rev
This commit is contained in:
commit
5bd4ea30ad
88 changed files with 2066 additions and 706 deletions
|
@ -50,7 +50,7 @@
|
|||
} else if (initOptions && initOptions.adapter === 'default') {
|
||||
adapter = loadAdapter();
|
||||
} else {
|
||||
if (window.Cordova) {
|
||||
if (window.Cordova || window.cordova) {
|
||||
adapter = loadAdapter('cordova');
|
||||
} else {
|
||||
adapter = loadAdapter();
|
||||
|
@ -948,7 +948,14 @@
|
|||
|
||||
if (type == 'cordova') {
|
||||
loginIframe.enable = false;
|
||||
|
||||
var cordovaOpenWindowWrapper = function(loginUrl, target, options) {
|
||||
if (window.cordova && window.cordova.InAppBrowser) {
|
||||
// Use inappbrowser for IOS and Android if available
|
||||
return window.cordova.InAppBrowser.open(loginUrl, target, options);
|
||||
} else {
|
||||
return window.open(loginUrl, target, options);
|
||||
}
|
||||
};
|
||||
return {
|
||||
login: function(options) {
|
||||
var promise = createPromise();
|
||||
|
@ -959,8 +966,7 @@
|
|||
}
|
||||
|
||||
var loginUrl = kc.createLoginUrl(options);
|
||||
var ref = window.open(loginUrl, '_blank', o);
|
||||
|
||||
var ref = cordovaOpenWindowWrapper(loginUrl, '_blank', o);
|
||||
var completed = false;
|
||||
|
||||
ref.addEventListener('loadstart', function(event) {
|
||||
|
@ -993,7 +999,7 @@
|
|||
var promise = createPromise();
|
||||
|
||||
var logoutUrl = kc.createLogoutUrl(options);
|
||||
var ref = window.open(logoutUrl, '_blank', 'location=no,hidden=yes');
|
||||
var ref = cordovaOpenWindowWrapper(logoutUrl, '_blank', 'location=no,hidden=yes');
|
||||
|
||||
var error;
|
||||
|
||||
|
@ -1026,7 +1032,7 @@
|
|||
|
||||
register : function() {
|
||||
var registerUrl = kc.createRegisterUrl();
|
||||
var ref = window.open(registerUrl, '_blank', 'location=no');
|
||||
var ref = cordovaOpenWindowWrapper(registerUrl, '_blank', 'location=no');
|
||||
ref.addEventListener('loadstart', function(event) {
|
||||
if (event.url.indexOf('http://localhost') == 0) {
|
||||
ref.close();
|
||||
|
@ -1036,7 +1042,7 @@
|
|||
|
||||
accountManagement : function() {
|
||||
var accountUrl = kc.createAccountUrl();
|
||||
var ref = window.open(accountUrl, '_blank', 'location=no');
|
||||
var ref = cordovaOpenWindowWrapper(accountUrl, '_blank', 'location=no');
|
||||
ref.addEventListener('loadstart', function(event) {
|
||||
if (event.url.indexOf('http://localhost') == 0) {
|
||||
ref.close();
|
||||
|
|
|
@ -28,6 +28,7 @@ import org.keycloak.common.VerificationException;
|
|||
import org.keycloak.common.util.Time;
|
||||
import org.keycloak.jose.jws.JWSBuilder;
|
||||
import org.keycloak.representations.AccessToken;
|
||||
import org.keycloak.util.JsonSerialization;
|
||||
import org.keycloak.util.TokenUtil;
|
||||
|
||||
import javax.security.auth.x500.X500Principal;
|
||||
|
@ -126,28 +127,28 @@ public class RSAVerifierTest {
|
|||
return RSATokenVerifier.verifyToken(encoded, idpPair.getPublic(), "http://localhost:8080/auth/realm");
|
||||
}
|
||||
|
||||
/*
|
||||
@Test
|
||||
|
||||
// @Test
|
||||
public void testSpeed() throws Exception
|
||||
{
|
||||
// Took 44 seconds with 50000 iterations
|
||||
byte[] tokenBytes = JsonSerialization.writeValueAsBytes(token);
|
||||
|
||||
byte[] tokenBytes = JsonSerialization.toByteArray(token, false);
|
||||
|
||||
long start = System.currentTimeMillis();
|
||||
int count = 50000;
|
||||
for (int i = 0; i < count; i++)
|
||||
{
|
||||
String encoded = new JWSBuilder()
|
||||
.content(tokenBytes)
|
||||
.rsa256(idpPair.getPrivate());
|
||||
|
||||
long start = System.currentTimeMillis();
|
||||
int count = 10000;
|
||||
for (int i = 0; i < count; i++)
|
||||
{
|
||||
SkeletonKeyTokenVerification v = RSATokenVerifier.verify(null, encoded, metadata);
|
||||
verifySkeletonKeyToken(encoded);
|
||||
|
||||
}
|
||||
long end = System.currentTimeMillis() - start;
|
||||
System.out.println("rate: " + ((double)end/(double)count));
|
||||
System.out.println("took: " + end);
|
||||
}
|
||||
*/
|
||||
|
||||
|
||||
|
||||
@Test
|
||||
|
|
|
@ -16,6 +16,7 @@
|
|||
*/
|
||||
package org.keycloak.models.sessions.infinispan;
|
||||
|
||||
import org.jboss.logging.Logger;
|
||||
import org.keycloak.cluster.ClusterProvider;
|
||||
import org.keycloak.common.util.Time;
|
||||
import org.keycloak.models.*;
|
||||
|
@ -33,6 +34,8 @@ import org.infinispan.Cache;
|
|||
*/
|
||||
public class InfinispanActionTokenStoreProvider implements ActionTokenStoreProvider {
|
||||
|
||||
private static final Logger LOG = Logger.getLogger(InfinispanActionTokenStoreProvider.class);
|
||||
|
||||
private final Cache<ActionTokenReducedKey, ActionTokenValueEntity> actionKeyCache;
|
||||
private final InfinispanKeycloakTransaction tx;
|
||||
private final KeycloakSession session;
|
||||
|
@ -58,6 +61,8 @@ public class InfinispanActionTokenStoreProvider implements ActionTokenStoreProvi
|
|||
ActionTokenReducedKey tokenKey = new ActionTokenReducedKey(key.getUserId(), key.getActionId(), key.getActionVerificationNonce());
|
||||
ActionTokenValueEntity tokenValue = new ActionTokenValueEntity(notes);
|
||||
|
||||
LOG.debugf("Adding used action token to actionTokens cache: %s", tokenKey.toString());
|
||||
|
||||
this.tx.put(actionKeyCache, tokenKey, tokenValue, key.getExpiration() - Time.currentTime(), TimeUnit.SECONDS);
|
||||
}
|
||||
|
||||
|
@ -68,7 +73,15 @@ public class InfinispanActionTokenStoreProvider implements ActionTokenStoreProvi
|
|||
}
|
||||
|
||||
ActionTokenReducedKey key = new ActionTokenReducedKey(actionTokenKey.getUserId(), actionTokenKey.getActionId(), actionTokenKey.getActionVerificationNonce());
|
||||
return this.actionKeyCache.getAdvancedCache().get(key);
|
||||
|
||||
ActionTokenValueModel value = this.actionKeyCache.getAdvancedCache().get(key);
|
||||
if (value == null) {
|
||||
LOG.debugf("Not found any value in actionTokens cache for key: %s", key.toString());
|
||||
} else {
|
||||
LOG.debugf("Found value in actionTokens cache for key: %s", key.toString());
|
||||
}
|
||||
|
||||
return value;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
|
|
@ -45,6 +45,11 @@ public class ActionTokenValueEntity implements ActionTokenValueModel {
|
|||
return notes.get(name);
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return String.format("ActionTokenValueEntity [ notes=%s ]", notes.toString());
|
||||
}
|
||||
|
||||
public static class ExternalizerImpl implements Externalizer<ActionTokenValueEntity> {
|
||||
|
||||
private static final int VERSION_1 = 1;
|
||||
|
|
1
pom.xml
1
pom.xml
|
@ -1433,6 +1433,7 @@
|
|||
<configuration>
|
||||
<forkMode>once</forkMode>
|
||||
<argLine>${surefire.memory.settings}</argLine>
|
||||
<argLine>-Djava.awt.headless=true</argLine>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
|
|
|
@ -22,6 +22,7 @@ import org.keycloak.models.RoleModel;
|
|||
import org.keycloak.models.UserModel;
|
||||
import org.keycloak.models.utils.FormMessage;
|
||||
import org.keycloak.provider.Provider;
|
||||
import org.keycloak.sessions.AuthenticationSessionModel;
|
||||
|
||||
import javax.ws.rs.core.MultivaluedMap;
|
||||
import javax.ws.rs.core.Response;
|
||||
|
@ -75,6 +76,8 @@ public interface LoginFormsProvider extends Provider {
|
|||
|
||||
public Response createCode();
|
||||
|
||||
public LoginFormsProvider setAuthenticationSession(AuthenticationSessionModel authenticationSession);
|
||||
|
||||
public LoginFormsProvider setClientSessionCode(String accessCode);
|
||||
|
||||
public LoginFormsProvider setAccessRequest(List<RoleModel> realmRolesRequested, MultivaluedMap<String,RoleModel> resourceRolesRequested, List<ProtocolMapperModel> protocolMappers);
|
||||
|
|
|
@ -469,6 +469,7 @@ public class AuthenticationProcessor {
|
|||
String accessCode = generateAccessCode();
|
||||
URI action = getActionUrl(accessCode);
|
||||
LoginFormsProvider provider = getSession().getProvider(LoginFormsProvider.class)
|
||||
.setAuthenticationSession(getAuthenticationSession())
|
||||
.setUser(getUser())
|
||||
.setActionUri(action)
|
||||
.setExecution(getExecution().getId())
|
||||
|
@ -609,25 +610,25 @@ public class AuthenticationProcessor {
|
|||
if (e.getError() == AuthenticationFlowError.INVALID_USER) {
|
||||
ServicesLogger.LOGGER.failedAuthentication(e);
|
||||
event.error(Errors.USER_NOT_FOUND);
|
||||
return ErrorPage.error(session, Messages.INVALID_USER);
|
||||
return ErrorPage.error(session, authenticationSession, Messages.INVALID_USER);
|
||||
} else if (e.getError() == AuthenticationFlowError.USER_DISABLED) {
|
||||
ServicesLogger.LOGGER.failedAuthentication(e);
|
||||
event.error(Errors.USER_DISABLED);
|
||||
return ErrorPage.error(session, Messages.ACCOUNT_DISABLED);
|
||||
return ErrorPage.error(session,authenticationSession, Messages.ACCOUNT_DISABLED);
|
||||
} else if (e.getError() == AuthenticationFlowError.USER_TEMPORARILY_DISABLED) {
|
||||
ServicesLogger.LOGGER.failedAuthentication(e);
|
||||
event.error(Errors.USER_TEMPORARILY_DISABLED);
|
||||
return ErrorPage.error(session, Messages.INVALID_USER);
|
||||
return ErrorPage.error(session,authenticationSession, Messages.INVALID_USER);
|
||||
|
||||
} else if (e.getError() == AuthenticationFlowError.INVALID_CLIENT_SESSION) {
|
||||
ServicesLogger.LOGGER.failedAuthentication(e);
|
||||
event.error(Errors.INVALID_CODE);
|
||||
return ErrorPage.error(session, Messages.INVALID_CODE);
|
||||
return ErrorPage.error(session, authenticationSession, Messages.INVALID_CODE);
|
||||
|
||||
} else if (e.getError() == AuthenticationFlowError.EXPIRED_CODE) {
|
||||
ServicesLogger.LOGGER.failedAuthentication(e);
|
||||
event.error(Errors.EXPIRED_CODE);
|
||||
return ErrorPage.error(session, Messages.EXPIRED_CODE);
|
||||
return ErrorPage.error(session, authenticationSession, Messages.EXPIRED_CODE);
|
||||
|
||||
} else if (e.getError() == AuthenticationFlowError.FORK_FLOW) {
|
||||
ForkFlowException reset = (ForkFlowException)e;
|
||||
|
@ -654,13 +655,13 @@ public class AuthenticationProcessor {
|
|||
} else {
|
||||
ServicesLogger.LOGGER.failedAuthentication(e);
|
||||
event.error(Errors.INVALID_USER_CREDENTIALS);
|
||||
return ErrorPage.error(session, Messages.INVALID_USER);
|
||||
return ErrorPage.error(session, authenticationSession, Messages.INVALID_USER);
|
||||
}
|
||||
|
||||
} else {
|
||||
ServicesLogger.LOGGER.failedAuthentication(failure);
|
||||
event.error(Errors.INVALID_USER_CREDENTIALS);
|
||||
return ErrorPage.error(session, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST);
|
||||
return ErrorPage.error(session, authenticationSession, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST);
|
||||
}
|
||||
|
||||
}
|
||||
|
@ -885,7 +886,7 @@ public class AuthenticationProcessor {
|
|||
if (!authSession.getAuthenticatedUser().equals(userSession.getUser())) {
|
||||
event.detail(Details.EXISTING_USER, userSession.getUser().getId());
|
||||
event.error(Errors.DIFFERENT_USER_AUTHENTICATED);
|
||||
throw new ErrorPageException(session, Messages.DIFFERENT_USER_AUTHENTICATED, userSession.getUser().getUsername());
|
||||
throw new ErrorPageException(session, authSession, Messages.DIFFERENT_USER_AUTHENTICATED, userSession.getUser().getUsername());
|
||||
}
|
||||
}
|
||||
userSession.setState(UserSessionModel.State.LOGGED_IN);
|
||||
|
@ -921,7 +922,8 @@ public class AuthenticationProcessor {
|
|||
if (!authenticatedUser.isEnabled()) throw new AuthenticationFlowException(AuthenticationFlowError.USER_DISABLED);
|
||||
if (realm.isBruteForceProtected() && !realm.isPermanentLockout()) {
|
||||
if (getBruteForceProtector().isTemporarilyDisabled(session, realm, authenticatedUser)) {
|
||||
throw new AuthenticationFlowException(AuthenticationFlowError.USER_TEMPORARILY_DISABLED);
|
||||
getEvent().error(Errors.RESET_CREDENTIAL_DISABLED);
|
||||
ServicesLogger.LOGGER.passwordResetFailed(new AuthenticationFlowException(AuthenticationFlowError.USER_TEMPORARILY_DISABLED));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -269,6 +269,7 @@ public class FormAuthenticationFlow implements AuthenticationFlow {
|
|||
String code = processor.generateCode();
|
||||
URI actionUrl = getActionUrl(executionId, code);
|
||||
LoginFormsProvider form = processor.getSession().getProvider(LoginFormsProvider.class)
|
||||
.setAuthenticationSession(processor.getAuthenticationSession())
|
||||
.setActionUri(actionUrl)
|
||||
.setExecution(executionId)
|
||||
.setClientSessionCode(code)
|
||||
|
|
|
@ -166,6 +166,7 @@ public class RequiredActionContextResult implements RequiredActionContext {
|
|||
String accessCode = generateCode();
|
||||
URI action = getActionUrl(accessCode);
|
||||
LoginFormsProvider provider = getSession().getProvider(LoginFormsProvider.class)
|
||||
.setAuthenticationSession(getAuthenticationSession())
|
||||
.setUser(getUser())
|
||||
.setActionUri(action)
|
||||
.setExecution(getExecution())
|
||||
|
|
|
@ -80,6 +80,7 @@ public class ExecuteActionsActionTokenHandler extends AbstractActionTokenHander<
|
|||
String confirmUri = builder.build(realm.getName()).toString();
|
||||
|
||||
return session.getProvider(LoginFormsProvider.class)
|
||||
.setAuthenticationSession(authSession)
|
||||
.setSuccess(Messages.CONFIRM_EXECUTION_OF_ACTIONS)
|
||||
.setAttribute(Constants.TEMPLATE_ATTR_ACTION_URI, confirmUri)
|
||||
.setAttribute(Constants.TEMPLATE_ATTR_REQUIRED_ACTIONS, token.getRequiredActions())
|
||||
|
|
|
@ -81,6 +81,7 @@ public class IdpVerifyAccountLinkActionTokenHandler extends AbstractActionTokenH
|
|||
String confirmUri = builder.build(realm.getName()).toString();
|
||||
|
||||
return session.getProvider(LoginFormsProvider.class)
|
||||
.setAuthenticationSession(authSession)
|
||||
.setSuccess(Messages.CONFIRM_ACCOUNT_LINKING, token.getIdentityProviderUsername(), token.getIdentityProviderAlias())
|
||||
.setAttribute(Constants.TEMPLATE_ATTR_ACTION_URI, confirmUri)
|
||||
.createInfoPage();
|
||||
|
@ -106,6 +107,7 @@ public class IdpVerifyAccountLinkActionTokenHandler extends AbstractActionTokenH
|
|||
}
|
||||
|
||||
return session.getProvider(LoginFormsProvider.class)
|
||||
.setAuthenticationSession(authSession)
|
||||
.setSuccess(Messages.IDENTITY_PROVIDER_LINK_SUCCESS, token.getIdentityProviderAlias(), token.getIdentityProviderUsername())
|
||||
.setAttribute(Constants.SKIP_LINK, true)
|
||||
.createInfoPage();
|
||||
|
|
|
@ -85,7 +85,7 @@ public class ResetCredentialsActionTokenHandler extends AbstractActionTokenHande
|
|||
|
||||
UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realm, authenticationSession);
|
||||
if (!linkingUser.getId().equals(authenticationSession.getAuthenticatedUser().getId())) {
|
||||
return ErrorPage.error(session,
|
||||
return ErrorPage.error(session, authenticationSession,
|
||||
Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE,
|
||||
authenticationSession.getAuthenticatedUser().getUsername(),
|
||||
linkingUser.getUsername()
|
||||
|
|
|
@ -82,6 +82,7 @@ public class VerifyEmailActionTokenHandler extends AbstractActionTokenHander<Ver
|
|||
String confirmUri = builder.build(realm.getName()).toString();
|
||||
|
||||
return session.getProvider(LoginFormsProvider.class)
|
||||
.setAuthenticationSession(authSession)
|
||||
.setSuccess(Messages.CONFIRM_EMAIL_ADDRESS_VERIFICATION, user.getEmail())
|
||||
.setAttribute(Constants.TEMPLATE_ATTR_ACTION_URI, confirmUri)
|
||||
.createInfoPage();
|
||||
|
@ -99,6 +100,7 @@ public class VerifyEmailActionTokenHandler extends AbstractActionTokenHander<Ver
|
|||
asm.removeAuthenticationSession(tokenContext.getRealm(), authSession, true);
|
||||
|
||||
return tokenContext.getSession().getProvider(LoginFormsProvider.class)
|
||||
.setAuthenticationSession(authSession)
|
||||
.setSuccess(Messages.EMAIL_VERIFIED)
|
||||
.createInfoPage();
|
||||
}
|
||||
|
|
|
@ -119,6 +119,7 @@ public class SpnegoAuthenticator extends AbstractUsernameFormAuthenticator imple
|
|||
}
|
||||
if (context.getExecution().isRequired()) {
|
||||
return context.getSession().getProvider(LoginFormsProvider.class)
|
||||
.setAuthenticationSession(context.getAuthenticationSession())
|
||||
.setStatus(Response.Status.UNAUTHORIZED)
|
||||
.setResponseHeader(HttpHeaders.WWW_AUTHENTICATE, negotiateHeader)
|
||||
.setError(Messages.KERBEROS_NOT_ENABLED).createErrorPage();
|
||||
|
|
|
@ -39,7 +39,6 @@ import org.keycloak.models.KeycloakSession;
|
|||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.models.UserModel;
|
||||
import org.keycloak.models.UserSessionModel;
|
||||
import org.keycloak.representations.AccessToken;
|
||||
import org.keycloak.representations.AccessTokenResponse;
|
||||
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
|
||||
import org.keycloak.services.ErrorPage;
|
||||
|
@ -404,7 +403,7 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
|
|||
}
|
||||
event.event(EventType.LOGIN);
|
||||
event.error(Errors.IDENTITY_PROVIDER_LOGIN_FAILURE);
|
||||
return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
|
||||
return ErrorPage.error(session, null, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
|
||||
}
|
||||
|
||||
public SimpleHttp generateTokenRequest(String authorizationCode) {
|
||||
|
|
|
@ -111,14 +111,14 @@ public class OIDCIdentityProvider extends AbstractOAuth2IdentityProvider<OIDCIde
|
|||
EventBuilder event = new EventBuilder(realm, session, clientConnection);
|
||||
event.event(EventType.LOGOUT);
|
||||
event.error(Errors.USER_SESSION_NOT_FOUND);
|
||||
return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
|
||||
return ErrorPage.error(session, null, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
|
||||
}
|
||||
if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
|
||||
logger.error("usersession in different state");
|
||||
EventBuilder event = new EventBuilder(realm, session, clientConnection);
|
||||
event.event(EventType.LOGOUT);
|
||||
event.error(Errors.USER_SESSION_NOT_FOUND);
|
||||
return ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE);
|
||||
return ErrorPage.error(session, null, Messages.SESSION_NOT_ACTIVE);
|
||||
}
|
||||
return AuthenticationManager.finishBrowserLogout(session, realm, userSession, uriInfo, clientConnection, headers);
|
||||
}
|
||||
|
|
|
@ -87,12 +87,10 @@ import java.util.List;
|
|||
import org.keycloak.rotation.HardcodedKeyLocator;
|
||||
import org.keycloak.rotation.KeyLocator;
|
||||
import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator;
|
||||
import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
|
||||
import org.w3c.dom.Element;
|
||||
|
||||
import java.util.*;
|
||||
import javax.xml.crypto.dsig.XMLSignature;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.NodeList;
|
||||
|
||||
/**
|
||||
|
@ -194,18 +192,18 @@ public class SAMLEndpoint {
|
|||
if (!checkSsl()) {
|
||||
event.event(EventType.LOGIN);
|
||||
event.error(Errors.SSL_REQUIRED);
|
||||
return ErrorPage.error(session, Messages.HTTPS_REQUIRED);
|
||||
return ErrorPage.error(session, null, Messages.HTTPS_REQUIRED);
|
||||
}
|
||||
if (!realm.isEnabled()) {
|
||||
event.event(EventType.LOGIN_ERROR);
|
||||
event.error(Errors.REALM_DISABLED);
|
||||
return ErrorPage.error(session, Messages.REALM_NOT_ENABLED);
|
||||
return ErrorPage.error(session, null, Messages.REALM_NOT_ENABLED);
|
||||
}
|
||||
|
||||
if (samlRequest == null && samlResponse == null) {
|
||||
event.event(EventType.LOGIN);
|
||||
event.error(Errors.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
|
||||
}
|
||||
return null;
|
||||
|
@ -247,7 +245,7 @@ public class SAMLEndpoint {
|
|||
event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
|
||||
event.detail(Details.REASON, "invalid_destination");
|
||||
event.error(Errors.INVALID_SAML_RESPONSE);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
}
|
||||
if (config.isValidateSignature()) {
|
||||
try {
|
||||
|
@ -256,7 +254,7 @@ public class SAMLEndpoint {
|
|||
logger.error("validation failed", e);
|
||||
event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
|
||||
event.error(Errors.INVALID_SIGNATURE);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUESTER);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUESTER);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -269,7 +267,7 @@ public class SAMLEndpoint {
|
|||
} else {
|
||||
event.event(EventType.LOGIN);
|
||||
event.error(Errors.INVALID_TOKEN);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -342,6 +340,7 @@ public class SAMLEndpoint {
|
|||
private String getEntityId(UriInfo uriInfo, RealmModel realm) {
|
||||
return UriBuilder.fromUri(uriInfo.getBaseUri()).path("realms").path(realm.getName()).build().toString();
|
||||
}
|
||||
|
||||
protected Response handleLoginResponse(String samlResponse, SAMLDocumentHolder holder, ResponseType responseType, String relayState, String clientId) {
|
||||
|
||||
try {
|
||||
|
@ -360,7 +359,7 @@ public class SAMLEndpoint {
|
|||
logger.error("The assertion is not encrypted, which is required.");
|
||||
event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
|
||||
event.error(Errors.INVALID_SAML_RESPONSE);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUESTER);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUESTER);
|
||||
}
|
||||
|
||||
Element assertionElement;
|
||||
|
@ -380,7 +379,7 @@ public class SAMLEndpoint {
|
|||
logger.error("validation failed");
|
||||
event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
|
||||
event.error(Errors.INVALID_SIGNATURE);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUESTER);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUESTER);
|
||||
}
|
||||
|
||||
AssertionType assertion = responseType.getAssertions().get(0).getAssertion();
|
||||
|
@ -464,7 +463,7 @@ public class SAMLEndpoint {
|
|||
event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
|
||||
event.detail(Details.REASON, "invalid_destination");
|
||||
event.error(Errors.INVALID_SAML_RESPONSE);
|
||||
return ErrorPage.error(session, Messages.INVALID_FEDERATED_IDENTITY_ACTION);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_FEDERATED_IDENTITY_ACTION);
|
||||
}
|
||||
if (config.isValidateSignature()) {
|
||||
try {
|
||||
|
@ -473,7 +472,7 @@ public class SAMLEndpoint {
|
|||
logger.error("validation failed", e);
|
||||
event.event(EventType.IDENTITY_PROVIDER_RESPONSE);
|
||||
event.error(Errors.INVALID_SIGNATURE);
|
||||
return ErrorPage.error(session, Messages.INVALID_FEDERATED_IDENTITY_ACTION);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_FEDERATED_IDENTITY_ACTION);
|
||||
}
|
||||
}
|
||||
if (statusResponse instanceof ResponseType) {
|
||||
|
@ -492,20 +491,20 @@ public class SAMLEndpoint {
|
|||
logger.error("no valid user session");
|
||||
event.event(EventType.LOGOUT);
|
||||
event.error(Errors.USER_SESSION_NOT_FOUND);
|
||||
return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
|
||||
return ErrorPage.error(session, null, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
|
||||
}
|
||||
UserSessionModel userSession = session.sessions().getUserSession(realm, relayState);
|
||||
if (userSession == null) {
|
||||
logger.error("no valid user session");
|
||||
event.event(EventType.LOGOUT);
|
||||
event.error(Errors.USER_SESSION_NOT_FOUND);
|
||||
return ErrorPage.error(session, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
|
||||
return ErrorPage.error(session, null, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
|
||||
}
|
||||
if (userSession.getState() != UserSessionModel.State.LOGGING_OUT) {
|
||||
logger.error("usersession in different state");
|
||||
event.event(EventType.LOGOUT);
|
||||
event.error(Errors.USER_SESSION_NOT_FOUND);
|
||||
return ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE);
|
||||
return ErrorPage.error(session, null, Messages.SESSION_NOT_ACTIVE);
|
||||
}
|
||||
return AuthenticationManager.finishBrowserLogout(session, realm, userSession, uriInfo, clientConnection, headers);
|
||||
}
|
||||
|
|
|
@ -35,6 +35,7 @@ import org.keycloak.theme.Theme;
|
|||
import org.keycloak.theme.ThemeProvider;
|
||||
import org.keycloak.theme.beans.MessageFormatterMethod;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.text.MessageFormat;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collections;
|
||||
|
@ -150,7 +151,6 @@ public class FreeMarkerEmailTemplateProvider implements EmailTemplateProvider {
|
|||
attributes.put("realmName", getRealmName());
|
||||
|
||||
send("executeActionsSubject", "executeActions.ftl", attributes);
|
||||
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -171,8 +171,7 @@ public class FreeMarkerEmailTemplateProvider implements EmailTemplateProvider {
|
|||
|
||||
protected EmailTemplate processTemplate(String subjectKey, List<Object> subjectAttributes, String template, Map<String, Object> attributes) throws EmailException {
|
||||
try {
|
||||
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
|
||||
Theme theme = themeProvider.getTheme(realm.getEmailTheme(), Theme.Type.EMAIL);
|
||||
Theme theme = getTheme();
|
||||
Locale locale = session.getContext().resolveLocale(user);
|
||||
attributes.put("locale", locale);
|
||||
Properties rb = theme.getMessages(locale);
|
||||
|
@ -198,10 +197,18 @@ public class FreeMarkerEmailTemplateProvider implements EmailTemplateProvider {
|
|||
throw new EmailException("Failed to template email", e);
|
||||
}
|
||||
}
|
||||
|
||||
protected Theme getTheme() throws IOException {
|
||||
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
|
||||
return themeProvider.getTheme(realm.getEmailTheme(), Theme.Type.EMAIL);
|
||||
}
|
||||
|
||||
protected void send(String subjectKey, List<Object> subjectAttributes, String template, Map<String, Object> attributes) throws EmailException {
|
||||
try {
|
||||
EmailTemplate email = processTemplate(subjectKey, subjectAttributes, template, attributes);
|
||||
send(email.getSubject(), email.getTextBody(), email.getHtmlBody());
|
||||
} catch (EmailException e){
|
||||
throw e;
|
||||
} catch (Exception e) {
|
||||
throw new EmailException("Failed to template email", e);
|
||||
}
|
||||
|
|
|
@ -71,26 +71,26 @@ public class FreeMarkerAccountProvider implements AccountProvider {
|
|||
|
||||
private static final Logger logger = Logger.getLogger(FreeMarkerAccountProvider.class);
|
||||
|
||||
private UserModel user;
|
||||
private MultivaluedMap<String, String> profileFormData;
|
||||
private Response.Status status = Response.Status.OK;
|
||||
private RealmModel realm;
|
||||
private String[] referrer;
|
||||
private List<Event> events;
|
||||
private String stateChecker;
|
||||
private List<UserSessionModel> sessions;
|
||||
private boolean identityProviderEnabled;
|
||||
private boolean eventsEnabled;
|
||||
private boolean passwordUpdateSupported;
|
||||
private boolean passwordSet;
|
||||
private KeycloakSession session;
|
||||
private FreeMarkerUtil freeMarker;
|
||||
private HttpHeaders headers;
|
||||
protected UserModel user;
|
||||
protected MultivaluedMap<String, String> profileFormData;
|
||||
protected Response.Status status = Response.Status.OK;
|
||||
protected RealmModel realm;
|
||||
protected String[] referrer;
|
||||
protected List<Event> events;
|
||||
protected String stateChecker;
|
||||
protected List<UserSessionModel> sessions;
|
||||
protected boolean identityProviderEnabled;
|
||||
protected boolean eventsEnabled;
|
||||
protected boolean passwordUpdateSupported;
|
||||
protected boolean passwordSet;
|
||||
protected KeycloakSession session;
|
||||
protected FreeMarkerUtil freeMarker;
|
||||
protected HttpHeaders headers;
|
||||
|
||||
private UriInfo uriInfo;
|
||||
protected UriInfo uriInfo;
|
||||
|
||||
private List<FormMessage> messages = null;
|
||||
private MessageType messageType = MessageType.ERROR;
|
||||
protected List<FormMessage> messages = null;
|
||||
protected MessageType messageType = MessageType.ERROR;
|
||||
|
||||
public FreeMarkerAccountProvider(KeycloakSession session, FreeMarkerUtil freeMarker) {
|
||||
this.session = session;
|
||||
|
@ -112,30 +112,16 @@ public class FreeMarkerAccountProvider implements AccountProvider {
|
|||
public Response createResponse(AccountPages page) {
|
||||
Map<String, Object> attributes = new HashMap<String, Object>();
|
||||
|
||||
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
|
||||
Theme theme;
|
||||
try {
|
||||
theme = themeProvider.getTheme(realm.getAccountTheme(), Theme.Type.ACCOUNT);
|
||||
theme = getTheme();
|
||||
} catch (IOException e) {
|
||||
logger.error("Failed to create theme", e);
|
||||
return Response.serverError().build();
|
||||
}
|
||||
|
||||
try {
|
||||
attributes.put("properties", theme.getProperties());
|
||||
} catch (IOException e) {
|
||||
logger.warn("Failed to load properties", e);
|
||||
}
|
||||
|
||||
Locale locale = session.getContext().resolveLocale(user);
|
||||
Properties messagesBundle;
|
||||
try {
|
||||
messagesBundle = theme.getMessages(locale);
|
||||
attributes.put("msg", new MessageFormatterMethod(locale, messagesBundle));
|
||||
} catch (IOException e) {
|
||||
logger.warn("Failed to load messages", e);
|
||||
messagesBundle = new Properties();
|
||||
}
|
||||
Properties messagesBundle = handleThemeResources(theme, locale, attributes);
|
||||
|
||||
URI baseUri = uriInfo.getBaseUri();
|
||||
UriBuilder baseUriBuilder = uriInfo.getBaseUriBuilder();
|
||||
|
@ -148,19 +134,7 @@ public class FreeMarkerAccountProvider implements AccountProvider {
|
|||
attributes.put("stateChecker", stateChecker);
|
||||
}
|
||||
|
||||
MessagesPerFieldBean messagesPerField = new MessagesPerFieldBean();
|
||||
if (messages != null) {
|
||||
MessageBean wholeMessage = new MessageBean(null, messageType);
|
||||
for (FormMessage message : this.messages) {
|
||||
String formattedMessageText = formatMessage(message, messagesBundle, locale);
|
||||
if (formattedMessageText != null) {
|
||||
wholeMessage.appendSummaryLine(formattedMessageText);
|
||||
messagesPerField.addMessage(message.getField(), formattedMessageText, messageType);
|
||||
}
|
||||
}
|
||||
attributes.put("message", wholeMessage);
|
||||
}
|
||||
attributes.put("messagesPerField", messagesPerField);
|
||||
handleMessages(locale, messagesBundle, attributes);
|
||||
|
||||
if (referrer != null) {
|
||||
attributes.put("referrer", new ReferrerBean(referrer));
|
||||
|
@ -173,12 +147,7 @@ public class FreeMarkerAccountProvider implements AccountProvider {
|
|||
attributes.put("url", new UrlBean(realm, theme, baseUri, baseQueryUri, uriInfo.getRequestUri(), stateChecker));
|
||||
|
||||
if (realm.isInternationalizationEnabled()) {
|
||||
UriBuilder b;
|
||||
switch (page) {
|
||||
default:
|
||||
b = UriBuilder.fromUri(baseQueryUri).path(uriInfo.getPath());
|
||||
break;
|
||||
}
|
||||
UriBuilder b = UriBuilder.fromUri(baseQueryUri).path(uriInfo.getPath());
|
||||
attributes.put("locale", new LocaleBean(realm, locale, b, messagesBundle));
|
||||
}
|
||||
|
||||
|
@ -204,8 +173,84 @@ public class FreeMarkerAccountProvider implements AccountProvider {
|
|||
break;
|
||||
case PASSWORD:
|
||||
attributes.put("password", new PasswordBean(passwordSet));
|
||||
break;
|
||||
default:
|
||||
}
|
||||
|
||||
return processTemplate(theme, page, attributes, locale);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get Theme used for page rendering.
