more
This commit is contained in:
Bill Burke
parent
b54061fc3f
commit
9ab023cc6c
8 changed files with 315 additions and 275 deletions
|
|
@ -25,11 +25,6 @@
|
||||||
<listener-class>org.keycloak.services.listeners.KeycloakSessionDestroyListener</listener-class>
|
<listener-class>org.keycloak.services.listeners.KeycloakSessionDestroyListener</listener-class>
|
||||||
</listener>
|
</listener>
|
||||||
|
|
||||||
<filter>
|
|
||||||
<filter-name>Keycloak Client Connection Filter</filter-name>
|
|
||||||
<filter-class>org.keycloak.services.filters.ClientConnectionFilter</filter-class>
|
|
||||||
</filter>
|
|
||||||
|
|
||||||
<filter>
|
<filter>
|
||||||
<filter-name>Keycloak Session Management</filter-name>
|
<filter-name>Keycloak Session Management</filter-name>
|
||||||
<filter-class>org.keycloak.services.filters.KeycloakSessionServletFilter</filter-class>
|
<filter-class>org.keycloak.services.filters.KeycloakSessionServletFilter</filter-class>
|
||||||
|
|
|
||||||
6
model/api/src/main/java/org/keycloak/models/KeycloakContext.java
Normal file → Executable file
6
model/api/src/main/java/org/keycloak/models/KeycloakContext.java
Normal file → Executable file
|
|
@ -1,5 +1,7 @@
|
||||||
package org.keycloak.models;
|
package org.keycloak.models;
|
||||||
|
|
||||||
|
import org.keycloak.ClientConnection;
|
||||||
|
|
||||||
import javax.ws.rs.core.HttpHeaders;
|
import javax.ws.rs.core.HttpHeaders;
|
||||||
import javax.ws.rs.core.UriInfo;
|
import javax.ws.rs.core.UriInfo;
|
||||||
|
|
||||||
|
|
@ -20,4 +22,8 @@ public interface KeycloakContext {
|
||||||
|
|
||||||
void setClient(ClientModel client);
|
void setClient(ClientModel client);
|
||||||
|
|
||||||
|
ClientConnection getConnection();
|
||||||
|
|
||||||
|
void setConnection(ClientConnection connection);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -434,7 +434,7 @@ public class AuthenticationProcessor {
|
||||||
if (authenticator.requiresUser() && authUser != null) {
|
if (authenticator.requiresUser() && authUser != null) {
|
||||||
configuredFor = authenticator.configuredFor(session, realm, authUser);
|
configuredFor = authenticator.configuredFor(session, realm, authUser);
|
||||||
if (!configuredFor) {
|
if (!configuredFor) {
|
||||||
if (model.getRequirement() == AuthenticationExecutionModel.Requirement.REQUIRED) {
|
if (model.isRequired()) {
|
||||||
if (model.isUserSetupAllowed()) {
|
if (model.isUserSetupAllowed()) {
|
||||||
clientSession.setAuthenticatorStatus(model.getId(), UserSessionModel.AuthenticatorStatus.SETUP_REQUIRED);
|
clientSession.setAuthenticatorStatus(model.getId(), UserSessionModel.AuthenticatorStatus.SETUP_REQUIRED);
|
||||||
String requiredAction = authenticator.getRequiredAction();
|
String requiredAction = authenticator.getRequiredAction();
|
||||||
|
|
@ -445,6 +445,9 @@ public class AuthenticationProcessor {
|
||||||
} else {
|
} else {
|
||||||
throw new AuthException(Error.CREDENTIAL_SETUP_REQUIRED);
|
throw new AuthException(Error.CREDENTIAL_SETUP_REQUIRED);
|
||||||
}
|
}
|
||||||
|
} else if (model.isOptional()) {
|
||||||
|
clientSession.setAuthenticatorStatus(model.getId(), UserSessionModel.AuthenticatorStatus.SKIPPED);
|
||||||
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -477,7 +480,9 @@ public class AuthenticationProcessor {
|
||||||
clientSession.setAuthenticatorStatus(model.getId(), UserSessionModel.AuthenticatorStatus.CHALLENGED);
|
clientSession.setAuthenticatorStatus(model.getId(), UserSessionModel.AuthenticatorStatus.CHALLENGED);
|
||||||
return context.challenge;
|
return context.challenge;
|
||||||
} else if (result == Status.ATTEMPTED) {
|
} else if (result == Status.ATTEMPTED) {
|
