth.server.config.dir>${auth.server.crossdc01.home}/standalone/configuration</auth.server.config.dir>
<auth.server.crossdc01.jvm.debug.port>5001</auth.server.crossdc01.jvm.debug.port>
<auth.server.crossdc02.jvm.debug.port>5002</auth.server.crossdc02.jvm.debug.port>
<auth.server.crossdc11.jvm.debug.port>5011</auth.server.crossdc11.jvm.debug.port>
<auth.server.crossdc12.jvm.debug.port>5012</auth.server.crossdc12.jvm.debug.port>
<!-- default is "n", possible to override by e.g. -Dauth.server.crossdc01.debug.suspend=y -->
<auth.server.crossdc01.debug.suspend>${auth.server.debug.suspend}</auth.server.crossdc01.debug.suspend>
<auth.server.crossdc02.debug.suspend>${auth.server.debug.suspend}</auth.server.crossdc02.debug.suspend>
<auth.server.crossdc11.debug.suspend>${auth.server.debug.suspend}</auth.server.crossdc11.debug.suspend>
<auth.server.crossdc12.debug.suspend>${auth.server.debug.suspend}</auth.server.crossdc12.debug.suspend>
</properties>
<build>
<pluginManagement>
<plugins>
<plugin>
<artifactId>maven-antrun-plugin</artifactId>
<executions>
<execution>
<id>copy-auth-server-crossdc-nodes</id>
<phase>process-resources</phase>
<goals>
<goal>run</goal>
</goals>
<configuration>
<target>
<move todir="${auth.server.crossdc01.home}">
<fileset dir="${auth.server.home}"/>
</move>
<copy todir="${auth.server.crossdc02.home}">
<fileset dir="${auth.server.crossdc01.home}"/>
</copy>
<copy todir="${auth.server.crossdc11.home}">
<fileset dir="${auth.server.crossdc01.home}"/>
</copy>
<copy todir="${auth.server.crossdc12.home}">
<fileset dir="${auth.server.crossdc01.home}"/>
</copy>
</target>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</pluginManagement>
<plugins>
<plugin>
<artifactId>maven-enforcer-plugin</artifactId>
<executions>
<execution>
<id>enforce-profiles-activation</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<requireProperty>
<property>cache.server.jboss</property>
<message>Profile "auth-servers-crossdc-jboss" requires activation of another profile: either "cache-server-infinispan" or "cache-server-jdg".</message>
<regex>true</regex>
</requireProperty>
<requireProperty>
<property>auth.server.jboss</property>
<message>Profile "auth-servers-crossdc-jboss" requires activation of another profile: either "auth-server-wildfly" or "auth-server-eap".</message>
<regex>true</regex>
</requireProperty>
</rules>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<configuration>
<systemPropertyVariables>
<pageload.timeout>20000</pageload.timeout>
<run.h2>true</run.h2>
<node.name>${node.name}</node.name>
<auth.server.crossdc01.home>${auth.server.crossdc01.home}</auth.server.crossdc01.home>
<auth.server.crossdc02.home>${auth.server.crossdc02.home}</auth.server.crossdc02.home>
<auth.server.crossdc11.home>${auth.server.crossdc11.home}</auth.server.crossdc11.home>
<auth.server.crossdc12.home>${auth.server.crossdc12.home}</auth.server.crossdc12.home>
<!--8101-->
<auth.server.crossdc01.port.offset>21</auth.server.crossdc01.port.offset>
<!--8102-->
<auth.server.crossdc02.port.offset>22</auth.server.crossdc02.port.offset>
<!--8111-->
<auth.server.crossdc11.port.offset>31</auth.server.crossdc11.port.offset>
<!--8112-->
<auth.server.crossdc12.port.offset>32</auth.server.crossdc12.port.offset>
<auth.server.crossdc01.management.port>10011</auth.server.crossdc01.management.port>
<auth.server.crossdc02.management.port>10012</auth.server.crossdc02.management.port>
<auth.server.crossdc11.management.port>10021</auth.server.crossdc11.management.port>
<auth.server.crossdc12.management.port>10022</auth.server.crossdc12.management.port>
<auth.server.crossdc01.jvm.debug.args>
-agentlib:jdwp=transport=dt_socket,server=y,suspend=${auth.server.crossdc01.debug.suspend},address=localhost:${auth.server.crossdc01.jvm.debug.port}
</auth.server.crossdc01.jvm.debug.args>
<auth.server.crossdc02.jvm.debug.args>
-agentlib:jdwp=transport=dt_socket,server=y,suspend=${auth.server.crossdc02.debug.suspend},address=localhost:${auth.server.crossdc02.jvm.debug.port}
</auth.server.crossdc02.jvm.debug.args>
<auth.server.crossdc11.jvm.debug.args>
-agentlib:jdwp=transport=dt_socket,server=y,suspend=${auth.server.crossdc11.debug.suspend},address=localhost:${auth.server.crossdc11.jvm.debug.port}
</auth.server.crossdc11.jvm.debug.args>
<auth.server.crossdc12.jvm.debug.args>
-agentlib:jdwp=transport=dt_socket,server=y,suspend=${auth.server.crossdc12.debug.suspend},address=localhost:${auth.server.crossdc12.jvm.debug.port}
</auth.server.crossdc12.jvm.debug.args>
</systemPropertyVariables>
</configuration>
</plugin>
<plugin>
<artifactId>maven-antrun-plugin</artifactId>
<configuration>
<!--
skipping execution for <artifactId>integration-arquillian-tests</artifactId>,
it's re-enabled in <artifactId>integration-arquillian-tests-base</artifactId>
-->
<skip>true</skip>
</configuration>
</plugin>
</plugins>
</build>
</profile>
<profile> <profile>
<id>cache-server-infinispan</id> <id>cache-server-infinispan</id>
<properties> <properties>
<cache.server>infinispan</cache.server> <cache.server>infinispan</cache.server>
<auth.server.undertow.crossdc>true</auth.server.undertow.crossdc>
<auth.server.crossdc>true</auth.server.crossdc> <auth.server.crossdc>true</auth.server.crossdc>
<cache.server.jboss>true</cache.server.jboss> <cache.server.jboss>true</cache.server.jboss>
<cache.server.config.dir>${cache.server.home}/standalone/configuration</cache.server.config.dir> <cache.server.config.dir>${cache.server.home}/standalone/configuration</cache.server.config.dir>
