libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

Adding tests to cover using SAML brokers in an organization

Browse source 
Closes #28732

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>
This commit is contained in:
Pedro Igor 2024-05-07 11:58:31 -03:00 committed by Alexander Schwartz
parent 8d628d740e
commit 927ba48f7a
4 changed files with 666 additions and 637 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

610
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/admin/AbstractBrokerSelfRegistrationTest.java Normal file
View file

@ -0,0 +1,610 @@
/*
* Copyright 2024 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.organization.admin;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.keycloak.testsuite.broker.BrokerTestTools.waitForPage;
import java.util.List;
import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.NotFoundException;
import org.junit.Test;
import org.keycloak.admin.client.resource.OrganizationIdentityProviderResource;
import org.keycloak.admin.client.resource.OrganizationMemberResource;
import org.keycloak.admin.client.resource.OrganizationResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.OrganizationModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.ErrorRepresentation;
import org.keycloak.representations.idm.FederatedIdentityRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.OrganizationDomainRepresentation;
import org.keycloak.representations.idm.OrganizationRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.util.UserBuilder;
public abstract class AbstractBrokerSelfRegistrationTest extends AbstractOrganizationTest {
@Test
public void testRegistrationRedirectWhenSingleBroker() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
assertBrokerRegistration(organization, bc.getUserEmail());
}
@Test
public void testLoginHintSentToBrokerWhenEnabled() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(IdentityProviderModel.LOGIN_HINT, "true");
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
loginPage.loginUsername(bc.getUserEmail());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
// check if the username is automatically filled
Assert.assertEquals(bc.getUserEmail(), loginPage.getUsername());
}
@Test
public void testDefaultAuthenticationMechanismIfNotOrganizationMember() {
testRealm().organizations().get(createOrganization().getId());
oauth.clientId("broker-app");
// login with email only
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
loginPage.loginUsername("user@noorg.org");
// check if the login page is shown
Assert.assertTrue(loginPage.isUsernameInputPresent());
Assert.assertTrue(loginPage.isPasswordInputPresent());
}
@Test
public void testRealmLevelBrokersAvailableIfEmailDoesNotMatchOrganization() {
testRealm().organizations().get(createOrganization().getId());
oauth.clientId("broker-app");
// login with email only
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
loginPage.loginUsername("user");
// check if the login page is shown
Assert.assertTrue(loginPage.isUsernameInputPresent());
Assert.assertTrue(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
IdentityProviderRepresentation idp = bc.setUpIdentityProvider();
idp.setAlias("realm-level-idp");
Assert.assertFalse(loginPage.isSocialButtonPresent(idp.getAlias()));
testRealm().identityProviders().create(idp).close();
driver.navigate().refresh();
Assert.assertTrue(loginPage.isUsernameInputPresent());
Assert.assertTrue(loginPage.isPasswordInputPresent());
Assert.assertTrue(loginPage.isSocialButtonPresent(idp.getAlias()));
}
@Test
public void testLinkExistingAccount() {
// create a realm user in the consumer realm
realmsResouce().realm(bc.consumerRealmName()).users()
.create(UserBuilder.create()
.username(bc.getUserLogin())
.email(bc.getUserEmail())
.password(bc.getUserPassword())
.enabled(true).build()
).close();
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
oauth.clientId("broker-app");
// login with email only
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
loginPage.loginUsername(bc.getUserEmail());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
// login to the organization identity provider and run the configured first broker login flow
loginPage.login(bc.getUserEmail(), bc.getUserPassword());
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(bc.getUserEmail(), bc.getUserEmail(), "Firstname", "Lastname");
// account with the same email exists in the realm, execute account linking
waitForPage(driver, "account already exists", false);
idpConfirmLinkPage.assertCurrent();
idpConfirmLinkPage.clickLinkAccount();
// confirm the link by authenticating
loginPage.login(bc.getUserEmail(), bc.getUserPassword());
assertIsMember(bc.getUserEmail(), organization);
}
@Test
public void testReAuthenticateWhenAlreadyMember() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
// add the member for the first time
assertBrokerRegistration(organization, bc.getUserEmail());
// logout to force the user to authenticate again
UserRepresentation account = getUserRepresentation(bc.getUserEmail());
realmsResouce().realm(bc.consumerRealmName()).users().get(account.getId()).logout();
realmsResouce().realm(bc.providerRealmName()).logoutAll();
// login with email only
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
loginPage.loginUsername(bc.getUserEmail());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
// login to the organization identity provider and automatically redirects to the app as the account already exists
loginPage.login(bc.getUserEmail(), bc.getUserPassword());
appPage.assertCurrent();
assertIsMember(bc.getUserEmail(), organization);
}
@Test