||||||
if (model.getRequirement() == AuthenticationExecutionModel.Requirement.REQUIRED) throw new AuthException(Error.INVALID_CREDENTIALS);
|
if (model.getRequirement() == AuthenticationExecutionModel.Requirement.REQUIRED) {
|
||||||
|
throw new AuthException(Error.INVALID_CREDENTIALS);
|
||||||
|
}
|
||||||
clientSession.setAuthenticatorStatus(model.getId(), UserSessionModel.AuthenticatorStatus.ATTEMPTED);
|
clientSession.setAuthenticatorStatus(model.getId(), UserSessionModel.AuthenticatorStatus.ATTEMPTED);
|
||||||
continue;
|
continue;
|
||||||
} else {
|
} else {
|
||||||
|
|
|
||||||
12
services/src/main/java/org/keycloak/services/DefaultKeycloakContext.java
Normal file → Executable file
12
services/src/main/java/org/keycloak/services/DefaultKeycloakContext.java
Normal file → Executable file
|
|
@ -1,6 +1,7 @@
|
||||||
package org.keycloak.services;
|
package org.keycloak.services;
|
||||||
|
|
||||||
import org.jboss.resteasy.spi.ResteasyProviderFactory;
|
import org.jboss.resteasy.spi.ResteasyProviderFactory;
|
||||||
|
import org.keycloak.ClientConnection;
|
||||||
import org.keycloak.models.ClientModel;
|
import org.keycloak.models.ClientModel;
|
||||||
import org.keycloak.models.KeycloakContext;
|
import org.keycloak.models.KeycloakContext;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
|
|
@ -17,6 +18,8 @@ public class DefaultKeycloakContext implements KeycloakContext {
|
||||||
|
|
||||||
private ClientModel client;
|
private ClientModel client;
|
||||||
|
|
||||||
|
private ClientConnection connection;
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public UriInfo getUri() {
|
public UriInfo getUri() {
|
||||||
return ResteasyProviderFactory.getContextData(UriInfo.class);
|
return ResteasyProviderFactory.getContextData(UriInfo.class);
|
||||||
|
|
@ -47,4 +50,13 @@ public class DefaultKeycloakContext implements KeycloakContext {
|
||||||
this.client = client;
|
this.client = client;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public ClientConnection getConnection() {
|
||||||
|
return connection;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void setConnection(ClientConnection connection) {
|
||||||
|
this.connection = connection;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -15,6 +15,7 @@ import java.io.IOException;
|
||||||
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
|
||||||
* @version $Revision: 1 $
|
* @version $Revision: 1 $
|
||||||
*/
|
*/
|
||||||
|
@Deprecated
|
||||||
public class ClientConnectionFilter implements Filter {
|
public class ClientConnectionFilter implements Filter {
|
||||||
@Override
|
@Override
|
||||||
public void init(FilterConfig filterConfig) throws ServletException {
|
public void init(FilterConfig filterConfig) throws ServletException {
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,7 @@
|
||||||
package org.keycloak.services.filters;
|
package org.keycloak.services.filters;
|
||||||
|
|
||||||
import org.jboss.resteasy.spi.ResteasyProviderFactory;
|
import org.jboss.resteasy.spi.ResteasyProviderFactory;
|
||||||
|
import org.keycloak.ClientConnection;
|
||||||
import org.keycloak.models.KeycloakSession;
|
import org.keycloak.models.KeycloakSession;
|
||||||
import org.keycloak.models.KeycloakSessionFactory;
|
import org.keycloak.models.KeycloakSessionFactory;
|
||||||
import org.keycloak.models.KeycloakTransaction;
|
import org.keycloak.models.KeycloakTransaction;
|
||||||
|
|
@ -26,11 +27,29 @@ public class KeycloakSessionServletFilter implements Filter {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
|
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
|
||||||
HttpServletRequest request = (HttpServletRequest)servletRequest;