<keycloak.testsuite.logging.pattern>%d{HH:mm:ss,SSS} [%t] %-5p [%c{1.}] %m%n</keycloak.testsuite.logging.pattern> <keycloak.testsuite.logging.pattern>%d{HH:mm:ss,SSS} [%t] %-5p [%c{1.}] %m%n</keycloak.testsuite.logging.pattern>
</properties> </properties>
<dependencies> <dependencies>
@ -429,17 +615,15 @@
<artifactId>maven-enforcer-plugin</artifactId> <artifactId>maven-enforcer-plugin</artifactId>
<executions> <executions>
<execution> <execution>
<id>enforce-profile-activation</id>
<goals> <goals>
<goal>enforce</goal> <goal>enforce</goal>
</goals> </goals>
<configuration> <configuration>
<rules> <rules>
<!--requireActiveProfile 'auth-server-wildfly/eap' doesn't work unless the profiles are defined in all submodule poms
using requireProperty instead-->
<requireProperty> <requireProperty>
<property>cache.server</property> <property>auth.servers.crossdc</property>
<regex>(infinispan)|(jdg)</regex> <message>Profile "cache-server-infinispan" requires activation of another profile: either "auth-servers-crossdc-undertow" or "auth-servers-crossdc-jboss".</message>
<regexMessage>Profile "cache-server-infinispan" requires activation of profile "cache-server-infinispan" or "cache-server-jdg".</regexMessage>
</requireProperty> </requireProperty>
</rules> </rules>
</configuration> </configuration>
@ -480,12 +664,11 @@
</pluginManagement> </pluginManagement>
</build> </build>
</profile> </profile>
<profile> <profile>
<id>cache-server-jdg</id> <id>cache-server-jdg</id>
<properties> <properties>
<cache.server>jdg</cache.server> <cache.server>jdg</cache.server>
<auth.server.undertow.crossdc>true</auth.server.undertow.crossdc>
<auth.server.crossdc>true</auth.server.crossdc> <auth.server.crossdc>true</auth.server.crossdc>
<cache.server.jboss>true</cache.server.jboss> <cache.server.jboss>true</cache.server.jboss>
<cache.server.config.dir>${cache.server.home}/standalone/configuration</cache.server.config.dir> <cache.server.config.dir>${cache.server.home}/standalone/configuration</cache.server.config.dir>
@ -504,17 +687,15 @@
<artifactId>maven-enforcer-plugin</artifactId> <artifactId>maven-enforcer-plugin</artifactId>
<executions> <executions>
<execution> <execution>
<id>enforce-profile-activation</id>
<goals> <goals>
<goal>enforce</goal> <goal>enforce</goal>
</goals> </goals>
<configuration> <configuration>
<rules> <rules>
<!--requireActiveProfile 'auth-server-wildfly/eap' doesn't work unless the profiles are defined in all submodule poms
using requireProperty instead-->
<requireProperty> <requireProperty>
<property>cache.server</property> <property>auth.servers.crossdc</property>
<regex>(infinispan)|(jdg)</regex> <message>Profile "cache-server-jdg" requires activation of another profile: either "auth-servers-crossdc-undertow" or "auth-servers-crossdc-jboss".</message>
<regexMessage>Profile "cache-server-jdg" requires activation of profile "cache-server-infinispan" or "cache-server-jdg".</regexMessage>
</requireProperty> </requireProperty>
</rules> </rules>
</configuration> </configuration>
@ -569,8 +750,8 @@
</profile> </profile>
<!-- <!--
profile that enables/disables specified feature, for more details see profile that enables/disables specified feature, for more details see
https://keycloak.gitbooks.io/documentation/content/server_installation/topics/profiles.html https://keycloak.gitbooks.io/documentation/content/server_installation/topics/profiles.html
--> -->
<profile> <profile>
<id>auth-server-enable-disable-feature</id> <id>auth-server-enable-disable-feature</id>
@ -765,7 +946,7 @@
</pluginManagement> </pluginManagement>
</build> </build>
</profile> </profile>
<profile> <profile>
<id>jdbc-driver-dependency</id> <id>jdbc-driver-dependency</id>
<activation> <activation>
@ -807,13 +988,13 @@
</profile> </profile>
<!-- Profiles for migration tests--> <!-- Profiles for migration tests-->
<profile> <profile>
<id>auth-server-migration</id> <id>auth-server-migration</id>
<properties> <properties>
<migration.import.file>target/test-classes/migration-test/migration-realm-${migrated.auth.server.version}.json</migration.import.file> <migration.import.file>target/test-classes/migration-test/migration-realm-${migrated.auth.server.version}.json</migration.import.file>
<migration.import.props.previous> <migration.import.props.previous>
-Dkeycloak.migration.action=import -Dkeycloak.migration.action=import
-Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.provider=singleFile
-Dkeycloak.migration.file=${migration.import.file} -Dkeycloak.migration.file=${migration.import.file}
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
@ -883,8 +1064,8 @@
</plugins> </plugins>
</pluginManagement> </pluginManagement>
</build> </build>
</profile> </profile>
<profile> <profile>
<id>migration-import</id> <id>migration-import</id>
<activation> <activation>
@ -896,7 +1077,7 @@
<properties> <properties>
<migration.import.file>target/test-classes/migration-test/migration-realm-${migrated.auth.server.version}.json</migration.import.file> <migration.import.file>target/test-classes/migration-test/migration-realm-${migrated.auth.server.version}.json</migration.import.file>
<migration.import.properties> <migration.import.properties>
-Dkeycloak.migration.action=import -Dkeycloak.migration.action=import
-Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.provider=singleFile
-Dkeycloak.migration.file=${migration.import.file} -Dkeycloak.migration.file=${migration.import.file}
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
@ -934,7 +1115,7 @@
</plugins> </plugins>
</build> </build>
