From a09bc6520f12f047d4519b601a04c14f150abd2d Mon Sep 17 00:00:00 2001 From: mposolda Date: Fri, 6 Jan 2017 19:27:46 +0100 Subject: [PATCH] KEYCLOAK-2888 KEYCLOAK-3927 Fully migrate kerberos tests to the new testsuite --- .../kerberos/CommonKerberosConfig.java | 24 +- .../federation/kerberos/KerberosConfig.java | 11 +- .../kerberos/LDAPProviderKerberosConfig.java | 7 +- .../rest/TestingResourceProvider.java | 9 + .../client/resources/TestingResource.java | 5 + .../testsuite/util}/KerberosRule.java | 32 +- .../testsuite/util/LDAPTestConfiguration.java | 9 +- .../kerberos/AbstractKerberosTest.java | 443 ++++++++++++++++++ .../federation/kerberos/KerberosLdapTest.java | 150 ++++++ .../kerberos/KerberosStandaloneTest.java | 161 +++++++ .../KeycloakSPNegoSchemeFactory.java | 2 +- .../kerberos-portal/META-INF/context.xml | 20 - .../kerberos-portal/WEB-INF/jetty-web.xml | 27 -- .../WEB-INF/keycloak-relative.json | 9 - .../kerberos-portal/WEB-INF/keycloak.json | 10 - .../kerberos-portal/WEB-INF/web.xml | 57 --- .../kerberosrealm.json | 3 +- .../federation/AbstractKerberosTest.java | 398 ---------------- .../federation/KerberosCredDelegServlet.java | 112 ----- .../federation/KerberosStandaloneTest.java | 249 ---------- .../KeycloakSPNegoSchemeFactory.java | 130 ----- .../ldap/LDAPTestConfiguration.java | 6 +- .../storage/ldap/KerberosLdapTest.java | 197 -------- .../storage/ldap/LDAPTestConfiguration.java | 149 ------ .../kerberos-test/kerberos-app-keycloak.json | 10 - .../kerberos-test/kerberosrealm.json | 53 --- .../src/test/resources/kerberos/http.keytab | Bin 348 -> 0 bytes .../kerberos-ldap-connection.properties | 34 -- .../kerberos-standalone-connection.properties | 23 - .../test/resources/kerberos/test-krb5.conf | 19 - .../resources/kerberos/users-kerberos.ldif | 104 ---- 31 files changed, 832 insertions(+), 1631 deletions(-) rename testsuite/{integration/src/test/java/org/keycloak/testsuite/rule => integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util}/KerberosRule.java (77%) create mode 100644 testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosTest.java create mode 100644 testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosLdapTest.java create mode 100644 testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosStandaloneTest.java rename testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/{adapter/federation => federation/kerberos}/KeycloakSPNegoSchemeFactory.java (98%) delete mode 100644 testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/META-INF/context.xml delete mode 100644 testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/jetty-web.xml delete mode 100644 testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/keycloak-relative.json delete mode 100644 testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/keycloak.json delete mode 100644 testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/web.xml rename testsuite/integration-arquillian/tests/base/src/test/resources/{adapter-test => kerberos}/kerberosrealm.json (96%) delete mode 100755 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/AbstractKerberosTest.java delete mode 100644 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosCredDelegServlet.java delete mode 100755 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosStandaloneTest.java delete mode 100644 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KeycloakSPNegoSchemeFactory.java delete mode 100755 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/KerberosLdapTest.java delete mode 100644 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/LDAPTestConfiguration.java delete mode 100644 testsuite/integration/src/test/resources/kerberos-test/kerberos-app-keycloak.json delete mode 100644 testsuite/integration/src/test/resources/kerberos-test/kerberosrealm.json delete mode 100644 testsuite/integration/src/test/resources/kerberos/http.keytab delete mode 100644 testsuite/integration/src/test/resources/kerberos/kerberos-ldap-connection.properties delete mode 100644 testsuite/integration/src/test/resources/kerberos/kerberos-standalone-connection.properties delete mode 100644 testsuite/integration/src/test/resources/kerberos/test-krb5.conf delete mode 100644 testsuite/integration/src/test/resources/kerberos/users-kerberos.ldif diff --git a/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/CommonKerberosConfig.java b/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/CommonKerberosConfig.java index 4689190450..d9c3d2074a 100644 --- a/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/CommonKerberosConfig.java +++ b/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/CommonKerberosConfig.java @@ -18,7 +18,9 @@ package org.keycloak.federation.kerberos; import org.keycloak.common.constants.KerberosConstants; +import org.keycloak.common.util.MultivaluedHashMap; import org.keycloak.component.ComponentModel; +import org.keycloak.representations.idm.ComponentRepresentation; import java.util.Map; @@ -29,31 +31,39 @@ import java.util.Map; */ public abstract class CommonKerberosConfig { - protected ComponentModel componentModel; + protected MultivaluedHashMap userStorageConfig; public CommonKerberosConfig(ComponentModel componentModel) { - this.componentModel = componentModel; + this.userStorageConfig = componentModel.getConfig(); + } + + public CommonKerberosConfig(ComponentRepresentation componentRep) { + this.userStorageConfig = componentRep.getConfig(); + } + + protected MultivaluedHashMap getConfig() { + return userStorageConfig; } // Should be always true for KerberosFederationProvider public boolean isAllowKerberosAuthentication() { - return Boolean.valueOf(componentModel.getConfig().getFirst(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION)); + return Boolean.valueOf(getConfig().getFirst(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION)); } public String getKerberosRealm() { - return componentModel.getConfig().getFirst(KerberosConstants.KERBEROS_REALM); + return getConfig().getFirst(KerberosConstants.KERBEROS_REALM); } public String getServerPrincipal() { - return componentModel.getConfig().getFirst(KerberosConstants.SERVER_PRINCIPAL); + return getConfig().getFirst(KerberosConstants.SERVER_PRINCIPAL); } public String getKeyTab() { - return componentModel.getConfig().getFirst(KerberosConstants.KEYTAB); + return getConfig().getFirst(KerberosConstants.KEYTAB); } public boolean isDebug() { - return Boolean.valueOf(componentModel.getConfig().getFirst(KerberosConstants.DEBUG)); + return Boolean.valueOf(getConfig().getFirst(KerberosConstants.DEBUG)); } diff --git a/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/KerberosConfig.java b/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/KerberosConfig.java index 26badf9273..010f2c32c5 100644 --- a/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/KerberosConfig.java +++ b/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/KerberosConfig.java @@ -20,6 +20,7 @@ package org.keycloak.federation.kerberos; import org.keycloak.common.constants.KerberosConstants; import org.keycloak.component.ComponentModel; import org.keycloak.models.LDAPConstants; +import org.keycloak.representations.idm.ComponentRepresentation; import org.keycloak.storage.UserStorageProvider.EditMode; /** @@ -33,8 +34,12 @@ public class KerberosConfig extends CommonKerberosConfig { super(component); } + public KerberosConfig(ComponentRepresentation component) { + super(component); + } + public EditMode getEditMode() { - String editModeString = componentModel.getConfig().getFirst(LDAPConstants.EDIT_MODE); + String editModeString = getConfig().getFirst(LDAPConstants.EDIT_MODE); if (editModeString == null) { return EditMode.UNSYNCED; } else { @@ -43,11 +48,11 @@ public class KerberosConfig extends CommonKerberosConfig { } public boolean isAllowPasswordAuthentication() { - return Boolean.valueOf(componentModel.getConfig().getFirst(KerberosConstants.ALLOW_PASSWORD_AUTHENTICATION)); + return Boolean.valueOf(getConfig().getFirst(KerberosConstants.ALLOW_PASSWORD_AUTHENTICATION)); } public boolean isUpdateProfileFirstLogin() { - return Boolean.valueOf(componentModel.getConfig().getFirst(KerberosConstants.UPDATE_PROFILE_FIRST_LOGIN)); + return Boolean.valueOf(getConfig().getFirst(KerberosConstants.UPDATE_PROFILE_FIRST_LOGIN)); } } diff --git a/federation/ldap/src/main/java/org/keycloak/storage/ldap/kerberos/LDAPProviderKerberosConfig.java b/federation/ldap/src/main/java/org/keycloak/storage/ldap/kerberos/LDAPProviderKerberosConfig.java index 87bfcaf137..80b666b5ba 100644 --- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/kerberos/LDAPProviderKerberosConfig.java +++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/kerberos/LDAPProviderKerberosConfig.java @@ -20,6 +20,7 @@ package org.keycloak.storage.ldap.kerberos; import org.keycloak.common.constants.KerberosConstants; import org.keycloak.component.ComponentModel; import org.keycloak.federation.kerberos.CommonKerberosConfig; +import org.keycloak.representations.idm.ComponentRepresentation; import org.keycloak.storage.ldap.LDAPStorageProvider; /** @@ -33,7 +34,11 @@ public class LDAPProviderKerberosConfig extends CommonKerberosConfig { super(componentModel); } + public LDAPProviderKerberosConfig(ComponentRepresentation componentRep) { + super(componentRep); + } + public boolean isUseKerberosForPasswordAuthentication() { - return Boolean.valueOf(componentModel.getConfig().getFirst(KerberosConstants.USE_KERBEROS_FOR_PASSWORD_AUTHENTICATION)); + return Boolean.valueOf(getConfig().getFirst(KerberosConstants.USE_KERBEROS_FOR_PASSWORD_AUTHENTICATION)); } } diff --git a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestingResourceProvider.java b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestingResourceProvider.java index 28e685e3c9..cfcef5a111 100644 --- a/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestingResourceProvider.java +++ b/testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestingResourceProvider.java @@ -82,6 +82,8 @@ import java.util.HashMap; import java.util.List; import java.util.Map; +import static org.keycloak.exportimport.ExportImportConfig.PROVIDER; + /** * @author Stian Thorgersen */ @@ -656,6 +658,13 @@ public class TestingResourceProvider implements RealmResourceProvider { return session.getContext().getRealm().getIdentityProviderByAlias(alias).getConfig(); } + @PUT + @Path("/set-krb5-conf-file") + @Consumes(MediaType.APPLICATION_JSON) + public void setKrb5ConfFile(@QueryParam("krb5-conf-file") String krb5ConfFile) { + System.setProperty("java.security.krb5.conf", krb5ConfFile); + } + private RealmModel getRealmByName(String realmName) { RealmProvider realmProvider = session.getProvider(RealmProvider.class); return realmProvider.getRealmByName(realmName); diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/client/resources/TestingResource.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/client/resources/TestingResource.java index bed2d328ed..9bb73d34a5 100644 --- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/client/resources/TestingResource.java +++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/client/resources/TestingResource.java @@ -256,4 +256,9 @@ public interface TestingResource { @Path("/component") @Produces(MediaType.APPLICATION_JSON) MultivaluedHashMap getComponentConfig(@QueryParam("componentId") String componentId); + + @PUT + @Path("/set-krb5-conf-file") + @Consumes(MediaType.APPLICATION_JSON) + void setKrb5ConfFile(@QueryParam("krb5-conf-file") String krb5ConfFile); } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/KerberosRule.