public void testFailUpdateEmailNotAssociatedOrganizationUsingAdminAPI() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
OrganizationIdentityProviderResource idp = organization.identityProviders().get(bc.getIDPAlias());
IdentityProviderRepresentation idpRep = idp.toRepresentation();
idpRep.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
testRealm().identityProviders().get(idpRep.getAlias()).update(idpRep);
// add the member for the first time
assertBrokerRegistration(organization, bc.getUserEmail());
UserRepresentation member = getUserRepresentation(bc.getUserEmail());
member.setEmail(KeycloakModelUtils.generateId() + "@user.org");
try {
// member has a hard link with the organization, and the email must match the domains set to the organization
testRealm().users().get(member.getId()).update(member);
fail("Should fail because email domain does not match any from organization");
} catch (BadRequestException expected) {
ErrorRepresentation error = expected.getResponse().readEntity(ErrorRepresentation.class);
assertEquals(UserModel.EMAIL, error.getField());
assertEquals("Email domain does not match any domain from the organization", error.getErrorMessage());
}
member.setEmail(member.getEmail().replace("@user.org", "@" + organizationName + ".org"));
testRealm().users().get(member.getId()).update(member);
}
@Test
public void testDeleteManagedMember() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
// add the member for the first time
assertBrokerRegistration(organization, bc.getUserEmail());
UserRepresentation member = getUserRepresentation(bc.getUserEmail());
OrganizationMemberResource organizationMember = organization.members().member(member.getId());
organizationMember.delete().close();
try {
testRealm().users().get(member.getId()).toRepresentation();
fail("it is managed member should be removed from the realm");
} catch (NotFoundException expected) {
}
try {
organizationMember.toRepresentation();
fail("it is managed member should be removed from the realm");
} catch (NotFoundException expected) {
}
}
@Test
public void testRedirectToIdentityProviderAssociatedWithOrganizationDomain() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
idp.setAlias("second-idp");
idp.setInternalId(null);
idp.getConfig().remove(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE);
testRealm().identityProviders().create(idp).close();
getCleanup().addCleanup(testRealm().identityProviders().get("second-idp")::remove);
organization.identityProviders().addIdentityProvider(idp.getAlias()).close();
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
Assert.assertFalse(loginPage.isSocialButtonPresent(idp.getAlias()));
loginPage.loginUsername(bc.getUserEmail());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login(bc.getUserEmail(), bc.getUserPassword());
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(bc.getUserEmail(), bc.getUserEmail(), "Firstname", "Lastname");
appPage.assertCurrent();
assertIsMember(bc.getUserEmail(), organization);
UserRepresentation user = testRealm().users().search(bc.getUserEmail()).get(0);
List<FederatedIdentityRepresentation> federatedIdentities = testRealm().users().get(user.getId()).getFederatedIdentity();
assertEquals(1, federatedIdentities.size());
assertEquals(bc.getIDPAlias(), federatedIdentities.get(0).getIdentityProvider());
}
@Test
public void testIdentityFirstLoginShowsPublicOrganizationBrokers() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
OrganizationRepresentation representation = organization.toRepresentation();
representation.addDomain(new OrganizationDomainRepresentation("other.org"));
organization.update(representation).close();
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
// set a domain to the existing broker
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
idp = bc.setUpIdentityProvider();
idp.setAlias("second-idp");
idp.setInternalId(null);
idp.getConfig().remove(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE);
idp.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
// create a second broker without a domain set
testRealm().identityProviders().create(idp).close();
getCleanup().addCleanup(testRealm().identityProviders().get("second-idp")::remove);
organization.identityProviders().addIdentityProvider(idp.getAlias()).close();
idp = organization.identityProviders().get(idp.getAlias()).toRepresentation();
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
Assert.assertFalse(loginPage.isSocialButtonPresent(idp.getAlias()));
loginPage.loginUsername("external@user.org");
Assert.assertTrue(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
Assert.assertTrue(loginPage.isSocialButtonPresent(idp.getAlias()));
idp.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.FALSE.toString());
testRealm().identityProviders().get(idp.getAlias()).update(idp);
driver.navigate().refresh();
Assert.assertTrue(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
Assert.assertFalse(loginPage.isSocialButtonPresent(idp.getAlias()));
}
@Test
public void testLoginUsingBrokerWithoutDomain() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
// set a domain to the existing broker
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
idp = bc.setUpIdentityProvider();
idp.setAlias("second-idp");
idp.setInternalId(null);
idp.getConfig().remove(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE);
idp.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
// create a second broker without a domain set
testRealm().identityProviders().create(idp).close();
getCleanup().addCleanup(testRealm().identityProviders().get("second-idp")::remove);
organization.identityProviders().addIdentityProvider(idp.getAlias()).close();
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