</profile> </profile>
<profile> <profile>
<id>migration-productized</id> <id>migration-productized</id>
<activation> <activation>
@ -946,7 +1127,7 @@
<migration.import.file>target/test-classes/migration-test/migration-realm-${migrated.version.import.file.suffix}.json</migration.import.file> <migration.import.file>target/test-classes/migration-test/migration-realm-${migrated.version.import.file.suffix}.json</migration.import.file>
</properties> </properties>
</profile> </profile>
<profile> <profile>
<id>no-account</id> <id>no-account</id>
<properties> <properties>
@ -1280,7 +1461,7 @@
<auth.server.management.port.jmx>9999</auth.server.management.port.jmx> <auth.server.management.port.jmx>9999</auth.server.management.port.jmx>
</properties> </properties>
</profile> </profile>
<profile> <profile>
<!--see KEYCLOAK-4793--> <!--see KEYCLOAK-4793-->
<id>kie.maven.settings</id> <id>kie.maven.settings</id>
@ -1299,7 +1480,7 @@
</kie.maven.settings> </kie.maven.settings>
</properties> </properties>
</profile> </profile>
</profiles> </profiles>
</project> </project>

2
testsuite/performance/README.log-tool.md
View file

@ -6,7 +6,7 @@ Perform the usual test run:
``` ```
mvn verify -Pteardown mvn verify -Pteardown
mvn verify -Pprovision mvn verify -Pprovision
mvn verify -Pimport-data -Ddataset=100users -Dimport.workers=10 -DhashIterations=100 mvn verify -Pgenerate-data -Ddataset=100users -Dimport.workers=10 -DhashIterations=100
mvn verify -Ptest -Ddataset=100users -DrunUsers=200 -DrampUpPeriod=10 -DuserThinkTime=0 -DbadLoginAttempts=1 -DrefreshTokenCount=1 -DnumOfIterations=3 mvn verify -Ptest -Ddataset=100users -DrunUsers=200 -DrampUpPeriod=10 -DuserThinkTime=0 -DbadLoginAttempts=1 -DrefreshTokenCount=1 -DnumOfIterations=3
``` ```

39
testsuite/performance/README.md
View file

@ -24,7 +24,7 @@ mvn clean install
# Make sure your Docker daemon is running THEN # Make sure your Docker daemon is running THEN
mvn verify -Pprovision mvn verify -Pprovision
mvn verify -Pimport-data -Ddataset=100u -DnumOfWorkers=10 -DhashIterations=100 mvn verify -Pgenerate-data -Ddataset=100u -DnumOfWorkers=10 -DhashIterations=100
mvn verify -Ptest -Ddataset=100u -DrunUsers=200 -DrampUpPeriod=10 -DuserThinkTime=0 -DbadLoginAttempts=1 -DrefreshTokenCount=1 -DnumOfIterations=3 mvn verify -Ptest -Ddataset=100u -DrunUsers=200 -DrampUpPeriod=10 -DuserThinkTime=0 -DbadLoginAttempts=1 -DrefreshTokenCount=1 -DnumOfIterations=3
``` ```
@ -38,7 +38,7 @@ mvn verify -Pteardown
You can perform all phases in a single run: You can perform all phases in a single run:
``` ```
mvn verify -Pprovision,import-data,test,teardown -Ddataset=100u -DnumOfWorkers=10 -DhashIterations=100 -DrunUsers=200 -DrampUpPeriod=10 mvn verify -Pprovision,generate-data,test,teardown -Ddataset=100u -DnumOfWorkers=10 -DhashIterations=100 -DrunUsers=200 -DrampUpPeriod=10
``` ```
Note: The order in which maven profiles are listed does not determine the order in which profile related plugins are executed. `teardown` profile always executes last. Note: The order in which maven profiles are listed does not determine the order in which profile related plugins are executed. `teardown` profile always executes last.
@ -68,25 +68,26 @@ Provisioning/teardown is performed via `docker-compose` tool. More details in [R
## Testing ## Testing
### Import Data ### Generate Test Data
Usage: `mvn verify -Pimport-data[,cluster] [-Ddataset=DATASET] [-D<dataset.property>=<value>]`. Usage: `mvn verify -Pgenerate-data[,cluster] [-Ddataset=DATASET] [-Dexport-dump] [-D<dataset.property>=<value>]`.
Dataset properties are loaded from `datasets/${dataset}.properties` file. Individual properties can be overriden by specifying `-D` params. Dataset properties are loaded from `datasets/${dataset}.properties` file. Individual properties can be overriden by specifying `-D` params.
Dataset data is first generated as a .json file, and then imported into Keycloak via Admin Client REST API. Dataset data is first generated as a .json file, and then imported into Keycloak via Admin Client REST API.
#### Examples: #### Examples:
- `mvn verify -Pimport-data` - import default dataset - `mvn verify -Pgenerate-data` - generate default dataset
- `mvn verify -Pimport-data -DusersPerRealm=5` - import default dataset, override the `usersPerRealm` property - `mvn verify -Pgenerate-data -DusersPerRealm=5` - generate default dataset, override the `usersPerRealm` property
- `mvn verify -Pimport-data -Ddataset=100u` - import `100u` dataset - `mvn verify -Pgenerate-data -Ddataset=100u` - generate `100u` dataset
- `mvn verify -Pimport-data -Ddataset=100r/default` - import dataset from `datasets/100r/default.properties` - `mvn verify -Pgenerate-data -Ddataset=100r/default` - generate dataset based on `datasets/100r/default.properties`
The data can also be exported from the database, and stored locally as `datasets/${dataset}.sql.gz` The data can also be exported from the database, and stored locally as `datasets/${dataset}.sql.gz`
`DATASET=100u ./prepare-dump.sh` `DATASET=100u ./prepare-dump.sh`
If there is a data dump file available then -Pimport-dump can be used to import the data directly into the database, To speed up dataset initialization part, it is possible to pass `-Dexport-dump` option to have the generated dataset
by-passing Keycloak server completely. exported right after it has been generated. Then, if there is a data dump file available then `-Pimport-dump`
can be used to import the data directly into the database, bypassing Keycloak server completely.