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/KerberosRule.java similarity index 77% rename from testsuite/integration/src/test/java/org/keycloak/testsuite/rule/KerberosRule.java rename to testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/KerberosRule.java index 38a1df20a6..11bfe180ca 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/rule/KerberosRule.java +++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/KerberosRule.java @@ -15,17 +15,17 @@ * limitations under the License. */ -package org.keycloak.testsuite.rule; - -import org.jboss.logging.Logger; -import org.keycloak.testsuite.federation.ldap.LDAPTestConfiguration; -import org.keycloak.util.ldap.KerberosEmbeddedServer; -import org.keycloak.util.ldap.LDAPEmbeddedServer; +package org.keycloak.testsuite.util; import java.io.File; import java.net.URL; import java.util.Properties; +import org.jboss.logging.Logger; +import org.keycloak.testsuite.client.resources.TestingResource; +import org.keycloak.util.ldap.KerberosEmbeddedServer; +import org.keycloak.util.ldap.LDAPEmbeddedServer; + /** * @author Marek Posolda */ @@ -36,18 +36,24 @@ public class KerberosRule extends LDAPRule { private final String configLocation; public KerberosRule(String configLocation) { - this(configLocation, null); - } - - public KerberosRule(String configLocation, LDAPRuleCondition condition) { - super(condition); this.configLocation = configLocation; // Global kerberos configuration + String krb5ConfPath = getKrb5ConfPath(); + System.setProperty("java.security.krb5.conf", krb5ConfPath); + } + + private String getKrb5ConfPath() { URL krb5ConfURL = LDAPTestConfiguration.class.getResource("/kerberos/test-krb5.conf"); String krb5ConfPath = new File(krb5ConfURL.getFile()).getAbsolutePath(); log.info("Krb5.conf file location is: " + krb5ConfPath); + return krb5ConfPath; + } + + public void setKrb5ConfPath(TestingResource testingResource) { + String krb5ConfPath = getKrb5ConfPath(); System.setProperty("java.security.krb5.conf", krb5ConfPath); + testingResource.setKrb5ConfFile(krb5ConfPath); // Needs to set it on wildfly server too } @Override @@ -63,4 +69,8 @@ public class KerberosRule extends LDAPRule { return new KerberosEmbeddedServer(defaultProperties); } + + public boolean isCaseSensitiveLogin() { + return ldapTestConfiguration.isCaseSensitiveLogin(); + } } diff --git a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/LDAPTestConfiguration.java b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/LDAPTestConfiguration.java index 772ae2dcd5..b148a82656 100644 --- a/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/LDAPTestConfiguration.java +++ b/testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/LDAPTestConfiguration.java @@ -28,6 +28,7 @@ import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; +import java.net.URL; import java.util.HashMap; import java.util.Map; @@ -88,7 +89,7 @@ public class LDAPTestConfiguration { DEFAULT_VALUES.put(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "false"); DEFAULT_VALUES.put(KerberosConstants.KERBEROS_REALM, "KEYCLOAK.ORG"); DEFAULT_VALUES.put(KerberosConstants.SERVER_PRINCIPAL, "HTTP/localhost@KEYCLOAK.ORG"); - String keyTabPath = getResource("http.keytab"); + String keyTabPath = getResource("/kerberos/http.keytab"); DEFAULT_VALUES.put(KerberosConstants.KEYTAB, keyTabPath); DEFAULT_VALUES.put(KerberosConstants.DEBUG, "true"); DEFAULT_VALUES.put(KerberosConstants.ALLOW_PASSWORD_AUTHENTICATION, "true"); @@ -102,8 +103,10 @@ public class LDAPTestConfiguration { return ldapTestConfiguration; } - public static String getResource(String resourceName) { - return new File(PROJECT_BUILD_DIRECTORY, "dependency/kerberos/" + resourceName).getAbsolutePath(); + public static String getResource(String resourcePath) { + URL urlPath = LDAPTestConfiguration.class.getResource(resourcePath); + String absolutePath = new File(urlPath.getFile()).getAbsolutePath(); + return absolutePath; } protected void loadConnectionProperties(String connectionPropertiesLocation) { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosTest.java new file mode 100644 index 0000000000..2164ccd995 --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosTest.java @@ -0,0 +1,443 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.federation.kerberos; + +import java.net.URI; +import java.security.Principal; +import java.util.Hashtable; +import java.util.List; +import java.util.Map; + +import javax.naming.Context; +import javax.naming.NamingException; +import javax.naming.directory.Attributes; +import javax.naming.directory.DirContext; +import javax.naming.directory.InitialDirContext; +import javax.security.sasl.Sasl; +import javax.ws.rs.core.HttpHeaders; +import javax.ws.rs.core.Response; + +import org.apache.http.NameValuePair; +import org.apache.http.auth.AuthScope; +import org.apache.http.auth.Credentials; +import org.apache.http.client.params.AuthPolicy; +import org.apache.http.client.utils.URLEncodedUtils; +import org.apache.http.impl.client.DefaultHttpClient; +import org.ietf.jgss.GSSCredential; +import org.jboss.arquillian.graphene.page.Page; +import org.jboss.resteasy.client.jaxrs.ResteasyClient; +import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder; +import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine; +import org.junit.After; +import org.junit.Before; +import org.junit.Rule; +import org.junit.Test; +import org.keycloak.OAuth2Constants; +import org.keycloak.adapters.HttpClientBuilder; +import org.keycloak.admin.client.resource.ClientResource; +import org.keycloak.admin.client.resource.RealmResource; +import org.keycloak.common.constants.KerberosConstants; +import org.keycloak.common.util.KerberosSerializationUtils; +import org.keycloak.common.util.MultivaluedHashMap; +import org.keycloak.events.Details; +import org.keycloak.federation.kerberos.CommonKerberosConfig; +import org.keycloak.models.LDAPConstants; +import org.keycloak.models.ProtocolMapperModel; +import org.keycloak.models.UserModel; +import org.keycloak.models.utils.ModelToRepresentation; +import org.keycloak.protocol.oidc.mappers.UserSessionNoteMapper; +import org.keycloak.representations.AccessToken; +import org.keycloak.representations.idm.ComponentRepresentation; +import org.keycloak.representations.idm.ProtocolMapperRepresentation; +import org.keycloak.representations.idm.RealmRepresentation; +import org.keycloak.representations.idm.UserRepresentation; +import org.keycloak.storage.UserStorageProvider; +import org.keycloak.testsuite.AbstractAuthTest; +import org.keycloak.testsuite.Assert; +import org.keycloak.testsuite.AssertEvents; +import org.keycloak.testsuite.admin.ApiUtil; +import org.keycloak.testsuite.auth.page.AuthRealm; +import org.keycloak.testsuite.pages.AccountPasswordPage; +import org.keycloak.testsuite.pages.LoginPage; +import org.keycloak.testsuite.util.OAuthClient; +import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson; +import static org.keycloak.testsuite.admin.ApiUtil.findClientByClientId; + +/** + * @author Marek Posolda + */ +public abstract class AbstractKerberosTest extends AbstractAuthTest { + + protected KeycloakSPNegoSchemeFactory spnegoSchemeFactory; + + protected ResteasyClient client; + + @Page + protected LoginPage loginPage; + + @Rule + public AssertEvents events = new AssertEvents(this); + + @Page + protected AccountPasswordPage changePasswordPage; + + protected abstract CommonKerberosConfig getKerberosConfig(); + + protected abstract ComponentRepresentation getUserStorageConfiguration(); + + protected abstract void setKrb5ConfPath(); + + @Override + public void addTestRealms(List testRealms) { + RealmRepresentation realmRep = loadJson(getClass().getResourceAsStream("/kerberos/kerberosrealm.json"), RealmRepresentation.class); + testRealms.add(realmRep); + } + + + @Before + public void beforeAbstractKeycloakTest() throws Exception { + super.beforeAbstractKeycloakTest(); + + testRealmPage.setAuthRealm(AuthRealm.TEST); + changePasswordPage.realm(AuthRealm.TEST); + + setKrb5ConfPath(); + + spnegoSchemeFactory = new KeycloakSPNegoSchemeFactory(getKerberosConfig()); + initHttpClient(true); + removeAllUsers(); + + oauth.clientId("kerberos-app"); + + ComponentRepresentation rep = getUserStorageConfiguration(); + testRealmResource().components().add(rep); + } + + @After + public void afterAbstractKeycloakTest() { + cleanupApacheHttpClient(); + + super.afterAbstractKeycloakTest(); + } + + private void cleanupApacheHttpClient() { + client.close(); + client = null; + } + +// @Test +// public void sleepTest() throws Exception { +// String kcLoginPageLocation = oauth.getLoginFormUrl(); +// Thread.sleep(10000000); +// } + + + @Test + public void spnegoNotAvailableTest() throws Exception { + initHttpClient(false); + + String kcLoginPageLocation = oauth.getLoginFormUrl(); + + Response response = client.target(kcLoginPageLocation).request().get(); + Assert.assertEquals(401, response.getStatus()); + Assert.assertEquals(KerberosConstants.NEGOTIATE, response.getHeaderString(HttpHeaders.WWW_AUTHENTICATE)); + String responseText = response.readEntity(String.class); + response.close(); + } + + + protected OAuthClient.AccessTokenResponse spnegoLoginTestImpl() throws Exception { + Response spnegoResponse = spnegoLogin("hnelson", "secret"); + Assert.assertEquals(302, spnegoResponse.getStatus()); + + List users = testRealmResource().users().search("hnelson", 0, 1); + String userId = users.get(0).getId(); + events.expectLogin() + .client("kerberos-app") + .user(userId) + .detail(Details.USERNAME, "hnelson") + .assertEvent(); + + String codeUrl = spnegoResponse.getLocation().toString(); + + return assertAuthenticationSuccess(codeUrl); + } + + + protected abstract boolean isCaseSensitiveLogin(); + + // KEYCLOAK-2102 + @Test + public void spnegoCaseInsensitiveTest() throws Exception { + Response spnegoResponse = spnegoLogin(isCaseSensitiveLogin() ? "MyDuke" : "myduke", "theduke"); + Assert.assertEquals(302, spnegoResponse.getStatus()); + List users = testRealmResource().users().search("myduke", 0, 1); + String userId = users.get(0).getId(); + events.expectLogin() + .client("kerberos-app") + .user(userId) + .detail(Details.USERNAME, "myduke") + .assertEvent(); + + String codeUrl = spnegoResponse.getLocation().toString(); + + assertAuthenticationSuccess(codeUrl); + } + + @Test + public void usernamePasswordLoginTest() throws Exception { + // Change editMode to READ_ONLY + updateProviderEditMode(UserStorageProvider.EditMode.READ_ONLY); + + // Login with username/password from kerberos + changePasswordPage.open(); + loginPage.assertCurrent(); + loginPage.login("jduke", "theduke"); + changePasswordPage.assertCurrent(); + + // Bad existing password + changePasswordPage.changePassword("theduke-invalid", "newPass", "newPass"); + Assert.assertTrue(driver.getPageSource().contains("Invalid existing password.")); + + // Change password is not possible as editMode is READ_ONLY + changePasswordPage.changePassword("theduke", "newPass", "newPass"); + Assert.assertTrue( + driver.getPageSource().contains("You