String email = "external@user.org";
loginPage.loginUsername(email);
loginPage.clickSocial(idp.getAlias());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login("external", "password");
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(email, email, "Firstname", "Lastname");
appPage.assertCurrent();
assertIsMember(email, organization);
// make sure the federated identity matches the expected broker
UserRepresentation user = testRealm().users().search(email).get(0);
List<FederatedIdentityRepresentation> federatedIdentities = testRealm().users().get(user.getId()).getFederatedIdentity();
assertEquals(1, federatedIdentities.size());
assertEquals(idp.getAlias(), federatedIdentities.get(0).getIdentityProvider());
}
@Test
public void testEmailDomainDoesNotMatchBrokerDomain() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
OrganizationRepresentation representation = organization.toRepresentation();
representation.addDomain(new OrganizationDomainRepresentation("other.org"));
organization.update(representation).close();
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
// set a domain to the existing broker
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
idp = bc.setUpIdentityProvider();
idp.setAlias("second-idp");
idp.setInternalId(null);
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "other.org");
idp.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
// create a second broker without a domain set
testRealm().identityProviders().create(idp).close();
getCleanup().addCleanup(testRealm().identityProviders().get("second-idp")::remove);
organization.identityProviders().addIdentityProvider(idp.getAlias()).close();
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
String email = "external@user.org";
loginPage.loginUsername(email);
loginPage.clickSocial(idp.getAlias());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login(email, "password");
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(email, email, "Firstname", "Lastname");
Assert.assertTrue(driver.getPageSource().contains("Email domain does not match any domain from the organization"));
assertIsNotMember(email, organization);
updateAccountInformationPage.updateAccountInformation("external@other.org", "external@other.org", "Firstname", "Lastname");
appPage.assertCurrent();
assertIsMember("external@other.org", organization);
}
@Test
public void testAnyEmailFromBrokerWithoutDomainSet() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
OrganizationRepresentation representation = organization.toRepresentation();
representation.addDomain(new OrganizationDomainRepresentation("other.org"));
organization.update(representation).close();
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
// set a domain to the existing broker
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
idp = bc.setUpIdentityProvider();
idp.setAlias("second-idp");
idp.setInternalId(null);
idp.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
// create a second broker without a domain set
testRealm().identityProviders().create(idp).close();
getCleanup().addCleanup(testRealm().identityProviders().get("second-idp")::remove);
organization.identityProviders().addIdentityProvider(idp.getAlias()).close();
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
String email = "external@user.org";
loginPage.loginUsername(email);
loginPage.clickSocial(idp.getAlias());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login(email, "password");
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation("external@unknown.org", "external@unknown.org", "Firstname", "Lastname");
appPage.assertCurrent();
assertIsMember("external@unknown.org", organization);
}
@Test
public void testRealmLevelBrokerNotImpactedByOrganizationFlow() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idp = bc.setUpIdentityProvider();
idp.setAlias("realm-idp");
idp.setInternalId(null);
// create a second broker without a domain set
testRealm().identityProviders().create(idp).close();
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
loginPage.loginUsername("some@user.org");
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the consumer realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
loginPage.clickSocial(idp.getAlias());
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login("external", "password");
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(bc.getUserEmail(), bc.getUserEmail(), "Firstname", "Lastname");
appPage.assertCurrent();
assertTrue(organization.members().getAll().isEmpty());
UserRepresentation user = testRealm().users().search(bc.getUserEmail()).get(0);
testRealm().users().get(user.getId()).remove();
}
@Test
public void testMemberRegistrationUsingDifferentDomainThanOrganization() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idpRep = organization.identityProviders().getIdentityProviders().get(0);
// make sure the user can select this idp from the organization when authenticating
idpRep.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
testRealm().identityProviders().get(idpRep.getAlias()).update(idpRep);
// create a user to the provider realm using a email that does not share the same domain as the org
UserRepresentation user = UserBuilder.create()
.username("user")
.email("user@different.org")
.password("password")
.enabled(true)
.build();
realmsResouce().realm(bc.providerRealmName()).users().create(user).close();
// select the organization broker to authenticate
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
loginPage.loginUsername("user@different.org");
loginPage.clickSocial(idpRep.getAlias());
// login through the organization broker