|
||||
*
|
||||
* @return theme for page rendering, never null
|
||||
* @throws IOException in case of Theme loading problem
|
||||
*/
|
||||
protected Theme getTheme() throws IOException {
|
||||
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
|
||||
return themeProvider.getTheme(realm.getAccountTheme(), Theme.Type.ACCOUNT);
|
||||
}
|
||||
|
||||
/**
|
||||
* Load message bundle and place it into <code>msg</code> template attribute. Also load Theme properties and place them into <code>properties</code> template attribute.
|
||||
*
|
||||
* @param theme actual Theme to load bundle from
|
||||
* @param locale to load bundle for
|
||||
* @param attributes template attributes to add resources to
|
||||
* @return message bundle for other use
|
||||
*/
|
||||
protected Properties handleThemeResources(Theme theme, Locale locale, Map<String, Object> attributes) {
|
||||
Properties messagesBundle;
|
||||
try {
|
||||
messagesBundle = theme.getMessages(locale);
|
||||
attributes.put("msg", new MessageFormatterMethod(locale, messagesBundle));
|
||||
} catch (IOException e) {
|
||||
logger.warn("Failed to load messages", e);
|
||||
messagesBundle = new Properties();
|
||||
}
|
||||
try {
|
||||
attributes.put("properties", theme.getProperties());
|
||||
} catch (IOException e) {
|
||||
logger.warn("Failed to load properties", e);
|
||||
}
|
||||
return messagesBundle;
|
||||
}
|
||||
|
||||
/**
|
||||
* Handle messages to be shown on the page - set them to template attributes
|
||||
*
|
||||
* @param locale to be used for message text loading
|
||||
* @param messagesBundle to be used for message text loading
|
||||
* @param attributes template attributes to messages related info to
|
||||
* @see #messageType
|
||||
* @see #messages
|
||||
*/
|
||||
protected void handleMessages(Locale locale, Properties messagesBundle, Map<String, Object> attributes) {
|
||||
MessagesPerFieldBean messagesPerField = new MessagesPerFieldBean();
|
||||
if (messages != null) {
|
||||
MessageBean wholeMessage = new MessageBean(null, messageType);
|
||||
for (FormMessage message : this.messages) {
|
||||
String formattedMessageText = formatMessage(message, messagesBundle, locale);
|
||||
if (formattedMessageText != null) {
|
||||
wholeMessage.appendSummaryLine(formattedMessageText);
|
||||
messagesPerField.addMessage(message.getField(), formattedMessageText, messageType);
|
||||
}
|
||||
}
|
||||
attributes.put("message", wholeMessage);
|
||||
}
|
||||
attributes.put("messagesPerField", messagesPerField);
|
||||
}
|
||||
|
||||
/**
|
||||
* Process FreeMarker template and prepare Response. Some fields are used for rendering also.
|
||||
*
|
||||
* @param theme to be used (provided by <code>getTheme()</code>)
|
||||
* @param page to be rendered
|
||||
* @param attributes pushed to the template
|
||||
* @param locale to be used
|
||||
* @return Response object to be returned to the browser, never null
|
||||
*/
|
||||
protected Response processTemplate(Theme theme, AccountPages page, Map<String, Object> attributes, Locale locale) {
|
||||
try {
|
||||
String result = freeMarker.processTemplate(attributes, Templates.getTemplate(page), theme);
|
||||
Response.ResponseBuilder builder = Response.status(status).type(MediaType.TEXT_HTML_UTF_8_TYPE).language(locale).entity(result);
|
||||
|
|
|
@ -39,6 +39,7 @@ import org.keycloak.models.*;
|
|||
import org.keycloak.models.utils.FormMessage;
|
||||
import org.keycloak.services.Urls;
|
||||
import org.keycloak.services.messages.Messages;
|
||||
import org.keycloak.sessions.AuthenticationSessionModel;
|
||||
import org.keycloak.theme.BrowserSecurityHeaderSetup;
|
||||
import org.keycloak.theme.FreeMarkerException;
|
||||
import org.keycloak.theme.FreeMarkerUtil;
|
||||
|
@ -68,42 +69,52 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
|
|||
|
||||
private static final Logger logger = Logger.getLogger(FreeMarkerLoginFormsProvider.class);
|
||||
|
||||
private String accessCode;
|
||||
private Response.Status status;
|
||||
private List<RoleModel> realmRolesRequested;
|
||||
private MultivaluedMap<String, RoleModel> resourceRolesRequested;
|
||||
private List<ProtocolMapperModel> protocolMappersRequested;
|
||||
private Map<String, String> httpResponseHeaders = new HashMap<String, String>();
|
||||
private String accessRequestMessage;
|
||||
private URI actionUri;
|
||||
private String execution;
|
||||
protected String accessCode;
|
||||
protected Response.Status status;
|
||||
protected List<RoleModel> realmRolesRequested;
|
||||
protected MultivaluedMap<String, RoleModel> resourceRolesRequested;
|
||||
protected List<ProtocolMapperModel> protocolMappersRequested;
|
||||
protected Map<String, String> httpResponseHeaders = new HashMap<String, String>();
|
||||
protected String accessRequestMessage;
|
||||
protected URI actionUri;
|
||||
protected String execution;
|
||||
|
||||
private List<FormMessage> messages = null;
|
||||
private MessageType messageType = MessageType.ERROR;
|
||||
protected List<FormMessage> messages = null;
|
||||
protected MessageType messageType = MessageType.ERROR;
|
||||
|
||||
private MultivaluedMap<String, String> formData;
|
||||
protected MultivaluedMap<String, String> formData;
|
||||
|
||||
private KeycloakSession session;
|
||||
private FreeMarkerUtil freeMarker;
|
||||
protected KeycloakSession session;
|
||||
/** authenticationSession can be null for some renderings, mainly error pages */
|
||||
protected AuthenticationSessionModel authenticationSession;
|
||||
protected RealmModel realm;
|
||||
protected ClientModel client;
|
||||
protected UriInfo uriInfo;
|
||||
|
||||
private UserModel user;
|
||||
protected FreeMarkerUtil freeMarker;
|
||||
|
||||
private final Map<String, Object> attributes = new HashMap<String, Object>();
|
||||
protected UserModel user;
|
||||
|
||||
protected final Map<String, Object> attributes = new HashMap<String, Object>();
|
||||
|
||||
public FreeMarkerLoginFormsProvider(KeycloakSession session, FreeMarkerUtil freeMarker) {
|
||||
this.session = session;
|
||||
this.freeMarker = freeMarker;
|
||||
this.attributes.put("scripts", new LinkedList<String>());
|
||||
this.realm = session.getContext().getRealm();
|
||||
this.client = session.getContext().getClient();
|
||||
this.uriInfo = session.getContext().getUri();
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
@Override
|
||||
public void addScript(String scriptUrl) {
|
||||
List<String> scripts = (List<String>) this.attributes.get("scripts");
|
||||
scripts.add(scriptUrl);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Response createResponse(UserModel.RequiredAction action) {
|
||||
RealmModel realm = session.getContext().getRealm();
|
||||
|
||||
String actionMessage;
|
||||
LoginFormsPages page;
|
||||
|
@ -139,110 +150,29 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
|
|||
return createResponse(page);
|
||||
}
|
||||
|
||||
private Response createResponse(LoginFormsPages page) {
|
||||
RealmModel realm = session.getContext().getRealm();
|
||||
ClientModel client = session.getContext().getClient();
|
||||
UriInfo uriInfo = session.getContext().getUri();
|
||||
@SuppressWarnings("incomplete-switch")
|
||||
protected Response createResponse(LoginFormsPages page) {
|
||||
|
||||
String requestURI = uriInfo.getBaseUri().getPath();
|
||||
UriBuilder uriBuilder = UriBuilder.fromUri(requestURI);
|
||||
if (page == LoginFormsPages.OAUTH_GRANT) {
|
||||
// for some reason Resteasy 2.3.7 doesn't like query params and form params with the same name and will null out the code form param
|
||||
uriBuilder.replaceQuery(null);
|
||||
if (status == null) {
|
||||
status = Response.Status.OK;
|
||||
}
|
||||
|
||||
if (client != null) {
|
||||
uriBuilder.queryParam(Constants.CLIENT_ID, client.getClientId());
|
||||
}
|
||||
|
||||
URI baseUri = uriBuilder.build();
|
||||
|
||||
if (accessCode != null) {
|
||||
uriBuilder.queryParam(OAuth2Constants.CODE, accessCode);
|
||||
}
|
||||
|
||||
URI baseUriWithCodeAndClientId = uriBuilder.build();
|
||||
|
||||
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
|
||||
Theme theme;
|
||||
try {
|
||||
theme = themeProvider.getTheme(realm.getLoginTheme(), Theme.Type.LOGIN);
|
||||
theme = getTheme();
|
||||
} catch (IOException e) {
|
||||
logger.error("Failed to create theme", e);
|
||||
return Response.serverError().build();
|
||||
}
|
||||
|
||||
try {
|
||||
attributes.put("properties", theme.getProperties());
|
||||
} catch (IOException e) {
|
||||
logger.warn("Failed to load properties", e);
|
||||
}
|
||||
|
||||
Properties messagesBundle;
|
||||
Locale locale = session.getContext().resolveLocale(user);
|
||||
try {
|
||||
messagesBundle = theme.getMessages(locale);
|
||||
attributes.put("msg", new MessageFormatterMethod(locale, messagesBundle));
|
||||
} catch (IOException e) {
|
||||
logger.warn("Failed to load messages", e);
|
||||
messagesBundle = new Properties();
|
||||
}
|
||||
Properties messagesBundle = handleThemeResources(theme, locale);
|
||||
|
||||
MessagesPerFieldBean messagesPerField = new MessagesPerFieldBean();
|
||||
if (messages != null) {
|
||||
MessageBean wholeMessage = new MessageBean(null, messageType);
|
||||
for (FormMessage message : this.messages) {
|
||||
String formattedMessageText = formatMessage(message, messagesBundle, locale);
|
||||
if (formattedMessageText != null) {
|
||||
wholeMessage.appendSummaryLine(formattedMessageText);
|
||||
messagesPerField.addMessage(message.getField(), formattedMessageText, messageType);
|
||||
}
|
||||
}
|
||||
attributes.put("message", wholeMessage);
|
||||
} else {
|
||||
attributes.put("message", null);
|
||||
}
|
||||
attributes.put("messagesPerField", messagesPerField);
|
||||
handleMessages(locale, messagesBundle);
|
||||
|
||||
attributes.put("requiredActionUrl", new RequiredActionUrlFormatterMethod(realm, baseUri));
|
||||
if (realm != null && user != null && session != null) {
|
||||
attributes.put("authenticatorConfigured", new AuthenticatorConfiguredMethod(realm, user, session));
|
||||
}
|
||||
|
||||
if (realm != null) {
|
||||
attributes.put("realm", new RealmBean(realm));
|
||||
|
||||
List<IdentityProviderModel> identityProviders = realm.getIdentityProviders();
|
||||
identityProviders = LoginFormsUtil.filterIdentityProviders(identityProviders, session, realm, attributes, formData);
|
||||
attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUriWithCodeAndClientId));
|
||||
|
||||
attributes.put("url", new UrlBean(realm, theme, baseUri, this.actionUri));
|
||||
|
||||
if (realm.isInternationalizationEnabled()) {
|
||||
UriBuilder b;
|
||||
switch (page) {
|
||||
case LOGIN:
|
||||
b = UriBuilder.fromUri(Urls.realmLoginPage(baseUri, realm.getName()));
|
||||
break;
|
||||
case REGISTER:
|
||||
b = UriBuilder.fromUri(Urls.realmRegisterPage(baseUri, realm.getName()));
|
||||
break;
|
||||
default:
|
||||
b = UriBuilder.fromUri(baseUri).path(uriInfo.getPath());
|
||||
break;
|
||||
}
|
||||
|
||||
if (execution != null) {
|
||||
b.queryParam(Constants.EXECUTION, execution);
|
||||
}
|
||||
|
||||
attributes.put("locale", new LocaleBean(realm, locale, b, messagesBundle));
|
||||
}
|
||||
}
|
||||
|
||||
if (client != null) {
|
||||
attributes.put("client", new ClientBean(client, baseUri));
|
||||
}
|
||||
// for some reason Resteasy 2.3.7 doesn't like query params and form params with the same name and will null out the code form param
|
||||
UriBuilder uriBuilder = prepareBaseUriBuilder(page == LoginFormsPages.OAUTH_GRANT);
|
||||
createCommonAttributes(theme, locale, messagesBundle, uriBuilder, page);
|
||||
|
||||
attributes.put("login", new LoginBean(formData));
|
||||
|
||||
|
@ -267,7 +197,8 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
|
|||
attributes.put("register", new RegisterBean(formData));
|
||||
break;
|
||||
case OAUTH_GRANT:
|
||||
attributes.put("oauth", new OAuthGrantBean(accessCode, client, realmRolesRequested, resourceRolesRequested, protocolMappersRequested, this.accessRequestMessage));
|
||||
attributes.put("oauth",
|
||||
new OAuthGrantBean(accessCode, client, realmRolesRequested, resourceRolesRequested, protocolMappersRequested, this.accessRequestMessage));
|
||||
attributes.put("advancedMsg", new AdvancedMessageFormatterMethod(locale, messagesBundle));
|
||||
break;
|
||||
case CODE:
|
||||
|
@ -279,62 +210,74 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
|
|||
status = Response.Status.OK;
|
||||
}
|
||||
|
||||
try {
|
||||
String result = freeMarker.processTemplate(attributes, Templates.getTemplate(page), theme);
|
||||
Response.ResponseBuilder builder = Response.status(status).type(MediaType.TEXT_HTML_UTF_8).entity(result);
|
||||
BrowserSecurityHeaderSetup.headers(builder, realm);
|
||||
for (Map.Entry<String, String> entry : httpResponseHeaders.entrySet()) {
|
||||
builder.header(entry.getKey(), entry.getValue());
|
||||
}
|
||||
return builder.build();
|
||||
} catch (FreeMarkerException e) {
|
||||
logger.error("Failed to process template", e);
|
||||
return Response.serverError().build();
|
||||
}
|
||||
return processTemplate(theme, Templates.getTemplate(page), locale);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Response createForm(String form) {
|
||||
|
||||
RealmModel realm = session.getContext().getRealm();
|
||||
ClientModel client = session.getContext().getClient();
|
||||
UriInfo uriInfo = session.getContext().getUri();
|
||||
|
||||
String requestURI = uriInfo.getBaseUri().getPath();
|
||||
UriBuilder uriBuilder = UriBuilder.fromUri(requestURI);
|
||||
|
||||
if (client != null) {
|
||||
uriBuilder.queryParam(Constants.CLIENT_ID, client.getClientId());
|
||||
if (status == null) {
|
||||
status = Response.Status.OK;
|
||||
}
|
||||
|
||||
URI baseUri = uriBuilder.build();
|
||||
|
||||
if (accessCode != null) {
|
||||
uriBuilder.queryParam(OAuth2Constants.CODE, accessCode);
|
||||
}
|
||||
|
||||
URI baseUriWithCode = uriBuilder.build();
|
||||
|
||||
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
|
||||
Theme theme;
|
||||
try {
|
||||
theme = themeProvider.getTheme(realm.getLoginTheme(), Theme.Type.LOGIN);
|
||||
theme = getTheme();
|
||||
} catch (IOException e) {
|
||||
logger.error("Failed to create theme", e);
|
||||
return Response.serverError().build();
|
||||
}
|
||||
|
||||
try {
|
||||
attributes.put("properties", theme.getProperties());
|
||||
} catch (IOException e) {
|
||||
logger.warn("Failed to load properties", e);
|
||||
}
|
||||
if (client != null) {
|
||||
attributes.put("client", new ClientBean(client, baseUri));
|
||||
Locale locale = session.getContext().resolveLocale(user);
|
||||
Properties messagesBundle = handleThemeResources(theme, locale);
|
||||
|
||||
handleMessages(locale, messagesBundle);
|
||||
|
||||
UriBuilder uriBuilder = prepareBaseUriBuilder(false);
|
||||
createCommonAttributes(theme, locale, messagesBundle, uriBuilder, null);
|
||||
|
||||
return processTemplate(theme, form, locale);
|
||||
}
|
||||
|
||||
/**
|
||||
* Prepare base uri builder for later use
|
||||
*
|
||||
* @param resetRequestUriParams - for some reason Resteasy 2.3.7 doesn't like query params and form params with the same name and will null out the code form param, so we have to reset them for some pages
|
||||
* @return base uri builder
|
||||
*/
|
||||
protected UriBuilder prepareBaseUriBuilder(boolean resetRequestUriParams) {
|
||||
String requestURI = uriInfo.getBaseUri().getPath();
|
||||
UriBuilder uriBuilder = UriBuilder.fromUri(requestURI);
|
||||
if (resetRequestUriParams) {
|
||||
uriBuilder.replaceQuery(null);
|
||||
}
|
||||
|
||||
if (client != null) {
|
||||
uriBuilder.queryParam(Constants.CLIENT_ID, client.getClientId());
|
||||
}
|
||||
return uriBuilder;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get Theme used for page rendering.
|
||||
*
|
||||
* @return theme for page rendering, never null
|
||||
* @throws IOException in case of Theme loading problem
|
||||
*/
|
||||
protected Theme getTheme() throws IOException {
|
||||
ThemeProvider themeProvider = session.getProvider(ThemeProvider.class, "extending");
|
||||
return themeProvider.getTheme(realm.getLoginTheme(), Theme.Type.LOGIN);
|
||||
}
|
||||
|
||||
/**
|
||||
* Load message bundle and place it into <code>msg</code> template attribute. Also load Theme properties and place them into <code>properties</code> template attribute.
|
||||
*
|
||||
* @param theme actual Theme to load bundle from
|
||||
* @param locale to load bundle for
|
||||
* @return message bundle for other use
|
||||
*/
|
||||
protected Properties handleThemeResources(Theme theme, Locale locale) {
|
||||
Properties messagesBundle;
|
||||
Locale locale = session.getContext().resolveLocale(user);
|
||||
try {
|
||||
messagesBundle = theme.getMessages(locale);
|
||||
attributes.put("msg", new MessageFormatterMethod(locale, messagesBundle));
|
||||
|
@ -343,6 +286,24 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
|
|||
messagesBundle = new Properties();
|
||||
}
|
||||
|
||||
try {
|
||||
attributes.put("properties", theme.getProperties());
|
||||
} catch (IOException e) {
|
||||
logger.warn("Failed to load properties", e);
|
||||
}
|
||||
|
||||
return messagesBundle;
|
||||
}
|
||||
|
||||
/**
|
||||
* Handle messages to be shown on the page - set them to template attributes
|
||||
*
|
||||
* @param locale to be used for message text loading
|
||||
* @param messagesBundle to be used for message text loading
|
||||
* @see #messageType
|
||||
* @see #messages
|
||||
*/
|
||||
protected void handleMessages(Locale locale, Properties messagesBundle) {
|
||||
MessagesPerFieldBean messagesPerField = new MessagesPerFieldBean();
|
||||
if (messages != null) {
|
||||
MessageBean wholeMessage = new MessageBean(null, messageType);
|
||||
|
@ -354,11 +315,31 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
|
|||
}
|
||||
}
|
||||
attributes.put("message", wholeMessage);
|
||||
} else {
|
||||
attributes.put("message", null);
|
||||
}
|
||||
attributes.put("messagesPerField", messagesPerField);
|
||||
}
|
||||
|
||||
if (status == null) {
|
||||
status = Response.Status.OK;
|
||||
/**
|
||||
* Create common attributes used in all templates.
|
||||
*
|
||||
* @param theme actual Theme used (provided by <code>getTheme()</code>)
|
||||
* @param locale actual locale
|
||||
* @param messagesBundle actual message bundle (provided by <code>handleThemeResources()</code>)
|
||||
* @param baseUriBuilder actual base uri builder (provided by <code>prepareBaseUriBuilder()</code>)
|
||||
* @param page in case if common page is rendered, is null if called from <code>createForm()</code>
|
||||
*
|
||||
*/
|
||||
protected void createCommonAttributes(Theme theme, Locale locale, Properties messagesBundle, UriBuilder baseUriBuilder, LoginFormsPages page) {
|
||||
URI baseUri = baseUriBuilder.build();
|
||||
if (accessCode != null) {
|
||||
baseUriBuilder.queryParam(OAuth2Constants.CODE, accessCode);
|
||||
}
|
||||
URI baseUriWithCodeAndClientId = baseUriBuilder.build();
|
||||
|
||||
if (client != null) {
|
||||
attributes.put("client", new ClientBean(client, baseUri));
|
||||
}
|
||||
|
||||
if (realm != null) {
|
||||
|
@ -366,14 +347,29 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
|
|||
|
||||
List<IdentityProviderModel> identityProviders = realm.getIdentityProviders();
|
||||
identityProviders = LoginFormsUtil.filterIdentityProviders(identityProviders, session, realm, attributes, formData);
|
||||
attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUriWithCode));
|
||||
attributes.put("social", new IdentityProviderBean(realm, session, identityProviders, baseUriWithCodeAndClientId));
|
||||
|
||||
attributes.put("url", new UrlBean(realm, theme, baseUri, this.actionUri));
|
||||
attributes.put("requiredActionUrl", new RequiredActionUrlFormatterMethod(realm, baseUri));
|
||||
|
||||
if (realm.isInternationalizationEnabled()) {
|
||||
UriBuilder b = UriBuilder.fromUri(baseUri)
|
||||
UriBuilder b;
|
||||
if (page != null) {
|
||||
switch (page) {
|
||||
case LOGIN:
|
||||
b = UriBuilder.fromUri(Urls.realmLoginPage(baseUri, realm.getName()));
|
||||
break;
|
||||
case REGISTER:
|
||||
b = UriBuilder.fromUri(Urls.realmRegisterPage(baseUri, realm.getName()));
|
||||
break;
|
||||
default:
|
||||
b = UriBuilder.fromUri(baseUri).path(uriInfo.getPath());
|
||||
break;
|
||||
}
|
||||
} else {
|
||||
b = UriBuilder.fromUri(baseUri)
|
||||
.path(uriInfo.getPath());
|
||||
}
|
||||
|
||||
if (execution != null) {
|
||||
b.queryParam(Constants.EXECUTION, execution);
|
||||
|
@ -385,8 +381,19 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
|
|||
if (realm != null && user != null && session != null) {
|
||||
attributes.put("authenticatorConfigured", new AuthenticatorConfiguredMethod(realm, user, session));
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Process FreeMarker template and prepare Response. Some fields are used for rendering also.
