Tests for role and time policy configuration validation

Closes #28978

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/admin/RolePolicyManagementTest.java

@@ -24,9 +24,11 @@ import static org.junit.Assert.fail;
 import java.util.Collections;
 import java.util.stream.Collectors;
 
+import jakarta.ws.rs.BadRequestException;
 import jakarta.ws.rs.NotFoundException;
 import jakarta.ws.rs.core.Response;
 
+import jakarta.ws.rs.core.Response.Status;
 import org.junit.Test;
 import org.keycloak.admin.client.resource.AuthorizationResource;
 import org.keycloak.admin.client.resource.ClientResource;
@@ -36,11 +38,13 @@ import org.keycloak.admin.client.resource.RolePolicyResource;
 import org.keycloak.admin.client.resource.RolesResource;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.representations.idm.OAuth2ErrorRepresentation;
 import org.keycloak.representations.idm.RoleRepresentation;
 import org.keycloak.representations.idm.authorization.DecisionStrategy;
 import org.keycloak.representations.idm.authorization.Logic;
 import org.keycloak.representations.idm.authorization.PolicyRepresentation;
 import org.keycloak.representations.idm.authorization.RolePolicyRepresentation;
+import org.keycloak.testsuite.Assert;
 import org.keycloak.testsuite.util.RealmBuilder;
 import org.keycloak.testsuite.util.RoleBuilder;
 import org.keycloak.testsuite.util.RolesBuilder;
@@ -229,13 +233,49 @@ public class RolePolicyManagementTest extends AbstractPolicyManagementTest {
         }
     }
 
-    private void assertCreated(AuthorizationResource authorization, RolePolicyRepresentation representation) {
+    @Test
+    public void testFailDuplicatedRoles() {
+        AuthorizationResource authorization = getClient().authorization();
+        RolePolicyRepresentation representation = new RolePolicyRepresentation();
+
+        representation.setName(KeycloakModelUtils.generateId());
+        representation.setDescription("description");
+        representation.setDecisionStrategy(DecisionStrategy.CONSENSUS);
+        representation.setLogic(Logic.NEGATIVE);
+        representation.addRole("Role A");
+        representation.addRole("Role A");
+
+        try (
+            Response response = authorization.policies().role().create(representation);
+        ) {
+            assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
+            assertEquals("Role can't be specified multiple times - Role A", response.readEntity(OAuth2ErrorRepresentation.class).getError());
+        }
+
+        representation.getRoles().clear();
+        representation.addRole("Role A");
+        representation.addRole("Role B");
+        representation = assertCreated(authorization, representation);
+
+        representation.addRole("Role B");
+        try {
+            authorization.policies().role().findById(representation.getId()).update(representation);
+            Assert.fail("should fail due to duplicated roles");
+        } catch (BadRequestException bre) {
+            Response response = bre.getResponse();
+            assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
+            assertEquals("Role can't be specified multiple times - Role B", response.readEntity(OAuth2ErrorRepresentation.class).getError());
+        }
+    }
+
+    private RolePolicyRepresentation assertCreated(AuthorizationResource authorization, RolePolicyRepresentation representation) {
         RolePoliciesResource permissions = authorization.policies().role();
 
         try (Response response = permissions.create(representation)) {
             RolePolicyRepresentation created = response.readEntity(RolePolicyRepresentation.class);
             RolePolicyResource permission = permissions.findById(created.getId());
             assertRepresentation(representation, permission);
+            return permission.toRepresentation();
         }
     }
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/admin/TimePolicyManagementTest.java

@@ -21,16 +21,21 @@ import static org.junit.Assert.fail;
 
 import java.util.Collections;
 
+import jakarta.ws.rs.BadRequestException;
 import jakarta.ws.rs.NotFoundException;
 import jakarta.ws.rs.core.Response;
 
+import jakarta.ws.rs.core.Response.Status;
 import org.junit.Test;
 import org.keycloak.admin.client.resource.AuthorizationResource;
 import org.keycloak.admin.client.resource.TimePoliciesResource;
 import org.keycloak.admin.client.resource.TimePolicyResource;
+import org.keycloak.models.utils.KeycloakModelUtils;
+import org.keycloak.representations.idm.OAuth2ErrorRepresentation;
 import org.keycloak.representations.idm.authorization.DecisionStrategy;
 import org.keycloak.representations.idm.authorization.TimePolicyRepresentation;
 import org.keycloak.representations.idm.authorization.Logic;
+import org.keycloak.testsuite.Assert;
 
 /**
  * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@@ -118,6 +123,44 @@ public class TimePolicyManagementTest extends AbstractPolicyManagementTest {
         }
     }
 
+    @Test
+    public void testInvalidDateFormat() {
+        AuthorizationResource authorization = getClient().authorization();
+        TimePolicyRepresentation representation = createRepresentation(KeycloakModelUtils.generateId());
+
+        representation.setNotBefore("invalid");
+        representation.setNotOnOrAfter("invalid");
+
+        try (
+            Response response = authorization.policies().time().create(representation)
+        ) {
+            assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
+            assertEquals("Unable not parse a date using format [" + representation.getNotOnOrAfter() + "]", response.readEntity(OAuth2ErrorRepresentation.class).getError());
+        }
+
+        representation.setNotBefore("2017-01-01 00:00:00");
+
+        try (
+            Response response = authorization.policies().time().create(representation)
+        ) {
+            assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
+            assertEquals("Unable not parse a date using format [" + representation.getNotOnOrAfter() + "]", response.readEntity(OAuth2ErrorRepresentation.class).getError());
+        }
+
+        representation.setNotOnOrAfter("2017-02-01 00:00:00");
+        representation = assertCreated(authorization, representation);
+
+        try {
+            representation.setNotOnOrAfter("2016-02-01 00:00:00");
+            authorization.policies().time().findById(representation.getId()).update(representation);
+            Assert.fail("should fail due to invalid dates");
+        } catch (BadRequestException bre) {
+            Response response = bre.getResponse();
+            assertEquals(Status.BAD_REQUEST.getStatusCode(), response.getStatus());
+            assertEquals("Expire time can't be set to a date before start time", response.readEntity(OAuth2ErrorRepresentation.class).getError());
+        }
+    }
+
     private TimePolicyRepresentation createRepresentation(String name) {
         TimePolicyRepresentation representation = new TimePolicyRepresentation();
 
@@ -140,13 +183,14 @@ public class TimePolicyManagementTest extends AbstractPolicyManagementTest {
         return representation;
     }
 
-    private void assertCreated(AuthorizationResource authorization, TimePolicyRepresentation representation) {
+    private TimePolicyRepresentation assertCreated(AuthorizationResource authorization, TimePolicyRepresentation representation) {
         TimePoliciesResource permissions = authorization.policies().time();
 
         try (Response response = permissions.create(representation)) {
             TimePolicyRepresentation created = response.readEntity(TimePolicyRepresentation.class);
             TimePolicyResource permission = permissions.findById(created.getId());
             assertRepresentation(representation, permission);
+            return permission.toRepresentation();
         }
     }