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login("user@different.org", "password");
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(user.getUsername(), user.getEmail(), "Firstname", "Lastname");
appPage.assertCurrent();
}
@Test
public void testMemberFromBrokerRedirectedToOriginBroker() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idpRep = organization.identityProviders().getIdentityProviders().get(0);
// make sure the user can select this idp from the organization when authenticating
idpRep.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
testRealm().identityProviders().get(idpRep.getAlias()).update(idpRep);
// create a user to the provider realm using a email that does not share the same domain as the org
UserRepresentation user = UserBuilder.create()
.username("user")
.email("user@different.org")
.password("password")
.enabled(true)
.build();
realmsResouce().realm(bc.providerRealmName()).users().create(user).close();
// execute the identity-first login
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
loginPage.loginUsername(user.getEmail());
waitForPage(driver, "sign in to", true);
// select the organization broker to authenticate
assertTrue(loginPage.isPasswordInputPresent());
assertTrue(loginPage.isUsernameInputPresent());
loginPage.clickSocial(idpRep.getAlias());
// login through the organization broker
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login("user@different.org", "password");
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(user.getUsername(), user.getEmail(), "Firstname", "Lastname");
UserRepresentation account = getUserRepresentation(user.getEmail());
realmsResouce().realm(bc.consumerRealmName()).users().get(account.getId()).logout();
realmsResouce().realm(bc.providerRealmName()).logoutAll();
// the flow now changed and the user should be automatically redirected to the origin broker
loginPage.open(bc.consumerRealmName());
waitForPage(driver, "sign in to", true);
loginPage.loginUsername(user.getEmail());
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login("user@different.org", "password");
appPage.assertCurrent();
}
private void assertIsNotMember(String userEmail, OrganizationResource organization) {
UsersResource users = adminClient.realm(bc.consumerRealmName()).users();
List<UserRepresentation> reps = users.searchByEmail(userEmail, true);
if (reps.isEmpty()) {
return;
}
assertEquals(1, reps.size());
UserRepresentation account = reps.get(0);
try {
assertNull(organization.members().member(account.getId()).toRepresentation());
} catch (NotFoundException ignore) {
}
}
}

56
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/admin/AbstractOrganizationTest.java
View file

@ -28,7 +28,6 @@ import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.Response.Status; import jakarta.ws.rs.core.Response.Status;
import org.jboss.arquillian.graphene.page.Page; import org.jboss.arquillian.graphene.page.Page;
import org.keycloak.admin.client.resource.OrganizationResource; import org.keycloak.admin.client.resource.OrganizationResource;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.admin.client.resource.UsersResource; import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.representations.idm.IdentityProviderRepresentation; import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.admin.client.resource.RealmResource; import org.keycloak.admin.client.resource.RealmResource;
@ -41,12 +40,12 @@ import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.admin.AbstractAdminTest; import org.keycloak.testsuite.admin.AbstractAdminTest;
import org.keycloak.testsuite.admin.ApiUtil; import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.admin.Users; import org.keycloak.testsuite.admin.Users;
import org.keycloak.testsuite.broker.BrokerConfiguration;
import org.keycloak.testsuite.broker.KcOidcBrokerConfiguration; import org.keycloak.testsuite.broker.KcOidcBrokerConfiguration;
import org.keycloak.testsuite.pages.AppPage; import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.IdpConfirmLinkPage; import org.keycloak.testsuite.pages.IdpConfirmLinkPage;
import org.keycloak.testsuite.pages.LoginPage; import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.pages.UpdateAccountInformationPage; import org.keycloak.testsuite.pages.UpdateAccountInformationPage;
import org.keycloak.testsuite.util.UserBuilder;
/** /**
* @author <a href="mailto:psilva@redhat.com">Pedro Igor</a> * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
@ -56,53 +55,8 @@ public abstract class AbstractOrganizationTest extends AbstractAdminTest {
protected String organizationName = "neworg"; protected String organizationName = "neworg";
protected String memberEmail = "jdoe@neworg.org"; protected String memberEmail = "jdoe@neworg.org";
protected String memberPassword = "password"; protected String memberPassword = "password";
protected Function<String, KcOidcBrokerConfiguration> brokerConfigFunction = name -> new KcOidcBrokerConfiguration() { protected Function<String, BrokerConfiguration> brokerConfigFunction = name -> new BrokerConfigurationWrapper(name, createBrokerConfiguration());
@Override
public String consumerRealmName() {
return TEST_REALM_NAME;
}
@Override
public RealmRepresentation createProviderRealm() {
RealmRepresentation providerRealm = super.createProviderRealm();
providerRealm.setClients(createProviderClients());
providerRealm.setUsers(List.of(
UserBuilder.create()
.username(getUserLogin())
.email(getUserEmail())
.password(getUserPassword())
.enabled(true)
.build(),
UserBuilder.create()
.username("external")
.email("external@user.org")
.password("password")
.enabled(true)
.build()
)
);
return providerRealm;
}
@Override
public String getUserEmail() {
