libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

KEYCLOAK-7677 KEYCLOAK-7723 fix version collision of httpclient

Browse source 
Co-authored-by: Pedro Igor <psilva@redhat.com>
This commit is contained in:
vramik 2018-12-07 09:40:37 +01:00 committed by Pedro Igor
parent 7c9f15778a
commit c4a46a5591
36 changed files with 1128 additions and 1161 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
integration/admin-client/src/main/java/org/keycloak/admin/client/Keycloak.java
View file

@ -28,8 +28,6 @@ import org.keycloak.admin.client.resource.ServerInfoResource;
import org.keycloak.admin.client.token.TokenManager; import org.keycloak.admin.client.token.TokenManager;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import java.net.URI; import java.net.URI;
@ -45,13 +43,12 @@ import static org.keycloak.OAuth2Constants.PASSWORD;
* @author rodrigo.sasaki@icarros.com.br * @author rodrigo.sasaki@icarros.com.br
* @see KeycloakBuilder * @see KeycloakBuilder
*/ */
public class Keycloak { public class Keycloak implements AutoCloseable {
private final Config config; private final Config config;
private final TokenManager tokenManager; private final TokenManager tokenManager;
private String authToken; private final String authToken;
private final ResteasyWebTarget target; private final ResteasyWebTarget target;
private final ResteasyClient client; private final ResteasyClient client;
private static final boolean authServerSslRequired = Boolean.parseBoolean(System.getProperty("auth.server.ssl.required"));
Keycloak(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, String grantType, ResteasyClient resteasyClient, String authtoken) { Keycloak(String serverUrl, String realm, String username, String password, String clientId, String clientSecret, String grantType, ResteasyClient resteasyClient, String authtoken) {
config = new Config(serverUrl, realm, username, password, clientId, clientSecret, grantType); config = new Config(serverUrl, realm, username, password, clientId, clientSecret, grantType);
@ -84,20 +81,6 @@ public class Keycloak {
return new Keycloak(serverUrl, realm, username, password, clientId, clientSecret, PASSWORD, clientBuilder.build(), null); return new Keycloak(serverUrl, realm, username, password, clientId, clientSecret, PASSWORD, clientBuilder.build(), null);
} }
private static ResteasyClientBuilder newResteasyClientBuilder() {
if (authServerSslRequired) {
// Disable PKIX path validation errors when running tests using SSL
HostnameVerifier hostnameVerifier = new HostnameVerifier() {
@Override
public boolean verify(String hostName, SSLSession session) {
return true;
}
};
return new ResteasyClientBuilder().disableTrustManager().hostnameVerifier(hostnameVerifier);
}
return new ResteasyClientBuilder();
}
public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId, String clientSecret) { public static Keycloak getInstance(String serverUrl, String realm, String username, String password, String clientId, String clientSecret) {
return new Keycloak(serverUrl, realm, username, password, clientId, clientSecret, PASSWORD, null, null); return new Keycloak(serverUrl, realm, username, password, clientId, clientSecret, PASSWORD, null, null);
} }
@ -142,6 +125,7 @@ public class Keycloak {
/** /**
* Closes the underlying client. After calling this method, this <code>Keycloak</code> instance cannot be reused. * Closes the underlying client. After calling this method, this <code>Keycloak</code> instance cannot be reused.
*/ */
@Override
public void close() { public void close() {
client.close(); client.close();
} }

5
model/jpa/src/main/java/org/keycloak/models/jpa/JpaUserProvider.java
View file

@ -66,6 +66,8 @@ import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import javax.persistence.criteria.Expression;
import javax.persistence.criteria.Path;
/** /**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@ -753,7 +755,8 @@ public class JpaUserProvider implements UserProvider, UserCredentialStore {
List<Predicate> subs = new ArrayList<>(); List<Predicate> subs = new ArrayList<>();
subs.add(builder.like(from1.get("name"), builder.concat("group.resource.", from.get("groupId")))); Expression<String> groupId = from.get("groupId");
subs.add(builder.like(from1.get("name"), builder.concat("group.resource.", groupId)));
subquery1.where(subs.toArray(new Predicate[subs.size()])); subquery1.where(subs.toArray(new Predicate[subs.size()]));

6
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/rest/TestingResourceProvider.java
View file

@ -439,7 +439,7 @@ public class TestingResourceProvider implements RealmResourceProvider {
if (realmId != null) { if (realmId != null) {
query.realm(realmId); query.realm(realmId);
}; }
if (authRealm != null) { if (authRealm != null) {
query.authRealm(authRealm); query.authRealm(authRealm);
@ -548,7 +548,9 @@ public class TestingResourceProvider implements RealmResourceProvider {
@Produces(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON)
public String getSSOCookieValue() { public String getSSOCookieValue() {
Map<String, Cookie> cookies = request.getHttpHeaders().getCookies(); Map<String, Cookie> cookies = request.getHttpHeaders().getCookies();
return cookies.get(AuthenticationManager.KEYCLOAK_IDENTITY_COOKIE).getValue(); Cookie cookie = cookies.get(AuthenticationManager.KEYCLOAK_IDENTITY_COOKIE);
if (cookie == null) return null;
return cookie.getValue();
} }

4
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/ProfileAssume.java
View file

@ -42,13 +42,11 @@ public class ProfileAssume {
boolean adapterCompatTesting = Boolean.parseBoolean(System.getProperty("testsuite.adapter.compat.testing")); boolean adapterCompatTesting = Boolean.parseBoolean(System.getProperty("testsuite.adapter.compat.testing"));
String authServerContextRoot = "http://" + host + ":" + port; String authServerContextRoot = "http://" + host + ":" + port;
try { try (Keycloak adminClient = AdminClientUtil.createAdminClient(adapterCompatTesting, authServerContextRoot)) {
Keycloak adminClient = AdminClientUtil.createAdminClient(adapterCompatTesting, authServerContextRoot);
ProfileInfoRepresentation profileInfo = adminClient.serverInfo().getInfo().getProfileInfo(); ProfileInfoRepresentation profileInfo = adminClient.serverInfo().getInfo().getProfileInfo();
profile = profileInfo.getName(); profile = profileInfo.getName();
List<String> disabled = profileInfo.getDisabledFeatures(); List<String> disabled = profileInfo.getDisabledFeatures();
disabledFeatures = Collections.unmodifiableSet(new HashSet<>(disabled)); disabledFeatures = Collections.unmodifiableSet(new HashSet<>(disabled));
adminClient.close();
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException("Failed to obtain profile / features info from serverinfo endpoint of " + authServerContextRoot, e); throw new RuntimeException("Failed to obtain profile / features info from serverinfo endpoint of " + authServerContextRoot, e);
} }

2
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/arquillian/ModelTestExecutor.java
View file

@ -54,8 +54,8 @@ public class ModelTestExecutor extends LocalTestExecuter {
// Model test - wrap the call inside the // Model test - wrap the call inside the
TestContext ctx = testContext.get(); TestContext ctx = testContext.get();
KeycloakTestingClient testingClient = ctx.getTestingClient(); KeycloakTestingClient testingClient = ctx.getTestingClient();
testingClient.server().runModelTest(testMethod.getDeclaringClass().getName(), testMethod.getName()); testingClient.server().runModelTest(testMethod.getDeclaringClass().getName(), testMethod.getName());
result.setStatus(TestResult.Status.PASSED); result.setStatus(TestResult.Status.PASSED);
} catch (Throwable e) { } catch (Throwable e) {
result.setStatus(TestResult.Status.FAILED); result.setStatus(TestResult.Status.FAILED);

27
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/client/KeycloakTestingClient.java
View file

@ -25,33 +25,29 @@ import org.keycloak.testsuite.client.resources.TestExampleCompanyResource;
import org.keycloak.testsuite.client.resources.TestSamlApplicationResource; import org.keycloak.testsuite.client.resources.TestSamlApplicationResource;
import org.keycloak.testsuite.client.resources.TestingResource; import org.keycloak.testsuite.client.resources.TestingResource;
import org.keycloak.testsuite.runonserver.*; import org.keycloak.testsuite.runonserver.*;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.util.JsonSerialization; import org.keycloak.util.JsonSerialization;
import javax.net.ssl.HostnameVerifier;
/** /**
* @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a> * @author <a href="mailto:mstrukel@redhat.com">Marko Strukelj</a>
*/ */
public class KeycloakTestingClient { public class KeycloakTestingClient implements AutoCloseable {
private final ResteasyWebTarget target; private final ResteasyWebTarget target;
private final ResteasyClient client; private final ResteasyClient client;
private static final boolean authServerSslRequired = Boolean.parseBoolean(System.getProperty("auth.server.ssl.required"));
KeycloakTestingClient(String serverUrl, ResteasyClient resteasyClient) { KeycloakTestingClient(String serverUrl, ResteasyClient resteasyClient) {
client = resteasyClient != null ? resteasyClient : newResteasyClientBuilder().connectionPoolSize(10).build(); if (resteasyClient != null) {
client = resteasyClient;
} else {
ResteasyClientBuilder resteasyClientBuilder = new ResteasyClientBuilder();
resteasyClientBuilder.connectionPoolSize(10);
resteasyClientBuilder.httpEngine(AdminClientUtil.getCustomClientHttpEngine(resteasyClientBuilder, 10));
client = resteasyClientBuilder.build();
}
target = client.target(serverUrl); target = client.target(serverUrl);
} }
private static ResteasyClientBuilder newResteasyClientBuilder() {
if (authServerSslRequired) {
// Disable PKIX path validation errors when running tests using SSL
HostnameVerifier hostnameVerifier = (hostName, session) -> true;
return new ResteasyClientBuilder().disableTrustManager().hostnameVerifier(hostnameVerifier);
}
return new ResteasyClientBuilder();
}
public static KeycloakTestingClient getInstance(String serverUrl) { public static KeycloakTestingClient getInstance(String serverUrl) {
return new KeycloakTestingClient(serverUrl, null); return new KeycloakTestingClient(serverUrl, null);
} }
@ -84,7 +80,7 @@ public class KeycloakTestingClient {
public class Server { public class Server {
private String realm; private final String realm;
public Server(String realm) { public Server(String realm) {
this.realm = realm; this.realm = realm;
@ -150,6 +146,7 @@ public class KeycloakTestingClient {
} }
@Override
public void close() { public void close() {
client.close(); client.close();
} }

66
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/AdminClientUtil.java
View file