Usage: `mvn verify -Pimport-dump [-Ddataset=DATASET]` Usage: `mvn verify -Pimport-dump [-Ddataset=DATASET]`
@ -98,7 +99,7 @@ Usage: `mvn verify -Pimport-dump [-Ddataset=DATASET]`
Usage: `mvn verify -Ptest[,cluster] [-DrunUsers=N] [-DrampUpPeriod=SECONDS] [-DnumOfIterations=N] [-Ddataset=DATASET] [-D<dataset.property>=<value>]* [-D<test.property>=<value>]* `. Usage: `mvn verify -Ptest[,cluster] [-DrunUsers=N] [-DrampUpPeriod=SECONDS] [-DnumOfIterations=N] [-Ddataset=DATASET] [-D<dataset.property>=<value>]* [-D<test.property>=<value>]* `.
_*Note:* The same dataset properties which were used for data import should be supplied to the `test` phase._ _*Note:* The same dataset properties which were used for data generation/import should be supplied to the `test` phase._
The default test `keycloak.DefaultSimulation` takes the following additional properties: The default test `keycloak.DefaultSimulation` takes the following additional properties:
@ -145,13 +146,13 @@ To view monitoring dashboard open Grafana UI at: `http://localhost:3000/dashboar
### Single-node ### Single-node
- Provision single node of KC + DB, import data, run test, and tear down the provisioned system: - Provision single node of KC + DB, generate data, run test, and tear down the provisioned system:
`mvn verify -Pprovision,import-data,test,teardown -Ddataset=100u -DrunUsers=100` `mvn verify -Pprovision,generate-data,test,teardown -Ddataset=100u -DrunUsers=100`
- Provision single node of KC + DB, import data, no test, no teardown: - Provision single node of KC + DB, generate data, no test, no teardown:
`mvn verify -Pprovision,import-data -Ddataset=100u` `mvn verify -Pprovision,generate-data -Ddataset=100u`
- Run test against provisioned system using 100 concurrent users ramped up over 10 seconds, then tear it down: - Run test against provisioned system using 100 concurrent users ramped up over 10 seconds, then tear it down:
@ -159,13 +160,13 @@ To view monitoring dashboard open Grafana UI at: `http://localhost:3000/dashboar
### Cluster ### Cluster
- Provision a 1-node KC cluster + DB, import data, run test against the provisioned system, then tear it down: - Provision a 1-node KC cluster + DB, generate data, run test against the provisioned system, then tear it down:
`mvn verify -Pprovision,cluster,import-data,test,teardown -Ddataset=100u -DrunUsers=100` `mvn verify -Pprovision,cluster,generate-data,test,teardown -Ddataset=100u -DrunUsers=100`
- Provision a 2-node KC cluster + DB, import data, run test against the provisioned system, then tear it down: - Provision a 2-node KC cluster + DB, generate data, run test against the provisioned system, then tear it down:
`mvn verify -Pprovision,cluster,import-data,test,teardown -Dkeycloak.scale=2 -DusersPerRealm=200 -DrunUsers=200` `mvn verify -Pprovision,cluster,generate-data,test,teardown -Dkeycloak.scale=2 -DusersPerRealm=200 -DrunUsers=200`
## Developing tests in IntelliJ IDEA ## Developing tests in IntelliJ IDEA

45
testsuite/performance/README.provisioning-parameters.md
View file

@ -4,7 +4,7 @@
| Category | Setting | Property | Default value | | Category | Setting | Property | Default value |
|-------------|-------------------------------|------------------------------------|------------------------------------------------------------------| |-------------|-------------------------------|------------------------------------|------------------------------------------------------------------|
| JVM | Memory settings | `keycloak.jvm.memory` | -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m | | JVM | Memory settings | `keycloak.jvm.memory` | -Xms64m -Xmx2g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m |
| Undertow | HTTP Listener max connections | `keycloak.http.max-connections` | 500 | | Undertow | HTTP Listener max connections | `keycloak.http.max-connections` | 500 |
| | AJP Listener max connections | `keycloak.ajp.max-connections` | 500 | | | AJP Listener max connections | `keycloak.ajp.max-connections` | 500 |
| IO | Worker IO thread pool | `keycloak.worker.io-threads` | 2 | | IO | Worker IO thread pool | `keycloak.worker.io-threads` | 2 |
@ -29,35 +29,20 @@
|-------------|-------------------------------|-------------------------|-----------------------------------------------------------------------------------------| |-------------|-------------------------------|-------------------------|-----------------------------------------------------------------------------------------|
| JVM | Memory settings | `infinispan.jvm.memory` | -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -XX:+DisableExplicitGC | | JVM | Memory settings | `infinispan.jvm.memory` | -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -XX:+DisableExplicitGC |
## CPUs ## Docker settings
At the moment it is not possible to dynamically parametrize the number of CPUs for a service via Maven properties or environment variables. By default, there are 4 CPU cores allocated: core 0 for monitoring, core 1 for database (MariaDB), and cores 2 and 3 for Keycloak server.
Default memory limits for database and Keycloak server are 2g. The `cpuset` and `memlimit` parameters set here are set to `cpuset` and
`mem_limit` parameters of docker-compose configuration. See docker-compose documentation for meaning of the values. How to set the parameters
correctly depends on number of factors - number of cpu cores, NUMA, available memory etc., hence it is out of scope of this document.
To change the default value (`cpus: 1`) it is necessary to edit the Docker Compose file. | Container | Setting | Property | Default value |
|-------------|-------------------------------|---------------------------------|-------------------------------------------------------|
| Keycloak | Allocated CPUs | `keycloak.docker.cpuset` | 2-3 |
| | Allocated CPUs for DC1 | `keycloak.dc1.docker.cpuset` | 2-3 |
| | Allocated CPUs for DC2 | `keycloak.dc2.docker.cpuset` | 2-3 |
| | Available memory | `keycloak.docker.memlimit` | 2g |
| MariaDB | Allocated CPUs | `db.docker.cpuset` | 1 |
| | Available memory | `db.docker.memlimit` | 2g |
| Monitoring | Allocated CPUs | `monitoring.docker.cpuset` | 0 |
### Example: Keycloak service using 2 CPU cores
`docker-compose.yml` and `docker-compose-cluster.yml`:
```
services:
...
keycloak:
...
cpus: 2
...
