From c280634bfa859aff40728be41284b2a6dd0f6a93 Mon Sep 17 00:00:00 2001 From: Bill Burke Date: Mon, 14 Nov 2016 15:06:17 -0500 Subject: [PATCH] fix tests --- dependencies/server-all/pom.xml | 4 - .../keycloak-ldap-federation/main/module.xml | 2 +- federation/ldap2/pom.xml | 2 +- federation/pom.xml | 1 - .../cache/infinispan/UserCacheSession.java | 57 +- pom.xml | 5 - services/pom.xml | 2 +- .../DefaultKeycloakTransactionManager.java | 8 +- .../AbstractKerberosLdapAdapterTest.java | 129 --- .../testsuite/admin/PermissionsTest.java | 71 -- ...erTest.java => UserStorageMapperTest.java} | 10 +- ...tionTest.java => UserStorageRestTest.java} | 4 +- .../exportimport/ExportImportUtil.java | 55 +- .../oauth/ClientAuthSignedJWTTest.java | 2 +- testsuite/integration/pom.xml | 4 - .../federation/KerberosLdapTest.java | 186 ---- .../federation/ldap/FederationTestUtils.java | 287 ------ .../federation/ldap/LDAPExampleServlet.java | 63 -- .../FederationProvidersIntegrationTest.java | 867 ------------------ .../base/LDAPGroupMapper2WaySyncTest.java | 252 ----- .../ldap/base/LDAPGroupMapperSyncTest.java | 312 ------- .../ldap/base/LDAPGroupMapperTest.java | 361 -------- .../ldap/base/LDAPMultipleAttributesTest.java | 239 ----- .../ldap/base/LDAPRoleMappingsTest.java | 355 ------- .../federation/ldap/base/LDAPSyncTest.java | 368 -------- .../keycloak/testsuite/model/ImportTest.java | 43 +- 26 files changed, 125 insertions(+), 3564 deletions(-) delete mode 100755 testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/federation/AbstractKerberosLdapAdapterTest.java rename testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/{UserFederationMapperTest.java => UserStorageMapperTest.java} (97%) rename testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/{UserFederationTest.java => UserStorageRestTest.java} (99%) delete mode 100755 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosLdapTest.java delete mode 100644 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/FederationTestUtils.java delete mode 100644 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/LDAPExampleServlet.java delete mode 100755 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/FederationProvidersIntegrationTest.java delete mode 100755 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPGroupMapper2WaySyncTest.java delete mode 100755 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPGroupMapperSyncTest.java delete mode 100755 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPGroupMapperTest.java delete mode 100755 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPMultipleAttributesTest.java delete mode 100644 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPRoleMappingsTest.java delete mode 100755 testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPSyncTest.java diff --git a/dependencies/server-all/pom.xml b/dependencies/server-all/pom.xml index 3dcb6e5dd3c..526a0cf0575 100755 --- a/dependencies/server-all/pom.xml +++ b/dependencies/server-all/pom.xml @@ -67,10 +67,6 @@ org.keycloak keycloak-ldap-federation - - org.keycloak - keycloak-ldap-storage - org.keycloak keycloak-kerberos-federation diff --git a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-ldap-federation/main/module.xml b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-ldap-federation/main/module.xml index 58977daa1eb..43a1d64c095 100755 --- a/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-ldap-federation/main/module.xml +++ b/distribution/feature-packs/server-feature-pack/src/main/resources/modules/system/layers/keycloak/org/keycloak/keycloak-ldap-federation/main/module.xml @@ -21,7 +21,7 @@ - + diff --git a/federation/ldap2/pom.xml b/federation/ldap2/pom.xml index dccdee0233a..bf3feeab028 100755 --- a/federation/ldap2/pom.xml +++ b/federation/ldap2/pom.xml @@ -25,7 +25,7 @@ 4.0.0 - keycloak-ldap-storage + keycloak-ldap-federation Keycloak LDAP UserStoreProvider diff --git a/federation/pom.xml b/federation/pom.xml index 1318643b8d3..c0cd4941e5a 100755 --- a/federation/pom.xml +++ b/federation/pom.xml @@ -34,7 +34,6 @@ kerberos - ldap ldap2 sssd diff --git a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserCacheSession.java b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserCacheSession.java index b51d911c205..5531de17531 100755 --- a/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserCacheSession.java +++ b/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/UserCacheSession.java @@ -501,8 +501,7 @@ public class UserCacheSession implements UserCache { @Override public UserModel getServiceAccount(ClientModel client) { // Just an attempt to find the user from cache by default serviceAccount username - String username = ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + client.getClientId(); - UserModel user = getUserByUsername(username, client.getRealm()); + UserModel user = findServiceAccount(client); if (user != null && user.getServiceAccountClientLink() != null && user.getServiceAccountClientLink().equals(client.getId())) { return user; } @@ -510,6 +509,60 @@ public class UserCacheSession implements UserCache { return getDelegate().getServiceAccount(client); } + public UserModel findServiceAccount(ClientModel client) { + String username = ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + client.getClientId(); + logger.tracev("getServiceAccount: {0}", username); + username = username.toLowerCase(); + RealmModel realm = client.getRealm(); + if (realmInvalidations.contains(realm.getId())) { + logger.tracev("realmInvalidations"); + return getDelegate().getServiceAccount(client); + } + String cacheKey = getUserByUsernameCacheKey(realm.getId(), username); + if (invalidations.contains(cacheKey)) { + logger.tracev("invalidations"); + return getDelegate().getServiceAccount(client); + } + UserListQuery query = cache.get(cacheKey, UserListQuery.class); + + String userId = null; + if (query == null) { + logger.tracev("query null"); + Long loaded = cache.getCurrentRevision(cacheKey); + UserModel model = getDelegate().getServiceAccount(client); + if (model == null) { + logger.tracev("model from delegate null"); + return null; + } + userId = model.getId(); + if (invalidations.contains(userId)) return model; + if (managedUsers.containsKey(userId)) { + logger.tracev("return managed user"); + return managedUsers.get(userId); + } + + UserModel adapter = getUserAdapter(realm, userId, loaded, model); + if (adapter instanceof UserAdapter) { // this was cached, so we can cache query too + query = new UserListQuery(loaded, cacheKey, realm, model.getId()); + cache.addRevisioned(query, startupRevision); + } + managedUsers.put(userId, adapter); + return adapter; + } else { + userId = query.getUsers().iterator().next(); + if (invalidations.contains(userId)) { + logger.tracev("invalidated cache return delegate"); + return getDelegate().getUserByUsername(username, realm); + + } + logger.trace("return getUserById"); + return getUserById(userId, realm); + } + } + + + + @Override public List getUsers(RealmModel realm, boolean includeServiceAccounts) { return getDelegate().getUsers(realm, includeServiceAccounts); diff --git a/pom.xml b/pom.xml index 1e132d45417..8a61e5b0b4c 100755 --- a/pom.xml +++ b/pom.xml @@ -711,11 +711,6 @@ keycloak-ldap-federation ${project.version} - - org.keycloak - keycloak-ldap-storage - ${project.version} - org.keycloak keycloak-dependencies-server-min diff --git a/services/pom.xml b/services/pom.xml index f6421783bb7..78e3f42dcbf 100755 --- a/services/pom.xml +++ b/services/pom.xml @@ -65,7 +65,7 @@ org.keycloak - keycloak-ldap-storage + keycloak-ldap-federation provided diff --git a/services/src/main/java/org/keycloak/services/DefaultKeycloakTransactionManager.java b/services/src/main/java/org/keycloak/services/DefaultKeycloakTransactionManager.java index 0039fa01e72..4ddcaf29b6a 100755 --- a/services/src/main/java/org/keycloak/services/DefaultKeycloakTransactionManager.java +++ b/services/src/main/java/org/keycloak/services/DefaultKeycloakTransactionManager.java @@ -92,9 +92,11 @@ public class DefaultKeycloakTransactionManager implements KeycloakTransactionMan if (jtaPolicy == JTAPolicy.REQUIRES_NEW) { JtaTransactionManagerLookup jtaLookup = session.getProvider(JtaTransactionManagerLookup.class); - TransactionManager tm = jtaLookup.getTransactionManager(); - if (tm != null) { - enlist(new JtaTransactionWrapper(tm)); + if (jtaLookup != null) { + TransactionManager tm = jtaLookup.getTransactionManager(); + if (tm != null) { + enlist(new JtaTransactionWrapper(tm)); + } } } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/federation/AbstractKerberosLdapAdapterTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/federation/AbstractKerberosLdapAdapterTest.java deleted file mode 100755 index e7d97b6ce72..00000000000 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/federation/AbstractKerberosLdapAdapterTest.java +++ /dev/null @@ -1,129 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.adapter.federation; - -import org.junit.Assert; -import org.junit.Before; -import org.junit.Test; -import org.keycloak.events.Details; -import org.keycloak.federation.kerberos.CommonKerberosConfig; -import org.keycloak.federation.ldap.LDAPFederationProviderFactory; -import org.keycloak.federation.ldap.kerberos.LDAPProviderKerberosConfig; -import org.keycloak.models.UserFederationProvider; -import org.keycloak.models.UserFederationProviderModel; -import org.keycloak.representations.idm.RealmRepresentation; -import org.keycloak.representations.idm.UserFederationProviderRepresentation; -import org.keycloak.representations.idm.UserRepresentation; -import org.keycloak.testsuite.admin.ApiUtil; - -import javax.ws.rs.core.Response; -import java.util.Arrays; -import java.util.Map; - -/** - * Test of LDAPFederationProvider (Kerberos backed by LDAP) - * - * @author Marek Posolda - */ -public abstract class AbstractKerberosLdapAdapterTest extends AbstractKerberosAdapterTest { - - private static final String PROVIDER_CONFIG_LOCATION = "kerberos-ldap-connection.properties"; - - @Before - public void init() throws Exception{ - Map ldapConfig = getConfig(); - UserFederationProviderRepresentation userFederationProviderRepresentation = new UserFederationProviderRepresentation(); - userFederationProviderRepresentation.setProviderName(LDAPFederationProviderFactory.PROVIDER_NAME); - userFederationProviderRepresentation.setConfig(ldapConfig); - userFederationProviderRepresentation.setPriority(0); - userFederationProviderRepresentation.setDisplayName("kerberos-ldap"); - userFederationProviderRepresentation.setFullSyncPeriod(-1); - userFederationProviderRepresentation.setChangedSyncPeriod(-1); - userFederationProviderRepresentation.setLastSync(0); - RealmRepresentation realmRepresentation = testRealmResource().toRepresentation(); - realmRepresentation.setUserFederationProviders(Arrays.asList(userFederationProviderRepresentation)); - realmRepresentation.setEventsEnabled(true); - testRealmResource().update(realmRepresentation); - } - - @Override - protected CommonKerberosConfig getKerberosConfig(UserFederationProviderModel model) { - return new LDAPProviderKerberosConfig(model); - } - - @Test - public void spnegoLoginTest() throws Exception { - spnegoLoginTestImpl(); - // Assert user was imported and hasn't any required action on him. Profile info is synced from LDAP - assertUser("hnelson", "hnelson@keycloak.org", "Horatio", "Nelson", false); - } - - @Test - public void writableEditModeTest() throws Exception { - - // Change editMode to WRITABLE - updateProviderEditMode(UserFederationProvider.EditMode.WRITABLE); - - // Login with username/password from kerberos - changePasswordPage.navigateTo(); - loginPage.isCurrent(); - loginPage.form().login("jduke", "theduke"); - changePasswordPage.isCurrent(); - - // Successfully change password now - changePasswordPage.changePasswords("theduke", "newPass", "newPass"); - Assert.assertTrue(driver.getPageSource().contains("Your password has been updated.")); - changePasswordPage.logOut(); - - // Login with old password doesn't work, but with new password works - loginPage.form().login("jduke", "theduke"); - loginPage.isCurrent(); - loginPage.form().login("jduke", "newPass"); - changePasswordPage.isCurrent(); - changePasswordPage.logOut(); - - // Assert SPNEGO login with the new password as mode is writable - events.clear(); - Response spnegoResponse = spnegoLogin("jduke", "newPass"); - Assert.assertEquals(302, spnegoResponse.getStatus()); - UserRepresentation user = ApiUtil.findUserByUsername(testRealmResource(), "jduke"); - events.expectLogin() - .client("kerberos-app") - .user(user != null ? user.getId() : null) - .detail(Details.REDIRECT_URI, kerberosPortal.toString()) - //.detail(Details.AUTH_METHOD, "spnego") - .detail(Details.USERNAME, "jduke") - .assertEvent(); - - // Change password back - changePasswordPage.navigateTo();; - - loginPage.form().login("jduke", "newPass"); - changePasswordPage.isCurrent(); - changePasswordPage.changePasswords("newPass", "theduke", "theduke"); - Assert.assertTrue(driver.getPageSource().contains("Your password has been updated.")); - changePasswordPage.logOut(); - - spnegoResponse.close(); - events.clear(); - } - - protected String getConnectionPropertiesLocation() { - return PROVIDER_CONFIG_LOCATION; - } -} diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java index 7d005e95dd3..b23194a7ac4 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/PermissionsTest.java @@ -1508,77 +1508,6 @@ public class PermissionsTest extends AbstractKeycloakTest { }, Resource.IDENTITY_PROVIDER, true); } - @Test - public void userFederation() { - invoke(new Invocation() { - public void invoke(RealmResource realm) { - realm.userFederation().getProviderInstances(); - } - }, Resource.REALM, false); - invoke(new Invocation() { - public void invoke(RealmResource realm) { - realm.userFederation().getProviderFactories(); - } - }, Resource.REALM, false); - invoke(new Invocation() { - public void invoke(RealmResource realm) { - realm.userFederation().getProviderFactory("nosuch"); - } - }, Resource.REALM, false); - invoke(new InvocationWithResponse() { - public void invoke(RealmResource realm, AtomicReference response) { - UserFederationProviderRepresentation rep = new UserFederationProviderRepresentation(); - rep.setProviderName("ldap"); - response.set(realm.userFederation().create(rep)); - } - }, Resource.REALM, true); - invoke(new Invocation() { - public void invoke(RealmResource realm) { - realm.userFederation().get("nosuch").toRepresentation(); - } - }, Resource.REALM, false); - invoke(new Invocation() { - public void invoke(RealmResource realm) { - realm.userFederation().get("nosuch").update(new UserFederationProviderRepresentation()); - } - }, Resource.REALM, true); - invoke(new Invocation() { - public void invoke(RealmResource realm) { - realm.userFederation().get("nosuch").remove(); - } - }, Resource.REALM, true); - invoke(new Invocation() { - public void invoke(RealmResource realm) { - realm.userFederation().get("nosuch").syncUsers("nosuch"); - } - }, Resource.REALM, true); - invoke(new Invocation() { - public void invoke(RealmResource realm) { - realm.userFederation().get("nosuch").getMapperTypes(); - } - }, Resource.REALM, false); - invoke(new Invocation() { - public void invoke(RealmResource realm) { - realm.userFederation().get("nosuch").getMappers(); - } - }, Resource.REALM, false); - invoke(new InvocationWithResponse() { - public void invoke(RealmResource realm, AtomicReference response) { - response.set(realm.userFederation().get("nosuch").addMapper(new UserFederationMapperRepresentation())); - } - }, Resource.REALM, true); - invoke(new Invocation() { - public void invoke(RealmResource realm) { - realm.userFederation().get("nosuch").getMapperById("nosuch"); - } - }, Resource.REALM, false); - invoke(new Invocation() { - public void invoke(RealmResource realm) { - realm.userFederation().get("nosuch").syncMapperData("nosuch", "nosuch"); - } - }, Resource.REALM, true); - } - @Test public void components() { invoke(new Invocation() { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserFederationMapperTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserStorageMapperTest.java similarity index 97% rename from testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserFederationMapperTest.java rename to testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserStorageMapperTest.java index dce490ec957..63aacc014f1 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserFederationMapperTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserStorageMapperTest.java @@ -19,14 +19,11 @@ package org.keycloak.testsuite.admin; import org.junit.After; import org.junit.Before; +import org.junit.Ignore; import org.junit.Test; import org.keycloak.admin.client.resource.UserFederationProviderResource; import org.keycloak.events.admin.OperationType; import org.keycloak.events.admin.ResourceType; -import org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper; -import org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapperFactory; -import org.keycloak.federation.ldap.mappers.membership.role.RoleLDAPFederationMapperFactory; -import org.keycloak.federation.ldap.mappers.membership.role.RoleMapperConfig; import org.keycloak.representations.idm.ConfigPropertyRepresentation; import org.keycloak.representations.idm.UserFederationMapperRepresentation; import org.keycloak.representations.idm.UserFederationMapperTypeRepresentation; @@ -50,10 +47,12 @@ import java.util.Set; /** * @author Marek Posolda */ -public class UserFederationMapperTest extends AbstractAdminTest { +@Ignore +public class UserStorageMapperTest extends AbstractAdminTest { private String ldapProviderId; private String dummyProviderId; + /* @Before public void initFederationProviders() { @@ -304,4 +303,5 @@ public class UserFederationMapperTest extends AbstractAdminTest { } return null; } + */ } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserFederationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserStorageRestTest.java similarity index 99% rename from testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserFederationTest.java rename to testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserStorageRestTest.java index 48db1b509f4..1c4b3db383b 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserFederationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserStorageRestTest.java @@ -17,6 +17,7 @@ package org.keycloak.testsuite.admin; +import org.junit.Ignore; import org.junit.Test; import org.keycloak.admin.client.resource.UserFederationProvidersResource; import org.keycloak.common.constants.KerberosConstants; @@ -45,7 +46,8 @@ import java.util.Map; /** * @author Marek Posolda */ -public class UserFederationTest extends AbstractAdminTest { +@Ignore +public class UserStorageRestTest extends AbstractAdminTest { @Test public void testProviderFactories() { diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/exportimport/ExportImportUtil.