@ -28,12 +28,20 @@ import javax.net.ssl.SSLContext;
import com.fasterxml.jackson.databind.DeserializationFeature; import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper; import com.fasterxml.jackson.databind.ObjectMapper;
import javax.net.ssl.HostnameVerifier;
import org.apache.http.HttpHost;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.HttpClientConnectionManager;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.ssl.SSLContexts; import org.apache.http.ssl.SSLContexts;
import org.jboss.resteasy.client.jaxrs.ClientHttpEngine;
import org.jboss.resteasy.client.jaxrs.ClientHttpEngineBuilder43;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider; import org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider;
import org.keycloak.admin.client.Keycloak; import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.models.Constants; import org.keycloak.models.Constants;
import org.keycloak.testsuite.arquillian.AuthServerTestEnricher; import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
import org.keycloak.testsuite.arquillian.SuiteContext;
import static org.keycloak.testsuite.auth.page.AuthRealm.ADMIN; import static org.keycloak.testsuite.auth.page.AuthRealm.ADMIN;
import static org.keycloak.testsuite.auth.page.AuthRealm.MASTER; import static org.keycloak.testsuite.auth.page.AuthRealm.MASTER;
@ -51,29 +59,40 @@ public class AdminClientUtil {
} }
public static Keycloak createAdminClient(boolean ignoreUnknownProperties, String authServerContextRoot, String realmName, String username, String password, String clientId, String clientSecret) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, KeyManagementException { public static Keycloak createAdminClient(boolean ignoreUnknownProperties, String authServerContextRoot, String realmName, String username, String password, String clientId, String clientSecret) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, KeyManagementException {
SSLContext ssl = null; ResteasyClientBuilder resteasyClientBuilder = new ResteasyClientBuilder();
if ("true".equals(System.getProperty("auth.server.ssl.required"))) { if ("true".equals(System.getProperty("auth.server.ssl.required"))) {
File trustore = new File(PROJECT_BUILD_DIRECTORY, "dependency/keystore/keycloak.truststore"); File trustore = new File(PROJECT_BUILD_DIRECTORY, "dependency/keystore/keycloak.truststore");
ssl = getSSLContextWithTrustore(trustore, "secret"); resteasyClientBuilder.sslContext(getSSLContextWithTrustore(trustore, "secret"));
System.setProperty("javax.net.ssl.trustStore", trustore.getAbsolutePath()); System.setProperty("javax.net.ssl.trustStore", trustore.getAbsolutePath());
} }
ResteasyJackson2Provider jacksonProvider = null;
// We need to ignore unknown JSON properties e.g. in the adapter configuration representation // We need to ignore unknown JSON properties e.g. in the adapter configuration representation
// during adapter backward compatibility testing // during adapter backward compatibility testing
if (ignoreUnknownProperties) { if (ignoreUnknownProperties) {
// We need to use anonymous class to avoid the following error from RESTEasy: // We need to use anonymous class to avoid the following error from RESTEasy:
// Provider class org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider is already registered. 2nd registration is being ignored. // Provider class org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider is already registered. 2nd registration is being ignored.
jacksonProvider = new ResteasyJackson2Provider() {}; ResteasyJackson2Provider jacksonProvider = new ResteasyJackson2Provider() {};
ObjectMapper objectMapper = new ObjectMapper(); ObjectMapper objectMapper = new ObjectMapper();
objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
jacksonProvider.setMapper(objectMapper); jacksonProvider.setMapper(objectMapper);
resteasyClientBuilder.register(jacksonProvider, 100);
} }
return Keycloak.getInstance(authServerContextRoot + "/auth", resteasyClientBuilder
realmName, username, password, clientId, clientSecret, ssl, jacksonProvider); .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.WILDCARD)
.connectionPoolSize(10)
.httpEngine(getCustomClientHttpEngine(resteasyClientBuilder, 1));
return KeycloakBuilder.builder()
.serverUrl(authServerContextRoot + "/auth")
.realm(realmName)
.username(username)
.password(password)
.clientId(clientId)
.clientSecret(clientSecret)
.resteasyClient(resteasyClientBuilder.build()).build();
} }
public static Keycloak createAdminClient() throws Exception { public static Keycloak createAdminClient() throws Exception {
@ -95,4 +114,35 @@ public class AdminClientUtil {
return theContext; return theContext;
} }
public static ClientHttpEngine getCustomClientHttpEngine(ResteasyClientBuilder resteasyClientBuilder, int validateAfterInactivity) {
return new CustomClientHttpEngineBuilder43(validateAfterInactivity).resteasyClientBuilder(resteasyClientBuilder).build();
}
/**
* Adds a possibility to pass validateAfterInactivity parameter into underlying ConnectionManager. The parameter affects how
* long the connection is being used without testing if it became stale, default value is 2000ms
*/
private static class CustomClientHttpEngineBuilder43 extends ClientHttpEngineBuilder43 {
private final int validateAfterInactivity;
private CustomClientHttpEngineBuilder43(int validateAfterInactivity) {
this.validateAfterInactivity = validateAfterInactivity;
}
@Override
protected ClientHttpEngine createEngine(final HttpClientConnectionManager cm, final RequestConfig.Builder rcBuilder,
final HttpHost defaultProxy, final int responseBufferSize, final HostnameVerifier verifier, final SSLContext theContext) {
if (cm instanceof PoolingHttpClientConnectionManager) {
PoolingHttpClientConnectionManager pcm = (PoolingHttpClientConnectionManager) cm;
pcm.setValidateAfterInactivity(validateAfterInactivity);
return super.createEngine(pcm, rcBuilder, defaultProxy, responseBufferSize, verifier, theContext);
} else {
return super.createEngine(cm, rcBuilder, defaultProxy, responseBufferSize, verifier, theContext);
}
}
}
} }

10
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/ContainerAssume.java
View file

@ -38,16 +38,6 @@ public class ContainerAssume {
AuthServerTestEnricher.AUTH_SERVER_CLUSTER_PROPERTY), AuthServerTestEnricher.AUTH_SERVER_CLUSTER); AuthServerTestEnricher.AUTH_SERVER_CLUSTER_PROPERTY), AuthServerTestEnricher.AUTH_SERVER_CLUSTER);
} }
public static void assumeNotAppServerUndertow() {
log.warn("TODO: Not stable on app-server-undertow. "
+ "It throws: KC-SERVICES0057: Logout for client '${CLIENT_NAME}' failed\n"
+ "org.apache.http.NoHttpResponseException: localhost:8280 failed to respond");
Assume.assumeFalse("Not stable on app-server-undertow. "
+ "It throws: KC-SERVICES0057: Logout for client '${CLIENT_NAME}' failed\n"
+ "org.apache.http.NoHttpResponseException: localhost:8280 failed to respond",
System.getProperty("app.server", "undertow").equals("undertow"));
}
public static void assumeNotAppServerFuse6() { public static void assumeNotAppServerFuse6() {
Assume.assumeFalse("The test doesn't work on " + fuse6, fuse6.equals(System.getProperty("app.server"))); Assume.assumeFalse("The test doesn't work on " + fuse6, fuse6.equals(System.getProperty("app.server")));
} }

3
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/OAuthClient.java
View file

@ -71,6 +71,7 @@ import java.io.UnsupportedEncodingException;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.nio.charset.Charset; import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.PublicKey; import java.security.PublicKey;
import java.util.Collections; import java.util.Collections;
@ -725,7 +726,7 @@ public class OAuthClient {
public Map<String, String> getCurrentQuery() { public Map<String, String> getCurrentQuery() {
Map<String, String> m = new HashMap<>(); Map<String, String> m = new HashMap<>();
List<NameValuePair> pairs = URLEncodedUtils.parse(getCurrentUri(), Charset.forName("UTF-8")); List<NameValuePair> pairs = URLEncodedUtils.parse(getCurrentUri(), "UTF-8");
for (NameValuePair p : pairs) { for (NameValuePair p : pairs) {
m.put(p.getName(), p.getValue()); m.put(p.getName(), p.getValue());
} }

3
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/SamlClient.java
View file

@ -49,7 +49,6 @@ import javax.ws.rs.core.Response;
import java.io.IOException; import java.io.IOException;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.net.URI; import java.net.URI;
import java.nio.charset.Charset;
import java.security.PrivateKey; import java.security.PrivateKey;
import java.security.PublicKey; import java.security.PublicKey;
import java.util.Arrays; import java.util.Arrays;
@ -296,7 +295,7 @@ public class SamlClient {
* @return * @return
*/ */
public static SAMLDocumentHolder extractSamlResponseFromRedirect(String responseUri) { public static SAMLDocumentHolder extractSamlResponseFromRedirect(String responseUri) {
List<NameValuePair> params = URLEncodedUtils.parse(URI.create(responseUri), Charset.forName("UTF-8")); List<NameValuePair> params = URLEncodedUtils.parse(URI.create(responseUri), "UTF-8");
String samlDoc = null; String samlDoc = null;
for (NameValuePair param : params) { for (NameValuePair param : params) {

4
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/TokenSignatureUtil.java
View file

@ -100,10 +100,10 @@ public class TokenSignatureUtil {
rep.getConfig().putSingle("priority", Long.toString(priority)); rep.getConfig().putSingle("priority", Long.toString(priority));
rep.getConfig().putSingle(ECDSA_ELLIPTIC_CURVE_KEY, ecNistRep); rep.getConfig().putSingle(ECDSA_ELLIPTIC_CURVE_KEY, ecNistRep);
Response response = adminClient.realm(realm).components().add(rep); try (Response response = adminClient.realm(realm).components().add(rep)) {
String id = ApiUtil.getCreatedId(response); String id = ApiUtil.getCreatedId(response);
testContext.getOrCreateCleanup(realm).addComponentId(id); testContext.getOrCreateCleanup(realm).addComponentId(id);
response.close(); }
} }
private static ComponentRepresentation createKeyRep(String name, String providerId) { private static ComponentRepresentation createKeyRep(String name, String providerId) {

3
testsuite/integration-arquillian/tests/base/src/main/java/org/keycloak/testsuite/util/saml/ModifySamlResponseStepBuilder.java
View file

@ -26,7 +26,6 @@ import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.nio.charset.Charset;
import java.util.Iterator; import java.util.Iterator;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
@ -126,7 +125,7 @@ public class ModifySamlResponseStepBuilder extends SamlDocumentStepBuilder<SAML2
String location = currentResponse.getFirstHeader("Location").getValue(); String location = currentResponse.getFirstHeader("Location").getValue();
URI locationUri = URI.create(location); URI locationUri = URI.create(location);
List<NameValuePair> params = URLEncodedUtils.parse(locationUri, Charset.forName("UTF-8")); List<NameValuePair> params = URLEncodedUtils.parse(locationUri, "UTF-8");
for (Iterator<NameValuePair> it = params.iterator(); it.hasNext();) { for (Iterator<NameValuePair> it = params.iterator(); it.hasNext();) {
NameValuePair param = it.next(); NameValuePair param = it.next();
if ("SAMLResponse".equals(param.getName()) || "SAMLRequest".equals(param.getName())) { if ("SAMLResponse".equals(param.getName()) || "SAMLRequest".equals(param.getName())) {

8
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/example/authorization/AbstractPhotozExampleAdapterTest.java
View file

@ -20,7 +20,6 @@ import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder; import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.LaxRedirectStrategy; import org.apache.http.impl.client.LaxRedirectStrategy;
import org.hamcrest.CoreMatchers;
import org.jboss.arquillian.container.test.api.Deployer; import org.jboss.arquillian.container.test.api.Deployer;
import org.jboss.arquillian.graphene.page.Page; import org.jboss.arquillian.graphene.page.Page;
import org.jboss.arquillian.test.api.ArquillianResource; import org.jboss.arquillian.test.api.ArquillianResource;
@ -52,7 +51,6 @@ import org.keycloak.testsuite.adapter.page.PhotozClientAuthzTestApp;
import org.keycloak.testsuite.admin.ApiUtil; import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.arquillian.AppServerTestEnricher; import org.keycloak.testsuite.arquillian.AppServerTestEnricher;
import org.keycloak.testsuite.auth.page.login.OAuthGrant; import org.keycloak.testsuite.auth.page.login.OAuthGrant;
import org.keycloak.testsuite.util.ContainerAssume;
import org.keycloak.testsuite.util.DroneUtils; import org.keycloak.testsuite.util.DroneUtils;
import org.keycloak.testsuite.util.JavascriptBrowser; import org.keycloak.testsuite.util.JavascriptBrowser;
import org.keycloak.testsuite.util.javascript.JavascriptTestExecutorWithAuthorization; import org.keycloak.testsuite.util.javascript.JavascriptTestExecutorWithAuthorization;
@ -227,8 +225,6 @@ public abstract class AbstractPhotozExampleAdapterTest extends AbstractPhotozJav
@Test @Test
public void testOnlyOwnerCanDeleteAlbum() throws Exception { public void testOnlyOwnerCanDeleteAlbum() throws Exception {
ContainerAssume.assumeNotAppServerUndertow();
loginToClientPage(aliceUser); loginToClientPage(aliceUser);
clientPage.createAlbum(ALICE_ALBUM_NAME); clientPage.createAlbum(ALICE_ALBUM_NAME);
@ -301,8 +297,6 @@ public abstract class AbstractPhotozExampleAdapterTest extends AbstractPhotozJav
@Test @Test
public void testAdminWithoutPermissionsToTypedResource() throws Exception { public void testAdminWithoutPermissionsToTypedResource() throws Exception {
ContainerAssume.assumeNotAppServerUndertow();
loginToClientPage(aliceUser); loginToClientPage(aliceUser);
clientPage.createAlbum(ALICE_ALBUM_NAME); clientPage.createAlbum(ALICE_ALBUM_NAME);
@ -538,8 +532,6 @@ public abstract class AbstractPhotozExampleAdapterTest extends AbstractPhotozJav
@Test @Test
public void testInheritPermissionFromResourceParent() throws Exception { public void testInheritPermissionFromResourceParent() throws Exception {
ContainerAssume.assumeNotAppServerUndertow();
loginToClientPage(aliceUser); loginToClientPage(aliceUser);
final String RESOURCE_NAME = "My-Resource-Instance"; final String RESOURCE_NAME = "My-Resource-Instance";