```
`docker-compose-crossdc.yml`:
```
services:
...
keycloak_dc1:
...
cpus: 2
...
keycloak_dc2:
...
cpus: 2
...
```

8
testsuite/performance/docker-compose-cluster.yml
View file

@ -15,7 +15,8 @@ services:
mariadb: mariadb:
build: db/mariadb build: db/mariadb
image: keycloak_test_mariadb:${KEYCLOAK_VERSION:-latest} image: keycloak_test_mariadb:${KEYCLOAK_VERSION:-latest}
cpus: 1 cpuset: ${DB_CPUSET:-1}
mem_limit: ${DB_MEMLIMIT:-1g}
networks: networks:
- keycloak - keycloak
environment: environment:
@ -32,7 +33,8 @@ services:
depends_on: depends_on:
mariadb: mariadb:
condition: service_healthy condition: service_healthy
cpus: 1 cpuset: ${KEYCLOAK_CPUSET:-2-3}
mem_limit: ${KEYCLOAK_MEMLIMIT:-2500m}
networks: networks:
- keycloak - keycloak
environment: environment:
@ -46,7 +48,7 @@ services:
KEYCLOAK_USER: admin KEYCLOAK_USER: admin
KEYCLOAK_PASSWORD: admin KEYCLOAK_PASSWORD: admin
JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx2g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
HTTP_MAX_CONNECTIONS: ${KEYCLOAK_HTTP_MAX_CONNECTIONS:-500} HTTP_MAX_CONNECTIONS: ${KEYCLOAK_HTTP_MAX_CONNECTIONS:-500}
AJP_MAX_CONNECTIONS: ${KEYCLOAK_AJP_MAX_CONNECTIONS:-500} AJP_MAX_CONNECTIONS: ${KEYCLOAK_AJP_MAX_CONNECTIONS:-500}
WORKER_IO_THREADS: ${KEYCLOAK_WORKER_IO_THREADS:-2} WORKER_IO_THREADS: ${KEYCLOAK_WORKER_IO_THREADS:-2}

13
testsuite/performance/docker-compose-crossdc.yml
View file

@ -95,7 +95,8 @@ services:
depends_on: depends_on:
mariadb_dc1: mariadb_dc1:
condition: service_healthy condition: service_healthy
cpus: 1 cpuset: ${DB_CPUSET:-1}
mem_limit: ${DB_MEMLIMIT:-1g}
networks: networks:
- db_replication - db_replication
- dc2_keycloak - dc2_keycloak
@ -122,7 +123,8 @@ services:
# wait for the ispn cluster to be ready before starting keycloak # wait for the ispn cluster to be ready before starting keycloak
infinispan_dc2: infinispan_dc2:
condition: service_healthy condition: service_healthy
cpus: 1 cpuset: ${KEYCLOAK_DC1_CPUSET:-2}
mem_limit: ${KEYCLOAK_MEMLIMIT:-2500m}
networks: networks:
- dc1_keycloak - dc1_keycloak
environment: environment:
@ -138,7 +140,7 @@ services:
INFINISPAN_HOST: infinispan_dc1 INFINISPAN_HOST: infinispan_dc1
SITE: dc1 SITE: dc1
JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx2g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
HTTP_MAX_CONNECTIONS: ${KEYCLOAK_HTTP_MAX_CONNECTIONS:-500} HTTP_MAX_CONNECTIONS: ${KEYCLOAK_HTTP_MAX_CONNECTIONS:-500}
AJP_MAX_CONNECTIONS: ${KEYCLOAK_AJP_MAX_CONNECTIONS:-500} AJP_MAX_CONNECTIONS: ${KEYCLOAK_AJP_MAX_CONNECTIONS:-500}
WORKER_IO_THREADS: ${KEYCLOAK_WORKER_IO_THREADS:-2} WORKER_IO_THREADS: ${KEYCLOAK_WORKER_IO_THREADS:-2}
@ -162,7 +164,8 @@ services:
# wait for first kc instance to be ready before starting another # wait for first kc instance to be ready before starting another
keycloak_dc1: keycloak_dc1:
condition: service_healthy condition: service_healthy
cpus: 1 cpuset: ${KEYCLOAK_DC2_CPUSET:-3}
mem_limit: ${KEYCLOAK_MEMLIMIT:-2500m}
networks: networks:
- dc2_keycloak - dc2_keycloak
environment: environment:
@ -176,7 +179,7 @@ services:
INFINISPAN_HOST: infinispan_dc2 INFINISPAN_HOST: infinispan_dc2
SITE: dc2 SITE: dc2
JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx2g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
HTTP_MAX_CONNECTIONS: ${KEYCLOAK_HTTP_MAX_CONNECTIONS:-500} HTTP_MAX_CONNECTIONS: ${KEYCLOAK_HTTP_MAX_CONNECTIONS:-500}
AJP_MAX_CONNECTIONS: ${KEYCLOAK_AJP_MAX_CONNECTIONS:-500} AJP_MAX_CONNECTIONS: ${KEYCLOAK_AJP_MAX_CONNECTIONS:-500}
WORKER_IO_THREADS: ${KEYCLOAK_WORKER_IO_THREADS:-2} WORKER_IO_THREADS: ${KEYCLOAK_WORKER_IO_THREADS:-2}

3
testsuite/performance/docker-compose-monitoring.yml
View file

@ -11,6 +11,7 @@ services:
monitoring_influxdb: monitoring_influxdb:
image: influxdb image: influxdb
cpuset: ${MONITORING_CPUSET:-1}
volumes: volumes:
- influx:/var/lib/influxdb - influx:/var/lib/influxdb
networks: networks:
@ -26,6 +27,7 @@ services:
monitoring_cadvisor: monitoring_cadvisor:
build: monitoring/cadvisor build: monitoring/cadvisor
image: monitoring_cadvisor image: monitoring_cadvisor
cpuset: ${MONITORING_CPUSET:-1}
hostname: '{{.Node.ID}}' hostname: '{{.Node.ID}}'
volumes: volumes:
- /:/rootfs:ro - /:/rootfs:ro
@ -50,6 +52,7 @@ services:
monitoring_grafana: monitoring_grafana:
build: monitoring/grafana build: monitoring/grafana
image: monitoring_grafana image: monitoring_grafana
cpuset: ${MONITORING_CPUSET:-1}
depends_on: depends_on:
- monitoring_influxdb - monitoring_influxdb
volumes: volumes:

16