can't update your password as your account is read only")); + + // Change editMode to UNSYNCED + updateProviderEditMode(UserStorageProvider.EditMode.UNSYNCED); + + // Successfully change password now + changePasswordPage.changePassword("theduke", "newPass", "newPass"); + Assert.assertTrue(driver.getPageSource().contains("Your password has been updated.")); + changePasswordPage.logout(); + + // Login with old password doesn't work, but with new password works + loginPage.login("jduke", "theduke"); + loginPage.assertCurrent(); + loginPage.login("jduke", "newPass"); + changePasswordPage.assertCurrent(); + changePasswordPage.logout(); + + // Assert SPNEGO login still with the old password as mode is unsynced + events.clear(); + Response spnegoResponse = spnegoLogin("jduke", "theduke"); + Assert.assertEquals(302, spnegoResponse.getStatus()); + List users = testRealmResource().users().search("jduke", 0, 1); + String userId = users.get(0).getId(); + events.expectLogin() + .client("kerberos-app") + .user(userId) + .detail(Details.USERNAME, "jduke") + .assertEvent(); + + String codeUrl = spnegoResponse.getLocation().toString(); + + assertAuthenticationSuccess(codeUrl); + } + + + @Test + public void credentialDelegationTest() throws Exception { + // Add kerberos delegation credential mapper + ProtocolMapperModel protocolMapper = UserSessionNoteMapper.createClaimMapper(KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME, + KerberosConstants.GSS_DELEGATION_CREDENTIAL, + KerberosConstants.GSS_DELEGATION_CREDENTIAL, "String", + true, KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME, + true, false); + ProtocolMapperRepresentation protocolMapperRep = ModelToRepresentation.toRepresentation(protocolMapper); + ClientResource clientResource = findClientByClientId(testRealmResource(), "kerberos-app"); + Response response = clientResource.getProtocolMappers().createMapper(protocolMapperRep); + String protocolMapperId = ApiUtil.getCreatedId(response); + response.close(); + + // SPNEGO login + OAuthClient.AccessTokenResponse tokenResponse = spnegoLoginTestImpl(); + + // Assert kerberos ticket in the accessToken can be re-used to authenticate against other 3rd party kerberos service (ApacheDS Server in this case) + String accessToken = tokenResponse.getAccessToken(); + AccessToken token = oauth.verifyToken(accessToken); + + String serializedGssCredential = (String) token.getOtherClaims().get(KerberosConstants.GSS_DELEGATION_CREDENTIAL); + Assert.assertNotNull(serializedGssCredential); + GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(serializedGssCredential); + String ldapResponse = invokeLdap(gssCredential, token.getPreferredUsername()); + Assert.assertEquals("Horatio Nelson", ldapResponse); + + // Logout + oauth.openLogout(); + + // Remove protocolMapper + clientResource.getProtocolMappers().delete(protocolMapperId); + + // Login and assert delegated credential not anymore + tokenResponse = spnegoLoginTestImpl(); + accessToken = tokenResponse.getAccessToken(); + token = oauth.verifyToken(accessToken); + Assert.assertFalse(token.getOtherClaims().containsKey(KerberosConstants.GSS_DELEGATION_CREDENTIAL)); + + events.clear(); + } + + private String invokeLdap(GSSCredential gssCredential, String username) throws NamingException { + Hashtable env = new Hashtable(11); + env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); + env.put(Context.PROVIDER_URL, "ldap://localhost:10389"); + + if (gssCredential != null) { + env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); + env.put(Sasl.CREDENTIALS, gssCredential); + } + + DirContext ctx = new InitialDirContext(env); + try { + Attributes attrs = ctx.getAttributes("uid=" + username + ",ou=People,dc=keycloak,dc=org"); + String cn = (String) attrs.get("cn").get(); + String sn = (String) attrs.get("sn").get(); + return cn + " " + sn; + } finally { + ctx.close(); + } + } + + + protected Response spnegoLogin(String username, String password) { + String kcLoginPageLocation = oauth.getLoginFormUrl(); + + // Request for SPNEGO login sent with Resteasy client + spnegoSchemeFactory.setCredentials(username, password); + Response response = client.target(kcLoginPageLocation).request().get(); + if (response.getStatus() == 302) { + if (response.getLocation() == null) + return response; + String uri = response.getLocation().toString(); + if (uri.contains("login-actions/required-action")) { + response = client.target(uri).request().get(); + } + } + return response; + + } + + + protected void initHttpClient(boolean useSpnego) { + if (client != null) { + cleanupApacheHttpClient(); + } + + DefaultHttpClient httpClient = (DefaultHttpClient) new HttpClientBuilder().build(); + httpClient.getAuthSchemes().register(AuthPolicy.SPNEGO, spnegoSchemeFactory); + + if (useSpnego) { + Credentials fake = new Credentials() { + + public String getPassword() { + return null; + } + + public Principal getUserPrincipal() { + return null; + } + + }; + + httpClient.getCredentialsProvider().setCredentials( + new AuthScope(null, -1, null), + fake); + } + ApacheHttpClient4Engine engine = new ApacheHttpClient4Engine(httpClient); + client = new ResteasyClientBuilder().httpEngine(engine).build(); + } + + + protected void removeAllUsers() { + RealmResource realm = testRealmResource(); + List users = realm.users().search("", 0, Integer.MAX_VALUE); + for (UserRepresentation user : users) { + if (!user.getUsername().equals(AssertEvents.DEFAULT_USERNAME)) { + realm.users().get(user.getId()).remove(); + } + } + Assert.assertEquals(1, realm.users().search("", 0, Integer.MAX_VALUE).size()); + } + + + protected void assertUser(String expectedUsername, String expectedEmail, String expectedFirstname, + String expectedLastname, boolean updateProfileActionExpected) { + try { + UserRepresentation user = ApiUtil.findUserByUsername(testRealmResource(), expectedUsername); + Assert.assertNotNull(user); + Assert.assertEquals(expectedEmail, user.getEmail()); + Assert.assertEquals(expectedFirstname, user.getFirstName()); + Assert.assertEquals(expectedLastname, user.getLastName()); + + if (updateProfileActionExpected) { + Assert.assertEquals(UserModel.RequiredAction.UPDATE_PROFILE.toString(), + user.getRequiredActions().iterator().next()); + } else { + Assert.assertTrue(user.getRequiredActions().isEmpty()); + } + } finally { + } + } + + + protected OAuthClient.AccessTokenResponse assertAuthenticationSuccess(String codeUrl) throws Exception { + List pairs = URLEncodedUtils.parse(new URI(codeUrl), "UTF-8"); + String code = null; + String state = null; + for (NameValuePair pair : pairs) { + if (pair.getName().equals(OAuth2Constants.CODE)) { + code = pair.getValue(); + } else if (pair.getName().equals(OAuth2Constants.STATE)) { + state = pair.getValue(); + } + } + Assert.assertNotNull(code); + Assert.assertNotNull(state); + OAuthClient.AccessTokenResponse response = oauth.doAccessTokenRequest(code, "password"); + Assert.assertNotNull(response.getAccessToken()); + events.clear(); + return response; + } + + + protected void updateProviderEditMode(UserStorageProvider.EditMode editMode) { + List reps = testRealmResource().components().query("test", UserStorageProvider.class.getName()); + Assert.assertEquals(1, reps.size()); + ComponentRepresentation kerberosProvider = reps.get(0); + kerberosProvider.getConfig().putSingle(LDAPConstants.EDIT_MODE, editMode.toString()); + testRealmResource().components().component(kerberosProvider.getId()).update(kerberosProvider); + } + + public RealmResource testRealmResource() { + return adminClient.realm("test"); + } + + + // TODO: Use LDAPTestUtils.toComponentConfig once it's migrated to new testsuite + public static MultivaluedHashMap toComponentConfig(Map ldapConfig) { + MultivaluedHashMap config = new MultivaluedHashMap<>(); + for (Map.Entry entry : ldapConfig.entrySet()) { + config.add(entry.getKey(), entry.getValue()); + + } + return config; + } + +} diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosLdapTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosLdapTest.java new file mode 100644 index 0000000000..1a4f626ca7 --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosLdapTest.java @@ -0,0 +1,150 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.federation.kerberos; + +import java.util.List; +import java.util.Map; + +import javax.ws.rs.core.Response; + +import org.junit.Assert; +import org.junit.ClassRule; +import org.junit.Test; +import org.keycloak.common.util.MultivaluedHashMap; +import org.keycloak.events.Details; +import org.keycloak.federation.kerberos.CommonKerberosConfig; +import org.keycloak.models.utils.ModelToRepresentation; +import org.keycloak.representations.idm.ComponentRepresentation; +import org.keycloak.representations.idm.UserRepresentation; +import org.keycloak.storage.UserStorageProvider; +import org.keycloak.storage.UserStorageProviderModel; +import org.keycloak.storage.ldap.LDAPStorageProviderFactory; +import org.keycloak.storage.ldap.kerberos.LDAPProviderKerberosConfig; +import org.keycloak.testsuite.util.KerberosRule; + +/** + * @author Marek Posolda + */ +public class KerberosLdapTest extends AbstractKerberosTest { + + private static final String PROVIDER_CONFIG_LOCATION = "classpath:kerberos/kerberos-ldap-connection.properties"; + + @ClassRule + public static KerberosRule kerberosRule = new KerberosRule(PROVIDER_CONFIG_LOCATION); + + @Override + protected CommonKerberosConfig getKerberosConfig() { + return new LDAPProviderKerberosConfig(getUserStorageConfiguration()); + } + + @Override + protected ComponentRepresentation getUserStorageConfiguration() { + Map kerberosConfig = kerberosRule.getConfig(); + MultivaluedHashMap config = toComponentConfig(kerberosConfig); + + UserStorageProviderModel model = new UserStorageProviderModel(); + model.setLastSync(0); + model.setChangedSyncPeriod(-1); + model.setFullSyncPeriod(-1); + model.setName("kerberos-ldap"); + model.setPriority(0); + model.setProviderId(LDAPStorageProviderFactory.PROVIDER_NAME); + model.setConfig(config); + + ComponentRepresentation rep = ModelToRepresentation.toRepresentationWithoutConfig(model); + return rep; + } + + + @Override + protected boolean isCaseSensitiveLogin() { + return kerberosRule.isCaseSensitiveLogin(); + } + + + @Override + protected void setKrb5ConfPath() { + kerberosRule.setKrb5ConfPath(testingClient.testing()); + } + + + @Test + public void spnegoLoginTest() throws Exception { + spnegoLoginTestImpl(); + + // Assert user was imported and hasn't any required action on him. Profile info is synced from LDAP + assertUser("hnelson", "hnelson@keycloak.org", "Horatio", "Nelson", false); + } + + + @Test + public void writableEditModeTest() throws Exception { + // Change editMode to WRITABLE + updateProviderEditMode(UserStorageProvider.EditMode.WRITABLE); + + // Login with username/password from kerberos + changePasswordPage.open(); + // Only needed if you are providing a click thru to bypass kerberos. Currently there is a javascript + // to forward the user if kerberos isn't enabled. + //bypassPage.isCurrent(); + //bypassPage.clickContinue(); + loginPage.assertCurrent(); + loginPage.login("jduke", "theduke"); + Assert.assertTrue(changePasswordPage.isCurrent()); + + // Successfully change password now + changePasswordPage.changePassword("theduke", "newPass", "newPass"); + Assert.assertTrue(driver.getPageSource().contains("Your