5
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/DemoServletsAdapterTest.java
View file

@ -20,14 +20,11 @@ import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set; import java.util.Set;
import java.util.concurrent.TimeUnit; import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import java.util.stream.Stream; import java.util.stream.Stream;
import javax.ws.rs.client.Client; import javax.ws.rs.client.Client;
@ -783,7 +780,7 @@ public class DemoServletsAdapterTest extends AbstractServletsAdapterTest {
private static Map<String, String> getQueryFromUrl(String url) { private static Map<String, String> getQueryFromUrl(String url) {
try { try {
return URLEncodedUtils.parse(new URI(url), StandardCharsets.UTF_8).stream() return URLEncodedUtils.parse(new URI(url), "UTF-8").stream()
.collect(Collectors.toMap(p -> p.getName(), p -> p.getValue())); .collect(Collectors.toMap(p -> p.getName(), p -> p.getValue()));
} catch (URISyntaxException e) { } catch (URISyntaxException e) {
return null; return null;

3
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/SessionServletAdapterTest.java
View file

@ -35,7 +35,6 @@ import org.keycloak.testsuite.auth.page.account.Sessions;
import org.keycloak.testsuite.auth.page.login.Login; import org.keycloak.testsuite.auth.page.login.Login;
import org.keycloak.testsuite.arquillian.annotation.AppServerContainer; import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
import org.keycloak.testsuite.arquillian.containers.ContainerConstants; import org.keycloak.testsuite.arquillian.containers.ContainerConstants;
import org.keycloak.testsuite.util.ContainerAssume;
import org.keycloak.testsuite.util.SecondBrowser; import org.keycloak.testsuite.util.SecondBrowser;
import org.openqa.selenium.By; import org.openqa.selenium.By;
import org.openqa.selenium.WebDriver; import org.openqa.selenium.WebDriver;
@ -129,7 +128,6 @@ public class SessionServletAdapterTest extends AbstractServletsAdapterTest {
//KEYCLOAK-741 //KEYCLOAK-741
@Test @Test
public void testSessionInvalidatedAfterFailedRefresh() { public void testSessionInvalidatedAfterFailedRefresh() {
ContainerAssume.assumeNotAppServerUndertow();
RealmRepresentation testRealmRep = testRealmResource().toRepresentation(); RealmRepresentation testRealmRep = testRealmResource().toRepresentation();
ClientResource sessionPortalRes = null; ClientResource sessionPortalRes = null;
for (ClientRepresentation clientRep : testRealmResource().clients().findAll()) { for (ClientRepresentation clientRep : testRealmResource().clients().findAll()) {
@ -187,7 +185,6 @@ public class SessionServletAdapterTest extends AbstractServletsAdapterTest {
//KEYCLOAK-1216 //KEYCLOAK-1216
@Test @Test
public void testAccountManagementSessionsLogout() { public void testAccountManagementSessionsLogout() {
ContainerAssume.assumeNotAppServerUndertow();
// login as bburke // login as bburke
loginAndCheckSession(testRealmLoginPage); loginAndCheckSession(testRealmLoginPage);
testRealmSessions.navigateTo(); testRealmSessions.navigateTo();

3
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/UserStorageConsentTest.java
View file

@ -55,7 +55,6 @@ import org.keycloak.testsuite.auth.page.login.PageWithLoginUrl;
import org.keycloak.testsuite.federation.UserMapStorageFactory; import org.keycloak.testsuite.federation.UserMapStorageFactory;
import org.keycloak.testsuite.pages.ConsentPage; import org.keycloak.testsuite.pages.ConsentPage;
import org.keycloak.testsuite.runonserver.RunOnServerDeployment; import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
import org.keycloak.testsuite.util.ContainerAssume;
import static org.keycloak.testsuite.arquillian.DeploymentTargetModifier.AUTH_SERVER_CURRENT; import static org.keycloak.testsuite.arquillian.DeploymentTargetModifier.AUTH_SERVER_CURRENT;
import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlEquals; import static org.keycloak.testsuite.util.URLAssert.assertCurrentUrlEquals;
@ -150,8 +149,6 @@ public class UserStorageConsentTest extends AbstractServletsAdapterTest {
*/ */
@Test @Test
public void testLogin() throws Exception { public void testLogin() throws Exception {
ContainerAssume.assumeNotAppServerUndertow();
testingClient.server().run(UserStorageConsentTest::setupConsent); testingClient.server().run(UserStorageConsentTest::setupConsent);
UserRepresentation memuser = new UserRepresentation(); UserRepresentation memuser = new UserRepresentation();
memuser.setUsername("memuser"); memuser.setUsername("memuser");

4
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/AdminSignatureAlgorithmTest.java
View file

@ -50,8 +50,7 @@ public class AdminSignatureAlgorithmTest extends AbstractKeycloakTest {
TokenSignatureUtil.registerKeyProvider("master", "P-256", adminClient, testContext); TokenSignatureUtil.registerKeyProvider("master", "P-256", adminClient, testContext);
TokenSignatureUtil.changeRealmTokenSignatureProvider("master", adminClient, Algorithm.ES256); TokenSignatureUtil.changeRealmTokenSignatureProvider("master", adminClient, Algorithm.ES256);
Keycloak adminClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), suiteContext.getAuthServerInfo().getContextRoot().toString()); try (Keycloak adminClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), suiteContext.getAuthServerInfo().getContextRoot().toString())) {
AccessTokenResponse accessToken = adminClient.tokenManager().getAccessToken(); AccessTokenResponse accessToken = adminClient.tokenManager().getAccessToken();
TokenVerifier<AccessToken> verifier = TokenVerifier.create(accessToken.getToken(), AccessToken.class); TokenVerifier<AccessToken> verifier = TokenVerifier.create(accessToken.getToken(), AccessToken.class);
assertEquals(Algorithm.ES256, verifier.getHeader().getAlgorithm().name()); assertEquals(Algorithm.ES256, verifier.getHeader().getAlgorithm().name());
@ -64,5 +63,6 @@ public class AdminSignatureAlgorithmTest extends AbstractKeycloakTest {
assertNotNull(jsonNode.get("realm")); assertNotNull(jsonNode.get("realm"));
assertNotNull(jsonNode.get("userId")); assertNotNull(jsonNode.get("userId"));
} }
}
} }