return getUserLogin() + "@" + organizationName + ".org";
}
@Override
public String getIDPAlias() {
return name + "-identity-provider";
}
@Override
public List<ClientRepresentation> createProviderClients() {
List<ClientRepresentation> clients = super.createProviderClients();
clients.get(0).setRedirectUris(List.of("*"));
return clients;
}
};
@Page @Page
protected LoginPage loginPage; protected LoginPage loginPage;
@ -116,7 +70,7 @@ public abstract class AbstractOrganizationTest extends AbstractAdminTest {
@Page @Page
protected AppPage appPage; protected AppPage appPage;
protected KcOidcBrokerConfiguration bc = brokerConfigFunction.apply(organizationName); protected BrokerConfiguration bc = brokerConfigFunction.apply(organizationName);
@Override @Override
public void configureTestRealm(RealmRepresentation testRealm) { public void configureTestRealm(RealmRepresentation testRealm) {
@ -259,4 +213,8 @@ public abstract class AbstractOrganizationTest extends AbstractAdminTest {
return group; return group;
} }
} }
protected BrokerConfiguration createBrokerConfiguration() {
return new KcOidcBrokerConfiguration();
};
} }

589
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/admin/OrganizationBrokerSelfRegistrationTest.java
View file

@ -17,597 +17,10 @@
package org.keycloak.testsuite.organization.admin; package org.keycloak.testsuite.organization.admin;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.keycloak.testsuite.broker.BrokerTestTools.waitForPage;
import java.util.List;
import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.NotFoundException;
import org.junit.Test;
import org.keycloak.admin.client.resource.OrganizationIdentityProviderResource;
import org.keycloak.admin.client.resource.OrganizationMemberResource;
import org.keycloak.admin.client.resource.OrganizationResource;
import org.keycloak.admin.client.resource.UsersResource;
import org.keycloak.common.Profile.Feature; import org.keycloak.common.Profile.Feature;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.OrganizationModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.ErrorRepresentation;
import org.keycloak.representations.idm.FederatedIdentityRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.OrganizationDomainRepresentation;
import org.keycloak.representations.idm.OrganizationRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.Assert;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature; import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import org.keycloak.testsuite.util.UserBuilder;
@EnableFeature(Feature.ORGANIZATION) @EnableFeature(Feature.ORGANIZATION)
public class OrganizationBrokerSelfRegistrationTest extends AbstractOrganizationTest { public class OrganizationBrokerSelfRegistrationTest extends AbstractBrokerSelfRegistrationTest {
@Test
public void testRegistrationRedirectWhenSingleBroker() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
assertBrokerRegistration(organization, bc.getUserEmail());
}
@Test
public void testLoginHintSentToBrokerWhenEnabled() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(IdentityProviderModel.LOGIN_HINT, "true");
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
loginPage.loginUsername(bc.getUserEmail());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
// check if the username is automatically filled
Assert.assertEquals(bc.getUserEmail(), loginPage.getUsername());
}
@Test
public void testDefaultAuthenticationMechanismIfNotOrganizationMember() {
testRealm().organizations().get(createOrganization().getId());
oauth.clientId("broker-app");
// login with email only
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
loginPage.loginUsername("user@noorg.org");
// check if the login page is shown
Assert.assertTrue(loginPage.isUsernameInputPresent());
Assert.assertTrue(loginPage.isPasswordInputPresent());
}
@Test
public void testRealmLevelBrokersAvailableIfEmailDoesNotMatchOrganization() {
testRealm().organizations().get(createOrganization().getId());
oauth.clientId("broker-app");
// login with email only
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
loginPage.loginUsername("user");
// check if the login page is shown
Assert.assertTrue(loginPage.isUsernameInputPresent());
Assert.assertTrue(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
IdentityProviderRepresentation idp = bc.setUpIdentityProvider();
idp.setAlias("realm-level-idp");
Assert.assertFalse(loginPage.isSocialButtonPresent(idp.getAlias()));
testRealm().identityProviders().create(idp).close();
driver.navigate().refresh();
Assert.assertTrue(loginPage.isUsernameInputPresent());
Assert.assertTrue(loginPage.isPasswordInputPresent());
Assert.assertTrue(loginPage.isSocialButtonPresent(idp.getAlias()));
}
@Test
public void testLinkExistingAccount() {
// create a realm user in the consumer realm
realmsResouce().realm(bc.consumerRealmName()).users()
.create(UserBuilder.create()
.username(bc.getUserLogin())
.email(bc.getUserEmail())
.password(bc.getUserPassword())
.enabled(true).build()
).close();
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
oauth.clientId("broker-app");
// login with email only
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
loginPage.loginUsername(bc.getUserEmail());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
// login to the organization identity provider and run the configured first broker login flow
loginPage.login(bc.getUserEmail(), bc.getUserPassword());
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(bc.getUserEmail(), bc.getUserEmail(), "Firstname", "Lastname");
// account with the same email exists in the realm, execute account linking
waitForPage(driver, "account already exists", false);
