diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerClientUserInfoTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerClientUserInfoTest.java
new file mode 100644
index 0000000000..0d7097470c
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerClientUserInfoTest.java
@@ -0,0 +1,60 @@
+package org.keycloak.testsuite.broker;
+
+import org.keycloak.models.IdentityProviderSyncMode;
+import org.keycloak.protocol.ProtocolMapperUtils;
+import org.keycloak.protocol.oidc.OIDCLoginProtocol;
+import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
+import org.keycloak.protocol.oidc.mappers.UserAttributeMapper;
+import org.keycloak.provider.ProviderConfigProperty;
+import org.keycloak.representations.idm.ClientRepresentation;
+import org.keycloak.representations.idm.ProtocolMapperRepresentation;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+
+
+public class KcOidcBrokerClientUserInfoTest extends AbstractBrokerTest {
+
+ protected static final String ATTRIBUTE_TO_MAP_USER_INFO = "user-attribute-ufo";
+
+ @Override
+ protected BrokerConfiguration getBrokerConfiguration() {
+ return new KcOidcBrokerConfigurationUserInfoOnlyMappers();
+ }
+
+ private class KcOidcBrokerConfigurationUserInfoOnlyMappers extends KcOidcBrokerConfiguration {
+
+ @Override
+ public List createProviderClients() {
+ List clientsRepList = super.createProviderClients();
+ log.info("Update provider clients to disable attributes in Access & ID token");
+
+ ProtocolMapperRepresentation userAttrMapper = new ProtocolMapperRepresentation();
+ userAttrMapper.setName("attribute - name");
+ userAttrMapper.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
+ userAttrMapper.setProtocolMapper(UserAttributeMapper.PROVIDER_ID);
+
+ Map userAttrMapperConfig = userAttrMapper.getConfig();
+ userAttrMapperConfig.put(ProtocolMapperUtils.USER_ATTRIBUTE, ATTRIBUTE_TO_MAP_USER_INFO);
+ userAttrMapperConfig.put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, ATTRIBUTE_TO_MAP_USER_INFO);
+ userAttrMapperConfig.put(OIDCAttributeMapperHelper.JSON_TYPE, ProviderConfigProperty.STRING_TYPE);
+ userAttrMapperConfig.put(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN, "false");
+ userAttrMapperConfig.put(OIDCAttributeMapperHelper.INCLUDE_IN_ID_TOKEN, "false");
+ 
userAttrMapperConfig.put(OIDCAttributeMapperHelper.INCLUDE_IN_USERINFO, "true");
+
+ for (ClientRepresentation client: clientsRepList) {
+ client.setProtocolMappers(Arrays.asList(userAttrMapper));
+ }
+
+ return clientsRepList;
+
+ }
+
+ @Override
+ protected void applyDefaultConfiguration(final Map config, IdentityProviderSyncMode syncMode) {
+ super.applyDefaultConfiguration(config, syncMode);
+ config.put("disableUserInfo", "false");
+ }
+ }
+}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerConfigurationUserInfoOnlyMappers.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerConfigurationUserInfoOnlyMappers.java
deleted file mode 100644
index b23730a187..0000000000
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/KcOidcBrokerConfigurationUserInfoOnlyMappers.java
+++ /dev/null
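Review bot: The mapper config built in `createProviderClients()` no longer sets `ProtocolMapperUtils.MULTIVALUED` to `"true"`, which the `KcOidcBrokerConfigurationUserInfoOnlyMappers` class deleted in the same commit did; the tests removed from `OidcUserInfoClaimToRoleMapperTest` fed the attribute as a list value, and whether the remaining ones do is not visible here, so either add `userAttrMapperConfig.put(ProtocolMapperUtils.MULTIVALUED, "true");` beside the `INCLUDE_IN_USERINFO` entry or leave a comment stating the drop is deliberate. The loop that follows calls `client.setProtocolMappers(Arrays.asList(userAttrMapper))` on every client returned by `super.createProviderClients()`, which replaces whatever mappers the superclass configured instead of adding to them; if those are needed, build the list from a copy of `client.getProtocolMappers()` plus the new mapper. The new class has no Javadoc; a short one should state that the mapped attribute is excluded from the access and ID tokens and exposed only through the userinfo endpoint, with `disableUserInfo` forced to `"false"` in `applyDefaultConfiguration`, so that the broker's userinfo fetch is the path under test. The `log` used in the inner class is not declared in this file, so its origin (the enclosing test or `KcOidcBrokerConfiguration`) should be confirmed before the class is made static.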
@@ -1,82 +0,0 @@
-package org.keycloak.testsuite.broker;
-
-import org.keycloak.models.IdentityProviderModel;
-import org.keycloak.models.IdentityProviderSyncMode;
-import org.keycloak.protocol.ProtocolMapperUtils;
-import org.keycloak.protocol.oidc.OIDCLoginProtocol;
-import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
-import org.keycloak.protocol.oidc.mappers.UserAttributeMapper;
-import org.keycloak.provider.ProviderConfigProperty;
-import org.keycloak.representations.idm.ClientRepresentation;
-import org.keycloak.representations.idm.ProtocolMapperRepresentation;
-
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
-
-import static org.keycloak.testsuite.broker.BrokerTestConstants.*;
-import static org.keycloak.testsuite.broker.BrokerTestTools.*;
-
-/**
- * @author hmlnarik
- */
-public class KcOidcBrokerConfigurationUserInfoOnlyMappers extends KcOidcBrokerConfiguration {
-
- public static final KcOidcBrokerConfigurationUserInfoOnlyMappers INSTANCE = new KcOidcBrokerConfigurationUserInfoOnlyMappers();
-
- protected static final String ATTRIBUTE_TO_MAP_USER_INFO = "user-attribute-ufo";
-
-
- @Override
- public List createProviderClients() {
- ClientRepresentation client = new ClientRepresentation();
- client.setId(CLIENT_ID);
- client.setClientId(getIDPClientIdInProviderRealm());
- client.setName(CLIENT_ID);
- client.setSecret(CLIENT_SECRET);
- client.setEnabled(true);
-
- client.setRedirectUris(Collections.singletonList(getConsumerRoot() +
- "/auth/realms/" + REALM_CONS_NAME + "/broker/" + IDP_OIDC_ALIAS + "/endpoint/*"));
-
- client.setAdminUrl(getConsumerRoot() +
- "/auth/realms/" + REALM_CONS_NAME + "/broker/" + IDP_OIDC_ALIAS + "/endpoint");
-
- ProtocolMapperRepresentation userAttrMapper = new ProtocolMapperRepresentation();
- userAttrMapper.setName("attribute - name");
- userAttrMapper.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
- 
userAttrMapper.setProtocolMapper(UserAttributeMapper.PROVIDER_ID);
-
- Map userAttrMapperConfig = userAttrMapper.getConfig();
- userAttrMapperConfig.put(ProtocolMapperUtils.USER_ATTRIBUTE, ATTRIBUTE_TO_MAP_USER_INFO);
- userAttrMapperConfig.put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, ATTRIBUTE_TO_MAP_USER_INFO);
- userAttrMapperConfig.put(OIDCAttributeMapperHelper.JSON_TYPE, ProviderConfigProperty.STRING_TYPE);
- userAttrMapperConfig.put(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN, "false");
- userAttrMapperConfig.put(OIDCAttributeMapperHelper.INCLUDE_IN_ID_TOKEN, "false");
- userAttrMapperConfig.put(OIDCAttributeMapperHelper.INCLUDE_IN_USERINFO, "true");
- userAttrMapperConfig.put(ProtocolMapperUtils.MULTIVALUED, "true");
-
-
- client.setProtocolMappers(Arrays.asList(userAttrMapper));
-
- return Collections.singletonList(client);
- }
-
- @Override
- protected void applyDefaultConfiguration(final Map config, IdentityProviderSyncMode syncMode) {
- config.put(IdentityProviderModel.SYNC_MODE, syncMode.toString());
- config.put("clientId", CLIENT_ID);
- config.put("clientSecret", CLIENT_SECRET);
- config.put("prompt", "login");
- config.put("authorizationUrl", getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME + "/protocol/openid-connect/auth");
- config.put("tokenUrl", getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME + "/protocol/openid-connect/token");
- config.put("logoutUrl", getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME + "/protocol/openid-connect/logout");
- config.put("userInfoUrl", getProviderRoot() + "/auth/realms/" + REALM_PROV_NAME + "/protocol/openid-connect/userinfo");
- config.put("defaultScope", "email profile");
- config.put("backchannelSupported", "true");
- config.put("disableUserInfo", "false");
- }
-
-
-}
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/OidcUserInfoClaimToRoleMapperTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/OidcUserInfoClaimToRoleMapperTest.java
index b82994f7b9..dd5d0cf489 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/OidcUserInfoClaimToRoleMapperTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/broker/OidcUserInfoClaimToRoleMapperTest.java
@@ -2,7 +2,6 @@ package org.keycloak.testsuite.broker;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
-import org.jetbrains.annotations.NotNull;
 import org.junit.Test;
 import org.keycloak.admin.client.resource.IdentityProviderResource;
 import org.keycloak.broker.oidc.mappers.ClaimToRoleMapper;
@@ -15,21 +14,15 @@ import org.keycloak.representations.idm.UserRepresentation;
 import java.util.List;
-import static org.keycloak.models.IdentityProviderMapperSyncMode.FORCE;
-import static org.keycloak.models.IdentityProviderMapperSyncMode.LEGACY;
-
-/**
- * @author Martin Idel
- */
 public class OidcUserInfoClaimToRoleMapperTest extends AbstractRoleMapperTest {
- private static final String USER_INFO_CLAIM = KcOidcBrokerConfigurationUserInfoOnlyMappers.ATTRIBUTE_TO_MAP_USER_INFO;
+ private static final String USER_INFO_CLAIM = KcOidcBrokerClientUserInfoTest.ATTRIBUTE_TO_MAP_USER_INFO;
 private static final String USER_INFO_CLAIM_VALUE = "value 1";
 private String claimOnSecondLogin = "";
 @Override
 protected BrokerConfiguration getBrokerConfiguration() {
- return new KcOidcBrokerConfigurationUserInfoOnlyMappers();
+ return new KcOidcBrokerClientUserInfoTest().getBrokerConfiguration();
 }
 @Test
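Review bot: `getBrokerConfiguration()` now constructs a throwaway `KcOidcBrokerClientUserInfoTest` (a full `AbstractBrokerTest` subclass) only to reach its configuration object, because `KcOidcBrokerConfigurationUserInfoOnlyMappers` is declared in that file as a non-static `private class` and therefore cannot exist without an enclosing test instance. Declaring it `static class KcOidcBrokerConfigurationUserInfoOnlyMappers extends KcOidcBrokerConfiguration` (package-private) in `KcOidcBrokerClientUserInfoTest` and returning `new KcOidcBrokerClientUserInfoTest.KcOidcBrokerConfigurationUserInfoOnlyMappers();` here removes the coupling to a test object created outside the runner and the hidden enclosing-instance reference it carries. Whether instantiating the test class this way triggers initializers in `AbstractBrokerTest` is not visible in the diff, and if the `log` used inside the inner class resolves to the enclosing test's logger it would need its own once static. The `ImmutableList` and `ImmutableMap` imports kept in the first hunk should be re-checked once the removed tests below are gone.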
@@ -58,71 +51,6 @@ public class OidcUserInfoClaimToRoleMapperTest extends AbstractRoleMapperTest {
 assertThatRoleHasNotBeenAssignedInConsumerRealmTo(user);
 }
- @Test
- public void claimValuesMismatch() {
- createClaimToRoleMapper("other value");
- createUserInProviderRealm(ImmutableMap.>builder()
- .put(USER_INFO_CLAIM, ImmutableList.builder().add(USER_INFO_CLAIM_VALUE).build())
- .build());
-
- logInAsUserInIDPForFirstTime();
-
- UserRepresentation user = findUser(bc.consumerRealmName(), bc.getUserLogin(), bc.getUserEmail());
- assertThatRoleHasNotBeenAssignedInConsumerRealmTo(user);
- }
-
- @Test
- public void updateBrokeredUserMismatchDeletesRoleInForceMode() {
- UserRepresentation user = loginWithClaimThenChangeClaimToValue("value mismatch", FORCE, false);
-
- assertThatRoleHasNotBeenAssignedInConsumerRealmTo(user);
- }
-
- @Test
- public void updateBrokeredUserMismatchDeletesRoleInLegacyMode() {
- UserRepresentation user = createMapperThenLoginWithStandardClaimThenChangeClaimToValue("value mismatch", LEGACY);
-
- assertThatRoleHasNotBeenAssignedInConsumerRealmTo(user);
- }
-
- @Test
- public void updateBrokeredUserNewMatchGrantsRoleAfterFirstLoginInForceMode() {
- UserRepresentation user = loginWithStandardClaimThenAddMapperAndLoginAgain(FORCE);
-
- assertThatRoleHasBeenAssignedInConsumerRealmTo(user);
- }
-
- @Test
- public void updateBrokeredUserNewMatchDoesNotGrantRoleAfterFirstLoginInLegacyMode() {
- UserRepresentation user = loginWithStandardClaimThenAddMapperAndLoginAgain(LEGACY);
-
- assertThatRoleHasNotBeenAssignedInConsumerRealmTo(user);
- }
-
- @Test
- public void updateBrokeredUserDoesNotDeleteRoleIfClaimStillMatches() {
- UserRepresentation user = createMapperThenLoginWithStandardClaimThenChangeClaimToValue(USER_INFO_CLAIM_VALUE, FORCE);
-
- assertThatRoleHasBeenAssignedInConsumerRealmTo(user);
- }
-
- private UserRepresentation loginWithStandardClaimThenAddMapperAndLoginAgain(IdentityProviderMapperSyncMode syncMode) {
- return 
loginWithClaimThenChangeClaimToValue(OidcUserInfoClaimToRoleMapperTest.USER_INFO_CLAIM_VALUE, syncMode, true);
- }
-
- private UserRepresentation createMapperThenLoginWithStandardClaimThenChangeClaimToValue(String claimOnSecondLogin, IdentityProviderMapperSyncMode syncMode) {
- return loginWithClaimThenChangeClaimToValue(claimOnSecondLogin, syncMode, false);
- }
-
- @NotNull
- private UserRepresentation loginWithClaimThenChangeClaimToValue(String claimOnSecondLogin, IdentityProviderMapperSyncMode syncMode, boolean createAfterFirstLogin) {
- this.claimOnSecondLogin = claimOnSecondLogin;
- return loginAsUserTwiceWithMapper(syncMode, createAfterFirstLogin,
- ImmutableMap.>builder()
- .put(USER_INFO_CLAIM, ImmutableList.builder().add(USER_INFO_CLAIM_VALUE).build())
- .build());
- }
-
 private void createClaimToRoleMapper(String claimValue) {
 IdentityProviderRepresentation idp = setupIdentityProvider();
 createClaimToRoleMapper(idp, claimValue, IdentityProviderMapperSyncMode.IMPORT);
@@ -137,8 +65,7 @@ public class OidcUserInfoClaimToRoleMapperTest extends AbstractRoleMapperTest {
 protected void createMapperInIdp(IdentityProviderRepresentation idp, IdentityProviderMapperSyncMode syncMode) {
 createClaimToRoleMapper(idp, USER_INFO_CLAIM_VALUE, syncMode);
 }
-
-
+
 @Override
 protected void updateUser() {
 UserRepresentation user = findUser(bc.providerRealmName(), bc.getUserLogin(), bc.getUserEmail());