|
final HttpServletRequest request = (HttpServletRequest)servletRequest;
|
||||||
|
|
||||||
KeycloakSessionFactory sessionFactory = (KeycloakSessionFactory) servletRequest.getServletContext().getAttribute(KeycloakSessionFactory.class.getName());
|
KeycloakSessionFactory sessionFactory = (KeycloakSessionFactory) servletRequest.getServletContext().getAttribute(KeycloakSessionFactory.class.getName());
|
||||||
KeycloakSession session = sessionFactory.create();
|
KeycloakSession session = sessionFactory.create();
|
||||||
ResteasyProviderFactory.pushContext(KeycloakSession.class, session);
|
ResteasyProviderFactory.pushContext(KeycloakSession.class, session);
|
||||||
|
ClientConnection connection = new ClientConnection() {
|
||||||
|
@Override
|
||||||
|
public String getRemoteAddr() {
|
||||||
|
return request.getRemoteAddr();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getRemoteHost() {
|
||||||
|
return request.getRemoteHost();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public int getReportPort() {
|
||||||
|
return request.getRemotePort();
|
||||||
|
}
|
||||||
|
};
|
||||||
|
session.getContext().setConnection(connection);
|
||||||
|
ResteasyProviderFactory.pushContext(ClientConnection.class, connection);
|
||||||
|
|
||||||
KeycloakTransaction tx = session.getTransaction();
|
KeycloakTransaction tx = session.getTransaction();
|
||||||
ResteasyProviderFactory.pushContext(KeycloakTransaction.class, tx);
|
ResteasyProviderFactory.pushContext(KeycloakTransaction.class, tx);
|
||||||
|
|
|
||||||
|
|
@ -315,6 +315,8 @@ public class LoginActionsService {
|
||||||
event.error(Errors.CLIENT_NOT_FOUND);
|
event.error(Errors.CLIENT_NOT_FOUND);
|
||||||
return ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER);
|
return ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER);
|
||||||
}
|
}
|
||||||
|
session.getContext().setClient(client);
|
||||||
|
|
||||||
if (!client.isEnabled()) {
|
if (!client.isEnabled()) {
|
||||||
event.error(Errors.CLIENT_NOT_FOUND);
|
event.error(Errors.CLIENT_NOT_FOUND);
|
||||||
return ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED);
|
return ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED);
|
||||||
|
|
|
||||||
|
|
@ -1,267 +1,267 @@
|
||||||
/*
|
/*
|
||||||
* JBoss, Home of Professional Open Source.
|
* JBoss, Home of Professional Open Source.
|
||||||
* Copyright 2012, Red Hat, Inc., and individual contributors
|
* Copyright 2012, Red Hat, Inc., and individual contributors
|
||||||
* as indicated by the @author tags. See the copyright.txt file in the
|
* as indicated by the @author tags. See the copyright.txt file in the
|
||||||
* distribution for a full listing of individual contributors.
|
* distribution for a full listing of individual contributors.
|
||||||
*
|
*
|
||||||
* This is free software; you can redistribute it and/or modify it
|
* This is free software; you can redistribute it and/or modify it
|
||||||
* under the terms of the GNU Lesser General Public License as
|
* under the terms of the GNU Lesser General Public License as
|
||||||
* published by the Free Software Foundation; either version 2.1 of
|
* published by the Free Software Foundation; either version 2.1 of
|
||||||
* the License, or (at your option) any later version.
|
* the License, or (at your option) any later version.
|
||||||
*
|
*
|
||||||
* This software is distributed in the hope that it will be useful,
|
* This software is distributed in the hope that it will be useful,
|
||||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
* Lesser General Public License for more details.
|
* Lesser General Public License for more details.