122
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java
View file

@ -427,8 +427,8 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
// test configure client // test configure client
{ {
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), try (Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "clientConfigurer", "password", Constants.ADMIN_CLI_CLIENT_ID, null); TEST, "clientConfigurer", "password", Constants.ADMIN_CLI_CLIENT_ID, null)) {
client.setAdminUrl("http://nowhere"); client.setAdminUrl("http://nowhere");
realmClient.realm(TEST).clients().get(client.getId()).update(client); realmClient.realm(TEST).clients().get(client.getId()).update(client);
client.setFullScopeAllowed(true); client.setFullScopeAllowed(true);
@ -458,11 +458,13 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
} }
} }
}
// test illegal impersonation // test illegal impersonation
if (!IMPERSONATION_DISABLED) { if (!IMPERSONATION_DISABLED) {
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "nomap-admin", "password", Constants.ADMIN_CLI_CLIENT_ID, null); TEST, "nomap-admin", "password", Constants.ADMIN_CLI_CLIENT_ID, null);
try {
realmClient.realm(TEST).users().get(user1.getId()).impersonate(); realmClient.realm(TEST).users().get(user1.getId()).impersonate();
realmClient.close(); // just in case of cookie settings realmClient.close(); // just in case of cookie settings
realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
@ -472,42 +474,16 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(403, e.getResponse().getStatus()); Assert.assertEquals(403, e.getResponse().getStatus());
} }
} finally {
}
{
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "authorized", "password", Constants.ADMIN_CLI_CLIENT_ID, null);
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet);
List<RoleRepresentation> roles = adminClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().listAll();
Assert.assertTrue(roles.stream().anyMatch((r) -> {
return r.getName().equals("realm-role");
}));
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().remove(realmRoleSet);
roles = adminClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().listAll();
Assert.assertTrue(roles.stream().noneMatch((r) -> {
return r.getName().equals("realm-role");
}));
realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).add(clientRoleSet);
roles = adminClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).listAll();
Assert.assertTrue(roles.stream().anyMatch((r) -> {
return r.getName().equals("client-role");
}));
realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).remove(clientRoleSet);
roles = adminClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).listAll();
Assert.assertTrue(roles.stream().noneMatch((r) -> {
return r.getName().equals("client-role");
}));
realmClient.close(); realmClient.close();
} }
}
{ {
Keycloak realmClient= AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), try (Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "authorizedComposite", "password", Constants.ADMIN_CLI_CLIENT_ID, null); TEST, "authorized", "password", Constants.ADMIN_CLI_CLIENT_ID, null)) {
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet); realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet);
List<RoleRepresentation> roles = adminClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().listAll(); List<RoleRepresentation> roles = adminClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().listAll();
Assert.assertTrue(roles.stream().anyMatch((r) -> { Assert.assertTrue(roles.stream().anyMatch((r) -> {
@ -530,35 +506,58 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
return r.getName().equals("client-role"); return r.getName().equals("client-role");
})); }));
} }
}
{ {
Keycloak realmClient= AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), try (Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "unauthorized", "password", Constants.ADMIN_CLI_CLIENT_ID, null); TEST, "authorizedComposite", "password", Constants.ADMIN_CLI_CLIENT_ID, null)) {
try { realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet);
List<RoleRepresentation> roles = adminClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().listAll();
Assert.assertTrue(roles.stream().anyMatch((r) -> {
return r.getName().equals("realm-role");
}));
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().remove(realmRoleSet);
roles = adminClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().listAll();
Assert.assertTrue(roles.stream().noneMatch((r) -> {
return r.getName().equals("realm-role");
}));
realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).add(clientRoleSet);
roles = adminClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).listAll();
Assert.assertTrue(roles.stream().anyMatch((r) -> {
return r.getName().equals("client-role");
}));
realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).remove(clientRoleSet);
roles = adminClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).listAll();
Assert.assertTrue(roles.stream().noneMatch((r) -> {
return r.getName().equals("client-role");
}));
}
}
{
try (Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "unauthorized", "password", Constants.ADMIN_CLI_CLIENT_ID, null)) {
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet); realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(403, e.getResponse().getStatus()); Assert.assertEquals(403, e.getResponse().getStatus());
} }
} }
{ {
Keycloak realmClient= AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), try (Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "unauthorizedMapper", "password", Constants.ADMIN_CLI_CLIENT_ID, null); TEST, "unauthorizedMapper", "password", Constants.ADMIN_CLI_CLIENT_ID, null)) {
try {
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet); realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(403, e.getResponse().getStatus()); Assert.assertEquals(403, e.getResponse().getStatus());
} }
} }
{ {
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), try (Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "groupManager", "password", Constants.ADMIN_CLI_CLIENT_ID, null); TEST, "groupManager", "password", Constants.ADMIN_CLI_CLIENT_ID, null)) {
List<RoleRepresentation> roles = null;
realmClient.realm(TEST).users().get(groupMember.getId()).roles().clientLevel(client.getId()).add(clientRoleSet); realmClient.realm(TEST).users().get(groupMember.getId()).roles().clientLevel(client.getId()).add(clientRoleSet);
roles = realmClient.realm(TEST).users().get(groupMember.getId()).roles().clientLevel(client.getId()).listAll(); List<RoleRepresentation> roles = realmClient.realm(TEST).users().get(groupMember.getId()).roles().clientLevel(client.getId()).listAll();
Assert.assertTrue(roles.stream().anyMatch((r) -> { Assert.assertTrue(roles.stream().anyMatch((r) -> {
return r.getName().equals("client-role"); return r.getName().equals("client-role");
})); }));
@ -573,25 +572,22 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(403, e.getResponse().getStatus()); Assert.assertEquals(403, e.getResponse().getStatus());
} }
try { try {
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet); realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(403, e.getResponse().getStatus()); Assert.assertEquals(403, e.getResponse().getStatus());
} }
}
} }
// test client.mapRoles // test client.mapRoles
{ {
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), try (Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "clientMapper", "password", Constants.ADMIN_CLI_CLIENT_ID, null); TEST, "clientMapper", "password", Constants.ADMIN_CLI_CLIENT_ID, null)) {
List<RoleRepresentation> roles = null; List<RoleRepresentation> roles = realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).listAll();
roles = realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).listAll();
Assert.assertTrue(roles.isEmpty()); Assert.assertTrue(roles.isEmpty());
realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).add(clientRoleSet); realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).add(clientRoleSet);
roles = realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).listAll(); roles = realmClient.realm(TEST).users().get(user1.getId()).roles().clientLevel(client.getId()).listAll();
@ -605,15 +601,15 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(403, e.getResponse().getStatus()); Assert.assertEquals(403, e.getResponse().getStatus());
}
} }
} }
// KEYCLOAK-5878 // KEYCLOAK-5878
{ {
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), try (Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "groupViewer", "password", Constants.ADMIN_CLI_CLIENT_ID, null); TEST, "groupViewer", "password", Constants.ADMIN_CLI_CLIENT_ID, null)) {
// Should only return the list of users that belong to "top" group // Should only return the list of users that belong to "top" group
List<UserRepresentation> queryUsers = realmClient.realm(TEST).users().list(); List<UserRepresentation> queryUsers = realmClient.realm(TEST).users().list();
Assert.assertEquals(queryUsers.size(), 1); Assert.assertEquals(queryUsers.size(), 1);
@ -623,6 +619,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
} }
} }
} }
}
@Test @Test
public void testMasterRealm() throws Exception { public void testMasterRealm() throws Exception {
@ -645,7 +642,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
{ {
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting()); try (Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting())) {
realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet); realmClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().add(realmRoleSet);
List<RoleRepresentation> roles = adminClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().listAll(); List<RoleRepresentation> roles = adminClient.realm(TEST).users().get(user1.getId()).roles().realmLevel().listAll();
Assert.assertTrue(roles.stream().anyMatch((r) -> { Assert.assertTrue(roles.stream().anyMatch((r) -> {
@ -667,7 +664,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
Assert.assertTrue(roles.stream().noneMatch((r) -> { Assert.assertTrue(roles.stream().noneMatch((r) -> {
return r.getName().equals("client-role"); return r.getName().equals("client-role");
})); }));
realmClient.close(); }
} }
} }
@ -706,9 +703,8 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
public void testRealmWithComposites() throws Exception { public void testRealmWithComposites() throws Exception {
testingClient.server().run(FineGrainAdminUnitTest::setup5152); testingClient.server().run(FineGrainAdminUnitTest::setup5152);
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), try (Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "realm-admin", "password", Constants.ADMIN_CLI_CLIENT_ID, null); TEST, "realm-admin", "password", Constants.ADMIN_CLI_CLIENT_ID, null)) {
RoleRepresentation composite = new RoleRepresentation(); RoleRepresentation composite = new RoleRepresentation();
composite.setName("composite"); composite.setName("composite");
composite.setComposite(true); composite.setComposite(true);
@ -722,6 +718,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
composites.add(viewUsers); composites.add(viewUsers);
realmClient.realm(TEST).rolesById().addComposites(composite.getId(), composites); realmClient.realm(TEST).rolesById().addComposites(composite.getId(), composites);
} }
}
// testRestEvaluationMasterRealm // testRestEvaluationMasterRealm
// testRestEvaluationMasterAdminTestRealm // testRestEvaluationMasterAdminTestRealm
@ -785,7 +782,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
"master", "admin", "admin", "fullScopedClient", "618268aa-51e6-4e64-93c4-3c0bc65b8171"); "master", "admin", "admin", "fullScopedClient", "618268aa-51e6-4e64-93c4-3c0bc65b8171");
try {
RealmRepresentation newRealm=new RealmRepresentation(); RealmRepresentation newRealm=new RealmRepresentation();
newRealm.setRealm("anotherRealm"); newRealm.setRealm("anotherRealm");
newRealm.setId("anotherRealm"); newRealm.setId("anotherRealm");
@ -794,7 +791,6 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
ClientRepresentation newClient = new ClientRepresentation(); ClientRepresentation newClient = new ClientRepresentation();
try {
newClient.setName("newClient"); newClient.setName("newClient");
newClient.setClientId("newClient"); newClient.setClientId("newClient");
newClient.setFullScopeAllowed(true); newClient.setFullScopeAllowed(true);
@ -812,7 +808,7 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
Assert.assertEquals(201, response.getStatus()); Assert.assertEquals(201, response.getStatus());
} finally { } finally {
adminClient.realm("anotherRealm").remove(); adminClient.realm("anotherRealm").remove();
realmClient.close();
} }

220
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/IllegalAdminUpgradeTest.java
View file

@ -21,37 +21,30 @@ import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Test; import org.junit.Test;
import org.keycloak.admin.client.Keycloak; import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.authorization.model.Policy;
import org.keycloak.authorization.model.ResourceServer;
import org.keycloak.models.AdminRoles; import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientModel; import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants; import org.keycloak.models.Constants;
import org.keycloak.models.GroupModel;
import org.keycloak.models.ImpersonationConstants; import org.keycloak.models.ImpersonationConstants;
import org.keycloak.models.KeycloakSession; import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel; import org.keycloak.models.RoleModel;
import org.keycloak.models.UserCredentialModel; import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.RoleRepresentation; import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.representations.idm.authorization.UserPolicyRepresentation;
import org.keycloak.services.resources.admin.permissions.AdminPermissionManagement;
import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.testsuite.AbstractKeycloakTest; import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.runonserver.RunOnServerDeployment; import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
import org.keycloak.testsuite.util.AdminClientUtil; import org.keycloak.testsuite.util.AdminClientUtil;
import javax.ws.rs.ClientErrorException; import javax.ws.rs.ClientErrorException;
import java.util.HashSet; import javax.ws.rs.core.Response;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Set;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is;
import static org.keycloak.testsuite.auth.page.AuthRealm.TEST; import static org.keycloak.testsuite.auth.page.AuthRealm.TEST;
/** /**
@ -76,6 +69,7 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
testRealms.add(testRealmRep); testRealms.add(testRealmRep);
} }
@Override
protected boolean isImportAfterEachMethod() { protected boolean isImportAfterEachMethod() {
return true; return true;
} }
@ -172,16 +166,16 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
{ {
ClientRepresentation client = realmAdminClient; ClientRepresentation client = realmAdminClient;
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), try (Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
TEST, "userAdmin", "password", Constants.ADMIN_CLI_CLIENT_ID, null); TEST, "userAdmin", "password", Constants.ADMIN_CLI_CLIENT_ID, null)) {
roles.clear(); roles.clear();
roles.add(realmManageAuthorization); roles.add(realmManageAuthorization);
try { try {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -190,8 +184,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -200,8 +194,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -210,8 +204,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -220,8 +214,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -230,8 +224,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -240,8 +234,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -250,8 +244,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -260,8 +254,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -270,8 +264,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -280,8 +274,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -290,8 +284,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -318,22 +312,21 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
roles.add(realmQueryClients); roles.add(realmQueryClients);
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).remove(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).remove(roles);
}
realmClient.close();
} }
// test master user with manage_users can't assign realm's admin roles // test master user with manage_users can't assign realm's admin roles
{ {
ClientRepresentation client = realmAdminClient; ClientRepresentation client = realmAdminClient;
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), try (Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
"master", "userAdmin", "password", Constants.ADMIN_CLI_CLIENT_ID, null); "master", "userAdmin", "password", Constants.ADMIN_CLI_CLIENT_ID, null)) {
roles.clear(); roles.clear();
roles.add(realmManageAuthorization); roles.add(realmManageAuthorization);
try { try {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -342,8 +335,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -352,8 +345,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -362,8 +355,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -372,8 +365,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -382,8 +375,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -392,8 +385,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -402,8 +395,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -412,8 +405,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -422,8 +415,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -432,8 +425,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -442,8 +435,8 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
@ -470,180 +463,163 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
roles.add(realmQueryClients); roles.add(realmQueryClients);
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).remove(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).remove(roles);
}
realmClient.close();
} }
// test master manageUsers only admin can do with master realm admin roles // test master manageUsers only admin can do with master realm admin roles
{ {
ClientRepresentation client = masterClient; ClientRepresentation client = masterClient;
Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(), try (Keycloak realmClient = AdminClientUtil.createAdminClient(suiteContext.isAdapterCompatTesting(),
"master", "masterAdmin", "password", Constants.ADMIN_CLI_CLIENT_ID, null); "master", "masterAdmin", "password", Constants.ADMIN_CLI_CLIENT_ID, null)) {
roles.clear(); roles.clear();
roles.add(masterManageAuthorization); roles.add(masterManageAuthorization);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterViewAuthorization); roles.add(masterViewAuthorization);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterManageClients); roles.add(masterManageClients);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterViewClients); roles.add(masterViewClients);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterManageEvents); roles.add(masterManageEvents);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterViewEvents); roles.add(masterViewEvents);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterManageIdentityProviders); roles.add(masterManageIdentityProviders);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterViewIdentityProviders); roles.add(masterViewIdentityProviders);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterManageRealm); roles.add(masterManageRealm);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterViewRealm); roles.add(masterViewRealm);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterImpersonate); roles.add(masterImpersonate);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterManageUsers); roles.add(masterManageUsers);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterViewUsers); roles.add(masterViewUsers);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterQueryUsers); roles.add(masterQueryUsers);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterQueryGroups); roles.add(masterQueryGroups);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
} }
roles.clear(); roles.clear();
roles.add(masterQueryClients); roles.add(masterQueryClients);
try { try {
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
Assert.fail("should fail with forbidden exception"); Assert.fail("should fail with forbidden exception");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertEquals(e.getResponse().getStatus(), 403); Assert.assertThat(Response.Status.fromStatusCode(e.getResponse().getStatus()),
is(equalTo(Response.Status.FORBIDDEN)));
}
} }
realmClient.close();
} }
// test master admin can add all admin roles in realm // test master admin can add all admin roles in realm
{ {
ClientRepresentation client = realmAdminClient; ClientRepresentation client = realmAdminClient;
Keycloak realmClient = AdminClientUtil.createAdminClient(); try (Keycloak realmClient = AdminClientUtil.createAdminClient()) {
roles.clear(); roles.clear();
roles.add(realmManageAuthorization); roles.add(realmManageAuthorization);
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
@ -726,13 +702,12 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
roles.add(realmQueryClients); roles.add(realmQueryClients);
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).add(roles);
realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).remove(roles); realmClient.realm(TEST).users().get(realmUser.getId()).roles().clientLevel(client.getId()).remove(roles);
}
realmClient.close();
} }
// test that "admin" in master realm can assign all roles of master realm realm client admin roles // test that "admin" in master realm can assign all roles of master realm realm client admin roles
{ {
ClientRepresentation client = masterClient; ClientRepresentation client = masterClient;
Keycloak realmClient = AdminClientUtil.createAdminClient(); try (Keycloak realmClient = AdminClientUtil.createAdminClient()) {
roles.clear(); roles.clear();
roles.add(masterManageAuthorization); roles.add(masterManageAuthorization);
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
@ -815,8 +790,7 @@ public class IllegalAdminUpgradeTest extends AbstractKeycloakTest {
roles.add(masterQueryClients); roles.add(masterQueryClients);
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).add(roles);
realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).remove(roles); realmClient.realm("master").users().get(masterUser.getId()).roles().clientLevel(client.getId()).remove(roles);
}
realmClient.close();
} }
} }