testsuite/performance/docker-compose.yml
View file

@ -5,13 +5,14 @@ networks:
ipam: ipam:
config: config:
- subnet: 10.0.1.0/24 - subnet: 10.0.1.0/24
services: services:
mariadb: mariadb:
build: db/mariadb build: db/mariadb
image: keycloak_test_mariadb:${KEYCLOAK_VERSION:-latest} image: keycloak_test_mariadb:${KEYCLOAK_VERSION:-latest}
cpus: 1 cpuset: ${DB_CPUSET:-1}
mem_limit: ${DB_MEMLIMIT:-1g}
networks: networks:
- keycloak - keycloak
environment: environment:
@ -22,14 +23,15 @@ services:
MYSQL_INITDB_SKIP_TZINFO: 1 MYSQL_INITDB_SKIP_TZINFO: 1
ports: ports:
- "3306:3306" - "3306:3306"
keycloak: keycloak:
build: keycloak build: keycloak
image: keycloak_test_keycloak:${KEYCLOAK_VERSION:-latest} image: keycloak_test_keycloak:${KEYCLOAK_VERSION:-latest}
depends_on: depends_on:
mariadb: mariadb:
condition: service_healthy condition: service_healthy
cpus: 1 cpuset: ${KEYCLOAK_CPUSET:-2-3}
mem_limit: ${KEYCLOAK_MEMLIMIT:-2500m}
networks: networks:
- keycloak - keycloak
environment: environment:
@ -40,7 +42,7 @@ services:
KEYCLOAK_USER: admin KEYCLOAK_USER: admin
KEYCLOAK_PASSWORD: admin KEYCLOAK_PASSWORD: admin
# docker-compose syntax note: ${ENV_VAR:-<DEFAULT_VALUE>} # docker-compose syntax note: ${ENV_VAR:-<DEFAULT_VALUE>}
JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx2g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
HTTP_MAX_CONNECTIONS: ${KEYCLOAK_HTTP_MAX_CONNECTIONS:-500} HTTP_MAX_CONNECTIONS: ${KEYCLOAK_HTTP_MAX_CONNECTIONS:-500}
WORKER_IO_THREADS: ${KEYCLOAK_WORKER_IO_THREADS:-2} WORKER_IO_THREADS: ${KEYCLOAK_WORKER_IO_THREADS:-2}
WORKER_TASK_MAX_THREADS: ${KEYCLOAK_WORKER_TASK_MAX_THREADS:-16} WORKER_TASK_MAX_THREADS: ${KEYCLOAK_WORKER_TASK_MAX_THREADS:-16}
@ -50,4 +52,4 @@ services:
DS_PS_CACHE_SIZE: ${KEYCLOAK_DS_PS_CACHE_SIZE:-100} DS_PS_CACHE_SIZE: ${KEYCLOAK_DS_PS_CACHE_SIZE:-100}
ports: ports:
- "8080:8080" - "8080:8080"
- "9990:9990" - "9990:9990"

29
testsuite/performance/keycloak/Dockerfile
View file

@ -17,26 +17,23 @@ ADD target/keycloak configs/ ./
ADD *.sh /usr/local/bin/ ADD *.sh /usr/local/bin/
USER root USER root
RUN chown -R jboss .; chgrp -R jboss .; RUN chown -R jboss .; chgrp -R jboss .; \
RUN chmod -R -v +x /usr/local/bin/ chmod -R -v +x /usr/local/bin/ ; \
RUN yum install -y epel-release jq iproute && yum clean all yum install -y epel-release jq iproute && yum clean all
USER jboss USER jboss
# install mariadb JDBC driver # install mariadb JDBC driver
RUN mkdir -p modules/system/layers/base/org/mariadb/jdbc/main; \ RUN curl --create-dirs --output modules/system/layers/base/org/mariadb/jdbc/main/mariadb-java-client-2.0.3.jar http://central.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/2.0.3/mariadb-java-client-2.0.3.jar ; \
cd modules/system/layers/base/org/mariadb/jdbc/main; \ $JBOSS_HOME/bin/jboss-cli.sh --file=set-keycloak-ds.cli && \
curl -O http://central.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/2.0.3/mariadb-java-client-2.0.3.jar $JBOSS_HOME/bin/jboss-cli.sh --file=io-worker-threads.cli && \
ADD module.xml modules/system/layers/base/org/mariadb/jdbc/main/ $JBOSS_HOME/bin/jboss-cli.sh --file=undertow.cli && \
# apply configurations $JBOSS_HOME/bin/jboss-cli.sh --file=distributed-cache-owners.cli && \
RUN $JBOSS_HOME/bin/jboss-cli.sh --file=set-keycloak-ds.cli $JBOSS_HOME/bin/jboss-cli.sh --file=modcluster-simple-load-provider.cli && \
RUN $JBOSS_HOME/bin/jboss-cli.sh --file=io-worker-threads.cli if [ "$REMOTE_CACHES" == "true" ]; then $JBOSS_HOME/bin/jboss-cli.sh --file=add-remote-cache-stores.cli; fi && \
RUN $JBOSS_HOME/bin/jboss-cli.sh --file=undertow.cli cd $JBOSS_HOME/standalone; rm -rf configuration/standalone_xml_history log data tmp ; \
RUN $JBOSS_HOME/bin/jboss-cli.sh --file=distributed-cache-owners.cli $JBOSS_HOME/bin/add-user.sh -u $DEBUG_USER -p $DEBUG_USER_PASSWORD
RUN $JBOSS_HOME/bin/jboss-cli.sh --file=modcluster-simple-load-provider.cli
RUN if [ "$REMOTE_CACHES" == "true" ]; then $JBOSS_HOME/bin/jboss-cli.sh --file=add-remote-cache-stores.cli; fi
RUN cd $JBOSS_HOME/standalone; rm -rf configuration/standalone_xml_history log data tmp
RUN $JBOSS_HOME/bin/add-user.sh -u $DEBUG_USER -p $DEBUG_USER_PASSWORD ADD module.xml modules/system/layers/base/org/mariadb/jdbc/main/
EXPOSE 8080 EXPOSE 8080
EXPOSE 9990 EXPOSE 9990

1
testsuite/performance/keycloak/docker-entrypoint.sh
View file

@ -15,4 +15,3 @@ if [ $KEYCLOAK_USER ] && [ $KEYCLOAK_PASSWORD ]; then
fi fi
exec /opt/jboss/keycloak/bin/standalone.sh $PARAMS exec /opt/jboss/keycloak/bin/standalone.sh $PARAMS
exit $?