|
||||||
*
|
*
|
||||||
* You should have received a copy of the GNU Lesser General Public
|
* You should have received a copy of the GNU Lesser General Public
|
||||||
* License along with this software; if not, write to the Free
|
* License along with this software; if not, write to the Free
|
||||||
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
|
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
|
||||||
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
|
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
|
||||||
*/
|
*/
|
||||||
package org.keycloak.testsuite.oauth;
|
package org.keycloak.testsuite.oauth;
|
||||||
|
|
||||||
import org.junit.Assert;
|
import org.junit.Assert;
|
||||||
import org.junit.ClassRule;
|
import org.junit.ClassRule;
|
||||||
import org.junit.Rule;
|
import org.junit.Rule;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.keycloak.OAuth2Constants;
|
import org.keycloak.OAuth2Constants;
|
||||||
import org.keycloak.constants.KerberosConstants;
|
import org.keycloak.constants.KerberosConstants;
|
||||||
import org.keycloak.events.Details;
|
import org.keycloak.events.Details;
|
||||||
import org.keycloak.events.Event;
|
import org.keycloak.events.Event;
|
||||||
import org.keycloak.events.EventType;
|
import org.keycloak.events.EventType;
|
||||||
import org.keycloak.models.ClientModel;
|
import org.keycloak.models.ClientModel;
|
||||||
import org.keycloak.models.ProtocolMapperModel;
|
import org.keycloak.models.ProtocolMapperModel;
|
||||||
import org.keycloak.models.RealmModel;
|
import org.keycloak.models.RealmModel;
|
||||||
import org.keycloak.models.RoleModel;
|
import org.keycloak.models.RoleModel;
|
||||||
import org.keycloak.models.UserModel;
|
import org.keycloak.models.UserModel;
|
||||||
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
|
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
|
||||||
import org.keycloak.protocol.oidc.OIDCLoginProtocolFactory;
|
import org.keycloak.protocol.oidc.OIDCLoginProtocolFactory;
|
||||||
import org.keycloak.protocol.oidc.mappers.UserSessionNoteMapper;
|
import org.keycloak.protocol.oidc.mappers.UserSessionNoteMapper;
|
||||||
import org.keycloak.representations.AccessToken;
|
import org.keycloak.representations.AccessToken;
|
||||||
import org.keycloak.services.managers.RealmManager;
|
import org.keycloak.services.managers.RealmManager;
|
||||||
import org.keycloak.testsuite.AssertEvents;
|
import org.keycloak.testsuite.AssertEvents;
|
||||||
import org.keycloak.testsuite.OAuthClient;
|
import org.keycloak.testsuite.OAuthClient;
|
||||||
import org.keycloak.testsuite.pages.AccountApplicationsPage;
|
import org.keycloak.testsuite.pages.AccountApplicationsPage;
|
||||||
import org.keycloak.testsuite.pages.AppPage;
|
import org.keycloak.testsuite.pages.AppPage;
|
||||||
import org.keycloak.testsuite.pages.LoginPage;
|
import org.keycloak.testsuite.pages.LoginPage;
|
||||||
import org.keycloak.testsuite.pages.OAuthGrantPage;
|
import org.keycloak.testsuite.pages.OAuthGrantPage;
|
||||||
import org.keycloak.testsuite.rule.KeycloakRule;
|
import org.keycloak.testsuite.rule.KeycloakRule;
|
||||||
import org.keycloak.testsuite.rule.WebResource;
|
import org.keycloak.testsuite.rule.WebResource;
|
||||||
import org.keycloak.testsuite.rule.WebRule;
|
import org.keycloak.testsuite.rule.WebRule;
|
||||||
import org.openqa.selenium.WebDriver;
|
import org.openqa.selenium.WebDriver;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
|
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:vrockai@redhat.com">Viliam Rockai</a>
|
* @author <a href="mailto:vrockai@redhat.com">Viliam Rockai</a>
|
||||||
*/
|
*/
|
||||||
public class OAuthGrantTest {
|
public class OAuthGrantTest {
|
||||||
|
|
||||||
@ClassRule
|
@ClassRule
|
||||||
public static KeycloakRule keycloakRule = new KeycloakRule();
|
public static KeycloakRule keycloakRule = new KeycloakRule();
|
||||||
|
|
||||||
@Rule
|
@Rule
|
||||||
public AssertEvents events = new AssertEvents(keycloakRule);
|
public AssertEvents events = new AssertEvents(keycloakRule);
|
||||||
|
|
||||||
@Rule
|
@Rule
|
||||||
public WebRule webRule = new WebRule(this);
|