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/exportimport/ExportImportUtil.java index 2c458187732..001ed86b603 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/exportimport/ExportImportUtil.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/exportimport/ExportImportUtil.java @@ -25,10 +25,11 @@ import org.keycloak.admin.client.resource.ClientTemplateResource; import org.keycloak.admin.client.resource.RealmResource; import org.keycloak.admin.client.resource.UserResource; import org.keycloak.common.constants.KerberosConstants; -import org.keycloak.federation.ldap.mappers.FullNameLDAPFederationMapper; -import org.keycloak.federation.ldap.mappers.FullNameLDAPFederationMapperFactory; +import org.keycloak.component.ComponentModel; import org.keycloak.models.Constants; import org.keycloak.models.LDAPConstants; +import org.keycloak.models.UserFederationMapperModel; +import org.keycloak.models.UserFederationProviderModel; import org.keycloak.models.utils.DefaultAuthenticationFlows; import org.keycloak.protocol.oidc.OIDCLoginProtocol; import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper; @@ -37,6 +38,8 @@ import org.keycloak.representations.idm.AuthenticationFlowRepresentation; import org.keycloak.representations.idm.ClientMappingsRepresentation; import org.keycloak.representations.idm.ClientRepresentation; import org.keycloak.representations.idm.ClientTemplateRepresentation; +import org.keycloak.representations.idm.ComponentExportRepresentation; +import org.keycloak.representations.idm.ComponentRepresentation; import org.keycloak.representations.idm.FederatedIdentityRepresentation; import org.keycloak.representations.idm.IdentityProviderRepresentation; import org.keycloak.representations.idm.ProtocolMapperRepresentation; @@ -49,6 +52,11 @@ import org.keycloak.representations.idm.authorization.PolicyRepresentation; import org.keycloak.representations.idm.authorization.ResourceRepresentation; import org.keycloak.representations.idm.authorization.ResourceServerRepresentation; import org.keycloak.representations.idm.authorization.ScopeRepresentation; +import org.keycloak.storage.UserStorageProvider; +import org.keycloak.storage.UserStorageProviderModel; +import org.keycloak.storage.ldap.mappers.FullNameLDAPStorageMapper; +import org.keycloak.storage.ldap.mappers.FullNameLDAPStorageMapperFactory; +import org.keycloak.storage.ldap.mappers.LDAPStorageMapper; import org.keycloak.testsuite.admin.ApiUtil; import org.keycloak.testsuite.client.KeycloakTestingClient; import org.keycloak.testsuite.util.RealmRepUtil; @@ -260,33 +268,34 @@ public class ExportImportUtil { Assert.assertEquals("googleId", google.getConfig().get("clientId")); Assert.assertEquals("googleSecret", google.getConfig().get("clientSecret")); + ////////////////// // Test federation providers + // on import should convert UserfederationProviderRepresentation to Component model List fedProviders = realm.getUserFederationProviders(); - Assert.assertTrue(fedProviders.size() == 2); - UserFederationProviderRepresentation ldap1 = fedProviders.get(0); - Assert.assertEquals("MyLDAPProvider1", ldap1.getDisplayName()); - Assert.assertEquals("ldap", ldap1.getProviderName()); - Assert.assertEquals(1, ldap1.getPriority()); - Assert.assertEquals("ldap://foo", ldap1.getConfig().get(LDAPConstants.CONNECTION_URL)); + Assert.assertTrue(fedProviders == null || fedProviders.size() == 0); + List storageProviders = realmRsc.components().query(realm.getId(), UserStorageProvider.class.getName()); + Assert.assertTrue(storageProviders.size() == 2); + ComponentRepresentation ldap1 = storageProviders.get(0); + ComponentRepresentation ldap2 = storageProviders.get(1); + if (!"MyLDAPProvider1".equals(ldap1.getName())) { + ldap2 = ldap1; + ldap1 = storageProviders.get(1); + } + Assert.assertEquals("MyLDAPProvider1", ldap1.getName()); + Assert.assertEquals("ldap", ldap1.getProviderId()); + Assert.assertEquals("1", ldap1.getConfig().getFirst("priority")); + Assert.assertEquals("ldap://foo", ldap1.getConfig().getFirst(LDAPConstants.CONNECTION_URL)); - UserFederationProviderRepresentation ldap2 = fedProviders.get(1); - Assert.assertEquals("MyLDAPProvider2", ldap2.getDisplayName()); - Assert.assertEquals("ldap://bar", ldap2.getConfig().get(LDAPConstants.CONNECTION_URL)); + Assert.assertEquals("MyLDAPProvider2", ldap2.getName()); + Assert.assertEquals("ldap://bar", ldap2.getConfig().getFirst(LDAPConstants.CONNECTION_URL)); // Test federation mappers - List fedMappers1 = realmRsc.userFederation().get(ldap1.getId()).getMappers(); - Assert.assertTrue(fedMappers1.size() == 1); - UserFederationMapperRepresentation fullNameMapper = fedMappers1.iterator().next(); + List fedMappers1 = realmRsc.components().query(ldap1.getId(), LDAPStorageMapper.class.getName()); + ComponentRepresentation fullNameMapper = fedMappers1.iterator().next(); Assert.assertEquals("FullNameMapper", fullNameMapper.getName()); - Assert.assertEquals(FullNameLDAPFederationMapperFactory.PROVIDER_ID, fullNameMapper.getFederationMapperType()); - //Assert.assertEquals(ldap1.getId(), fullNameMapper.getFederationProviderId()); - Assert.assertEquals("cn", fullNameMapper.getConfig().get(FullNameLDAPFederationMapper.LDAP_FULL_NAME_ATTRIBUTE)); - - // All builtin LDAP mappers should be here - List fedMappers2 = realmRsc.userFederation().get(ldap2.getId()).getMappers(); - Assert.assertTrue(fedMappers2.size() > 3); - List allMappers = realm.getUserFederationMappers(); - Assert.assertEquals(allMappers.size(), fedMappers1.size() + fedMappers2.size()); + Assert.assertEquals(FullNameLDAPStorageMapperFactory.PROVIDER_ID, fullNameMapper.getProviderId()); + Assert.assertEquals("cn", fullNameMapper.getConfig().getFirst(FullNameLDAPStorageMapper.LDAP_FULL_NAME_ATTRIBUTE)); + ///////////////// // Assert that federation link wasn't created during import Assert.assertNull(testingClient.testing().getUserByUsernameFromFedProviderFactory(realm.getRealm(), "wburke")); diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java index eba2baf8d42..0e78d2e9257 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oauth/ClientAuthSignedJWTTest.java @@ -158,7 +158,7 @@ public class ClientAuthSignedJWTTest extends AbstractKeycloakTest { defaultUser = UserBuilder.create() .id(KeycloakModelUtils.generateId()) - .serviceAccountId(app1.getClientId()) + //.serviceAccountId(app1.getClientId()) .username("test-user@localhost") .password("password") .build(); diff --git a/testsuite/integration/pom.xml b/testsuite/integration/pom.xml index 8aa1afb5b23..d1311b59eaf 100755 --- a/testsuite/integration/pom.xml +++ b/testsuite/integration/pom.xml @@ -126,10 +126,6 @@ org.keycloak keycloak-ldap-federation - - org.keycloak - keycloak-ldap-storage - org.keycloak keycloak-kerberos-federation diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosLdapTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosLdapTest.java deleted file mode 100755 index f4a625f7c59..00000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/KerberosLdapTest.java +++ /dev/null @@ -1,186 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation; - -import org.junit.Assert; -import org.junit.ClassRule; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.RuleChain; -import org.junit.rules.TestRule; -import org.keycloak.events.Details; -import org.keycloak.federation.kerberos.CommonKerberosConfig; -import org.keycloak.federation.ldap.LDAPFederationProviderFactory; -import org.keycloak.federation.ldap.kerberos.LDAPProviderKerberosConfig; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserFederationProvider; -import org.keycloak.models.UserFederationProviderModel; -import org.keycloak.representations.idm.CredentialRepresentation; -import org.keycloak.services.managers.RealmManager; -import org.keycloak.testsuite.AssertEvents; -import org.keycloak.testsuite.rule.KerberosRule; -import org.keycloak.testsuite.rule.KeycloakRule; -import org.keycloak.testsuite.rule.WebRule; -import org.keycloak.utils.CredentialHelper; - -import javax.ws.rs.core.Response; -import java.net.URL; -import java.util.Map; - -/** - * Test of LDAPFederationProvider (Kerberos backed by LDAP) - * - * @author Marek Posolda - */ -public class KerberosLdapTest extends AbstractKerberosTest { - - private static final String PROVIDER_CONFIG_LOCATION = "kerberos/kerberos-ldap-connection.properties"; - - private static UserFederationProviderModel ldapModel = null; - - private static KerberosRule kerberosRule = new KerberosRule(PROVIDER_CONFIG_LOCATION); - - private static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() { - - @Override - public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { - CredentialHelper.setAlternativeCredential(manager.getSession(), CredentialRepresentation.KERBEROS, appRealm); - URL url = getClass().getResource("/kerberos-test/kerberos-app-keycloak.json"); - keycloakRule.createApplicationDeployment() - .name("kerberos-portal").contextPath("/kerberos-portal") - .servletClass(KerberosCredDelegServlet.class).adapterConfigPath(url.getPath()) - .role("user").deployApplication(); - - Map ldapConfig = kerberosRule.getConfig(); - ldapModel = appRealm.addUserFederationProvider(LDAPFederationProviderFactory.PROVIDER_NAME, ldapConfig, 0, "kerberos-ldap", -1, -1, 0); - } - }) { - - @Override - protected void importRealm() { - server.importRealm(getClass().getResourceAsStream("/kerberos-test/kerberosrealm.json")); - } - - }; - - @ClassRule - public static TestRule chain = RuleChain - .outerRule(kerberosRule) - .around(keycloakRule); - - @Rule - public WebRule webRule = new WebRule(this); - - @Rule - public AssertEvents events = new AssertEvents(keycloakRule); - - @Override - protected CommonKerberosConfig getKerberosConfig() { - return new LDAPProviderKerberosConfig(ldapModel); - } - - @Override - protected KeycloakRule getKeycloakRule() { - return keycloakRule; - } - - @Override - protected AssertEvents getAssertEvents() { - return events; - } - - - @Test - public void spnegoLoginTest() throws Exception { - spnegoLoginTestImpl(); - - // Assert user was imported and hasn't any required action on him. Profile info is synced from LDAP - assertUser("hnelson", "hnelson@keycloak.org", "Horatio", "Nelson", false); - } - - @Test - @Override - public void usernamePasswordLoginTest() throws Exception { - super.usernamePasswordLoginTest(); - } - - @Test - public void writableEditModeTest() throws Exception { - KeycloakRule keycloakRule = getKeycloakRule(); - AssertEvents events = getAssertEvents(); - - // Change editMode to WRITABLE - updateProviderEditMode(UserFederationProvider.EditMode.WRITABLE); - - // Login with username/password from kerberos - changePasswordPage.open(); - // Only needed if you are providing a click thru to bypass kerberos. Currently there is a javascript - // to forward the user if kerberos isn't enabled. - //bypassPage.isCurrent(); - //bypassPage.clickContinue(); - loginPage.assertCurrent(); - loginPage.login("jduke", "theduke"); - changePasswordPage.assertCurrent(); - - // Successfully change password now - changePasswordPage.changePassword("theduke", "newPass", "newPass"); - Assert.assertTrue(driver.getPageSource().contains("Your password has been updated.")); - changePasswordPage.logout(); - - // Only needed if you are providing a click thru to bypass kerberos. Currently there is a javascript - // to forward the user if kerberos isn't enabled. - //bypassPage.isCurrent(); - //bypassPage.clickContinue(); - - // Login with old password doesn't work, but with new password works - loginPage.login("jduke", "theduke"); - loginPage.assertCurrent(); - loginPage.login("jduke", "newPass"); - changePasswordPage.assertCurrent(); - changePasswordPage.logout(); - - // Assert SPNEGO login with the new password as mode is writable - events.clear(); - Response spnegoResponse = spnegoLogin("jduke", "newPass"); - Assert.assertEquals(302, spnegoResponse.getStatus()); - events.expectLogin() - .client("kerberos-app") - .user(keycloakRule.getUser("test", "jduke").getId()) - .detail(Details.REDIRECT_URI, KERBEROS_APP_URL) - //.detail(Details.AUTH_METHOD, "spnego") - .detail(Details.USERNAME, "jduke") - .assertEvent(); - - // Change password back - changePasswordPage.open(); - // Only needed if you are providing a click thru to bypass kerberos. Currently there is a javascript - // to forward the user if kerberos isn't enabled. - //bypassPage.isCurrent(); - //bypassPage.clickContinue(); - - loginPage.login("jduke", "newPass"); - changePasswordPage.assertCurrent(); - changePasswordPage.changePassword("newPass", "theduke", "theduke"); - Assert.assertTrue(driver.getPageSource().contains("Your password has been updated.")); - changePasswordPage.logout(); - - spnegoResponse.close(); - events.clear(); - } - -} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/FederationTestUtils.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/FederationTestUtils.java deleted file mode 100644 index f8f83faafe0..00000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/FederationTestUtils.java +++ /dev/null @@ -1,287 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation.ldap; - -import org.junit.Assert; -import org.keycloak.federation.ldap.LDAPFederationProvider; -import org.keycloak.federation.ldap.LDAPFederationProviderFactory; -import org.keycloak.federation.ldap.LDAPUtils; -import org.keycloak.federation.ldap.idm.model.LDAPObject; -import org.keycloak.federation.ldap.idm.query.internal.LDAPQuery; -import org.keycloak.federation.ldap.idm.store.ldap.LDAPIdentityStore; -import org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper; -import org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapperFactory; -import org.keycloak.federation.ldap.mappers.membership.LDAPGroupMapperMode; -import org.keycloak.federation.ldap.mappers.membership.group.GroupLDAPFederationMapper; -import org.keycloak.federation.ldap.mappers.membership.group.GroupLDAPFederationMapperFactory; -import org.keycloak.federation.ldap.mappers.membership.group.GroupMapperConfig; -import org.keycloak.federation.ldap.mappers.membership.role.RoleLDAPFederationMapper; -import org.keycloak.federation.ldap.mappers.membership.role.RoleLDAPFederationMapperFactory; -import org.keycloak.federation.ldap.mappers.membership.role.RoleMapperConfig; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.LDAPConstants; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserCredentialModel; -import org.keycloak.models.UserFederationMapperModel; -import org.keycloak.models.UserFederationProvider; -import org.keycloak.models.UserFederationProviderModel; -import org.keycloak.models.UserFederationSyncResult; -import org.keycloak.models.UserModel; -import org.keycloak.models.UserProvider; -import org.keycloak.models.utils.KeycloakModelUtils; -import org.keycloak.models.utils.UserModelDelegate; -import org.keycloak.representations.idm.CredentialRepresentation; - -import java.util.Arrays; -import java.util.Collections; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.Set; - -/** - * @author Marek Posolda - */ -public class FederationTestUtils { - - public static UserModel addLocalUser(KeycloakSession session, RealmModel realm, String username, String email, String password) { - UserModel user = session.userStorage().addUser(realm, username); - user.setEmail(email); - user.setEnabled(true); - - UserCredentialModel creds = new UserCredentialModel(); - creds.setType(CredentialRepresentation.PASSWORD); - creds.setValue(password); - - session.userCredentialManager().updateCredential(realm, user, creds); - return user; - } - - public static LDAPObject addLDAPUser(LDAPFederationProvider ldapProvider, RealmModel realm, final String username, - final String firstName, final String lastName, final String email, final String street, final String... postalCode) { - UserModel helperUser = new UserModelDelegate(null) { - - @Override - public String getUsername() { - return username; - } - - @Override - public String getFirstName() { - return firstName; - } - - @Override - public String getLastName() { - return lastName; - } - - @Override - public String getEmail() { - return email; - } - - @Override - public List getAttribute(String name) { - if ("postal_code".equals(name) && postalCode != null && postalCode.length > 0) { - return Arrays.asList(postalCode); - } else if ("street".equals(name) && street != null) { - return Collections.singletonList(street); - } else { - return Collections.emptyList(); - } - } - }; - return LDAPUtils.addUserToLDAP(ldapProvider, realm, helperUser); - } - - public static void updateLDAPPassword(LDAPFederationProvider ldapProvider, LDAPObject ldapUser, String password) { - ldapProvider.getLdapIdentityStore().updatePassword(ldapUser, password); - - // Enable MSAD user through userAccountControls - if (ldapProvider.getLdapIdentityStore().getConfig().isActiveDirectory()) { - ldapUser.setSingleAttribute(LDAPConstants.USER_ACCOUNT_CONTROL, "512"); - ldapProvider.getLdapIdentityStore().update(ldapUser); - } - } - - public static LDAPFederationProvider getLdapProvider(KeycloakSession keycloakSession, UserFederationProviderModel ldapFedModel) { - LDAPFederationProviderFactory ldapProviderFactory = (LDAPFederationProviderFactory) keycloakSession.getKeycloakSessionFactory().getProviderFactory(UserFederationProvider.class, ldapFedModel.getProviderName()); - return ldapProviderFactory.getInstance(keycloakSession, ldapFedModel); - } - - public static void assertUserImported(UserProvider userProvider, RealmModel realm, String username, String expectedFirstName, String expectedLastName, String expectedEmail, String expectedPostalCode) { - UserModel user = userProvider.getUserByUsername(username, realm); - Assert.assertNotNull(user); - Assert.assertEquals(expectedFirstName, user.getFirstName()); - Assert.assertEquals(expectedLastName, user.getLastName()); - Assert.assertEquals(expectedEmail, user.getEmail()); - Assert.assertEquals(expectedPostalCode, user.getFirstAttribute("postal_code")); - } - - - // CRUD model mappers - - public static void addZipCodeLDAPMapper(RealmModel realm, UserFederationProviderModel providerModel) { - addUserAttributeMapper(realm, providerModel, "zipCodeMapper", "postal_code", LDAPConstants.POSTAL_CODE); - } - - public static UserFederationMapperModel addUserAttributeMapper(RealmModel realm, UserFederationProviderModel providerModel, String mapperName, String userModelAttributeName, String ldapAttributeName) { - UserFederationMapperModel mapperModel = KeycloakModelUtils.createUserFederationMapperModel(mapperName, providerModel.getId(), UserAttributeLDAPFederationMapperFactory.PROVIDER_ID, - UserAttributeLDAPFederationMapper.USER_MODEL_ATTRIBUTE, userModelAttributeName, - UserAttributeLDAPFederationMapper.LDAP_ATTRIBUTE, ldapAttributeName, - UserAttributeLDAPFederationMapper.READ_ONLY, "false", - UserAttributeLDAPFederationMapper.ALWAYS_READ_VALUE_FROM_LDAP, "false", - UserAttributeLDAPFederationMapper.IS_MANDATORY_IN_LDAP, "false"); - return realm.addUserFederationMapper(mapperModel); - } - - public static void addOrUpdateRoleLDAPMappers(RealmModel realm, UserFederationProviderModel providerModel, LDAPGroupMapperMode