8
testsuite/performance/prepare-dump.sh
View file

@ -4,13 +4,7 @@ GATLING_HOME=$DIRNAME/tests
if [ -z "$DATASET" ]; then if [ -z "$DATASET" ]; then
echo "This script requires DATASET env variable to be set" echo "This script requires DATASET env variable to be set"
echo 1 exit 1
fi
./prepare-data.sh $@
if [ $? -ne 0 ]; then
echo "Failed! See log file for details."
exit $?
fi fi
echo "Exporting dump file" echo "Exporting dump file"

68
testsuite/performance/tests/pom.xml
View file

@ -39,7 +39,7 @@
<keycloak.server.uris>http://localhost:8080/auth</keycloak.server.uris> <keycloak.server.uris>http://localhost:8080/auth</keycloak.server.uris>
<db.url>jdbc:mariadb://keycloak:keycloak@localhost:3306/keycloak</db.url> <db.url>jdbc:mariadb://keycloak:keycloak@localhost:3306/keycloak</db.url>
<keycloak.jvm.memory>-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m</keycloak.jvm.memory> <keycloak.jvm.memory>-Xms64m -Xmx2g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m</keycloak.jvm.memory>
<keycloak.http.max-connections>500</keycloak.http.max-connections> <keycloak.http.max-connections>500</keycloak.http.max-connections>
<keycloak.ajp.max-connections>500</keycloak.ajp.max-connections> <keycloak.ajp.max-connections>500</keycloak.ajp.max-connections>
<keycloak.worker.io-threads>2</keycloak.worker.io-threads> <keycloak.worker.io-threads>2</keycloak.worker.io-threads>
@ -48,14 +48,25 @@
<keycloak.ds.max-pool-size>100</keycloak.ds.max-pool-size> <keycloak.ds.max-pool-size>100</keycloak.ds.max-pool-size>
<keycloak.ds.pool-prefill>true</keycloak.ds.pool-prefill> <keycloak.ds.pool-prefill>true</keycloak.ds.pool-prefill>
<keycloak.ds.ps-cache-size>100</keycloak.ds.ps-cache-size> <keycloak.ds.ps-cache-size>100</keycloak.ds.ps-cache-size>
<keycloak-lb.jvm.memory>-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m</keycloak-lb.jvm.memory> <keycloak-lb.jvm.memory>-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m</keycloak-lb.jvm.memory>
<keycloak-lb.http.max-connections>500</keycloak-lb.http.max-connections> <keycloak-lb.http.max-connections>500</keycloak-lb.http.max-connections>
<keycloak-lb.worker.io-threads>2</keycloak-lb.worker.io-threads> <keycloak-lb.worker.io-threads>2</keycloak-lb.worker.io-threads>
<keycloak-lb.worker.task-max-threads>16</keycloak-lb.worker.task-max-threads> <keycloak-lb.worker.task-max-threads>16</keycloak-lb.worker.task-max-threads>
<!-- Docker-related properties -->
<db.docker.cpuset>1</db.docker.cpuset>
<keycloak.docker.cpuset>2-3</keycloak.docker.cpuset>
<keycloak.dc1.docker.cpuset>2</keycloak.dc1.docker.cpuset>
<keycloak.dc2.docker.cpuset>3</keycloak.dc2.docker.cpuset>
<monitoring.docker.cpuset>0</monitoring.docker.cpuset>
<db.docker.memlimit>2g</db.docker.memlimit>
<keycloak.docker.memlimit>2g</keycloak.docker.memlimit>
<!-- End of docker-related properties -->
<infinispan.jvm.memory>-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -XX:+DisableExplicitGC</infinispan.jvm.memory> <infinispan.jvm.memory>-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -XX:+DisableExplicitGC</infinispan.jvm.memory>
<dataset>default</dataset> <dataset>default</dataset>
<numOfWorkers>1</numOfWorkers> <numOfWorkers>1</numOfWorkers>
@ -321,6 +332,13 @@
<commandlineArgs>-f ${compose.file} up -d --build ${compose.up.params}</commandlineArgs> <commandlineArgs>-f ${compose.file} up -d --build ${compose.up.params}</commandlineArgs>
<environmentVariables> <environmentVariables>
<KEYCLOAK_VERSION>${project.version}</KEYCLOAK_VERSION> <KEYCLOAK_VERSION>${project.version}</KEYCLOAK_VERSION>
<KEYCLOAK_CPUSET>${keycloak.docker.cpuset}</KEYCLOAK_CPUSET>
<KEYCLOAK_DC1_CPUSET>${keycloak.dc1.docker.cpuset}</KEYCLOAK_DC1_CPUSET>
<KEYCLOAK_DC2_CPUSET>${keycloak.dc2.docker.cpuset}</KEYCLOAK_DC2_CPUSET>
<KEYCLOAK_MEMLIMIT>${keycloak.docker.memlimit}</KEYCLOAK_MEMLIMIT>
<DB_CPUSET>${db.docker.cpuset}</DB_CPUSET>
<DB_MEMLIMIT>${db.docker.memlimit}</DB_MEMLIMIT>
<KEYCLOAK_JVM_MEMORY>${keycloak.jvm.memory}</KEYCLOAK_JVM_MEMORY> <KEYCLOAK_JVM_MEMORY>${keycloak.jvm.memory}</KEYCLOAK_JVM_MEMORY>
<KEYCLOAK_HTTP_MAX_CONNECTIONS>${keycloak.http.max-connections}</KEYCLOAK_HTTP_MAX_CONNECTIONS> <KEYCLOAK_HTTP_MAX_CONNECTIONS>${keycloak.http.max-connections}</KEYCLOAK_HTTP_MAX_CONNECTIONS>
@ -381,7 +399,7 @@
</profile> </profile>
<profile> <profile>
<id>import-data</id> <id>generate-data</id>
<build> <build>
<plugins> <plugins>
<plugin> <plugin>
@ -462,6 +480,43 @@
</build> </build>
</profile> </profile>
<profile>
<id>export-dump-after-generation</id>
<activation>
<activeByDefault>false</activeByDefault>
<property>
<name>export-dump</name>
</property>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<executions>
<execution>
<id>export-dump</id>
<phase>pre-integration-test</phase>
<goals>
<goal>exec</goal>
</goals>
<configuration>
<workingDirectory>${project.basedir}/..</workingDirectory>
<executable>./prepare-dump.sh</executable>
<environmentVariables>
<DATASET>${dataset}</DATASET>
</environmentVariables>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
<profile> <profile>