|
||||
*
|
||||
* @param theme to be used (provided by <code>getTheme()</code>)
|
||||
* @param templateName name of the template to be rendered
|
||||
* @param locale to be used
|
||||
* @return Response object to be returned to the browser, never null
|
||||
*/
|
||||
protected Response processTemplate(Theme theme, String templateName, Locale locale) {
|
||||
try {
|
||||
String result = freeMarker.processTemplate(attributes, form, theme);
|
||||
String result = freeMarker.processTemplate(attributes, templateName, theme);
|
||||
Response.ResponseBuilder builder = Response.status(status).type(MediaType.TEXT_HTML_UTF_8_TYPE).language(locale).entity(result);
|
||||
BrowserSecurityHeaderSetup.headers(builder, realm);
|
||||
for (Map.Entry<String, String> entry : httpResponseHeaders.entrySet()) {
|
||||
|
@ -434,7 +441,6 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
|
|||
return createResponse(LoginFormsPages.LOGIN_UPDATE_PROFILE);
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public Response createIdpLinkConfirmLinkPage() {
|
||||
return createResponse(LoginFormsPages.LOGIN_IDP_LINK_CONFIRM);
|
||||
|
@ -504,7 +510,8 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
|
|||
|
||||
@Override
|
||||
public LoginFormsProvider setErrors(List<FormMessage> messages) {
|
||||
if (messages == null) return this;
|
||||
if (messages == null)
|
||||
return this;
|
||||
this.messageType = MessageType.ERROR;
|
||||
this.messages = new ArrayList<>(messages);
|
||||
return this;
|
||||
|
@ -552,6 +559,12 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
|
|||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public LoginFormsProvider setAuthenticationSession(AuthenticationSessionModel authenticationSession) {
|
||||
this.authenticationSession = authenticationSession;
|
||||
return this;
|
||||
}
|
||||
|
||||
@Override
|
||||
public FreeMarkerLoginFormsProvider setUser(UserModel user) {
|
||||
this.user = user;
|
||||
|
@ -571,7 +584,8 @@ public class FreeMarkerLoginFormsProvider implements LoginFormsProvider {
|
|||
}
|
||||
|
||||
@Override
|
||||
public LoginFormsProvider setAccessRequest(List<RoleModel> realmRolesRequested, MultivaluedMap<String, RoleModel> resourceRolesRequested, List<ProtocolMapperModel> protocolMappersRequested) {
|
||||
public LoginFormsProvider setAccessRequest(List<RoleModel> realmRolesRequested, MultivaluedMap<String, RoleModel> resourceRolesRequested,
|
||||
List<ProtocolMapperModel> protocolMappersRequested) {
|
||||
this.realmRolesRequested = realmRolesRequested;
|
||||
this.resourceRolesRequested = resourceRolesRequested;
|
||||
this.protocolMappersRequested = protocolMappersRequested;
|
||||
|
|
|
@ -64,6 +64,10 @@ public class RestartLoginCookie {
|
|||
@JsonProperty("notes")
|
||||
protected Map<String, String> notes = new HashMap<>();
|
||||
|
||||
@Deprecated // Backwards compatibility
|
||||
@JsonProperty("cs")
|
||||
protected String cs;
|
||||
|
||||
public Map<String, String> getNotes() {
|
||||
return notes;
|
||||
}
|
||||
|
|
|
@ -153,7 +153,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
|
|||
action = Action.REGISTER;
|
||||
|
||||
if (!realm.isRegistrationAllowed()) {
|
||||
throw new ErrorPageException(session, Messages.REGISTRATION_NOT_ALLOWED);
|
||||
throw new ErrorPageException(session, authenticationSession, Messages.REGISTRATION_NOT_ALLOWED);
|
||||
}
|
||||
|
||||
return this;
|
||||
|
@ -164,7 +164,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
|
|||
action = Action.FORGOT_CREDENTIALS;
|
||||
|
||||
if (!realm.isResetPasswordAllowed()) {
|
||||
throw new ErrorPageException(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
|
||||
throw new ErrorPageException(session, authenticationSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
|
||||
}
|
||||
|
||||
return this;
|
||||
|
@ -173,7 +173,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
|
|||
private void checkClient(String clientId) {
|
||||
if (clientId == null) {
|
||||
event.error(Errors.INVALID_REQUEST);
|
||||
throw new ErrorPageException(session, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM);
|
||||
throw new ErrorPageException(session, authenticationSession, Messages.MISSING_PARAMETER, OIDCLoginProtocol.CLIENT_ID_PARAM);
|
||||
}
|
||||
|
||||
event.client(clientId);
|
||||
|
@ -181,17 +181,17 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
|
|||
client = realm.getClientByClientId(clientId);
|
||||
if (client == null) {
|
||||
event.error(Errors.CLIENT_NOT_FOUND);
|
||||
throw new ErrorPageException(session, Messages.CLIENT_NOT_FOUND);
|
||||
throw new ErrorPageException(session, authenticationSession, Messages.CLIENT_NOT_FOUND);
|
||||
}
|
||||
|
||||
if (!client.isEnabled()) {
|
||||
event.error(Errors.CLIENT_DISABLED);
|
||||
throw new ErrorPageException(session, Messages.CLIENT_DISABLED);
|
||||
throw new ErrorPageException(session, authenticationSession, Messages.CLIENT_DISABLED);
|
||||
}
|
||||
|
||||
if (client.isBearerOnly()) {
|
||||
event.error(Errors.NOT_ALLOWED);
|
||||
throw new ErrorPageException(session, Messages.BEARER_ONLY);
|
||||
throw new ErrorPageException(session, authenticationSession, Messages.BEARER_ONLY);
|
||||
}
|
||||
|
||||
session.getContext().setClient(client);
|
||||
|
@ -354,7 +354,7 @@ public class AuthorizationEndpoint extends AuthorizationEndpointBase {
|
|||
redirectUri = RedirectUtils.verifyRedirectUri(uriInfo, redirectUriParam, realm, client, isOIDCRequest);
|
||||
if (redirectUri == null) {
|
||||
event.error(Errors.INVALID_REDIRECT_URI);
|
||||
throw new ErrorPageException(session, Messages.INVALID_PARAMETER, OIDCLoginProtocol.REDIRECT_URI_PARAM);
|
||||
throw new ErrorPageException(session, authenticationSession, Messages.INVALID_PARAMETER, OIDCLoginProtocol.REDIRECT_URI_PARAM);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -107,7 +107,7 @@ public class LogoutEndpoint {
|
|||
event.event(EventType.LOGOUT);
|
||||
event.detail(Details.REDIRECT_URI, redirect);
|
||||
event.error(Errors.INVALID_REDIRECT_URI);
|
||||
return ErrorPage.error(session, Messages.INVALID_REDIRECT_URI);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REDIRECT_URI);
|
||||
}
|
||||
redirect = validatedUri;
|
||||
}
|
||||
|
@ -120,7 +120,7 @@ public class LogoutEndpoint {
|
|||
} catch (OAuthErrorException e) {
|
||||
event.event(EventType.LOGOUT);
|
||||
event.error(Errors.INVALID_TOKEN);
|
||||
return ErrorPage.error(session, Messages.SESSION_NOT_ACTIVE);
|
||||
return ErrorPage.error(session, null, Messages.SESSION_NOT_ACTIVE);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -173,7 +173,7 @@ public class SamlProtocol implements LoginProtocol {
|
|||
URI redirect = builder.buildFromMap(params);
|
||||
return Response.status(302).location(redirect).build();
|
||||
} else {
|
||||
return ErrorPage.error(session, translateErrorToIdpInitiatedErrorMessage(error));
|
||||
return ErrorPage.error(session, authSession, translateErrorToIdpInitiatedErrorMessage(error));
|
||||
}
|
||||
} else {
|
||||
SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder().destination(authSession.getRedirectUri()).issuer(getResponseIssuer(realm)).status(translateErrorToSAMLStatus(error).get());
|
||||
|
@ -196,7 +196,7 @@ public class SamlProtocol implements LoginProtocol {
|
|||
Document document = builder.buildDocument();
|
||||
return buildErrorResponse(authSession, binding, document);
|
||||
} catch (Exception e) {
|
||||
return ErrorPage.error(session, Messages.FAILED_TO_PROCESS_RESPONSE);
|
||||
return ErrorPage.error(session, authSession, Messages.FAILED_TO_PROCESS_RESPONSE);
|
||||
}
|
||||
}
|
||||
} finally {
|
||||
|
@ -427,7 +427,7 @@ public class SamlProtocol implements LoginProtocol {
|
|||
samlDocument = builder.buildDocument(samlModel);
|
||||
} catch (Exception e) {
|
||||
logger.error("failed", e);
|
||||
return ErrorPage.error(session, Messages.FAILED_TO_PROCESS_RESPONSE);
|
||||
return ErrorPage.error(session, null, Messages.FAILED_TO_PROCESS_RESPONSE);
|
||||
}
|
||||
|
||||
JaxrsSAML2BindingBuilder bindingBuilder = new JaxrsSAML2BindingBuilder();
|
||||
|
@ -453,7 +453,7 @@ public class SamlProtocol implements LoginProtocol {
|
|||
publicKey = SamlProtocolUtils.getEncryptionKey(client);
|
||||
} catch (Exception e) {
|
||||
logger.error("failed", e);
|
||||
return ErrorPage.error(session, Messages.FAILED_TO_PROCESS_RESPONSE);
|
||||
return ErrorPage.error(session, null, Messages.FAILED_TO_PROCESS_RESPONSE);
|
||||
}
|
||||
bindingBuilder.encrypt(publicKey);
|
||||
}
|
||||
|
@ -461,7 +461,7 @@ public class SamlProtocol implements LoginProtocol {
|
|||
return buildAuthenticatedResponse(clientSession, redirectUri, samlDocument, bindingBuilder);
|
||||
} catch (Exception e) {
|
||||
logger.error("failed", e);
|
||||
return ErrorPage.error(session, Messages.FAILED_TO_PROCESS_RESPONSE);
|
||||
return ErrorPage.error(session, null, Messages.FAILED_TO_PROCESS_RESPONSE);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -568,7 +568,7 @@ public class SamlProtocol implements LoginProtocol {
|
|||
String logoutBindingUri = userSession.getNote(SAML_LOGOUT_BINDING_URI);
|
||||
if (logoutBindingUri == null) {
|
||||
logger.error("Can't finish SAML logout as there is no logout binding set. Please configure the logout service url in the admin console for your client applications.");
|
||||
return ErrorPage.error(session, Messages.FAILED_LOGOUT);
|
||||
return ErrorPage.error(session, null, Messages.FAILED_LOGOUT);
|
||||
|
||||
}
|
||||
String logoutRelayState = userSession.getNote(SAML_LOGOUT_RELAY_STATE);
|
||||
|
|
|
@ -118,18 +118,18 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
if (!checkSsl()) {
|
||||
event.event(EventType.LOGIN);
|
||||
event.error(Errors.SSL_REQUIRED);
|
||||
return ErrorPage.error(session, Messages.HTTPS_REQUIRED);
|
||||
return ErrorPage.error(session, null, Messages.HTTPS_REQUIRED);
|
||||
}
|
||||
if (!realm.isEnabled()) {
|
||||
event.event(EventType.LOGIN_ERROR);
|
||||
event.error(Errors.REALM_DISABLED);
|
||||
return ErrorPage.error(session, Messages.REALM_NOT_ENABLED);
|
||||
return ErrorPage.error(session, null, Messages.REALM_NOT_ENABLED);
|
||||
}
|
||||
|
||||
if (samlRequest == null && samlResponse == null) {
|
||||
event.event(EventType.LOGIN);
|
||||
event.error(Errors.INVALID_TOKEN);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
|
||||
}
|
||||
return null;
|
||||
|
@ -142,7 +142,7 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
if (! (holder.getSamlObject() instanceof StatusResponseType)) {
|
||||
event.detail(Details.REASON, "invalid_saml_response");
|
||||
event.error(Errors.INVALID_SAML_RESPONSE);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
}
|
||||
|
||||
StatusResponseType statusResponse = (StatusResponseType) holder.getSamlObject();
|
||||
|
@ -150,7 +150,7 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
if (statusResponse.getDestination() != null && !uriInfo.getAbsolutePath().toString().equals(statusResponse.getDestination())) {
|
||||
event.detail(Details.REASON, "invalid_destination");
|
||||
event.error(Errors.INVALID_SAML_LOGOUT_RESPONSE);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
}
|
||||
|
||||
AuthenticationManager.AuthResult authResult = authManager.authenticateIdentityCookie(session, realm, false);
|
||||
|
@ -158,7 +158,7 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
logger.warn("Unknown saml response.");
|
||||
event.event(EventType.LOGOUT);
|
||||
event.error(Errors.INVALID_TOKEN);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
}
|
||||
// assume this is a logout response
|
||||
UserSessionModel userSession = authResult.getSession();
|
||||
|
@ -167,7 +167,7 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
logger.warn("UserSession is not tagged as logging out.");
|
||||
event.event(EventType.LOGOUT);
|
||||
event.error(Errors.INVALID_SAML_LOGOUT_RESPONSE);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
}
|
||||
logger.debug("logout response");
|
||||
Response response = authManager.browserLogout(session, realm, userSession, uriInfo, clientConnection, headers);
|
||||
|
@ -180,7 +180,7 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
if (documentHolder == null) {
|
||||
event.event(EventType.LOGIN);
|
||||
event.error(Errors.INVALID_TOKEN);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
}
|
||||
|
||||
SAML2Object samlObject = documentHolder.getSamlObject();
|
||||
|
@ -188,7 +188,7 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
if (! (samlObject instanceof RequestAbstractType)) {
|
||||
event.event(EventType.LOGIN);
|
||||
event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
}
|
||||
|
||||
RequestAbstractType requestAbstractType = (RequestAbstractType) samlObject;
|
||||
|
@ -199,23 +199,23 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
event.event(EventType.LOGIN);
|
||||
event.client(issuer);
|
||||
event.error(Errors.CLIENT_NOT_FOUND);
|
||||
return ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER);
|
||||
return ErrorPage.error(session, null, Messages.UNKNOWN_LOGIN_REQUESTER);
|
||||
}
|
||||
|
||||
if (!client.isEnabled()) {
|
||||
event.event(EventType.LOGIN);
|
||||
event.error(Errors.CLIENT_DISABLED);
|
||||
return ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED);
|
||||
return ErrorPage.error(session, null, Messages.LOGIN_REQUESTER_NOT_ENABLED);
|
||||
}
|
||||
if (client.isBearerOnly()) {
|
||||
event.event(EventType.LOGIN);
|
||||
event.error(Errors.NOT_ALLOWED);
|
||||
return ErrorPage.error(session, Messages.BEARER_ONLY);
|
||||
return ErrorPage.error(session, null, Messages.BEARER_ONLY);
|
||||
}
|
||||
if (!client.isStandardFlowEnabled()) {
|
||||
event.event(EventType.LOGIN);
|
||||
event.error(Errors.NOT_ALLOWED);
|
||||
return ErrorPage.error(session, Messages.STANDARD_FLOW_DISABLED);
|
||||
return ErrorPage.error(session, null, Messages.STANDARD_FLOW_DISABLED);
|
||||
}
|
||||
|
||||
session.getContext().setClient(client);
|
||||
|
@ -226,7 +226,7 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
SamlService.logger.error("request validation failed", e);
|
||||
event.event(EventType.LOGIN);
|
||||
event.error(Errors.INVALID_SIGNATURE);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUESTER);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUESTER);
|
||||
}
|
||||
logger.debug("verified request");
|
||||
if (samlObject instanceof AuthnRequestType) {
|
||||
|
@ -244,7 +244,7 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
} else {
|
||||
event.event(EventType.LOGIN);
|
||||
event.error(Errors.INVALID_TOKEN);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -260,12 +260,12 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
if (requestAbstractType.getDestination() == null && samlClient.requiresClientSignature()) {
|
||||
event.detail(Details.REASON, "invalid_destination");
|
||||
event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
}
|
||||
if (! isValidDestination(requestAbstractType.getDestination())) {
|
||||
event.detail(Details.REASON, "invalid_destination");
|
||||
event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
}
|
||||
String bindingType = getBindingType(requestAbstractType);
|
||||
if (samlClient.forcePostBinding())
|
||||
|
@ -288,7 +288,7 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
|
||||
if (redirect == null) {
|
||||
event.error(Errors.INVALID_REDIRECT_URI);
|
||||
return ErrorPage.error(session, Messages.INVALID_REDIRECT_URI);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REDIRECT_URI);
|
||||
}
|
||||
|
||||
AuthorizationEndpointChecks checks = getOrCreateAuthenticationSession(client, relayState);
|
||||
|
@ -316,7 +316,7 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
} else {
|
||||
event.detail(Details.REASON, "unsupported_nameid_format");
|
||||
event.error(Errors.INVALID_SAML_AUTHN_REQUEST);
|
||||
return ErrorPage.error(session, Messages.UNSUPPORTED_NAME_ID_FORMAT);
|
||||
return ErrorPage.error(session, null, Messages.UNSUPPORTED_NAME_ID_FORMAT);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -367,12 +367,12 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
if (logoutRequest.getDestination() == null && samlClient.requiresClientSignature()) {
|
||||
event.detail(Details.REASON, "invalid_destination");
|
||||
event.error(Errors.INVALID_SAML_LOGOUT_REQUEST);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
}
|
||||
if (! isValidDestination(logoutRequest.getDestination())) {
|
||||
event.detail(Details.REASON, "invalid_destination");
|
||||
event.error(Errors.INVALID_SAML_LOGOUT_REQUEST);
|
||||
return ErrorPage.error(session, Messages.INVALID_REQUEST);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REQUEST);
|
||||
}
|
||||
|
||||
// authenticate identity cookie, but ignore an access token timeout as we're logging out anyways.
|
||||
|
@ -620,16 +620,16 @@ public class SamlService extends AuthorizationEndpointBase {
|
|||
}
|
||||
if (client == null) {
|
||||
event.error(Errors.CLIENT_NOT_FOUND);
|
||||
return ErrorPage.error(session, Messages.CLIENT_NOT_FOUND);
|
||||
return ErrorPage.error(session, null, Messages.CLIENT_NOT_FOUND);
|
||||
}
|
||||
if (!client.isEnabled()) {
|
||||
event.error(Errors.CLIENT_DISABLED);
|
||||
return ErrorPage.error(session, Messages.CLIENT_DISABLED);
|
||||
return ErrorPage.error(session, null, Messages.CLIENT_DISABLED);
|
||||
}
|
||||
if (client.getManagementUrl() == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE) == null && client.getAttribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE) == null) {
|
||||
logger.error("SAML assertion consumer url not set up");
|
||||
event.error(Errors.INVALID_REDIRECT_URI);
|
||||
return ErrorPage.error(session, Messages.INVALID_REDIRECT_URI);
|
||||
return ErrorPage.error(session, null, Messages.INVALID_REDIRECT_URI);
|
||||
}
|
||||
|
||||
AuthenticationSessionModel authSession = getOrCreateLoginSessionForIdpInitiatedSso(this.session, this.realm, client, relayState);
|
||||
|
|
|
@ -18,6 +18,7 @@ package org.keycloak.services;
|
|||
|
||||
import org.keycloak.forms.login.LoginFormsProvider;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.sessions.AuthenticationSessionModel;
|
||||
|
||||
import javax.ws.rs.core.Response;
|
||||
|
||||
|
@ -26,8 +27,8 @@ import javax.ws.rs.core.Response;
|
|||
*/
|
||||
public class ErrorPage {
|
||||
|
||||
public static Response error(KeycloakSession session, String message, Object... parameters) {
|
||||
return session.getProvider(LoginFormsProvider.class).setError(message, parameters).createErrorPage();
|
||||
public static Response error(KeycloakSession session, AuthenticationSessionModel authenticationSession, String message, Object... parameters) {
|
||||
return session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authenticationSession).setError(message, parameters).createErrorPage();
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -18,6 +18,7 @@
|
|||
package org.keycloak.services;
|
||||
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.sessions.AuthenticationSessionModel;
|
||||
|
||||
import javax.ws.rs.WebApplicationException;
|
||||
import javax.ws.rs.core.Response;
|
||||
|
@ -30,18 +31,28 @@ public class ErrorPageException extends WebApplicationException {
|
|||
private final KeycloakSession session;
|
||||
private final String errorMessage;
|
||||
private final Object[] parameters;
|
||||
private final AuthenticationSessionModel authSession;
|
||||
|
||||
|
||||
public ErrorPageException(KeycloakSession session, String errorMessage, Object... parameters) {
|
||||
this.session = session;
|
||||
this.errorMessage = errorMessage;
|
||||
this.parameters = parameters;
|
||||
this.authSession = null;
|
||||
}
|
||||
|
||||
public ErrorPageException(KeycloakSession session, AuthenticationSessionModel authSession, String errorMessage, Object... parameters) {
|
||||
this.session = session;
|
||||
this.errorMessage = errorMessage;
|
||||
this.parameters = parameters;
|
||||
this.authSession = authSession;
|
||||
}
|
||||
|
||||
|
||||
|
||||
@Override
|
||||
public Response getResponse() {
|
||||
return ErrorPage.error(session, errorMessage, parameters);
|
||||
return ErrorPage.error(session, authSession, errorMessage, parameters);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -451,4 +451,8 @@ public interface ServicesLogger extends BasicLogger {
|
|||
@Message(id=102, value= "URL '%s' doesn't match any trustedHost or trustedDomain")
|
||||
void urlDoesntMatch(String url);
|
||||
|
||||
@LogMessage(level = DEBUG)
|
||||
@Message(id=103, value="Failed to reset password. User is temporarily disabled")
|
||||
void passwordResetFailed(@Cause Throwable t);
|
||||
|
||||
}
|
||||
|
|
|
@ -710,7 +710,7 @@ public class AuthenticationManager {
|
|||
}
|
||||
|
||||
if (authSession.getAuthNote(END_AFTER_REQUIRED_ACTIONS) != null) {
|
||||
LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class)
|
||||
LoginFormsProvider infoPage = session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSession)
|
||||
.setSuccess(Messages.ACCOUNT_UPDATED);
|
||||
if (authSession.getAuthNote(SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS) != null) {
|
||||
if (authSession.getRedirectUri() != null) {
|
||||
|
@ -848,6 +848,7 @@ public class AuthenticationManager {
|
|||
authSession.setAuthNote(AuthenticationProcessor.CURRENT_AUTHENTICATION_EXECUTION, execution);
|
||||
|
||||
return session.getProvider(LoginFormsProvider.class)
|
||||
.setAuthenticationSession(authSession)
|
||||
.setExecution(execution)
|
||||
.setClientSessionCode(accessCode.getOrGenerateCode())
|
||||
.setAccessRequest(realmRoles, resourceRoles, protocolMappers)
|
||||
|
|
|
@ -317,12 +317,12 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
|
|||
return response;
|
||||
}
|
||||
} catch (IdentityBrokerException e) {
|
||||
return redirectToErrorPage(Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId);
|
||||
return redirectToErrorPage(authSession, Messages.COULD_NOT_SEND_AUTHENTICATION_REQUEST, e, providerId);
|
||||
} catch (Exception e) {
|
||||
return redirectToErrorPage(Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId);
|
||||
return redirectToErrorPage(authSession, Messages.UNEXPECTED_ERROR_HANDLING_REQUEST, e, providerId);
|
||||
}
|
||||
|
||||
return redirectToErrorPage(Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST);
|
||||
return redirectToErrorPage(authSession, Messages.COULD_NOT_PROCEED_WITH_AUTHENTICATION_REQUEST);
|
||||
|
||||
}
|
||||
|
||||
|
@ -545,7 +545,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
|
|||
return Response.status(302).location(redirect).build();
|
||||
|
||||
} else {
|
||||
Response response = validateUser(federatedUser, realmModel);
|
||||
Response response = validateUser(authenticationSession, federatedUser, realmModel);
|
||||
if (response != null) {
|
||||
return response;
|
||||
}
|
||||
|
@ -558,15 +558,15 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
|
|||
}
|
||||
|
||||
|
||||
public Response validateUser(UserModel user, RealmModel realm) {
|
||||
public Response validateUser(AuthenticationSessionModel authSession, UserModel user, RealmModel realm) {
|
||||
if (!user.isEnabled()) {
|
||||
event.error(Errors.USER_DISABLED);
|
||||
return ErrorPage.error(session, Messages.ACCOUNT_DISABLED);
|
||||
return ErrorPage.error(session, authSession, Messages.ACCOUNT_DISABLED);
|
||||
}
|
||||
if (realm.isBruteForceProtected()) {
|
||||
if (session.getProvider(BruteForceProtector.class).isTemporarilyDisabled(session, realm, user)) {
|
||||
event.error(Errors.USER_TEMPORARILY_DISABLED);
|
||||
return ErrorPage.error(session, Messages.ACCOUNT_DISABLED);
|
||||
return ErrorPage.error(session, authSession, Messages.ACCOUNT_DISABLED);
|
||||
}
|
||||
}
|
||||
return null;
|
||||
|
@ -670,7 +670,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
|
|||
return finishOrRedirectToPostBrokerLogin(authSession, context, true, clientSessionCode);
|
||||
|
||||
} catch (Exception e) {
|
||||
return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e);
|
||||
return redirectToErrorPage(authSession,Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -734,7 +734,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
|
|||
|
||||
return afterPostBrokerLoginFlowSuccess(authenticationSession, context, wasFirstBrokerLogin, parsedCode.clientSessionCode);
|
||||
} catch (IdentityBrokerException e) {
|
||||
return redirectToErrorPage(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e);
|
||||
return redirectToErrorPage(authenticationSession, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, e);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -752,7 +752,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
|
|||
|
||||
UserModel linkingUser = AbstractIdpAuthenticator.getExistingUser(session, realmModel, authSession);
|
||||
if (!linkingUser.getId().equals(federatedUser.getId())) {
|
||||
return redirectToErrorPage(Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, federatedUser.getUsername(), linkingUser.getUsername());
|
||||
return redirectToErrorPage(authSession, Messages.IDENTITY_PROVIDER_DIFFERENT_USER_MESSAGE, federatedUser.getUsername(), linkingUser.getUsername());
|
||||
}
|
||||
|
||||
SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, AbstractIdpAuthenticator.BROKERED_CONTEXT_NOTE);
|
||||
|
@ -866,7 +866,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
|
|||
}
|
||||
|
||||
if (!authenticatedUser.hasRole(this.realmModel.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID).getRole(AccountRoles.MANAGE_ACCOUNT))) {
|
||||
return redirectToErrorPage(Messages.INSUFFICIENT_PERMISSION);
|
||||
return redirectToErrorPage(authSession, Messages.INSUFFICIENT_PERMISSION);
|
||||
}
|
||||
|
||||
if (!authenticatedUser.isEnabled()) {
|
||||
|
@ -919,7 +919,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
|
|||
if (authSession.getClient() != null && authSession.getClient().getClientId().equals(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID)) {
|
||||
return redirectToAccountErrorPage(authSession, message, parameters);
|
||||
} else {
|
||||
return redirectToErrorPage(message, parameters); // Should rather redirect to app instead and display error here?
|
||||
return redirectToErrorPage(authSession, message, parameters); // Should rather redirect to app instead and display error here?
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1057,11 +1057,15 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
|
|||
return Urls.identityProviderAuthnResponse(this.uriInfo.getBaseUri(), providerId, this.realmModel.getName()).toString();
|
||||
}
|
||||
|
||||
private Response redirectToErrorPage(String message, Object ... parameters) {
|
||||
return redirectToErrorPage(message, null, parameters);
|
||||
private Response redirectToErrorPage(AuthenticationSessionModel authSession,String message, Object ... parameters) {
|
||||
return redirectToErrorPage(authSession, message, null, parameters);
|
||||
}
|
||||
|
||||
private Response redirectToErrorPage(String message, Throwable throwable, Object ... parameters) {
|
||||
private Response redirectToErrorPage(String message, Object ... parameters) {
|
||||
return redirectToErrorPage(null, message, null, parameters);
|
||||
}
|
||||
|
||||
private Response redirectToErrorPage(AuthenticationSessionModel authSession, String message, Throwable throwable, Object ... parameters) {
|
||||
if (message == null) {
|
||||
message = Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR;
|
||||
}
|
||||
|
@ -1073,7 +1077,7 @@ public class IdentityBrokerService implements IdentityProvider.AuthenticationCal
|
|||
return webEx.getResponse();
|
||||
}
|
||||
|
||||
return ErrorPage.error(this.session, message, parameters);
|
||||
return ErrorPage.error(this.session, authSession, message, parameters);
|
||||
}
|
||||
|
||||
private Response redirectToAccountErrorPage(AuthenticationSessionModel authSession, String message, Object ... parameters) {
|
||||
|
|
|
@ -340,7 +340,7 @@ public class LoginActionsService {
|
|||
if (!realm.isResetPasswordAllowed()) {
|
||||
event.event(EventType.RESET_PASSWORD);
|
||||
event.error(Errors.NOT_ALLOWED);
|
||||
return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
|
||||
return ErrorPage.error(session, authSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
|
||||
|
||||
}
|
||||
authSession = createAuthenticationSessionForClient();
|
||||
|
@ -384,7 +384,7 @@ public class LoginActionsService {
|
|||
|
||||
if (!realm.isResetPasswordAllowed()) {
|
||||
event.error(Errors.NOT_ALLOWED);
|
||||
return ErrorPage.error(session, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
|
||||
return ErrorPage.error(session, authSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
|
||||
|
||||
}
|
||||
|
||||
|
@ -553,7 +553,7 @@ public class LoginActionsService {
|
|||
} else if (RESET_CREDENTIALS_PATH.equals(flowPath)) {
|
||||
return processResetCredentials(false, null, authSession, errorMessage);
|
||||
} else {
|
||||
return ErrorPage.error(session, errorMessage == null ? Messages.INVALID_REQUEST : errorMessage);
|
||||
return ErrorPage.error(session, authSession, errorMessage == null ? Messages.INVALID_REQUEST : errorMessage);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -577,7 +577,7 @@ public class LoginActionsService {
|
|||
event
|
||||
.detail(Details.REASON, ex == null ? "<unknown>" : ex.getMessage())
|
||||
.error(eventError == null ? Errors.INVALID_CODE : eventError);
|
||||
return ErrorPage.error(session, errorMessage == null ? Messages.INVALID_CODE : errorMessage);
|
||||
return ErrorPage.error(session, null, errorMessage == null ? Messages.INVALID_CODE : errorMessage);
|
||||
}
|
||||
|
||||
protected Response processResetCredentials(boolean actionRequest, String execution, AuthenticationSessionModel authSession, String errorMessage) {
|
||||
|
@ -626,7 +626,7 @@ public class LoginActionsService {
|
|||
event.event(EventType.REGISTER);
|
||||
if (!realm.isRegistrationAllowed()) {
|
||||
event.error(Errors.REGISTRATION_DISABLED);
|
||||
return ErrorPage.error(session, Messages.REGISTRATION_NOT_ALLOWED);
|
||||
return ErrorPage.error(session, null, Messages.REGISTRATION_NOT_ALLOWED);
|
||||
}
|
||||
|
||||
SessionCodeChecks checks = checksForCode(code, execution, clientId, REGISTRATION_PATH);
|
||||
|
@ -692,7 +692,7 @@ public class LoginActionsService {
|
|||
SerializedBrokeredIdentityContext serializedCtx = SerializedBrokeredIdentityContext.readFromAuthenticationSession(authSession, noteKey);
|
||||
if (serializedCtx == null) {
|
||||
ServicesLogger.LOGGER.notFoundSerializedCtxInClientSession(noteKey);
|
||||
throw new WebApplicationException(ErrorPage.error(session, "Not found serialized context in authenticationSession."));
|
||||
throw new WebApplicationException(ErrorPage.error(session, authSession, "Not found serialized context in authenticationSession."));
|
||||
}
|
||||
BrokeredIdentityContext brokerContext = serializedCtx.deserialize(session, authSession);
|
||||
final String identityProviderAlias = brokerContext.getIdpConfig().getAlias();
|
||||
|
@ -700,12 +700,12 @@ public class LoginActionsService {
|
|||
String flowId = firstBrokerLogin ? brokerContext.getIdpConfig().getFirstBrokerLoginFlowId() : brokerContext.getIdpConfig().getPostBrokerLoginFlowId();
|
||||
if (flowId == null) {
|
||||
ServicesLogger.LOGGER.flowNotConfigForIDP(identityProviderAlias);
|
||||
throw new WebApplicationException(ErrorPage.error(session, "Flow not configured for identity provider"));
|
||||
throw new WebApplicationException(ErrorPage.error(session, authSession, "Flow not configured for identity provider"));
|
||||
}
|
||||
AuthenticationFlowModel brokerLoginFlow = realm.getAuthenticationFlowById(flowId);
|
||||
if (brokerLoginFlow == null) {
|
||||
ServicesLogger.LOGGER.flowNotFoundForIDP(flowId, identityProviderAlias);
|
||||
throw new WebApplicationException(ErrorPage.error(session, "Flow not found for identity provider"));
|
||||
throw new WebApplicationException(ErrorPage.error(session, authSession, "Flow not found for identity provider"));
|
||||
}
|
||||
|
||||
event.detail(Details.IDENTITY_PROVIDER, identityProviderAlias)
|
||||
|
@ -886,7 +886,7 @@ public class LoginActionsService {
|
|||
if (factory == null) {
|
||||
ServicesLogger.LOGGER.actionProviderNull();
|
||||
event.error(Errors.INVALID_CODE);
|
||||
throw new WebApplicationException(ErrorPage.error(session, Messages.INVALID_CODE));
|
||||
throw new WebApplicationException(ErrorPage.error(session, authSession, Messages.INVALID_CODE));
|
||||
}
|
||||
RequiredActionProvider provider = factory.create(session);
|
||||
|
||||
|
|
|
@ -116,7 +116,7 @@ public class LoginActionsServiceChecks {
|
|||
|
||||
UserSessionModel userSession = context.getSession().sessions().getUserSession(context.getRealm(), authSessionId);
|
||||
if (userSession != null) {
|
||||
LoginFormsProvider loginForm = context.getSession().getProvider(LoginFormsProvider.class)
|
||||
LoginFormsProvider loginForm = context.getSession().getProvider(LoginFormsProvider.class).setAuthenticationSession(context.getAuthenticationSession())
|
||||
.setSuccess(Messages.ALREADY_LOGGED_IN);
|
||||
|
||||
if (context.getSession().getContext().getClient() == null) {
|
||||
|
|
|
@ -123,12 +123,12 @@ public class SessionCodeChecks {
|
|||
// Basic realm checks
|
||||
if (!checkSsl()) {
|
||||
event.error(Errors.SSL_REQUIRED);
|
||||
response = ErrorPage.error(session, Messages.HTTPS_REQUIRED);
|
||||
response = ErrorPage.error(session, null, Messages.HTTPS_REQUIRED);
|
||||
return null;
|
||||
}
|
||||
if (!realm.isEnabled()) {
|
||||
event.error(Errors.REALM_DISABLED);
|
||||
response = ErrorPage.error(session, Messages.REALM_NOT_ENABLED);
|
||||
response = ErrorPage.error(session, null, Messages.REALM_NOT_ENABLED);
|
||||
return null;
|
||||
}
|
||||
|
||||
|
@ -154,7 +154,7 @@ public class SessionCodeChecks {
|
|||
UserSessionModel userSession = session.sessions().getUserSession(realm, sessionId);
|
||||
if (userSession != null) {
|
||||
|
||||
LoginFormsProvider loginForm = session.getProvider(LoginFormsProvider.class)
|
||||
LoginFormsProvider loginForm = session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSession)
|
||||
.setSuccess(Messages.ALREADY_LOGGED_IN);
|
||||
|
||||
if (client == null) {
|
||||
|
@ -190,7 +190,7 @@ public class SessionCodeChecks {
|
|||
ClientModel client = authSession.getClient();
|
||||
if (client == null) {
|
||||
event.error(Errors.CLIENT_NOT_FOUND);
|
||||
response = ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER);
|
||||
response = ErrorPage.error(session, authSession, Messages.UNKNOWN_LOGIN_REQUESTER);
|
||||
clientCode.removeExpiredClientSession();
|
||||
return false;
|
||||
}
|
||||
|
@ -200,7 +200,7 @@ public class SessionCodeChecks {
|
|||
|
||||
if (!client.isEnabled()) {
|
||||
event.error(Errors.CLIENT_DISABLED);
|
||||
response = ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED);
|
||||
response = ErrorPage.error(session,authSession, Messages.LOGIN_REQUESTER_NOT_ENABLED);
|
||||
clientCode.removeExpiredClientSession();
|
||||
return false;
|
||||
}
|
||||
|
@ -285,7 +285,7 @@ public class SessionCodeChecks {
|
|||
return false;
|
||||
} else {
|
||||
logger.errorf("Bad action. Expected action '%s', current action '%s'", expectedAction, authSession.getAction());
|
||||
response = ErrorPage.error(session, Messages.EXPIRED_CODE);
|
||||
response = ErrorPage.error(session, authSession, Messages.EXPIRED_CODE);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
@ -370,7 +370,7 @@ public class SessionCodeChecks {
|
|||
} else {
|
||||
// Finally need to show error as all the fallbacks failed
|
||||
event.error(Errors.INVALID_CODE);
|
||||
return ErrorPage.error(session, Messages.INVALID_CODE);
|
||||
return ErrorPage.error(session, authSession, Messages.INVALID_CODE);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -833,6 +833,9 @@ public class RealmAdminResource {
|
|||
if (user.getEmail() == null) {
|
||||
return ErrorResponse.error("Logged in user does not have an e-mail.", Response.Status.INTERNAL_SERVER_ERROR);
|
||||
}
|
||||
if (ComponentRepresentation.SECRET_VALUE.equals(settings.get("password"))) {
|
||||
settings.put("password", realm.getSmtpConfig().get("password"));
|
||||
}
|
||||
session.getProvider(EmailTemplateProvider.class).sendSmtpTestEmail(settings, user);
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
|
|
|
@ -56,7 +56,7 @@ public class AuthenticationFlowURLHelper {
|
|||
|
||||
logger.debugf("Redirecting to 'page expired' now. Will use last step URL: %s", lastStepUrl);
|
||||
|
||||
return session.getProvider(LoginFormsProvider.class)
|
||||
return session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSession)
|
||||
.setActionUri(lastStepUrl)
|
||||
.setExecution(getExecutionId(authSession))
|
||||
.createLoginExpiredPage();
|
||||
|
|
|
@ -191,14 +191,13 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
|
|||
return callback.cancelled(state);
|
||||
}
|
||||
|
||||
Response errorResponse = null;
|
||||
|
||||
AuthenticationSessionModel authSession = null;
|
||||
try {
|
||||
Twitter twitter = new TwitterFactory().getInstance();
|
||||
|
||||
twitter.setOAuthConsumer(getConfig().getClientId(), getConfig().getClientSecret());
|
||||
|
||||
AuthenticationSessionModel authSession = ClientSessionCode.getClientSession(state, session, realm, event, AuthenticationSessionModel.class);
|
||||
authSession = ClientSessionCode.getClientSession(state, session, realm, event, AuthenticationSessionModel.class);
|
||||
|
||||
String twitterToken = authSession.getAuthNote(TWITTER_TOKEN);
|
||||
String twitterSecret = authSession.getAuthNote(TWITTER_TOKENSECRET);
|
||||
|
@ -239,7 +238,7 @@ public class TwitterIdentityProvider extends AbstractIdentityProvider<OAuth2Iden
|
|||
} catch (Exception e) {
|
||||
logger.error("Could get user profile from twitter.", e);
|
||||
sendErrorEvent();
|
||||
return ErrorPage.error(session, Messages.UNEXPECTED_ERROR_HANDLING_RESPONSE);
|
||||
return ErrorPage.error(session, authSession, Messages.UNEXPECTED_ERROR_HANDLING_RESPONSE);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -446,39 +446,64 @@ and argument: `-p 8181`
|
|||
|
||||
## Cross-DC tests
|
||||
|
||||
Cross-DC tests use 2 data centers, each with one automatically started and one manually controlled backend servers
|
||||
(currently only Keycloak on Undertow), and 1 frontend loadbalancer server node that sits in front of all servers.