password has been updated.")); + changePasswordPage.logout(); + + // Only needed if you are providing a click thru to bypass kerberos. Currently there is a javascript + // to forward the user if kerberos isn't enabled. + //bypassPage.isCurrent(); + //bypassPage.clickContinue(); + + // Login with old password doesn't work, but with new password works + loginPage.login("jduke", "theduke"); + Assert.assertTrue(loginPage.isCurrent()); + loginPage.login("jduke", "newPass"); + changePasswordPage.assertCurrent(); + changePasswordPage.logout(); + + // Assert SPNEGO login with the new password as mode is writable + events.clear(); + Response spnegoResponse = spnegoLogin("jduke", "newPass"); + org.keycloak.testsuite.Assert.assertEquals(302, spnegoResponse.getStatus()); + org.keycloak.testsuite.Assert.assertEquals(302, spnegoResponse.getStatus()); + List users = testRealmResource().users().search("jduke", 0, 1); + String userId = users.get(0).getId(); + events.expectLogin() + .client("kerberos-app") + .user(userId) + .detail(Details.USERNAME, "jduke") + .assertEvent(); + + String codeUrl = spnegoResponse.getLocation().toString(); + + assertAuthenticationSuccess(codeUrl); + + // Change password back + changePasswordPage.open(); + loginPage.login("jduke", "newPass"); + changePasswordPage.assertCurrent(); + changePasswordPage.changePassword("newPass", "theduke", "theduke"); + } +} diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosStandaloneTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosStandaloneTest.java new file mode 100644 index 0000000000..9ed0cc9909 --- /dev/null +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KerberosStandaloneTest.java @@ -0,0 +1,161 @@ +/* + * Copyright 2016 Red Hat, Inc. and/or its affiliates + * and other contributors as indicated by the @author tags. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.keycloak.testsuite.federation.kerberos; + +import java.util.List; +import java.util.Map; +import java.util.regex.Matcher; +import java.util.regex.Pattern; + + +import javax.ws.rs.core.Response; + +import org.junit.After; +import org.junit.Assert; +import org.junit.Before; +import org.junit.ClassRule; +import org.junit.Test; +import org.keycloak.common.constants.KerberosConstants; +import org.keycloak.common.util.MultivaluedHashMap; +import org.keycloak.federation.kerberos.CommonKerberosConfig; +import org.keycloak.federation.kerberos.KerberosConfig; +import org.keycloak.federation.kerberos.KerberosFederationProviderFactory; +import org.keycloak.models.utils.ModelToRepresentation; +import org.keycloak.representations.idm.ComponentRepresentation; +import org.keycloak.storage.UserStorageProvider; +import org.keycloak.storage.UserStorageProviderModel; +import org.keycloak.testsuite.util.KerberosRule; + +/** + * @author Marek Posolda + */ +public class KerberosStandaloneTest extends AbstractKerberosTest { + + private static final String PROVIDER_CONFIG_LOCATION = "classpath:kerberos/kerberos-standalone-connection.properties"; + + @ClassRule + public static KerberosRule kerberosRule = new KerberosRule(PROVIDER_CONFIG_LOCATION); + + @Override + protected CommonKerberosConfig getKerberosConfig() { + return new KerberosConfig(getUserStorageConfiguration()); + } + + @Override + protected ComponentRepresentation getUserStorageConfiguration() { + Map kerberosConfig = kerberosRule.getConfig(); + MultivaluedHashMap config = toComponentConfig(kerberosConfig); + + UserStorageProviderModel model = new UserStorageProviderModel(); + model.setLastSync(0); + model.setChangedSyncPeriod(-1); + model.setFullSyncPeriod(-1); + model.setName("kerberos-standalone"); + model.setPriority(0); + model.setProviderId(KerberosFederationProviderFactory.PROVIDER_NAME); + model.setConfig(config); + + ComponentRepresentation rep = ModelToRepresentation.toRepresentationWithoutConfig(model); + return rep; + } + + + @Override + protected boolean isCaseSensitiveLogin() { + return kerberosRule.isCaseSensitiveLogin(); + } + + + @Override + protected void setKrb5ConfPath() { + kerberosRule.setKrb5ConfPath(testingClient.testing()); + } + + @Test + public void spnegoLoginTest() throws Exception { + spnegoLoginTestImpl(); + + // Assert user was imported and hasn't any required action on him. Profile info is synced from LDAP + assertUser("hnelson", "hnelson@keycloak.org", null, null, false); + } + + + @Test + public void updateProfileEnabledTest() throws Exception { + // Switch updateProfileOnFirstLogin to on + List reps = testRealmResource().components().query("test", UserStorageProvider.class.getName()); + org.keycloak.testsuite.Assert.assertEquals(1, reps.size()); + ComponentRepresentation kerberosProvider = reps.get(0); + kerberosProvider.getConfig().putSingle(KerberosConstants.UPDATE_PROFILE_FIRST_LOGIN, "true"); + testRealmResource().components().component(kerberosProvider.getId()).update(kerberosProvider); + + // Assert update profile page is displayed + Response spnegoResponse = spnegoLogin("hnelson", "secret"); + Assert.assertEquals(200, spnegoResponse.getStatus()); + String responseText = spnegoResponse.readEntity(String.class); + Assert.assertTrue(responseText.contains("You need to update your user profile to activate your account.")); + Assert.assertTrue(responseText.contains("hnelson@keycloak.org")); + spnegoResponse.close(); + + // Assert user was imported and has required action on him + assertUser("hnelson", "hnelson@keycloak.org", null, null, true); + + // Switch updateProfileOnFirstLogin to off + kerberosProvider.getConfig().putSingle(KerberosConstants.UPDATE_PROFILE_FIRST_LOGIN, "false"); + testRealmResource().components().component(kerberosProvider.getId()).update(kerberosProvider); + } + + + /** + * KEYCLOAK-3451 + * + * Test that if there is no User Storage Provider that can handle kerberos we can still login + * + * @throws Exception + */ + @Test + public void noProvider() throws Exception { + List reps = testRealmResource().components().query("test", UserStorageProvider.class.getName()); + org.keycloak.testsuite.Assert.assertEquals(1, reps.size()); + ComponentRepresentation kerberosProvider = reps.get(0); + testRealmResource().components().component(kerberosProvider.getId()).remove(); + + /* + To do this we do a valid kerberos login. The authenticator will obtain a valid token, but there will + be no user storage provider that can process it. This means we should be on the login page. + We do this through a JAX-RS client request. We extract the action URL from the login page, and stuff it + into selenium then just perform a regular login. + */ + Response spnegoResponse = spnegoLogin("hnelson", "secret"); + String context = spnegoResponse.readEntity(String.class); + spnegoResponse.close(); + Pattern pattern = Pattern.compile("action=\"([^\"]+)\""); + Matcher m = pattern.matcher(context); + Assert.assertTrue(m.find()); + String url = m.group(1); + driver.navigate().to(url); + Assert.assertTrue(loginPage.isCurrent()); + loginPage.login("test-user@localhost", "password"); + String pageSource = driver.getPageSource(); + assertAuthenticationSuccess(driver.getCurrentUrl()); + + events.clear(); + testRealmResource().components().add(kerberosProvider); + } + +} diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/federation/KeycloakSPNegoSchemeFactory.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KeycloakSPNegoSchemeFactory.java similarity index 98% rename from testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/federation/KeycloakSPNegoSchemeFactory.java rename to testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KeycloakSPNegoSchemeFactory.java index fdd5f3feae..d212881706 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/federation/KeycloakSPNegoSchemeFactory.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/KeycloakSPNegoSchemeFactory.java @@ -15,7 +15,7 @@ * limitations under the License. */ -package org.keycloak.testsuite.adapter.federation; +package org.keycloak.testsuite.federation.kerberos; import org.apache.http.auth.AuthScheme; import org.apache.http.auth.Credentials; diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/META-INF/context.xml b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/META-INF/context.xml deleted file mode 100644 index bb128d1c0a..0000000000 --- a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/META-INF/context.xml +++ /dev/null @@ -1,20 +0,0 @@ - - - - - \ No newline at end of file diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/jetty-web.xml b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/jetty-web.xml deleted file mode 100644 index 64863de3ef..0000000000 --- a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/jetty-web.xml +++ /dev/null @@ -1,27 +0,0 @@ - - - - - - - - - - - - \ No newline at end of file diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/keycloak-relative.json b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/keycloak-relative.json deleted file mode 100644 index 549fde40b7..0000000000 --- a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/keycloak-relative.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "realm" : "test", - "resource" : "kerberos-app", - "auth-server-url" : "/auth", - "ssl-required" : "external", - "credentials" : { - "secret": "password" - } -} diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/keycloak.json b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/keycloak.json deleted file mode 100644 index 609bcdb1aa..0000000000 --- a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/keycloak.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "realm": "test", - "resource": "kerberos-app", - "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", - "auth-server-url": "http://localhost:8081/auth", - "ssl-required" : "external", - "credentials": { - "secret": "password" - } -} diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/web.xml b/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/web.xml deleted file mode 100644 index a52c8e5260..0000000000 --- a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberos-portal/WEB-INF/web.xml +++ /dev/null @@ -1,57 +0,0 @@ - - - - - - kerberos-portal - - - Servlet - org.keycloak.testsuite.adapter.servlet.KerberosCredDelegServlet - - - - Servlet - /* - - - - - Users - /* - - - user - - - - - KEYCLOAK - test - - - - admin - - - user - - diff --git a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberosrealm.json b/testsuite/integration-arquillian/tests/base/src/test/resources/kerberos/kerberosrealm.json similarity index 96% rename from testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberosrealm.json rename to testsuite/integration-arquillian/tests/base/src/test/resources/kerberos/kerberosrealm.json index a77d447771..b48faf1d6e 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/kerberosrealm.json +++ b/testsuite/integration-arquillian/tests/base/src/test/resources/kerberos/kerberosrealm.json @@ -37,7 +37,8 @@ "adminUrl": "/kerberos-portal/logout", "baseUrl": "/kerberos-portal", "redirectUris": [ - "/kerberos-portal/*" + "/kerberos-portal/*", + "/auth/realms/master/app/*" ], "secret": "password" } diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/AbstractKerberosTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/AbstractKerberosTest.java deleted