public WebRule webRule = new WebRule(this);
|
||||||
|
|
||||||
@WebResource
|
@WebResource
|
||||||
protected WebDriver driver;
|
protected WebDriver driver;
|
||||||
|
|
||||||
@WebResource
|
@WebResource
|
||||||
protected OAuthClient oauth;
|
protected OAuthClient oauth;
|
||||||
|
|
||||||
@WebResource
|
@WebResource
|
||||||
protected LoginPage loginPage;
|
protected LoginPage loginPage;
|
||||||
|
|
||||||
@WebResource
|
@WebResource
|
||||||
protected OAuthGrantPage grantPage;
|
protected OAuthGrantPage grantPage;
|
||||||
|
|
||||||
@WebResource
|
@WebResource
|
||||||
protected AccountApplicationsPage accountAppsPage;
|
protected AccountApplicationsPage accountAppsPage;
|
||||||
|
|
||||||
@WebResource
|
@WebResource
|
||||||
protected AppPage appPage;
|
protected AppPage appPage;
|
||||||
|
|
||||||
private static String ROLE_USER = "Have User privileges";
|
private static String ROLE_USER = "Have User privileges";
|
||||||
private static String ROLE_CUSTOMER = "Have Customer User privileges";
|
private static String ROLE_CUSTOMER = "Have Customer User privileges";
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void oauthGrantAcceptTest() {
|
public void oauthGrantAcceptTest() {
|
||||||
oauth.clientId("third-party");
|
oauth.clientId("third-party");
|
||||||
oauth.doLoginGrant("test-user@localhost", "password");
|
oauth.doLoginGrant("test-user@localhost", "password");
|
||||||
|
|
||||||
grantPage.assertCurrent();
|
grantPage.assertCurrent();
|
||||||
Assert.assertTrue(driver.getPageSource().contains(ROLE_USER));
|
Assert.assertTrue(driver.getPageSource().contains(ROLE_USER));
|
||||||
Assert.assertTrue(driver.getPageSource().contains(ROLE_CUSTOMER));
|
Assert.assertTrue(driver.getPageSource().contains(ROLE_CUSTOMER));
|
||||||
|
|
||||||
grantPage.accept();
|
grantPage.accept();
|
||||||
|
|
||||||
Assert.assertTrue(oauth.getCurrentQuery().containsKey(OAuth2Constants.CODE));
|
Assert.assertTrue(oauth.getCurrentQuery().containsKey(OAuth2Constants.CODE));
|
||||||
|
|
||||||
Event loginEvent = events.expectLogin().client("third-party").assertEvent();
|
Event loginEvent = events.expectLogin().client("third-party").assertEvent();
|
||||||
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
|
String codeId = loginEvent.getDetails().get(Details.CODE_ID);
|
||||||
String sessionId = loginEvent.getSessionId();
|
String sessionId = loginEvent.getSessionId();
|
||||||
|
|
||||||
OAuthClient.AccessTokenResponse accessToken = oauth.doAccessTokenRequest(oauth.getCurrentQuery().get(OAuth2Constants.CODE), "password");
|
OAuthClient.AccessTokenResponse accessToken = oauth.doAccessTokenRequest(oauth.getCurrentQuery().get(OAuth2Constants.CODE), "password");
|
||||||
|
|
||||||
String tokenString = accessToken.getAccessToken();
|
String tokenString = accessToken.getAccessToken();
|
||||||
Assert.assertNotNull(tokenString);
|
Assert.assertNotNull(tokenString);
|
||||||
AccessToken token = oauth.verifyToken(tokenString);
|
AccessToken token = oauth.verifyToken(tokenString);
|
||||||
assertEquals(sessionId, token.getSessionState());
|
assertEquals(sessionId, token.getSessionState());
|
||||||
|
|
||||||
AccessToken.Access realmAccess = token.getRealmAccess();
|
AccessToken.Access realmAccess = token.getRealmAccess();
|
||||||
assertEquals(1, realmAccess.getRoles().size());
|
assertEquals(1, realmAccess.getRoles().size());
|
||||||
Assert.assertTrue(realmAccess.isUserInRole("user"));
|
Assert.assertTrue(realmAccess.isUserInRole("user"));
|
||||||
|
|
||||||
Map<String,AccessToken.Access> resourceAccess = token.getResourceAccess();
|
Map<String,AccessToken.Access> resourceAccess = token.getResourceAccess();
|
||||||
assertEquals(1, resourceAccess.size());
|
assertEquals(1, resourceAccess.size());
|
||||||
assertEquals(1, resourceAccess.get("test-app").getRoles().size());
|
assertEquals(1, resourceAccess.get("test-app").getRoles().size());
|
||||||
Assert.assertTrue(resourceAccess.get("test-app").isUserInRole("customer-user"));
|
Assert.assertTrue(resourceAccess.get("test-app").isUserInRole("customer-user"));
|
||||||
|
|
||||||
events.expectCodeToToken(codeId, loginEvent.getSessionId()).client("third-party").assertEvent();
|