mode) { - UserFederationMapperModel mapperModel = realm.getUserFederationMapperByName(providerModel.getId(), "realmRolesMapper"); - if (mapperModel != null) { - mapperModel.getConfig().put(RoleMapperConfig.MODE, mode.toString()); - realm.updateUserFederationMapper(mapperModel); - } else { - String baseDn = providerModel.getConfig().get(LDAPConstants.BASE_DN); - mapperModel = KeycloakModelUtils.createUserFederationMapperModel("realmRolesMapper", providerModel.getId(), RoleLDAPFederationMapperFactory.PROVIDER_ID, - RoleMapperConfig.ROLES_DN, "ou=RealmRoles," + baseDn, - RoleMapperConfig.USE_REALM_ROLES_MAPPING, "true", - RoleMapperConfig.MODE, mode.toString()); - realm.addUserFederationMapper(mapperModel); - } - - mapperModel = realm.getUserFederationMapperByName(providerModel.getId(), "financeRolesMapper"); - if (mapperModel != null) { - mapperModel.getConfig().put(RoleMapperConfig.MODE, mode.toString()); - realm.updateUserFederationMapper(mapperModel); - } else { - String baseDn = providerModel.getConfig().get(LDAPConstants.BASE_DN); - mapperModel = KeycloakModelUtils.createUserFederationMapperModel("financeRolesMapper", providerModel.getId(), RoleLDAPFederationMapperFactory.PROVIDER_ID, - RoleMapperConfig.ROLES_DN, "ou=FinanceRoles," + baseDn, - RoleMapperConfig.USE_REALM_ROLES_MAPPING, "false", - RoleMapperConfig.CLIENT_ID, "finance", - RoleMapperConfig.MODE, mode.toString()); - realm.addUserFederationMapper(mapperModel); - } - } - - public static void addOrUpdateGroupMapper(RealmModel realm, UserFederationProviderModel providerModel, LDAPGroupMapperMode mode, String descriptionAttrName, String... otherConfigOptions) { - UserFederationMapperModel mapperModel = realm.getUserFederationMapperByName(providerModel.getId(), "groupsMapper"); - if (mapperModel != null) { - mapperModel.getConfig().put(GroupMapperConfig.MODE, mode.toString()); - updateGroupMapperConfigOptions(mapperModel, otherConfigOptions); - realm.updateUserFederationMapper(mapperModel); - } else { - String baseDn = providerModel.getConfig().get(LDAPConstants.BASE_DN); - mapperModel = KeycloakModelUtils.createUserFederationMapperModel("groupsMapper", providerModel.getId(), GroupLDAPFederationMapperFactory.PROVIDER_ID, - GroupMapperConfig.GROUPS_DN, "ou=Groups," + baseDn, - GroupMapperConfig.MAPPED_GROUP_ATTRIBUTES, descriptionAttrName, - GroupMapperConfig.PRESERVE_GROUP_INHERITANCE, "true", - GroupMapperConfig.MODE, mode.toString()); - updateGroupMapperConfigOptions(mapperModel, otherConfigOptions); - realm.addUserFederationMapper(mapperModel); - } - } - - public static void updateGroupMapperConfigOptions(UserFederationMapperModel mapperModel, String... configOptions) { - for (int i=0 ; i allUsers = ldapQuery.getResultList(); - - for (LDAPObject ldapUser : allUsers) { - ldapStore.remove(ldapUser); - } - } - - public static void removeAllLDAPRoles(KeycloakSession session, RealmModel appRealm, UserFederationProviderModel ldapModel, String mapperName) { - UserFederationMapperModel mapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), mapperName); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - LDAPQuery roleQuery = getRoleMapper(mapperModel, ldapProvider, appRealm).createRoleQuery(); - List ldapRoles = roleQuery.getResultList(); - for (LDAPObject ldapRole : ldapRoles) { - ldapProvider.getLdapIdentityStore().remove(ldapRole); - } - } - - public static void removeAllLDAPGroups(KeycloakSession session, RealmModel appRealm, UserFederationProviderModel ldapModel, String mapperName) { - UserFederationMapperModel mapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), mapperName); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - LDAPQuery roleQuery = getGroupMapper(mapperModel, ldapProvider, appRealm).createGroupQuery(); - List ldapRoles = roleQuery.getResultList(); - for (LDAPObject ldapRole : ldapRoles) { - ldapProvider.getLdapIdentityStore().remove(ldapRole); - } - } - - public static void createLDAPRole(KeycloakSession session, RealmModel appRealm, UserFederationProviderModel ldapModel, String mapperName, String roleName) { - UserFederationMapperModel mapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), mapperName); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - getRoleMapper(mapperModel, ldapProvider, appRealm).createLDAPRole(roleName); - } - - public static LDAPObject createLDAPGroup(KeycloakSession session, RealmModel appRealm, UserFederationProviderModel ldapModel, String groupName, String... additionalAttrs) { - UserFederationMapperModel mapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - - Map> additAttrs = new HashMap<>(); - for (int i=0 ; iMarek Posolda - */ -public class LDAPExampleServlet extends HttpServlet { - - - @Override - protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { - KeycloakSecurityContext securityContext = (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName()); - IDToken idToken = securityContext.getIdToken(); - - PrintWriter out = resp.getWriter(); - out.println("LDAP Portal"); - out.println(""); - - out.printf("", "preferred_username", idToken.getPreferredUsername()); - out.println(); - out.printf("", "name", idToken.getName()); - out.println(); - out.printf("", "email", idToken.getEmail()); - out.println(); - - for (Map.Entry claim : idToken.getOtherClaims().entrySet()) { - String value = claim.getValue().toString(); - out.printf("", claim.getKey(), value); - out.println(); - } - - out.println("
Attribute nameAttribute values
%s%s
%s%s
%s%s
%s%s
"); - out.flush(); - } - -} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/FederationProvidersIntegrationTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/FederationProvidersIntegrationTest.java deleted file mode 100755 index 11ed2f63436..00000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/FederationProvidersIntegrationTest.java +++ /dev/null @@ -1,867 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation.ldap.base; - -import org.junit.Assert; -import org.junit.ClassRule; -import org.junit.FixMethodOrder; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.RuleChain; -import org.junit.rules.TestRule; -import org.junit.runners.MethodSorters; -import org.keycloak.OAuth2Constants; -import org.keycloak.credential.CredentialModel; -import org.keycloak.federation.ldap.LDAPConfig; -import org.keycloak.federation.ldap.LDAPFederationProvider; -import org.keycloak.federation.ldap.LDAPFederationProviderFactory; -import org.keycloak.federation.ldap.idm.model.LDAPObject; -import org.keycloak.federation.ldap.mappers.FullNameLDAPFederationMapper; -import org.keycloak.federation.ldap.mappers.FullNameLDAPFederationMapperFactory; -import org.keycloak.federation.ldap.mappers.HardcodedLDAPRoleMapper; -import org.keycloak.federation.ldap.mappers.HardcodedLDAPRoleMapperFactory; -import org.keycloak.federation.ldap.mappers.UserAttributeLDAPFederationMapper; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.LDAPConstants; -import org.keycloak.models.ModelException; -import org.keycloak.models.ModelReadOnlyException; -import org.keycloak.models.RealmModel; -import org.keycloak.models.RoleModel; -import org.keycloak.models.UserCredentialModel; -import org.keycloak.models.UserFederationMapperModel; -import org.keycloak.models.UserFederationProvider; -import org.keycloak.models.UserFederationProviderModel; -import org.keycloak.models.UserModel; -import org.keycloak.models.utils.KeycloakModelUtils; -import org.keycloak.models.utils.ModelToRepresentation; -import org.keycloak.representations.AccessToken; -import org.keycloak.representations.idm.RealmRepresentation; -import org.keycloak.services.managers.RealmManager; -import org.keycloak.testsuite.OAuthClient; -import org.keycloak.testsuite.federation.ldap.FederationTestUtils; -import org.keycloak.testsuite.pages.AccountPasswordPage; -import org.keycloak.testsuite.pages.AccountUpdateProfilePage; -import org.keycloak.testsuite.pages.AppPage; -import org.keycloak.testsuite.pages.LoginPage; -import org.keycloak.testsuite.pages.RegisterPage; -import org.keycloak.testsuite.rule.KeycloakRule; -import org.keycloak.testsuite.rule.LDAPRule; -import org.keycloak.testsuite.rule.WebResource; -import org.keycloak.testsuite.rule.WebRule; -import org.keycloak.util.JsonSerialization; -import org.openqa.selenium.WebDriver; - -import java.io.FileOutputStream; -import java.util.List; -import java.util.Map; - -import static org.junit.Assert.assertEquals; - -/** - * @author Marek Posolda - */ -@FixMethodOrder(MethodSorters.NAME_ASCENDING) -public class FederationProvidersIntegrationTest { - - private static LDAPRule ldapRule = new LDAPRule(); - - private static UserFederationProviderModel ldapModel = null; - - private static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() { - - @Override - public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { - FederationTestUtils.addLocalUser(manager.getSession(), appRealm, "marykeycloak", "mary@test.com", "password-app"); - - Map ldapConfig = ldapRule.getConfig(); - ldapConfig.put(LDAPConstants.SYNC_REGISTRATIONS, "true"); - ldapConfig.put(LDAPConstants.EDIT_MODE, UserFederationProvider.EditMode.WRITABLE.toString()); - - ldapModel = appRealm.addUserFederationProvider(LDAPFederationProviderFactory.PROVIDER_NAME, ldapConfig, 0, "test-ldap", -1, -1, 0); - FederationTestUtils.addZipCodeLDAPMapper(appRealm, ldapModel); - - // Delete all LDAP users and add some new for testing - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - FederationTestUtils.removeAllLDAPUsers(ldapFedProvider, appRealm); - - LDAPObject john = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "johnkeycloak", "John", "Doe", "john@email.org", null, "1234"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, john, "Password1"); - - LDAPObject existing = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "existing", "Existing", "Foo", "existing@email.org", null, "5678"); - - appRealm.getClientByClientId("test-app").setDirectAccessGrantsEnabled(true); - } - }); - - /* - @Test - public void exportJson() throws Exception { - KeycloakSession session = keycloakRule.startSession(); - FileOutputStream os = new FileOutputStream("/Users/williamburke/jboss/keycloak/p1b-repo/keycloak/fed-provider.json"); - RealmManager manager = new RealmManager(session); - RealmModel appRealm = manager.getRealm("test"); - RealmRepresentation rep = ModelToRepresentation.toRepresentation(appRealm, true); - JsonSerialization.writeValueToStream(os, rep); - os.close(); - - } - */ - - @ClassRule - public static TestRule chain = RuleChain - .outerRule(ldapRule) - .around(keycloakRule); - - @Rule - public WebRule webRule = new WebRule(this); - - @WebResource - protected OAuthClient oauth; - - @WebResource - protected WebDriver driver; - - @WebResource - protected AppPage appPage; - - @WebResource - protected RegisterPage registerPage; - - @WebResource - protected LoginPage loginPage; - - @WebResource - protected AccountUpdateProfilePage profilePage; - - @WebResource - protected AccountPasswordPage changePasswordPage; - -// @Test -// @Ignore -// public void runit() throws Exception { -// Thread.sleep(10000000); -// -// } - - - @Test - public void caseInSensitiveImport() { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmManager manager = new RealmManager(session); - RealmModel appRealm = manager.getRealm("test"); - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - LDAPObject jbrown2 = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "JBrown2", "John", "Brown2", "jbrown2@email.org", null, "1234"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, jbrown2, "Password1"); - LDAPObject jbrown3 = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "jbrown3", "John", "Brown3", "JBrown3@email.org", null, "1234"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, jbrown3, "Password1"); - } finally { - keycloakRule.stopSession(session, true); - } - - loginSuccessAndLogout("jbrown2", "Password1"); - loginSuccessAndLogout("JBrown2", "Password1"); - loginSuccessAndLogout("jbrown2@email.org", "Password1"); - loginSuccessAndLogout("JBrown2@email.org", "Password1"); - - loginSuccessAndLogout("jbrown3", "Password1"); - loginSuccessAndLogout("JBrown3", "Password1"); - loginSuccessAndLogout("jbrown3@email.org", "Password1"); - loginSuccessAndLogout("JBrown3@email.org", "Password1"); - } - - private void loginSuccessAndLogout(String username, String password) { - loginPage.open(); - loginPage.login(username, password); - Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType()); - Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE)); - oauth.openLogout(); - } - - @Test - public void caseInsensitiveSearch() { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmManager manager = new RealmManager(session); - RealmModel appRealm = manager.getRealm("test"); - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - LDAPObject jbrown4 = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "JBrown4", "John", "Brown4", "jbrown4@email.org", null, "1234"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, jbrown4, "Password1"); - LDAPObject jbrown5 = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "jbrown5", "John", "Brown5", "JBrown5@Email.org", null, "1234"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, jbrown5, "Password1"); - } finally { - keycloakRule.stopSession(session, true); - } - - session = keycloakRule.startSession(); - try { - RealmManager manager = new RealmManager(session); - RealmModel appRealm = manager.getRealm("test"); - - // search by username - List users = session.users().searchForUser("JBROwn4", appRealm); - Assert.assertEquals(1, users.size()); - UserModel user4 = users.get(0); - Assert.assertEquals("jbrown4", user4.getUsername()); - Assert.assertEquals("jbrown4@email.org", user4.getEmail()); - - // search by email - users = session.users().searchForUser("JBROwn5@eMAil.org", appRealm); - Assert.assertEquals(1, users.size()); - UserModel user5 = users.get(0); - Assert.assertEquals("jbrown5", user5.getUsername()); - Assert.assertEquals("jbrown5@email.org", user5.getEmail()); - } finally { - keycloakRule.stopSession(session, true); - } - } - - @Test - public void deleteFederationLink() { - loginLdap(); - { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmManager manager = new RealmManager(session); - - RealmModel appRealm = manager.getRealm("test"); - appRealm.removeUserFederationProvider(ldapModel); - Assert.assertEquals(0, appRealm.getUserFederationProviders().size()); - } finally { - keycloakRule.stopSession(session, true); - } - } - loginPage.open(); - loginPage.login("johnkeycloak", "Password1"); - loginPage.assertCurrent(); - - Assert.assertEquals("Invalid username or password.", loginPage.getError()); - - { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmManager manager = new RealmManager(session); - - RealmModel appRealm = manager.getRealm("test"); - ldapModel = appRealm.addUserFederationProvider(ldapModel.getProviderName(), ldapModel.getConfig(), ldapModel.getPriority(), ldapModel.getDisplayName(), -1, -1, 0); - FederationTestUtils.addZipCodeLDAPMapper(appRealm, ldapModel); - } finally { - keycloakRule.stopSession(session, true); - } - } - loginLdap(); - - } - - @Test - public void loginClassic() { - loginPage.open(); - loginPage.login("marykeycloak", "password-app"); - - Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType()); - Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE)); - - } - - @Test - public void loginLdap() { - loginPage.open(); - loginPage.login("johnkeycloak", "Password1"); - - Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType()); - Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE)); - - profilePage.open(); - Assert.assertEquals("John", profilePage.getFirstName()); - Assert.assertEquals("Doe", profilePage.getLastName()); - Assert.assertEquals("john@email.org", profilePage.getEmail()); - } - - @Test - public void loginLdapWithDirectGrant() throws Exception { - OAuthClient.AccessTokenResponse response = oauth.doGrantAccessTokenRequest("password", "johnkeycloak", "Password1"); - assertEquals(200, response.getStatusCode()); - AccessToken accessToken = oauth.verifyToken(response.getAccessToken()); - - response = oauth.doGrantAccessTokenRequest("password", "johnkeycloak", ""); - assertEquals(401, response.getStatusCode()); - } - - @Test - public void loginLdapWithEmail() { - loginPage.open(); - loginPage.login("john@email.org", "Password1"); - - Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType()); - Assert.assertNotNull(oauth.getCurrentQuery().get(OAuth2Constants.CODE)); - } - - @Test - public void loginLdapWithoutPassword() { - loginPage.open(); - loginPage.login("john@email.org", ""); - Assert.assertEquals("Invalid username or password.", loginPage.getError()); - } - - @Test - public void passwordChangeLdap() throws Exception { - changePasswordPage.open(); - loginPage.login("johnkeycloak", "Password1"); - changePasswordPage.changePassword("Password1", "New-password1", "New-password1"); - - Assert.assertEquals("Your password has been updated.", profilePage.getSuccess()); - - changePasswordPage.logout(); - - loginPage.open(); - loginPage.login("johnkeycloak", "Bad-password1"); - Assert.assertEquals("Invalid username or password.", loginPage.getError()); - - loginPage.open(); - loginPage.login("johnkeycloak", "New-password1"); - Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType()); - - // Change password back to previous value - changePasswordPage.open(); - changePasswordPage.changePassword("New-password1", "Password1", "Password1"); - Assert.assertEquals("Your password has been updated.", profilePage.getSuccess()); - } - - @Test - public void registerExistingLdapUser() { - loginPage.open(); - loginPage.clickRegister(); - registerPage.assertCurrent(); - - // check existing username - registerPage.register("firstName", "lastName", "email@mail.cz", "existing", "Password1", "Password1"); - registerPage.assertCurrent(); - Assert.assertEquals("Username already exists.", registerPage.getError()); - - // Check existing email - registerPage.register("firstName", "lastName", "existing@email.org", "nonExisting", "Password1", "Password1"); - registerPage.assertCurrent(); - Assert.assertEquals("Email already exists.", registerPage.getError()); - } - - @Test - public void registerUserLdapSuccess() { - loginPage.open(); - loginPage.clickRegister(); - registerPage.assertCurrent(); - - registerPage.register("firstName", "lastName", "email2@check.cz", "registerUserSuccess2", "Password1", "Password1"); - Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType()); - - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - UserModel user = session.users().getUserByUsername("registerUserSuccess2", appRealm); - Assert.assertNotNull(user); - Assert.assertNotNull(user.getFederationLink()); - Assert.assertEquals(user.getFederationLink(), ldapModel.getId()); - } finally { - keycloakRule.stopSession(session, false); - } - } - - @Test - public void testCaseSensitiveAttributeName() { - KeycloakSession session = keycloakRule.startSession(); - - try { - RealmModel appRealm = new RealmManager(session).getRealmByName("test"); - - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - LDAPObject johnZip = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "johnzip", "John", "Zip", "johnzip@email.org", null, "12398"); - - // Remove default zipcode mapper and add the mapper for "POstalCode" to test case sensitivity - UserFederationMapperModel currentZipMapper = appRealm.getUserFederationMapperByName(ldapModel.getId(), "zipCodeMapper"); - appRealm.removeUserFederationMapper(currentZipMapper); - FederationTestUtils.addUserAttributeMapper(appRealm, ldapModel, "zipCodeMapper-cs", "postal_code", "POstalCode"); - - // Fetch user from LDAP and check that postalCode is filled - UserModel user = session.users().getUserByUsername("johnzip", appRealm); - String postalCode = user.getFirstAttribute("postal_code"); - Assert.assertEquals("12398", postalCode); - - } finally { - keycloakRule.stopSession(session, false); - } - } - - @Test - public void testCommaInUsername() { - KeycloakSession session = keycloakRule.startSession(); - boolean skip = false; - - try { - RealmModel appRealm = new RealmManager(session).getRealmByName("test"); - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - - // Workaround as comma is not allowed in sAMAccountName on active directory. So we will skip the test for this configuration - LDAPConfig config = ldapFedProvider.getLdapIdentityStore().getConfig(); - if (config.isActiveDirectory() && config.getUsernameLdapAttribute().equals(LDAPConstants.SAM_ACCOUNT_NAME)) { - skip = true; - } - - if (!skip) { - LDAPObject johnComma = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "john,comma", "John", "Comma", "johncomma@email.org", null, "12387"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, johnComma, "Password1"); - - LDAPObject johnPlus = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "john+plus,comma", "John", "Plus", "johnplus@email.org", null, "12387"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, johnPlus, "Password1"); - } - } finally { - keycloakRule.stopSession(session, false); - } - - if (!skip) { - // Try to import the user with comma in username into Keycloak - loginSuccessAndLogout("john,comma", "Password1"); - loginSuccessAndLogout("john+plus,comma", "Password1"); - } - } - - @Test - public void testDirectLDAPUpdate() { - KeycloakSession session = keycloakRule.startSession(); - - try { - RealmModel appRealm = new RealmManager(session).getRealmByName("test"); - - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - LDAPObject johnDirect = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "johndirect", "John", "Direct", "johndirect@email.org", null, "12399"); - - // Fetch user from LDAP and check that postalCode is filled - UserModel user = session.users().getUserByUsername("johndirect", appRealm); - String postalCode = user.getFirstAttribute("postal_code"); - Assert.assertEquals("12399", postalCode); - - // Directly update user in LDAP - johnDirect.setSingleAttribute(LDAPConstants.POSTAL_CODE, "12400"); - johnDirect.setSingleAttribute(LDAPConstants.SN, "DirectLDAPUpdated"); - ldapFedProvider.getLdapIdentityStore().update(johnDirect); - - } finally { - keycloakRule.stopSession(session, true); - } - - session = keycloakRule.startSession(); - try { - RealmModel appRealm = new RealmManager(session).getRealmByName("test"); - UserModel user = session.users().getUserByUsername("johndirect", appRealm); - - // Verify that postalCode is still the same as we read it's value from Keycloak DB - user = session.users().getUserByUsername("johndirect", appRealm); - String postalCode = user.getFirstAttribute("postal_code"); - Assert.assertEquals("12399", postalCode); - - // Check user.getAttributes() - postalCode = user.getAttributes().get("postal_code").get(0); - Assert.assertEquals("12399", postalCode); - - // LastName is new as lastName mapper will read the value from LDAP - String lastName = user.getLastName(); - Assert.assertEquals("DirectLDAPUpdated", lastName); - } finally { - keycloakRule.stopSession(session, true); - } - - session = keycloakRule.startSession(); - try { - RealmModel appRealm = new RealmManager(session).getRealmByName("test"); - - // Update postalCode mapper to always read the value from LDAP - UserFederationMapperModel zipMapper = appRealm.getUserFederationMapperByName(ldapModel.getId(), "zipCodeMapper"); - zipMapper.getConfig().put(UserAttributeLDAPFederationMapper.ALWAYS_READ_VALUE_FROM_LDAP, "true"); - appRealm.updateUserFederationMapper(zipMapper); - - // Update lastName mapper to read the value from Keycloak DB - UserFederationMapperModel lastNameMapper = appRealm.getUserFederationMapperByName(ldapModel.getId(), "last name"); - lastNameMapper.getConfig().put(UserAttributeLDAPFederationMapper.ALWAYS_READ_VALUE_FROM_LDAP, "false"); - appRealm.updateUserFederationMapper(lastNameMapper); - - // Verify that postalCode is read from LDAP now - UserModel user = session.users().getUserByUsername("johndirect", appRealm); - String postalCode = user.getFirstAttribute("postal_code"); - Assert.assertEquals("12400", postalCode); - - // Check user.getAttributes() - postalCode = user.getAttributes().get("postal_code").get(0); - Assert.assertEquals("12400", postalCode); - - Assert.assertFalse(user.getAttributes().containsKey(UserModel.LAST_NAME)); - - // lastName is read from Keycloak DB now - String lastName = user.getLastName(); - Assert.assertEquals("Direct", lastName); - - } finally { - keycloakRule.stopSession(session, false); - } - } - - - // TODO: Rather separate test for fullNameMapper to better test all the possibilities - @Test - public void testFullNameMapper() { - KeycloakSession session = keycloakRule.startSession(); - UserFederationMapperModel firstNameMapper = null; - - try { - RealmModel appRealm = new RealmManager(session).getRealmByName("test"); - - // assert that user "fullnameUser" is not in local DB - Assert.assertNull(session.users().getUserByUsername("fullname", appRealm)); - - // Add the user with some fullName into LDAP directly. Ensure that fullName is saved into "cn" attribute in LDAP (currently mapped to model firstName) - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "fullname", "James Dee", "Dee", "fullname@email.org", null, "4578"); - - // add fullname mapper to the provider and remove "firstNameMapper". For this test, we will simply map full name to the LDAP attribute, which was before firstName ( "givenName" on active directory, "cn" on other LDAP servers) - firstNameMapper = appRealm.getUserFederationMapperByName(ldapModel.getId(), "first name"); - String ldapFirstNameAttributeName = firstNameMapper.getConfig().get(UserAttributeLDAPFederationMapper.LDAP_ATTRIBUTE); - appRealm.removeUserFederationMapper(firstNameMapper); - - UserFederationMapperModel fullNameMapperModel = KeycloakModelUtils.createUserFederationMapperModel("full name", ldapModel.getId(), FullNameLDAPFederationMapperFactory.PROVIDER_ID, - FullNameLDAPFederationMapper.LDAP_FULL_NAME_ATTRIBUTE, ldapFirstNameAttributeName, - FullNameLDAPFederationMapper.READ_ONLY, "false"); - appRealm.addUserFederationMapper(fullNameMapperModel); - } finally { - keycloakRule.stopSession(session, true); - } - - session = keycloakRule.startSession(); - try { - RealmModel appRealm = new RealmManager(session).getRealmByName("test"); - - // Assert user is successfully imported in Keycloak DB now with correct firstName and lastName - FederationTestUtils.assertUserImported(session.users(), appRealm, "fullname", "James", "Dee", "fullname@email.org", "4578"); - - // change mapper to writeOnly - UserFederationMapperModel fullNameMapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), "full name"); - fullNameMapperModel.getConfig().put(FullNameLDAPFederationMapper.WRITE_ONLY, "true"); - appRealm.updateUserFederationMapper(fullNameMapperModel); - } finally { - keycloakRule.stopSession(session, true); - } - - - // Assert changing user in Keycloak will change him in LDAP too... - session = keycloakRule.startSession(); - try { - RealmModel appRealm = new RealmManager(session).getRealmByName("test"); - - UserModel fullnameUser = session.users().getUserByUsername("fullname", appRealm); - fullnameUser.setFirstName("James2"); - fullnameUser.setLastName("Dee2"); - } finally { - keycloakRule.stopSession(session, true); - } - - - // Assert changed user available in Keycloak - session = keycloakRule.startSession(); - try { - RealmModel appRealm = new RealmManager(session).getRealmByName("test"); - - // Assert user is successfully imported in Keycloak DB now with correct firstName and lastName - FederationTestUtils.assertUserImported(session.users(), appRealm, "fullname", "James2", "Dee2", "fullname@email.org", "4578"); - - // Remove "fullnameUser" to assert he is removed from LDAP. Revert mappers to previous state - UserModel fullnameUser = session.users().getUserByUsername("fullname", appRealm); - session.users().removeUser(appRealm, fullnameUser); - - // Revert mappers - UserFederationMapperModel fullNameMapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), "full name"); - appRealm.removeUserFederationMapper(fullNameMapperModel); - - firstNameMapper.setId(null); - appRealm.addUserFederationMapper(firstNameMapper); - } finally { - keycloakRule.stopSession(session, true); - } - } - - @Test - public void testHardcodedRoleMapper() { - KeycloakSession session = keycloakRule.startSession(); - UserFederationMapperModel firstNameMapper = null; - - try { - RealmModel appRealm = new RealmManager(session).getRealmByName("test"); - RoleModel hardcodedRole = appRealm.addRole("hardcoded-role"); - - // assert that user "johnkeycloak" doesn't have hardcoded role - UserModel john = session.users().getUserByUsername("johnkeycloak", appRealm); - Assert.assertFalse(john.hasRole(hardcodedRole)); - - UserFederationMapperModel hardcodedMapperModel = KeycloakModelUtils.createUserFederationMapperModel("hardcoded role", ldapModel.getId(), HardcodedLDAPRoleMapperFactory.PROVIDER_ID, - HardcodedLDAPRoleMapper.ROLE, "hardcoded-role"); - appRealm.addUserFederationMapper(hardcodedMapperModel); - } finally { - keycloakRule.stopSession(session, true); - } - - session = keycloakRule.startSession(); - try { - RealmModel appRealm = new RealmManager(session).getRealmByName("test"); - RoleModel hardcodedRole = appRealm.getRole("hardcoded-role"); - - // Assert user is successfully imported in Keycloak DB now with correct firstName and lastName - UserModel john = session.users().getUserByUsername("johnkeycloak", appRealm); - Assert.assertTrue(john.hasRole(hardcodedRole)); - - // Can't remove user from hardcoded role - try { - john.deleteRoleMapping(hardcodedRole); - Assert.fail("Didn't expected to remove role mapping"); - } catch (ModelException expected) { - } - - // Revert mappers - UserFederationMapperModel hardcodedMapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), "hardcoded role"); - appRealm.removeUserFederationMapper(hardcodedMapperModel); - } finally { - keycloakRule.stopSession(session, true); - } - } - - @Test - public void testImportExistingUserFromLDAP() throws Exception { - // Add LDAP user with same email like existing model user - keycloakRule.update(new KeycloakRule.KeycloakSetup() { - - @Override - public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "marykeycloak", "Mary1", "Kelly1", "mary1@email.org", null, "123"); - FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "mary-duplicatemail", "Mary2", "Kelly2", "mary@test.com", null, "123"); - LDAPObject marynoemail = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "marynoemail", "Mary1", "Kelly1", null, null, "123"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, marynoemail, "Password1"); - } - - }); - - // Try to import the duplicated LDAP user into Keycloak - loginPage.open(); - loginPage.login("mary-duplicatemail", "password"); - Assert.assertEquals("Email already exists.", loginPage.getError()); - - loginPage.login("mary1@email.org", "password"); - Assert.assertEquals("Username already exists.", loginPage.getError()); - - loginSuccessAndLogout("marynoemail", "Password1"); - } - - @Test - public void testReadonly() { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - - UserFederationProviderModel model = new UserFederationProviderModel(ldapModel.getId(), ldapModel.getProviderName(), ldapModel.getConfig(), - ldapModel.getPriority(), ldapModel.getDisplayName(), -1, -1, 0); - model.getConfig().put(LDAPConstants.EDIT_MODE, UserFederationProvider.EditMode.READ_ONLY.toString()); - appRealm.updateUserFederationProvider(model); - UserModel user = session.users().getUserByUsername("johnkeycloak", appRealm); - Assert.assertNotNull(user); - Assert.assertNotNull(user.getFederationLink()); - Assert.assertEquals(user.getFederationLink(), ldapModel.getId()); - try { - user.setEmail("error@error.com"); - Assert.fail("should fail"); - } catch (ModelReadOnlyException e) { - - } - try { - user.setLastName("Berk"); - Assert.fail("should fail"); - } catch (ModelReadOnlyException e) { - - } - try { - user.setFirstName("Bilbo"); - Assert.fail("should fail"); - } catch (ModelReadOnlyException e) { - - } - try { - UserCredentialModel cred = UserCredentialModel.password("PoopyPoop1"); - session.userCredentialManager().updateCredential(appRealm, user, cred); - Assert.fail("should fail"); - } catch (ModelReadOnlyException e) { - - } - - Assert.assertTrue(session.users().removeUser(appRealm, user)); - } finally { - keycloakRule.stopSession(session, false); - } - - session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - Assert.assertEquals(UserFederationProvider.EditMode.WRITABLE.toString(), appRealm.getUserFederationProviders().get(0).getConfig().get(LDAPConstants.EDIT_MODE)); - } finally { - keycloakRule.stopSession(session, false); - } - } - - @Test - public void testRemoveFederatedUser() { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - UserModel user = session.users().getUserByUsername("registerUserSuccess2", appRealm); - Assert.assertNotNull(user); - Assert.assertNotNull(user.getFederationLink()); - Assert.assertEquals(user.getFederationLink(), ldapModel.getId()); - - Assert.assertTrue(session.users().removeUser(appRealm, user)); - Assert.assertNull(session.users().getUserByUsername("registerUserSuccess2", appRealm)); - } finally { - keycloakRule.stopSession(session, true); - } - } - - @Test - public void testSearch() { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - - FederationTestUtils.addLDAPUser(ldapProvider, appRealm, "username1", "John1", "Doel1", "user1@email.org", null, "121"); - FederationTestUtils.addLDAPUser(ldapProvider, appRealm, "username2", "John2", "Doel2", "user2@email.org", null, "122"); - FederationTestUtils.addLDAPUser(ldapProvider, appRealm, "username3", "John3", "Doel3", "user3@email.org", null, "123"); - FederationTestUtils.addLDAPUser(ldapProvider, appRealm, "username4", "John4", "Doel4", "user4@email.org", null, "124"); - - // Users are not at local store at this moment - Assert.assertNull(session.userStorage().getUserByUsername("username1", appRealm)); - Assert.assertNull(session.userStorage().getUserByUsername("username2", appRealm)); - Assert.assertNull(session.userStorage().getUserByUsername("username3", appRealm)); - Assert.assertNull(session.userStorage().getUserByUsername("username4", appRealm)); - - // search by username - session.users().searchForUser("username1", appRealm); - FederationTestUtils.assertUserImported(session.userStorage(), appRealm, "username1", "John1", "Doel1", "user1@email.org", "121"); - - // search by email - session.users().searchForUser("user2@email.org", appRealm); - FederationTestUtils.assertUserImported(session.userStorage(), appRealm, "username2", "John2", "Doel2", "user2@email.org", "122"); - - // search by lastName - session.users().searchForUser("Doel3", appRealm); - FederationTestUtils.assertUserImported(session.userStorage(), appRealm, "username3", "John3", "Doel3", "user3@email.org", "123"); - - // search by firstName + lastName - session.users().searchForUser("John4 Doel4", appRealm); - FederationTestUtils.assertUserImported(session.userStorage(), appRealm, "username4", "John4", "Doel4", "user4@email.org", "124"); - } finally { - keycloakRule.stopSession(session, true); - } - } - - @Test - public void testSearchWithCustomLDAPFilter() { - // Add custom filter for searching users - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - ldapModel.getConfig().put(LDAPConstants.CUSTOM_USER_SEARCH_FILTER, "(|(mail=user5@email.org)(mail=user6@email.org))"); - appRealm.updateUserFederationProvider(ldapModel); - } finally { - keycloakRule.stopSession(session, true); - } - - session = keycloakRule.startSession(); - try { - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - RealmModel appRealm = session.realms().getRealmByName("test"); - - FederationTestUtils.addLDAPUser(ldapProvider, appRealm, "username5", "John5", "Doel5", "user5@email.org", null, "125"); - FederationTestUtils.addLDAPUser(ldapProvider, appRealm, "username6", "John6", "Doel6", "user6@email.org", null, "126"); - FederationTestUtils.addLDAPUser(ldapProvider, appRealm, "username7", "John7", "Doel7", "user7@email.org", null, "127"); - - // search by email - session.users().searchForUser("user5@email.org", appRealm); - FederationTestUtils.assertUserImported(session.userStorage(), appRealm, "username5", "John5", "Doel5", "user5@email.org", "125"); - - session.users().searchForUser("John6 Doel6", appRealm); - FederationTestUtils.assertUserImported(session.userStorage(), appRealm, "username6", "John6", "Doel6", "user6@email.org", "126"); - - session.users().searchForUser("user7@email.org", appRealm); - session.users().searchForUser("John7 Doel7", appRealm); - Assert.assertNull(session.userStorage().getUserByUsername("username7", appRealm)); - - // Remove custom filter - ldapModel.getConfig().remove(LDAPConstants.CUSTOM_USER_SEARCH_FILTER); - appRealm.updateUserFederationProvider(ldapModel); - } finally { - keycloakRule.stopSession(session, true); - } - } - - @Test - public void testUnsynced() throws Exception { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - - UserFederationProviderModel model = new UserFederationProviderModel(ldapModel.getId(), ldapModel.getProviderName(), ldapModel.getConfig(), ldapModel.getPriority(), - ldapModel.getDisplayName(), -1, -1, 0); - model.getConfig().put(LDAPConstants.EDIT_MODE, UserFederationProvider.EditMode.UNSYNCED.toString()); - appRealm.updateUserFederationProvider(model); - UserModel user = session.users().getUserByUsername("johnkeycloak", appRealm); - Assert.assertNotNull(user); - Assert.assertNotNull(user.getFederationLink()); - Assert.assertEquals(user.getFederationLink(), ldapModel.getId()); - - UserCredentialModel cred = UserCredentialModel.password("Candycand1"); - session.userCredentialManager().updateCredential(appRealm, user, cred); - CredentialModel userCredentialValueModel = session.userCredentialManager().getStoredCredentialsByType(appRealm, user, CredentialModel.PASSWORD).get(0); - Assert.assertEquals(UserCredentialModel.PASSWORD, userCredentialValueModel.getType()); - Assert.assertTrue(session.userCredentialManager().isValid(appRealm, user, cred)); - - // LDAP password is still unchanged - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, model); - LDAPObject ldapUser = ldapProvider.loadLDAPUserByUsername(appRealm, "johnkeycloak"); - ldapProvider.getLdapIdentityStore().validatePassword(ldapUser, "Password1"); - - // User is deleted just locally - Assert.assertTrue(session.users().removeUser(appRealm, user)); - - // Assert user not available locally, but will be reimported from LDAP once searched - Assert.assertNull(session.userStorage().getUserByUsername("johnkeycloak", appRealm)); - Assert.assertNotNull(session.users().getUserByUsername("johnkeycloak", appRealm)); - } finally { - keycloakRule.stopSession(session, false); - } - - session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - Assert.assertEquals(UserFederationProvider.EditMode.WRITABLE.toString(), appRealm.getUserFederationProviders().get(0).getConfig().get(LDAPConstants.EDIT_MODE)); - } finally { - keycloakRule.stopSession(session, false); - } - } - -} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPGroupMapper2WaySyncTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPGroupMapper2WaySyncTest.java deleted file mode 100755 index 41690d58ffb..00000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPGroupMapper2WaySyncTest.java +++ /dev/null @@ -1,252 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation.ldap.base; - -import org.junit.Assert; -import org.junit.ClassRule; -import org.junit.FixMethodOrder; -import org.junit.Rule; -import org.junit.Test; -import org.junit.runners.MethodSorters; -import org.keycloak.federation.ldap.LDAPFederationProvider; -import org.keycloak.federation.ldap.LDAPFederationProviderFactory; -import org.keycloak.federation.ldap.mappers.membership.LDAPGroupMapperMode; -import org.keycloak.federation.ldap.mappers.membership.group.GroupLDAPFederationMapperFactory; -import org.keycloak.federation.ldap.mappers.membership.group.GroupMapperConfig; -import org.keycloak.models.GroupModel; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.LDAPConstants; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserFederationMapperModel; -import org.keycloak.models.UserFederationProvider; -import org.keycloak.models.UserFederationProviderModel; -import org.keycloak.models.UserFederationSyncResult; -import org.keycloak.models.utils.KeycloakModelUtils; -import org.keycloak.services.managers.RealmManager; -import org.keycloak.testsuite.federation.ldap.FederationTestUtils; -import org.keycloak.testsuite.rule.KeycloakRule; -import org.keycloak.testsuite.rule.LDAPRule; - -import java.util.Map; - -/** - * @author Marek Posolda - */ -@FixMethodOrder(MethodSorters.NAME_ASCENDING) -public class LDAPGroupMapper2WaySyncTest { - - @ClassRule - public static LDAPRule ldapRule = new LDAPRule(); - - private static UserFederationProviderModel ldapModel = null; - private static String descriptionAttrName = null; - - @Rule - public KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() { - - @Override - public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { - Map ldapConfig = ldapRule.getConfig(); - ldapConfig.put(LDAPConstants.SYNC_REGISTRATIONS, "true"); - ldapConfig.put(LDAPConstants.EDIT_MODE, UserFederationProvider.EditMode.WRITABLE.toString()); - ldapConfig.put(LDAPConstants.BATCH_SIZE_FOR_SYNC, "4"); // Issues with pagination on ApacheDS - - ldapModel = appRealm.addUserFederationProvider(LDAPFederationProviderFactory.PROVIDER_NAME, ldapConfig, 0, "test-ldap", -1, -1, 0); - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - descriptionAttrName = ldapFedProvider.getLdapIdentityStore().getConfig().isActiveDirectory() ? "displayName" : "description"; - - // Add group mapper - FederationTestUtils.addOrUpdateGroupMapper(appRealm, ldapModel, LDAPGroupMapperMode.LDAP_ONLY, descriptionAttrName); - - // Remove all LDAP groups - FederationTestUtils.removeAllLDAPGroups(session, appRealm, ldapModel, "groupsMapper"); - - // Add some groups for testing into Keycloak - removeAllModelGroups(appRealm); - - GroupModel group1 = appRealm.createGroup("group1"); - appRealm.moveGroup(group1, null); - group1.setSingleAttribute(descriptionAttrName, "group1 - description1"); - - GroupModel group11 = appRealm.createGroup("group11"); - appRealm.moveGroup(group11, group1); - - GroupModel group12 = appRealm.createGroup("group12"); - appRealm.moveGroup(group12, group1); - group12.setSingleAttribute(descriptionAttrName, "group12 - description12"); - - GroupModel group2 = appRealm.createGroup("group2"); - appRealm.moveGroup(group2, null); - } - }); - - - @Test - public void test01_syncNoPreserveGroupInheritance() throws Exception { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealmByName("test"); - UserFederationMapperModel mapperModel = realm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - - // Update group mapper to skip preserve inheritance and check it will pass now - FederationTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.PRESERVE_GROUP_INHERITANCE, "false"); - realm.updateUserFederationMapper(mapperModel); - - // Sync from Keycloak into LDAP - UserFederationSyncResult syncResult = new GroupLDAPFederationMapperFactory().create(session).syncDataFromKeycloakToFederationProvider(mapperModel, ldapProvider, session, realm); - FederationTestUtils.assertSyncEquals(syncResult, 4, 0, 0, 0); - } finally { - keycloakRule.stopSession(session, true); - } - - session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealmByName("test"); - - // Delete all KC groups now - removeAllModelGroups(realm); - Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group1")); - Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group11")); - Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group2")); - } finally { - keycloakRule.stopSession(session, true); - } - - - - session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealmByName("test"); - UserFederationMapperModel mapperModel = realm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - - // Sync from LDAP back into Keycloak - UserFederationSyncResult syncResult = new GroupLDAPFederationMapperFactory().create(session).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm); - FederationTestUtils.assertSyncEquals(syncResult, 4, 0, 0, 0); - - // Assert groups are imported to keycloak. All are at top level - GroupModel kcGroup1 = KeycloakModelUtils.findGroupByPath(realm, "/group1"); - GroupModel kcGroup11 = KeycloakModelUtils.findGroupByPath(realm, "/group11"); - GroupModel kcGroup12 = KeycloakModelUtils.findGroupByPath(realm, "/group12"); - GroupModel kcGroup2 = KeycloakModelUtils.findGroupByPath(realm, "/group2"); - - Assert.assertEquals(0, kcGroup1.getSubGroups().size()); - - Assert.assertEquals("group1 - description1", kcGroup1.getFirstAttribute(descriptionAttrName)); - Assert.assertNull(kcGroup11.getFirstAttribute(descriptionAttrName)); - Assert.assertEquals("group12 - description12", kcGroup12.getFirstAttribute(descriptionAttrName)); - Assert.assertNull(kcGroup2.getFirstAttribute(descriptionAttrName)); - - // test drop non-existing works - testDropNonExisting(session, realm, mapperModel, ldapProvider); - } finally { - keycloakRule.stopSession(session, true); - } - } - - @Test - public void test02_syncWithGroupInheritance() throws Exception { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealmByName("test"); - UserFederationMapperModel mapperModel = realm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - - // Update group mapper to skip preserve inheritance and check it will pass now - FederationTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.PRESERVE_GROUP_INHERITANCE, "true"); - realm.updateUserFederationMapper(mapperModel); - - // Sync from Keycloak into LDAP - UserFederationSyncResult syncResult = new GroupLDAPFederationMapperFactory().create(session).syncDataFromKeycloakToFederationProvider(mapperModel, ldapProvider, session, realm); - FederationTestUtils.assertSyncEquals(syncResult, 4, 0, 0, 0); - } finally { - keycloakRule.stopSession(session, true); - } - - session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealmByName("test"); - - // Delete all KC groups now - removeAllModelGroups(realm); - Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group1")); - Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group11")); - Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group2")); - } finally { - keycloakRule.stopSession(session, true); - } - - - - session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealmByName("test"); - UserFederationMapperModel mapperModel = realm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - - // Sync from LDAP back into Keycloak - UserFederationSyncResult syncResult = new GroupLDAPFederationMapperFactory().create(session).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm); - FederationTestUtils.assertSyncEquals(syncResult, 4, 0, 0, 0); - - // Assert groups are imported to keycloak. All are at top level - GroupModel kcGroup1 = KeycloakModelUtils.findGroupByPath(realm, "/group1"); - GroupModel kcGroup11 = KeycloakModelUtils.findGroupByPath(realm, "/group1/group11"); - GroupModel kcGroup12 = KeycloakModelUtils.findGroupByPath(realm, "/group1/group12"); - GroupModel kcGroup2 = KeycloakModelUtils.findGroupByPath(realm, "/group2"); - - Assert.assertEquals(2, kcGroup1.getSubGroups().size()); - - Assert.assertEquals("group1 - description1", kcGroup1.getFirstAttribute(descriptionAttrName)); - Assert.assertNull(kcGroup11.getFirstAttribute(descriptionAttrName)); - Assert.assertEquals("group12 - description12", kcGroup12.getFirstAttribute(descriptionAttrName)); - Assert.assertNull(kcGroup2.getFirstAttribute(descriptionAttrName)); - - // test drop non-existing works - testDropNonExisting(session, realm, mapperModel, ldapProvider); - } finally { - keycloakRule.stopSession(session, true); - } - } - - - private static void removeAllModelGroups(RealmModel appRealm) { - for (GroupModel group : appRealm.getTopLevelGroups()) { - appRealm.removeGroup(group); - } - } - - private void testDropNonExisting(KeycloakSession session, RealmModel realm, UserFederationMapperModel mapperModel, LDAPFederationProvider ldapProvider) { - // Put some group directly to LDAP - FederationTestUtils.createLDAPGroup(session, realm, ldapModel, "group3"); - - // Sync and assert our group is still in LDAP - UserFederationSyncResult syncResult = new GroupLDAPFederationMapperFactory().create(session).syncDataFromKeycloakToFederationProvider(mapperModel, ldapProvider, session, realm); - FederationTestUtils.assertSyncEquals(syncResult, 0, 4, 0, 0); - Assert.assertNotNull(FederationTestUtils.getGroupMapper(mapperModel, ldapProvider, realm).loadLDAPGroupByName("group3")); - - // Change config to drop non-existing groups - FederationTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.DROP_NON_EXISTING_GROUPS_DURING_SYNC, "true"); - realm.updateUserFederationMapper(mapperModel); - - // Sync and assert group removed from LDAP - syncResult = new GroupLDAPFederationMapperFactory().create(session).syncDataFromKeycloakToFederationProvider(mapperModel, ldapProvider, session, realm); - FederationTestUtils.assertSyncEquals(syncResult, 0, 4, 1, 0); - Assert.assertNull(FederationTestUtils.getGroupMapper(mapperModel, ldapProvider, realm).loadLDAPGroupByName("group3")); - } -} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPGroupMapperSyncTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPGroupMapperSyncTest.java deleted file mode 100755 index 9a6b31baad8..00000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPGroupMapperSyncTest.java +++ /dev/null @@ -1,312 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation.ldap.base; - -import org.junit.Assert; -import org.junit.Before; -import org.junit.ClassRule; -import org.junit.FixMethodOrder; -import org.junit.Test; -import org.junit.rules.RuleChain; -import org.junit.rules.TestRule; -import org.junit.runners.MethodSorters; -import org.keycloak.federation.ldap.LDAPFederationProvider; -import org.keycloak.federation.ldap.LDAPFederationProviderFactory; -import org.keycloak.federation.ldap.LDAPUtils; -import org.keycloak.federation.ldap.idm.model.LDAPObject; -import org.keycloak.federation.ldap.mappers.membership.LDAPGroupMapperMode; -import org.keycloak.federation.ldap.mappers.membership.MembershipType; -import org.keycloak.federation.ldap.mappers.membership.group.GroupLDAPFederationMapper; -import org.keycloak.federation.ldap.mappers.membership.group.GroupLDAPFederationMapperFactory; -import org.keycloak.federation.ldap.mappers.membership.group.GroupMapperConfig; -import org.keycloak.models.GroupModel; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.LDAPConstants; -import org.keycloak.models.ModelException; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserFederationMapperModel; -import org.keycloak.models.UserFederationProvider; -import org.keycloak.models.UserFederationProviderModel; -import org.keycloak.models.UserFederationSyncResult; -import org.keycloak.models.UserModel; -import org.keycloak.models.utils.KeycloakModelUtils; -import org.keycloak.services.managers.RealmManager; -import org.keycloak.testsuite.federation.ldap.FederationTestUtils; -import org.keycloak.testsuite.rule.KeycloakRule; -import org.keycloak.testsuite.rule.LDAPRule; - -import java.util.List; -import java.util.Map; -import java.util.Set; - -/** - * @author Marek Posolda - */ -@FixMethodOrder(MethodSorters.NAME_ASCENDING) -public class LDAPGroupMapperSyncTest { - - private static LDAPRule ldapRule = new LDAPRule(); - - private static UserFederationProviderModel ldapModel = null; - private static String descriptionAttrName = null; - - private static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() { - - @Override - public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { - Map ldapConfig = ldapRule.getConfig(); - ldapConfig.put(LDAPConstants.SYNC_REGISTRATIONS, "true"); - ldapConfig.put(LDAPConstants.EDIT_MODE, UserFederationProvider.EditMode.WRITABLE.toString()); - - ldapModel = appRealm.addUserFederationProvider(LDAPFederationProviderFactory.PROVIDER_NAME, ldapConfig, 0, "test-ldap", -1, -1, 0); - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - descriptionAttrName = ldapFedProvider.getLdapIdentityStore().getConfig().isActiveDirectory() ? "displayName" : "description"; - - // Add group mapper - FederationTestUtils.addOrUpdateGroupMapper(appRealm, ldapModel, LDAPGroupMapperMode.LDAP_ONLY, descriptionAttrName); - - // Remove all LDAP groups - FederationTestUtils.removeAllLDAPGroups(session, appRealm, ldapModel, "groupsMapper"); - - // Add some groups for testing - LDAPObject group1 = FederationTestUtils.createLDAPGroup(manager.getSession(), appRealm, ldapModel, "group1", descriptionAttrName, "group1 - description"); - LDAPObject group11 = FederationTestUtils.createLDAPGroup(manager.getSession(), appRealm, ldapModel, "group11"); - LDAPObject group12 = FederationTestUtils.createLDAPGroup(manager.getSession(), appRealm, ldapModel, "group12", descriptionAttrName, "group12 - description"); - - LDAPUtils.addMember(ldapFedProvider, MembershipType.DN, LDAPConstants.MEMBER, group1, group11, false); - LDAPUtils.addMember(ldapFedProvider, MembershipType.DN, LDAPConstants.MEMBER, group1, group12, true); - } - }); - - @ClassRule - public static TestRule chain = RuleChain - .outerRule(ldapRule) - .around(keycloakRule); - - @Before - public void before() { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealmByName("test"); - List kcGroups = realm.getTopLevelGroups(); - for (GroupModel kcGroup : kcGroups) { - realm.removeGroup(kcGroup); - } - } finally { - keycloakRule.stopSession(session, true); - } - } - - @Test - public void test01_syncNoPreserveGroupInheritance() throws Exception { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealmByName("test"); - UserFederationMapperModel mapperModel = realm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - GroupLDAPFederationMapper groupMapper = FederationTestUtils.getGroupMapper(mapperModel, ldapProvider, realm); - - // Add recursive group mapping to LDAP. Check that sync with preserve group inheritance will fail - LDAPObject group1 = groupMapper.loadLDAPGroupByName("group1"); - LDAPObject group12 = groupMapper.loadLDAPGroupByName("group12"); - LDAPUtils.addMember(ldapProvider, MembershipType.DN, LDAPConstants.MEMBER, group12, group1, true); - - try { - new GroupLDAPFederationMapperFactory().create(session).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm); - Assert.fail("Not expected group sync to pass"); - } catch (ModelException expected) { - Assert.assertTrue(expected.getMessage().contains("Recursion detected")); - } - - // Update group mapper to skip preserve inheritance and check it will pass now - FederationTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.PRESERVE_GROUP_INHERITANCE, "false"); - realm.updateUserFederationMapper(mapperModel); - - new GroupLDAPFederationMapperFactory().create(session).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm); - - // Assert groups are imported to keycloak. All are at top level - GroupModel kcGroup1 = KeycloakModelUtils.findGroupByPath(realm, "/group1"); - GroupModel kcGroup11 = KeycloakModelUtils.findGroupByPath(realm, "/group11"); - GroupModel kcGroup12 = KeycloakModelUtils.findGroupByPath(realm, "/group12"); - - Assert.assertEquals(0, kcGroup1.getSubGroups().size()); - - Assert.assertEquals("group1 - description", kcGroup1.getFirstAttribute(descriptionAttrName)); - Assert.assertNull(kcGroup11.getFirstAttribute(descriptionAttrName)); - Assert.assertEquals("group12 - description", kcGroup12.getFirstAttribute(descriptionAttrName)); - - // Cleanup - remove recursive mapping in LDAP - LDAPUtils.deleteMember(ldapProvider, MembershipType.DN, LDAPConstants.MEMBER, group12, group1, true); - - } finally { - keycloakRule.stopSession(session, false); - } - } - - @Test - public void test02_syncWithGroupInheritance() throws Exception { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealmByName("test"); - UserFederationMapperModel mapperModel = realm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - GroupLDAPFederationMapper groupMapper = FederationTestUtils.getGroupMapper(mapperModel, ldapProvider, realm); - - // Sync groups with inheritance - UserFederationSyncResult syncResult = new GroupLDAPFederationMapperFactory().create(session).