76
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/ImpersonationTest.java
View file

@ -44,9 +44,9 @@ import org.keycloak.testsuite.AbstractKeycloakTest;
import org.keycloak.testsuite.AssertEvents; import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.arquillian.AuthServerTestEnricher; import org.keycloak.testsuite.arquillian.AuthServerTestEnricher;
import org.keycloak.testsuite.auth.page.AuthRealm; import org.keycloak.testsuite.auth.page.AuthRealm;
import org.keycloak.testsuite.client.KeycloakTestingClient;
import org.keycloak.testsuite.pages.AppPage; import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.LoginPage; import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.util.AdminClientUtil;
import org.keycloak.testsuite.util.ClientBuilder; import org.keycloak.testsuite.util.ClientBuilder;
import org.keycloak.testsuite.util.CredentialBuilder; import org.keycloak.testsuite.util.CredentialBuilder;
import org.keycloak.testsuite.util.OAuthClient; import org.keycloak.testsuite.util.OAuthClient;
@ -54,6 +54,9 @@ import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.UserBuilder; import org.keycloak.testsuite.util.UserBuilder;
import javax.ws.rs.ClientErrorException; import javax.ws.rs.ClientErrorException;
import javax.ws.rs.client.Client;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.NewCookie;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
@ -62,6 +65,8 @@ import org.junit.Assume;
import org.junit.BeforeClass; import org.junit.BeforeClass;
import org.openqa.selenium.Cookie; import org.openqa.selenium.Cookie;
import static org.hamcrest.Matchers.containsString;
/** /**
* Tests Undertow Adapter * Tests Undertow Adapter
* *
@ -115,9 +120,10 @@ public class ImpersonationTest extends AbstractKeycloakTest {
@Test @Test
public void testImpersonateByMasterImpersonator() { public void testImpersonateByMasterImpersonator() {
Response response = adminClient.realm("master").users().create(UserBuilder.create().username("master-impersonator").build()); String userId;
String userId = ApiUtil.getCreatedId(response); try (Response response = adminClient.realm("master").users().create(UserBuilder.create().username("master-impersonator").build())) {
response.close(); userId = ApiUtil.getCreatedId(response);
}
UserResource user = adminClient.realm("master").users().get(userId); UserResource user = adminClient.realm("master").users().get(userId);
user.resetPassword(CredentialBuilder.create().password("password").build()); user.resetPassword(CredentialBuilder.create().password("password").build());
@ -153,9 +159,10 @@ public class ImpersonationTest extends AbstractKeycloakTest {
@Test @Test
public void testImpersonateByMastertBadImpersonator() { public void testImpersonateByMastertBadImpersonator() {
Response response = adminClient.realm("master").users().create(UserBuilder.create().username("master-bad-impersonator").build()); String userId;
String userId = ApiUtil.getCreatedId(response); try (Response response = adminClient.realm("master").users().create(UserBuilder.create().username("master-bad-impersonator").build())) {
response.close(); userId = ApiUtil.getCreatedId(response);
}
adminClient.realm("master").users().get(userId).resetPassword(CredentialBuilder.create().password("password").build()); adminClient.realm("master").users().get(userId).resetPassword(CredentialBuilder.create().password("password").build());
testForbiddenImpersonation("master-bad-impersonator", Config.getAdminRealm()); testForbiddenImpersonation("master-bad-impersonator", Config.getAdminRealm());
@ -178,8 +185,7 @@ public class ImpersonationTest extends AbstractKeycloakTest {
loginPage.assertCurrent(); loginPage.assertCurrent();
// Impersonate and get SSO cookie. Setup that cookie for webDriver // Impersonate and get SSO cookie. Setup that cookie for webDriver
String ssoCookie = testSuccessfulImpersonation("realm-admin", "test"); driver.manage().addCookie(testSuccessfulImpersonation("realm-admin", "test"));
driver.manage().addCookie(new Cookie(AuthenticationManager.KEYCLOAK_IDENTITY_COOKIE, ssoCookie));
// Open the URL again - should be directly redirected to the app due the SSO login // Open the URL again - should be directly redirected to the app due the SSO login
driver.navigate().to(loginFormUrl); driver.navigate().to(loginFormUrl);
@ -191,28 +197,33 @@ public class ImpersonationTest extends AbstractKeycloakTest {
// Return the SSO cookie from the impersonated session // Return the SSO cookie from the impersonated session
protected String testSuccessfulImpersonation(String admin, String adminRealm) { protected Cookie testSuccessfulImpersonation(String admin, String adminRealm) {
ResteasyClient resteasyClient = new ResteasyClientBuilder().connectionPoolSize(10).build(); ResteasyClientBuilder resteasyClientBuilder = new ResteasyClientBuilder();
resteasyClientBuilder.connectionPoolSize(10);
resteasyClientBuilder.httpEngine(AdminClientUtil.getCustomClientHttpEngine(resteasyClientBuilder, 10));
ResteasyClient resteasyClient = resteasyClientBuilder.build();
// Login adminClient // Login adminClient
Keycloak client = login(admin, adminRealm, resteasyClient); try (Keycloak client = login(admin, adminRealm, resteasyClient)) {
try {
// Impersonate // Impersonate
impersonate(client, admin, adminRealm); return impersonate(client, admin, adminRealm);
// Get the SSO cookie. Needs to use same RestEasyClient used by adminClient to be able to see the cookies
KeycloakTestingClient testingClient = KeycloakTestingClient.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", resteasyClient);
String kcIdentity = testingClient.testing("test").getSSOCookieValue();
Assert.assertNotNull(kcIdentity);
return kcIdentity;
} finally {
resteasyClient.close();
} }
} }
private void impersonate(Keycloak adminClient, String admin, String adminRealm) { private Cookie impersonate(Keycloak adminClient, String admin, String adminRealm) {
Map data = adminClient.realms().realm("test").users().get(impersonatedUserId).impersonate(); Client httpClient = javax.ws.rs.client.ClientBuilder.newClient();
try (Response response = httpClient.target(OAuthClient.AUTH_SERVER_ROOT)
.path("admin")
.path("realms")
.path("test")
.path("users/" + impersonatedUserId + "/impersonation")
.request()
.header(HttpHeaders.AUTHORIZATION, "Bearer " + adminClient.tokenManager().getAccessTokenString())
.post(null)) {
Map data = response.readEntity(Map.class);
Assert.assertNotNull(data); Assert.assertNotNull(data);
Assert.assertNotNull(data.get("redirect")); Assert.assertNotNull(data.get("redirect"));
@ -222,16 +233,21 @@ public class ImpersonationTest extends AbstractKeycloakTest {
.detail(Details.IMPERSONATOR, admin) .detail(Details.IMPERSONATOR, admin)
.detail(Details.IMPERSONATOR_REALM, adminRealm) .detail(Details.IMPERSONATOR_REALM, adminRealm)
.client((String) null).assertEvent(); .client((String) null).assertEvent();
NewCookie cookie = response.getCookies().get(AuthenticationManager.KEYCLOAK_IDENTITY_COOKIE);
Assert.assertNotNull(cookie);
return new Cookie(cookie.getName(), cookie.getValue(), cookie.getDomain(), cookie.getPath(), cookie.getExpiry(), cookie.isSecure(), cookie.isHttpOnly());
}
} }
protected void testForbiddenImpersonation(String admin, String adminRealm) { protected void testForbiddenImpersonation(String admin, String adminRealm) {
Keycloak client = createAdminClient(adminRealm, establishClientId(adminRealm), admin); try (Keycloak client = createAdminClient(adminRealm, establishClientId(adminRealm), admin)) {
try {
client.realms().realm("test").users().get(impersonatedUserId).impersonate(); client.realms().realm("test").users().get(impersonatedUserId).impersonate();
Assert.fail("Expected ClientErrorException wasn't thrown.");
} catch (ClientErrorException e) { } catch (ClientErrorException e) {
Assert.assertTrue(e.getMessage().indexOf("403 Forbidden") != -1); Assert.assertThat(e.getMessage(), containsString("403 Forbidden"));
} finally {
client.close();
} }
} }

5
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java
View file

@ -170,13 +170,10 @@ public class PermissionsTest extends AbstractKeycloakTest {
@AfterClass @AfterClass
public static void removeTestUsers() throws Exception { public static void removeTestUsers() throws Exception {
Keycloak adminClient = AdminClientUtil.createAdminClient(); try (Keycloak adminClient = AdminClientUtil.createAdminClient()) {
try {
for (UserRepresentation u : adminClient.realm("master").users().search("permissions-test-master-", 0, 100)) { for (UserRepresentation u : adminClient.realm("master").users().search("permissions-test-master-", 0, 100)) {
adminClient.realm("master").users().get(u.getId()).remove(); adminClient.realm("master").users().get(u.getId()).remove();
} }
} finally {
adminClient.close();
} }
} }

3
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/concurrency/ConcurrentLoginTest.java
View file

@ -21,7 +21,6 @@ import java.io.IOException;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.net.URI; import java.net.URI;
import java.net.URISyntaxException; import java.net.URISyntaxException;
import java.nio.charset.Charset;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
@ -312,7 +311,7 @@ public class ConcurrentLoginTest extends AbstractConcurrencyTest {
} }
private static Map<String, String> getQueryFromUrl(String url) throws URISyntaxException { private static Map<String, String> getQueryFromUrl(String url) throws URISyntaxException {
return URLEncodedUtils.parse(new URI(url), Charset.forName("UTF-8")).stream() return URLEncodedUtils.parse(new URI(url), "UTF-8").stream()
.collect(Collectors.toMap(p -> p.getName(), p -> p.getValue())); .collect(Collectors.toMap(p -> p.getName(), p -> p.getValue()));
} }

7
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/event/AdminEventAuthDetailsTest.java
View file