events.expectCodeToToken(codeId, loginEvent.getSessionId()).client("third-party").assertEvent();
|
||||||
|
|
||||||
accountAppsPage.open();
|
accountAppsPage.open();
|
||||||
accountAppsPage.revokeGrant("third-party");
|
accountAppsPage.revokeGrant("third-party");
|
||||||
|
|
||||||
events.expect(EventType.REVOKE_GRANT)
|
events.expect(EventType.REVOKE_GRANT)
|
||||||
.client("account").detail(Details.REVOKED_CLIENT, "third-party").assertEvent();
|
.client("account").detail(Details.REVOKED_CLIENT, "third-party").assertEvent();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void oauthGrantCancelTest() {
|
public void oauthGrantCancelTest() {
|
||||||
oauth.clientId("third-party");
|
oauth.clientId("third-party");
|
||||||
oauth.doLoginGrant("test-user@localhost", "password");
|
oauth.doLoginGrant("test-user@localhost", "password");
|
||||||
|
|
||||||
grantPage.assertCurrent();
|
grantPage.assertCurrent();
|
||||||
Assert.assertTrue(driver.getPageSource().contains(ROLE_USER));
|
Assert.assertTrue(driver.getPageSource().contains(ROLE_USER));
|
||||||
Assert.assertTrue(driver.getPageSource().contains(ROLE_CUSTOMER));
|
Assert.assertTrue(driver.getPageSource().contains(ROLE_CUSTOMER));
|
||||||
|
|
||||||
grantPage.cancel();
|
grantPage.cancel();
|
||||||
|
|
||||||
Assert.assertTrue(oauth.getCurrentQuery().containsKey(OAuth2Constants.ERROR));
|
Assert.assertTrue(oauth.getCurrentQuery().containsKey(OAuth2Constants.ERROR));
|
||||||
assertEquals("access_denied", oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
|
assertEquals("access_denied", oauth.getCurrentQuery().get(OAuth2Constants.ERROR));
|
||||||
|
|
||||||
events.expectLogin().client("third-party").error("rejected_by_user").assertEvent();
|
events.expectLogin().client("third-party").error("rejected_by_user").assertEvent();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void oauthGrantNotShownWhenAlreadyGranted() {
|
public void oauthGrantNotShownWhenAlreadyGranted() {
|
||||||
// Grant permissions on grant screen
|
// Grant permissions on grant screen
|
||||||
oauth.clientId("third-party");
|
oauth.clientId("third-party");
|
||||||
oauth.doLoginGrant("test-user@localhost", "password");
|
oauth.doLoginGrant("test-user@localhost", "password");
|
||||||
|
|
||||||
grantPage.assertCurrent();
|
grantPage.assertCurrent();
|
||||||
grantPage.accept();
|
grantPage.accept();
|
||||||
|
|
||||||
events.expectLogin().client("third-party").assertEvent();
|
events.expectLogin().client("third-party").assertEvent();
|
||||||
|
|
||||||
// Assert permissions granted on Account mgmt. applications page
|
// Assert permissions granted on Account mgmt. applications page
|
||||||
accountAppsPage.open();
|
accountAppsPage.open();
|
||||||
AccountApplicationsPage.AppEntry thirdPartyEntry = accountAppsPage.getApplications().get("third-party");
|
AccountApplicationsPage.AppEntry thirdPartyEntry = accountAppsPage.getApplications().get("third-party");
|
||||||
Assert.assertTrue(thirdPartyEntry.getRolesGranted().contains(ROLE_USER));
|
Assert.assertTrue(thirdPartyEntry.getRolesGranted().contains(ROLE_USER));
|
||||||
Assert.assertTrue(thirdPartyEntry.getRolesGranted().contains("Have Customer User privileges in test-app"));
|
Assert.assertTrue(thirdPartyEntry.getRolesGranted().contains("Have Customer User privileges in test-app"));
|
||||||
Assert.assertTrue(thirdPartyEntry.getProtocolMappersGranted().contains("Full name"));
|
Assert.assertTrue(thirdPartyEntry.getProtocolMappersGranted().contains("Full name"));
|
||||||
Assert.assertTrue(thirdPartyEntry.getProtocolMappersGranted().contains("Email"));
|
Assert.assertTrue(thirdPartyEntry.getProtocolMappersGranted().contains("Email"));
|
||||||
|
|
||||||
// Open login form and assert grantPage not shown
|
// Open login form and assert grantPage not shown
|
||||||
oauth.openLoginForm();
|
oauth.openLoginForm();
|
||||||
appPage.assertCurrent();
|
appPage.assertCurrent();
|
||||||
events.expectLogin().detail(Details.AUTH_METHOD, "sso").removeDetail(Details.USERNAME).client("third-party").assertEvent();
|
events.expectLogin().removeDetail(Details.USERNAME).client("third-party").assertEvent();
|
||||||
|
|
||||||
// Revoke grant in account mgmt.