|
||||
Cross-DC tests use 2 data centers, each with one automatically started and one manually controlled backend servers,
|
||||
and 1 frontend loadbalancer server node that sits in front of all servers.
|
||||
The browser usually communicates directly with the frontent node and the test controls where the HTTP requests
|
||||
land by adjusting load balancer configuration (e.g. to direct the traffic to only a single DC).
|
||||
|
||||
For an example of a test, see [org.keycloak.testsuite.crossdc.ActionTokenCrossDCTest](tests/base/src/test/java/org/keycloak/testsuite/crossdc/ActionTokenCrossDCTest.java).
|
||||
|
||||
The cross DC requires setting a profile specifying used cache server (currently only Infinispan) by specifying
|
||||
`cache-server-infinispan` profile in maven.
|
||||
The cross DC requires setting a profile specifying used cache server by specifying
|
||||
`cache-server-infinispan` or `cache-server-jdg` profile in maven.
|
||||
|
||||
#### Run Cross-DC Tests from Maven
|
||||
|
||||
First compile the Infinispan/JDG test server via the following command:
|
||||
a) First compile the Infinispan/JDG test server via the following command:
|
||||
|
||||
`mvn -Pcache-server-infinispan -f testsuite/integration-arquillian -DskipTests clean install`
|
||||
`mvn -Pcache-server-infinispan,auth-servers-crossdc-undertow -f testsuite/integration-arquillian -DskipTests clean install`
|
||||
|
||||
or
|
||||
|
||||
`mvn -Pcache-server-jdg -f testsuite/integration-arquillian -DskipTests clean install`
|
||||
`mvn -Pcache-server-jdg,auth-servers-crossdc-undertow -f testsuite/integration-arquillian -DskipTests clean install`
|
||||
|
||||
Then you can run the tests using the following command (adjust the test specification according to your needs):
|
||||
b) Then in case you want to use **JBoss-based** Keycloak backend containers instead of containers on Embedded Undertow run following command:
|
||||
|
||||
`mvn -Pcache-server-infinispan -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base test`
|
||||
`mvn -Pauth-servers-crossdc-jboss,auth-server-wildfly -f testsuite/integration-arquillian -DskipTests clean install`
|
||||
|
||||
*note: 'auth-server-wildfly' can be replaced by 'auth-server-eap'*
|
||||
|
||||
By default JBoss-based containers use in-memory h2 database. It can be configured to use real DB, e.g. with following command:
|
||||
|
||||
`mvn -Pauth-servers-crossdc-jboss,auth-server-wildfly,jpa -f testsuite/integration-arquillian -DskipTests clean install -Djdbc.mvn.groupId=org.mariadb.jdbc -Djdbc.mvn.artifactId=mariadb-java-client -Djdbc.mvn.version=2.0.3 -Dkeycloak.connectionsJpa.url=jdbc:mariadb://localhost:3306/keycloak -Dkeycloak.connectionsJpa.password=keycloak -Dkeycloak.connectionsJpa.user=keycloak`
|
||||
|
||||
c1) Then you can run the tests using the following command (adjust the test specification according to your needs) for Keycloak backend containers on **Undertow**:
|
||||
|
||||
`mvn -Pcache-server-infinispan,auth-servers-crossdc-undertow -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base clean install`
|
||||
|
||||
or
|
||||
|
||||
`mvn -Pcache-server-jdg -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base test`
|
||||
`mvn -Pcache-server-jdg,auth-servers-crossdc-undertow -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base clean install`
|
||||
|
||||
c2) For **JBoss-based** Keycloak backend containers:
|
||||
|
||||
`mvn -Pcache-server-infinispan,auth-servers-crossdc-jboss,auth-server-wildfly -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base clean install`
|
||||
|
||||
or
|
||||
|
||||
`mvn -Pcache-server-jdg,auth-servers-crossdc-jboss,auth-server-wildfly -Dtest=*.crossdc.* -pl testsuite/integration-arquillian/tests/base clean install`
|
||||
|
||||
*note: 'auth-server-wildfly can be replaced by auth-server-eap'*
|
||||
|
||||
**note**
|
||||
Previous commands can be "squashed" into one. E.g.:
|
||||
|
||||
`mvn -f testsuite/integration-arquillian clean install -Dtest=*.crossdc.* -Djdbc.mvn.groupId=org.mariadb.jdbc -Djdbc.mvn.artifactId=mariadb-java-client -Djdbc.mvn.version=2.0.3 -Dkeycloak.connectionsJpa.url=jdbc:mariadb://localhost:3306/keycloak -Dkeycloak.connectionsJpa.password=keycloak -Dkeycloak.connectionsJpa.user=keycloak -Pcache-server-infinispan,auth-servers-crossdc-jboss,auth-server-wildfly,jpa clean install`
|
||||
|
||||
It can be useful to add additional system property to enable logging:
|
||||
|
||||
-Dkeycloak.infinispan.logging.level=debug
|
||||
|
||||
Tests from package "manual" uses manual lifecycle for all servers, so needs to be executed manually. Also needs to be executed with real DB like MySQL. You can run them with:
|
||||
**Tests from package "manual"** uses manual lifecycle for all servers, so needs to be executed manually. Also needs to be executed with real DB like MySQL. You can run them with:
|
||||
|
||||
mvn -Pcache-server-infinispan -Dtest=*.crossdc.manual.* -Dmanual.mode=true \
|
||||
-Dkeycloak.connectionsJpa.url.crossdc=jdbc:mysql://localhost/keycloak -Dkeycloak.connectionsJpa.driver.crossdc=com.mysql.jdbc.Driver \
|
||||
|
|
|
@ -45,7 +45,7 @@
|
|||
<selenium.version>3.5.3</selenium.version>
|
||||
<arquillian-drone.version>2.4.2</arquillian-drone.version>
|
||||
<arquillian-graphene.version>2.3.1</arquillian-graphene.version>
|
||||
<arquillian-wildfly-container.version>2.1.0.Beta1</arquillian-wildfly-container.version>
|
||||
<arquillian-wildfly-container.version>2.1.0.Final</arquillian-wildfly-container.version>
|
||||
<arquillian-wls-container.version>1.0.1.Final</arquillian-wls-container.version>
|
||||
<arquillian-infinispan-container.version>1.2.0.Beta2</arquillian-infinispan-container.version>
|
||||
<version.shrinkwrap.resolvers>2.2.6</version.shrinkwrap.resolvers>
|
||||
|
|
|
@ -26,6 +26,8 @@ do
|
|||
|
||||
if [ "$ELYTRON_SUPPORTED" = true ]; then
|
||||
./jboss-cli.sh -c --file="adapter-elytron-install.cli"
|
||||
else
|
||||
./jboss-cli.sh -c --command="/subsystem=elytron:remove"
|
||||
fi
|
||||
|
||||
if [ $? -ne 0 ]; then RESULT=1; fi
|
||||
|
|
|
@ -0,0 +1,129 @@
|
|||
embed-server --server-config=standalone-ha.xml
|
||||
|
||||
echo **** Begin ****
|
||||
|
||||
echo *** Update jgoups subsystem ***
|
||||
/subsystem=jgroups/stack=udp/transport=UDP:write-attribute(name=site, value=${jboss.site.name})
|
||||
|
||||
echo *** Update infinispan subsystem ***
|
||||
/subsystem=infinispan/cache-container=keycloak:write-attribute(name=module, value=org.keycloak.keycloak-model-infinispan)
|
||||
|
||||
echo ** Update replicated-cache work element **
|
||||
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work/store=custom:add( \
|
||||
class=org.keycloak.models.sessions.infinispan.remotestore.KeycloakRemoteStoreConfigurationBuilder, \
|
||||
passivation=false, \
|
||||
fetch-state=false, \
|
||||
purge=false, \
|
||||
preload=false, \
|
||||
shared=true \
|
||||
)
|
||||
|
||||
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work/store=custom:write-attribute( \
|
||||
name=properties, value={ \
|
||||
rawValues=true, \
|
||||
marshaller=org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory, \
|
||||
transportFactory=org.keycloak.models.sessions.infinispan.remotestore.KeycloakTcpTransportFactory, \
|
||||
remoteServers=localhost:${remote.cache.port}, \
|
||||
remoteCacheName=work, \
|
||||
sessionCache=false \
|
||||
} \
|
||||
)
|
||||
|
||||
/subsystem=infinispan/cache-container=keycloak/replicated-cache=work:write-attribute(name=statistics-enabled,value=true)
|
||||
|
||||
echo ** Update distributed-cache sessions element **
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions/store=custom:add( \
|
||||
class=org.keycloak.models.sessions.infinispan.remotestore.KeycloakRemoteStoreConfigurationBuilder, \
|
||||
passivation=false, \
|
||||
fetch-state=false, \
|
||||
purge=false, \
|
||||
preload=false, \
|
||||
shared=true \
|
||||
)
|
||||
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions/store=custom:write-attribute( \
|
||||
name=properties, value={ \
|
||||
remoteCacheName=sessions, \
|
||||
useConfigTemplateFromCache=work, \
|
||||
sessionCache=true \
|
||||
} \
|
||||
)
|
||||
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=statistics-enabled,value=true)
|
||||
|
||||
echo ** Update distributed-cache offlineSessions element **
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions/store=custom:add( \
|
||||
class=org.keycloak.models.sessions.infinispan.remotestore.KeycloakRemoteStoreConfigurationBuilder, \
|
||||
passivation=false, \
|
||||
fetch-state=false, \
|
||||
purge=false, \
|
||||
preload=false, \
|
||||
shared=true \
|
||||
)
|
||||
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions/store=custom:write-attribute( \
|
||||
name=properties, value={ \
|
||||
remoteCacheName=offlineSessions, \
|
||||
useConfigTemplateFromCache=work, \
|
||||
sessionCache=true \
|
||||
} \
|
||||
)
|
||||
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=statistics-enabled,value=true)
|
||||
|
||||
echo ** Update distributed-cache loginFailures element **
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures/store=custom:add( \
|
||||
class=org.keycloak.models.sessions.infinispan.remotestore.KeycloakRemoteStoreConfigurationBuilder, \
|
||||
passivation=false, \
|
||||
fetch-state=false, \
|
||||
purge=false, \
|
||||
preload=false, \
|
||||
shared=true \
|
||||
)
|
||||
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures/store=custom:write-attribute( \
|
||||
name=properties, value={ \
|
||||
remoteCacheName=loginFailures, \
|
||||
useConfigTemplateFromCache=work, \
|
||||
sessionCache=true \
|
||||
} \
|
||||
)
|
||||
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=statistics-enabled,value=true)
|
||||
|
||||
echo ** Update distributed-cache actionTokens element **
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens/store=custom:add( \
|
||||
class=org.keycloak.models.sessions.infinispan.remotestore.KeycloakRemoteStoreConfigurationBuilder, \
|
||||
passivation=false, \
|
||||
fetch-state=false, \
|
||||
purge=false, \
|
||||
preload=true, \
|
||||
shared=true \
|
||||
)
|
||||
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens/store=custom:write-attribute( \
|
||||
name=properties, value={ \
|
||||
remoteCacheName=actionTokens, \
|
||||
useConfigTemplateFromCache=work, \
|
||||
sessionCache=false \
|
||||
} \
|
||||
)
|
||||
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=actionTokens:write-attribute(name=statistics-enabled,value=true)
|
||||
|
||||
echo ** Update distributed-cache authenticationSessions element **
|
||||
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=statistics-enabled,value=true)
|
||||
|
||||
echo *** Enable debug logging ***
|
||||
/subsystem=logging/logger=org.keycloak.cluster.infinispan:add(level=DEBUG)
|
||||
|
||||
/subsystem=logging/logger=org.keycloak.connections.infinispan:add(level=DEBUG)
|
||||
|
||||
/subsystem=logging/logger=org.keycloak.models.cache.infinispan:add(level=DEBUG)
|
||||
|
||||
/subsystem=logging/logger=org.keycloak.models.sessions.infinispan:add(level=DEBUG)
|
||||
|
||||
echo *** Update undertow subsystem ***
|
||||
/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=proxy-address-forwarding,value=true)
|
||||
|
||||
echo **** End ****
|
|
@ -57,6 +57,7 @@
|
|||
<goal>enforce</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<skip>false</skip>
|
||||
<rules>
|
||||
<requireProperty>
|
||||
<property>product.version</property>
|
||||
|
|
|
@ -191,6 +191,7 @@
|
|||
<dir>${auth.server.home}/standalone/configuration</dir>
|
||||
<includes>
|
||||
<include>standalone.xml</include>
|
||||
<include>standalone-ha.xml</include>
|
||||
</includes>
|
||||
<stylesheet>${common.resources}/keycloak-server-subsystem.xsl</stylesheet>
|
||||
<outputDir>${auth.server.home}/standalone/configuration</outputDir>
|
||||
|
@ -575,6 +576,120 @@
|
|||
</pluginManagement>
|
||||
</build>
|
||||
</profile>
|
||||
|
||||
<profile>
|
||||
<id>auth-servers-crossdc-jboss</id>
|
||||
<properties>
|
||||
<crossdc.jboss.jdbc.url>jdbc:h2:tcp://localhost:9092/mem:keycloak-dc-shared;DB_CLOSE_DELAY=-1</crossdc.jboss.jdbc.url>
|
||||
</properties>
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<artifactId>maven-enforcer-plugin</artifactId>
|
||||
<configuration>
|
||||
<skip>true</skip>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
<pluginManagement>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<artifactId>maven-enforcer-plugin</artifactId>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>enforce-profile-activation</id>
|
||||
<goals>
|
||||
<goal>enforce</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<rules>
|
||||
<requireProperty>
|
||||
<property>auth.server.jboss</property>
|
||||
<message>Profile "auth-servers-crossdc-jboss" requires activation of another profile: either "auth-server-wildfly" or "auth-server-eap".</message>
|
||||
<regex>(wildfly|eap)</regex>
|
||||
</requireProperty>
|
||||
</rules>
|
||||
</configuration>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>xml-maven-plugin</artifactId>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>jpa-h2-tcp</id>
|
||||
<phase>process-resources</phase>
|
||||
<goals>
|
||||
<goal>transform</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<skip>${skip.h2.tcp}</skip>
|
||||
<transformationSets>
|
||||
<transformationSet>
|
||||
<dir>${auth.server.home}/standalone/configuration</dir>
|
||||
<includes>
|
||||
<include>standalone-ha.xml</include>
|
||||
</includes>
|
||||
<stylesheet>${common.resources}/datasource-jdbc-url.xsl</stylesheet>
|
||||
<outputDir>${auth.server.home}/standalone/configuration</outputDir>
|
||||
<parameters>
|
||||
<parameter>
|
||||
<name>pool.name</name>
|
||||
<value>KeycloakDS</value>
|
||||
</parameter>
|
||||
<parameter>
|
||||
<name>jdbc.url</name>
|
||||
<value>${crossdc.jboss.jdbc.url}</value>
|
||||
</parameter>
|
||||
</parameters>
|
||||
</transformationSet>
|
||||
</transformationSets>
|
||||
</configuration>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>exec-maven-plugin</artifactId>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>crossdc-setup</id>
|
||||
<phase>process-resources</phase>
|
||||
<goals>
|
||||
<goal>exec</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<executable>${auth.server.home}/bin/jboss-cli.sh</executable>
|
||||
<arguments>
|
||||
<argument>--file=${common.resources}/crossdc/cross-dc-setup.cli</argument>
|
||||
</arguments>
|
||||
</configuration>
|
||||
</execution>
|
||||
<execution>
|
||||
<id>remove-temp-data-crossdc-setup</id>
|
||||
<phase>process-resources</phase>
|
||||
<goals>
|
||||
<goal>exec</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<workingDirectory>${auth.server.home}/standalone/</workingDirectory>
|
||||
<executable>rm</executable>
|
||||
<arguments>
|
||||
<argument>-rf</argument>
|
||||
<argument>data</argument>
|
||||
<argument>log</argument>
|
||||
<argument>tmp</argument>
|
||||
</arguments>
|
||||
</configuration>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</pluginManagement>
|
||||
</build>
|
||||
</profile>
|
||||
|
||||
<profile>
|
||||
<id>auth-server-cluster</id>
|
||||
<properties>
|
||||
|
|
|
@ -43,4 +43,15 @@
|
|||
<auth.server.jboss>wildfly</auth.server.jboss>
|
||||
</properties>
|
||||
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<artifactId>maven-enforcer-plugin</artifactId>
|
||||
<configuration>
|
||||
<skip>false</skip>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
|
||||
</project>
|
||||
|
|
|
@ -33,6 +33,7 @@
|
|||
<module name="org.keycloak.keycloak-model-infinispan"/>
|
||||
<module name="org.keycloak.keycloak-model-jpa"/>
|
||||
<module name="org.infinispan"/>
|
||||
<module name="org.infinispan.client.hotrod"/>
|
||||
<module name="org.jboss.logging"/>
|
||||
<module name="org.jboss.resteasy.resteasy-jaxrs"/>
|
||||
<module name="javax.persistence.api"/>
|
||||
|
|
|
@ -17,7 +17,12 @@
|
|||
|
||||
package org.keycloak.testsuite.arquillian.undertow.lb;
|
||||
|
||||
import java.lang.reflect.Field;
|
||||
import java.net.URI;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
|
||||
|
@ -34,6 +39,7 @@ import io.undertow.server.handlers.proxy.ProxyHandler;
|
|||
import io.undertow.util.AttachmentKey;
|
||||
import io.undertow.util.Headers;
|
||||
import org.jboss.logging.Logger;
|
||||
import org.keycloak.common.util.reflections.Reflections;
|
||||
import org.keycloak.services.managers.AuthenticationSessionManager;
|
||||
import java.util.LinkedHashMap;
|
||||
import java.util.StringTokenizer;
|
||||
|
@ -94,7 +100,7 @@ public class SimpleUndertowLoadBalancer {
|
|||
.build();
|
||||
undertow.start();
|
||||
|
||||
log.infof("Loadbalancer started and ready to serve requests on http://%s:%d", host, port);
|
||||
log.infof("#### Loadbalancer started and ready to serve requests on http://%s:%d ####", host, port);
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
|
@ -110,11 +116,12 @@ public class SimpleUndertowLoadBalancer {
|
|||
lb.removeHost(uri);
|
||||
lb.addHost(uri, route);
|
||||
});
|
||||
log.infof("Load balancer: enable all nodes. All enabled nodes: %s", lb.toString());
|
||||
}
|
||||
|
||||
public void disableAllBackendNodes() {
|
||||
log.debugf("Load balancer: disabling all nodes");
|
||||
backendNodes.values().forEach(lb::removeHost);
|
||||
log.infof("Load balancer: disabling all nodes");
|
||||
}
|
||||
|
||||
public void enableBackendNodeByName(String nodeName) {
|
||||
|
@ -122,8 +129,8 @@ public class SimpleUndertowLoadBalancer {
|
|||
if (uri == null) {
|
||||
throw new IllegalArgumentException("Invalid node: " + nodeName);
|
||||
}
|
||||
log.debugf("Load balancer: enabling node %s", nodeName);
|
||||
lb.addHost(uri, nodeName);
|
||||
log.infof("Load balancer: enabled node '%s', All enabled nodes: %s", nodeName, lb.toString());
|
||||
}
|
||||
|
||||
public void disableBackendNodeByName(String nodeName) {
|
||||
|
@ -131,8 +138,8 @@ public class SimpleUndertowLoadBalancer {
|
|||
if (uri == null) {
|
||||
throw new IllegalArgumentException("Invalid node: " + nodeName);
|
||||
}
|
||||
log.debugf("Load balancer: disabling node %s", nodeName);
|
||||
lb.removeHost(uri);
|
||||
log.infof("Load balancer: disabled node '%s', All enabled nodes: %s", nodeName, lb.toString());
|
||||
}
|
||||
|
||||
static Map<String, URI> parseNodes(String nodes) {
|
||||
|
@ -225,6 +232,19 @@ public class SimpleUndertowLoadBalancer {
|
|||
}
|
||||
|
||||
|
||||
// For now, overriden just this "addHost" method to avoid adding duplicates
|
||||
@Override
|
||||
public synchronized LoadBalancingProxyClient addHost(URI host, String jvmRoute) {
|
||||
List<String> current = getCurrentHostRoutes();
|
||||
if (current.contains(jvmRoute)) {
|
||||
log.infof("Route '%s' already present. Skip adding", jvmRoute);
|
||||
return this;
|
||||
} else {
|
||||
return super.addHost(host, jvmRoute);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public void getConnection(ProxyTarget target, HttpServerExchange exchange, ProxyCallback<ProxyConnection> callback, long timeout, TimeUnit timeUnit) {
|
||||
long timeoutMs = timeUnit.toMillis(timeout);
|
||||
|
@ -233,6 +253,31 @@ public class SimpleUndertowLoadBalancer {
|
|||
super.getConnection(target, exchange, callbackDelegate, timeout, timeUnit);
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return getCurrentHostRoutes().toString();
|
||||
}
|
||||
|
||||
|
||||
private List<String> getCurrentHostRoutes() {
|
||||
Field hostsField = Reflections.findDeclaredField(LoadBalancingProxyClient.class, "hosts");
|
||||
hostsField.setAccessible(true);
|
||||
Host[] hosts = (Host[]) Reflections.getFieldValue(hostsField, this);
|
||||
|
||||
if (hosts == null) {
|
||||
return Collections.emptyList();
|
||||
}
|
||||
|
||||
List<String> hostRoutes = new LinkedList<>();
|
||||
for (Host host : hosts) {
|
||||
Field hostField = Reflections.findDeclaredField(Host.class, "jvmRoute");
|
||||
hostField.setAccessible(true);
|
||||
String route = Reflections.getFieldValue(hostField, host).toString();
|
||||
hostRoutes.add(route);
|
||||
}
|
||||
return hostRoutes;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -228,6 +228,13 @@
|
|||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
|
||||
<plugin>
|
||||
<artifactId>maven-antrun-plugin</artifactId>
|
||||
<configuration>
|
||||
<skip>false</skip>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
|
||||
</build>
|
||||
|
|
|
@ -136,6 +136,11 @@ public class AuthServerTestEnricher {
|
|||
return managementClient;
|
||||
}
|
||||
|
||||
public void distinguishContainersInConsoleOutput(@Observes(precedence = 5) StartContainer event) {
|
||||
log.info("*****************************************************************"
|
||||
+ "*****************************************************************************");
|
||||
}
|
||||
|
||||
public void initializeSuiteContext(@Observes(precedence = 2) BeforeSuite event) {
|
||||
Set<ContainerInfo> containers = containerRegistry.get().getContainers().stream()
|
||||
.map(ContainerInfo::new)
|
||||
|
@ -165,12 +170,13 @@ public class AuthServerTestEnricher {
|
|||
}
|
||||
|
||||
containers.stream()
|
||||
.filter(c -> c.getQualifier().startsWith(AUTH_SERVER_CONTAINER + "-cross-dc-"))
|
||||
.filter(c -> c.getQualifier().startsWith("auth-server-" + System.getProperty("node.name") + "-"))
|
||||
.sorted((a, b) -> a.getQualifier().compareTo(b.getQualifier()))
|
||||
.forEach(c -> {
|
||||
String portOffsetString = c.getArquillianContainer().getContainerConfiguration().getContainerProperties().getOrDefault("bindHttpPortOffset", "0");
|
||||
String dcString = c.getArquillianContainer().getContainerConfiguration().getContainerProperties().getOrDefault("dataCenter", "0");
|
||||
updateWithAuthServerInfo(c, Integer.valueOf(portOffsetString));
|
||||
|
||||
String dcString = c.getArquillianContainer().getContainerConfiguration().getContainerProperties().getOrDefault("dataCenter", "0");
|
||||
suiteContext.addAuthServerBackendsInfo(Integer.valueOf(dcString), c);
|
||||
});
|
||||
|
||||
|
|
|
@ -1,23 +1,18 @@
|
|||
package org.keycloak.testsuite.arquillian;
|
||||
|
||||
import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
|
||||
import org.keycloak.testsuite.Retry;
|
||||
import java.util.Map;
|
||||
import org.jboss.arquillian.core.api.Instance;
|
||||
import org.jboss.arquillian.core.api.annotation.Inject;
|
||||
import java.io.IOException;
|
||||
import java.io.NotSerializableException;
|
||||
import java.lang.management.ManagementFactory;
|
||||
import java.lang.reflect.Field;
|
||||
import java.lang.reflect.Method;
|
||||
import java.net.MalformedURLException;
|
||||
import javax.management.MBeanServerConnection;
|
||||
import javax.management.ObjectName;
|
||||
import javax.management.remote.JMXConnector;
|
||||
import javax.management.remote.JMXServiceURL;
|
||||
import org.jboss.arquillian.container.spi.Container;
|
||||
import org.jboss.arquillian.container.spi.ContainerRegistry;
|
||||
import org.jboss.arquillian.test.spi.TestEnricher;
|
||||
import java.io.IOException;
|
||||
import java.lang.reflect.Parameter;
|
||||
import java.net.MalformedURLException;
|
||||
import java.util.Arrays;
|
||||
import java.util.Map;
|
||||
import java.util.Objects;
|
||||
import java.util.Set;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
import java.util.function.Supplier;
|
||||
import java.util.stream.Collectors;
|
||||
import javax.management.Attribute;
|
||||
import javax.management.AttributeNotFoundException;
|
||||
|
@ -26,21 +21,26 @@ import javax.management.IntrospectionException;
|
|||
import javax.management.MBeanAttributeInfo;
|
||||
import javax.management.MBeanException;
|
||||
import javax.management.MBeanInfo;
|
||||
import javax.management.MBeanServerConnection;
|
||||
import javax.management.MalformedObjectNameException;
|
||||
import javax.management.ObjectName;
|
||||
import javax.management.ReflectionException;
|
||||
import javax.management.remote.JMXServiceURL;
|
||||
import org.apache.commons.lang3.reflect.FieldUtils;
|
||||
import org.jboss.arquillian.container.spi.Container;
|
||||
import org.jboss.arquillian.container.spi.ContainerRegistry;
|
||||
import org.jboss.arquillian.core.api.Instance;
|
||||
import org.jboss.arquillian.core.api.annotation.Inject;
|
||||
import org.jboss.arquillian.core.spi.Validate;
|
||||
import org.jboss.arquillian.test.spi.TestEnricher;
|
||||
import org.jboss.logging.Logger;
|
||||
import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
|
||||
import org.keycloak.testsuite.Retry;
|
||||
import org.keycloak.testsuite.arquillian.annotation.JmxInfinispanCacheStatistics;
|
||||
import java.util.Set;
|
||||
import org.keycloak.testsuite.arquillian.annotation.JmxInfinispanChannelStatistics;
|
||||
import org.keycloak.testsuite.arquillian.jmx.JmxConnectorRegistry;
|
||||
import org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow;
|
||||
import org.keycloak.testsuite.crossdc.DC;
|
||||
import java.io.NotSerializableException;
|
||||
import java.lang.management.ManagementFactory;
|
||||
import java.util.Objects;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
import org.apache.commons.lang3.reflect.FieldUtils;
|
||||
import org.jboss.arquillian.core.spi.Validate;
|
||||
import org.jboss.logging.Logger;
|
||||
|
||||
/**
|
||||
*
|
||||
|
@ -81,8 +81,6 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
}
|
||||
|
||||
private InfinispanStatistics getInfinispanCacheStatistics(JmxInfinispanCacheStatistics annotation) throws MalformedObjectNameException, IOException, MalformedURLException {
|
||||
MBeanServerConnection mbsc = getJmxServerConnection(annotation);
|
||||
|
||||
ObjectName mbeanName = new ObjectName(String.format(
|
||||
"%s:type=%s,name=\"%s(%s)\",manager=\"%s\",component=%s",
|
||||
annotation.domain().isEmpty() ? getDefaultDomain(annotation.dc().getDcIndex(), annotation.dcNodeIndex()) : InfinispanConnectionProvider.JMX_DOMAIN,
|
||||
|
@ -93,7 +91,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
annotation.component()
|
||||
));
|
||||
|
||||
InfinispanStatistics value = new InfinispanCacheStatisticsImpl(mbsc, mbeanName);
|
||||
InfinispanStatistics value = new InfinispanCacheStatisticsImpl(getJmxServerConnection(annotation), mbeanName);
|
||||
|
||||
if (annotation.domain().isEmpty()) {
|
||||
try {
|
||||
|
@ -101,7 +99,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
} catch (RuntimeException ex) {
|
||||
if (annotation.dc() != DC.UNDEFINED && annotation.dcNodeIndex() != -1
|
||||
&& suiteContext.get().getAuthServerBackendsInfo(annotation.dc().getDcIndex()).get(annotation.dcNodeIndex()).isStarted()) {
|
||||
LOG.warn("Could not reset statistics for " + mbeanName);
|
||||
LOG.warn("Could not reset statistics for " + mbeanName + ". The reason is: \"" + ex.getMessage() + "\"");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -110,8 +108,6 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
}
|
||||
|
||||
private InfinispanStatistics getJGroupsChannelStatistics(JmxInfinispanChannelStatistics annotation) throws MalformedObjectNameException, IOException, MalformedURLException {
|
||||
MBeanServerConnection mbsc = getJmxServerConnection(annotation);
|
||||
|
||||
ObjectName mbeanName = new ObjectName(String.format(
|
||||
"%s:type=%s,cluster=\"%s\"",
|
||||
annotation.domain().isEmpty() ? getDefaultDomain(annotation.dc().getDcIndex(), annotation.dcNodeIndex()) : InfinispanConnectionProvider.JMX_DOMAIN,
|
||||
|
@ -119,7 +115,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
annotation.cluster()
|
||||
));
|
||||
|
||||
InfinispanStatistics value = new InfinispanChannelStatisticsImpl(mbsc, mbeanName);
|
||||
InfinispanStatistics value = new InfinispanChannelStatisticsImpl(getJmxServerConnection(annotation), mbeanName);
|
||||
|
||||
if (annotation.domain().isEmpty()) {
|
||||
try {
|
||||
|
@ -127,7 +123,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
} catch (RuntimeException ex) {
|
||||
if (annotation.dc() != DC.UNDEFINED && annotation.dcNodeIndex() != -1
|
||||
&& suiteContext.get().getAuthServerBackendsInfo(annotation.dc().getDcIndex()).get(annotation.dcNodeIndex()).isStarted()) {
|
||||
LOG.warn("Could not reset statistics for " + mbeanName);
|
||||
LOG.warn("Could not reset statistics for " + mbeanName + ". The reason is: \"" + ex.getMessage() + "\"");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -162,12 +158,20 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
|
||||
private String getDefaultDomain(int dcIndex, int dcNodeIndex) {
|
||||
if (dcIndex != -1 && dcNodeIndex != -1) {
|
||||
if (Boolean.parseBoolean(System.getProperty("auth.server.jboss.crossdc"))) {
|
||||
//backend-jboss-server
|
||||
return "org.wildfly.clustering.infinispan";
|
||||
}
|
||||
|
||||
//backend-undertow-server
|
||||
return InfinispanConnectionProvider.JMX_DOMAIN + "-" + suiteContext.get().getAuthServerBackendsInfo(dcIndex).get(dcNodeIndex).getQualifier();