@ -127,9 +127,8 @@ public class AdminEventAuthDetailsTest extends AbstractAuthTest {
} }
private void testClient(String realmName, String username, String password, String clientId, String expectedRealmId, String expectedClientUuid, String expectedUserId) { private void testClient(String realmName, String username, String password, String clientId, String expectedRealmId, String expectedClientUuid, String expectedUserId) {
Keycloak keycloak = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", try (Keycloak keycloak = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
realmName, username, password, clientId); realmName, username, password, clientId)) {
try {
UserRepresentation rep = UserBuilder.create().id(appUserId).username("app-user").email("foo@email.org").build(); UserRepresentation rep = UserBuilder.create().id(appUserId).username("app-user").email("foo@email.org").build();
keycloak.realm("test").users().get(appUserId).update(rep); keycloak.realm("test").users().get(appUserId).update(rep);
@ -141,8 +140,6 @@ public class AdminEventAuthDetailsTest extends AbstractAuthTest {
.representation(rep) .representation(rep)
.authDetails(expectedRealmId, expectedClientUuid, expectedUserId) .authDetails(expectedRealmId, expectedClientUuid, expectedUserId)
.assertEvent(); .assertEvent();
} finally {
keycloak.close();
} }
} }
} }

51
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/group/GroupTest.java
View file

@ -141,10 +141,9 @@ public class GroupTest extends AbstractGroupTest {
} }
private GroupRepresentation createGroup(RealmResource realm, GroupRepresentation group) { private GroupRepresentation createGroup(RealmResource realm, GroupRepresentation group) {
Response response = realm.groups().add(group); try (Response response = realm.groups().add(group)) {
String groupId = ApiUtil.getCreatedId(response); String groupId = ApiUtil.getCreatedId(response);
getCleanup().addGroupId(groupId); getCleanup().addGroupId(groupId);
response.close();
assertAdminEvents.assertEvent("test", OperationType.CREATE, AdminEventPaths.groupPath(groupId), group, ResourceType.GROUP); assertAdminEvents.assertEvent("test", OperationType.CREATE, AdminEventPaths.groupPath(groupId), group, ResourceType.GROUP);
@ -152,6 +151,7 @@ public class GroupTest extends AbstractGroupTest {
group.setId(groupId); group.setId(groupId);
return group; return group;
} }
}
@Test @Test
public void doNotAllowSameGroupNameAtSameLevel() throws Exception { public void doNotAllowSameGroupNameAtSameLevel() throws Exception {
@ -420,13 +420,12 @@ public class GroupTest extends AbstractGroupTest {
UserRepresentation user = UserBuilder.create().username("user" + i).build(); UserRepresentation user = UserBuilder.create().username("user" + i).build();
usernames.add(user.getUsername()); usernames.add(user.getUsername());
Response create = realm.users().create(user); try (Response create = realm.users().create(user)) {
assertEquals(Status.CREATED, create.getStatusInfo()); assertEquals(Status.CREATED, create.getStatusInfo());
String userAId = ApiUtil.getCreatedId(create); String userAId = ApiUtil.getCreatedId(create);
realm.users().get(userAId).joinGroup(groupId); realm.users().get(userAId).joinGroup(groupId);
}
create.close();
} }
List<String> memberUsernames = new ArrayList<>(); List<String> memberUsernames = new ArrayList<>();
@ -463,9 +462,8 @@ public class GroupTest extends AbstractGroupTest {
realm.roles().create(RoleBuilder.create().name("realm-child").build()); realm.roles().create(RoleBuilder.create().name("realm-child").build());
realm.roles().get("realm-composite").addComposites(Collections.singletonList(realm.roles().get("realm-child").toRepresentation())); realm.roles().get("realm-composite").addComposites(Collections.singletonList(realm.roles().get("realm-child").toRepresentation()));
Response response = realm.clients().create(ClientBuilder.create().clientId("myclient").build()); try (Response response = realm.clients().create(ClientBuilder.create().clientId("myclient").build())) {
String clientId = ApiUtil.getCreatedId(response); String clientId = ApiUtil.getCreatedId(response);
response.close();
realm.clients().get(clientId).roles().create(RoleBuilder.create().name("client-role").build()); realm.clients().get(clientId).roles().create(RoleBuilder.create().name("client-role").build());
realm.clients().get(clientId).roles().create(RoleBuilder.create().name("client-role2").build()); realm.clients().get(clientId).roles().create(RoleBuilder.create().name("client-role2").build());
@ -527,6 +525,7 @@ public class GroupTest extends AbstractGroupTest {
assertAdminEvents.assertEvent("test", OperationType.DELETE, AdminEventPaths.groupRolesClientRolesPath(group.getId(), clientId), Collections.singletonList(clientRoleRep), ResourceType.CLIENT_ROLE_MAPPING); assertAdminEvents.assertEvent("test", OperationType.DELETE, AdminEventPaths.groupRolesClientRolesPath(group.getId(), clientId), Collections.singletonList(clientRoleRep), ResourceType.CLIENT_ROLE_MAPPING);
assertNames(roles.clientLevel(clientId).listAll(), "client-composite"); assertNames(roles.clientLevel(clientId).listAll(), "client-composite");
} }
}
/** /**
@ -540,13 +539,14 @@ public class GroupTest extends AbstractGroupTest {
final String realmName = AuthRealm.MASTER; final String realmName = AuthRealm.MASTER;
createUser(realmName, userName, "pwd"); createUser(realmName, userName, "pwd");
Keycloak userClient = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", try (Keycloak userClient = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
realmName, userName, "pwd", Constants.ADMIN_CLI_CLIENT_ID); realmName, userName, "pwd", Constants.ADMIN_CLI_CLIENT_ID)) {
expectedException.expect(ClientErrorException.class); expectedException.expect(ClientErrorException.class);
expectedException.expectMessage(String.valueOf(Response.Status.FORBIDDEN.getStatusCode())); expectedException.expectMessage(String.valueOf(Response.Status.FORBIDDEN.getStatusCode()));
userClient.realms().findAll(); // Any admin operation will do userClient.realms().findAll(); // Any admin operation will do
} }
}
/** /**
* Verifies that the role assigned to a user is correctly handled by Keycloak Admin endpoint. * Verifies that the role assigned to a user is correctly handled by Keycloak Admin endpoint.
@ -592,21 +592,21 @@ public class GroupTest extends AbstractGroupTest {
String userId = createUser(realmName, userName, "pwd"); String userId = createUser(realmName, userName, "pwd");
GroupRepresentation group = GroupBuilder.create().name(groupName).build(); GroupRepresentation group = GroupBuilder.create().name(groupName).build();
Response response = realm.groups().add(group); try (Response response = realm.groups().add(group)) {
String groupId = ApiUtil.getCreatedId(response); String groupId = ApiUtil.getCreatedId(response);
response.close();
RoleMappingResource mappings = realm.groups().group(groupId).roles(); RoleMappingResource mappings = realm.groups().group(groupId).roles();
mappings.realmLevel().add(Collections.singletonList(adminRole)); mappings.realmLevel().add(Collections.singletonList(adminRole));
realm.users().get(userId).joinGroup(groupId); realm.users().get(userId).joinGroup(groupId);
}
Keycloak userClient = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", try (Keycloak userClient = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
realmName, userName, "pwd", Constants.ADMIN_CLI_CLIENT_ID); realmName, userName, "pwd", Constants.ADMIN_CLI_CLIENT_ID)) {
assertThat(userClient.realms().findAll(), // Any admin operation will do assertThat(userClient.realms().findAll(), // Any admin operation will do
not(empty())); not(empty()));
} }
}
/** /**
@ -626,39 +626,37 @@ public class GroupTest extends AbstractGroupTest {
String userId = createUser(realmName, userName, "pwd"); String userId = createUser(realmName, userName, "pwd");
GroupRepresentation group = GroupBuilder.create().name(groupName).build(); GroupRepresentation group = GroupBuilder.create().name(groupName).build();
Response response = realm.groups().add(group); try (Response response = realm.groups().add(group)) {
String groupId = ApiUtil.getCreatedId(response); String groupId = ApiUtil.getCreatedId(response);
response.close();
realm.users().get(userId).joinGroup(groupId); realm.users().get(userId).joinGroup(groupId);
RoleMappingResource mappings = realm.groups().group(groupId).roles(); RoleMappingResource mappings = realm.groups().group(groupId).roles();
mappings.realmLevel().add(Collections.singletonList(adminRole));
Keycloak userClient = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", mappings.realmLevel().add(Collections.singletonList(adminRole));
realmName, userName, "pwd", Constants.ADMIN_CLI_CLIENT_ID); }
try (Keycloak userClient = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
realmName, userName, "pwd", Constants.ADMIN_CLI_CLIENT_ID)) {
assertThat(userClient.realms().findAll(), // Any admin operation will do assertThat(userClient.realms().findAll(), // Any admin operation will do
not(empty())); not(empty()));
} }
}
@Test @Test
public void defaultMaxResults() { public void defaultMaxResults() {
GroupsResource groups = adminClient.realms().realm("test").groups(); GroupsResource groups = adminClient.realms().realm("test").groups();
Response response = groups.add(GroupBuilder.create().name("test").build()); try (Response response = groups.add(GroupBuilder.create().name("test").build())) {
String groupId = ApiUtil.getCreatedId(response); String groupId = ApiUtil.getCreatedId(response);
response.close();
GroupResource group = groups.group(groupId); GroupResource group = groups.group(groupId);
UsersResource users = adminClient.realms().realm("test").users(); UsersResource users = adminClient.realms().realm("test").users();
for (int i = 0; i < 110; i++) { for (int i = 0; i < 110; i++) {
Response r = users.create(UserBuilder.create().username("test-" + i).build()); try (Response r = users.create(UserBuilder.create().username("test-" + i).build())) {
String userId = ApiUtil.getCreatedId(r); users.get(ApiUtil.getCreatedId(r)).joinGroup(groupId);
r.close(); }
users.get(userId).joinGroup(groupId);
} }
assertEquals(100, group.members(null, null).size()); assertEquals(100, group.members(null, null).size());
@ -667,6 +665,7 @@ public class GroupTest extends AbstractGroupTest {
assertEquals(110, group.members(0, 1000).size()); assertEquals(110, group.members(0, 1000).size());
assertEquals(110, group.members(-1, -2).size()); assertEquals(110, group.members(-1, -2).size());
} }
}
@Test @Test
public void searchAndCountGroups() throws Exception { public void searchAndCountGroups() throws Exception {

5
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
View file

@ -271,8 +271,9 @@ public class RealmTest extends AbstractAdminTest {
public void loginAfterRemoveRealm() { public void loginAfterRemoveRealm() {
realm.remove(); realm.remove();
ServerInfoResource serverInfoResource = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", "master", "admin", "admin", Constants.ADMIN_CLI_CLIENT_ID).serverInfo(); try (Keycloak client = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", "master", "admin", "admin", Constants.ADMIN_CLI_CLIENT_ID)) {
serverInfoResource.getInfo(); client.serverInfo().getInfo();
}
reCreateRealm(); reCreateRealm();
} }

1
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/AuthzClientCredentialsTest.java
View file

@ -80,6 +80,7 @@ public class AuthzClientCredentialsTest extends AbstractAuthzTest {
} }
@Before @Before
@Override
public void beforeAbstractKeycloakTest() throws Exception { public void beforeAbstractKeycloakTest() throws Exception {
super.beforeAbstractKeycloakTest(); super.beforeAbstractKeycloakTest();
testContext.getTestRealmReps().forEach(realmRepresentation -> { testContext.getTestRealmReps().forEach(realmRepresentation -> {

2
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/EntitlementAPITest.java
View file

@ -1170,8 +1170,6 @@ public class EntitlementAPITest extends AbstractAuthzTest {
@Test @Test
public void testOfflineRequestingPartyToken() throws Exception { public void testOfflineRequestingPartyToken() throws Exception {
ContainerAssume.assumeNotAuthServerUndertow();
ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST); ClientResource client = getClient(getRealm(), RESOURCE_SERVER_TEST);
AuthorizationResource authorization = client.authorization(); AuthorizationResource authorization = client.authorization();