file mode 100755 index 78266b8810..0000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/AbstractKerberosTest.java +++ /dev/null @@ -1,398 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation; - -import org.apache.http.auth.AuthScope; -import org.apache.http.auth.Credentials; -import org.apache.http.client.params.AuthPolicy; -import org.apache.http.impl.client.DefaultHttpClient; -import org.jboss.resteasy.client.jaxrs.ResteasyClient; -import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder; -import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine; -import org.junit.After; -import org.junit.Assert; -import org.junit.Before; -import org.junit.Test; -import org.keycloak.adapters.HttpClientBuilder; -import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator; -import org.keycloak.common.constants.KerberosConstants; -import org.keycloak.component.ComponentModel; -import org.keycloak.events.Details; -import org.keycloak.federation.kerberos.CommonKerberosConfig; -import org.keycloak.models.ClientModel; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.LDAPConstants; -import org.keycloak.models.ProtocolMapperModel; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserModel; -import org.keycloak.protocol.oidc.OIDCLoginProtocol; -import org.keycloak.protocol.oidc.mappers.UserSessionNoteMapper; -import org.keycloak.services.managers.RealmManager; -import org.keycloak.storage.UserStorageProvider; -import org.keycloak.testsuite.AssertEvents; -import org.keycloak.testsuite.OAuthClient; -import org.keycloak.testsuite.pages.AccountPasswordPage; -import org.keycloak.testsuite.pages.BypassKerberosPage; -import org.keycloak.testsuite.pages.LoginPage; -import org.keycloak.testsuite.rule.KeycloakRule; -import org.keycloak.testsuite.rule.WebResource; -import org.openqa.selenium.WebDriver; - -import javax.ws.rs.core.HttpHeaders; -import javax.ws.rs.core.Response; -import java.security.Principal; -import java.util.List; - -/** - * @author Marek Posolda - */ -public abstract class AbstractKerberosTest { - - protected String KERBEROS_APP_URL = "http://localhost:8081/kerberos-portal"; - - protected KeycloakSPNegoSchemeFactory spnegoSchemeFactory; - protected ResteasyClient client; - - @WebResource - protected OAuthClient oauth; - - @WebResource - protected WebDriver driver; - - @WebResource - protected LoginPage loginPage; - - @WebResource - protected BypassKerberosPage bypassPage; - - @WebResource - protected AccountPasswordPage changePasswordPage; - - protected abstract CommonKerberosConfig getKerberosConfig(); - protected abstract KeycloakRule getKeycloakRule(); - protected abstract AssertEvents getAssertEvents(); - - @Before - public void before() { - CommonKerberosConfig kerberosConfig = getKerberosConfig(); - spnegoSchemeFactory = new KeycloakSPNegoSchemeFactory(kerberosConfig); - initHttpClient(true); - removeAllUsers(); - } - - @After - public void after() { - client.close(); - client = null; - } - - - @Test - public void spnegoNotAvailableTest() throws Exception { - initHttpClient(false); - - SpnegoAuthenticator.bypassChallengeJavascript = true; - driver.navigate().to(KERBEROS_APP_URL); - String kcLoginPageLocation = driver.getCurrentUrl(); - - Response response = client.target(kcLoginPageLocation).request().get(); - Assert.assertEquals(401, response.getStatus()); - Assert.assertEquals(KerberosConstants.NEGOTIATE, response.getHeaderString(HttpHeaders.WWW_AUTHENTICATE)); - String responseText = response.readEntity(String.class); - responseText.contains("Log in to test"); - response.close(); - SpnegoAuthenticator.bypassChallengeJavascript = false; - } - - - protected void spnegoLoginTestImpl() throws Exception { - KeycloakRule keycloakRule = getKeycloakRule(); - AssertEvents events = getAssertEvents(); - - Response spnegoResponse = spnegoLogin("hnelson", "secret"); - Assert.assertEquals(302, spnegoResponse.getStatus()); - - events.expectLogin() - .client("kerberos-app") - .user(keycloakRule.getUser("test", "hnelson").getId()) - .detail(Details.REDIRECT_URI, KERBEROS_APP_URL) - //.detail(Details.AUTH_METHOD, "spnego") - .detail(Details.USERNAME, "hnelson") - .assertEvent(); - - String location = spnegoResponse.getLocation().toString(); - driver.navigate().to(location); - - String pageSource = driver.getPageSource(); - Assert.assertTrue(pageSource.contains("Kerberos Test") && pageSource.contains("Kerberos servlet secured content")); - - spnegoResponse.close(); - events.clear(); - } - - // KEYCLOAK-2102 - @Test - public void spnegoCaseInsensitiveTest() throws Exception { - KeycloakRule keycloakRule = getKeycloakRule(); - AssertEvents events = getAssertEvents(); - - Response spnegoResponse = spnegoLogin("MyDuke", "theduke"); - Assert.assertEquals(302, spnegoResponse.getStatus()); - - events.expectLogin() - .client("kerberos-app") - .user(keycloakRule.getUser("test", "myduke").getId()) - .detail(Details.REDIRECT_URI, KERBEROS_APP_URL) - //.detail(Details.AUTH_METHOD, "spnego") - .detail(Details.USERNAME, "myduke") - .assertEvent(); - - String location = spnegoResponse.getLocation().toString(); - driver.navigate().to(location); - - String pageSource = driver.getPageSource(); - Assert.assertTrue(pageSource.contains("Kerberos Test") && pageSource.contains("Kerberos servlet secured content")); - - spnegoResponse.close(); - events.clear(); - } - - - @Test - public void usernamePasswordLoginTest() throws Exception { - KeycloakRule keycloakRule = getKeycloakRule(); - AssertEvents events = getAssertEvents(); - - // Change editMode to READ_ONLY - updateProviderEditMode(UserStorageProvider.EditMode.READ_ONLY); - - // Login with username/password from kerberos - changePasswordPage.open(); - // Only needed if you are providing a click thru to bypass kerberos. Currently there is a javascript - // to forward the user if kerberos isn't enabled. - //bypassPage.isCurrent(); - //bypassPage.clickContinue(); - loginPage.assertCurrent(); - loginPage.login("jduke", "theduke"); - changePasswordPage.assertCurrent(); - - // Bad existing password - changePasswordPage.changePassword("theduke-invalid", "newPass", "newPass"); - Assert.assertTrue(driver.getPageSource().contains("Invalid existing password.")); - - // Change password is not possible as editMode is READ_ONLY - changePasswordPage.changePassword("theduke", "newPass", "newPass"); - Assert.assertTrue(driver.getPageSource().contains("You can't update your password as your account is read only")); - - // Change editMode to UNSYNCED - updateProviderEditMode(UserStorageProvider.EditMode.UNSYNCED); - - // Successfully change password now - changePasswordPage.changePassword("theduke", "newPass", "newPass"); - Assert.assertTrue(driver.getPageSource().contains("Your password has been updated.")); - changePasswordPage.logout(); - - // Only needed if you are providing a click thru to bypass kerberos. Currently there is a javascript - // to forward the user if kerberos isn't enabled. - //bypassPage.isCurrent(); - //bypassPage.clickContinue(); - // Login with old password doesn't work, but with new password works - loginPage.login("jduke", "theduke"); - loginPage.assertCurrent(); - loginPage.login("jduke", "newPass"); - changePasswordPage.assertCurrent(); - changePasswordPage.logout(); - - // Assert SPNEGO login still with the old password as mode is unsynced - events.clear(); - Response spnegoResponse = spnegoLogin("jduke", "theduke"); - Assert.assertEquals(302, spnegoResponse.getStatus()); - String redirect = spnegoResponse.getLocation().toString(); - events.expectLogin() - .client("kerberos-app") - .user(keycloakRule.getUser("test", "jduke").getId()) - .detail(Details.REDIRECT_URI, KERBEROS_APP_URL) - //.detail(Details.AUTH_METHOD, "spnego") - .detail(Details.USERNAME, "jduke") - .assertEvent(); - spnegoResponse.close(); - } - - @Test - public void credentialDelegationTest() throws Exception { - // Add kerberos delegation credential mapper - getKeycloakRule().update(new KeycloakRule.KeycloakSetup() { - - @Override - public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { - ProtocolMapperModel protocolMapper = UserSessionNoteMapper.createClaimMapper(KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME, - KerberosConstants.GSS_DELEGATION_CREDENTIAL, - KerberosConstants.GSS_DELEGATION_CREDENTIAL, "String", - true, KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME, - true, false); - - ClientModel kerberosApp = appRealm.getClientByClientId("kerberos-app"); - kerberosApp.addProtocolMapper(protocolMapper); - } - - }); - - // SPNEGO login - spnegoLoginTestImpl(); - - // Assert servlet authenticated to LDAP with delegated credential - driver.navigate().to(KERBEROS_APP_URL + KerberosCredDelegServlet.CRED_DELEG_TEST_PATH); - String pageSource = driver.getPageSource(); - Assert.assertTrue(pageSource.contains("LDAP Data: Horatio Nelson")); - - // Remove kerberos delegation credential mapper - getKeycloakRule().update(new KeycloakRule.KeycloakSetup() { - - @Override - public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { - ClientModel kerberosApp = appRealm.getClientByClientId("kerberos-app"); - ProtocolMapperModel toRemove = kerberosApp.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME); - kerberosApp.removeProtocolMapper(toRemove); - } - - }); - - // Clear driver and login again. I can't invoke LDAP now as GSS Credential is not in accessToken - driver.manage().deleteAllCookies(); - spnegoLoginTestImpl(); - driver.navigate().to(KERBEROS_APP_URL + KerberosCredDelegServlet.CRED_DELEG_TEST_PATH); - pageSource = driver.getPageSource(); - Assert.assertFalse(pageSource.contains("LDAP Data: Horatio Nelson")); - Assert.assertTrue(pageSource.contains("LDAP Data: ERROR")); - } - - - - protected Response spnegoLogin(String username, String password) { - SpnegoAuthenticator.bypassChallengeJavascript = true; - driver.navigate().to(KERBEROS_APP_URL); - String kcLoginPageLocation = driver.getCurrentUrl(); - - // Request for SPNEGO login sent with Resteasy client - spnegoSchemeFactory.setCredentials(username, password); - Response response = client.target(kcLoginPageLocation).request().get(); - SpnegoAuthenticator.bypassChallengeJavascript = false; - if (response.getStatus() == 302) { - if (response.getLocation() == null) return response; - String uri = response.getLocation().toString(); - if (uri.contains("login-actions/required-action")) { - response = client.target(uri).request().get(); - } - } - return response; - - } - - - protected void initHttpClient(boolean useSpnego) { - if (client != null) { - after(); - } - - DefaultHttpClient httpClient = (DefaultHttpClient) new HttpClientBuilder().build(); - httpClient.getAuthSchemes().register(AuthPolicy.SPNEGO, spnegoSchemeFactory); - - if (useSpnego) { - Credentials fake = new Credentials() { - - public String getPassword() { - return null; - } - - public Principal getUserPrincipal() { - return null; - } - - }; - - httpClient.getCredentialsProvider().setCredentials( - new AuthScope(null, -1, null), - fake); - } - - ApacheHttpClient4Engine engine = new ApacheHttpClient4Engine(httpClient); - client = new ResteasyClientBuilder().httpEngine(engine).build(); - } - - - protected void removeAllUsers() { - KeycloakRule keycloakRule = getKeycloakRule(); - - KeycloakSession session = keycloakRule.startSession(); - try { - RealmManager manager = new