|
||||
}
|
||||
|
||||
//cache-server
|
||||
return InfinispanConnectionProvider.JMX_DOMAIN;
|
||||
}
|
||||
|
||||
private MBeanServerConnection getJmxServerConnection(JmxInfinispanCacheStatistics annotation) throws MalformedURLException, IOException {
|
||||
private Supplier<MBeanServerConnection> getJmxServerConnection(JmxInfinispanCacheStatistics annotation) throws MalformedURLException {
|
||||
final String host;
|
||||
final int port;
|
||||
|
||||
|
@ -175,7 +179,46 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
ContainerInfo node = suiteContext.get().getAuthServerBackendsInfo(annotation.dc().getDcIndex()).get(annotation.dcNodeIndex());
|
||||
Container container = node.getArquillianContainer();
|
||||
if (container.getDeployableContainer() instanceof KeycloakOnUndertow) {
|
||||
return ManagementFactory.getPlatformMBeanServer();
|
||||
return () -> ManagementFactory.getPlatformMBeanServer();
|
||||
}
|
||||
host = "localhost";
|
||||
port = container.getContainerConfiguration().getContainerProperties().containsKey("managementPort")
|
||||
? Integer.valueOf(container.getContainerConfiguration().getContainerProperties().get("managementPort"))
|
||||
: 9990;
|
||||
} else {
|
||||
host = annotation.host().isEmpty()
|
||||
? System.getProperty((annotation.hostProperty().isEmpty()
|
||||
? "keycloak.connectionsInfinispan.remoteStoreServer"
|
||||
: annotation.hostProperty()))
|
||||
: annotation.host();
|
||||
|
||||
port = annotation.managementPort() == -1
|
||||
? Integer.valueOf(System.getProperty((annotation.managementPortProperty().isEmpty()
|
||||
? "cache.server.management.port"
|
||||
: annotation.managementPortProperty())))
|
||||
: annotation.managementPort();
|
||||
}
|
||||
|
||||
|
||||
JMXServiceURL url = new JMXServiceURL("service:jmx:remote+http://" + host + ":" + port);
|
||||
return () -> {
|
||||
try {
|
||||
return jmxConnectorRegistry.get().getConnection(url).getMBeanServerConnection();
|
||||
} catch (IOException ex) {
|
||||
throw new RuntimeException(ex);
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
private Supplier<MBeanServerConnection> getJmxServerConnection(JmxInfinispanChannelStatistics annotation) throws MalformedURLException {
|
||||
final String host;
|
||||
final int port;
|
||||
|
||||
if (annotation.dc() != DC.UNDEFINED && annotation.dcNodeIndex() != -1) {
|
||||
ContainerInfo node = suiteContext.get().getAuthServerBackendsInfo(annotation.dc().getDcIndex()).get(annotation.dcNodeIndex());
|
||||
Container container = node.getArquillianContainer();
|
||||
if (container.getDeployableContainer() instanceof KeycloakOnUndertow) {
|
||||
return () -> ManagementFactory.getPlatformMBeanServer();
|
||||
}
|
||||
host = "localhost";
|
||||
port = container.getContainerConfiguration().getContainerProperties().containsKey("managementPort")
|
||||
|
@ -196,65 +239,36 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
}
|
||||
|
||||
JMXServiceURL url = new JMXServiceURL("service:jmx:remote+http://" + host + ":" + port);
|
||||
JMXConnector jmxc = jmxConnectorRegistry.get().getConnection(url);
|
||||
|
||||
return jmxc.getMBeanServerConnection();
|
||||
return () -> {
|
||||
try {
|
||||
return jmxConnectorRegistry.get().getConnection(url).getMBeanServerConnection();
|
||||
} catch (IOException ex) {
|
||||
throw new RuntimeException(ex);
|
||||
}
|
||||
|
||||
private MBeanServerConnection getJmxServerConnection(JmxInfinispanChannelStatistics annotation) throws MalformedURLException, IOException {
|
||||
final String host;
|
||||
final int port;
|
||||
|
||||
if (annotation.dc() != DC.UNDEFINED && annotation.dcNodeIndex() != -1) {
|
||||
ContainerInfo node = suiteContext.get().getAuthServerBackendsInfo(annotation.dc().getDcIndex()).get(annotation.dcNodeIndex());
|
||||
Container container = node.getArquillianContainer();
|
||||
if (container.getDeployableContainer() instanceof KeycloakOnUndertow) {
|
||||
return ManagementFactory.getPlatformMBeanServer();
|
||||
}
|
||||
host = "localhost";
|
||||
port = container.getContainerConfiguration().getContainerProperties().containsKey("managementPort")
|
||||
? Integer.valueOf(container.getContainerConfiguration().getContainerProperties().get("managementPort"))
|
||||
: 9990;
|
||||
} else {
|
||||
host = annotation.host().isEmpty()
|
||||
? System.getProperty((annotation.hostProperty().isEmpty()
|
||||
? "keycloak.connectionsInfinispan.remoteStoreServer"
|
||||
: annotation.hostProperty()))
|
||||
: annotation.host();
|
||||
|
||||
port = annotation.managementPort() == -1
|
||||
? Integer.valueOf(System.getProperty((annotation.managementPortProperty().isEmpty()
|
||||
? "cache.server.management.port"
|
||||
: annotation.managementPortProperty())))
|
||||
: annotation.managementPort();
|
||||
}
|
||||
|
||||
String jmxUrl = "service:jmx:remote+http://" + host + ":" + port;
|
||||
LOG.infof("JMX Service URL: %s", jmxUrl);
|
||||
|
||||
JMXServiceURL url = new JMXServiceURL(jmxUrl);
|
||||
JMXConnector jmxc = jmxConnectorRegistry.get().getConnection(url);
|
||||
|
||||
return jmxc.getMBeanServerConnection();
|
||||
};
|
||||
}
|
||||
|
||||
private static abstract class CacheStatisticsImpl implements InfinispanStatistics {
|
||||
|
||||
protected final MBeanServerConnection mbsc;
|
||||
private final Supplier<MBeanServerConnection> mbscCreateor;
|
||||
private final ObjectName mbeanNameTemplate;
|
||||
private ObjectName mbeanName;
|
||||
|
||||
public CacheStatisticsImpl(MBeanServerConnection mbsc, ObjectName mbeanNameTemplate) {
|
||||
this.mbsc = mbsc;
|
||||
public CacheStatisticsImpl(Supplier<MBeanServerConnection> mbscCreateor, ObjectName mbeanNameTemplate) {
|
||||
this.mbscCreateor = mbscCreateor;
|
||||
this.mbeanNameTemplate = mbeanNameTemplate;
|
||||
}
|
||||
|
||||
protected MBeanServerConnection getConnection() {
|
||||
return mbscCreateor.get();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean exists() {
|
||||
try {
|
||||
getMbeanName();
|
||||
return true;
|
||||
} catch (Exception ex) {
|
||||
} catch (IOException | RuntimeException ex) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
@ -262,13 +276,13 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
@Override
|
||||
public Map<String, Object> getStatistics() {
|
||||
try {
|
||||
MBeanInfo mBeanInfo = mbsc.getMBeanInfo(getMbeanName());
|
||||
MBeanInfo mBeanInfo = getConnection().getMBeanInfo(getMbeanName());
|
||||
String[] statAttrs = Arrays.asList(mBeanInfo.getAttributes()).stream()
|
||||
.filter(MBeanAttributeInfo::isReadable)
|
||||
.map(MBeanAttributeInfo::getName)
|
||||
.collect(Collectors.toList())
|
||||
.toArray(new String[] {});
|
||||
return mbsc.getAttributes(getMbeanName(), statAttrs)
|
||||
return getConnection().getAttributes(getMbeanName(), statAttrs)
|
||||
.asList()
|
||||
.stream()
|
||||
.collect(Collectors.toMap(Attribute::getName, Attribute::getValue));
|
||||
|
@ -279,7 +293,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
|
||||
protected ObjectName getMbeanName() throws IOException, RuntimeException {
|
||||
if (this.mbeanName == null) {
|
||||
Set<ObjectName> queryNames = mbsc.queryNames(mbeanNameTemplate, null);
|
||||
Set<ObjectName> queryNames = getConnection().queryNames(mbeanNameTemplate, null);
|
||||
if (queryNames.isEmpty()) {
|
||||
throw new RuntimeException("No MBean of template " + mbeanNameTemplate + " found at JMX server");
|
||||
}
|
||||
|
@ -292,7 +306,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
@Override
|
||||
public Comparable getSingleStatistics(String statisticsName) {
|
||||
try {
|
||||
return (Comparable) mbsc.getAttribute(getMbeanName(), statisticsName);
|
||||
return (Comparable) getConnection().getAttribute(getMbeanName(), statisticsName);
|
||||
} catch (IOException | InstanceNotFoundException | MBeanException | ReflectionException | AttributeNotFoundException ex) {
|
||||
throw new RuntimeException(ex);
|
||||
}
|
||||
|
@ -305,7 +319,7 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
try {
|
||||
getMbeanName();
|
||||
if (! isAvailable()) throw new RuntimeException("Not available");
|
||||
} catch (Exception ex) {
|
||||
} catch (IOException | RuntimeException ex) {
|
||||
throw new RuntimeException("Timed out while waiting for " + mbeanNameTemplate + " to become available", ex);
|
||||
}
|
||||
}, 1 + (int) timeInMillis / 100, 100);
|
||||
|
@ -316,14 +330,14 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
|
||||
private static class InfinispanCacheStatisticsImpl extends CacheStatisticsImpl {
|
||||
|
||||
public InfinispanCacheStatisticsImpl(MBeanServerConnection mbsc, ObjectName mbeanName) {
|
||||
super(mbsc, mbeanName);
|
||||
public InfinispanCacheStatisticsImpl(Supplier<MBeanServerConnection> mbscCreator, ObjectName mbeanName) {
|
||||
super(mbscCreator, mbeanName);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void reset() {
|
||||
try {
|
||||
mbsc.invoke(getMbeanName(), "resetStatistics", new Object[] {}, new String[] {});
|
||||
getConnection().invoke(getMbeanName(), "resetStatistics", new Object[] {}, new String[] {});
|
||||
} catch (IOException | InstanceNotFoundException | MBeanException | ReflectionException ex) {
|
||||
throw new RuntimeException(ex);
|
||||
}
|
||||
|
@ -337,14 +351,14 @@ public class CacheStatisticsControllerEnricher implements TestEnricher {
|
|||
|
||||
private static class InfinispanChannelStatisticsImpl extends CacheStatisticsImpl {
|
||||
|
||||
public InfinispanChannelStatisticsImpl(MBeanServerConnection mbsc, ObjectName mbeanName) {
|
||||
super(mbsc, mbeanName);
|
||||
public InfinispanChannelStatisticsImpl(Supplier<MBeanServerConnection> mbscCreator, ObjectName mbeanName) {
|
||||
super(mbscCreator, mbeanName);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void reset() {
|
||||
try {
|
||||
mbsc.invoke(getMbeanName(), "resetStats", new Object[] {}, new String[] {});
|
||||
getConnection().invoke(getMbeanName(), "resetStats", new Object[] {}, new String[] {});
|
||||
} catch (NotSerializableException ex) {
|
||||
// Ignore return value not serializable, the invocation has already done its job
|
||||
} catch (IOException | InstanceNotFoundException | MBeanException | ReflectionException ex) {
|
||||
|
|
|
@ -22,6 +22,7 @@ import org.jboss.arquillian.container.spi.client.deployment.TargetDescription;
|
|||
import org.jboss.arquillian.container.test.impl.client.deployment.AnnotationDeploymentScenarioGenerator;
|
||||
import org.jboss.arquillian.test.spi.TestClass;
|
||||
import org.jboss.logging.Logger;
|
||||
import org.keycloak.common.util.StringPropertyReplacer;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
|
@ -73,12 +74,23 @@ public class DeploymentTargetModifier extends AnnotationDeploymentScenarioGenera
|
|||
if (deployment.getTarget() != null) {
|
||||
String containerQualifier = deployment.getTarget().getName();
|
||||
if (AUTH_SERVER_CURRENT.equals(containerQualifier)) {
|
||||
String authServerQualifier = AuthServerTestEnricher.AUTH_SERVER_CONTAINER;
|
||||
log.infof("Setting target container for deployment %s.%s: %s", testClass.getName(), deployment.getName(), authServerQualifier);
|
||||
deployment.setTarget(new TargetDescription(authServerQualifier));
|
||||
String newAuthServerQualifier = AuthServerTestEnricher.AUTH_SERVER_CONTAINER;
|
||||
updateAuthServerQualifier(deployment, testClass, newAuthServerQualifier);
|
||||
} else {
|
||||
String newAuthServerQualifier = StringPropertyReplacer.replaceProperties(containerQualifier);
|
||||
if (!newAuthServerQualifier.equals(containerQualifier)) {
|
||||
updateAuthServerQualifier(deployment, testClass, newAuthServerQualifier);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private void updateAuthServerQualifier(DeploymentDescription deployment, TestClass testClass, String newAuthServerQualifier) {
|
||||
log.infof("Setting target container for deployment %s.%s: %s", testClass.getName(), deployment.getName(), newAuthServerQualifier);
|
||||
deployment.setTarget(new TargetDescription(newAuthServerQualifier));
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -27,6 +27,7 @@ import org.jboss.arquillian.core.api.annotation.ApplicationScoped;
|
|||
import org.jboss.arquillian.core.api.annotation.Inject;
|
||||
import org.jboss.arquillian.core.api.annotation.Observes;
|
||||
import org.jboss.arquillian.test.spi.event.suite.BeforeSuite;
|
||||
import org.jboss.logging.Logger;
|
||||
|
||||
/**
|
||||
*
|
||||
|
@ -34,6 +35,8 @@ import org.jboss.arquillian.test.spi.event.suite.BeforeSuite;
|
|||
*/
|
||||
public class JmxConnectorRegistryCreator {
|
||||
|
||||
private final Logger log = Logger.getLogger(JmxConnectorRegistryCreator.class);
|
||||
|
||||
@Inject
|
||||
@ApplicationScoped
|
||||
private InstanceProducer<JmxConnectorRegistry> connectorRegistry;
|
||||
|
@ -46,6 +49,7 @@ public class JmxConnectorRegistryCreator {
|
|||
|
||||
@Override
|
||||
public JMXConnector getConnection(JMXServiceURL url) {
|
||||
|
||||
JMXConnector res = connectors.get(url);
|
||||
if (res == null) {
|
||||
try {
|
||||
|
@ -55,7 +59,10 @@ public class JmxConnectorRegistryCreator {
|
|||
res = conn;
|
||||
}
|
||||
res.connect();
|
||||
log.infof("Connected to JMX Service URL: %s", url);
|
||||
} catch (IOException ex) {
|
||||
//remove conn from connectors in case something goes wrong. The connection will be established on-demand
|
||||
connectors.remove(url, res);
|
||||
throw new RuntimeException("Could not instantiate JMX connector for " + url, ex);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -90,14 +90,14 @@ public class KeycloakTestingClient {
|
|||
|
||||
public <T> T fetch(FetchOnServer function, Class<T> clazz) throws RunOnServerException {
|
||||
try {
|
||||
String s = fetch(function);
|
||||
String s = fetchString(function);
|
||||
return JsonSerialization.readValue(s, clazz);
|
||||
} catch (Exception e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
public String fetch(FetchOnServer function) throws RunOnServerException {
|
||||
public String fetchString(FetchOnServer function) throws RunOnServerException {
|
||||
String encoded = SerializationUtil.encode(function);
|
||||
|
||||
String result = testing(realm != null ? realm : "master").runOnServer(encoded);
|
||||
|
|
|
@ -17,6 +17,7 @@
|
|||
|
||||
package org.keycloak.testsuite.pages.social;
|
||||
|
||||
import org.openqa.selenium.NoSuchElementException;
|
||||
import org.openqa.selenium.WebElement;
|
||||
import org.openqa.selenium.support.FindBy;
|
||||
|
||||
|
@ -35,9 +36,15 @@ public class TwitterLoginPage extends AbstractSocialLoginPage {
|
|||
|
||||
@Override
|
||||
public void login(String user, String password) {
|
||||
try {
|
||||
usernameInput.clear();
|
||||
usernameInput.sendKeys(user);
|
||||
passwordInput.sendKeys(password);
|
||||
}
|
||||
catch (NoSuchElementException e) { // at some conditions we are already logged in and just need to confirm it
|
||||
}
|
||||
finally {
|
||||
loginButton.click();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -20,11 +20,33 @@ package org.keycloak.testsuite.util;
|
|||
import org.jboss.arquillian.graphene.context.GrapheneContext;
|
||||
import org.openqa.selenium.WebDriver;
|
||||
|
||||
import java.util.LinkedList;
|
||||
import java.util.Queue;
|
||||
import java.util.Stack;
|
||||
|
||||
/**
|
||||
* @author Vaclav Muzikar <vmuzikar@redhat.com>
|
||||
*/
|
||||
public final class DroneUtils {
|
||||
private static Queue<WebDriver> driverQueue = new LinkedList<>();
|
||||
|
||||
public static WebDriver getCurrentDriver() {
|
||||
if (driverQueue.isEmpty()) {
|
||||
return GrapheneContext.lastContext().getWebDriver();
|
||||
}
|
||||
|
||||
return driverQueue.peek();
|
||||
}
|
||||
|
||||
public static void addWebDriver(WebDriver driver) {
|
||||
driverQueue.add(driver);
|
||||
}
|
||||
|
||||
public static void removeWebDriver() {
|
||||
driverQueue.poll();
|
||||
}
|
||||
|
||||
public static void resetQueue() {
|
||||
driverQueue = new LinkedList<>();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -64,6 +64,7 @@ import org.keycloak.testsuite.auth.page.login.OIDCLogin;
|
|||
import org.keycloak.testsuite.auth.page.login.UpdatePassword;
|
||||
import org.keycloak.testsuite.client.KeycloakTestingClient;
|
||||
import org.keycloak.testsuite.util.AdminClientUtil;
|
||||
import org.keycloak.testsuite.util.DroneUtils;
|
||||
import org.keycloak.testsuite.util.OAuthClient;
|
||||
import org.keycloak.testsuite.util.TestCleanup;
|
||||
import org.keycloak.testsuite.util.TestEventsLogger;
|
||||
|
@ -213,6 +214,9 @@ public abstract class AbstractKeycloakTest {
|
|||
}
|
||||
testContext.getCleanups().clear();
|
||||
}
|
||||
|
||||
// Remove all browsers from queue
|
||||
DroneUtils.resetQueue();
|
||||
}
|
||||
|
||||
protected TestCleanup getCleanup(String realmName) {
|
||||
|
|
|
@ -207,6 +207,17 @@ public class AccountFormServiceTest extends AbstractTestRealmKeycloakTest {
|
|||
events.clear();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void referrerEscaped() {
|
||||
profilePage.open();
|
||||
loginPage.login("test-user@localhost", "password");
|
||||
|
||||
driver.navigate().to(profilePage.getPath() + "?referrer=test-app&referrer_uri=http://localhost:8180/auth/realms/master/app/auth/test%2Ffkrenu%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E");
|
||||
Assert.assertTrue(profilePage.isCurrent());
|
||||
|
||||
Assert.assertFalse(driver.getPageSource().contains("<script>alert"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void changePassword() {
|
||||
changePasswordPage.open();
|
||||
|
|
|
@ -78,7 +78,7 @@ public abstract class AbstractFuseAdminAdapterTest extends AbstractExampleAdapte
|
|||
assertCurrentUrlDoesntStartWith(hawtioPage);
|
||||
|
||||
testRealmLoginPage.form().login("root", "password");
|
||||
assertCurrentUrlStartsWith(hawtioPage.getDriver(), hawtioPage.toString() + "/welcome");
|
||||
assertCurrentUrlStartsWith(hawtioPage.toString() + "/welcome", hawtioPage.getDriver());
|
||||
hawtioPage.logout();
|
||||
assertCurrentUrlStartsWith(testRealmLoginPage);
|
||||
|
||||
|
|
|
@ -41,7 +41,7 @@ public abstract class AbstractHawtioAdapterTest extends AbstractExampleAdapterTe
|
|||
testRealmLoginPage.form().login("root", "password");
|
||||
|
||||
waitUntilElement(By.xpath("//body")).is().present();
|
||||
assertCurrentUrlStartsWith(hawtioPage.getDriver(), hawtioPage.toString() + "/welcome");
|
||||
assertCurrentUrlStartsWith(hawtioPage.toString() + "/welcome", hawtioPage.getDriver());
|
||||
|
||||
hawtioPage.logout();
|
||||
pause(1000);
|
||||
|
|
|
@ -194,7 +194,7 @@ public abstract class AbstractDemoServletsAdapterTest extends AbstractServletsAd
|
|||
|
||||
assertCurrentUrlStartsWithLoginUrlOf(testRealmPage);
|
||||
testRealmLoginPage.form().login("bburke@redhat.com", "password");
|
||||
assertCurrentUrlEquals(driver, inputPortal + "/secured/post");
|
||||
assertCurrentUrlEquals(inputPortal + "/secured/post");
|
||||
waitForPageToLoad();
|
||||
String pageSource = driver.getPageSource();
|
||||
assertThat(pageSource, containsString("parameter=hello"));
|
||||
|
|
|
@ -127,7 +127,7 @@ public abstract class AbstractOIDCPublicKeyRotationAdapterTest extends AbstractS
|
|||
testRealmLoginPage.form().waitForUsernameInputPresent();
|
||||
assertCurrentUrlStartsWithLoginUrlOf(testRealmPage);
|
||||
testRealmLoginPage.form().login("bburke@redhat.com", "password");
|
||||
URLAssert.assertCurrentUrlStartsWith(driver, tokenMinTTLPage.getInjectedUrl().toString());
|
||||
URLAssert.assertCurrentUrlStartsWith(tokenMinTTLPage.getInjectedUrl().toString());
|
||||
Assert.assertNull(tokenMinTTLPage.getAccessToken());
|
||||
|
||||
driver.navigate().to(logoutUri);
|
||||
|
|
|
@ -37,9 +37,8 @@ import org.keycloak.testsuite.util.SecondBrowser;
|
|||
import org.openqa.selenium.By;
|
||||
import org.openqa.selenium.WebDriver;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNotNull;
|
||||
import static org.junit.Assert.assertTrue;
|
||||
import static org.hamcrest.CoreMatchers.containsString;
|
||||
import static org.junit.Assert.*;
|
||||
import static org.keycloak.testsuite.auth.page.AuthRealm.DEMO;
|
||||
import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlEquals;
|
||||
import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWithLoginUrlOf;
|
||||
|
@ -84,13 +83,13 @@ public abstract class AbstractSessionServletAdapterTest extends AbstractServlets
|
|||
|
||||
// cannot pass to loginAndCheckSession becayse loginPage is not working together with driver2, therefore copypasta
|
||||
driver2.navigate().to(sessionPortalPage.toString());
|
||||
assertCurrentUrlStartsWithLoginUrlOf(driver2, testRealmPage);
|
||||
assertCurrentUrlStartsWithLoginUrlOf(testRealmPage, driver2);
|
||||
driver2.findElement(By.id("username")).sendKeys("bburke@redhat.com");
|
||||
driver2.findElement(By.id("password")).sendKeys("password");
|
||||
driver2.findElement(By.id("password")).submit();
|
||||
assertCurrentUrlEquals(driver2, sessionPortalPage);
|
||||
assertCurrentUrlEquals(sessionPortalPage, driver2);
|
||||
String pageSource = driver2.getPageSource();
|
||||
assertTrue(pageSource.contains("Counter=1"));
|
||||
assertThat(pageSource, containsString("Counter=1"));
|
||||
// Counter increased now
|
||||
driver2.navigate().to(sessionPortalPage.toString());
|
||||
pageSource = driver2.getPageSource();
|
||||
|
@ -108,12 +107,12 @@ public abstract class AbstractSessionServletAdapterTest extends AbstractServlets
|
|||
|
||||
// Assert that I am still logged in browser2 and same session is still preserved
|
||||
driver2.navigate().to(sessionPortalPage.toString());
|
||||
assertCurrentUrlEquals(driver2, sessionPortalPage);
|
||||
assertCurrentUrlEquals(sessionPortalPage, driver2);
|
||||
pageSource = driver2.getPageSource();
|
||||
assertTrue(pageSource.contains("Counter=3"));
|
||||
assertThat(pageSource, containsString("Counter=3"));
|
||||
|
||||
driver2.navigate().to(logoutUri);
|
||||
assertCurrentUrlStartsWithLoginUrlOf(driver2, testRealmPage);
|
||||
assertCurrentUrlStartsWithLoginUrlOf(testRealmPage, driver2);
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -35,6 +35,7 @@ import java.util.Map;
|
|||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.fail;
|
||||
import static org.keycloak.representations.idm.ComponentRepresentation.SECRET_VALUE;
|
||||
import static org.keycloak.util.JsonSerialization.writeValueAsPrettyString;
|
||||
|
||||
/**
|
||||
|
@ -60,6 +61,11 @@ public class SMTPConnectionTest extends AbstractKeycloakTest {
|
|||
|
||||
private String settings(String host, String port, String from, String auth, String ssl, String starttls,
|
||||
String username, String password) throws Exception {
|
||||
Map<String, String> config = smtpMap(host, port, from, auth, ssl, starttls, username, password);
|
||||
return writeValueAsPrettyString(config);
|
||||
}
|
||||
|
||||
private Map<String, String> smtpMap(String host, String port, String from, String auth, String ssl, String starttls, String username, String password) {
|
||||
Map<String, String> config = new HashMap<>();
|
||||
config.put("host", host);
|
||||
config.put("port", port);
|
||||
|
@ -69,7 +75,7 @@ public class SMTPConnectionTest extends AbstractKeycloakTest {
|
|||
config.put("starttls", starttls);
|
||||
config.put("user", username);
|
||||
config.put("password", password);
|
||||
return writeValueAsPrettyString(config);
|
||||
return config;
|
||||
}
|
||||
|
||||
@Test
|
||||
|
@ -102,6 +108,26 @@ public class SMTPConnectionTest extends AbstractKeycloakTest {
|
|||
assertStatus(response, 204);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAuthEnabledAndSavedCredentials() throws Exception {
|
||||
RealmRepresentation realmRep = realm.toRepresentation();
|
||||
Map<String, String> oldSmtp = realmRep.getSmtpServer();
|
||||
try {
|
||||
realmRep.setSmtpServer(smtpMap("127.0.0.1", "3025", "auto@keycloak.org", "true", null, null,
|
||||
"admin@localhost", "admin"));
|
||||
realm.update(realmRep);
|
||||
|
||||
greenMailRule.credentials("admin@localhost", "admin");
|
||||
Response response = realm.testSMTPConnection(settings("127.0.0.1", "3025", "auto@keycloak.org", "true", null, null,
|
||||
"admin@localhost", SECRET_VALUE));
|
||||
assertStatus(response, 204);
|
||||
} finally {
|
||||
// Revert SMTP back
|
||||
realmRep.setSmtpServer(oldSmtp);
|
||||
realm.update(realmRep);
|
||||
}
|
||||
}
|
||||
|
||||
private void assertStatus(Response response, int status) {
|
||||
assertEquals(status, response.getStatus());
|
||||
response.close();
|
||||
|
|
|
@ -21,8 +21,8 @@ import java.io.IOException;
|
|||
import java.io.UnsupportedEncodingException;
|
||||
import java.net.URI;
|
||||
import java.net.URISyntaxException;
|
||||
import java.nio.charset.Charset;
|
||||
import java.util.ArrayList;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import javax.ws.rs.core.Response;
|
||||
|
@ -58,10 +58,12 @@ import java.util.Arrays;
|
|||
import java.util.LinkedHashMap;
|
||||
import java.util.concurrent.atomic.AtomicInteger;
|
||||
import java.util.concurrent.atomic.AtomicReference;
|
||||
import java.util.stream.Collectors;
|
||||
import org.apache.http.client.CookieStore;
|
||||
import org.apache.http.impl.client.BasicCookieStore;
|
||||
import org.hamcrest.Matchers;
|
||||
|
||||
import static org.hamcrest.Matchers.containsString;
|
||||
|
||||
|
||||
/**
|
||||
|
@ -126,8 +128,7 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
|
|||
CookieStore cookieStore = new BasicCookieStore();
|
||||
context.setCookieStore(cookieStore);
|
||||
HttpUriRequest request = handleLogin(getPageContent(oauth.getLoginFormUrl(), httpClient, context), userName, password);
|
||||
log.debug("Executing login request");
|
||||
Assert.assertTrue(parseAndCloseResponse(httpClient.execute(request, context)).contains("<title>AUTH_RESPONSE</title>"));
|
||||
Assert.assertThat(parseAndCloseResponse(httpClient.execute(request, context)), containsString("<title>AUTH_RESPONSE</title>"));
|
||||
return context;
|
||||
}
|
||||
|
||||
|
@ -306,12 +307,8 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
|
|||
}
|
||||
|
||||
private static Map<String, String> getQueryFromUrl(String url) throws URISyntaxException {
|
||||
Map<String, String> m = new HashMap<>();
|
||||
List<NameValuePair> pairs = URLEncodedUtils.parse(new URI(url), "UTF-8");
|
||||
for (NameValuePair p : pairs) {
|
||||
m.put(p.getName(), p.getValue());
|
||||
}
|
||||
return m;
|
||||
return URLEncodedUtils.parse(new URI(url), Charset.forName("UTF-8")).stream()
|
||||
.collect(Collectors.toMap(p -> p.getName(), p -> p.getValue()));
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -95,8 +95,10 @@ public abstract class AbstractAdminCrossDCTest extends AbstractCrossDCTest {
|
|||
T newStat = (T) stats.getSingleStatistics(key);
|
||||
|
||||
Matcher<? super T> matcherInstance = matcherOnOldStat.apply(oldStat);
|
||||
|
||||
log.infof("assertSingleStatistics '%s' : oldStat: %s, newStat: %s", key, oldStat.toString(), newStat.toString());
|
||||
assertThat(newStat, matcherInstance);
|
||||
}, 20, 200);
|
||||
}, 50, 200);
|
||||
}
|
||||
|
||||
protected void assertStatistics(InfinispanStatistics stats, Runnable testedCode, BiConsumer<Map<String, Object>, Map<String, Object>> assertionOnStats) {
|
||||
|
@ -108,7 +110,7 @@ public abstract class AbstractAdminCrossDCTest extends AbstractCrossDCTest {
|
|||
Retry.execute(() -> {
|
||||
Map<String, Object> newStat = stats.getStatistics();
|
||||
assertionOnStats.accept(oldStat, newStat);
|
||||
}, 5, 200);
|
||||
}, 50, 200);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -50,6 +50,8 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
|
|||
|
||||
// Keep the following constants in sync with arquillian
|
||||
public static final String QUALIFIER_NODE_BALANCER = "auth-server-balancer-cross-dc";
|
||||
public static final String QUALIFIER_AUTH_SERVER_DC_0_NODE_1 = "auth-server-${node.name}-cross-dc-0_1";
|
||||
public static final String QUALIFIER_AUTH_SERVER_DC_1_NODE_1 = "auth-server-${node.name}-cross-dc-1_1";
|
||||
|
||||
@ArquillianResource
|
||||
@LoadBalancer(value = QUALIFIER_NODE_BALANCER)
|
||||
|
@ -208,17 +210,19 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
|
|||
|
||||
/**
|
||||
* Disables routing requests to the given data center in the load balancer.
|
||||
* @param dcIndex
|
||||
* @param dc
|
||||
*/
|
||||
public void disableDcOnLoadBalancer(DC dc) {
|
||||
int dcIndex = dc.ordinal();
|
||||
log.infof("Disabling load balancer for dc=%d", dcIndex);
|
||||
this.suiteContext.getDcAuthServerBackendsInfo().get(dcIndex).forEach(c -> loadBalancerCtrl.disableBackendNodeByName(c.getQualifier()));
|
||||
this.suiteContext.getDcAuthServerBackendsInfo().get(dcIndex).forEach(containerInfo -> {
|
||||
loadBalancerCtrl.disableBackendNodeByName(containerInfo.getQualifier());
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Enables routing requests to all started nodes to the given data center in the load balancer.