73
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/cookies/CookiesPathTest.java
View file

@ -37,6 +37,10 @@ import java.util.Calendar;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
import java.util.stream.Collectors;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.is;
import org.junit.After;
/** /**
* @author <a href="mailto:mkanis@redhat.com">Martin Kanis</a> * @author <a href="mailto:mkanis@redhat.com">Martin Kanis</a>
@ -54,6 +58,13 @@ public class CookiesPathTest extends AbstractKeycloakTest {
public static final String KC_RESTART = "KC_RESTART"; public static final String KC_RESTART = "KC_RESTART";
private CloseableHttpClient httpClient = null;
@After
public void closeHttpClient() throws IOException {
if (httpClient != null) httpClient.close();
}
@Test @Test
public void testCookiesPath() { public void testCookiesPath() {
// navigate to "/realms/foo/account" and remove cookies in the browser for the current path // navigate to "/realms/foo/account" and remove cookies in the browser for the current path
@ -88,7 +99,7 @@ public class CookiesPathTest extends AbstractKeycloakTest {
cookies.stream().forEach(cookie -> Assert.assertThat(cookie.getPath(), Matchers.endsWith("/auth/realms/foobar/"))); cookies.stream().forEach(cookie -> Assert.assertThat(cookie.getPath(), Matchers.endsWith("/auth/realms/foobar/")));
// lets back to "/realms/foo/account" to test the cookies for "foo" realm are still there and haven't been (correctly) sent to "foobar" // lets back to "/realms/foo/account" to test the cookies for "foo" realm are still there and haven't been (correctly) sent to "foobar"
URLUtils.navigateToUri( oauth.AUTH_SERVER_ROOT + "/realms/foo/account"); URLUtils.navigateToUri(OAuthClient.AUTH_SERVER_ROOT + "/realms/foo/account");
cookies = driver.manage().getCookies(); cookies = driver.manage().getCookies();
Assert.assertTrue("There should be cookies sent!", cookies.size() > 0); Assert.assertTrue("There should be cookies sent!", cookies.size() > 0);
@ -97,7 +108,7 @@ public class CookiesPathTest extends AbstractKeycloakTest {
@Test @Test
public void testMultipleCookies() throws IOException { public void testMultipleCookies() throws IOException {
String requestURI = oauth.AUTH_SERVER_ROOT + "/realms/foo/account"; String requestURI = OAuthClient.AUTH_SERVER_ROOT + "/realms/foo/account";
Calendar calendar = Calendar.getInstance(); Calendar calendar = Calendar.getInstance();
calendar.add(Calendar.DAY_OF_YEAR, 1); calendar.add(Calendar.DAY_OF_YEAR, 1);
@ -113,16 +124,15 @@ public class CookiesPathTest extends AbstractKeycloakTest {
Assert.assertThat(cookieStore.getCookies(), Matchers.hasSize(3)); Assert.assertThat(cookieStore.getCookies(), Matchers.hasSize(3));
CloseableHttpResponse response = login(requestURI, cookieStore); login(requestURI, cookieStore);
response.close();
// old cookie has been removed // old cookie has been removed
// now we have AUTH_SESSION_ID, KEYCLOAK_IDENTITY, KEYCLOAK_SESSION, OAuth_Token_Request_State // now we have AUTH_SESSION_ID, KEYCLOAK_IDENTITY, KEYCLOAK_SESSION
Assert.assertThat(cookieStore.getCookies(), Matchers.hasSize(4)); Assert.assertThat(cookieStore.getCookies().stream().map(org.apache.http.cookie.Cookie::getName).collect(Collectors.toList()),
Matchers.containsInAnyOrder("AUTH_SESSION_ID", "KEYCLOAK_IDENTITY", "KEYCLOAK_SESSION"));
// does each cookie's path end with "/" // does each cookie's path end with "/"
cookieStore.getCookies().stream().filter(c -> !"OAuth_Token_Request_State".equals(c.getName())) cookieStore.getCookies().stream().map(org.apache.http.cookie.Cookie::getPath).forEach(path ->Assert.assertThat(path, Matchers.endsWith("/")));
.map(c -> c.getPath()).forEach(path ->Assert.assertThat(path, Matchers.endsWith("/")));
// KEYCLOAK_SESSION should end by AUTH_SESSION_ID value // KEYCLOAK_SESSION should end by AUTH_SESSION_ID value
String authSessionId = cookieStore.getCookies().stream().filter(c -> "AUTH_SESSION_ID".equals(c.getName())).findFirst().get().getValue(); String authSessionId = cookieStore.getCookies().stream().filter(c -> "AUTH_SESSION_ID".equals(c.getName())).findFirst().get().getValue();
@ -152,8 +162,7 @@ public class CookiesPathTest extends AbstractKeycloakTest {
Assert.assertThat(cookies, Matchers.hasSize(3)); Assert.assertThat(cookies, Matchers.hasSize(3));
// does each cookie's path end with "/" // does each cookie's path end with "/"
cookies.stream().map(c -> c.getPath()).forEach(path -> cookies.stream().map(Cookie::getPath).forEach(path -> Assert.assertThat(path, Matchers.endsWith("/")));
Assert.assertThat(path, Matchers.endsWith("/")));
// KEYCLOAK_SESSION should end by AUTH_SESSION_ID value // KEYCLOAK_SESSION should end by AUTH_SESSION_ID value
String authSessionId = cookies.stream().filter(c -> "AUTH_SESSION_ID".equals(c.getName())).findFirst().get().getValue(); String authSessionId = cookies.stream().filter(c -> "AUTH_SESSION_ID".equals(c.getName())).findFirst().get().getValue();
@ -164,7 +173,7 @@ public class CookiesPathTest extends AbstractKeycloakTest {
@Test @Test
public void testOldCookieWithNodeInValue() throws IOException { public void testOldCookieWithNodeInValue() throws IOException {
String requestURI = oauth.AUTH_SERVER_ROOT + "/realms/foo/account"; String requestURI = OAuthClient.AUTH_SERVER_ROOT + "/realms/foo/account";
Calendar calendar = Calendar.getInstance(); Calendar calendar = Calendar.getInstance();
calendar.add(Calendar.DAY_OF_YEAR, 1); calendar.add(Calendar.DAY_OF_YEAR, 1);
@ -180,16 +189,15 @@ public class CookiesPathTest extends AbstractKeycloakTest {
Assert.assertThat(cookieStore.getCookies(), Matchers.hasSize(3)); Assert.assertThat(cookieStore.getCookies(), Matchers.hasSize(3));
CloseableHttpResponse response = login(requestURI, cookieStore); login(requestURI, cookieStore);
response.close();
// old cookie has been removed // old cookie has been removed
// now we have AUTH_SESSION_ID, KEYCLOAK_IDENTITY, KEYCLOAK_SESSION, OAuth_Token_Request_State // now we have AUTH_SESSION_ID, KEYCLOAK_IDENTITY, KEYCLOAK_SESSION, OAuth_Token_Request_State
Assert.assertThat(cookieStore.getCookies(), Matchers.hasSize(4)); Assert.assertThat(cookieStore.getCookies().stream().map(org.apache.http.cookie.Cookie::getName).collect(Collectors.toList()),
Matchers.containsInAnyOrder("AUTH_SESSION_ID", "KEYCLOAK_IDENTITY", "KEYCLOAK_SESSION"));
// does each cookie's path end with "/" // does each cookie's path end with "/"
cookieStore.getCookies().stream().filter(c -> !"OAuth_Token_Request_State".equals(c.getName())) cookieStore.getCookies().stream().map(org.apache.http.cookie.Cookie::getPath).forEach(path ->Assert.assertThat(path, Matchers.endsWith("/")));
.map(c -> c.getPath()).forEach(path ->Assert.assertThat(path, Matchers.endsWith("/")));
// KEYCLOAK_SESSION should end by AUTH_SESSION_ID value // KEYCLOAK_SESSION should end by AUTH_SESSION_ID value
String authSessionId = cookieStore.getCookies().stream().filter(c -> "AUTH_SESSION_ID".equals(c.getName())).findFirst().get().getValue(); String authSessionId = cookieStore.getCookies().stream().filter(c -> "AUTH_SESSION_ID".equals(c.getName())).findFirst().get().getValue();
@ -215,20 +223,20 @@ public class CookiesPathTest extends AbstractKeycloakTest {
testRealms.add(foobar.build()); testRealms.add(foobar.build());
} }
// if the client is closed before the response is read, it throws
// org.apache.http.ConnectionClosedException: Premature end of Content-Length delimited message body
// that's why the this.httpClient is introduced, the client is closed either here or after test method
private CloseableHttpResponse sendRequest(HttpRequestBase request, CookieStore cookieStore, HttpCoreContext localContext) throws IOException { private CloseableHttpResponse sendRequest(HttpRequestBase request, CookieStore cookieStore, HttpCoreContext localContext) throws IOException {
CloseableHttpClient c = HttpClientBuilder.create().setDefaultCookieStore(cookieStore).setRedirectStrategy(new LaxRedirectStrategy()).build(); if (httpClient != null) httpClient.close();
httpClient = HttpClientBuilder.create().setDefaultCookieStore(cookieStore).setRedirectStrategy(new LaxRedirectStrategy()).build();
CloseableHttpResponse response = c.execute(request, localContext); return httpClient.execute(request, localContext);
return response;
} }
private CookieStore getCorrectCookies(String uri) throws IOException { private CookieStore getCorrectCookies(String uri) throws IOException {
CookieStore cookieStore = new BasicCookieStore(); CookieStore cookieStore = new BasicCookieStore();
HttpGet request = new HttpGet(uri); HttpGet request = new HttpGet(uri);
CloseableHttpResponse response = sendRequest(request, new BasicCookieStore(), new HttpCoreContext()); try (CloseableHttpResponse response = sendRequest(request, new BasicCookieStore(), new HttpCoreContext())) {
for (org.apache.http.Header h: response.getHeaders("Set-Cookie")) { for (org.apache.http.Header h: response.getHeaders("Set-Cookie")) {
if (h.getValue().contains(AuthenticationSessionManager.AUTH_SESSION_ID)) { if (h.getValue().contains(AuthenticationSessionManager.AUTH_SESSION_ID)) {
cookieStore.addCookie(parseCookie(h.getValue(), AuthenticationSessionManager.AUTH_SESSION_ID)); cookieStore.addCookie(parseCookie(h.getValue(), AuthenticationSessionManager.AUTH_SESSION_ID));
@ -236,8 +244,7 @@ public class CookiesPathTest extends AbstractKeycloakTest {
cookieStore.addCookie(parseCookie(h.getValue(), KC_RESTART)); cookieStore.addCookie(parseCookie(h.getValue(), KC_RESTART));
} }
} }
}
response.close();
return cookieStore; return cookieStore;
} }
@ -267,18 +274,18 @@ public class CookiesPathTest extends AbstractKeycloakTest {
return c; return c;
} }
private CloseableHttpResponse login(String requestURI, CookieStore cookieStore) throws IOException { private void login(String requestURI, CookieStore cookieStore) throws IOException {
HttpCoreContext httpContext = new HttpCoreContext(); HttpCoreContext httpContext = new HttpCoreContext();
HttpGet request = new HttpGet(requestURI); HttpGet request = new HttpGet(requestURI);
// send an initial request, we are redirected to login page // send an initial request, we are redirected to login page
CloseableHttpResponse response = sendRequest(request, cookieStore, httpContext); String entityContent;
String s = IOUtils.toString(response.getEntity().getContent(), "UTF-8"); try (CloseableHttpResponse response = sendRequest(request, cookieStore, httpContext)) {
response.close(); entityContent = IOUtils.toString(response.getEntity().getContent(), "UTF-8");
String action = ActionURIUtils.getActionURIFromPageSource(s); }
// send credentials to login form // send credentials to login form
HttpPost post = new HttpPost(action); HttpPost post = new HttpPost(ActionURIUtils.getActionURIFromPageSource(entityContent));
List<NameValuePair> params = new LinkedList<>(); List<NameValuePair> params = new LinkedList<>();
params.add(new BasicNameValuePair("username", "foo")); params.add(new BasicNameValuePair("username", "foo"));
params.add(new BasicNameValuePair("password", "password")); params.add(new BasicNameValuePair("password", "password"));
@ -286,6 +293,8 @@ public class CookiesPathTest extends AbstractKeycloakTest {
post.setHeader("Content-Type", "application/x-www-form-urlencoded"); post.setHeader("Content-Type", "application/x-www-form-urlencoded");
post.setEntity(new UrlEncodedFormEntity(params)); post.setEntity(new UrlEncodedFormEntity(params));
return sendRequest(post, cookieStore, httpContext); try (CloseableHttpResponse response = sendRequest(post, cookieStore, httpContext)) {
Assert.assertThat("Expected successful login.", response.getStatusLine().getStatusCode(), is(equalTo(200)));
}
} }
} }