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm); - FederationTestUtils.assertSyncEquals(syncResult, 3, 0, 0, 0); - - // Assert groups are imported to keycloak including their inheritance from LDAP - GroupModel kcGroup1 = KeycloakModelUtils.findGroupByPath(realm, "/group1"); - Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group11")); - Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group12")); - GroupModel kcGroup11 = KeycloakModelUtils.findGroupByPath(realm, "/group1/group11"); - GroupModel kcGroup12 = KeycloakModelUtils.findGroupByPath(realm, "/group1/group12"); - - Assert.assertEquals(2, kcGroup1.getSubGroups().size()); - - Assert.assertEquals("group1 - description", kcGroup1.getFirstAttribute(descriptionAttrName)); - Assert.assertNull(kcGroup11.getFirstAttribute(descriptionAttrName)); - Assert.assertEquals("group12 - description", kcGroup12.getFirstAttribute(descriptionAttrName)); - - // Update description attributes in LDAP - LDAPObject group1 = groupMapper.loadLDAPGroupByName("group1"); - group1.setSingleAttribute(descriptionAttrName, "group1 - changed description"); - ldapProvider.getLdapIdentityStore().update(group1); - - LDAPObject group12 = groupMapper.loadLDAPGroupByName("group12"); - group12.setAttribute(descriptionAttrName, null); - ldapProvider.getLdapIdentityStore().update(group12); - - // Sync and assert groups updated - syncResult = new GroupLDAPFederationMapperFactory().create(session).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm); - FederationTestUtils.assertSyncEquals(syncResult, 0, 3, 0, 0); - - // Assert attributes changed in keycloak - kcGroup1 = KeycloakModelUtils.findGroupByPath(realm, "/group1"); - kcGroup12 = KeycloakModelUtils.findGroupByPath(realm, "/group1/group12"); - Assert.assertEquals("group1 - changed description", kcGroup1.getFirstAttribute(descriptionAttrName)); - Assert.assertNull(kcGroup12.getFirstAttribute(descriptionAttrName)); - } finally { - keycloakRule.stopSession(session, false); - } - } - - @Test - public void test03_syncWithDropNonExistingGroups() throws Exception { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealmByName("test"); - UserFederationMapperModel mapperModel = realm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - - // Sync groups with inheritance - UserFederationSyncResult syncResult = new GroupLDAPFederationMapperFactory().create(session).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm); - FederationTestUtils.assertSyncEquals(syncResult, 3, 0, 0, 0); - - // Assert groups are imported to keycloak including their inheritance from LDAP - GroupModel kcGroup1 = KeycloakModelUtils.findGroupByPath(realm, "/group1"); - Assert.assertNotNull(KeycloakModelUtils.findGroupByPath(realm, "/group1/group11")); - Assert.assertNotNull(KeycloakModelUtils.findGroupByPath(realm, "/group1/group12")); - - Assert.assertEquals(2, kcGroup1.getSubGroups().size()); - - // Create some new groups in keycloak - GroupModel model1 = realm.createGroup("model1"); - realm.moveGroup(model1, null); - GroupModel model2 = realm.createGroup("model2"); - kcGroup1.addChild(model2); - - // Sync groups again from LDAP. Nothing deleted - syncResult = new GroupLDAPFederationMapperFactory().create(session).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm); - FederationTestUtils.assertSyncEquals(syncResult, 0, 3, 0, 0); - - Assert.assertNotNull(KeycloakModelUtils.findGroupByPath(realm, "/group1/group11")); - Assert.assertNotNull(KeycloakModelUtils.findGroupByPath(realm, "/group1/group12")); - Assert.assertNotNull(KeycloakModelUtils.findGroupByPath(realm, "/model1")); - Assert.assertNotNull(KeycloakModelUtils.findGroupByPath(realm, "/group1/model2")); - - // Update group mapper to drop non-existing groups during sync - FederationTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.DROP_NON_EXISTING_GROUPS_DURING_SYNC, "true"); - realm.updateUserFederationMapper(mapperModel); - - // Sync groups again from LDAP. Assert LDAP non-existing groups deleted - syncResult = new GroupLDAPFederationMapperFactory().create(session).syncDataFromFederationProviderToKeycloak(mapperModel, ldapProvider, session, realm); - Assert.assertEquals(3, syncResult.getUpdated()); - Assert.assertTrue(syncResult.getRemoved() == 2); - - // Sync and assert groups updated - Assert.assertNotNull(KeycloakModelUtils.findGroupByPath(realm, "/group1/group11")); - Assert.assertNotNull(KeycloakModelUtils.findGroupByPath(realm, "/group1/group12")); - Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/model1")); - Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group1/model2")); - } finally { - keycloakRule.stopSession(session, false); - } - } - - - - @Test - public void test04_syncNoPreserveGroupInheritanceWithLazySync() throws Exception { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel realm = session.realms().getRealmByName("test"); - UserFederationMapperModel mapperModel = realm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - GroupLDAPFederationMapper groupMapper = FederationTestUtils.getGroupMapper(mapperModel, ldapProvider, realm); - - // Update group mapper to skip preserve inheritance - FederationTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.PRESERVE_GROUP_INHERITANCE, "false"); - realm.updateUserFederationMapper(mapperModel); - - // Add user to LDAP and put him as member of group11 - FederationTestUtils.removeAllLDAPUsers(ldapProvider, realm); - LDAPObject johnLdap = FederationTestUtils.addLDAPUser(ldapProvider, realm, "johnkeycloak", "John", "Doe", "john@email.org", null, "1234"); - FederationTestUtils.updateLDAPPassword(ldapProvider, johnLdap, "Password1"); - groupMapper.addGroupMappingInLDAP("group11", johnLdap); - - // Assert groups not yet imported to Keycloak DB - Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group1")); - Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group11")); - Assert.assertNull(KeycloakModelUtils.findGroupByPath(realm, "/group12")); - - // Load user from LDAP to Keycloak DB - UserModel john = session.users().getUserByUsername("johnkeycloak", realm); - Set johnGroups = john.getGroups(); - - // Assert just those groups, which john was memberOf exists because they were lazily created - GroupModel group1 = KeycloakModelUtils.findGroupByPath(realm, "/group1"); - GroupModel group11 = KeycloakModelUtils.findGroupByPath(realm, "/group11"); - GroupModel group12 = KeycloakModelUtils.findGroupByPath(realm, "/group12"); - Assert.assertNull(group1); - Assert.assertNotNull(group11); - Assert.assertNull(group12); - - Assert.assertEquals(1, johnGroups.size()); - Assert.assertTrue(johnGroups.contains(group11)); - - // Delete group mapping - john.leaveGroup(group11); - - } finally { - keycloakRule.stopSession(session, false); - } - } - -} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPGroupMapperTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPGroupMapperTest.java deleted file mode 100755 index cdbd6957e36..00000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPGroupMapperTest.java +++ /dev/null @@ -1,361 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation.ldap.base; - -import org.junit.Assert; -import org.junit.ClassRule; -import org.junit.FixMethodOrder; -import org.junit.Test; -import org.junit.rules.RuleChain; -import org.junit.rules.TestRule; -import org.junit.runners.MethodSorters; -import org.keycloak.federation.ldap.LDAPConfig; -import org.keycloak.federation.ldap.LDAPFederationProvider; -import org.keycloak.federation.ldap.LDAPFederationProviderFactory; -import org.keycloak.federation.ldap.LDAPUtils; -import org.keycloak.federation.ldap.idm.model.LDAPDn; -import org.keycloak.federation.ldap.idm.model.LDAPObject; -import org.keycloak.federation.ldap.mappers.membership.LDAPGroupMapperMode; -import org.keycloak.federation.ldap.mappers.membership.MembershipType; -import org.keycloak.federation.ldap.mappers.membership.group.GroupLDAPFederationMapper; -import org.keycloak.federation.ldap.mappers.membership.group.GroupLDAPFederationMapperFactory; -import org.keycloak.federation.ldap.mappers.membership.group.GroupMapperConfig; -import org.keycloak.models.GroupModel; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.LDAPConstants; -import org.keycloak.models.ModelException; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserFederationMapperModel; -import org.keycloak.models.UserFederationProvider; -import org.keycloak.models.UserFederationProviderModel; -import org.keycloak.models.UserModel; -import org.keycloak.models.utils.KeycloakModelUtils; -import org.keycloak.services.managers.RealmManager; -import org.keycloak.testsuite.federation.ldap.FederationTestUtils; -import org.keycloak.testsuite.rule.KeycloakRule; -import org.keycloak.testsuite.rule.LDAPRule; - -import java.util.List; -import java.util.Map; -import java.util.Set; - -/** - * @author Marek Posolda - */ -@FixMethodOrder(MethodSorters.NAME_ASCENDING) -public class LDAPGroupMapperTest { - - private static LDAPRule ldapRule = new LDAPRule(); - - private static UserFederationProviderModel ldapModel = null; - private static String descriptionAttrName = null; - - private static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() { - - @Override - public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { - FederationTestUtils.addLocalUser(manager.getSession(), appRealm, "mary", "mary@test.com", "password-app"); - FederationTestUtils.addLocalUser(manager.getSession(), appRealm, "john", "john@test.com", "password-app"); - - Map ldapConfig = ldapRule.getConfig(); - ldapConfig.put(LDAPConstants.SYNC_REGISTRATIONS, "true"); - ldapConfig.put(LDAPConstants.EDIT_MODE, UserFederationProvider.EditMode.WRITABLE.toString()); - - ldapModel = appRealm.addUserFederationProvider(LDAPFederationProviderFactory.PROVIDER_NAME, ldapConfig, 0, "test-ldap", -1, -1, 0); - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - descriptionAttrName = ldapFedProvider.getLdapIdentityStore().getConfig().isActiveDirectory() ? "displayName" : "description"; - - // Add group mapper - FederationTestUtils.addOrUpdateGroupMapper(appRealm, ldapModel, LDAPGroupMapperMode.LDAP_ONLY, descriptionAttrName); - - // Remove all LDAP groups - FederationTestUtils.removeAllLDAPGroups(session, appRealm, ldapModel, "groupsMapper"); - - // Add some groups for testing - LDAPObject group1 = FederationTestUtils.createLDAPGroup(manager.getSession(), appRealm, ldapModel, "group1", descriptionAttrName, "group1 - description"); - LDAPObject group11 = FederationTestUtils.createLDAPGroup(manager.getSession(), appRealm, ldapModel, "group11"); - LDAPObject group12 = FederationTestUtils.createLDAPGroup(manager.getSession(), appRealm, ldapModel, "group12", descriptionAttrName, "group12 - description"); - - LDAPUtils.addMember(ldapFedProvider, MembershipType.DN, LDAPConstants.MEMBER, group1, group11, false); - LDAPUtils.addMember(ldapFedProvider, MembershipType.DN, LDAPConstants.MEMBER, group1, group12, true); - - // Sync LDAP groups to Keycloak DB - UserFederationMapperModel mapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - new GroupLDAPFederationMapperFactory().create(session).syncDataFromFederationProviderToKeycloak(mapperModel, ldapFedProvider, session, appRealm); - - // Delete all LDAP users - FederationTestUtils.removeAllLDAPUsers(ldapFedProvider, appRealm); - - // Add some LDAP users for testing - LDAPObject john = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "johnkeycloak", "John", "Doe", "john@email.org", null, "1234"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, john, "Password1"); - - LDAPObject mary = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "marykeycloak", "Mary", "Kelly", "mary@email.org", null, "5678"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, mary, "Password1"); - - LDAPObject rob = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "robkeycloak", "Rob", "Brown", "rob@email.org", null, "8910"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, rob, "Password1"); - - LDAPObject james = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "jameskeycloak", "James", "Brown", "james@email.org", null, "8910"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, james, "Password1"); - - } - }); - - @ClassRule - public static TestRule chain = RuleChain - .outerRule(ldapRule) - .around(keycloakRule); - - @Test - public void test01_ldapOnlyGroupMappings() { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - - UserFederationMapperModel mapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - FederationTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.MODE, LDAPGroupMapperMode.LDAP_ONLY.toString()); - appRealm.updateUserFederationMapper(mapperModel); - - UserModel john = session.users().getUserByUsername("johnkeycloak", appRealm); - UserModel mary = session.users().getUserByUsername("marykeycloak", appRealm); - - // 1 - Grant some groups in LDAP - - // This group should already exists as it was imported from LDAP - GroupModel group1 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1"); - john.joinGroup(group1); - - // This group should already exists as it was imported from LDAP - GroupModel group11 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group11"); - mary.joinGroup(group11); - - // This group should already exists as it was imported from LDAP - GroupModel group12 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group12"); - john.joinGroup(group12); - mary.joinGroup(group12); - - // 2 - Check that group mappings are not in local Keycloak DB (They are in LDAP). - - UserModel johnDb = session.userStorage().getUserByUsername("johnkeycloak", appRealm); - Set johnDbGroups = johnDb.getGroups(); - Assert.assertEquals(0, johnDbGroups.size()); - - // 3 - Check that group mappings are in LDAP and hence available through federation - - Set johnGroups = john.getGroups(); - Assert.assertEquals(2, johnGroups.size()); - Assert.assertTrue(johnGroups.contains(group1)); - Assert.assertFalse(johnGroups.contains(group11)); - Assert.assertTrue(johnGroups.contains(group12)); - - // 4 - Check through userProvider - List group1Members = session.users().getGroupMembers(appRealm, group1, 0, 10); - List group11Members = session.users().getGroupMembers(appRealm, group11, 0, 10); - List group12Members = session.users().getGroupMembers(appRealm, group12, 0, 10); - - Assert.assertEquals(1, group1Members.size()); - Assert.assertEquals("johnkeycloak", group1Members.get(0).getUsername()); - Assert.assertEquals(1, group11Members.size()); - Assert.assertEquals("marykeycloak", group11Members.get(0).getUsername()); - Assert.assertEquals(2, group12Members.size()); - - // 4 - Delete some group mappings and check they are deleted - - john.leaveGroup(group1); - john.leaveGroup(group12); - - mary.leaveGroup(group1); - mary.leaveGroup(group12); - - johnGroups = john.getGroups(); - Assert.assertEquals(0, johnGroups.size()); - - } finally { - keycloakRule.stopSession(session, false); - } - } - - @Test - public void test02_readOnlyGroupMappings() { - KeycloakSession session = keycloakRule.startSession(); - try { - System.out.println("starting test02_readOnlyGroupMappings"); - RealmModel appRealm = session.realms().getRealmByName("test"); - - UserFederationMapperModel mapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - FederationTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.MODE, LDAPGroupMapperMode.READ_ONLY.toString()); - appRealm.updateUserFederationMapper(mapperModel); - - UserModel mary = session.users().getUserByUsername("marykeycloak", appRealm); - - GroupModel group1 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1"); - GroupModel group11 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group11"); - GroupModel group12 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group12"); - - // Add some group mappings directly into LDAP - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - GroupLDAPFederationMapper groupMapper = FederationTestUtils.getGroupMapper(mapperModel, ldapProvider, appRealm); - - LDAPObject maryLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "marykeycloak"); - groupMapper.addGroupMappingInLDAP("group1", maryLdap); - groupMapper.addGroupMappingInLDAP("group11", maryLdap); - - // Add some group mapping to model - mary.joinGroup(group12); - - // Assert that mary has both LDAP and DB mapped groups - Set maryGroups = mary.getGroups(); - Assert.assertEquals(3, maryGroups.size()); - Assert.assertTrue(maryGroups.contains(group1)); - Assert.assertTrue(maryGroups.contains(group11)); - Assert.assertTrue(maryGroups.contains(group12)); - - // Assert that access through DB will have just DB mapped groups - System.out.println("******"); - UserModel maryDB = session.userStorage().getUserByUsername("marykeycloak", appRealm); - Set maryDBGroups = maryDB.getGroups(); - Assert.assertFalse(maryDBGroups.contains(group1)); - Assert.assertFalse(maryDBGroups.contains(group11)); - Assert.assertTrue(maryDBGroups.contains(group12)); - - // Check through userProvider - List group1Members = session.users().getGroupMembers(appRealm, group1, 0, 10); - List group11Members = session.users().getGroupMembers(appRealm, group11, 0, 10); - List group12Members = session.users().getGroupMembers(appRealm, group12, 0, 10); - Assert.assertEquals(1, group1Members.size()); - Assert.assertEquals("marykeycloak", group1Members.get(0).getUsername()); - Assert.assertEquals(1, group11Members.size()); - Assert.assertEquals("marykeycloak", group11Members.get(0).getUsername()); - Assert.assertEquals(1, group12Members.size()); - Assert.assertEquals("marykeycloak", group12Members.get(0).getUsername()); - - mary.leaveGroup(group12); - try { - mary.leaveGroup(group1); - Assert.fail("It wasn't expected to successfully delete LDAP group mappings in READ_ONLY mode"); - } catch (ModelException expected) { - } - - // Delete role mappings directly in LDAP - deleteGroupMappingsInLDAP(groupMapper, maryLdap, "group1"); - deleteGroupMappingsInLDAP(groupMapper, maryLdap, "group11"); - } finally { - keycloakRule.stopSession(session, false); - } - } - - @Test - public void test03_importGroupMappings() { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - - UserFederationMapperModel mapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - FederationTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.MODE, LDAPGroupMapperMode.IMPORT.toString()); - appRealm.updateUserFederationMapper(mapperModel); - - // Add some group mappings directly in LDAP - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - GroupLDAPFederationMapper groupMapper = FederationTestUtils.getGroupMapper(mapperModel, ldapProvider, appRealm); - - LDAPObject robLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "robkeycloak"); - groupMapper.addGroupMappingInLDAP("group11", robLdap); - groupMapper.addGroupMappingInLDAP("group12", robLdap); - - // Get user and check that he has requested groupa from LDAP - UserModel rob = session.users().getUserByUsername("robkeycloak", appRealm); - Set robGroups = rob.getGroups(); - - GroupModel group1 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1"); - GroupModel group11 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group11"); - GroupModel group12 = KeycloakModelUtils.findGroupByPath(appRealm, "/group1/group12"); - - Assert.assertFalse(robGroups.contains(group1)); - Assert.assertTrue(robGroups.contains(group11)); - Assert.assertTrue(robGroups.contains(group12)); - - // Delete some group mappings in LDAP and check that it doesn't have any effect and user still has groups - deleteGroupMappingsInLDAP(groupMapper, robLdap, "group11"); - deleteGroupMappingsInLDAP(groupMapper, robLdap, "group12"); - robGroups = rob.getGroups(); - Assert.assertTrue(robGroups.contains(group11)); - Assert.assertTrue(robGroups.contains(group12)); - - // Delete group mappings through model and verifies that user doesn't have them anymore - rob.leaveGroup(group11); - rob.leaveGroup(group12); - robGroups = rob.getGroups(); - Assert.assertEquals(0, robGroups.size()); - } finally { - keycloakRule.stopSession(session, false); - } - } - - - // KEYCLOAK-2682 - @Test - public void test04_groupReferencingNonExistentMember() { - KeycloakSession session = keycloakRule.startSession(); - try { - // Ignoring this test on ActiveDirectory as it's not allowed to have LDAP group referencing nonexistent member. KEYCLOAK-2682 was related to OpenLDAP TODO: Better solution than programmatic... - LDAPConfig config = FederationTestUtils.getLdapProvider(session, ldapModel).getLdapIdentityStore().getConfig(); - if (config.isActiveDirectory()) { - return; - } - - RealmModel appRealm = session.realms().getRealmByName("test"); - - UserFederationMapperModel mapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), "groupsMapper"); - FederationTestUtils.updateGroupMapperConfigOptions(mapperModel, GroupMapperConfig.MODE, LDAPGroupMapperMode.LDAP_ONLY.toString()); - appRealm.updateUserFederationMapper(mapperModel); - - // 1 - Add some group to LDAP for testing - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - GroupLDAPFederationMapper groupMapper = FederationTestUtils.getGroupMapper(mapperModel, ldapProvider, appRealm); - LDAPObject group2 = FederationTestUtils.createLDAPGroup(session, appRealm, ldapModel, "group2", descriptionAttrName, "group2 - description"); - - // 2 - Add one existing user rob to LDAP group - LDAPObject jamesLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "jameskeycloak"); - LDAPUtils.addMember(ldapProvider, MembershipType.DN, LDAPConstants.MEMBER, group2, jamesLdap, false); - - // 3 - Add non-existing user to LDAP group - LDAPDn nonExistentDn = LDAPDn.fromString(ldapProvider.getLdapIdentityStore().getConfig().getUsersDn()); - nonExistentDn.addFirst(jamesLdap.getRdnAttributeName(), "nonexistent"); - LDAPObject nonExistentLdapUser = new LDAPObject(); - nonExistentLdapUser.setDn(nonExistentDn); - LDAPUtils.addMember(ldapProvider, MembershipType.DN, LDAPConstants.MEMBER, group2, nonExistentLdapUser, true); - - // 4 - Check group members. Just existing user rob should be present - groupMapper.syncDataFromFederationProviderToKeycloak(); - GroupModel kcGroup2 = KeycloakModelUtils.findGroupByPath(appRealm, "/group2"); - List groupUsers = session.users().getGroupMembers(appRealm, kcGroup2, 0, 5); - Assert.assertEquals(1, groupUsers.size()); - UserModel rob = groupUsers.get(0); - Assert.assertEquals("jameskeycloak", rob.getUsername()); - - } finally { - keycloakRule.stopSession(session, false); - } - } - - private void deleteGroupMappingsInLDAP(GroupLDAPFederationMapper groupMapper, LDAPObject ldapUser, String groupName) { - LDAPObject ldapGroup = groupMapper.loadLDAPGroupByName(groupName); - groupMapper.deleteGroupMappingInLDAP(ldapUser, ldapGroup); - } -} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPMultipleAttributesTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPMultipleAttributesTest.java deleted file mode 100755 index 7db180afc44..00000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPMultipleAttributesTest.java +++ /dev/null @@ -1,239 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation.ldap.base; - -import org.junit.Assert; -import org.junit.ClassRule; -import org.junit.FixMethodOrder; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.RuleChain; -import org.junit.rules.TestRule; -import org.junit.runners.MethodSorters; -import org.keycloak.OAuth2Constants; -import org.keycloak.federation.ldap.LDAPFederationProvider; -import org.keycloak.federation.ldap.LDAPFederationProviderFactory; -import org.keycloak.federation.ldap.idm.model.LDAPObject; -import org.keycloak.models.ClientModel; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.LDAPConstants; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserFederationProvider; -import org.keycloak.models.UserFederationProviderModel; -import org.keycloak.models.UserModel; -import org.keycloak.models.utils.KeycloakModelUtils; -import org.keycloak.protocol.oidc.OIDCLoginProtocolService; -import org.keycloak.protocol.oidc.mappers.UserAttributeMapper; -import org.keycloak.services.managers.RealmManager; -import org.keycloak.testsuite.OAuthClient; -import org.keycloak.testsuite.federation.ldap.FederationTestUtils; -import org.keycloak.testsuite.federation.ldap.LDAPExampleServlet; -import org.keycloak.testsuite.pages.LoginPage; -import org.keycloak.testsuite.rule.KeycloakRule; -import org.keycloak.testsuite.rule.LDAPRule; -import org.keycloak.testsuite.rule.WebResource; -import org.keycloak.testsuite.rule.WebRule; -import org.openqa.selenium.WebDriver; - -import javax.ws.rs.core.UriBuilder; -import java.net.URL; -import java.util.Arrays; -import java.util.LinkedHashSet; -import java.util.LinkedList; -import java.util.List; -import java.util.Map; - -/** - * @author Marek Posolda - */ -@FixMethodOrder(MethodSorters.NAME_ASCENDING) -public class LDAPMultipleAttributesTest { - - protected String APP_SERVER_BASE_URL = "http://localhost:8081"; - protected String LOGIN_URL = OIDCLoginProtocolService.authUrl(UriBuilder.fromUri(APP_SERVER_BASE_URL + "/auth")).build("test").toString(); - - private static LDAPRule ldapRule = new LDAPRule(); - - private static UserFederationProviderModel ldapModel = null; - - private static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() { - - @Override - public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { - Map ldapConfig = ldapRule.getConfig(); - ldapConfig.put(LDAPConstants.EDIT_MODE, UserFederationProvider.EditMode.WRITABLE.toString()); - - ldapModel = appRealm.addUserFederationProvider(LDAPFederationProviderFactory.PROVIDER_NAME, ldapConfig, 0, "test-ldap", -1, -1, 0); - FederationTestUtils.addZipCodeLDAPMapper(appRealm, ldapModel); - FederationTestUtils.addUserAttributeMapper(appRealm, ldapModel, "streetMapper", "street", LDAPConstants.STREET); - - // Remove current users and add default users - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - FederationTestUtils.removeAllLDAPUsers(ldapFedProvider, appRealm); - - LDAPObject james = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "jbrown", "James", "Brown", "jbrown@keycloak.org", null, "88441"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, james, "Password1"); - - // User for testing duplicating surname and postalCode - LDAPObject bruce = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "bwilson", "Bruce", "Wilson", "bwilson@keycloak.org", "Elm 5", "88441", "77332"); - bruce.setAttribute("sn", new LinkedHashSet<>(Arrays.asList("Wilson", "Schneider"))); - ldapFedProvider.getLdapIdentityStore().update(bruce); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, bruce, "Password1"); - - // Create ldap-portal client - ClientModel ldapClient = KeycloakModelUtils.createClient(appRealm, "ldap-portal"); - ldapClient.addRedirectUri("/ldap-portal"); - ldapClient.addRedirectUri("/ldap-portal/*"); - ldapClient.setManagementUrl("/ldap-portal"); - ldapClient.addProtocolMapper(UserAttributeMapper.createClaimMapper("postalCode", "postal_code", "postal_code", "String", true, "", true, true, true)); - ldapClient.addProtocolMapper(UserAttributeMapper.createClaimMapper("street", "street", "street", "String", true, "", true, true, false)); - ldapClient.addScopeMapping(appRealm.getRole("user")); - ldapClient.setSecret("password"); - - // Deploy ldap-portal client - URL url = getClass().getResource("/ldap/ldap-app-keycloak.json"); - keycloakRule.createApplicationDeployment() - .name("ldap-portal").contextPath("/ldap-portal") - .servletClass(LDAPExampleServlet.class).adapterConfigPath(url.getPath()) - .role("user").deployApplication(); - } - }); - - @ClassRule - public static TestRule chain = RuleChain - .outerRule(ldapRule) - .around(keycloakRule); - - @Rule - public WebRule webRule = new WebRule(this); - - @WebResource - protected WebDriver driver; - - @WebResource - protected OAuthClient oauth; - - @WebResource - protected LoginPage loginPage; - - @Test - public void testModel() { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - - FederationTestUtils.assertUserImported(session.users(), appRealm, "jbrown", "James", "Brown", "jbrown@keycloak.org", "88441"); - - UserModel user = session.users().getUserByUsername("bwilson", appRealm); - Assert.assertEquals("bwilson@keycloak.org", user.getEmail()); - Assert.assertEquals("Bruce", user.getFirstName()); - - // There are 2 lastnames in ldif - Assert.assertTrue("Wilson".equals(user.getLastName()) || "Schneider".equals(user.getLastName())); - - // Actually there are 2 postalCodes - List postalCodes = user.getAttribute("postal_code"); - assertPostalCodes(postalCodes, "88441", "77332"); - List tmp = new LinkedList<>(); - tmp.addAll(postalCodes); - postalCodes = tmp; - postalCodes.remove("77332"); - user.setAttribute("postal_code", postalCodes); - - } finally { - keycloakRule.stopSession(session, true); - } - - session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - UserModel user = session.users().getUserByUsername("bwilson", appRealm); - List postalCodes = user.getAttribute("postal_code"); - assertPostalCodes(postalCodes, "88441"); - List tmp = new LinkedList<>(); - tmp.addAll(postalCodes); - postalCodes = tmp; - postalCodes.add("77332"); - user.setAttribute("postal_code", postalCodes); - } finally { - keycloakRule.stopSession(session, true); - } - - session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - UserModel user = session.users().getUserByUsername("bwilson", appRealm); - assertPostalCodes(user.getAttribute("postal_code"), "88441", "77332"); - } finally { - keycloakRule.stopSession(session, true); - } - } - - private void assertPostalCodes(List postalCodes, String... expectedPostalCodes) { - if (expectedPostalCodes == null && postalCodes.isEmpty()) { - return; - } - - - Assert.assertEquals(expectedPostalCodes.length, postalCodes.size()); - for (String expected : expectedPostalCodes) { - if (!postalCodes.contains(expected)) { - Assert.fail("postalCode '" + expected + "' not in postalCodes: " + postalCodes); - } - } - } - - @Test - public void ldapPortalEndToEndTest() { - // Login as bwilson - driver.navigate().to(APP_SERVER_BASE_URL + "/ldap-portal"); - Assert.assertTrue(driver.getCurrentUrl().startsWith(LOGIN_URL)); - loginPage.login("bwilson", "Password1"); - Assert.assertTrue(driver.getCurrentUrl().startsWith(APP_SERVER_BASE_URL + "/ldap-portal")); - String pageSource = driver.getPageSource(); - System.out.println(pageSource); - Assert.assertTrue(pageSource.contains("bwilson") && pageSource.contains("Bruce")); - Assert.assertTrue(pageSource.contains("street") && pageSource.contains("Elm 5")); - Assert.assertTrue(pageSource.contains("postal_code") && pageSource.contains("88441") && pageSource.contains("77332")); - - // Logout - String logoutUri = OIDCLoginProtocolService.logoutUrl(UriBuilder.fromUri(APP_SERVER_BASE_URL + "/auth")) - .queryParam(OAuth2Constants.REDIRECT_URI, APP_SERVER_BASE_URL + "/ldap-portal").build("test").toString(); - driver.navigate().to(logoutUri); - - // Login as jbrown - driver.navigate().to(APP_SERVER_BASE_URL + "/ldap-portal"); - Assert.assertTrue(driver.getCurrentUrl().startsWith(LOGIN_URL)); - loginPage.login("jbrown", "Password1"); - Assert.assertTrue(driver.getCurrentUrl().startsWith(APP_SERVER_BASE_URL + "/ldap-portal")); - pageSource = driver.getPageSource(); - System.out.println(pageSource); - Assert.assertTrue(pageSource.contains("jbrown") && pageSource.contains("James Brown")); - Assert.assertFalse(pageSource.contains("street")); - Assert.assertTrue(pageSource.contains("postal_code") && pageSource.contains("88441")); - Assert.assertFalse(pageSource.contains("77332")); - - // Logout - driver.navigate().to(logoutUri); - } - - - -} - - diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPRoleMappingsTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPRoleMappingsTest.java deleted file mode 100644 index 0d35d21998d..00000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPRoleMappingsTest.java +++ /dev/null @@ -1,355 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation.ldap.base; - -import org.junit.Assert; -import org.junit.ClassRule; -import org.junit.FixMethodOrder; -import org.junit.Rule; -import org.junit.Test; -import org.junit.rules.RuleChain; -import org.junit.rules.TestRule; -import org.junit.runners.MethodSorters; -import org.keycloak.federation.ldap.LDAPFederationProvider; -import org.keycloak.federation.ldap.LDAPFederationProviderFactory; -import org.keycloak.federation.ldap.idm.model.LDAPObject; -import org.keycloak.federation.ldap.mappers.membership.LDAPGroupMapperMode; -import org.keycloak.federation.ldap.mappers.membership.role.RoleLDAPFederationMapper; -import org.keycloak.models.AccountRoles; -import org.keycloak.models.ClientModel; -import org.keycloak.models.Constants; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.LDAPConstants; -import org.keycloak.models.ModelException; -import org.keycloak.models.RealmModel; -import org.keycloak.models.RoleModel; -import org.keycloak.models.UserFederationMapperModel; -import org.keycloak.models.UserFederationProvider; -import org.keycloak.models.UserFederationProviderModel; -import org.keycloak.models.UserModel; -import org.keycloak.services.managers.RealmManager; -import org.keycloak.testsuite.OAuthClient; -import org.keycloak.testsuite.federation.ldap.FederationTestUtils; -import org.keycloak.testsuite.pages.AppPage; -import org.keycloak.testsuite.pages.LoginPage; -import org.keycloak.testsuite.rule.KeycloakRule; -import org.keycloak.testsuite.rule.LDAPRule; -import org.keycloak.testsuite.rule.WebResource; -import org.keycloak.testsuite.rule.WebRule; -import org.openqa.selenium.WebDriver; - -import java.util.Map; -import java.util.Set; - -/** - * @author Marek Posolda - */ -@FixMethodOrder(MethodSorters.NAME_ASCENDING) -public class LDAPRoleMappingsTest { - - private static LDAPRule ldapRule = new LDAPRule(); - - private static UserFederationProviderModel ldapModel = null; - - private static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() { - - @Override - public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { - FederationTestUtils.addLocalUser(manager.getSession(), appRealm, "mary", "mary@test.com", "password-app"); - - Map ldapConfig = ldapRule.getConfig(); - ldapConfig.put(LDAPConstants.SYNC_REGISTRATIONS, "true"); - ldapConfig.put(LDAPConstants.EDIT_MODE, UserFederationProvider.EditMode.WRITABLE.toString()); - - ldapModel = appRealm.addUserFederationProvider(LDAPFederationProviderFactory.PROVIDER_NAME, ldapConfig, 0, "test-ldap", -1, -1, 0); - - // Delete all LDAP users - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - FederationTestUtils.removeAllLDAPUsers(ldapFedProvider, appRealm); - - // Add sample application - ClientModel finance = appRealm.addClient("finance"); - - // Delete all LDAP roles - FederationTestUtils.addOrUpdateRoleLDAPMappers(appRealm, ldapModel, LDAPGroupMapperMode.LDAP_ONLY); - FederationTestUtils.removeAllLDAPRoles(manager.getSession(), appRealm, ldapModel, "realmRolesMapper"); - FederationTestUtils.removeAllLDAPRoles(manager.getSession(), appRealm, ldapModel, "financeRolesMapper"); - - // Add some users for testing - LDAPObject john = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "johnkeycloak", "John", "Doe", "john@email.org", null, "1234"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, john, "Password1"); - - LDAPObject mary = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "marykeycloak", "Mary", "Kelly", "mary@email.org", null, "5678"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, mary, "Password1"); - - LDAPObject rob = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "robkeycloak", "Rob", "Brown", "rob@email.org", null, "8910"); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, rob, "Password1"); - - // Add some roles for testing - FederationTestUtils.createLDAPRole(manager.getSession(), appRealm, ldapModel, "realmRolesMapper", "realmRole1"); - FederationTestUtils.createLDAPRole(manager.getSession(), appRealm, ldapModel, "realmRolesMapper", "realmRole2"); - FederationTestUtils.createLDAPRole(manager.getSession(), appRealm, ldapModel, "financeRolesMapper", "financeRole1"); - - // Sync LDAP roles to Keycloak DB - FederationTestUtils.syncRolesFromLDAP(appRealm, ldapFedProvider, ldapModel); - } - }); - - @ClassRule - public static TestRule chain = RuleChain - .outerRule(ldapRule) - .around(keycloakRule); - - @Rule - public WebRule webRule = new WebRule(this); - - @WebResource - protected OAuthClient oauth; - - @WebResource - protected WebDriver driver; - - @WebResource - protected AppPage appPage; - - @WebResource - protected LoginPage loginPage; - - @Test - public void test01_ldapOnlyRoleMappings() { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - - FederationTestUtils.addOrUpdateRoleLDAPMappers(appRealm, ldapModel, LDAPGroupMapperMode.LDAP_ONLY); - - UserModel john = session.users().getUserByUsername("johnkeycloak", appRealm); - UserModel mary = session.users().getUserByUsername("marykeycloak", appRealm); - - // 1 - Grant some roles in LDAP - - // This role should already exists as it was imported from LDAP - RoleModel realmRole1 = appRealm.getRole("realmRole1"); - john.grantRole(realmRole1); - - // This role should already exists as it was imported from LDAP - RoleModel realmRole2 = appRealm.getRole("realmRole2"); - mary.grantRole(realmRole2); - - // This role may already exists from previous test (was imported from LDAP), but may not - RoleModel realmRole3 = appRealm.getRole("realmRole3"); - if (realmRole3 == null) { - realmRole3 = appRealm.addRole("realmRole3"); - } - - john.grantRole(realmRole3); - mary.grantRole(realmRole3); - - ClientModel accountApp = appRealm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID); - ClientModel financeApp = appRealm.getClientByClientId("finance"); - - RoleModel manageAccountRole = accountApp.getRole(AccountRoles.MANAGE_ACCOUNT); - RoleModel financeRole1 = financeApp.getRole("financeRole1"); - john.grantRole(financeRole1); - - // 2 - Check that role mappings are not in local Keycloak DB (They are in LDAP). - - UserModel johnDb = session.userStorage().getUserByUsername("johnkeycloak", appRealm); - Set johnDbRoles = johnDb.getRoleMappings(); - Assert.assertFalse(johnDbRoles.contains(realmRole1)); - Assert.assertFalse(johnDbRoles.contains(realmRole2)); - Assert.assertFalse(johnDbRoles.contains(realmRole3)); - Assert.assertFalse(johnDbRoles.contains(financeRole1)); - Assert.assertTrue(johnDbRoles.contains(manageAccountRole)); - - // 3 - Check that role mappings are in LDAP and hence available through federation - - Set johnRoles = john.getRoleMappings(); - Assert.assertTrue(johnRoles.contains(realmRole1)); - Assert.assertFalse(johnRoles.contains(realmRole2)); - Assert.assertTrue(johnRoles.contains(realmRole3)); - Assert.assertTrue(johnRoles.contains(financeRole1)); - Assert.assertTrue(johnRoles.contains(manageAccountRole)); - - Set