|
||||
* @param dcIndex
|
||||
* @param dc
|
||||
*/
|
||||
public void enableDcOnLoadBalancer(DC dc) {
|
||||
int dcIndex = dc.ordinal();
|
||||
|
@ -229,13 +233,15 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
|
|||
} else {
|
||||
dcNodes.stream()
|
||||
.filter(ContainerInfo::isStarted)
|
||||
.forEach(c -> loadBalancerCtrl.enableBackendNodeByName(c.getQualifier()));
|
||||
.forEach(containerInfo -> {
|
||||
loadBalancerCtrl.enableBackendNodeByName(containerInfo.getQualifier());
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Disables routing requests to the given node within the given data center in the load balancer.
|
||||
* @param dcIndex
|
||||
* @param dc
|
||||
* @param nodeIndex
|
||||
*/
|
||||
public void disableLoadBalancerNode(DC dc, int nodeIndex) {
|
||||
|
@ -246,7 +252,7 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
|
|||
|
||||
/**
|
||||
* Enables routing requests to the given node within the given data center in the load balancer.
|
||||
* @param dcIndex
|
||||
* @param dc
|
||||
* @param nodeIndex
|
||||
*/
|
||||
public void enableLoadBalancerNode(DC dc, int nodeIndex) {
|
||||
|
@ -264,7 +270,7 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
|
|||
|
||||
/**
|
||||
* Starts a manually-controlled backend auth-server node in cross-DC scenario.
|
||||
* @param dcIndex
|
||||
* @param dc
|
||||
* @param nodeIndex
|
||||
* @return Started instance descriptor.
|
||||
*/
|
||||
|
@ -275,6 +281,8 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
|
|||
assertThat((Integer) nodeIndex, lessThan(dcNodes.size()));
|
||||
ContainerInfo dcNode = dcNodes.get(nodeIndex);
|
||||
assertTrue("Node " + dcNode.getQualifier() + " has to be controlled manually", dcNode.isManual());
|
||||
|
||||
log.infof("Starting backend node: %s (dcIndex: %d, nodeIndex: %d)", dcNode.getQualifier(), dcIndex, nodeIndex);
|
||||
containerController.start(dcNode.getQualifier());
|
||||
|
||||
createRESTClientsForNode(dcNode);
|
||||
|
@ -284,7 +292,7 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
|
|||
|
||||
/**
|
||||
* Stops a manually-controlled backend auth-server node in cross-DC scenario.
|
||||
* @param dcIndex
|
||||
* @param dc
|
||||
* @param nodeIndex
|
||||
* @return Stopped instance descriptor.
|
||||
*/
|
||||
|
@ -298,13 +306,15 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
|
|||
removeRESTClientsForNode(dcNode);
|
||||
|
||||
assertTrue("Node " + dcNode.getQualifier() + " has to be controlled manually", dcNode.isManual());
|
||||
|
||||
log.infof("Stopping backend node: %s (dcIndex: %d, nodeIndex: %d)", dcNode.getQualifier(), dcIndex, nodeIndex);
|
||||
containerController.stop(dcNode.getQualifier());
|
||||
return dcNode;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns stream of all nodes in the given dc that are started manually.
|
||||
* @param dcIndex
|
||||
* @param dc
|
||||
* @return
|
||||
*/
|
||||
public Stream<ContainerInfo> getManuallyStartedBackendNodes(DC dc) {
|
||||
|
@ -315,7 +325,7 @@ public abstract class AbstractCrossDCTest extends AbstractTestRealmKeycloakTest
|
|||
|
||||
/**
|
||||
* Returns stream of all nodes in the given dc that are started automatically.
|
||||
* @param dcIndex
|
||||
* @param dc
|
||||
* @return
|
||||
*/
|
||||
public Stream<ContainerInfo> getAutomaticallyStartedBackendNodes(DC dc) {
|
||||
|
|
|
@ -42,6 +42,8 @@ import org.keycloak.testsuite.arquillian.annotation.JmxInfinispanChannelStatisti
|
|||
import org.keycloak.testsuite.arquillian.InfinispanStatistics;
|
||||
import org.keycloak.testsuite.arquillian.InfinispanStatistics.Constants;
|
||||
import org.keycloak.testsuite.pages.ProceedPage;
|
||||
|
||||
import java.util.Map;
|
||||
import java.util.concurrent.TimeUnit;
|
||||
import org.hamcrest.Matchers;
|
||||
import static org.hamcrest.Matchers.greaterThan;
|
||||
|
@ -104,8 +106,6 @@ public class ActionTokenCrossDCTest extends AbstractAdminCrossDCTest {
|
|||
|
||||
String link = MailUtils.getPasswordResetEmailLink(message);
|
||||
|
||||
Retry.execute(() -> channelStatisticsCrossDc.reset(), 3, 100);
|
||||
|
||||
assertSingleStatistics(cacheDc0Node0Statistics, Constants.STAT_CACHE_NUMBER_OF_ENTRIES,
|
||||
() -> driver.navigate().to(link),
|
||||
Matchers::is
|
||||
|
@ -115,10 +115,21 @@ public class ActionTokenCrossDCTest extends AbstractAdminCrossDCTest {
|
|||
proceedPage.clickProceedLink();
|
||||
passwordUpdatePage.assertCurrent();
|
||||
|
||||
// Verify that there was at least one message sent via the channel
|
||||
assertSingleStatistics(channelStatisticsCrossDc, Constants.STAT_CHANNEL_SENT_MESSAGES,
|
||||
() -> passwordUpdatePage.changePassword("new-pass", "new-pass"),
|
||||
old -> greaterThan((Comparable) 0l)
|
||||
// Verify that there was at least one message sent via the channel - Even if we did the change on DC0, the message may be sent either from DC0 or DC1. Seems it depends on the actionTokens key ownership.
|
||||
// In case that it was sent from DC1, we will receive it in DC0.
|
||||
assertStatistics(channelStatisticsCrossDc,
|
||||
() -> {
|
||||
passwordUpdatePage.changePassword("new-pass", "new-pass");
|
||||
},
|
||||
(Map<String, Object> oldStats, Map<String, Object> newStats) -> {
|
||||
int oldSent = ((Number) oldStats.get(Constants.STAT_CHANNEL_SENT_MESSAGES)).intValue();
|
||||
int newSent = ((Number) newStats.get(Constants.STAT_CHANNEL_SENT_MESSAGES)).intValue();
|
||||
int oldReceived = ((Number) oldStats.get(Constants.STAT_CHANNEL_RECEIVED_MESSAGES)).intValue();
|
||||
int newReceived = ((Number) newStats.get(Constants.STAT_CHANNEL_RECEIVED_MESSAGES)).intValue();
|
||||
|
||||
log.infof("oldSent: %d, newSent: %d, oldReceived: %d, newReceived: %d", oldSent, newSent, oldReceived, newReceived);
|
||||
Assert.assertTrue(newSent - oldSent > 0 || newReceived - oldReceived > 0);
|
||||
}
|
||||
);
|
||||
|
||||
assertEquals("Your account has been updated.", driver.getTitle());
|
||||
|
|
|
@ -21,6 +21,9 @@ import java.io.IOException;
|
|||
import java.net.URISyntaxException;
|
||||
|
||||
import javax.ws.rs.NotFoundException;
|
||||
import org.jboss.arquillian.container.test.api.Deployment;
|
||||
import org.jboss.arquillian.container.test.api.TargetsContainer;
|
||||
import org.jboss.shrinkwrap.api.spec.WebArchive;
|
||||
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
|
@ -31,9 +34,11 @@ import org.keycloak.models.UserLoginFailureModel;
|
|||
import org.keycloak.representations.idm.ClientRepresentation;
|
||||
import org.keycloak.representations.idm.RealmRepresentation;
|
||||
import org.keycloak.representations.idm.UserRepresentation;
|
||||
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
|
||||
import org.keycloak.testsuite.Assert;
|
||||
import org.keycloak.testsuite.Retry;
|
||||
import org.keycloak.testsuite.client.KeycloakTestingClient;
|
||||
import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
|
||||
import org.keycloak.testsuite.util.ClientBuilder;
|
||||
import org.keycloak.testsuite.util.OAuthClient;
|
||||
import org.keycloak.testsuite.util.RealmBuilder;
|
||||
|
@ -46,6 +51,30 @@ public class BruteForceCrossDCTest extends AbstractAdminCrossDCTest {
|
|||
|
||||
private static final String REALM_NAME = "brute-force-test";
|
||||
|
||||
@Deployment(name = "dc0")
|
||||
@TargetsContainer(QUALIFIER_AUTH_SERVER_DC_0_NODE_1)
|
||||
public static WebArchive deployDC0() {
|
||||
return RunOnServerDeployment.create(
|
||||
BruteForceCrossDCTest.class,
|
||||
AbstractAdminCrossDCTest.class,
|
||||
AbstractCrossDCTest.class,
|
||||
AbstractTestRealmKeycloakTest.class,
|
||||
KeycloakTestingClient.class
|
||||
);
|
||||
}
|
||||
|
||||
@Deployment(name = "dc1")
|
||||
@TargetsContainer(QUALIFIER_AUTH_SERVER_DC_1_NODE_1)
|
||||
public static WebArchive deployDC1() {
|
||||
return RunOnServerDeployment.create(
|
||||
BruteForceCrossDCTest.class,
|
||||
AbstractAdminCrossDCTest.class,
|
||||
AbstractCrossDCTest.class,
|
||||
AbstractTestRealmKeycloakTest.class,
|
||||
KeycloakTestingClient.class
|
||||
);
|
||||
}
|
||||
|
||||
@Before
|
||||
public void beforeTest() {
|
||||
try {
|
||||
|
@ -93,7 +122,7 @@ public class BruteForceCrossDCTest extends AbstractAdminCrossDCTest {
|
|||
|
||||
@Test
|
||||
public void testBruteForceWithUserOperations() throws Exception {
|
||||
// Enable 1st DC only
|
||||
// Enable 1st node on each DC only
|
||||
enableDcOnLoadBalancer(DC.FIRST);
|
||||
enableDcOnLoadBalancer(DC.SECOND);
|
||||
|
||||
|
@ -125,7 +154,7 @@ public class BruteForceCrossDCTest extends AbstractAdminCrossDCTest {
|
|||
|
||||
@Test
|
||||
public void testBruteForceWithRealmOperations() throws Exception {
|
||||
// Enable 1st DC only
|
||||
// Enable 1st node on each DC only
|
||||
enableDcOnLoadBalancer(DC.FIRST);
|
||||
enableDcOnLoadBalancer(DC.SECOND);
|
||||
|
||||
|
@ -162,7 +191,7 @@ public class BruteForceCrossDCTest extends AbstractAdminCrossDCTest {
|
|||
|
||||
@Test
|
||||
public void testDuplicatedPutIfAbsentOperation() throws Exception {
|
||||
// Enable 1st DC only
|
||||
// Enable 1st node on each DC only
|
||||
enableDcOnLoadBalancer(DC.FIRST);
|
||||
enableDcOnLoadBalancer(DC.SECOND);
|
||||
|
||||
|
@ -219,7 +248,7 @@ public class BruteForceCrossDCTest extends AbstractAdminCrossDCTest {
|
|||
}
|
||||
|
||||
|
||||
// TODO Having this working on Wildfly might be a challenge. Maybe require @Deployment with @TargetsContainer descriptor generated at runtime as we don't know the container qualifier at compile time... Maybe workaround by add endpoint to TestingResourceProvider if needed..
|
||||
// resolution on Wildfly: make deployment available on both dc0_1 and dc1_1, see @Deployment methods
|
||||
private void addUserLoginFailure(KeycloakTestingClient testingClient) throws URISyntaxException, IOException {
|
||||
testingClient.server().run(session -> {
|
||||
RealmModel realm = session.realms().getRealmByName(REALM_NAME);
|
||||
|
|
|
@ -0,0 +1,216 @@
|
|||
/*
|
||||
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.keycloak.testsuite.crossdc;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.concurrent.atomic.AtomicInteger;
|
||||
|
||||
import javax.ws.rs.core.Response;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.keycloak.admin.client.resource.ClientResource;
|
||||
import org.keycloak.admin.client.resource.ResourcesResource;
|
||||
import org.keycloak.admin.client.resource.UserResource;
|
||||
import org.keycloak.representations.idm.ClientRepresentation;
|
||||
import org.keycloak.representations.idm.RealmRepresentation;
|
||||
import org.keycloak.representations.idm.UserRepresentation;
|
||||
import org.keycloak.representations.idm.authorization.ResourceRepresentation;
|
||||
import org.keycloak.testsuite.Assert;
|
||||
import org.keycloak.testsuite.Retry;
|
||||
import org.keycloak.testsuite.admin.ApiUtil;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||
*/
|
||||
public class InvalidationCrossDCTest extends AbstractAdminCrossDCTest {
|
||||
|
||||
private static final String REALM_NAME = "test";
|
||||
|
||||
@Test
|
||||
public void realmInvalidationTest() throws Exception {
|
||||
enableDcOnLoadBalancer(DC.FIRST);
|
||||
enableDcOnLoadBalancer(DC.SECOND);
|
||||
|
||||
RealmRepresentation realmDc0 = getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME).toRepresentation();
|
||||
RealmRepresentation realmDc1 = getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME).toRepresentation();
|
||||
|
||||
// Test same realm on both DCs
|
||||
Assert.assertNull(realmDc0.getDisplayName());
|
||||
Assert.assertTrue(realmDc0.isRegistrationAllowed());
|
||||
Assert.assertNull(realmDc1.getDisplayName());
|
||||
Assert.assertTrue(realmDc1.isRegistrationAllowed());
|
||||
|
||||
// Update realm on DC0
|
||||
realmDc0.setRegistrationAllowed(false);
|
||||
realmDc0.setDisplayName("Cool Realm!");
|
||||
getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME).update(realmDc0);
|
||||
|
||||
// Assert updated on both DC0 and DC1 (here retry is needed. We need to wait until invalidation message arrives)
|
||||
realmDc0 = getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME).toRepresentation();
|
||||
Assert.assertEquals("Cool Realm!", realmDc0.getDisplayName());
|
||||
Assert.assertFalse(realmDc0.isRegistrationAllowed());
|
||||
|
||||
AtomicInteger i = new AtomicInteger(0);
|
||||
Retry.execute(() -> {
|
||||
i.incrementAndGet();
|
||||
RealmRepresentation realmDcc1 = getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME).toRepresentation();
|
||||
Assert.assertEquals("Cool Realm!", realmDcc1.getDisplayName());
|
||||
Assert.assertFalse(realmDcc1.isRegistrationAllowed());
|
||||
}, 50, 50);
|
||||
|
||||
log.infof("realmInvalidationTest: Passed after '%d' iterations", i.get());
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void clientInvalidationTest() throws Exception {
|
||||
enableDcOnLoadBalancer(DC.FIRST);
|
||||
enableDcOnLoadBalancer(DC.SECOND);
|
||||
|
||||
ClientResource clientResourceDc0 = ApiUtil.findClientByClientId(getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME), "named-test-app");
|
||||
ClientResource clientResourceDc1 = ApiUtil.findClientByClientId(getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME), "named-test-app");
|
||||
ClientRepresentation clientDc0 = clientResourceDc0.toRepresentation();
|
||||
ClientRepresentation clientDc1 = clientResourceDc1.toRepresentation();
|
||||
|
||||
// Test same client on both DCs
|
||||
Assert.assertEquals("My Named Test App", clientDc0.getName());
|
||||
Assert.assertEquals("My Named Test App", clientDc1.getName());
|
||||
|
||||
// Update client on DC0
|
||||
clientDc0.setName("Changed Test App");
|
||||
clientResourceDc0.update(clientDc0);
|
||||
|
||||
// Assert updated on both DC0 and DC1 (here retry is needed. We need to wait until invalidation message arrives)
|
||||
clientDc0 = clientResourceDc0.toRepresentation();
|
||||
Assert.assertEquals("Changed Test App", clientDc0.getName());
|
||||
|
||||
AtomicInteger i = new AtomicInteger(0);
|
||||
Retry.execute(() -> {
|
||||
i.incrementAndGet();
|
||||
ClientRepresentation clientDcc1 = clientResourceDc1.toRepresentation();
|
||||
Assert.assertEquals("Changed Test App", clientDcc1.getName());
|
||||
}, 50, 50);
|
||||
|
||||
log.infof("clientInvalidationTest: Passed after '%d' iterations", i.get());
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void clientListInvalidationTest() throws Exception {
|
||||
enableDcOnLoadBalancer(DC.FIRST);
|
||||
enableDcOnLoadBalancer(DC.SECOND);
|
||||
|
||||
List<ClientRepresentation> dc0List = getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME).clients().findAll();
|
||||
List<ClientRepresentation> dc1List = getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME).clients().findAll();
|
||||
|
||||
|
||||
// Test same clients on both DCs
|
||||
Assert.assertEquals(dc0List.size(), dc1List.size());
|
||||
int initialSize = dc0List.size();
|
||||
|
||||
// Create client on DC0
|
||||
ClientRepresentation rep = new ClientRepresentation();
|
||||
rep.setClientId("some-new-client");
|
||||
rep.setEnabled(true);
|
||||
Response response = getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME).clients().create(rep);
|
||||
Assert.assertEquals(201, response.getStatus());
|
||||
response.close();
|
||||
|
||||
// Assert updated on both DC0 and DC1 (here retry is needed. We need to wait until invalidation message arrives)
|
||||
dc0List = getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME).clients().findAll();
|
||||
Assert.assertEquals(initialSize + 1, dc0List.size());
|
||||
|
||||
AtomicInteger i = new AtomicInteger(0);
|
||||
Retry.execute(() -> {
|
||||
i.incrementAndGet();
|
||||
List<ClientRepresentation> dc1Listt = getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME).clients().findAll();
|
||||
Assert.assertEquals(initialSize + 1, dc1Listt.size());
|
||||
}, 50, 50);
|
||||
|
||||
log.infof("clientListInvalidationTest: Passed after '%d' iterations", i.get());
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void userInvalidationTest() throws Exception {
|
||||
enableDcOnLoadBalancer(DC.FIRST);
|
||||
enableDcOnLoadBalancer(DC.SECOND);
|
||||
|
||||
UserResource userResourceDc0 = ApiUtil.findUserByUsernameId(getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME), "test-user@localhost");
|
||||
UserResource userResourceDc1 = ApiUtil.findUserByUsernameId(getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME), "test-user@localhost");
|
||||
UserRepresentation userDc0 = userResourceDc0.toRepresentation();
|
||||
UserRepresentation userDc1 = userResourceDc1.toRepresentation();
|
||||
|
||||
// Test same user on both DCs
|
||||
Assert.assertEquals("Tom", userDc0.getFirstName());
|
||||
Assert.assertEquals("Tom", userDc1.getFirstName());
|
||||
|
||||
// Update user on DC0
|
||||
userDc0.setFirstName("Brad");
|
||||
userResourceDc0.update(userDc0);
|
||||
|
||||
// Assert updated on both DC0 and DC1 (here retry is needed. We need to wait until invalidation message arrives)
|
||||
userDc0 = userResourceDc0.toRepresentation();
|
||||
Assert.assertEquals("Brad", userDc0.getFirstName());
|
||||
|
||||
AtomicInteger i = new AtomicInteger(0);
|
||||
Retry.execute(() -> {
|
||||
i.incrementAndGet();
|
||||
UserRepresentation userDcc1 = userResourceDc1.toRepresentation();
|
||||
Assert.assertEquals("Brad", userDcc1.getFirstName());
|
||||
}, 50, 50);
|
||||
|
||||
log.infof("userInvalidationTest: Passed after '%d' iterations", i.get());
|
||||
}
|
||||
|
||||
|
||||
@Test
|
||||
public void authzResourceInvalidationTest() throws Exception {
|
||||
enableDcOnLoadBalancer(DC.FIRST);
|
||||
enableDcOnLoadBalancer(DC.SECOND);
|
||||
|
||||
|
||||
ResourcesResource resourcesDc0Resource = ApiUtil.findClientByClientId(getAdminClientForStartedNodeInDc(0).realms().realm(REALM_NAME), "test-app-authz").authorization().resources();
|
||||
ResourcesResource resourcesDc1Resource = ApiUtil.findClientByClientId(getAdminClientForStartedNodeInDc(1).realms().realm(REALM_NAME), "test-app-authz").authorization().resources();
|
||||
ResourceRepresentation resDc0 = resourcesDc0Resource.findByName("Premium Resource").get(0);
|
||||
ResourceRepresentation resDc1 = resourcesDc1Resource.findByName("Premium Resource").get(0);
|
||||
|
||||
// Test same resource on both DCs
|
||||
Assert.assertEquals("/protected/premium/*", resDc0.getUri());
|
||||
Assert.assertEquals("/protected/premium/*", resDc1.getUri());
|
||||
|
||||
// Update resource on DC0
|
||||
resDc0.setUri("/protected/ultra/premium/*");
|
||||
resourcesDc0Resource.resource(resDc0.getId()).update(resDc0);
|
||||
|
||||
// Assert updated on both DC0 and DC1 (here retry is needed. We need to wait until invalidation message arrives)
|
||||
resDc0 = resourcesDc0Resource.findByName("Premium Resource").get(0);
|
||||
Assert.assertEquals("/protected/ultra/premium/*", resDc0.getUri());
|
||||
|
||||
AtomicInteger i = new AtomicInteger(0);
|
||||
Retry.execute(() -> {
|
||||
i.incrementAndGet();
|
||||
ResourceRepresentation ressDc1 = resourcesDc1Resource.findByName("Premium Resource").get(0);
|
||||
Assert.assertEquals("/protected/ultra/premium/*", ressDc1.getUri());
|
||||
}, 50, 50);
|
||||
|
||||
log.infof("authzResourceInvalidationTest: Passed after '%d' iterations", i.get());
|
||||
}
|
||||
|
||||
|
||||
}
|
|
@ -24,6 +24,7 @@ import org.junit.Rule;
|
|||
import org.junit.Test;
|
||||
import org.keycloak.events.Details;
|
||||
import org.keycloak.events.Errors;
|
||||
import org.keycloak.events.EventType;
|
||||
import org.keycloak.models.Constants;
|
||||
import org.keycloak.models.utils.TimeBasedOTP;
|
||||
import org.keycloak.representations.idm.CredentialRepresentation;
|
||||
|
@ -35,6 +36,7 @@ import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
|
|||
import org.keycloak.testsuite.pages.AppPage;
|
||||
import org.keycloak.testsuite.pages.AppPage.RequestType;
|
||||
import org.keycloak.testsuite.pages.LoginPage;
|
||||
import org.keycloak.testsuite.pages.LoginPasswordResetPage;
|
||||
import org.keycloak.testsuite.pages.LoginTotpPage;
|
||||
import org.keycloak.testsuite.pages.RegisterPage;
|
||||
import org.keycloak.testsuite.util.GreenMailRule;
|
||||
|
@ -44,12 +46,16 @@ import org.keycloak.testsuite.util.UserBuilder;
|
|||
|
||||
import java.net.MalformedURLException;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:sthorger@redhat.com">Stian Thorgersen</a>
|
||||
* @author Stan Silvert ssilvert@redhat.com (C) 2016 Red Hat Inc.