|
// Revoke grant in account mgmt.
|
||||||
accountAppsPage.open();
|
accountAppsPage.open();
|
||||||
accountAppsPage.revokeGrant("third-party");
|
accountAppsPage.revokeGrant("third-party");
|
||||||
|
|
||||||
events.expect(EventType.REVOKE_GRANT)
|
events.expect(EventType.REVOKE_GRANT)
|
||||||
.client("account").detail(Details.REVOKED_CLIENT, "third-party").assertEvent();
|
.client("account").detail(Details.REVOKED_CLIENT, "third-party").assertEvent();
|
||||||
|
|
||||||
// Open login form again and assert grant Page is shown
|
// Open login form again and assert grant Page is shown
|
||||||
oauth.openLoginForm();
|
oauth.openLoginForm();
|
||||||
grantPage.assertCurrent();
|
grantPage.assertCurrent();
|
||||||
Assert.assertTrue(driver.getPageSource().contains(ROLE_USER));
|
Assert.assertTrue(driver.getPageSource().contains(ROLE_USER));
|
||||||
Assert.assertTrue(driver.getPageSource().contains(ROLE_CUSTOMER));
|
Assert.assertTrue(driver.getPageSource().contains(ROLE_CUSTOMER));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void oauthGrantAddAnotherRoleAndMapper() {
|
public void oauthGrantAddAnotherRoleAndMapper() {
|
||||||
// Grant permissions on grant screen
|
// Grant permissions on grant screen
|
||||||
oauth.clientId("third-party");
|
oauth.clientId("third-party");
|
||||||
oauth.doLoginGrant("test-user@localhost", "password");
|
oauth.doLoginGrant("test-user@localhost", "password");
|
||||||
|
|
||||||
// Add new protocolMapper and role before showing grant page
|
// Add new protocolMapper and role before showing grant page
|
||||||
keycloakRule.update(new KeycloakRule.KeycloakSetup() {
|
keycloakRule.update(new KeycloakRule.KeycloakSetup() {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||||
ProtocolMapperModel protocolMapper = UserSessionNoteMapper.createClaimMapper(KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME,
|
ProtocolMapperModel protocolMapper = UserSessionNoteMapper.createClaimMapper(KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME,
|
||||||
KerberosConstants.GSS_DELEGATION_CREDENTIAL,
|
KerberosConstants.GSS_DELEGATION_CREDENTIAL,
|
||||||
KerberosConstants.GSS_DELEGATION_CREDENTIAL, "String",
|
KerberosConstants.GSS_DELEGATION_CREDENTIAL, "String",
|
||||||
true, KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME,
|
true, KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME,
|
||||||
true, false);
|
true, false);
|
||||||
|
|
||||||
ClientModel thirdPartyApp = appRealm.getClientByClientId("third-party");
|
ClientModel thirdPartyApp = appRealm.getClientByClientId("third-party");
|
||||||
thirdPartyApp.addProtocolMapper(protocolMapper);
|
thirdPartyApp.addProtocolMapper(protocolMapper);
|
||||||
|
|
||||||
RoleModel newRole = appRealm.addRole("new-role");
|
RoleModel newRole = appRealm.addRole("new-role");
|
||||||
thirdPartyApp.addScopeMapping(newRole);
|
thirdPartyApp.addScopeMapping(newRole);
|
||||||
UserModel testUser = manager.getSession().users().getUserByUsername("test-user@localhost", appRealm);
|
UserModel testUser = manager.getSession().users().getUserByUsername("test-user@localhost", appRealm);
|
||||||
testUser.grantRole(newRole);
|
testUser.grantRole(newRole);
|
||||||
}
|
}
|
||||||
|
|
||||||
});
|
});
|
||||||
|
|
||||||
// Confirm grant page
|
// Confirm grant page
|
||||||
grantPage.assertCurrent();
|
grantPage.assertCurrent();
|
||||||
grantPage.accept();
|
grantPage.accept();
|
||||||
events.expectLogin().client("third-party").assertEvent();
|
events.expectLogin().client("third-party").assertEvent();
|
||||||
|
|
||||||
// Assert new role and protocol mapper not in account mgmt.