RealmManager(session); - - RealmModel appRealm = manager.getRealm("test"); - List users = session.users().getUsers(appRealm, true); - for (UserModel user : users) { - if (!user.getUsername().equals(AssertEvents.DEFAULT_USERNAME)) { - session.users().removeUser(appRealm, user); - } - } - - Assert.assertEquals(1, session.users().getUsers(appRealm, true).size()); - } finally { - keycloakRule.stopSession(session, true); - } - } - - - protected void assertUser(String expectedUsername, String expectedEmail, String expectedFirstname, String expectedLastname, boolean updateProfileActionExpected) { - KeycloakRule keycloakRule = getKeycloakRule(); - - KeycloakSession session = keycloakRule.startSession(); - try { - RealmManager manager = new RealmManager(session); - RealmModel appRealm = manager.getRealm("test"); - - UserModel user = session.users().getUserByUsername(expectedUsername, appRealm); - Assert.assertNotNull(user); - Assert.assertEquals(user.getEmail(), expectedEmail); - Assert.assertEquals(user.getFirstName(), expectedFirstname); - Assert.assertEquals(user.getLastName(), expectedLastname); - - if (updateProfileActionExpected) { - Assert.assertEquals(UserModel.RequiredAction.UPDATE_PROFILE.toString(), user.getRequiredActions().iterator().next()); - } else { - Assert.assertTrue(user.getRequiredActions().isEmpty()); - } - } finally { - keycloakRule.stopSession(session, true); - } - } - - - protected void updateProviderEditMode(UserStorageProvider.EditMode editMode) { - KeycloakRule keycloakRule = getKeycloakRule(); - - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealm("test"); - ComponentModel kerberosProviderModel = realm.getComponents(realm.getId(), UserStorageProvider.class.getName()).get(0); - kerberosProviderModel.getConfig().putSingle(LDAPConstants.EDIT_MODE, editMode.toString()); - realm.updateComponent(kerberosProviderModel); - } finally { - keycloakRule.stopSession(session, true); - } - } -} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosCredDelegServlet.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosCredDelegServlet.java deleted file mode 100644 index 33b1012698..0000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosCredDelegServlet.java +++ /dev/null @@ -1,112 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation; - -import org.ietf.jgss.GSSCredential; -import org.keycloak.KeycloakPrincipal; -import org.keycloak.common.constants.KerberosConstants; -import org.keycloak.common.util.KerberosSerializationUtils; - -import javax.naming.Context; -import javax.naming.NamingException; -import javax.naming.directory.Attributes; -import javax.naming.directory.DirContext; -import javax.naming.directory.InitialDirContext; -import javax.security.sasl.Sasl; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServlet; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; -import java.io.IOException; -import java.io.PrintWriter; -import java.util.Hashtable; - -/** - * @author Marek Posolda - */ -public class KerberosCredDelegServlet extends HttpServlet { - - public static final String CRED_DELEG_TEST_PATH = "/cred-deleg-test"; - - @Override - protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - String ldapData = null; - - if (req.getRequestURI().endsWith(CRED_DELEG_TEST_PATH)) { - - try { - // Retrieve kerberos credential from accessToken and deserialize it - KeycloakPrincipal keycloakPrincipal = (KeycloakPrincipal) req.getUserPrincipal(); - String serializedGssCredential = (String) keycloakPrincipal.getKeycloakSecurityContext().getToken().getOtherClaims().get(KerberosConstants.GSS_DELEGATION_CREDENTIAL); - GSSCredential gssCredential = KerberosSerializationUtils.deserializeCredential(serializedGssCredential); - - // First try to invoke without gssCredential. It should fail - try { - invokeLdap(null); - throw new RuntimeException("Not expected to authenticate to LDAP without credential"); - } catch (NamingException nse) { - System.out.println("Expected exception: " + nse.getMessage()); - } - - ldapData = invokeLdap(gssCredential); - } catch (KerberosSerializationUtils.KerberosSerializationException kse) { - System.err.println("KerberosSerializationUtils.KerberosSerializationException: " + kse.getMessage()); - ldapData = "ERROR"; - } catch (Exception e) { - e.printStackTrace(); - resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); - } - } - - resp.setContentType("text/html"); - PrintWriter pw = resp.getWriter(); - pw.printf("%s", "Kerberos Test"); - pw.printf("Kerberos servlet secured content
"); - - if (ldapData != null) { - pw.printf("LDAP Data: " + ldapData + "
"); - } - - pw.print(""); - pw.flush(); - - - } - - private String invokeLdap(GSSCredential gssCredential) throws NamingException { - Hashtable env = new Hashtable(11); - env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); - env.put(Context.PROVIDER_URL, "ldap://localhost:10389"); - - if (gssCredential != null) { - env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); - env.put(Sasl.CREDENTIALS, gssCredential); - } - - DirContext ctx = new InitialDirContext(env); - try { - Attributes attrs = ctx.getAttributes("uid=hnelson,ou=People,dc=keycloak,dc=org"); - String cn = (String) attrs.get("cn").get(); - String sn = (String) attrs.get("sn").get(); - return cn + " " + sn; - } finally { - ctx.close(); - } - } - -} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosStandaloneTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosStandaloneTest.java deleted file mode 100755 index af4fd225d2..0000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosStandaloneTest.java +++ /dev/null @@ -1,249 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation; - -import org.junit.Assert; -import org.junit.ClassRule; -import org.junit.FixMethodOrder; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.RuleChain; -import org.junit.rules.TestRule; -import org.junit.runners.MethodSorters; -import org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator; -import org.keycloak.common.constants.KerberosConstants; -import org.keycloak.common.util.MultivaluedHashMap; -import org.keycloak.federation.kerberos.CommonKerberosConfig; -import org.keycloak.federation.kerberos.KerberosConfig; -import org.keycloak.federation.kerberos.KerberosFederationProviderFactory; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.RealmModel; -import org.keycloak.representations.idm.CredentialRepresentation; -import org.keycloak.services.managers.RealmManager; -import org.keycloak.storage.UserStorageProviderModel; -import org.keycloak.testsuite.AssertEvents; -import org.keycloak.testsuite.federation.storage.ldap.LDAPTestUtils; -import org.keycloak.testsuite.rule.KerberosRule; -import org.keycloak.testsuite.rule.KeycloakRule; -import org.keycloak.testsuite.rule.WebRule; -import org.keycloak.utils.CredentialHelper; - -import javax.ws.rs.core.Response; -import java.net.URL; -import java.util.Map; -import java.util.regex.Matcher; -import java.util.regex.Pattern; - -/** - * Test of KerberosFederationProvider (Kerberos not backed by LDAP) - * - * @author Marek Posolda - */ -@FixMethodOrder(MethodSorters.NAME_ASCENDING) -public class KerberosStandaloneTest extends AbstractKerberosTest { - - private static final String PROVIDER_CONFIG_LOCATION = "kerberos/kerberos-standalone-connection.properties"; - - private static UserStorageProviderModel kerberosModel; - - private static KerberosRule kerberosRule = new KerberosRule(PROVIDER_CONFIG_LOCATION); - - private static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() { - - @Override - public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { - - CredentialHelper.setAlternativeCredential(manager.getSession(), CredentialRepresentation.KERBEROS, appRealm); - URL url = getClass().getResource("/kerberos-test/kerberos-app-keycloak.json"); - keycloakRule.createApplicationDeployment() - .name("kerberos-portal").contextPath("/kerberos-portal") - .servletClass(KerberosCredDelegServlet.class).adapterConfigPath(url.getPath()) - .role("user").deployApplication(); - - - Map kerberosConfig = kerberosRule.getConfig(); - MultivaluedHashMap config = LDAPTestUtils.toComponentConfig(kerberosConfig); - - UserStorageProviderModel model = new UserStorageProviderModel(); - model.setLastSync(0); - model.setChangedSyncPeriod(-1); - model.setFullSyncPeriod(-1); - model.setName("kerberos-standalone"); - model.setPriority(0); - model.setProviderId(KerberosFederationProviderFactory.PROVIDER_NAME); - model.setConfig(config); - - kerberosModel = new UserStorageProviderModel(appRealm.addComponentModel(model)); - } - - }) { - - @Override - protected void importRealm() { - server.importRealm(getClass().getResourceAsStream("/kerberos-test/kerberosrealm.json")); - } - - }; - - - - @ClassRule - public static TestRule chain = RuleChain - .outerRule(kerberosRule) - .around(keycloakRule); - - @Rule - public WebRule webRule = new WebRule(this); - - @Rule - public AssertEvents events = new AssertEvents(keycloakRule); - - - @Override - protected CommonKerberosConfig getKerberosConfig() { - return new KerberosConfig(kerberosModel); - } - - @Override - protected KeycloakRule getKeycloakRule() { - return keycloakRule; - } - - @Override - protected AssertEvents getAssertEvents() { - return events; - } - - - @Test - public void spnegoLoginTest() throws Exception { - spnegoLoginTestImpl(); - - // Assert user was imported and hasn't any required action on him - assertUser("hnelson", "hnelson@keycloak.org", null, null, false); - } - - @Test - @Override - public void spnegoCaseInsensitiveTest() throws Exception { - super.spnegoCaseInsensitiveTest(); - } - - @Test - @Override - public void credentialDelegationTest() throws Exception { - super.credentialDelegationTest(); - } - - @Test - @Override - public void usernamePasswordLoginTest() throws Exception { - super.usernamePasswordLoginTest(); - } - - @Test - public void updateProfileEnabledTest() throws Exception { - // Switch updateProfileOnFirstLogin to on - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealm("test"); - UserStorageProviderModel kerberosProviderModel = realm.getUserStorageProviders().get(0); - kerberosProviderModel.getConfig().putSingle(KerberosConstants.UPDATE_PROFILE_FIRST_LOGIN, "true"); - realm.updateComponent(kerberosProviderModel); - } finally { - keycloakRule.stopSession(session, true); - } - - // Assert update profile page is displayed - Response spnegoResponse = spnegoLogin("hnelson", "secret"); - Assert.assertEquals(200, spnegoResponse.getStatus()); - String responseText = spnegoResponse.readEntity(String.class); - Assert.assertTrue(responseText.contains("You need to update your user profile to activate your account.")); - Assert.assertTrue(responseText.contains("hnelson@keycloak.org")); - spnegoResponse.close(); - - // Assert user was imported and has required action on him - assertUser("hnelson", "hnelson@keycloak.org", null, null, true); - - // Switch updateProfileOnFirstLogin to off - session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealm("test"); - UserStorageProviderModel kerberosProviderModel = realm.getUserStorageProviders().get(0); - kerberosProviderModel.getConfig().putSingle(KerberosConstants.UPDATE_PROFILE_FIRST_LOGIN, "false"); - realm.updateComponent(kerberosProviderModel); - } finally { - keycloakRule.stopSession(session, true); - } - } - - /** - * KEYCLOAK-3451 - * - * Test that if there is no User Storage Provider that can handle kerberos we can still login - * - * @throws Exception - */ - @Test - public void noProvider() throws Exception { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealm("test"); - realm.removeComponent(kerberosModel); - } finally { - keycloakRule.stopSession(session, true); - } - /* - To do this we do a valid kerberos login. The authenticator will obtain a valid token, but there will - be no user storage provider that can process it. This means we should be on the login page. - We do this through a JAX-RS client request. We extract the action URL from the login page, and stuff it - into selenium then just perform a regular login. - */ - Response spnegoResponse = spnegoLogin("hnelson", "secret"); - String context = spnegoResponse.readEntity(String.class); - spnegoResponse.close(); - Pattern pattern = Pattern.compile("action=\"([^\"]+)\""); - Matcher m = pattern.matcher(context); - Assert.assertTrue(m.find()); - String url = m.group(1); - driver.navigate().to(url); - Assert.assertTrue(loginPage.isCurrent()); - loginPage.login("test-user@localhost", "password"); - String pageSource = driver.getPageSource(); - Assert.assertTrue(pageSource.contains("Kerberos Test") && pageSource.contains("Kerberos servlet secured content")); - - - events.clear(); - session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealm("test"); - realm.addComponentModel(kerberosModel); - } finally { - keycloakRule.stopSession(session, true); - } - - - - - } - - - - - -} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KeycloakSPNegoSchemeFactory.