idpConfirmLinkPage.assertCurrent();
idpConfirmLinkPage.clickLinkAccount();
// confirm the link by authenticating
loginPage.login(bc.getUserEmail(), bc.getUserPassword());
assertIsMember(bc.getUserEmail(), organization);
}
@Test
public void testReAuthenticateWhenAlreadyMember() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
// add the member for the first time
assertBrokerRegistration(organization, bc.getUserEmail());
// logout to force the user to authenticate again
UserRepresentation account = getUserRepresentation(bc.getUserEmail());
realmsResouce().realm(bc.consumerRealmName()).users().get(account.getId()).logout();
realmsResouce().realm(bc.providerRealmName()).logoutAll();
// login with email only
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
loginPage.loginUsername(bc.getUserEmail());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
// login to the organization identity provider and automatically redirects to the app as the account already exists
loginPage.login(bc.getUserEmail(), bc.getUserPassword());
appPage.assertCurrent();
assertIsMember(bc.getUserEmail(), organization);
}
@Test
public void testFailUpdateEmailNotAssociatedOrganizationUsingAdminAPI() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
OrganizationIdentityProviderResource idp = organization.identityProviders().get(bc.getIDPAlias());
IdentityProviderRepresentation idpRep = idp.toRepresentation();
idpRep.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
testRealm().identityProviders().get(idpRep.getAlias()).update(idpRep);
// add the member for the first time
assertBrokerRegistration(organization, bc.getUserEmail());
UserRepresentation member = getUserRepresentation(bc.getUserEmail());
member.setEmail(KeycloakModelUtils.generateId() + "@user.org");
try {
// member has a hard link with the organization, and the email must match the domains set to the organization
testRealm().users().get(member.getId()).update(member);
fail("Should fail because email domain does not match any from organization");
} catch (BadRequestException expected) {
ErrorRepresentation error = expected.getResponse().readEntity(ErrorRepresentation.class);
assertEquals(UserModel.EMAIL, error.getField());
assertEquals("Email domain does not match any domain from the organization", error.getErrorMessage());
}
member.setEmail(member.getEmail().replace("@user.org", "@" + organizationName + ".org"));
testRealm().users().get(member.getId()).update(member);
}
@Test
public void testDeleteManagedMember() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
// add the member for the first time
assertBrokerRegistration(organization, bc.getUserEmail());
UserRepresentation member = getUserRepresentation(bc.getUserEmail());
OrganizationMemberResource organizationMember = organization.members().member(member.getId());
organizationMember.delete().close();
try {
testRealm().users().get(member.getId()).toRepresentation();
fail("it is managed member should be removed from the realm");
} catch (NotFoundException expected) {
}
try {
organizationMember.toRepresentation();
fail("it is managed member should be removed from the realm");
} catch (NotFoundException expected) {
}
}
@Test
public void testRedirectToIdentityProviderAssociatedWithOrganizationDomain() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
idp.setAlias("second-idp");
idp.setInternalId(null);
idp.getConfig().remove(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE);
testRealm().identityProviders().create(idp).close();
getCleanup().addCleanup(testRealm().identityProviders().get("second-idp")::remove);
organization.identityProviders().addIdentityProvider(idp.getAlias()).close();
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
Assert.assertFalse(loginPage.isSocialButtonPresent(idp.getAlias()));
loginPage.loginUsername(bc.getUserEmail());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login(bc.getUserEmail(), bc.getUserPassword());
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(bc.getUserEmail(), bc.getUserEmail(), "Firstname", "Lastname");
appPage.assertCurrent();
assertIsMember(bc.getUserEmail(), organization);
UserRepresentation user = testRealm().users().search(bc.getUserEmail()).get(0);
List<FederatedIdentityRepresentation> federatedIdentities = testRealm().users().get(user.getId()).getFederatedIdentity();
assertEquals(1, federatedIdentities.size());
assertEquals(bc.getIDPAlias(), federatedIdentities.get(0).getIdentityProvider());
}
@Test
public void testIdentityFirstLoginShowsPublicOrganizationBrokers() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
OrganizationRepresentation representation = organization.toRepresentation();
representation.addDomain(new OrganizationDomainRepresentation("other.org"));
organization.update(representation).close();
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
// set a domain to the existing broker
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
idp = bc.setUpIdentityProvider();
idp.setAlias("second-idp");
idp.setInternalId(null);
idp.getConfig().remove(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE);
idp.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
// create a second broker without a domain set
testRealm().identityProviders().create(idp).close();
getCleanup().addCleanup(testRealm().identityProviders().get("second-idp")::remove);
organization.identityProviders().addIdentityProvider(idp.getAlias()).close();
idp = organization.identityProviders().get(idp.getAlias()).toRepresentation();
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
Assert.assertFalse(loginPage.isSocialButtonPresent(idp.getAlias()));
loginPage.loginUsername("external@user.org");