<id>import-dump</id> <id>import-dump</id>
<build> <build>
@ -581,6 +636,9 @@
<workingDirectory>${project.basedir}/..</workingDirectory> <workingDirectory>${project.basedir}/..</workingDirectory>
<executable>docker-compose</executable> <executable>docker-compose</executable>
<commandlineArgs>-f docker-compose-monitoring.yml up -d --build</commandlineArgs> <commandlineArgs>-f docker-compose-monitoring.yml up -d --build</commandlineArgs>
<environmentVariables>
<MONITORING_CPUSET>${monitoring.docker.cpuset}</MONITORING_CPUSET>
</environmentVariables>
</configuration> </configuration>
</execution> </execution>
</executions> </executions>

4
themes/src/main/resources/theme/base/admin/messages/admin-messages_en.properties
View file

@ -1236,7 +1236,7 @@ authz-add-aggregated-policy=Add Aggregated Policy
authz-add-group-policy=Add Group Policy authz-add-group-policy=Add Group Policy
authz-no-groups-assigned=No groups assigned. authz-no-groups-assigned=No groups assigned.
authz-policy-group-claim=Groups Claim authz-policy-group-claim=Groups Claim
authz-policy-group-claim.tooltip=A claim to use as the source for users group. If the claim is present it must be an array of strings. authz-policy-group-claim.tooltip=A claim to use as the source for user's group. If the claim is present it must be an array of strings.
authz-policy-group-groups.tooltip=Specifies the groups allowed by this policy. authz-policy-group-groups.tooltip=Specifies the groups allowed by this policy.
# Authz Permission List # Authz Permission List
@ -1358,7 +1358,7 @@ view-authz-client-scope-description=Policies that decide if an admin can view th
map-roles-authz-client-scope-description=Policies that decide if an admin can map roles defined by this client map-roles-authz-client-scope-description=Policies that decide if an admin can map roles defined by this client
map-roles-client-scope-authz-client-scope-description=Policies that decide if an admin can apply roles defined by this client to the client scope of another client map-roles-client-scope-authz-client-scope-description=Policies that decide if an admin can apply roles defined by this client to the client scope of another client
map-roles-composite-authz-client-scope-description=Policies that decide if an admin can apply roles defined by this client as a composite to another role map-roles-composite-authz-client-scope-description=Policies that decide if an admin can apply roles defined by this client as a composite to another role
map-role-authz-role-scope-description=Policies that decide if an admin can map role this role to a user or group map-role-authz-role-scope-description=Policies that decide if an admin can map this role to a user or group
map-role-client-scope-authz-role-scope-description=Policies that decide if an admin can apply this role to the client scope of a client map-role-client-scope-authz-role-scope-description=Policies that decide if an admin can apply this role to the client scope of a client
map-role-composite-authz-role-scope-description=Policies that decide if an admin can apply this role as a composite to another role map-role-composite-authz-role-scope-description=Policies that decide if an admin can apply this role as a composite to another role
manage-group-membership-authz-users-scope-description=Policies that decide if an admin can manage group membership for all users in the realm. This is used in conjunction with specific group policy manage-group-membership-authz-users-scope-description=Policies that decide if an admin can manage group membership for all users in the realm. This is used in conjunction with specific group policy

2
themes/src/main/resources/theme/base/admin/resources/templates/kc-tabs-client.html
View file

@ -26,7 +26,7 @@
data-ng-show="serverInfo.featureEnabled('AUTHORIZATION') && !disableAuthorizationTab && client.authorizationServicesEnabled"> data-ng-show="serverInfo.featureEnabled('AUTHORIZATION') && !disableAuthorizationTab && client.authorizationServicesEnabled">
<a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server">{{:: 'authz-authorization' | <a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server">{{:: 'authz-authorization' |
translate}}</a></li> translate}}</a></li>
<li ng-class="{active: path[4] == 'revocation'}" data-ng-show="client.protocol != 'docker-v2'"><a <li ng-class="{active: path[4] == 'revocation'}" data-ng-show="client.protocol != 'docker-v2' && client.protocol != 'saml'"><a
href="#/realms/{{realm.realm}}/clients/{{client.id}}/revocation">{{:: 'revocation' | translate}}</a> href="#/realms/{{realm.realm}}/clients/{{client.id}}/revocation">{{:: 'revocation' | translate}}</a>
</li> </li>
<!-- <li ng-class="{active: path[4] == 'identity-provider'}" data-ng-show="realm.identityFederationEnabled"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/identity-provider">Identity Provider</a></li> --> <!-- <li ng-class="{active: path[4] == 'identity-provider'}" data-ng-show="realm.identityFederationEnabled"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/identity-provider">Identity Provider</a></li> -->