|
||||
*/
|
||||
public class BruteForceTest extends AbstractTestRealmKeycloakTest {
|
||||
|
||||
private static String userId;
|
||||
|
||||
@Override
|
||||
public void configureTestRealm(RealmRepresentation testRealm) {
|
||||
UserRepresentation user = RealmRepUtil.findUser(testRealm, "test-user@localhost");
|
||||
|
@ -62,6 +68,8 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
|
|||
testRealm.setBruteForceProtected(true);
|
||||
testRealm.setFailureFactor(2);
|
||||
|
||||
userId = user.getId();
|
||||
|
||||
RealmRepUtil.findClientByClientId(testRealm, "test-app").setDirectAccessGrantsEnabled(true);
|
||||
testRealm.getUsers().add(UserBuilder.create().username("user2").email("user2@localhost").password("password").build());
|
||||
}
|
||||
|
@ -74,7 +82,6 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
|
|||
@After
|
||||
public void slowItDown() throws Exception {
|
||||
Thread.sleep(100);
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
@ -90,6 +97,9 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
|
|||
@Page
|
||||
protected LoginPage loginPage;
|
||||
|
||||
@Page
|
||||
protected LoginPasswordResetPage resetPasswordPage;
|
||||
|
||||
@Page
|
||||
private RegisterPage registerPage;
|
||||
|
||||
|
@ -215,8 +225,6 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
|
|||
Assert.assertNull(response.getAccessToken());
|
||||
}
|
||||
|
||||
|
||||
|
||||
@Test
|
||||
public void testGrantMissingOtp() throws Exception {
|
||||
{
|
||||
|
@ -384,6 +392,27 @@ public class BruteForceTest extends AbstractTestRealmKeycloakTest {
|
|||
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testResetPassword() throws Exception {
|
||||
String userId = adminClient.realm("test").users().search("test-user@localhost", null, null, null, 0, 1).get(0).getId();
|
||||
|
||||
loginSuccess();
|
||||
loginInvalidPassword();
|
||||
loginInvalidPassword();
|
||||
expectTemporarilyDisabled();
|
||||
|
||||
loginPage.resetPassword();
|
||||
resetPasswordPage.assertCurrent();
|
||||
resetPasswordPage.changePassword("test-user@localhost");
|
||||
loginPage.assertCurrent();
|
||||
|
||||
assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage());
|
||||
|
||||
events.expectRequiredAction(EventType.RESET_PASSWORD_ERROR).user(userId);
|
||||
events.clear();
|
||||
clearUserFailures();
|
||||
}
|
||||
|
||||
public void expectTemporarilyDisabled() throws Exception {
|
||||
expectTemporarilyDisabled("test-user@localhost", null);
|
||||
}
|
||||
|
|
|
@ -0,0 +1,128 @@
|
|||
/*
|
||||
* Copyright 2017 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.keycloak.testsuite.forms;
|
||||
|
||||
import java.io.IOException;
|
||||
|
||||
import javax.mail.MessagingException;
|
||||
|
||||
import org.jboss.arquillian.container.test.api.Deployment;
|
||||
import org.jboss.arquillian.graphene.page.Page;
|
||||
import org.jboss.shrinkwrap.api.spec.WebArchive;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.keycloak.admin.client.resource.UserResource;
|
||||
import org.keycloak.events.Details;
|
||||
import org.keycloak.events.Errors;
|
||||
import org.keycloak.jose.jws.JWSBuilder;
|
||||
import org.keycloak.models.KeyManager;
|
||||
import org.keycloak.models.KeycloakSession;
|
||||
import org.keycloak.models.RealmModel;
|
||||
import org.keycloak.protocol.RestartLoginCookie;
|
||||
import org.keycloak.representations.idm.RealmRepresentation;
|
||||
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
|
||||
import org.keycloak.testsuite.Assert;
|
||||
import org.keycloak.testsuite.AssertEvents;
|
||||
import org.keycloak.testsuite.pages.LoginPage;
|
||||
import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
|
||||
import org.openqa.selenium.Cookie;
|
||||
|
||||
/**
|
||||
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||
*/
|
||||
public class RestartCookieTest extends AbstractTestRealmKeycloakTest {
|
||||
|
||||
|
||||
@Page
|
||||
protected LoginPage loginPage;
|
||||
|
||||
|
||||
@Rule
|
||||
public AssertEvents events = new AssertEvents(this);
|
||||
|
||||
|
||||
@Deployment
|
||||
public static WebArchive deploy() {
|
||||
return RunOnServerDeployment.create(UserResource.class)
|
||||
.addPackages(true, "org.keycloak.testsuite");
|
||||
}
|
||||
|
||||
|
||||
// KC_RESTART cookie from Keycloak 3.1.0
|
||||
private static final String OLD_RESTART_COOKIE_JSON = "{\n" +
|
||||
" \"cs\": \"874a1ea8-5579-4f21-add0-903dd8e3ec1b\",\n" +
|
||||
" \"cid\": \"test-app\",\n" +
|
||||
" \"pty\": \"openid-connect\",\n" +
|
||||
" \"ruri\": \"http://localhost:8081/auth/realms/master/app/auth\",\n" +
|
||||
" \"act\": \"AUTHENTICATE\",\n" +
|
||||
" \"notes\": {\n" +
|
||||
" \"auth_type\": \"code\",\n" +
|
||||
" \"scope\": \"openid\",\n" +
|
||||
" \"iss\": \"http://localhost:8081/auth/realms/master/app/auth\",\n" +
|
||||
" \"response_type\": \"code\",\n" +
|
||||
" \"redirect_uri\": \"http://localhost:8081/auth/realms/master/app/auth/\",\n" +
|
||||
" \"state\": \"6c983e5b-2dc1-411a-9ed1-0f51095949c5\",\n" +
|
||||
" \"code_challenge_method\": \"plain\",\n" +
|
||||
" \"nonce\": \"65639660-99b2-4cdf-bc9f-9978fdce5b03\",\n" +
|
||||
" \"response_mode\": \"fragment\"\n" +
|
||||
" }\n" +
|
||||
"}";
|
||||
|
||||
@Override
|
||||
public void configureTestRealm(RealmRepresentation testRealm) {
|
||||
}
|
||||
|
||||
|
||||
// KEYCLOAK-5440
|
||||
@Test
|
||||
public void invalidLoginAndBackButton() throws IOException, MessagingException {
|
||||
String oldRestartCookie = testingClient.server().fetchString((KeycloakSession session) -> {
|
||||
try {
|
||||
String cookieVal = OLD_RESTART_COOKIE_JSON.replace("\n", "").replace(" ", "");
|
||||
RealmModel realm = session.realms().getRealmByName("test");
|
||||
|
||||
KeyManager.ActiveHmacKey activeKey = session.keys().getActiveHmacKey(realm);
|
||||
|
||||
String encodedToken = new JWSBuilder()
|
||||
.kid(activeKey.getKid())
|
||||
.content(cookieVal.getBytes("UTF-8"))
|
||||
.hmac256(activeKey.getSecretKey());
|
||||
|
||||
return encodedToken;
|
||||
|
||||
|
||||
} catch (IOException ioe) {
|
||||
throw new RuntimeException(ioe);
|
||||
}
|
||||
});
|
||||
|
||||
oauth.openLoginForm();
|
||||
|
||||
driver.manage().deleteAllCookies();
|
||||
driver.manage().addCookie(new Cookie(RestartLoginCookie.KC_RESTART, oldRestartCookie));
|
||||
|
||||
loginPage.login("foo", "bar");
|
||||
loginPage.assertCurrent();
|
||||
Assert.assertEquals("You took too long to login. Login process starting from beginning.", loginPage.getError());
|
||||
|
||||
events.expectLogin().user((String) null).session((String) null).error(Errors.EXPIRED_CODE).clearDetails()
|
||||
.detail(Details.RESTART_AFTER_TIMEOUT, "true")
|
||||
.client((String) null)
|
||||
.assertEvent();
|
||||
}
|
||||
}
|
|
@ -52,7 +52,7 @@ import static org.hamcrest.Matchers.containsInAnyOrder;
|
|||
import static org.hamcrest.Matchers.hasItems;
|
||||
import static org.hamcrest.Matchers.instanceOf;
|
||||
import static org.hamcrest.Matchers.is;
|
||||
import static org.hamcrest.Matchers.isEmptyString;
|
||||
import static org.hamcrest.Matchers.isEmptyOrNullString;
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.junit.Assert.assertNotNull;
|
||||
import static org.junit.Assert.assertNull;
|
||||
|
@ -266,7 +266,7 @@ public class OIDCProtocolMappersTest extends AbstractKeycloakTest {
|
|||
|
||||
IDToken idToken = oauth.verifyIDToken(response.getIdToken());
|
||||
Object empty = idToken.getOtherClaims().get("empty");
|
||||
assertThat((empty == null ? null : (String) empty), isEmptyString());
|
||||
assertThat((empty == null ? null : (String) empty), isEmptyOrNullString());
|
||||
Object nulll = idToken.getOtherClaims().get("null");
|
||||
assertNull(nulll);
|
||||
|
||||
|
|
|
@ -46,47 +46,85 @@ import static org.keycloak.testsuite.util.URLUtils.currentUrlStartWith;
|
|||
*/
|
||||
public class URLAssert {
|
||||
|
||||
public static void assertCurrentUrlEquals(AbstractPage page) {
|
||||
assertCurrentUrlEquals(page.getDriver(), page);
|
||||
public static void assertCurrentUrlEquals(final AbstractPage page, WebDriver driver) {
|
||||
assertCurrentUrlEquals(page.toString(), driver);
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlEquals(WebDriver driver, final AbstractPage page) {
|
||||
String expected = page.toString();
|
||||
assertTrue("Expected URL: " + expected + "; actual: " + driver.getCurrentUrl(),
|
||||
currentUrlEqual(page.toString()));
|
||||
public static void assertCurrentUrlEquals(final String url, WebDriver driver) {
|
||||
DroneUtils.addWebDriver(driver);
|
||||
assertCurrentUrlEquals(url);
|
||||
DroneUtils.removeWebDriver();
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlEquals(WebDriver driver, final String url) {
|
||||
assertTrue("Expected URL: " + url + "; actual: " + driver.getCurrentUrl(),
|
||||
public static void assertCurrentUrlEquals(final AbstractPage page) {
|
||||
assertCurrentUrlEquals(page.toString());
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlEquals(final String url) {
|
||||
assertTrue("Expected URL: " + url + "; actual: " + DroneUtils.getCurrentDriver().getCurrentUrl(),
|
||||
currentUrlEqual(url));
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlStartsWith(AbstractPage page) {
|
||||
assertCurrentUrlStartsWith(page.getDriver(), page.toString());
|
||||
|
||||
public static void assertCurrentUrlStartsWith(final AbstractPage page, WebDriver driver) {
|
||||
assertCurrentUrlStartsWith(page.toString(), driver);
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlStartsWith(WebDriver driver, final String url) {
|
||||
assertTrue("URL expected to begin with:" + url + "; actual URL: " + driver.getCurrentUrl(),
|
||||
public static void assertCurrentUrlStartsWith(final String url, WebDriver driver) {
|
||||
DroneUtils.addWebDriver(driver);
|
||||
assertCurrentUrlStartsWith(url);
|
||||
DroneUtils.removeWebDriver();
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlStartsWith(final AbstractPage page) {
|
||||
assertCurrentUrlStartsWith(page.toString());
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlStartsWith(final String url){
|
||||
assertTrue("URL expected to begin with:" + url + "; actual URL: " + DroneUtils.getCurrentDriver().getCurrentUrl(),
|
||||
currentUrlStartWith(url));
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlDoesntStartWith(AbstractPage page) {
|
||||
assertCurrentUrlDoesntStartWith(page.getDriver(), page.toString());
|
||||
|
||||
public static void assertCurrentUrlDoesntStartWith(final AbstractPage page, WebDriver driver) {
|
||||
assertCurrentUrlDoesntStartWith(page.toString(), driver);
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlDoesntStartWith(WebDriver driver, final String url) {
|
||||
assertTrue("URL expected NOT to begin with:" + url + "; actual URL: " + driver.getCurrentUrl(),
|
||||
public static void assertCurrentUrlDoesntStartWith(final String url, WebDriver driver) {
|
||||
DroneUtils.addWebDriver(driver);
|
||||
assertCurrentUrlDoesntStartWith(url);
|
||||
DroneUtils.removeWebDriver();
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlDoesntStartWith(AbstractPage page) {
|
||||
assertCurrentUrlDoesntStartWith(page.toString());
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlDoesntStartWith(final String url) {
|
||||
assertTrue("URL expected NOT to begin with:" + url + "; actual URL: " + DroneUtils.getCurrentDriver().getCurrentUrl(),
|
||||
currentUrlDoesntStartWith(url));
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlStartsWithLoginUrlOf(PageWithLoginUrl page) {
|
||||
assertCurrentUrlStartsWithLoginUrlOf(page.getDriver(), page);
|
||||
|
||||
public static void assertCurrentUrlStartsWithLoginUrlOf(final PageWithLoginUrl page, WebDriver driver) {
|
||||
assertCurrentUrlStartsWithLoginUrlOf(page.getOIDCLoginUrl().toString(), driver);
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlStartsWithLoginUrlOf(WebDriver driver, PageWithLoginUrl page) {
|
||||
assertCurrentUrlStartsWith(driver, page.getOIDCLoginUrl().toString());
|
||||
public static void assertCurrentUrlStartsWithLoginUrlOf(final String url, WebDriver driver) {
|
||||
DroneUtils.addWebDriver(driver);
|
||||
assertCurrentUrlStartsWithLoginUrlOf(url);
|
||||
DroneUtils.removeWebDriver();
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlStartsWithLoginUrlOf(final PageWithLoginUrl page) {
|
||||
assertCurrentUrlStartsWithLoginUrlOf(page.getOIDCLoginUrl().toString());
|
||||
}
|
||||
|
||||
public static void assertCurrentUrlStartsWithLoginUrlOf(final String url) {
|
||||
assertCurrentUrlStartsWith(url);
|
||||
}
|
||||
|
||||
|
||||
public static void assertGetURL(URI url, String accessToken, AssertResponseHandler handler) {
|
||||
CloseableHttpClient httpclient = HttpClients.createDefault();
|
||||
try {
|
||||
|
|
|
@ -64,7 +64,7 @@
|
|||
|
||||
<container qualifier="auth-server-undertow" mode="suite" >
|
||||
<configuration>
|
||||
<property name="enabled">${auth.server.undertow} && ! ${auth.server.undertow.crossdc}</property>
|
||||
<property name="enabled">${auth.server.undertow} && ! ${auth.server.crossdc}</property>
|
||||
<property name="bindAddress">0.0.0.0</property>
|
||||
<property name="adapterImplClass">org.keycloak.testsuite.arquillian.undertow.KeycloakOnUndertow</property>
|
||||
<property name="bindHttpPort">${auth.server.http.port}</property>
|
||||
|
@ -74,7 +74,7 @@
|
|||
|
||||
<container qualifier="auth-server-${auth.server}" mode="suite" >
|
||||
<configuration>
|
||||
<property name="enabled">${auth.server.jboss}</property>
|
||||
<property name="enabled">${auth.server.jboss} && ! ${auth.server.crossdc}</property>
|
||||
<property name="adapterImplClass">${auth.server.adapter.impl.class}</property>
|
||||
<property name="jbossHome">${auth.server.home}</property>
|
||||
<property name="${auth.server.config.property.name}">${auth.server.config.property.value}</property>
|
||||
|
@ -186,18 +186,18 @@
|
|||
</group>
|
||||
|
||||
|
||||
<!-- Cross DC with embedded undertow. Node numbering is [centre #].[node #] -->
|
||||
<group qualifier="auth-server-undertow-cross-dc">
|
||||
<!-- Cross DC. Node numbering is [centre #].[node #] -->
|
||||
<group qualifier="auth-server-jboss-cross-dc">
|
||||
<container qualifier="cache-server-cross-dc-1" mode="suite" >
|
||||
<configuration>
|
||||
<property name="enabled">${auth.server.undertow.crossdc} && ! ${cache.server.lifecycle.skip}</property>
|
||||
<property name="enabled">${auth.server.crossdc} && ! ${cache.server.lifecycle.skip}</property>
|
||||
<property name="adapterImplClass">org.jboss.as.arquillian.container.managed.ManagedDeployableContainer</property>
|
||||
<property name="jbossHome">${cache.server.home}</property>
|
||||
<property name="serverConfig">clustered.xml</property>
|
||||
<property name="jbossArguments">
|
||||
-Djboss.socket.binding.port-offset=${cache.server.port.offset}
|
||||
-Djboss.default.multicast.address=234.56.78.99
|
||||
-Djboss.node.name=cache-server
|
||||
-Djboss.node.name=cache-server-dc-1
|
||||
${adapter.test.props}
|
||||
${auth.server.profile}
|
||||
</property>
|
||||
|
@ -213,7 +213,7 @@
|
|||
|
||||
<container qualifier="cache-server-cross-dc-2" mode="suite" >
|
||||
<configuration>
|
||||
<property name="enabled">${auth.server.undertow.crossdc} && ! ${cache.server.lifecycle.skip}</property>
|
||||
<property name="enabled">${auth.server.crossdc} && ! ${cache.server.lifecycle.skip}</property>
|
||||
<property name="adapterImplClass">org.jboss.as.arquillian.container.managed.ManagedDeployableContainer</property>
|
||||
<property name="jbossHome">${cache.server.home}</property>
|
||||
<property name="setupCleanServerBaseDir">true</property>
|
||||
|
@ -238,11 +238,11 @@
|
|||
|
||||
<container qualifier="auth-server-balancer-cross-dc" mode="suite" >
|
||||
<configuration>
|
||||
<property name="enabled">${auth.server.undertow.crossdc}</property>
|
||||
<property name="enabled">${auth.server.crossdc}</property>
|
||||
<property name="adapterImplClass">org.keycloak.testsuite.arquillian.undertow.lb.SimpleUndertowLoadBalancerContainer</property>
|
||||
<property name="bindAddress">localhost</property>
|
||||
<property name="bindHttpPort">${auth.server.http.port}</property>
|
||||
<property name="nodes">auth-server-undertow-cross-dc-0_1=http://localhost:8101,auth-server-undertow-cross-dc-0_2-manual=http://localhost:8102,auth-server-undertow-cross-dc-1_1=http://localhost:8111,auth-server-undertow-cross-dc-1_2-manual=http://localhost:8112</property>
|
||||
<property name="nodes">auth-server-${node.name}-cross-dc-0_1=http://localhost:8101,auth-server-${node.name}-cross-dc-0_2-manual=http://localhost:8102,auth-server-${node.name}-cross-dc-1_1=http://localhost:8111,auth-server-${node.name}-cross-dc-1_2-manual=http://localhost:8112</property>
|
||||
</configuration>
|
||||
</container>
|
||||
|
||||
|
@ -253,7 +253,6 @@
|
|||
<property name="bindAddress">localhost</property>
|
||||
<property name="bindHttpPort">${auth.server.http.port}</property>
|
||||
<property name="bindHttpPortOffset">-79</property>
|
||||
<property name="route">auth-server-undertow-cross-dc-0_1</property>
|
||||
<property name="remoteMode">${undertow.remote}</property>
|
||||
<property name="dataCenter">0</property>
|
||||
<property name="keycloakConfigPropertyOverrides">{
|
||||
|
@ -277,7 +276,6 @@
|
|||
<property name="bindAddress">localhost</property>
|
||||
<property name="bindHttpPort">${auth.server.http.port}</property>
|
||||
<property name="bindHttpPortOffset">-78</property>
|
||||
<property name="route">auth-server-undertow-cross-dc-0_2-manual</property>
|
||||
<property name="remoteMode">${undertow.remote}</property>
|
||||
<property name="dataCenter">0</property>
|
||||
<property name="keycloakConfigPropertyOverrides">{
|
||||
|
@ -302,7 +300,6 @@
|
|||
<property name="bindAddress">localhost</property>
|
||||
<property name="bindHttpPort">${auth.server.http.port}</property>
|
||||
<property name="bindHttpPortOffset">-69</property>
|
||||
<property name="route">auth-server-undertow-cross-dc-1_1</property>
|
||||
<property name="remoteMode">${undertow.remote}</property>
|
||||
<property name="dataCenter">1</property>
|
||||
<property name="keycloakConfigPropertyOverrides">{
|
||||
|
@ -326,7 +323,6 @@
|
|||
<property name="bindAddress">localhost</property>
|
||||
<property name="bindHttpPort">${auth.server.http.port}</property>
|
||||
<property name="bindHttpPortOffset">-68</property>
|
||||
<property name="route">auth-server-undertow-cross-dc-1_2-manual</property>
|
||||
<property name="remoteMode">${undertow.remote}</property>
|
||||
<property name="dataCenter">1</property>
|
||||
<property name="keycloakConfigPropertyOverrides">{
|
||||
|
@ -343,6 +339,99 @@
|
|||
}</property>
|
||||
</configuration>
|
||||
</container>
|
||||
<container qualifier="auth-server-jboss-cross-dc-0_1" mode="suite" >
|
||||
<configuration>
|
||||
<property name="enabled">${auth.server.jboss.crossdc}</property>
|
||||
<property name="adapterImplClass">${auth.server.adapter.impl.class}</property>
|
||||
<property name="jbossHome">${auth.server.crossdc01.home}</property>
|
||||
<property name="serverConfig">standalone-ha.xml</property>
|
||||
<property name="jbossArguments">
|
||||
-Djboss.socket.binding.port-offset=${auth.server.crossdc01.port.offset}
|
||||
-Djboss.default.multicast.address=234.56.78.1
|
||||
-Dremote.cache.port=12232
|
||||
-Djboss.site.name=dc0
|
||||
-Djboss.node.name=auth-server-${node.name}-cross-dc-0_1
|
||||
</property>
|
||||
<property name="javaVmArguments">
|
||||
-Djava.net.preferIPv4Stack=true
|
||||
${auth.server.crossdc01.jvm.debug.args}
|
||||
</property>
|
||||
<property name="managementPort">${auth.server.crossdc01.management.port}</property>
|
||||
<property name="bindHttpPortOffset">-79</property>
|
||||
<property name="dataCenter">0</property>
|
||||
<property name="startupTimeoutInSeconds">${auth.server.jboss.startup.timeout}</property>
|
||||
</configuration>
|
||||
</container>
|
||||
<container qualifier="auth-server-jboss-cross-dc-0_2-manual" mode="manual" >
|
||||
<configuration>
|
||||
<property name="enabled">${auth.server.jboss.crossdc}</property>
|
||||
<property name="adapterImplClass">${auth.server.adapter.impl.class}</property>
|
||||
<property name="jbossHome">${auth.server.crossdc02.home}</property>
|
||||
<property name="serverConfig">standalone-ha.xml</property>
|
||||
<property name="jbossArguments">
|
||||
-Djboss.socket.binding.port-offset=${auth.server.crossdc02.port.offset}
|
||||
-Djboss.default.multicast.address=234.56.78.1
|
||||
-Dremote.cache.port=12232
|
||||
-Djboss.site.name=dc0
|
||||
-Djboss.node.name=auth-server-${node.name}-cross-dc-0_2-manual
|
||||
</property>
|
||||
<property name="javaVmArguments">
|
||||
-Djava.net.preferIPv4Stack=true
|
||||
${auth.server.crossdc02.jvm.debug.args}
|
||||
</property>
|
||||
<property name="managementPort">${auth.server.crossdc02.management.port}</property>
|
||||
<property name="bindHttpPortOffset">-78</property>
|
||||
<property name="dataCenter">0</property>
|
||||
<property name="startupTimeoutInSeconds">${auth.server.jboss.startup.timeout}</property>
|
||||
</configuration>
|
||||
</container>
|
||||
|
||||
<container qualifier="auth-server-jboss-cross-dc-1_1" mode="suite" >
|
||||
<configuration>
|
||||
<property name="enabled">${auth.server.jboss.crossdc}</property>
|
||||
<property name="adapterImplClass">${auth.server.adapter.impl.class}</property>
|
||||
<property name="jbossHome">${auth.server.crossdc11.home}</property>
|
||||
<property name="serverConfig">standalone-ha.xml</property>
|
||||
<property name="jbossArguments">
|
||||
-Djboss.socket.binding.port-offset=${auth.server.crossdc11.port.offset}
|
||||
-Djboss.default.multicast.address=234.56.78.2
|
||||
-Dremote.cache.port=13232
|
||||
-Djboss.site.name=dc1
|
||||
-Djboss.node.name=auth-server-${node.name}-cross-dc-1_1
|
||||
</property>
|
||||
<property name="javaVmArguments">
|
||||
-Djava.net.preferIPv4Stack=true
|
||||
${auth.server.crossdc11.jvm.debug.args}
|
||||
</property>
|
||||
<property name="managementPort">${auth.server.crossdc11.management.port}</property>
|
||||
<property name="bindHttpPortOffset">-69</property>
|
||||
<property name="dataCenter">1</property>
|
||||
<property name="startupTimeoutInSeconds">${auth.server.jboss.startup.timeout}</property>
|
||||
</configuration>
|
||||
</container>
|
||||
<container qualifier="auth-server-jboss-cross-dc-1_2-manual" mode="manual" >
|
||||
<configuration>
|
||||
<property name="enabled">${auth.server.jboss.crossdc}</property>
|
||||
<property name="adapterImplClass">${auth.server.adapter.impl.class}</property>
|
||||
<property name="jbossHome">${auth.server.crossdc12.home}</property>
|
||||
<property name="serverConfig">standalone-ha.xml</property>
|
||||
<property name="jbossArguments">
|
||||
-Djboss.socket.binding.port-offset=${auth.server.crossdc12.port.offset}
|
||||
-Djboss.default.multicast.address=234.56.78.2
|
||||
-Dremote.cache.port=13232
|
||||
-Djboss.site.name=dc1
|
||||
-Djboss.node.name=auth-server-${node.name}-cross-dc-1_2-manual
|
||||
</property>
|
||||
<property name="javaVmArguments">
|
||||
-Djava.net.preferIPv4Stack=true
|
||||
${auth.server.crossdc12.jvm.debug.args}
|
||||
</property>
|
||||
<property name="managementPort">${auth.server.crossdc12.management.port}</property>
|
||||
<property name="bindHttpPortOffset">-68</property>
|
||||
<property name="dataCenter">1</property>
|
||||
<property name="startupTimeoutInSeconds">${auth.server.jboss.startup.timeout}</property>
|
||||
</configuration>
|
||||
</container>
|
||||
</group>
|
||||
|
||||
|
||||
|
|
|
@ -19,20 +19,25 @@ package org.keycloak.testsuite.adapter.example.hal;
|
|||
import static org.junit.Assert.assertTrue;
|
||||
import static org.keycloak.testsuite.util.IOUtil.loadRealm;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.List;
|
||||
|
||||
import org.jboss.arquillian.graphene.page.Page;
|
||||
import org.junit.Assume;
|
||||
import org.junit.Before;
|
||||
import org.junit.Test;
|
||||
import org.keycloak.representations.idm.RealmRepresentation;
|
||||
import org.keycloak.testsuite.adapter.AbstractAdapterTest;
|
||||
import org.keycloak.testsuite.arquillian.AppServerTestEnricher;
|
||||
import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
|
||||
import org.keycloak.testsuite.pages.AccountUpdateProfilePage;
|
||||
import org.keycloak.testsuite.pages.AppServerWelcomePage;
|
||||
import org.keycloak.testsuite.util.WaitUtils;
|
||||
import org.wildfly.extras.creaper.core.ManagementClient;
|
||||
import org.wildfly.extras.creaper.core.online.CliException;
|
||||
import org.wildfly.extras.creaper.core.online.OnlineManagementClient;
|
||||
import org.wildfly.extras.creaper.core.online.OnlineOptions;
|
||||
import org.wildfly.extras.creaper.core.online.operations.Address;
|
||||
import org.wildfly.extras.creaper.core.online.operations.OperationException;
|
||||
import org.wildfly.extras.creaper.core.online.operations.Operations;
|
||||
|
||||
/**
|
||||
*
|
||||
|
@ -54,14 +59,17 @@ public class WildflyConsoleProtectionTest extends AbstractAdapterTest {
|
|||
}
|
||||
|
||||
@Before
|
||||
public void beforeAuthTest() {
|
||||
public void beforeAuthTest() throws IOException, OperationException {
|
||||
super.beforeAuthTest();
|
||||
|
||||
OnlineManagementClient clientWorkerNodeClient = null;
|
||||
|
||||
try {
|
||||
OnlineManagementClient clientWorkerNodeClient = ManagementClient.online(OnlineOptions
|
||||
.standalone()
|
||||
.hostAndPort("localhost", 10190)
|
||||
.build());
|
||||
clientWorkerNodeClient = AppServerTestEnricher.getManagementClient();
|
||||
|
||||
Operations operations = new Operations(clientWorkerNodeClient);
|
||||
|
||||
Assume.assumeTrue(operations.exists(Address.subsystem("elytron")));
|
||||
|
||||
// Create a realm for both wildfly console and mgmt interface
|
||||
clientWorkerNodeClient.execute("/subsystem=keycloak/realm=jboss-infra:add(auth-server-url=http://localhost:8180/auth,realm-public-key=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB)");
|
||||
|
@ -84,8 +92,12 @@ public class WildflyConsoleProtectionTest extends AbstractAdapterTest {
|
|||
|
||||
// reload
|
||||
clientWorkerNodeClient.execute("reload");
|
||||
} catch (Exception cause) {
|
||||
} catch (CliException cause) {
|
||||
throw new RuntimeException("Failed to configure app server", cause);
|
||||
} finally {
|
||||
if (clientWorkerNodeClient != null) {
|
||||
clientWorkerNodeClient.close();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -41,8 +41,10 @@
|
|||
<properties>
|
||||
<auth.server>undertow</auth.server>
|
||||
<auth.server.undertow>true</auth.server.undertow>
|
||||
<auth.server.undertow.crossdc>false</auth.server.undertow.crossdc>
|
||||
|
||||
<auth.server.crossdc>false</auth.server.crossdc>
|
||||
<auth.server.undertow.crossdc>false</auth.server.undertow.crossdc>
|
||||
<auth.server.jboss.crossdc>false</auth.server.jboss.crossdc>
|
||||
<cache.server.lifecycle.skip>false</cache.server.lifecycle.skip>
|
||||
|
||||
<auth.server.container>auth-server-${auth.server}</auth.server.container>
|
||||
|
@ -291,6 +293,7 @@
|
|||
<!--cache server properties-->
|
||||
<auth.server.crossdc>${auth.server.crossdc}</auth.server.crossdc>
|
||||
<auth.server.undertow.crossdc>${auth.server.undertow.crossdc}</auth.server.undertow.crossdc>
|
||||
<auth.server.jboss.crossdc>${auth.server.jboss.crossdc}</auth.server.jboss.crossdc>
|
||||
<cache.server.lifecycle.skip>${cache.server.lifecycle.skip}</cache.server.lifecycle.skip>
|
||||
|
||||
<cache.server>${cache.server}</cache.server>
|
||||
|
@ -374,7 +377,6 @@
|
|||
<auth.server>wildfly</auth.server>
|
||||
<auth.server.jboss>true</auth.server.jboss>
|
||||
<auth.server.undertow>false</auth.server.undertow>
|
||||
<auth.server.undertow.crossdc>false</auth.server.undertow.crossdc>
|
||||
<auth.server.config.property.value>standalone.xml</auth.server.config.property.value>
|
||||
<auth.server.config.dir>${auth.server.home}/standalone/configuration</auth.server.config.dir>
|
||||
<h2.version>1.3.173</h2.version>
|
||||
|
@ -393,7 +395,6 @@
|
|||
<auth.server>eap</auth.server>
|
||||
<auth.server.jboss>true</auth.server.jboss>
|
||||
<auth.server.undertow>false</auth.server.undertow>
|
||||
<auth.server.undertow.crossdc>false</auth.server.undertow.crossdc>
|
||||
<auth.server.config.property.value>standalone.xml</auth.server.config.property.value>
|
||||
<auth.server.config.dir>${auth.server.home}/standalone/configuration</auth.server.config.dir>
|
||||
<h2.version>1.3.173</h2.version>
|
||||
|
@ -406,11 +407,196 @@
|
|||
</dependencies>
|
||||
</profile>
|
||||
|
||||
<profile>
|
||||
<id>auth-servers-crossdc-undertow</id>
|
||||
<properties>
|
||||
<auth.servers.crossdc>true</auth.servers.crossdc>
|
||||
<auth.server.undertow.crossdc>true</auth.server.undertow.crossdc>
|
||||
<node.name>undertow</node.name>
|
||||
</properties>
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<artifactId>maven-enforcer-plugin</artifactId>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>enforce-profile-activation</id>
|
||||
<goals>
|
||||
<goal>enforce</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<rules>
|
||||
<requireProperty>
|
||||
<property>cache.server.jboss</property>
|
||||
<message>Profile "auth-servers-crossdc-undertow" requires activation of another profile: either "cache-server-infinispan" or "cache-server-jdg".</message>
|
||||
<regex>true</regex>
|
||||
</requireProperty>
|
||||
</rules>
|
||||
</configuration>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<artifactId>maven-surefire-plugin</artifactId>
|
||||
<configuration>
|
||||
<systemPropertyVariables>
|
||||
<node.name>${node.name}</node.name>
|
||||
<pageload.timeout>20000</pageload.timeout>
|
||||
</systemPropertyVariables>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
</profile>
|
||||
|
||||
<profile>
|
||||
<id>auth-servers-crossdc-jboss</id>
|
||||
<properties>
|
||||
<auth.servers.crossdc>true</auth.servers.crossdc>
|
||||
<auth.server.jboss.crossdc>true</auth.server.jboss.crossdc>
|
||||
<node.name>jboss</node.name>
|
||||
|
||||
<auth.server.crossdc01.home>${containers.home}/auth-server-${auth.server}-crossdc01</auth.server.crossdc01.home>
|
||||
<auth.server.crossdc02.home>${containers.home}/auth-server-${auth.server}-crossdc02</auth.server.crossdc02.home>
|
||||
<auth.server.crossdc11.home>${containers.home}/auth-server-${auth.server}-crossdc11</auth.server.crossdc11.home>
|
||||
<auth.server.crossdc12.home>${containers.home}/auth-server-${auth.server}-crossdc12</auth.server.crossdc12.home>
|
||||
|
||||
<!-- property specifies keycloak-add-user.json file destination -->
|
||||
<auth.server.config.dir>${auth.server.crossdc01.home}/standalone/configuration</auth.server.config.dir>
|
||||
|
||||
<auth.server.crossdc01.jvm.debug.port>5001</auth.server.crossdc01.jvm.debug.port>
|
||||
<auth.server.crossdc02.jvm.debug.port>5002</auth.server.crossdc02.jvm.debug.port>
|
||||
<auth.server.crossdc11.jvm.debug.port>5011</auth.server.crossdc11.jvm.debug.port>
|
||||
<auth.server.crossdc12.jvm.debug.port>5012</auth.server.crossdc12.jvm.debug.port>
|
||||
|
||||
<!-- default is "n", possible to override by e.g. -Dauth.server.crossdc01.debug.suspend=y -->
|
||||
<auth.server.crossdc01.debug.suspend>${auth.server.debug.suspend}</auth.server.crossdc01.debug.suspend>
|
||||
<auth.server.crossdc02.debug.suspend>${auth.server.debug.suspend}</auth.server.crossdc02.debug.suspend>
|
||||
<auth.server.crossdc11.debug.suspend>${auth.server.debug.suspend}</auth.server.crossdc11.debug.suspend>
|
||||
<auth.server.crossdc12.debug.suspend>${auth.server.debug.suspend}</auth.server.crossdc12.debug.suspend>
|
||||
</properties>
|
||||
<build>
|
||||
<pluginManagement>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<artifactId>maven-antrun-plugin</artifactId>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>copy-auth-server-crossdc-nodes</id>
|
||||
<phase>process-resources</phase>
|
||||
<goals>
|
||||
<goal>run</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<target>
|
||||
<move todir="${auth.server.crossdc01.home}">
|
||||
<fileset dir="${auth.server.home}"/>
|
||||
</move>
|
||||
<copy todir="${auth.server.crossdc02.home}">
|
||||
<fileset dir="${auth.server.crossdc01.home}"/>
|
||||
</copy>
|
||||
<copy todir="${auth.server.crossdc11.home}">
|
||||
<fileset dir="${auth.server.crossdc01.home}"/>
|
||||
</copy>
|
||||
<copy todir="${auth.server.crossdc12.home}">
|
||||
<fileset dir="${auth.server.crossdc01.home}"/>
|
||||
</copy>
|
||||
</target>
|
||||
</configuration>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</pluginManagement>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<artifactId>maven-enforcer-plugin</artifactId>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>enforce-profiles-activation</id>
|
||||
<goals>
|
||||
<goal>enforce</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<rules>
|
||||
<requireProperty>
|
||||
<property>cache.server.jboss</property>
|
||||
<message>Profile "auth-servers-crossdc-jboss" requires activation of another profile: either "cache-server-infinispan" or "cache-server-jdg".</message>
|
||||
<regex>true</regex>
|
||||
</requireProperty>
|
||||
<requireProperty>
|
||||
<property>auth.server.jboss</property>
|
||||
<message>Profile "auth-servers-crossdc-jboss" requires activation of another profile: either "auth-server-wildfly" or "auth-server-eap".</message>
|
||||
<regex>true</regex>
|
||||
</requireProperty>
|
||||
</rules>
|
||||
</configuration>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<artifactId>maven-surefire-plugin</artifactId>
|
||||
<configuration>
|
||||
<systemPropertyVariables>
|
||||
|
||||
<pageload.timeout>20000</pageload.timeout>
|
||||
|
||||
<run.h2>true</run.h2>
|
||||
<node.name>${node.name}</node.name>
|
||||
|
||||
<auth.server.crossdc01.home>${auth.server.crossdc01.home}</auth.server.crossdc01.home>
|
||||
<auth.server.crossdc02.home>${auth.server.crossdc02.home}</auth.server.crossdc02.home>
|
||||
<auth.server.crossdc11.home>${auth.server.crossdc11.home}</auth.server.crossdc11.home>
|
||||
<auth.server.crossdc12.home>${auth.server.crossdc12.home}</auth.server.crossdc12.home>
|
||||
|
||||
<!--8101-->
|
||||
<auth.server.crossdc01.port.offset>21</auth.server.crossdc01.port.offset>
|
||||
<!--8102-->
|
||||
<auth.server.crossdc02.port.offset>22</auth.server.crossdc02.port.offset>
|
||||
<!--8111-->
|
||||
<auth.server.crossdc11.port.offset>31</auth.server.crossdc11.port.offset>
|
||||
<!--8112-->
|
||||
<auth.server.crossdc12.port.offset>32</auth.server.crossdc12.port.offset>
|
||||
|
||||
<auth.server.crossdc01.management.port>10011</auth.server.crossdc01.management.port>
|
||||
<auth.server.crossdc02.management.port>10012</auth.server.crossdc02.management.port>
|
||||
<auth.server.crossdc11.management.port>10021</auth.server.crossdc11.management.port>
|
||||
<auth.server.crossdc12.management.port>10022</auth.server.crossdc12.management.port>
|
||||
|
||||
<auth.server.crossdc01.jvm.debug.args>
|
||||
-agentlib:jdwp=transport=dt_socket,server=y,suspend=${auth.server.crossdc01.debug.suspend},address=localhost:${auth.server.crossdc01.jvm.debug.port}
|
||||
</auth.server.crossdc01.jvm.debug.args>
|
||||
<auth.server.crossdc02.jvm.debug.args>
|
||||
-agentlib:jdwp=transport=dt_socket,server=y,suspend=${auth.server.crossdc02.debug.suspend},address=localhost:${auth.server.crossdc02.jvm.debug.port}
|
||||
</auth.server.crossdc02.jvm.debug.args>
|
||||
<auth.server.crossdc11.jvm.debug.args>
|
||||
-agentlib:jdwp=transport=dt_socket,server=y,suspend=${auth.server.crossdc11.debug.suspend},address=localhost:${auth.server.crossdc11.jvm.debug.port}
|
||||
</auth.server.crossdc11.jvm.debug.args>
|
||||
<auth.server.crossdc12.jvm.debug.args>
|
||||
-agentlib:jdwp=transport=dt_socket,server=y,suspend=${auth.server.crossdc12.debug.suspend},address=localhost:${auth.server.crossdc12.jvm.debug.port}
|
||||
</auth.server.crossdc12.jvm.debug.args>
|
||||
|
||||
</systemPropertyVariables>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<artifactId>maven-antrun-plugin</artifactId>
|
||||
<configuration>
|
||||
<!--
|
||||
skipping execution for <artifactId>integration-arquillian-tests</artifactId>,
|
||||
it's re-enabled in <artifactId>integration-arquillian-tests-base</artifactId>
|
||||
-->
|
||||
<skip>true</skip>
|
||||
</configuration>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
</profile>
|
||||
|
||||
<profile>
|
||||
<id>cache-server-infinispan</id>
|
||||
<properties>
|
||||
<cache.server>infinispan</cache.server>
|
||||
<auth.server.undertow.crossdc>true</auth.server.undertow.crossdc>
|
||||
<auth.server.crossdc>true</auth.server.crossdc>
|
||||
<cache.server.jboss>true</cache.server.jboss>
|
||||
<cache.server.config.dir>${cache.server.home}/standalone/configuration</cache.server.config.dir>
|
||||
|
@ -429,17 +615,15 @@
|
|||
<artifactId>maven-enforcer-plugin</artifactId>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>enforce-profile-activation</id>
|
||||
<goals>
|
||||
<goal>enforce</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<rules>
|
||||
<!--requireActiveProfile 'auth-server-wildfly/eap' doesn't work unless the profiles are defined in all submodule poms
|
||||
using requireProperty instead-->
|
||||
<requireProperty>
|
||||
<property>cache.server</property>
|
||||
<regex>(infinispan)|(jdg)</regex>
|
||||
<regexMessage>Profile "cache-server-infinispan" requires activation of profile "cache-server-infinispan" or "cache-server-jdg".</regexMessage>
|
||||
<property>auth.servers.crossdc</property>
|
||||
<message>Profile "cache-server-infinispan" requires activation of another profile: either "auth-servers-crossdc-undertow" or "auth-servers-crossdc-jboss".</message>
|
||||
</requireProperty>
|
||||
</rules>
|
||||
</configuration>
|
||||
|
@ -485,7 +669,6 @@
|
|||
<id>cache-server-jdg</id>
|
||||
<properties>
|
||||
<cache.server>jdg</cache.server>
|
||||
<auth.server.undertow.crossdc>true</auth.server.undertow.crossdc>
|
||||
<auth.server.crossdc>true</auth.server.crossdc>
|
||||
<cache.server.jboss>true</cache.server.jboss>
|
||||
<cache.server.config.dir>${cache.server.home}/standalone/configuration</cache.server.config.dir>
|
||||
|
@ -504,17 +687,15 @@
|
|||
<artifactId>maven-enforcer-plugin</artifactId>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>enforce-profile-activation</id>
|
||||
<goals>
|
||||
<goal>enforce</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<rules>
|
||||
<!--requireActiveProfile 'auth-server-wildfly/eap' doesn't work unless the profiles are defined in all submodule poms
|
||||
using requireProperty instead-->
|
||||
<requireProperty>
|
||||
<property>cache.server</property>
|
||||
<regex>(infinispan)|(jdg)</regex>
|
||||
<regexMessage>Profile "cache-server-jdg" requires activation of profile "cache-server-infinispan" or "cache-server-jdg".</regexMessage>
|
||||
<property>auth.servers.crossdc</property>
|
||||
<message>Profile "cache-server-jdg" requires activation of another profile: either "auth-servers-crossdc-undertow" or "auth-servers-crossdc-jboss".</message>
|
||||
</requireProperty>
|
||||
</rules>
|
||||
</configuration>
|
||||
|
|
|
@ -6,7 +6,7 @@ Perform the usual test run:
|
|||
```
|
||||
mvn verify -Pteardown
|
||||
mvn verify -Pprovision
|
||||
mvn verify -Pimport-data -Ddataset=100users -Dimport.workers=10 -DhashIterations=100
|
||||
mvn verify -Pgenerate-data -Ddataset=100users -Dimport.workers=10 -DhashIterations=100
|
||||
mvn verify -Ptest -Ddataset=100users -DrunUsers=200 -DrampUpPeriod=10 -DuserThinkTime=0 -DbadLoginAttempts=1 -DrefreshTokenCount=1 -DnumOfIterations=3
|
||||
```
|
||||
|
||||
|
|
|
@ -24,7 +24,7 @@ mvn clean install
|
|||
|
||||
# Make sure your Docker daemon is running THEN
|
||||
mvn verify -Pprovision
|
||||
mvn verify -Pimport-data -Ddataset=100u -DnumOfWorkers=10 -DhashIterations=100
|
||||
mvn verify -Pgenerate-data -Ddataset=100u -DnumOfWorkers=10 -DhashIterations=100
|
||||
mvn verify -Ptest -Ddataset=100u -DrunUsers=200 -DrampUpPeriod=10 -DuserThinkTime=0 -DbadLoginAttempts=1 -DrefreshTokenCount=1 -DnumOfIterations=3
|
||||
|
||||
```
|
||||
|
@ -38,7 +38,7 @@ mvn verify -Pteardown
|
|||
|
||||
You can perform all phases in a single run:
|
||||
```
|
||||
mvn verify -Pprovision,import-data,test,teardown -Ddataset=100u -DnumOfWorkers=10 -DhashIterations=100 -DrunUsers=200 -DrampUpPeriod=10
|
||||
mvn verify -Pprovision,generate-data,test,teardown -Ddataset=100u -DnumOfWorkers=10 -DhashIterations=100 -DrunUsers=200 -DrampUpPeriod=10
|
||||
```
|
||||
Note: The order in which maven profiles are listed does not determine the order in which profile related plugins are executed. `teardown` profile always executes last.