3
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/federation/kerberos/AbstractKerberosTest.java
View file

@ -20,7 +20,6 @@ package org.keycloak.testsuite.federation.kerberos;
import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson; import static org.keycloak.testsuite.admin.AbstractAdminTest.loadJson;
import java.net.URI; import java.net.URI;
import java.nio.charset.Charset;
import java.security.Principal; import java.security.Principal;
import java.util.Hashtable; import java.util.Hashtable;
import java.util.List; import java.util.List;
@ -315,7 +314,7 @@ public abstract class AbstractKerberosTest extends AbstractAuthTest {
protected OAuthClient.AccessTokenResponse assertAuthenticationSuccess(String codeUrl) throws Exception { protected OAuthClient.AccessTokenResponse assertAuthenticationSuccess(String codeUrl) throws Exception {
List<NameValuePair> pairs = URLEncodedUtils.parse(new URI(codeUrl), Charset.forName("UTF-8")); List<NameValuePair> pairs = URLEncodedUtils.parse(new URI(codeUrl), "UTF-8");
String code = null; String code = null;
String state = null; String state = null;
for (NameValuePair pair : pairs) { for (NameValuePair pair : pairs) {

28
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/PasswordHashingTest.java
View file

@ -19,61 +19,33 @@ package org.keycloak.testsuite.forms;
import org.jboss.arquillian.container.test.api.Deployment; import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.graphene.page.Page; import org.jboss.arquillian.graphene.page.Page;
import org.jboss.shrinkwrap.api.spec.WebArchive; import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test; import org.junit.Test;
import org.keycloak.OAuth2Constants;
import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.common.util.Base64; import org.keycloak.common.util.Base64;
import org.keycloak.credential.CredentialModel; import org.keycloak.credential.CredentialModel;
import org.keycloak.credential.hash.Pbkdf2PasswordHashProvider; import org.keycloak.credential.hash.Pbkdf2PasswordHashProvider;
import org.keycloak.credential.hash.Pbkdf2PasswordHashProviderFactory; import org.keycloak.credential.hash.Pbkdf2PasswordHashProviderFactory;
import org.keycloak.credential.hash.Pbkdf2Sha256PasswordHashProviderFactory; import org.keycloak.credential.hash.Pbkdf2Sha256PasswordHashProviderFactory;
import org.keycloak.credential.hash.Pbkdf2Sha512PasswordHashProviderFactory; import org.keycloak.credential.hash.Pbkdf2Sha512PasswordHashProviderFactory;
import org.keycloak.events.Details;
import org.keycloak.events.EventType;
import org.keycloak.models.BrowserSecurityHeaders;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.models.utils.RepresentationToModel;
import org.keycloak.representations.idm.CredentialRepresentation; import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.ErrorRepresentation; import org.keycloak.representations.idm.ErrorRepresentation;
import org.keycloak.representations.idm.EventRepresentation;
import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest; import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.AssertEvents;
import org.keycloak.testsuite.admin.ApiUtil; import org.keycloak.testsuite.admin.ApiUtil;
import org.keycloak.testsuite.client.KeycloakTestingClient;
import org.keycloak.testsuite.pages.AccountUpdateProfilePage; import org.keycloak.testsuite.pages.AccountUpdateProfilePage;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.pages.AppPage.RequestType;
import org.keycloak.testsuite.pages.ErrorPage;
import org.keycloak.testsuite.pages.LoginPage; import org.keycloak.testsuite.pages.LoginPage;
import org.keycloak.testsuite.pages.LoginPasswordUpdatePage;
import org.keycloak.testsuite.runonserver.RunOnServerDeployment; import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
import org.keycloak.testsuite.util.RealmBuilder;
import org.keycloak.testsuite.util.UserBuilder; import org.keycloak.testsuite.util.UserBuilder;
import org.keycloak.util.JsonSerialization;
import javax.crypto.SecretKeyFactory; import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec; import javax.crypto.spec.PBEKeySpec;
import javax.ws.rs.BadRequestException; import javax.ws.rs.BadRequestException;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.Response;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.KeySpec; import java.security.spec.KeySpec;
import java.util.Map;
import static org.junit.Assert.assertArrayEquals; import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail; import static org.junit.Assert.fail;
/** /**

8
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/model/CacheTest.java
View file

@ -21,22 +21,17 @@ package org.keycloak.testsuite.model;
import org.jboss.arquillian.container.test.api.Deployment; import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.TargetsContainer; import org.jboss.arquillian.container.test.api.TargetsContainer;
import org.jboss.shrinkwrap.api.spec.WebArchive; import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.ClassRule;
import org.junit.Test; import org.junit.Test;
import org.keycloak.admin.client.resource.UserResource; import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.models.ClientModel; import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel; import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel; import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel; import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel; import org.keycloak.models.UserSessionModel;
import org.keycloak.models.cache.infinispan.ClientAdapter; import org.keycloak.models.cache.infinispan.ClientAdapter;
import org.keycloak.models.cache.infinispan.RealmAdapter; import org.keycloak.models.cache.infinispan.RealmAdapter;
import org.keycloak.testsuite.federation.ldap.AbstractLDAPTest;
import org.keycloak.testsuite.pages.AppPage;
import org.keycloak.testsuite.runonserver.RunOnServerDeployment; import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
import java.util.List;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
@ -47,10 +42,7 @@ import static org.keycloak.testsuite.arquillian.DeploymentTargetModifier.AUTH_SE
import org.keycloak.testsuite.AbstractTestRealmKeycloakTest; import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
import org.keycloak.testsuite.Assert; import org.keycloak.testsuite.Assert;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.representations.idm.RealmRepresentation;
import org.keycloak.testsuite.client.KeycloakTestingClient;
import org.keycloak.testsuite.arquillian.TestContext;
/** /**
* @author <a href="mailto:bill@burkecentral.com">Bill Burke</a> * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>

1
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/model/UserSessionInitializerTest.java
View file

@ -24,7 +24,6 @@ import org.junit.After;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.UserResource; import org.keycloak.admin.client.resource.UserResource;
import org.keycloak.common.util.Time; import org.keycloak.common.util.Time;
import org.keycloak.connections.infinispan.InfinispanConnectionProvider; import org.keycloak.connections.infinispan.InfinispanConnectionProvider;

5
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/OfflineTokenTest.java
View file

@ -513,11 +513,12 @@ public class OfflineTokenTest extends AbstractKeycloakTest {
tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "secret1"); tokenResponse = oauth.doRefreshTokenRequest(tokenResponse.getRefreshToken(), "secret1");
// Use accessToken to admin REST request // Use accessToken to admin REST request
Keycloak offlineTokenAdmin = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth", try (Keycloak offlineTokenAdmin = Keycloak.getInstance(AuthServerTestEnricher.getAuthServerContextRoot() + "/auth",
AuthRealm.MASTER, Constants.ADMIN_CLI_CLIENT_ID, tokenResponse.getAccessToken()); AuthRealm.MASTER, Constants.ADMIN_CLI_CLIENT_ID, tokenResponse.getAccessToken())) {
RealmRepresentation testRealm = offlineTokenAdmin.realm("test").toRepresentation(); RealmRepresentation testRealm = offlineTokenAdmin.realm("test").toRepresentation();
Assert.assertNotNull(testRealm); Assert.assertNotNull(testRealm);
} }
}
// KEYCLOAK-4525 // KEYCLOAK-4525

2
testsuite/integration-arquillian/tests/base/src/test/resources/openshift/client-storage/openshift-version.json
View file

@ -8,4 +8,4 @@
"goVersion": "", "goVersion": "",
"compiler": "", "compiler": "",
"platform": "" "platform": ""
}ssss }

12
testsuite/integration-arquillian/tests/pom.xml
View file

@ -1438,11 +1438,21 @@
<version>${appium.client.version}</version> <version>${appium.client.version}</version>
</dependency> </dependency>
<!--
httpclient and httpcore are here to ensure we use the same version
as in keycloak/pom.xml and to prevent the other versions beeing present
on classpath during tests (as a transitive dependencies e.g.).
There has beeen issues due to this.
-->
<dependency> <dependency>
<groupId>org.apache.httpcomponents</groupId> <groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId> <artifactId>httpclient</artifactId>
<version>4.5.3</version>
</dependency> </dependency>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpcore</artifactId>
</dependency>
<dependency> <dependency>
<groupId>jfree</groupId> <groupId>jfree</groupId>
<artifactId>jfreechart</artifactId> <artifactId>jfreechart</artifactId>

3
testsuite/integration-deprecated/src/test/java/org/keycloak/testsuite/broker/OIDCKeyCloakServerBrokerBasicTest.java
View file

@ -127,7 +127,7 @@ public class OIDCKeyCloakServerBrokerBasicTest extends AbstractKeycloakIdentityP
@Test @Test
public void testLogoutWorksWithTokenTimeout() { public void testLogoutWorksWithTokenTimeout() {
Keycloak keycloak = Keycloak.getInstance("http://localhost:8081/auth", "master", "admin", "admin", org.keycloak.models.Constants.ADMIN_CLI_CLIENT_ID); try (Keycloak keycloak = Keycloak.getInstance("http://localhost:8081/auth", "master", "admin", "admin", org.keycloak.models.Constants.ADMIN_CLI_CLIENT_ID)) {
RealmRepresentation realm = keycloak.realm("realm-with-oidc-identity-provider").toRepresentation(); RealmRepresentation realm = keycloak.realm("realm-with-oidc-identity-provider").toRepresentation();
assertNotNull(realm); assertNotNull(realm);
int oldLifespan = realm.getAccessTokenLifespan(); int oldLifespan = realm.getAccessTokenLifespan();
@ -144,6 +144,7 @@ public class OIDCKeyCloakServerBrokerBasicTest extends AbstractKeycloakIdentityP
idp.getConfig().put("backchannelSupported", "true"); idp.getConfig().put("backchannelSupported", "true");
keycloak.realm("realm-with-broker").identityProviders().get("kc-oidc-idp").update(idp); keycloak.realm("realm-with-broker").identityProviders().get("kc-oidc-idp").update(idp);
} }
}
@Test @Test
public void testSuccessfulAuthenticationWithoutUpdateProfile() { public void testSuccessfulAuthenticationWithoutUpdateProfile() {