Assert.assertTrue(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
Assert.assertTrue(loginPage.isSocialButtonPresent(idp.getAlias()));
idp.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.FALSE.toString());
testRealm().identityProviders().get(idp.getAlias()).update(idp);
driver.navigate().refresh();
Assert.assertTrue(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
Assert.assertFalse(loginPage.isSocialButtonPresent(idp.getAlias()));
}
@Test
public void testLoginUsingBrokerWithoutDomain() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
// set a domain to the existing broker
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
idp = bc.setUpIdentityProvider();
idp.setAlias("second-idp");
idp.setInternalId(null);
idp.getConfig().remove(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE);
idp.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
// create a second broker without a domain set
testRealm().identityProviders().create(idp).close();
getCleanup().addCleanup(testRealm().identityProviders().get("second-idp")::remove);
organization.identityProviders().addIdentityProvider(idp.getAlias()).close();
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
String email = "external@user.org";
loginPage.loginUsername(email);
loginPage.clickSocial(idp.getAlias());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login("external", "password");
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(email, email, "Firstname", "Lastname");
appPage.assertCurrent();
assertIsMember(email, organization);
// make sure the federated identity matches the expected broker
UserRepresentation user = testRealm().users().search(email).get(0);
List<FederatedIdentityRepresentation> federatedIdentities = testRealm().users().get(user.getId()).getFederatedIdentity();
assertEquals(1, federatedIdentities.size());
assertEquals(idp.getAlias(), federatedIdentities.get(0).getIdentityProvider());
}
@Test
public void testEmailDomainDoesNotMatchBrokerDomain() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
OrganizationRepresentation representation = organization.toRepresentation();
representation.addDomain(new OrganizationDomainRepresentation("other.org"));
organization.update(representation).close();
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
// set a domain to the existing broker
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
idp = bc.setUpIdentityProvider();
idp.setAlias("second-idp");
idp.setInternalId(null);
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "other.org");
idp.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
// create a second broker without a domain set
testRealm().identityProviders().create(idp).close();
getCleanup().addCleanup(testRealm().identityProviders().get("second-idp")::remove);
organization.identityProviders().addIdentityProvider(idp.getAlias()).close();
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
String email = "external@user.org";
loginPage.loginUsername(email);
loginPage.clickSocial(idp.getAlias());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login(email, "password");
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(email, email, "Firstname", "Lastname");
Assert.assertTrue(driver.getPageSource().contains("Email domain does not match any domain from the organization"));
assertIsNotMember(email, organization);
updateAccountInformationPage.updateAccountInformation("external@other.org", "external@other.org", "Firstname", "Lastname");
appPage.assertCurrent();
assertIsMember("external@other.org", organization);
}
@Test
public void testAnyEmailFromBrokerWithoutDomainSet() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
OrganizationRepresentation representation = organization.toRepresentation();
representation.addDomain(new OrganizationDomainRepresentation("other.org"));
organization.update(representation).close();
IdentityProviderRepresentation idp = organization.identityProviders().get(bc.getIDPAlias()).toRepresentation();
idp.getConfig().put(OrganizationModel.ORGANIZATION_DOMAIN_ATTRIBUTE, "neworg.org");
// set a domain to the existing broker
testRealm().identityProviders().get(bc.getIDPAlias()).update(idp);
idp = bc.setUpIdentityProvider();
idp.setAlias("second-idp");
idp.setInternalId(null);
idp.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
// create a second broker without a domain set
testRealm().identityProviders().create(idp).close();
getCleanup().addCleanup(testRealm().identityProviders().get("second-idp")::remove);
organization.identityProviders().addIdentityProvider(idp.getAlias()).close();
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
String email = "external@user.org";
loginPage.loginUsername(email);
loginPage.clickSocial(idp.getAlias());
// user automatically redirected to the organization identity provider
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login(email, "password");
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation("external@unknown.org", "external@unknown.org", "Firstname", "Lastname");
appPage.assertCurrent();
assertIsMember("external@unknown.org", organization);
}
@Test
public void testRealmLevelBrokerNotImpactedByOrganizationFlow() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idp = bc.setUpIdentityProvider();
idp.setAlias("realm-idp");
idp.setInternalId(null);
// create a second broker without a domain set
testRealm().identityProviders().create(idp).close();
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
log.debug("Logging in");
Assert.assertFalse(loginPage.isPasswordInputPresent());
Assert.assertFalse(loginPage.isSocialButtonPresent(bc.getIDPAlias()));
loginPage.loginUsername("some@user.org");