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KeycloakSPNegoSchemeFactory.java deleted file mode 100644 index 83fb5837ad..0000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KeycloakSPNegoSchemeFactory.java +++ /dev/null @@ -1,130 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation; - -import org.apache.http.auth.AuthScheme; -import org.apache.http.auth.Credentials; -import org.apache.http.impl.auth.SPNegoScheme; -import org.apache.http.impl.auth.SPNegoSchemeFactory; -import org.apache.http.params.HttpParams; -import org.ietf.jgss.GSSContext; -import org.ietf.jgss.GSSException; -import org.ietf.jgss.GSSManager; -import org.ietf.jgss.GSSName; -import org.ietf.jgss.Oid; -import org.keycloak.federation.kerberos.CommonKerberosConfig; -import org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator; - -import javax.security.auth.Subject; -import java.security.PrivilegedExceptionAction; - -/** - * Usable for testing only. Username and password are shared for the whole factory - * - * @author Marek Posolda - */ -public class KeycloakSPNegoSchemeFactory extends SPNegoSchemeFactory { - - private final CommonKerberosConfig kerberosConfig; - - private String username; - private String password; - - - public KeycloakSPNegoSchemeFactory(CommonKerberosConfig kerberosConfig) { - super(true, false); - this.kerberosConfig = kerberosConfig; - } - - - public void setCredentials(String username, String password) { - this.username = username; - this.password = password; - } - - - @Override - public AuthScheme newInstance(HttpParams params) { - return new KeycloakSPNegoScheme(isStripPort(), isUseCanonicalHostname()); - } - - - public class KeycloakSPNegoScheme extends SPNegoScheme { - - public KeycloakSPNegoScheme(boolean stripPort, boolean useCanonicalHostname) { - super(stripPort, useCanonicalHostname); - } - - - @Override - protected byte[] generateGSSToken(byte[] input, Oid oid, String authServer, Credentials credentials) throws GSSException { - KerberosUsernamePasswordAuthenticator authenticator = new KerberosUsernamePasswordAuthenticator(kerberosConfig); - try { - Subject clientSubject = authenticator.authenticateSubject(username, password); - - ByteArrayHolder holder = Subject.doAs(clientSubject, new ClientAcceptSecContext(input, oid, authServer)); - - return holder.bytes; - } catch (Exception le) { - throw new RuntimeException(le); - } finally { - authenticator.logoutSubject(); - } - } - - - private class ClientAcceptSecContext implements PrivilegedExceptionAction { - - private final byte[] input; - private final Oid oid; - private final String authServer; - - public ClientAcceptSecContext(byte[] input, Oid oid, String authServer) { - this.input = input; - this.oid = oid; - this.authServer = authServer; - } - - - @Override - public ByteArrayHolder run() throws Exception { - byte[] token = input; - if (token == null) { - token = new byte[0]; - } - GSSManager manager = getManager(); - GSSName serverName = manager.createName("HTTP/" + authServer + "@" + kerberosConfig.getKerberosRealm(), null); - GSSContext gssContext = manager.createContext( - serverName.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME); - gssContext.requestMutualAuth(true); - gssContext.requestCredDeleg(true); - byte[] outputToken = gssContext.initSecContext(token, 0, token.length); - - ByteArrayHolder result = new ByteArrayHolder(); - result.bytes = outputToken; - return result; - } - - } - - - private class ByteArrayHolder { - private byte[] bytes; - } - } -} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPTestConfiguration.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPTestConfiguration.java index b254a1abe5..f4cbc2283b 100644 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPTestConfiguration.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPTestConfiguration.java @@ -84,9 +84,9 @@ public class LDAPTestConfiguration { DEFAULT_VALUES.put(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "false"); DEFAULT_VALUES.put(KerberosConstants.KERBEROS_REALM, "KEYCLOAK.ORG"); DEFAULT_VALUES.put(KerberosConstants.SERVER_PRINCIPAL, "HTTP/localhost@KEYCLOAK.ORG"); - URL keytabUrl = LDAPTestConfiguration.class.getResource("/kerberos/http.keytab"); - String keyTabPath = new File(keytabUrl.getFile()).getAbsolutePath(); - DEFAULT_VALUES.put(KerberosConstants.KEYTAB, keyTabPath); +// URL keytabUrl = LDAPTestConfiguration.class.getResource("/kerberos/http.keytab"); +// String keyTabPath = new File(keytabUrl.getFile()).getAbsolutePath(); +// DEFAULT_VALUES.put(KerberosConstants.KEYTAB, keyTabPath); DEFAULT_VALUES.put(KerberosConstants.DEBUG, "true"); DEFAULT_VALUES.put(KerberosConstants.ALLOW_PASSWORD_AUTHENTICATION, "true"); DEFAULT_VALUES.put(KerberosConstants.UPDATE_PROFILE_FIRST_LOGIN, "true"); diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/KerberosLdapTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/KerberosLdapTest.java deleted file mode 100755 index ea48ff7eae..0000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/KerberosLdapTest.java +++ /dev/null @@ -1,197 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation.storage.ldap; - -import org.junit.Assert; -import org.junit.ClassRule; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.RuleChain; -import org.junit.rules.TestRule; -import org.keycloak.common.util.MultivaluedHashMap; -import org.keycloak.events.Details; -import org.keycloak.federation.kerberos.CommonKerberosConfig; -import org.keycloak.storage.UserStorageProvider; -import org.keycloak.storage.UserStorageProviderModel; -import org.keycloak.storage.ldap.LDAPStorageProviderFactory; -import org.keycloak.storage.ldap.kerberos.LDAPProviderKerberosConfig; -import org.keycloak.models.RealmModel; -import org.keycloak.representations.idm.CredentialRepresentation; -import org.keycloak.services.managers.RealmManager; -import org.keycloak.testsuite.AssertEvents; -import org.keycloak.testsuite.federation.AbstractKerberosTest; -import org.keycloak.testsuite.federation.KerberosCredDelegServlet; -import org.keycloak.testsuite.rule.KerberosRule; -import org.keycloak.testsuite.rule.KeycloakRule; -import org.keycloak.testsuite.rule.WebRule; -import org.keycloak.utils.CredentialHelper; - -import javax.ws.rs.core.Response; -import java.net.URL; - -/** - * Test of LDAPFederationProvider (Kerberos backed by LDAP) - * - * @author Marek Posolda - */ -public class KerberosLdapTest extends AbstractKerberosTest { - - private static final String PROVIDER_CONFIG_LOCATION = "kerberos/kerberos-ldap-connection.properties"; - - private static UserStorageProviderModel ldapModel = null; - - private static KerberosRule kerberosRule = new KerberosRule(PROVIDER_CONFIG_LOCATION); - - private static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() { - - @Override - public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { - CredentialHelper.setAlternativeCredential(manager.getSession(), CredentialRepresentation.KERBEROS, appRealm); - URL url = getClass().getResource("/kerberos-test/kerberos-app-keycloak.json"); - keycloakRule.createApplicationDeployment() - .name("kerberos-portal").contextPath("/kerberos-portal") - .servletClass(KerberosCredDelegServlet.class).adapterConfigPath(url.getPath()) - .role("user").deployApplication(); - - MultivaluedHashMap ldapConfig = LDAPTestUtils.toComponentConfig(kerberosRule.getConfig()); - UserStorageProviderModel model = new UserStorageProviderModel(); - model.setLastSync(0); - model.setChangedSyncPeriod(-1); - model.setFullSyncPeriod(-1); - model.setName("test-ldap"); - model.setPriority(0); - model.setProviderId(LDAPStorageProviderFactory.PROVIDER_NAME); - model.setConfig(ldapConfig); - - ldapModel = new UserStorageProviderModel(appRealm.addComponentModel(model)); - } - }) { - - @Override - protected void importRealm() { - server.importRealm(getClass().getResourceAsStream("/kerberos-test/kerberosrealm.json")); - } - - }; - - @ClassRule - public static TestRule chain = RuleChain - .outerRule(kerberosRule) - .around(keycloakRule); - - @Rule - public WebRule webRule = new WebRule(this); - - @Rule - public AssertEvents events = new AssertEvents(keycloakRule); - - @Override - protected CommonKerberosConfig getKerberosConfig() { - return new LDAPProviderKerberosConfig(ldapModel); - } - - @Override - protected KeycloakRule getKeycloakRule() { - return keycloakRule; - } - - @Override - protected AssertEvents getAssertEvents() { - return events; - } - - - @Test - public void spnegoLoginTest() throws Exception { - spnegoLoginTestImpl(); - - // Assert user was imported and hasn't any required action on him. Profile info is synced from LDAP - assertUser("hnelson", "hnelson@keycloak.org", "Horatio", "Nelson", false); - } - - @Test - @Override - public void usernamePasswordLoginTest() throws Exception { - super.usernamePasswordLoginTest(); - } - - @Test - public void writableEditModeTest() throws Exception { - KeycloakRule keycloakRule = getKeycloakRule(); - AssertEvents events = getAssertEvents(); - - // Change editMode to WRITABLE - updateProviderEditMode(UserStorageProvider.EditMode.WRITABLE); - - // Login with username/password from kerberos - changePasswordPage.open(); - // Only needed if you are providing a click thru to bypass kerberos. Currently there is a javascript - // to forward the user if kerberos isn't enabled. - //bypassPage.isCurrent(); - //bypassPage.clickContinue(); - loginPage.assertCurrent(); - loginPage.login("jduke", "theduke"); - changePasswordPage.assertCurrent(); - - // Successfully change password now - changePasswordPage.changePassword("theduke", "newPass", "newPass"); - Assert.assertTrue(driver.getPageSource().contains("Your password has been updated.")); - changePasswordPage.logout(); - - // Only needed if you are providing a click thru to bypass kerberos. Currently there is a javascript - // to forward the user if kerberos isn't enabled. - //bypassPage.isCurrent(); - //bypassPage.clickContinue(); - - // Login with old password doesn't work, but with new password works - loginPage.login("jduke", "theduke"); - loginPage.assertCurrent(); - loginPage.login("jduke", "newPass"); - changePasswordPage.assertCurrent(); - changePasswordPage.logout(); - - // Assert SPNEGO login with the new password as mode is writable - events.clear(); - Response spnegoResponse = spnegoLogin("jduke", "newPass"); - Assert.assertEquals(302, spnegoResponse.getStatus()); - events.expectLogin() - .client("kerberos-app") - .user(keycloakRule.getUser("test", "jduke").getId()) - .detail(Details.REDIRECT_URI, KERBEROS_APP_URL) - //.detail(Details.AUTH_METHOD, "spnego") - .detail(Details.USERNAME, "jduke") - .assertEvent(); - - // Change password back - changePasswordPage.open(); - // Only needed if you are providing a click thru to bypass kerberos. Currently there is a javascript - // to forward the user if kerberos isn't enabled. - //bypassPage.isCurrent(); - //bypassPage.clickContinue(); - - loginPage.login("jduke", "newPass"); - changePasswordPage.assertCurrent(); - changePasswordPage.changePassword("newPass", "theduke", "theduke"); - Assert.assertTrue(driver.getPageSource().contains("Your password has been updated.")); - changePasswordPage.logout(); - - spnegoResponse.close(); - events.clear(); - } - -} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/LDAPTestConfiguration.