|
||||
|
||||
|
@ -68,25 +68,26 @@ Provisioning/teardown is performed via `docker-compose` tool. More details in [R
|
|||
|
||||
## Testing
|
||||
|
||||
### Import Data
|
||||
### Generate Test Data
|
||||
|
||||
Usage: `mvn verify -Pimport-data[,cluster] [-Ddataset=DATASET] [-D<dataset.property>=<value>]`.
|
||||
Usage: `mvn verify -Pgenerate-data[,cluster] [-Ddataset=DATASET] [-Dexport-dump] [-D<dataset.property>=<value>]`.
|
||||
|
||||
Dataset properties are loaded from `datasets/${dataset}.properties` file. Individual properties can be overriden by specifying `-D` params.
|
||||
|
||||
Dataset data is first generated as a .json file, and then imported into Keycloak via Admin Client REST API.
|
||||
|
||||
#### Examples:
|
||||
- `mvn verify -Pimport-data` - import default dataset
|
||||
- `mvn verify -Pimport-data -DusersPerRealm=5` - import default dataset, override the `usersPerRealm` property
|
||||
- `mvn verify -Pimport-data -Ddataset=100u` - import `100u` dataset
|
||||
- `mvn verify -Pimport-data -Ddataset=100r/default` - import dataset from `datasets/100r/default.properties`
|
||||
- `mvn verify -Pgenerate-data` - generate default dataset
|
||||
- `mvn verify -Pgenerate-data -DusersPerRealm=5` - generate default dataset, override the `usersPerRealm` property
|
||||
- `mvn verify -Pgenerate-data -Ddataset=100u` - generate `100u` dataset
|
||||
- `mvn verify -Pgenerate-data -Ddataset=100r/default` - generate dataset based on `datasets/100r/default.properties`
|
||||
|
||||
The data can also be exported from the database, and stored locally as `datasets/${dataset}.sql.gz`
|
||||
`DATASET=100u ./prepare-dump.sh`
|
||||
|
||||
If there is a data dump file available then -Pimport-dump can be used to import the data directly into the database,
|
||||
by-passing Keycloak server completely.
|
||||
To speed up dataset initialization part, it is possible to pass `-Dexport-dump` option to have the generated dataset
|
||||
exported right after it has been generated. Then, if there is a data dump file available then `-Pimport-dump`
|
||||
can be used to import the data directly into the database, bypassing Keycloak server completely.
|
||||
|
||||
Usage: `mvn verify -Pimport-dump [-Ddataset=DATASET]`
|
||||
|
||||
|
@ -98,7 +99,7 @@ Usage: `mvn verify -Pimport-dump [-Ddataset=DATASET]`
|
|||
|
||||
Usage: `mvn verify -Ptest[,cluster] [-DrunUsers=N] [-DrampUpPeriod=SECONDS] [-DnumOfIterations=N] [-Ddataset=DATASET] [-D<dataset.property>=<value>]* [-D<test.property>=<value>]* `.
|
||||
|
||||
_*Note:* The same dataset properties which were used for data import should be supplied to the `test` phase._
|
||||
_*Note:* The same dataset properties which were used for data generation/import should be supplied to the `test` phase._
|
||||
|
||||
The default test `keycloak.DefaultSimulation` takes the following additional properties:
|
||||
|
||||
|
@ -145,13 +146,13 @@ To view monitoring dashboard open Grafana UI at: `http://localhost:3000/dashboar
|
|||
|
||||
### Single-node
|
||||
|
||||
- Provision single node of KC + DB, import data, run test, and tear down the provisioned system:
|
||||
- Provision single node of KC + DB, generate data, run test, and tear down the provisioned system:
|
||||
|
||||
`mvn verify -Pprovision,import-data,test,teardown -Ddataset=100u -DrunUsers=100`
|
||||
`mvn verify -Pprovision,generate-data,test,teardown -Ddataset=100u -DrunUsers=100`
|
||||
|
||||
- Provision single node of KC + DB, import data, no test, no teardown:
|
||||
- Provision single node of KC + DB, generate data, no test, no teardown:
|
||||
|
||||
`mvn verify -Pprovision,import-data -Ddataset=100u`
|
||||
`mvn verify -Pprovision,generate-data -Ddataset=100u`
|
||||
|
||||
- Run test against provisioned system using 100 concurrent users ramped up over 10 seconds, then tear it down:
|
||||
|
||||
|
@ -159,13 +160,13 @@ To view monitoring dashboard open Grafana UI at: `http://localhost:3000/dashboar
|
|||
|
||||
### Cluster
|
||||
|
||||
- Provision a 1-node KC cluster + DB, import data, run test against the provisioned system, then tear it down:
|
||||
- Provision a 1-node KC cluster + DB, generate data, run test against the provisioned system, then tear it down:
|
||||
|
||||
`mvn verify -Pprovision,cluster,import-data,test,teardown -Ddataset=100u -DrunUsers=100`
|
||||
`mvn verify -Pprovision,cluster,generate-data,test,teardown -Ddataset=100u -DrunUsers=100`
|
||||
|
||||
- Provision a 2-node KC cluster + DB, import data, run test against the provisioned system, then tear it down:
|
||||
- Provision a 2-node KC cluster + DB, generate data, run test against the provisioned system, then tear it down:
|
||||
|
||||
`mvn verify -Pprovision,cluster,import-data,test,teardown -Dkeycloak.scale=2 -DusersPerRealm=200 -DrunUsers=200`
|
||||
`mvn verify -Pprovision,cluster,generate-data,test,teardown -Dkeycloak.scale=2 -DusersPerRealm=200 -DrunUsers=200`
|
||||
|
||||
|
||||
## Developing tests in IntelliJ IDEA
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
| Category | Setting | Property | Default value |
|
||||
|-------------|-------------------------------|------------------------------------|------------------------------------------------------------------|
|
||||
| JVM | Memory settings | `keycloak.jvm.memory` | -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m |
|
||||
| JVM | Memory settings | `keycloak.jvm.memory` | -Xms64m -Xmx2g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m |
|
||||
| Undertow | HTTP Listener max connections | `keycloak.http.max-connections` | 500 |
|
||||
| | AJP Listener max connections | `keycloak.ajp.max-connections` | 500 |
|
||||
| IO | Worker IO thread pool | `keycloak.worker.io-threads` | 2 |
|
||||
|
@ -29,35 +29,20 @@
|
|||
|-------------|-------------------------------|-------------------------|-----------------------------------------------------------------------------------------|
|
||||
| JVM | Memory settings | `infinispan.jvm.memory` | -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -XX:+DisableExplicitGC |
|
||||
|
||||
## CPUs
|
||||
## Docker settings
|
||||
|
||||
At the moment it is not possible to dynamically parametrize the number of CPUs for a service via Maven properties or environment variables.
|
||||
By default, there are 4 CPU cores allocated: core 0 for monitoring, core 1 for database (MariaDB), and cores 2 and 3 for Keycloak server.
|
||||
Default memory limits for database and Keycloak server are 2g. The `cpuset` and `memlimit` parameters set here are set to `cpuset` and
|
||||
`mem_limit` parameters of docker-compose configuration. See docker-compose documentation for meaning of the values. How to set the parameters
|
||||
correctly depends on number of factors - number of cpu cores, NUMA, available memory etc., hence it is out of scope of this document.
|
||||
|
||||
To change the default value (`cpus: 1`) it is necessary to edit the Docker Compose file.
|
||||
| Container | Setting | Property | Default value |
|
||||
|-------------|-------------------------------|---------------------------------|-------------------------------------------------------|
|
||||
| Keycloak | Allocated CPUs | `keycloak.docker.cpuset` | 2-3 |
|
||||
| | Allocated CPUs for DC1 | `keycloak.dc1.docker.cpuset` | 2-3 |
|
||||
| | Allocated CPUs for DC2 | `keycloak.dc2.docker.cpuset` | 2-3 |
|
||||
| | Available memory | `keycloak.docker.memlimit` | 2g |
|
||||
| MariaDB | Allocated CPUs | `db.docker.cpuset` | 1 |
|
||||
| | Available memory | `db.docker.memlimit` | 2g |
|
||||
| Monitoring | Allocated CPUs | `monitoring.docker.cpuset` | 0 |
|
||||
|
||||
|
||||
### Example: Keycloak service using 2 CPU cores
|
||||
|
||||
`docker-compose.yml` and `docker-compose-cluster.yml`:
|
||||
```
|
||||
services:
|
||||
...
|
||||
keycloak:
|
||||
...
|
||||
cpus: 2
|
||||
...
|
||||
```
|
||||
|
||||
`docker-compose-crossdc.yml`:
|
||||
```
|
||||
services:
|
||||
...
|
||||
keycloak_dc1:
|
||||
...
|
||||
cpus: 2
|
||||
...
|
||||
keycloak_dc2:
|
||||
...
|
||||
cpus: 2
|
||||
...
|
||||
```
|
||||
|
|
|
@ -15,7 +15,8 @@ services:
|
|||
mariadb:
|
||||
build: db/mariadb
|
||||
image: keycloak_test_mariadb:${KEYCLOAK_VERSION:-latest}
|
||||
cpus: 1
|
||||
cpuset: ${DB_CPUSET:-1}
|
||||
mem_limit: ${DB_MEMLIMIT:-1g}
|
||||
networks:
|
||||
- keycloak
|
||||
environment:
|
||||
|
@ -32,7 +33,8 @@ services:
|
|||
depends_on:
|
||||
mariadb:
|
||||
condition: service_healthy
|
||||
cpus: 1
|
||||
cpuset: ${KEYCLOAK_CPUSET:-2-3}
|
||||
mem_limit: ${KEYCLOAK_MEMLIMIT:-2500m}
|
||||
networks:
|
||||
- keycloak
|
||||
environment:
|
||||
|
@ -46,7 +48,7 @@ services:
|
|||
KEYCLOAK_USER: admin
|
||||
KEYCLOAK_PASSWORD: admin
|
||||
|
||||
JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
|
||||
JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx2g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
|
||||
HTTP_MAX_CONNECTIONS: ${KEYCLOAK_HTTP_MAX_CONNECTIONS:-500}
|
||||
AJP_MAX_CONNECTIONS: ${KEYCLOAK_AJP_MAX_CONNECTIONS:-500}
|
||||
WORKER_IO_THREADS: ${KEYCLOAK_WORKER_IO_THREADS:-2}
|
||||
|
|
|
@ -95,7 +95,8 @@ services:
|
|||
depends_on:
|
||||
mariadb_dc1:
|
||||
condition: service_healthy
|
||||
cpus: 1
|
||||
cpuset: ${DB_CPUSET:-1}
|
||||
mem_limit: ${DB_MEMLIMIT:-1g}
|
||||
networks:
|
||||
- db_replication
|
||||
- dc2_keycloak
|
||||
|
@ -122,7 +123,8 @@ services:
|
|||
# wait for the ispn cluster to be ready before starting keycloak
|
||||
infinispan_dc2:
|
||||
condition: service_healthy
|
||||
cpus: 1
|
||||
cpuset: ${KEYCLOAK_DC1_CPUSET:-2}
|
||||
mem_limit: ${KEYCLOAK_MEMLIMIT:-2500m}
|
||||
networks:
|
||||
- dc1_keycloak
|
||||
environment:
|
||||
|
@ -138,7 +140,7 @@ services:
|
|||
INFINISPAN_HOST: infinispan_dc1
|
||||
SITE: dc1
|
||||
|
||||
JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
|
||||
JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx2g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
|
||||
HTTP_MAX_CONNECTIONS: ${KEYCLOAK_HTTP_MAX_CONNECTIONS:-500}
|
||||
AJP_MAX_CONNECTIONS: ${KEYCLOAK_AJP_MAX_CONNECTIONS:-500}
|
||||
WORKER_IO_THREADS: ${KEYCLOAK_WORKER_IO_THREADS:-2}
|
||||
|
@ -162,7 +164,8 @@ services:
|
|||
# wait for first kc instance to be ready before starting another
|
||||
keycloak_dc1:
|
||||
condition: service_healthy
|
||||
cpus: 1
|
||||
cpuset: ${KEYCLOAK_DC2_CPUSET:-3}
|
||||
mem_limit: ${KEYCLOAK_MEMLIMIT:-2500m}
|
||||
networks:
|
||||
- dc2_keycloak
|
||||
environment:
|
||||
|
@ -176,7 +179,7 @@ services:
|
|||
INFINISPAN_HOST: infinispan_dc2
|
||||
SITE: dc2
|
||||
|
||||
JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
|
||||
JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx2g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
|
||||
HTTP_MAX_CONNECTIONS: ${KEYCLOAK_HTTP_MAX_CONNECTIONS:-500}
|
||||
AJP_MAX_CONNECTIONS: ${KEYCLOAK_AJP_MAX_CONNECTIONS:-500}
|
||||
WORKER_IO_THREADS: ${KEYCLOAK_WORKER_IO_THREADS:-2}
|
||||
|
|
|
@ -11,6 +11,7 @@ services:
|
|||
|
||||
monitoring_influxdb:
|
||||
image: influxdb
|
||||
cpuset: ${MONITORING_CPUSET:-1}
|
||||
volumes:
|
||||
- influx:/var/lib/influxdb
|
||||
networks:
|
||||
|
@ -26,6 +27,7 @@ services:
|
|||
monitoring_cadvisor:
|
||||
build: monitoring/cadvisor
|
||||
image: monitoring_cadvisor
|
||||
cpuset: ${MONITORING_CPUSET:-1}
|
||||
hostname: '{{.Node.ID}}'
|
||||
volumes:
|
||||
- /:/rootfs:ro
|
||||
|
@ -50,6 +52,7 @@ services:
|
|||
monitoring_grafana:
|
||||
build: monitoring/grafana
|
||||
image: monitoring_grafana
|
||||
cpuset: ${MONITORING_CPUSET:-1}
|
||||
depends_on:
|
||||
- monitoring_influxdb
|
||||
volumes:
|
||||
|
|
|
@ -11,7 +11,8 @@ services:
|
|||
mariadb:
|
||||
build: db/mariadb
|
||||
image: keycloak_test_mariadb:${KEYCLOAK_VERSION:-latest}
|
||||
cpus: 1
|
||||
cpuset: ${DB_CPUSET:-1}
|
||||
mem_limit: ${DB_MEMLIMIT:-1g}
|
||||
networks:
|
||||
- keycloak
|
||||
environment:
|
||||
|
@ -29,7 +30,8 @@ services:
|
|||
depends_on:
|
||||
mariadb:
|
||||
condition: service_healthy
|
||||
cpus: 1
|
||||
cpuset: ${KEYCLOAK_CPUSET:-2-3}
|
||||
mem_limit: ${KEYCLOAK_MEMLIMIT:-2500m}
|
||||
networks:
|
||||
- keycloak
|
||||
environment:
|
||||
|
@ -40,7 +42,7 @@ services:
|
|||
KEYCLOAK_USER: admin
|
||||
KEYCLOAK_PASSWORD: admin
|
||||
# docker-compose syntax note: ${ENV_VAR:-<DEFAULT_VALUE>}
|
||||
JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
|
||||
JAVA_OPTS: ${KEYCLOAK_JVM_MEMORY:--Xms64m -Xmx2g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m} -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
|
||||
HTTP_MAX_CONNECTIONS: ${KEYCLOAK_HTTP_MAX_CONNECTIONS:-500}
|
||||
WORKER_IO_THREADS: ${KEYCLOAK_WORKER_IO_THREADS:-2}
|
||||
WORKER_TASK_MAX_THREADS: ${KEYCLOAK_WORKER_TASK_MAX_THREADS:-16}
|
||||
|
|
|
@ -17,26 +17,23 @@ ADD target/keycloak configs/ ./
|
|||
ADD *.sh /usr/local/bin/
|
||||
|
||||
USER root
|
||||
RUN chown -R jboss .; chgrp -R jboss .;
|
||||
RUN chmod -R -v +x /usr/local/bin/
|
||||
RUN yum install -y epel-release jq iproute && yum clean all
|
||||
RUN chown -R jboss .; chgrp -R jboss .; \
|
||||
chmod -R -v +x /usr/local/bin/ ; \
|
||||
yum install -y epel-release jq iproute && yum clean all
|
||||
|
||||
USER jboss
|
||||
# install mariadb JDBC driver
|
||||
RUN mkdir -p modules/system/layers/base/org/mariadb/jdbc/main; \
|
||||
cd modules/system/layers/base/org/mariadb/jdbc/main; \
|
||||
curl -O http://central.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/2.0.3/mariadb-java-client-2.0.3.jar
|
||||
ADD module.xml modules/system/layers/base/org/mariadb/jdbc/main/
|
||||
# apply configurations
|
||||
RUN $JBOSS_HOME/bin/jboss-cli.sh --file=set-keycloak-ds.cli
|
||||
RUN $JBOSS_HOME/bin/jboss-cli.sh --file=io-worker-threads.cli
|
||||
RUN $JBOSS_HOME/bin/jboss-cli.sh --file=undertow.cli
|
||||
RUN $JBOSS_HOME/bin/jboss-cli.sh --file=distributed-cache-owners.cli
|
||||
RUN $JBOSS_HOME/bin/jboss-cli.sh --file=modcluster-simple-load-provider.cli
|
||||
RUN if [ "$REMOTE_CACHES" == "true" ]; then $JBOSS_HOME/bin/jboss-cli.sh --file=add-remote-cache-stores.cli; fi
|
||||
RUN cd $JBOSS_HOME/standalone; rm -rf configuration/standalone_xml_history log data tmp
|
||||
RUN curl --create-dirs --output modules/system/layers/base/org/mariadb/jdbc/main/mariadb-java-client-2.0.3.jar http://central.maven.org/maven2/org/mariadb/jdbc/mariadb-java-client/2.0.3/mariadb-java-client-2.0.3.jar ; \
|
||||
$JBOSS_HOME/bin/jboss-cli.sh --file=set-keycloak-ds.cli && \
|
||||
$JBOSS_HOME/bin/jboss-cli.sh --file=io-worker-threads.cli && \
|
||||
$JBOSS_HOME/bin/jboss-cli.sh --file=undertow.cli && \
|
||||
$JBOSS_HOME/bin/jboss-cli.sh --file=distributed-cache-owners.cli && \
|
||||
$JBOSS_HOME/bin/jboss-cli.sh --file=modcluster-simple-load-provider.cli && \
|
||||
if [ "$REMOTE_CACHES" == "true" ]; then $JBOSS_HOME/bin/jboss-cli.sh --file=add-remote-cache-stores.cli; fi && \
|
||||
cd $JBOSS_HOME/standalone; rm -rf configuration/standalone_xml_history log data tmp ; \
|
||||
$JBOSS_HOME/bin/add-user.sh -u $DEBUG_USER -p $DEBUG_USER_PASSWORD
|
||||
|
||||
RUN $JBOSS_HOME/bin/add-user.sh -u $DEBUG_USER -p $DEBUG_USER_PASSWORD
|
||||
ADD module.xml modules/system/layers/base/org/mariadb/jdbc/main/
|
||||
|
||||
EXPOSE 8080
|
||||
EXPOSE 9990
|
||||
|
|
|
@ -15,4 +15,3 @@ if [ $KEYCLOAK_USER ] && [ $KEYCLOAK_PASSWORD ]; then
|
|||
fi
|
||||
|
||||
exec /opt/jboss/keycloak/bin/standalone.sh $PARAMS
|
||||
exit $?
|
||||
|
|
|
@ -4,13 +4,7 @@ GATLING_HOME=$DIRNAME/tests
|
|||
|
||||
if [ -z "$DATASET" ]; then
|
||||
echo "This script requires DATASET env variable to be set"
|
||||
echo 1
|
||||
fi
|
||||
|
||||
./prepare-data.sh $@
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Failed! See log file for details."
|
||||
exit $?
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Exporting dump file"
|
||||
|
|
|
@ -39,7 +39,7 @@
|
|||
<keycloak.server.uris>http://localhost:8080/auth</keycloak.server.uris>
|
||||
<db.url>jdbc:mariadb://keycloak:keycloak@localhost:3306/keycloak</db.url>
|
||||
|
||||
<keycloak.jvm.memory>-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m</keycloak.jvm.memory>
|
||||
<keycloak.jvm.memory>-Xms64m -Xmx2g -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m</keycloak.jvm.memory>
|
||||
<keycloak.http.max-connections>500</keycloak.http.max-connections>
|
||||
<keycloak.ajp.max-connections>500</keycloak.ajp.max-connections>
|
||||
<keycloak.worker.io-threads>2</keycloak.worker.io-threads>
|
||||
|
@ -54,6 +54,17 @@
|
|||
<keycloak-lb.worker.io-threads>2</keycloak-lb.worker.io-threads>
|
||||
<keycloak-lb.worker.task-max-threads>16</keycloak-lb.worker.task-max-threads>
|
||||
|
||||
<!-- Docker-related properties -->
|
||||
<db.docker.cpuset>1</db.docker.cpuset>
|
||||
<keycloak.docker.cpuset>2-3</keycloak.docker.cpuset>
|
||||
<keycloak.dc1.docker.cpuset>2</keycloak.dc1.docker.cpuset>
|
||||
<keycloak.dc2.docker.cpuset>3</keycloak.dc2.docker.cpuset>
|
||||
<monitoring.docker.cpuset>0</monitoring.docker.cpuset>
|
||||
|
||||
<db.docker.memlimit>2g</db.docker.memlimit>
|
||||
<keycloak.docker.memlimit>2g</keycloak.docker.memlimit>
|
||||
<!-- End of docker-related properties -->
|
||||
|
||||
<infinispan.jvm.memory>-Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -XX:+DisableExplicitGC</infinispan.jvm.memory>
|
||||
|
||||
<dataset>default</dataset>
|
||||
|
@ -322,6 +333,13 @@
|
|||
<environmentVariables>
|
||||
<KEYCLOAK_VERSION>${project.version}</KEYCLOAK_VERSION>
|
||||
|
||||
<KEYCLOAK_CPUSET>${keycloak.docker.cpuset}</KEYCLOAK_CPUSET>
|
||||
<KEYCLOAK_DC1_CPUSET>${keycloak.dc1.docker.cpuset}</KEYCLOAK_DC1_CPUSET>
|
||||
<KEYCLOAK_DC2_CPUSET>${keycloak.dc2.docker.cpuset}</KEYCLOAK_DC2_CPUSET>
|
||||
<KEYCLOAK_MEMLIMIT>${keycloak.docker.memlimit}</KEYCLOAK_MEMLIMIT>
|
||||
<DB_CPUSET>${db.docker.cpuset}</DB_CPUSET>
|
||||
<DB_MEMLIMIT>${db.docker.memlimit}</DB_MEMLIMIT>
|
||||
|
||||
<KEYCLOAK_JVM_MEMORY>${keycloak.jvm.memory}</KEYCLOAK_JVM_MEMORY>
|
||||
<KEYCLOAK_HTTP_MAX_CONNECTIONS>${keycloak.http.max-connections}</KEYCLOAK_HTTP_MAX_CONNECTIONS>
|
||||
<KEYCLOAK_AJP_MAX_CONNECTIONS>${keycloak.ajp.max-connections}</KEYCLOAK_AJP_MAX_CONNECTIONS>
|
||||
|
@ -381,7 +399,7 @@
|
|||
</profile>
|
||||
|
||||
<profile>
|
||||
<id>import-data</id>
|
||||
<id>generate-data</id>
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
|
@ -462,6 +480,43 @@
|
|||
</build>
|
||||
</profile>
|
||||
|
||||
<profile>
|
||||
<id>export-dump-after-generation</id>
|
||||
|
||||
<activation>
|
||||
<activeByDefault>false</activeByDefault>
|
||||
<property>
|
||||
<name>export-dump</name>
|
||||
</property>
|
||||
</activation>
|
||||
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>org.codehaus.mojo</groupId>
|
||||
<artifactId>exec-maven-plugin</artifactId>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>export-dump</id>
|
||||
<phase>pre-integration-test</phase>
|
||||
<goals>
|
||||
<goal>exec</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<workingDirectory>${project.basedir}/..</workingDirectory>
|
||||
<executable>./prepare-dump.sh</executable>
|
||||
|
||||
<environmentVariables>
|
||||
<DATASET>${dataset}</DATASET>
|
||||
</environmentVariables>
|
||||
</configuration>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
</profile>
|
||||
|
||||
<profile>
|
||||
<id>import-dump</id>
|
||||
<build>
|
||||
|
@ -581,6 +636,9 @@
|
|||
<workingDirectory>${project.basedir}/..</workingDirectory>
|
||||
<executable>docker-compose</executable>
|
||||
<commandlineArgs>-f docker-compose-monitoring.yml up -d --build</commandlineArgs>
|
||||
<environmentVariables>
|
||||
<MONITORING_CPUSET>${monitoring.docker.cpuset}</MONITORING_CPUSET>
|
||||
</environmentVariables>
|
||||
</configuration>
|
||||
</execution>
|
||||
</executions>
|
||||
|
|
|
@ -1236,7 +1236,7 @@ authz-add-aggregated-policy=Add Aggregated Policy
|
|||
authz-add-group-policy=Add Group Policy
|
||||
authz-no-groups-assigned=No groups assigned.
|
||||
authz-policy-group-claim=Groups Claim
|
||||
authz-policy-group-claim.tooltip=A claim to use as the source for user’s group. If the claim is present it must be an array of strings.
|
||||
authz-policy-group-claim.tooltip=A claim to use as the source for user's group. If the claim is present it must be an array of strings.
|
||||
authz-policy-group-groups.tooltip=Specifies the groups allowed by this policy.
|
||||
|
||||
# Authz Permission List
|
||||
|
@ -1358,7 +1358,7 @@ view-authz-client-scope-description=Policies that decide if an admin can view th
|
|||
map-roles-authz-client-scope-description=Policies that decide if an admin can map roles defined by this client
|
||||
map-roles-client-scope-authz-client-scope-description=Policies that decide if an admin can apply roles defined by this client to the client scope of another client
|
||||
map-roles-composite-authz-client-scope-description=Policies that decide if an admin can apply roles defined by this client as a composite to another role
|
||||
map-role-authz-role-scope-description=Policies that decide if an admin can map role this role to a user or group
|
||||
map-role-authz-role-scope-description=Policies that decide if an admin can map this role to a user or group
|
||||
map-role-client-scope-authz-role-scope-description=Policies that decide if an admin can apply this role to the client scope of a client
|
||||
map-role-composite-authz-role-scope-description=Policies that decide if an admin can apply this role as a composite to another role
|
||||
manage-group-membership-authz-users-scope-description=Policies that decide if an admin can manage group membership for all users in the realm. This is used in conjunction with specific group policy
|
||||
|
|
|
@ -26,7 +26,7 @@
|
|||
data-ng-show="serverInfo.featureEnabled('AUTHORIZATION') && !disableAuthorizationTab && client.authorizationServicesEnabled">
|
||||
<a href="#/realms/{{realm.realm}}/clients/{{client.id}}/authz/resource-server">{{:: 'authz-authorization' |
|
||||
translate}}</a></li>
|
||||
<li ng-class="{active: path[4] == 'revocation'}" data-ng-show="client.protocol != 'docker-v2'"><a
|
||||
<li ng-class="{active: path[4] == 'revocation'}" data-ng-show="client.protocol != 'docker-v2' && client.protocol != 'saml'"><a
|
||||
href="#/realms/{{realm.realm}}/clients/{{client.id}}/revocation">{{:: 'revocation' | translate}}</a>
|
||||
</li>
|
||||
<!-- <li ng-class="{active: path[4] == 'identity-provider'}" data-ng-show="realm.identityFederationEnabled"><a href="#/realms/{{realm.realm}}/clients/{{client.id}}/identity-provider">Identity Provider</a></li> -->
|
||||
|
|
Loading…
Reference in a new issue