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the consumer realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
loginPage.clickSocial(idp.getAlias());
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login("external", "password");
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(bc.getUserEmail(), bc.getUserEmail(), "Firstname", "Lastname");
appPage.assertCurrent();
assertTrue(organization.members().getAll().isEmpty());
UserRepresentation user = testRealm().users().search(bc.getUserEmail()).get(0);
testRealm().users().get(user.getId()).remove();
}
@Test
public void testMemberRegistrationUsingDifferentDomainThanOrganization() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idpRep = organization.identityProviders().getIdentityProviders().get(0);
// make sure the user can select this idp from the organization when authenticating
idpRep.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
testRealm().identityProviders().get(idpRep.getAlias()).update(idpRep);
// create a user to the provider realm using a email that does not share the same domain as the org
UserRepresentation user = UserBuilder.create()
.username("user")
.email("user@different.org")
.password("password")
.enabled(true)
.build();
realmsResouce().realm(bc.providerRealmName()).users().create(user).close();
// select the organization broker to authenticate
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
loginPage.loginUsername("user@different.org");
loginPage.clickSocial(idpRep.getAlias());
// login through the organization broker
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login("user@different.org", "password");
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(user.getUsername(), user.getEmail(), "Firstname", "Lastname");
appPage.assertCurrent();
}
@Test
public void testMemberFromBrokerRedirectedToOriginBroker() {
OrganizationResource organization = testRealm().organizations().get(createOrganization().getId());
IdentityProviderRepresentation idpRep = organization.identityProviders().getIdentityProviders().get(0);
// make sure the user can select this idp from the organization when authenticating
idpRep.getConfig().put(OrganizationModel.BROKER_PUBLIC, Boolean.TRUE.toString());
testRealm().identityProviders().get(idpRep.getAlias()).update(idpRep);
// create a user to the provider realm using a email that does not share the same domain as the org
UserRepresentation user = UserBuilder.create()
.username("user")
.email("user@different.org")
.password("password")
.enabled(true)
.build();
realmsResouce().realm(bc.providerRealmName()).users().create(user).close();
// execute the identity-first login
oauth.clientId("broker-app");
loginPage.open(bc.consumerRealmName());
loginPage.loginUsername(user.getEmail());
waitForPage(driver, "sign in to", true);
// select the organization broker to authenticate
assertTrue(loginPage.isPasswordInputPresent());
assertTrue(loginPage.isUsernameInputPresent());
loginPage.clickSocial(idpRep.getAlias());
// login through the organization broker
waitForPage(driver, "sign in to", true);
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login("user@different.org", "password");
waitForPage(driver, "update account information", false);
updateAccountInformationPage.assertCurrent();
Assert.assertTrue("We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation(user.getUsername(), user.getEmail(), "Firstname", "Lastname");
UserRepresentation account = getUserRepresentation(user.getEmail());
realmsResouce().realm(bc.consumerRealmName()).users().get(account.getId()).logout();
realmsResouce().realm(bc.providerRealmName()).logoutAll();
// the flow now changed and the user should be automatically redirected to the origin broker
loginPage.open(bc.consumerRealmName());
waitForPage(driver, "sign in to", true);
loginPage.loginUsername(user.getEmail());
Assert.assertTrue("Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + bc.providerRealmName() + "/"));
loginPage.login("user@different.org", "password");
appPage.assertCurrent();
}
private void assertIsNotMember(String userEmail, OrganizationResource organization) {
UsersResource users = adminClient.realm(bc.consumerRealmName()).users();
List<UserRepresentation> reps = users.searchByEmail(userEmail, true);
if (reps.isEmpty()) {
return;
}
assertEquals(1, reps.size());
UserRepresentation account = reps.get(0);
try {
assertNull(organization.members().member(account.getId()).toRepresentation());
} catch (NotFoundException ignore) {
}
}
} }

48
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/admin/OrganizationSAMLBrokerSelfRegistrationTest.java Normal file
View file

@ -0,0 +1,48 @@
/*
* Copyright 2024 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.organization.admin;
import org.keycloak.broker.saml.SAMLIdentityProviderConfig;
import org.keycloak.common.Profile.Feature;
import org.keycloak.models.IdentityProviderSyncMode;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import org.keycloak.testsuite.broker.BrokerConfiguration;
import org.keycloak.testsuite.broker.KcSamlBrokerConfiguration;
@EnableFeature(Feature.ORGANIZATION)
public class OrganizationSAMLBrokerSelfRegistrationTest extends AbstractBrokerSelfRegistrationTest {
@Override
protected BrokerConfiguration createBrokerConfiguration() {
return new KcSamlBrokerConfiguration() {
@Override
public String getIDPClientIdInProviderRealm() {
return "saml-broker";
}
@Override
public IdentityProviderRepresentation setUpIdentityProvider(IdentityProviderSyncMode syncMode) {
IdentityProviderRepresentation broker = super.setUpIdentityProvider(syncMode);
broker.getConfig().put(SAMLIdentityProviderConfig.ENTITY_ID, getIDPClientIdInProviderRealm());
return broker;
}
};
}
}