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/LDAPTestConfiguration.java deleted file mode 100644 index 9a9bda1738..0000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/storage/ldap/LDAPTestConfiguration.java +++ /dev/null @@ -1,149 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation.storage.ldap; - -import org.jboss.logging.Logger; -import org.keycloak.common.constants.KerberosConstants; -import org.keycloak.models.LDAPConstants; -import org.keycloak.storage.UserStorageProvider; - -import java.io.File; -import java.io.InputStream; -import java.net.URL; -import java.util.HashMap; -import java.util.Map; -import java.util.Properties; - -/** - * @author Marek Posolda - */ -public class LDAPTestConfiguration { - - private static final Logger log = Logger.getLogger(LDAPTestConfiguration.class); - - private String connectionPropertiesLocation; - private int sleepTime; - private boolean startEmbeddedLdapLerver = true; - private Map config; - - protected static final Map PROP_MAPPINGS = new HashMap(); - protected static final Map DEFAULT_VALUES = new HashMap(); - - static { - PROP_MAPPINGS.put(LDAPConstants.CONNECTION_URL, "idm.test.ldap.connection.url"); - PROP_MAPPINGS.put(LDAPConstants.BASE_DN, "idm.test.ldap.base.dn"); - PROP_MAPPINGS.put(LDAPConstants.USERS_DN, "idm.test.ldap.user.dn.suffix"); - PROP_MAPPINGS.put(LDAPConstants.BIND_DN, "idm.test.ldap.bind.dn"); - PROP_MAPPINGS.put(LDAPConstants.BIND_CREDENTIAL, "idm.test.ldap.bind.credential"); - PROP_MAPPINGS.put(LDAPConstants.VENDOR, "idm.test.ldap.vendor"); - PROP_MAPPINGS.put(LDAPConstants.CONNECTION_POOLING, "idm.test.ldap.connection.pooling"); - PROP_MAPPINGS.put(LDAPConstants.PAGINATION, "idm.test.ldap.pagination"); - PROP_MAPPINGS.put(LDAPConstants.BATCH_SIZE_FOR_SYNC, "idm.test.ldap.batch.size.for.sync"); - PROP_MAPPINGS.put(LDAPConstants.USERNAME_LDAP_ATTRIBUTE, "idm.test.ldap.username.ldap.attribute"); - PROP_MAPPINGS.put(LDAPConstants.RDN_LDAP_ATTRIBUTE, "idm.test.ldap.rdn.ldap.attribute"); - PROP_MAPPINGS.put(LDAPConstants.USER_OBJECT_CLASSES, "idm.test.ldap.user.object.classes"); - PROP_MAPPINGS.put(LDAPConstants.EDIT_MODE, "idm.test.ldap.edit.mode"); - - PROP_MAPPINGS.put(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "idm.test.kerberos.allow.kerberos.authentication"); - PROP_MAPPINGS.put(KerberosConstants.KERBEROS_REALM, "idm.test.kerberos.realm"); - PROP_MAPPINGS.put(KerberosConstants.SERVER_PRINCIPAL, "idm.test.kerberos.server.principal"); - PROP_MAPPINGS.put(KerberosConstants.KEYTAB, "idm.test.kerberos.keytab"); - PROP_MAPPINGS.put(KerberosConstants.DEBUG, "idm.test.kerberos.debug"); - PROP_MAPPINGS.put(KerberosConstants.ALLOW_PASSWORD_AUTHENTICATION, "idm.test.kerberos.allow.password.authentication"); - PROP_MAPPINGS.put(KerberosConstants.UPDATE_PROFILE_FIRST_LOGIN, "idm.test.kerberos.update.profile.first.login"); - PROP_MAPPINGS.put(KerberosConstants.USE_KERBEROS_FOR_PASSWORD_AUTHENTICATION, "idm.test.kerberos.use.kerberos.for.password.authentication"); - - DEFAULT_VALUES.put(LDAPConstants.CONNECTION_URL, "ldap://localhost:10389"); - DEFAULT_VALUES.put(LDAPConstants.BASE_DN, "dc=keycloak,dc=org"); - DEFAULT_VALUES.put(LDAPConstants.USERS_DN, "ou=People,dc=keycloak,dc=org"); - DEFAULT_VALUES.put(LDAPConstants.BIND_DN, "uid=admin,ou=system"); - DEFAULT_VALUES.put(LDAPConstants.BIND_CREDENTIAL, "secret"); - DEFAULT_VALUES.put(LDAPConstants.VENDOR, LDAPConstants.VENDOR_OTHER); - DEFAULT_VALUES.put(LDAPConstants.CONNECTION_POOLING, "true"); - DEFAULT_VALUES.put(LDAPConstants.PAGINATION, "true"); - DEFAULT_VALUES.put(LDAPConstants.BATCH_SIZE_FOR_SYNC, String.valueOf(LDAPConstants.DEFAULT_BATCH_SIZE_FOR_SYNC)); - DEFAULT_VALUES.put(LDAPConstants.USERNAME_LDAP_ATTRIBUTE, null); - DEFAULT_VALUES.put(LDAPConstants.USER_OBJECT_CLASSES, null); - DEFAULT_VALUES.put(LDAPConstants.EDIT_MODE, UserStorageProvider.EditMode.READ_ONLY.toString()); - - DEFAULT_VALUES.put(KerberosConstants.ALLOW_KERBEROS_AUTHENTICATION, "false"); - DEFAULT_VALUES.put(KerberosConstants.KERBEROS_REALM, "KEYCLOAK.ORG"); - DEFAULT_VALUES.put(KerberosConstants.SERVER_PRINCIPAL, "HTTP/localhost@KEYCLOAK.ORG"); - URL keytabUrl = LDAPTestConfiguration.class.getResource("/kerberos/http.keytab"); - String keyTabPath = new File(keytabUrl.getFile()).getAbsolutePath(); - DEFAULT_VALUES.put(KerberosConstants.KEYTAB, keyTabPath); - DEFAULT_VALUES.put(KerberosConstants.DEBUG, "true"); - DEFAULT_VALUES.put(KerberosConstants.ALLOW_PASSWORD_AUTHENTICATION, "true"); - DEFAULT_VALUES.put(KerberosConstants.UPDATE_PROFILE_FIRST_LOGIN, "true"); - DEFAULT_VALUES.put(KerberosConstants.USE_KERBEROS_FOR_PASSWORD_AUTHENTICATION, "false"); - } - - public static LDAPTestConfiguration readConfiguration(String connectionPropertiesLocation) { - LDAPTestConfiguration ldapTestConfiguration = new LDAPTestConfiguration(); - ldapTestConfiguration.setConnectionPropertiesLocation(connectionPropertiesLocation); - ldapTestConfiguration.loadConnectionProperties(); - return ldapTestConfiguration; - } - - protected void loadConnectionProperties() { - Properties p = new Properties(); - try { - log.info("Reading LDAP configuration from: " + connectionPropertiesLocation); - InputStream is = Thread.currentThread().getContextClassLoader().getResourceAsStream(connectionPropertiesLocation); - p.load(is); - } - catch (Exception e) { - throw new RuntimeException(e); - } - - config = new HashMap(); - for (Map.Entry property : PROP_MAPPINGS.entrySet()) { - String propertyName = property.getKey(); - String configName = property.getValue(); - - String value = (String) p.get(configName); - if (value == null) { - value = DEFAULT_VALUES.get(propertyName); - } - - config.put(propertyName, value); - } - - startEmbeddedLdapLerver = Boolean.parseBoolean(p.getProperty("idm.test.ldap.start.embedded.ldap.server", "true")); - sleepTime = Integer.parseInt(p.getProperty("idm.test.ldap.sleepTime", "1000")); - log.info("Start embedded server: " + startEmbeddedLdapLerver); - log.info("Read config: " + config); - } - - public Map getLDAPConfig() { - return config; - } - - public void setConnectionPropertiesLocation(String connectionPropertiesLocation) { - this.connectionPropertiesLocation = connectionPropertiesLocation; - } - - public boolean isStartEmbeddedLdapLerver() { - return startEmbeddedLdapLerver; - } - - public int getSleepTime() { - return sleepTime; - } - -} diff --git a/testsuite/integration/src/test/resources/kerberos-test/kerberos-app-keycloak.json b/testsuite/integration/src/test/resources/kerberos-test/kerberos-app-keycloak.json deleted file mode 100644 index 609bcdb1aa..0000000000 --- a/testsuite/integration/src/test/resources/kerberos-test/kerberos-app-keycloak.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "realm": "test", - "resource": "kerberos-app", - "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", - "auth-server-url": "http://localhost:8081/auth", - "ssl-required" : "external", - "credentials": { - "secret": "password" - } -} diff --git a/testsuite/integration/src/test/resources/kerberos-test/kerberosrealm.json b/testsuite/integration/src/test/resources/kerberos-test/kerberosrealm.json deleted file mode 100644 index d9616dbf2c..0000000000 --- a/testsuite/integration/src/test/resources/kerberos-test/kerberosrealm.json +++ /dev/null @@ -1,53 +0,0 @@ -{ - "id": "test", - "realm": "test", - "enabled": true, - "sslRequired": "external", - "registrationAllowed": true, - "resetPasswordAllowed": true, - "privateKey": "MIICXAIBAAKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQABAoGAfmO8gVhyBxdqlxmIuglbz8bcjQbhXJLR2EoS8ngTXmN1bo2L90M0mUKSdc7qF10LgETBzqL8jYlQIbt+e6TH8fcEpKCjUlyq0Mf/vVbfZSNaVycY13nTzo27iPyWQHK5NLuJzn1xvxxrUeXI6A2WFpGEBLbHjwpx5WQG9A+2scECQQDvdn9NE75HPTVPxBqsEd2z10TKkl9CZxu10Qby3iQQmWLEJ9LNmy3acvKrE3gMiYNWb6xHPKiIqOR1as7L24aTAkEAtyvQOlCvr5kAjVqrEKXalj0Tzewjweuxc0pskvArTI2Oo070h65GpoIKLc9jf+UA69cRtquwP93aZKtW06U8dQJAF2Y44ks/mK5+eyDqik3koCI08qaC8HYq2wVl7G2QkJ6sbAaILtcvD92ToOvyGyeE0flvmDZxMYlvaZnaQ0lcSQJBAKZU6umJi3/xeEbkJqMfeLclD27XGEFoPeNrmdx0q10Azp4NfJAY+Z8KRyQCR2BEG+oNitBOZ+YXF9KCpH3cdmECQHEigJhYg+ykOvr1aiZUMFT72HU0jnmQe2FVekuG+LJUt2Tm7GtMjTFoGpf0JwrVuZN39fOYAlo+nTixgeW7X8Y=", - "publicKey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrVrCuTtArbgaZzL1hvh0xtL5mc7o0NqPVnYXkLvgcwiC3BjLGw1tGEGoJaXDuSaRllobm53JBhjx33UNv+5z/UMG4kytBWxheNVKnL6GgqlNabMaFfPLPCF8kAgKnsi79NMo+n6KnSY8YeUmec/p2vjO2NjsSAVcWEQMVhJ31LwIDAQAB", - "requiredCredentials": [ "password", "kerberos" ], - "defaultRoles": [ "user" ], - "users" : [ - { - "username" : "test-user@localhost", - "enabled": true, - "email" : "test-user@localhost", - "credentials" : [ - { "type" : "password", - "value" : "password" } - ], - "realmRoles": ["user"], - "applicationRoles": { - "account": [ "view-profile", "manage-account" ] - } - } - ], - "scopeMappings": [ - { - "client": "kerberos-app", - "roles": ["user"] - } - ], - "applications": [ - { - "name": "kerberos-app", - "enabled": true, - "baseUrl": "http://localhost:8081/kerberos-portal", - "redirectUris": [ - "http://localhost:8081/kerberos-portal/*" - ], - "adminUrl": "http://localhost:8081/kerberos-portal/logout", - "secret": "password" - } - ], - "roles" : { - "realm" : [ - { - "name": "user", - "description": "Have User privileges" - } - ] - } -} \ No newline at end of file diff --git a/testsuite/integration/src/test/resources/kerberos/http.keytab b/testsuite/integration/src/test/resources/kerberos/http.keytab deleted file mode 100644 index 0e7fd96fa73f636ff040c8e8a658c42785906acc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 348 zcmZQ&VqjpfV_;(7@pg@L_VIW0*7FZ?XJGLN2?=1}%*jtq%*n_vE&(cH4EZK|fPq1f zL4g1HK9N~r>sNh0AIWRKXG$he(u@QXm>D?QT32u=ggCg8Xty|n0DA=g!b5+q&sCxL3?ypU|>Zo<-Xpb$+hd+$Hz>%)Ej{Z+`;-2