KEYCLOAK-17939 Enable Client policies feature by default
parent
6e139b8fda
commit
ab13e3e4fe
8 changed files with 98 additions and 16 deletions
|
@ -55,7 +55,7 @@ public class Profile {
|
||||||
TOKEN_EXCHANGE(Type.PREVIEW),
|
TOKEN_EXCHANGE(Type.PREVIEW),
|
||||||
UPLOAD_SCRIPTS(DEPRECATED),
|
UPLOAD_SCRIPTS(DEPRECATED),
|
||||||
WEB_AUTHN(Type.DEFAULT, Type.PREVIEW),
|
WEB_AUTHN(Type.DEFAULT, Type.PREVIEW),
|
||||||
CLIENT_POLICIES(Type.PREVIEW),
|
CLIENT_POLICIES(Type.DEFAULT),
|
||||||
CIBA(Type.PREVIEW),
|
CIBA(Type.PREVIEW),
|
||||||
MAP_STORAGE(Type.EXPERIMENTAL);
|
MAP_STORAGE(Type.EXPERIMENTAL);
|
||||||
|
|
||||||
|
|
|
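Review bot: The switch of `CLIENT_POLICIES` to `Type.DEFAULT` has no comment recording that the feature is now on by default for both profiles. The single-argument form is used, and the ProfileTest expectations in this commit drop it from the disabled and preview lists of the community and the product profile alike. Judging by ClientPoliciesFeatureTest, this makes the client-policies admin resource and its executor and condition providers available in deployments that never opted in, so I would note it on the constant, for example `// Enabled by default in community and product (KEYCLOAK-17939); must be disabled explicitly to opt out`. The Feature enum starts above this hunk and continues below it.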
@ -21,8 +21,8 @@ public class ProfileTest {
|
||||||
@Test
|
@Test
|
||||||
public void checkDefaultsKeycloak() {
|
public void checkDefaultsKeycloak() {
|
||||||
Assert.assertEquals("community", Profile.getName());
|
Assert.assertEquals("community", Profile.getName());
|
||||||
assertEquals(Profile.getDisabledFeatures(), Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.DOCKER, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.UPLOAD_SCRIPTS, Profile.Feature.CLIENT_POLICIES, Profile.Feature.CIBA, Profile.Feature.MAP_STORAGE);
|
assertEquals(Profile.getDisabledFeatures(), Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.DOCKER, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.UPLOAD_SCRIPTS, Profile.Feature.CIBA, Profile.Feature.MAP_STORAGE);
|
||||||
assertEquals(Profile.getPreviewFeatures(), Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.CLIENT_POLICIES, Profile.Feature.CIBA);
|
assertEquals(Profile.getPreviewFeatures(), Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.CIBA);
|
||||||
assertEquals(Profile.getDeprecatedFeatures(), Profile.Feature.UPLOAD_SCRIPTS);
|
assertEquals(Profile.getDeprecatedFeatures(), Profile.Feature.UPLOAD_SCRIPTS);
|
||||||
|
|
||||||
Assert.assertTrue(Profile.Feature.WEB_AUTHN.hasDifferentProductType());
|
Assert.assertTrue(Profile.Feature.WEB_AUTHN.hasDifferentProductType());
|
||||||
|
@ -37,8 +37,8 @@ public class ProfileTest {
|
||||||
Profile.init();
|
Profile.init();
|
||||||
|
|
||||||
Assert.assertEquals("product", Profile.getName());
|
Assert.assertEquals("product", Profile.getName());
|
||||||
assertEquals(Profile.getDisabledFeatures(), Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.DOCKER, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.UPLOAD_SCRIPTS, Profile.Feature.WEB_AUTHN, Profile.Feature.CLIENT_POLICIES, Profile.Feature.CIBA, Profile.Feature.MAP_STORAGE);
|
assertEquals(Profile.getDisabledFeatures(), Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.DOCKER, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.UPLOAD_SCRIPTS, Profile.Feature.WEB_AUTHN, Profile.Feature.CIBA, Profile.Feature.MAP_STORAGE);
|
||||||
assertEquals(Profile.getPreviewFeatures(), Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.WEB_AUTHN, Profile.Feature.CLIENT_POLICIES, Profile.Feature.CIBA);
|
assertEquals(Profile.getPreviewFeatures(), Profile.Feature.ADMIN_FINE_GRAINED_AUTHZ, Profile.Feature.SCRIPTS, Profile.Feature.TOKEN_EXCHANGE, Profile.Feature.OPENSHIFT_INTEGRATION, Profile.Feature.WEB_AUTHN, Profile.Feature.CIBA);
|
||||||
assertEquals(Profile.getDeprecatedFeatures(), Profile.Feature.UPLOAD_SCRIPTS);
|
assertEquals(Profile.getDeprecatedFeatures(), Profile.Feature.UPLOAD_SCRIPTS);
|
||||||
|
|
||||||
Assert.assertTrue(Profile.Feature.WEB_AUTHN.hasDifferentProductType());
|
Assert.assertTrue(Profile.Feature.WEB_AUTHN.hasDifferentProductType());
|
||||||
|
|
|
@ -26,6 +26,8 @@ import org.keycloak.provider.Spi;
|
||||||
*/
|
*/
|
||||||
public class ClientPolicyConditionSpi implements Spi {
|
public class ClientPolicyConditionSpi implements Spi {
|
||||||
|
|
||||||
|
public static final String SPI_NAME = "client-policy-condition";
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean isInternal() {
|
public boolean isInternal() {
|
||||||
return true;
|
return true;
|
||||||
|
@ -33,7 +35,7 @@ public class ClientPolicyConditionSpi implements Spi {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String getName() {
|
public String getName() {
|
||||||
return "client-policy-condition";
|
return SPI_NAME;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
|
@ -26,6 +26,8 @@ import org.keycloak.provider.Spi;
|
||||||
*/
|
*/
|
||||||
public class ClientPolicyExecutorSpi implements Spi {
|
public class ClientPolicyExecutorSpi implements Spi {
|
||||||
|
|
||||||
|
public static final String SPI_NAME = "client-policy-executor";
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public boolean isInternal() {
|
public boolean isInternal() {
|
||||||
return true;
|
return true;
|
||||||
|
@ -33,7 +35,7 @@ public class ClientPolicyExecutorSpi implements Spi {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String getName() {
|
public String getName() {
|
||||||
return "client-policy-executor";
|
return SPI_NAME;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
|
@ -0,0 +1,87 @@
|
||||||
|
/*
|
||||||
|
* Copyright 2021 Red Hat, Inc. and/or its affiliates
|
||||||
|
* and other contributors as indicated by the @author tags.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.keycloak.testsuite.client;
|
||||||
|
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.keycloak.representations.idm.ClientPoliciesRepresentation;
|
||||||
|
import org.keycloak.representations.idm.RealmRepresentation;
|
||||||
|
import org.keycloak.representations.info.ServerInfoRepresentation;
|
||||||
|
import org.keycloak.services.clientpolicy.condition.ClientPolicyConditionSpi;
|
||||||
|
import org.keycloak.services.clientpolicy.condition.ClientUpdaterContextConditionFactory;
|
||||||
|
import org.keycloak.services.clientpolicy.executor.ClientPolicyExecutorSpi;
|
||||||
|
import org.keycloak.services.clientpolicy.executor.SecureResponseTypeExecutorFactory;
|
||||||
|
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
|
||||||
|
import org.keycloak.testsuite.Assert;
|
||||||
|
import org.keycloak.testsuite.arquillian.annotation.DisableFeature;
|
||||||
|
import org.keycloak.testsuite.arquillian.annotation.UncaughtServerErrorExpected;
|
||||||
|
|
||||||
|
import static org.junit.Assert.fail;
|
||||||
|
import static org.keycloak.common.Profile.Feature.CLIENT_POLICIES;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
|
||||||
|
*/
|
||||||
|
public class ClientPoliciesFeatureTest extends AbstractTestRealmKeycloakTest {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void configureTestRealm(RealmRepresentation testRealm) {
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testFeatureWorksWhenEnabled() {
|
||||||
|
checkIfFeatureWorks(true);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
@UncaughtServerErrorExpected
|
||||||
|
@DisableFeature(value = CLIENT_POLICIES, skipRestart = true)
|
||||||
|
public void testFeatureDoesntWorkWhenDisabled() {
|
||||||
|
checkIfFeatureWorks(false);
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check if the feature really works
|
||||||
|
private void checkIfFeatureWorks(boolean shouldWork) {
|
||||||
|
try {
|
||||||
|
ClientPoliciesRepresentation clientPolicies = testRealm().clientPoliciesPoliciesResource().getPolicies();
|
||||||
|
Assert.assertTrue(clientPolicies.getPolicies().isEmpty());
|
||||||
|
if (!shouldWork)
|
||||||
|
fail("Feature is available, but at this moment should be disabled");
|
||||||
|
|
||||||
|
} catch (Exception e) {
|
||||||
|
if (shouldWork) {
|
||||||
|
e.printStackTrace();
|
||||||
|
fail("Feature is not available");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ServerInfoRepresentation serverInfo = adminClient.serverInfo().getInfo();
|
||||||
|
Set<String> executorProviderIds = serverInfo.getProviders().get(ClientPolicyExecutorSpi.SPI_NAME).getProviders().keySet();
|
||||||
|
Set<String> conditionProviderIds = serverInfo.getProviders().get(ClientPolicyConditionSpi.SPI_NAME).getProviders().keySet();
|
||||||
|
|
||||||
|
if (shouldWork) {
|
||||||
|
Assert.assertTrue(executorProviderIds.contains(SecureResponseTypeExecutorFactory.PROVIDER_ID));
|
||||||
|
Assert.assertTrue(conditionProviderIds.contains(ClientUpdaterContextConditionFactory.PROVIDER_ID));
|
||||||
|
} else {
|
||||||
|
Assert.assertFalse(executorProviderIds.contains(SecureResponseTypeExecutorFactory.PROVIDER_ID));
|
||||||
|
Assert.assertFalse(conditionProviderIds.contains(ClientUpdaterContextConditionFactory.PROVIDER_ID));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
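Review bot: The disabled-feature case in `checkIfFeatureWorks` passes on any `Exception`, because the `catch (Exception e)` block does nothing when `shouldWork` is false; a connection failure or a `NullPointerException` on `clientPolicies.getPolicies()` would be read as "feature disabled". The catch should be narrowed to the exception type the admin client raises for a rejected request, with the expected response status asserted, so the test shows the endpoint is refused rather than merely broken. In the enabled case `e.printStackTrace(); fail("Feature is not available");` drops the cause from the test report, whereas `throw new AssertionError("Feature is not available", e);` keeps it. The two `serverInfo.getProviders().get(...)` lookups are dereferenced without a null check, which presumably holds only while both SPIs are still listed when the feature is off.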
@ -24,9 +24,7 @@ import java.io.File;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import org.jboss.arquillian.container.spi.client.container.LifecycleException;
|
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.keycloak.common.Profile;
|
|
||||||
import org.keycloak.exportimport.ExportImportConfig;
|
import org.keycloak.exportimport.ExportImportConfig;
|
||||||
import org.keycloak.exportimport.singlefile.SingleFileExportProviderFactory;
|
import org.keycloak.exportimport.singlefile.SingleFileExportProviderFactory;
|
||||||
import org.keycloak.representations.idm.ClientPoliciesRepresentation;
|
import org.keycloak.representations.idm.ClientPoliciesRepresentation;
|
||||||
|
@ -36,12 +34,10 @@ import org.keycloak.representations.idm.ClientProfilesRepresentation;
|
||||||
import org.keycloak.representations.idm.RealmRepresentation;
|
import org.keycloak.representations.idm.RealmRepresentation;
|
||||||
import org.keycloak.testsuite.Assert;
|
import org.keycloak.testsuite.Assert;
|
||||||
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
|
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
|
||||||
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
|
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
|
||||||
*/
|
*/
|
||||||
@EnableFeature(value = Profile.Feature.CLIENT_POLICIES, skipRestart = true)
|
|
||||||
@AuthServerContainerExclude({REMOTE})
|
@AuthServerContainerExclude({REMOTE})
|
||||||
public class ClientPoliciesImportExportTest extends AbstractClientPoliciesTest {
|
public class ClientPoliciesImportExportTest extends AbstractClientPoliciesTest {
|
||||||
|
|
||||||
|
|
|
@ -49,12 +49,10 @@ import org.keycloak.services.clientpolicy.executor.SecureClientAuthenticatorExec
|
||||||
import org.keycloak.services.clientpolicy.executor.SecureSessionEnforceExecutorFactory;
|
import org.keycloak.services.clientpolicy.executor.SecureSessionEnforceExecutorFactory;
|
||||||
import org.keycloak.testsuite.Assert;
|
import org.keycloak.testsuite.Assert;
|
||||||
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
|
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
|
||||||
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
|
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
|
||||||
*/
|
*/
|
||||||
@EnableFeature(value = Profile.Feature.CLIENT_POLICIES, skipRestart = true)
|
|
||||||
@AuthServerContainerExclude({REMOTE})
|
@AuthServerContainerExclude({REMOTE})
|
||||||
public class ClientPoliciesLoadUpdateTest extends AbstractClientPoliciesTest {
|
public class ClientPoliciesLoadUpdateTest extends AbstractClientPoliciesTest {
|
||||||
|
|
||||||
|
|
|
@ -52,7 +52,6 @@ import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator;
|
||||||
import org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator;
|
import org.keycloak.authentication.authenticators.client.JWTClientSecretAuthenticator;
|
||||||
import org.keycloak.authentication.authenticators.client.X509ClientAuthenticator;
|
import org.keycloak.authentication.authenticators.client.X509ClientAuthenticator;
|
||||||
import org.keycloak.client.registration.ClientRegistrationException;
|
import org.keycloak.client.registration.ClientRegistrationException;
|
||||||
import org.keycloak.common.Profile;
|
|
||||||
import org.keycloak.events.Details;
|
import org.keycloak.events.Details;
|
||||||
import org.keycloak.events.Errors;
|
import org.keycloak.events.Errors;
|
||||||
import org.keycloak.events.EventType;
|
import org.keycloak.events.EventType;
|
||||||
|
@ -98,7 +97,6 @@ import org.keycloak.services.clientpolicy.executor.SecureSigningAlgorithmForSign
|
||||||
import org.keycloak.services.clientpolicy.executor.SecureRequestObjectExecutor;
|
import org.keycloak.services.clientpolicy.executor.SecureRequestObjectExecutor;
|
||||||
import org.keycloak.testsuite.admin.ApiUtil;
|
import org.keycloak.testsuite.admin.ApiUtil;
|
||||||
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
|
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude;
|
||||||
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
|
|
||||||
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
|
import org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer;
|
||||||
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
|
import org.keycloak.testsuite.client.resources.TestApplicationResourceUrls;
|
||||||
import org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject;
|
import org.keycloak.testsuite.rest.resource.TestingOIDCEndpointsApplicationResource.AuthorizationEndpointRequestObject;
|
||||||
|
@ -114,7 +112,6 @@ import org.keycloak.util.JsonSerialization;
|
||||||
/**
|
/**
|
||||||
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
|
* @author <a href="mailto:takashi.norimatsu.ws@hitachi.com">Takashi Norimatsu</a>
|
||||||
*/
|
*/
|
||||||
@EnableFeature(value = Profile.Feature.CLIENT_POLICIES, skipRestart = true)
|
|
||||||
public class ClientPoliciesTest extends AbstractClientPoliciesTest {
|
public class ClientPoliciesTest extends AbstractClientPoliciesTest {
|
||||||
|
|
||||||
private static final Logger logger = Logger.getLogger(ClientPoliciesTest.class);
|
private static final Logger logger = Logger.getLogger(ClientPoliciesTest.class);
|
||||||
|
|