|
// Assert new role and protocol mapper not in account mgmt.
|
||||||
accountAppsPage.open();
|
accountAppsPage.open();
|
||||||
AccountApplicationsPage.AppEntry appEntry = accountAppsPage.getApplications().get("third-party");
|
AccountApplicationsPage.AppEntry appEntry = accountAppsPage.getApplications().get("third-party");
|
||||||
Assert.assertFalse(appEntry.getRolesGranted().contains("new-role"));
|
Assert.assertFalse(appEntry.getRolesGranted().contains("new-role"));
|
||||||
Assert.assertFalse(appEntry.getProtocolMappersGranted().contains(KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME));
|
Assert.assertFalse(appEntry.getProtocolMappersGranted().contains(KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME));
|
||||||
|
|
||||||
// Show grant page another time. Just new role and protocol mapper are on the page
|
// Show grant page another time. Just new role and protocol mapper are on the page
|
||||||
oauth.openLoginForm();
|
oauth.openLoginForm();
|
||||||
grantPage.assertCurrent();
|
grantPage.assertCurrent();
|
||||||
Assert.assertFalse(driver.getPageSource().contains(ROLE_USER));
|
Assert.assertFalse(driver.getPageSource().contains(ROLE_USER));
|
||||||
Assert.assertFalse(driver.getPageSource().contains("Full name"));
|
Assert.assertFalse(driver.getPageSource().contains("Full name"));
|
||||||
Assert.assertTrue(driver.getPageSource().contains("new-role"));
|
Assert.assertTrue(driver.getPageSource().contains("new-role"));
|
||||||
Assert.assertTrue(driver.getPageSource().contains(KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME));
|
Assert.assertTrue(driver.getPageSource().contains(KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME));
|
||||||
grantPage.accept();
|
grantPage.accept();
|
||||||
events.expectLogin().client("third-party").assertEvent();
|
events.expectLogin().client("third-party").assertEvent();
|
||||||
|
|
||||||
// Go to account mgmt. Everything is granted now
|
// Go to account mgmt. Everything is granted now
|
||||||
accountAppsPage.open();
|
accountAppsPage.open();
|
||||||
appEntry = accountAppsPage.getApplications().get("third-party");
|
appEntry = accountAppsPage.getApplications().get("third-party");
|
||||||
Assert.assertTrue(appEntry.getRolesGranted().contains("new-role"));
|
Assert.assertTrue(appEntry.getRolesGranted().contains("new-role"));
|
||||||
Assert.assertTrue(appEntry.getProtocolMappersGranted().contains(KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME));
|
Assert.assertTrue(appEntry.getProtocolMappersGranted().contains(KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME));
|
||||||
|
|
||||||
// Revoke
|
// Revoke
|
||||||
accountAppsPage.revokeGrant("third-party");
|
accountAppsPage.revokeGrant("third-party");
|
||||||
events.expect(EventType.REVOKE_GRANT)
|
events.expect(EventType.REVOKE_GRANT)
|
||||||
.client("account").detail(Details.REVOKED_CLIENT, "third-party").assertEvent();
|
.client("account").detail(Details.REVOKED_CLIENT, "third-party").assertEvent();
|
||||||
|
|
||||||
// Cleanup
|
// Cleanup
|
||||||
keycloakRule.update(new KeycloakRule.KeycloakSetup() {
|
keycloakRule.update(new KeycloakRule.KeycloakSetup() {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
|
||||||
ClientModel thirdPartyApp = appRealm.getClientByClientId("third-party");
|
ClientModel thirdPartyApp = appRealm.getClientByClientId("third-party");
|
||||||
ProtocolMapperModel gssMapper = thirdPartyApp.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME);
|
ProtocolMapperModel gssMapper = thirdPartyApp.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME);
|
||||||
thirdPartyApp.removeProtocolMapper(gssMapper);
|
thirdPartyApp.removeProtocolMapper(gssMapper);
|
||||||
|
|
||||||
RoleModel newRole = appRealm.getRole("new-role");
|
RoleModel newRole = appRealm.getRole("new-role");
|
||||||
appRealm.removeRole(newRole);
|
appRealm.removeRole(newRole);
|
||||||
}
|
}
|
||||||
|
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue