KEYCLOAK-8707 Fix client template to scope migration
This commit is contained in:
Hynek Mlnarik
Hynek Mlnařík
parent
c9cd060417
commit
d395043fc7
7 changed files with 229 additions and 36 deletions
|
|
@ -0,0 +1,68 @@
|
|||
/*
|
||||
* Copyright 2018 Red Hat, Inc. and/or its affiliates
|
||||
* and other contributors as indicated by the @author tags.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.keycloak.connections.jpa.updater.liquibase.custom;
|
||||
|
||||
import java.sql.PreparedStatement;
|
||||
import java.sql.ResultSet;
|
||||
import liquibase.exception.CustomChangeException;
|
||||
import liquibase.statement.core.InsertStatement;
|
||||
import liquibase.structure.core.Table;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author hmlnarik
|
||||
*/
|
||||
public class JpaUpdate4_0_0_DefaultClientScopes extends CustomKeycloakTask {
|
||||
|
||||
@Override
|
||||
protected void generateStatementsImpl() throws CustomChangeException {
|
||||
String clientTableName = database.correctObjectName("CLIENT", Table.class);
|
||||
String clientScopeClientTableName = database.correctObjectName("CLIENT_SCOPE_CLIENT", Table.class);
|
||||
|
||||
try (PreparedStatement statement = jdbcConnection.prepareStatement("SELECT ID, CLIENT_TEMPLATE_ID FROM " + clientTableName);
|
||||
ResultSet rs = statement.executeQuery()) {
|
||||
while (rs.next()) {
|
||||
String clientId = rs.getString(1);
|
||||
String clientTemplateId = rs.getString(2);
|
||||
|
||||
if (clientId == null || clientId.trim().isEmpty()) {
|
||||
continue;
|
||||
}
|
||||
if (clientTemplateId == null || clientTemplateId.trim().isEmpty()) {
|
||||
continue;
|
||||
}
|
||||
|
||||
statements.add(
|
||||
new InsertStatement(null, null, clientScopeClientTableName)
|
||||
.addColumnValue("CLIENT_ID", clientId.trim())
|
||||
.addColumnValue("SCOPE_ID", clientTemplateId.trim())
|
||||
.addColumnValue("DEFAULT_SCOPE", Boolean.TRUE)
|
||||
);
|
||||
}
|
||||
|
||||
confirmationMessage.append("Updated " + statements.size() + " records in CLIENT_SCOPE_CLIENT table");
|
||||
} catch (Exception e) {
|
||||
throw new CustomChangeException(getTaskId() + ": Exception when updating data from previous version", e);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
protected String getTaskId() {
|
||||
return "Update 4.0.0.Final (Default client scopes)";
|
||||
}
|
||||
|
||||
}
|
||||
|
|
@ -85,7 +85,12 @@
|
|||
|
||||
</changeSet>
|
||||
|
||||
<changeSet author="mposolda@redhat.com" id="4.0.0-KEYCLOAK-5579">
|
||||
<changeSet author="mposolda@redhat.com" id="4.0.0-KEYCLOAK-5579-fixed">
|
||||
<preConditions onFail="MARK_RAN" onSqlOutput="TEST">
|
||||
<not>
|
||||
<changeSetExecuted id="4.0.0-KEYCLOAK-5579" author="mposolda@redhat.com" changeLogFile="META-INF/jpa-changelog-4.0.0.xml" />
|
||||
</not>
|
||||
</preConditions>
|
||||
|
||||
<!-- 1 - Rename clientTemplate to clientScope and drop some unused things from clientTemplate -->
|
||||
<dropForeignKeyConstraint baseTableName="CLIENT_TEMPLATE_ATTRIBUTES" constraintName="FK_CL_TEMPL_ATTR_TEMPL" />
|
||||
|
|
@ -147,15 +152,6 @@
|
|||
constraintName="FK_CL_SCOPE_ATTR_SCOPE" referencedTableName="CLIENT_SCOPE" referencedColumnNames="ID" />
|
||||
|
||||
<!-- 2 - Client binding to more clientScopes -->
|
||||
<!-- Foreign key dropped above TODO:mposolda migration existing clientTemplate to default clientScope -->
|
||||
<dropColumn tableName="CLIENT" columnName="CLIENT_TEMPLATE_ID" />
|
||||
<dropDefaultValue tableName="CLIENT" columnName="USE_TEMPLATE_CONFIG"/>
|
||||
<dropDefaultValue tableName="CLIENT" columnName="USE_TEMPLATE_SCOPE" />
|
||||
<dropDefaultValue tableName="CLIENT" columnName="USE_TEMPLATE_MAPPERS" />
|
||||
<dropColumn tableName="CLIENT" columnName="USE_TEMPLATE_CONFIG" />
|
||||
<dropColumn tableName="CLIENT" columnName="USE_TEMPLATE_SCOPE" />
|
||||
<dropColumn tableName="CLIENT" columnName="USE_TEMPLATE_MAPPERS" />
|
||||
|
||||
<createTable tableName="CLIENT_SCOPE_CLIENT">
|
||||
<column name="CLIENT_ID" type="VARCHAR(36)">
|
||||
<constraints nullable="false"/>
|
||||
|
|
@ -171,6 +167,16 @@
|
|||
<addForeignKeyConstraint baseColumnNames="CLIENT_ID" baseTableName="CLIENT_SCOPE_CLIENT" constraintName="FK_C_CLI_SCOPE_CLIENT" referencedColumnNames="ID" referencedTableName="CLIENT"/>
|
||||
<addForeignKeyConstraint baseColumnNames="SCOPE_ID" baseTableName="CLIENT_SCOPE_CLIENT" constraintName="FK_C_CLI_SCOPE_SCOPE" referencedColumnNames="ID" referencedTableName="CLIENT_SCOPE"/>
|
||||
|
||||
<customChange class="org.keycloak.connections.jpa.updater.liquibase.custom.JpaUpdate4_0_0_DefaultClientScopes" />
|
||||
|
||||
<dropColumn tableName="CLIENT" columnName="CLIENT_TEMPLATE_ID" />
|
||||
<dropDefaultValue tableName="CLIENT" columnName="USE_TEMPLATE_CONFIG"/>
|
||||
<dropDefaultValue tableName="CLIENT" columnName="USE_TEMPLATE_SCOPE" />
|
||||
<dropDefaultValue tableName="CLIENT" columnName="USE_TEMPLATE_MAPPERS" />
|
||||
<dropColumn tableName="CLIENT" columnName="USE_TEMPLATE_CONFIG" />
|
||||
<dropColumn tableName="CLIENT" columnName="USE_TEMPLATE_SCOPE" />
|
||||
<dropColumn tableName="CLIENT" columnName="USE_TEMPLATE_MAPPERS" />
|
||||
|
||||
<!-- Default client scopes (global scopes configured at realm level) -->
|
||||
<createTable tableName="DEFAULT_CLIENT_SCOPE">
|
||||
<column name="REALM_ID" type="VARCHAR(36)">
|
||||
|
|
|
|||
|
|
@ -66,10 +66,13 @@ import java.util.LinkedList;
|
|||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.function.Function;
|
||||
import java.util.function.Predicate;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import org.keycloak.common.Profile;
|
||||
import org.hamcrest.Matcher;
|
||||
import org.hamcrest.Matchers;
|
||||
import static org.junit.Assert.assertThat;
|
||||
|
||||
/**
|
||||
*
|
||||
|
|
@ -635,21 +638,39 @@ public class ExportImportUtil {
|
|||
Assert.assertTrue(!source.stream().filter(object -> !predicate.stream().filter(predicate1 -> predicate1.test(object)).findFirst().isPresent()).findAny().isPresent());
|
||||
}
|
||||
|
||||
private static Matcher<Iterable<? super String>> getDefaultClientScopeNameMatcher(ClientRepresentation rep) {
|
||||
switch (rep.getClientId()) {
|
||||
case "client-with-template":
|
||||
return Matchers.hasItem("Default_test_template");
|
||||
default:
|
||||
return Matchers.not(Matchers.hasItem("Default_test_template"));
|
||||
}
|
||||
}
|
||||
|
||||
public static void testClientDefaultClientScopes(RealmResource realm) {
|
||||
for (ClientRepresentation rep : realm.clients().findAll(true)) {
|
||||
Matcher<Iterable<? super String>> expectedDefaultClientScopeNames = getDefaultClientScopeNameMatcher(rep);
|
||||
|
||||
assertThat("Default client scopes for " + rep.getClientId(), rep.getDefaultClientScopes(), expectedDefaultClientScopeNames);
|
||||
}
|
||||
}
|
||||
|
||||
public static void testRealmDefaultClientScopes(RealmResource realm) {
|
||||
// Assert built-in scopes were created in realm
|
||||
List<ClientScopeRepresentation> clientScopes = realm.clientScopes().findAll();
|
||||
Map<String, ClientScopeRepresentation> clientScopesMap = clientScopes
|
||||
.stream().collect(Collectors.toMap(clientScope -> clientScope.getName(), clientScope -> clientScope));
|
||||
Map<String, ClientScopeRepresentation> clientScopesMap = clientScopes.stream()
|
||||
.collect(Collectors.toMap(ClientScopeRepresentation::getName, Function.identity()));
|
||||
|
||||
org.keycloak.testsuite.Assert.assertTrue(clientScopesMap.containsKey(OAuth2Constants.SCOPE_PROFILE));
|
||||
org.keycloak.testsuite.Assert.assertTrue(clientScopesMap.containsKey(OAuth2Constants.SCOPE_EMAIL));
|
||||
org.keycloak.testsuite.Assert.assertTrue(clientScopesMap.containsKey(OAuth2Constants.SCOPE_ADDRESS));
|
||||
org.keycloak.testsuite.Assert.assertTrue(clientScopesMap.containsKey(OAuth2Constants.SCOPE_PHONE));
|
||||
org.keycloak.testsuite.Assert.assertTrue(clientScopesMap.containsKey(OAuth2Constants.OFFLINE_ACCESS));
|
||||
org.keycloak.testsuite.Assert.assertTrue(clientScopesMap.containsKey(OIDCLoginProtocolFactory.ROLES_SCOPE));
|
||||
org.keycloak.testsuite.Assert.assertTrue(clientScopesMap.containsKey(OIDCLoginProtocolFactory.WEB_ORIGINS_SCOPE));
|
||||
org.keycloak.testsuite.Assert.assertTrue(clientScopesMap.containsKey(SamlProtocolFactory.SCOPE_ROLE_LIST));
|
||||
assertThat(clientScopesMap.keySet(), Matchers.hasItems(
|
||||
OAuth2Constants.SCOPE_PROFILE,
|
||||
OAuth2Constants.SCOPE_EMAIL,
|
||||
OAuth2Constants.SCOPE_ADDRESS,
|
||||
OAuth2Constants.SCOPE_PHONE,
|
||||
OAuth2Constants.OFFLINE_ACCESS,
|
||||
OIDCLoginProtocolFactory.ROLES_SCOPE,
|
||||
OIDCLoginProtocolFactory.WEB_ORIGINS_SCOPE,
|
||||
SamlProtocolFactory.SCOPE_ROLE_LIST
|
||||
));
|
||||
|
||||
// Check content of some client scopes
|
||||
Map<String, ProtocolMapperRepresentation> protocolMappers = clientScopesMap.get(OAuth2Constants.SCOPE_EMAIL).getProtocolMappers()
|
||||
|
|
@ -662,17 +683,21 @@ public class ExportImportUtil {
|
|||
org.keycloak.testsuite.Assert.assertNames(offlineRoleScopes, OAuth2Constants.OFFLINE_ACCESS);
|
||||
|
||||
// Check default client scopes and optional client scopes expected
|
||||
Map<String, ClientScopeRepresentation> defaultClientScopes = realm.getDefaultDefaultClientScopes()
|
||||
.stream().collect(Collectors.toMap(clientScope -> clientScope.getName(), clientScope -> clientScope));
|
||||
org.keycloak.testsuite.Assert.assertTrue(defaultClientScopes.containsKey(OAuth2Constants.SCOPE_PROFILE));
|
||||
org.keycloak.testsuite.Assert.assertTrue(defaultClientScopes.containsKey(OAuth2Constants.SCOPE_EMAIL));
|
||||
org.keycloak.testsuite.Assert.assertTrue(defaultClientScopes.containsKey(OIDCLoginProtocolFactory.ROLES_SCOPE));
|
||||
org.keycloak.testsuite.Assert.assertTrue(defaultClientScopes.containsKey(OIDCLoginProtocolFactory.WEB_ORIGINS_SCOPE));
|
||||
Set<String> defaultClientScopes = realm.getDefaultDefaultClientScopes()
|
||||
.stream().map(ClientScopeRepresentation::getName).collect(Collectors.toSet());
|
||||
assertThat(defaultClientScopes, Matchers.hasItems(
|
||||
OAuth2Constants.SCOPE_PROFILE,
|
||||
OAuth2Constants.SCOPE_EMAIL,
|
||||
OIDCLoginProtocolFactory.ROLES_SCOPE,
|
||||
OIDCLoginProtocolFactory.WEB_ORIGINS_SCOPE
|
||||
));
|
||||
|
||||
Map<String, ClientScopeRepresentation> optionalClientScopes = realm.getDefaultOptionalClientScopes()
|
||||
.stream().collect(Collectors.toMap(clientScope -> clientScope.getName(), clientScope -> clientScope));
|
||||
org.keycloak.testsuite.Assert.assertTrue(optionalClientScopes.containsKey(OAuth2Constants.SCOPE_ADDRESS));
|
||||
org.keycloak.testsuite.Assert.assertTrue(optionalClientScopes.containsKey(OAuth2Constants.SCOPE_PHONE));
|
||||
org.keycloak.testsuite.Assert.assertTrue(optionalClientScopes.containsKey(OAuth2Constants.OFFLINE_ACCESS));
|
||||
Set<String> optionalClientScopes = realm.getDefaultOptionalClientScopes()
|
||||
.stream().map(ClientScopeRepresentation::getName).collect(Collectors.toSet());
|
||||
assertThat(optionalClientScopes, Matchers.hasItems(
|
||||
OAuth2Constants.SCOPE_ADDRESS,
|
||||
OAuth2Constants.SCOPE_PHONE,
|
||||
OAuth2Constants.OFFLINE_ACCESS
|
||||
));
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -106,6 +106,7 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
|
|||
|
||||
if (supportsAuthzService) {
|
||||
expectedClientIds.add("authz-servlet");
|
||||
expectedClientIds.add("client-with-template");
|
||||
}
|
||||
|
||||
assertNames(migrationRealm.clients().findAll(), expectedClientIds.toArray(new String[expectedClientIds.size()]));
|
||||
|
|
@ -211,6 +212,7 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
|
|||
protected void testMigrationTo4_0_0() {
|
||||
testRealmDefaultClientScopes(this.masterRealm);
|
||||
testRealmDefaultClientScopes(this.migrationRealm);
|
||||
testClientDefaultClientScopes(this.migrationRealm);
|
||||
testOfflineScopeAddedToClient();
|
||||
}
|
||||
|
||||
|
|
@ -493,6 +495,11 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
|
|||
ExportImportUtil.testRealmDefaultClientScopes(realm);
|
||||
}
|
||||
|
||||
private void testClientDefaultClientScopes(RealmResource realm) {
|
||||
log.info("Testing default client scopes transferred from client scope in realm: " + realm.toRepresentation().getRealm());
|
||||
ExportImportUtil.testClientDefaultClientScopes(realm);
|
||||
}
|
||||
|
||||
private void testOfflineScopeAddedToClient() {
|
||||
log.infof("Testing offline_access optional scope present in realm %s for client migration-test-client", migrationRealm.toRepresentation().getRealm());
|
||||
|
||||
|
|
|
|||
|
|
@ -25,7 +25,6 @@ import org.keycloak.representations.idm.RealmRepresentation;
|
|||
import org.keycloak.testsuite.arquillian.DeploymentTargetModifier;
|
||||
import org.keycloak.testsuite.runonserver.RunOnServerDeployment;
|
||||
import org.keycloak.testsuite.utils.io.IOUtil;
|
||||
import org.keycloak.testsuite.util.WaitUtils;
|
||||
import org.keycloak.util.JsonSerialization;
|
||||
|
||||
import java.io.IOException;
|
||||
|
|
|
|||
|
|
@ -2108,7 +2108,15 @@
|
|||
}, {
|
||||
"client" : "security-admin-console",
|
||||
"roles" : [ "realm-admin" ]
|
||||
} ]
|
||||
} ],
|
||||
"migration-test-client": [
|
||||
{
|
||||
"clientTemplate": "Default test template",
|
||||
"roles": [
|
||||
"migration-test-client-role"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"clients" : [ {
|
||||
"id" : "6f27b0c3-9fc0-4e04-b69a-2031349acf04",
|
||||
|
|
@ -2802,6 +2810,33 @@
|
|||
"useTemplateScope" : false,
|
||||
"useTemplateMappers" : false
|
||||
},
|
||||
{
|
||||
"id": "26519045-3cd4-4f2a-974b-e1447907834a",
|
||||
"clientId": "client-with-template",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"secret": "**********",
|
||||
"redirectUris": [],
|
||||
"webOrigins": [],
|
||||
"notBefore": 0,
|
||||
"bearerOnly": false,
|
||||
"consentRequired": false,
|
||||
"standardFlowEnabled": true,
|
||||
"implicitFlowEnabled": false,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"serviceAccountsEnabled": false,
|
||||
"publicClient": true,
|
||||
"frontchannelLogout": false,
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {},
|
||||
"fullScopeAllowed": false,
|
||||
"nodeReRegistrationTimeout": -1,
|
||||
"clientTemplate": "Default test template",
|
||||
"useTemplateConfig": false,
|
||||
"useTemplateScope": true,
|
||||
"useTemplateMappers": true
|
||||
},
|
||||
{
|
||||
"id": "70e8e897-82d4-49ab-82c9-c37e1a48b6bb",
|
||||
"clientId": "authz-servlet",
|
||||
|
|
@ -2858,7 +2893,15 @@
|
|||
]
|
||||
}
|
||||
}],
|
||||
"clientTemplates" : [ ],
|
||||
"clientTemplates": [
|
||||
{
|
||||
"id": "d43ae38d-80a1-471a-9a80-5f9a0d34d7a4",
|
||||
"name": "Default test template",
|
||||
"description": "Test client template",
|
||||
"protocol": "openid-connect",
|
||||
"fullScopeAllowed": false
|
||||
}
|
||||
],
|
||||
"browserSecurityHeaders" : {
|
||||
"xContentTypeOptions" : "nosniff",
|
||||
"xFrameOptions" : "SAMEORIGIN",
|
||||
|
|
|
|||
|
|
@ -313,6 +313,16 @@
|
|||
"notBefore" : 0,
|
||||
"groups" : [ ]
|
||||
} ],
|
||||
"clientScopeMappings" : {
|
||||
"migration-test-client": [
|
||||
{
|
||||
"clientTemplate": "Default test template",
|
||||
"roles": [
|
||||
"migration-test-client-role"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"clients" : [ {
|
||||
"id" : "6b9ba4ca-fb7c-4e17-a3e6-88f3a17397cc",
|
||||
"clientId" : "account",
|
||||
|
|
@ -1010,6 +1020,33 @@
|
|||
"useTemplateScope" : false,
|
||||
"useTemplateMappers" : false
|
||||
},
|
||||
{
|
||||
"id": "26519045-3cd4-4f2a-974b-e1447907834a",
|
||||
"clientId": "client-with-template",
|
||||
"surrogateAuthRequired": false,
|
||||
"enabled": true,
|
||||
"clientAuthenticatorType": "client-secret",
|
||||
"secret": "**********",
|
||||
"redirectUris": [],
|
||||
"webOrigins": [],
|
||||
"notBefore": 0,
|
||||
"bearerOnly": false,
|
||||
"consentRequired": false,
|
||||
"standardFlowEnabled": true,
|
||||
"implicitFlowEnabled": false,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"serviceAccountsEnabled": false,
|
||||
"publicClient": true,
|
||||
"frontchannelLogout": false,
|
||||
"protocol": "openid-connect",
|
||||
"attributes": {},
|
||||
"fullScopeAllowed": false,
|
||||
"nodeReRegistrationTimeout": -1,
|
||||
"clientTemplate": "Default test template",
|
||||
"useTemplateConfig": false,
|
||||
"useTemplateScope": true,
|
||||
"useTemplateMappers": true
|
||||
},
|
||||
{
|
||||
"id": "70e8e897-82d4-49ab-82c9-c37e1a48b6bb",
|
||||
"clientId": "authz-servlet",
|
||||
|
|
@ -1066,7 +1103,15 @@
|
|||
]
|
||||
}
|
||||
}],
|
||||
"clientTemplates" : [ ],
|
||||
"clientTemplates": [
|
||||
{
|
||||
"id": "d43ae38d-80a1-471a-9a80-5f9a0d34d7a4",
|
||||
"name": "Default test template",
|
||||
"description": "Test client template",
|
||||
"protocol": "openid-connect",
|
||||
"fullScopeAllowed": false
|
||||
}
|
||||
],
|
||||
"browserSecurityHeaders" : {
|
||||
"xContentTypeOptions" : "nosniff",
|
||||
"xRobotsTag" : "none",
|
||||
|
|
|
|||
Loading…
Reference in a new issue