johnRealmRoles = john.getRealmRoleMappings(); - Assert.assertEquals(2, johnRealmRoles.size()); - Assert.assertTrue(johnRealmRoles.contains(realmRole1)); - Assert.assertTrue(johnRealmRoles.contains(realmRole3)); - - // account roles are not mapped in LDAP. Those are in Keycloak DB - Set johnAccountRoles = john.getClientRoleMappings(accountApp); - Assert.assertTrue(johnAccountRoles.contains(manageAccountRole)); - - Set johnFinanceRoles = john.getClientRoleMappings(financeApp); - Assert.assertEquals(1, johnFinanceRoles.size()); - Assert.assertTrue(johnFinanceRoles.contains(financeRole1)); - - // 4 - Delete some role mappings and check they are deleted - - john.deleteRoleMapping(realmRole3); - john.deleteRoleMapping(realmRole1); - john.deleteRoleMapping(financeRole1); - john.deleteRoleMapping(manageAccountRole); - - johnRoles = john.getRoleMappings(); - Assert.assertFalse(johnRoles.contains(realmRole1)); - Assert.assertFalse(johnRoles.contains(realmRole2)); - Assert.assertFalse(johnRoles.contains(realmRole3)); - Assert.assertFalse(johnRoles.contains(financeRole1)); - Assert.assertFalse(johnRoles.contains(manageAccountRole)); - - // Cleanup - mary.deleteRoleMapping(realmRole2); - mary.deleteRoleMapping(realmRole3); - john.grantRole(manageAccountRole); - } finally { - keycloakRule.stopSession(session, false); - } - } - - @Test - public void test02_readOnlyRoleMappings() { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - - FederationTestUtils.addOrUpdateRoleLDAPMappers(appRealm, ldapModel, LDAPGroupMapperMode.READ_ONLY); - - UserModel mary = session.users().getUserByUsername("marykeycloak", appRealm); - - RoleModel realmRole1 = appRealm.getRole("realmRole1"); - RoleModel realmRole2 = appRealm.getRole("realmRole2"); - RoleModel realmRole3 = appRealm.getRole("realmRole3"); - if (realmRole3 == null) { - realmRole3 = appRealm.addRole("realmRole3"); - } - - // Add some role mappings directly into LDAP - UserFederationMapperModel roleMapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), "realmRolesMapper"); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - RoleLDAPFederationMapper roleMapper = FederationTestUtils.getRoleMapper(roleMapperModel, ldapProvider, appRealm); - - LDAPObject maryLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "marykeycloak"); - roleMapper.addRoleMappingInLDAP("realmRole1", maryLdap); - roleMapper.addRoleMappingInLDAP("realmRole2", maryLdap); - - // Add some role to model - mary.grantRole(realmRole3); - - // Assert that mary has both LDAP and DB mapped roles - Set maryRoles = mary.getRealmRoleMappings(); - Assert.assertTrue(maryRoles.contains(realmRole1)); - Assert.assertTrue(maryRoles.contains(realmRole2)); - Assert.assertTrue(maryRoles.contains(realmRole3)); - - // Assert that access through DB will have just DB mapped role - UserModel maryDB = session.userStorage().getUserByUsername("marykeycloak", appRealm); - Set maryDBRoles = maryDB.getRealmRoleMappings(); - Assert.assertFalse(maryDBRoles.contains(realmRole1)); - Assert.assertFalse(maryDBRoles.contains(realmRole2)); - Assert.assertTrue(maryDBRoles.contains(realmRole3)); - - mary.deleteRoleMapping(realmRole3); - try { - mary.deleteRoleMapping(realmRole1); - Assert.fail("It wasn't expected to successfully delete LDAP role mappings in READ_ONLY mode"); - } catch (ModelException expected) { - } - - // Delete role mappings directly in LDAP - deleteRoleMappingsInLDAP(roleMapper, maryLdap, "realmRole1"); - deleteRoleMappingsInLDAP(roleMapper, maryLdap, "realmRole2"); - } finally { - keycloakRule.stopSession(session, false); - } - - session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - UserModel mary = session.users().getUserByUsername("marykeycloak", appRealm); - - // Assert role mappings is not available - Set maryRoles = mary.getRealmRoleMappings(); - Assert.assertFalse(maryRoles.contains(appRealm.getRole("realmRole1"))); - Assert.assertFalse(maryRoles.contains(appRealm.getRole("realmRole2"))); - Assert.assertFalse(maryRoles.contains(appRealm.getRole("realmRole3"))); - } finally { - keycloakRule.stopSession(session, false); - } - } - - @Test - public void test03_importRoleMappings() { - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel appRealm = session.realms().getRealmByName("test"); - - FederationTestUtils.addOrUpdateRoleLDAPMappers(appRealm, ldapModel, LDAPGroupMapperMode.IMPORT); - - // Add some role mappings directly in LDAP - UserFederationMapperModel roleMapperModel = appRealm.getUserFederationMapperByName(ldapModel.getId(), "realmRolesMapper"); - LDAPFederationProvider ldapProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - RoleLDAPFederationMapper roleMapper = FederationTestUtils.getRoleMapper(roleMapperModel, ldapProvider, appRealm); - - LDAPObject robLdap = ldapProvider.loadLDAPUserByUsername(appRealm, "robkeycloak"); - roleMapper.addRoleMappingInLDAP("realmRole1", robLdap); - roleMapper.addRoleMappingInLDAP("realmRole2", robLdap); - - // Get user and check that he has requested roles from LDAP - UserModel rob = session.users().getUserByUsername("robkeycloak", appRealm); - RoleModel realmRole1 = appRealm.getRole("realmRole1"); - RoleModel realmRole2 = appRealm.getRole("realmRole2"); - RoleModel realmRole3 = appRealm.getRole("realmRole3"); - if (realmRole3 == null) { - realmRole3 = appRealm.addRole("realmRole3"); - } - Set robRoles = rob.getRealmRoleMappings(); - Assert.assertTrue(robRoles.contains(realmRole1)); - Assert.assertTrue(robRoles.contains(realmRole2)); - Assert.assertFalse(robRoles.contains(realmRole3)); - - // Add some role mappings in model and check that user has it - rob.grantRole(realmRole3); - robRoles = rob.getRealmRoleMappings(); - Assert.assertTrue(robRoles.contains(realmRole3)); - - // Delete some role mappings in LDAP and check that it doesn't have any effect and user still has role - deleteRoleMappingsInLDAP(roleMapper, robLdap, "realmRole1"); - deleteRoleMappingsInLDAP(roleMapper, robLdap, "realmRole2"); - robRoles = rob.getRealmRoleMappings(); - Assert.assertTrue(robRoles.contains(realmRole1)); - Assert.assertTrue(robRoles.contains(realmRole2)); - - // Delete role mappings through model and verifies that user doesn't have them anymore - rob.deleteRoleMapping(realmRole1); - rob.deleteRoleMapping(realmRole2); - rob.deleteRoleMapping(realmRole3); - robRoles = rob.getRealmRoleMappings(); - Assert.assertFalse(robRoles.contains(realmRole1)); - Assert.assertFalse(robRoles.contains(realmRole2)); - Assert.assertFalse(robRoles.contains(realmRole3)); - } finally { - keycloakRule.stopSession(session, false); - } - } - - private void deleteRoleMappingsInLDAP(RoleLDAPFederationMapper roleMapper, LDAPObject ldapUser, String roleName) { - LDAPObject ldapRole1 = roleMapper.loadLDAPRoleByName(roleName); - roleMapper.deleteRoleMappingInLDAP(ldapUser, ldapRole1); - } -} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPSyncTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPSyncTest.java deleted file mode 100755 index e300ffd13d0..00000000000 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/LDAPSyncTest.java +++ /dev/null @@ -1,368 +0,0 @@ -/* - * Copyright 2016 Red Hat, Inc. and/or its affiliates - * and other contributors as indicated by the @author tags. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.keycloak.testsuite.federation.ldap.base; - -import org.junit.Assert; -import org.junit.ClassRule; -import org.junit.FixMethodOrder; -import org.junit.Test; -import org.junit.rules.RuleChain; -import org.junit.rules.TestRule; -import org.junit.runners.MethodSorters; -import org.keycloak.common.util.Time; -import org.keycloak.federation.ldap.LDAPFederationProvider; -import org.keycloak.federation.ldap.LDAPFederationProviderFactory; -import org.keycloak.federation.ldap.idm.model.LDAPObject; -import org.keycloak.models.KeycloakSession; -import org.keycloak.models.KeycloakSessionFactory; -import org.keycloak.models.LDAPConstants; -import org.keycloak.models.RealmModel; -import org.keycloak.models.UserFederationMapperModel; -import org.keycloak.models.UserFederationProvider; -import org.keycloak.models.UserFederationProviderModel; -import org.keycloak.models.UserFederationSyncResult; -import org.keycloak.models.UserModel; -import org.keycloak.models.UserProvider; -import org.keycloak.models.utils.KeycloakModelUtils; -import org.keycloak.services.managers.RealmManager; -import org.keycloak.services.managers.UsersSyncManager; -import org.keycloak.testsuite.federation.ldap.FederationTestUtils; -import org.keycloak.testsuite.rule.KeycloakRule; -import org.keycloak.testsuite.rule.LDAPRule; - -import java.util.Map; - -/** - * @author Marek Posolda - */ -@FixMethodOrder(MethodSorters.NAME_ASCENDING) -public class LDAPSyncTest { - - private static LDAPRule ldapRule = new LDAPRule(); - - private static UserFederationProviderModel ldapModel = null; - - private static KeycloakRule keycloakRule = new KeycloakRule(new KeycloakRule.KeycloakSetup() { - - @Override - public void config(RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) { - // Other tests may left Time offset uncleared, which could cause issues - Time.setOffset(0); - - Map ldapConfig = ldapRule.getConfig(); - ldapConfig.put(LDAPConstants.SYNC_REGISTRATIONS, "false"); - ldapConfig.put(LDAPConstants.EDIT_MODE, UserFederationProvider.EditMode.WRITABLE.toString()); - ldapModel = appRealm.addUserFederationProvider(LDAPFederationProviderFactory.PROVIDER_NAME, ldapConfig, 0, "test-ldap", - -1, -1, 0); - - FederationTestUtils.addZipCodeLDAPMapper(appRealm, ldapModel); - - // Delete all LDAP users and add 5 new users for testing - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - FederationTestUtils.removeAllLDAPUsers(ldapFedProvider, appRealm); - - for (int i=1 ; i<=5 ; i++) { - LDAPObject ldapUser = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "user" + i, "User" + i + "FN", "User" + i + "LN", "user" + i + "@email.org", null, "12" + i); - FederationTestUtils.updateLDAPPassword(ldapFedProvider, ldapUser, "Password1"); - } - } - }); - - @ClassRule - public static TestRule chain = RuleChain - .outerRule(ldapRule) - .around(keycloakRule); - -// @Test -// public void test01runit() throws Exception { -// Thread.sleep(10000000); -// } - - @Test - public void test01LDAPSync() { - UsersSyncManager usersSyncManager = new UsersSyncManager(); - - // wait a bit - sleep(ldapRule.getSleepTime()); - - KeycloakSession session = keycloakRule.startSession(); - try { - KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); - UserFederationSyncResult syncResult = usersSyncManager.syncAllUsers(sessionFactory, "test", ldapModel); - FederationTestUtils.assertSyncEquals(syncResult, 5, 0, 0, 0); - } finally { - keycloakRule.stopSession(session, false); - } - - session = keycloakRule.startSession(); - try { - RealmModel testRealm = session.realms().getRealm("test"); - UserProvider userProvider = session.userStorage(); - // Assert users imported - FederationTestUtils.assertUserImported(userProvider, testRealm, "user1", "User1FN", "User1LN", "user1@email.org", "121"); - FederationTestUtils.assertUserImported(userProvider, testRealm, "user2", "User2FN", "User2LN", "user2@email.org", "122"); - FederationTestUtils.assertUserImported(userProvider, testRealm, "user3", "User3FN", "User3LN", "user3@email.org", "123"); - FederationTestUtils.assertUserImported(userProvider, testRealm, "user4", "User4FN", "User4LN", "user4@email.org", "124"); - FederationTestUtils.assertUserImported(userProvider, testRealm, "user5", "User5FN", "User5LN", "user5@email.org", "125"); - - // Assert lastSync time updated - Assert.assertTrue(ldapModel.getLastSync() > 0); - for (UserFederationProviderModel persistentFedModel : testRealm.getUserFederationProviders()) { - if (LDAPFederationProviderFactory.PROVIDER_NAME.equals(persistentFedModel.getProviderName())) { - Assert.assertTrue(persistentFedModel.getLastSync() > 0); - } else { - // Dummy provider has still 0 - Assert.assertEquals(0, persistentFedModel.getLastSync()); - } - } - - // wait a bit - sleep(ldapRule.getSleepTime()); - - // Add user to LDAP and update 'user5' in LDAP - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - FederationTestUtils.addLDAPUser(ldapFedProvider, testRealm, "user6", "User6FN", "User6LN", "user6@email.org", null, "126"); - LDAPObject ldapUser5 = ldapFedProvider.loadLDAPUserByUsername(testRealm, "user5"); - // NOTE: Changing LDAP attributes directly here - ldapUser5.setSingleAttribute(LDAPConstants.EMAIL, "user5Updated@email.org"); - ldapUser5.setSingleAttribute(LDAPConstants.POSTAL_CODE, "521"); - ldapFedProvider.getLdapIdentityStore().update(ldapUser5); - - // Assert still old users in local provider - FederationTestUtils.assertUserImported(userProvider, testRealm, "user5", "User5FN", "User5LN", "user5@email.org", "125"); - Assert.assertNull(userProvider.getUserByUsername("user6", testRealm)); - - // Trigger partial sync - KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); - UserFederationSyncResult syncResult = usersSyncManager.syncChangedUsers(sessionFactory, "test", ldapModel); - FederationTestUtils.assertSyncEquals(syncResult, 1, 1, 0, 0); - } finally { - keycloakRule.stopSession(session, false); - } - - session = keycloakRule.startSession(); - try { - RealmModel testRealm = session.realms().getRealm("test"); - UserProvider userProvider = session.userStorage(); - // Assert users updated in local provider - FederationTestUtils.assertUserImported(userProvider, testRealm, "user5", "User5FN", "User5LN", "user5updated@email.org", "521"); - FederationTestUtils.assertUserImported(userProvider, testRealm, "user6", "User6FN", "User6LN", "user6@email.org", "126"); - } finally { - keycloakRule.stopSession(session, false); - } - } - - @Test - public void test02duplicateUsernameAndEmailSync() { - LDAPObject duplicatedLdapUser; - - KeycloakSession session = keycloakRule.startSession(); - try { - RealmModel testRealm = session.realms().getRealm("test"); - - FederationTestUtils.addLocalUser(session, testRealm, "user7", "user7@email.org", "password"); - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - - // Add user to LDAP with duplicated username "user7" - duplicatedLdapUser = FederationTestUtils.addLDAPUser(ldapFedProvider, testRealm, "user7", "User7FN", "User7LN", "user7-something@email.org", null, "126"); - - } finally { - keycloakRule.stopSession(session, true); - } - - session = keycloakRule.startSession(); - try { - RealmModel testRealm = session.realms().getRealm("test"); - - // Assert syncing from LDAP fails due to duplicated username - UserFederationSyncResult result = new UsersSyncManager().syncAllUsers(session.getKeycloakSessionFactory(), "test", ldapModel); - Assert.assertEquals(1, result.getFailed()); - - // Remove "user7" from LDAP - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - ldapFedProvider.getLdapIdentityStore().remove(duplicatedLdapUser); - - // Add user to LDAP with duplicated email "user7@email.org" - duplicatedLdapUser = FederationTestUtils.addLDAPUser(ldapFedProvider, testRealm, "user7-something", "User7FNN", "User7LNL", "user7@email.org", null, "126"); - } finally { - keycloakRule.stopSession(session, true); - } - - session = keycloakRule.startSession(); - try { - RealmModel testRealm = session.realms().getRealm("test"); - - // Assert syncing from LDAP fails due to duplicated email - UserFederationSyncResult result = new UsersSyncManager().syncAllUsers(session.getKeycloakSessionFactory(), "test", ldapModel); - Assert.assertEquals(1, result.getFailed()); - Assert.assertNull(session.userStorage().getUserByUsername("user7-something", testRealm)); - - // Update LDAP user to avoid duplicated email - duplicatedLdapUser.setSingleAttribute(LDAPConstants.EMAIL, "user7-changed@email.org"); - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - ldapFedProvider.getLdapIdentityStore().update(duplicatedLdapUser); - - // Assert user successfully synced now - result = new UsersSyncManager().syncAllUsers(session.getKeycloakSessionFactory(), "test", ldapModel); - Assert.assertEquals(0, result.getFailed()); - } finally { - keycloakRule.stopSession(session, true); - } - - // Assert user imported in another transaction - session = keycloakRule.startSession(); - try { - RealmModel testRealm = session.realms().getRealm("test"); - FederationTestUtils.assertUserImported(session.userStorage(), testRealm, "user7-something", "User7FNN", "User7LNL", "user7-changed@email.org", "126"); - } finally { - keycloakRule.stopSession(session, false); - } - } - - // KEYCLOAK-1571 - @Test - public void test03SameUUIDAndUsernameSync() { - KeycloakSession session = keycloakRule.startSession(); - String origUuidAttrName; - - try { - RealmModel testRealm = session.realms().getRealm("test"); - - // Remove all users from model - for (UserModel user : session.userStorage().getUsers(testRealm, true)) { - session.userStorage().removeUser(testRealm, user); - } - - UserFederationProviderModel providerModel = KeycloakModelUtils.findUserFederationProviderByDisplayName(ldapModel.getDisplayName(), testRealm); - - // Change name of UUID attribute to same like usernameAttribute - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - String uidAttrName = ldapFedProvider.getLdapIdentityStore().getConfig().getUsernameLdapAttribute(); - origUuidAttrName = providerModel.getConfig().get(LDAPConstants.UUID_LDAP_ATTRIBUTE); - providerModel.getConfig().put(LDAPConstants.UUID_LDAP_ATTRIBUTE, uidAttrName); - - // Need to change this due to ApacheDS pagination bug (For other LDAP servers, pagination works fine) TODO: Remove once ApacheDS upgraded and pagination is fixed - providerModel.getConfig().put(LDAPConstants.BATCH_SIZE_FOR_SYNC, "10"); - testRealm.updateUserFederationProvider(providerModel); - - } finally { - keycloakRule.stopSession(session, true); - } - - session = keycloakRule.startSession(); - try { - RealmModel testRealm = session.realms().getRealm("test"); - UserFederationProviderModel providerModel = KeycloakModelUtils.findUserFederationProviderByDisplayName(ldapModel.getDisplayName(), testRealm); - - KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); - UserFederationSyncResult syncResult = new UsersSyncManager().syncAllUsers(sessionFactory, "test", providerModel); - Assert.assertEquals(0, syncResult.getFailed()); - - } finally { - keycloakRule.stopSession(session, false); - } - - session = keycloakRule.startSession(); - try { - RealmModel testRealm = session.realms().getRealm("test"); - - // Assert users imported with correct LDAP_ID - FederationTestUtils.assertUserImported(session.users(), testRealm, "user1", "User1FN", "User1LN", "user1@email.org", "121"); - FederationTestUtils.assertUserImported(session.users(), testRealm, "user2", "User2FN", "User2LN", "user2@email.org", "122"); - UserModel user1 = session.users().getUserByUsername("user1", testRealm); - Assert.assertEquals("user1", user1.getFirstAttribute(LDAPConstants.LDAP_ID)); - - // Revert config changes - UserFederationProviderModel providerModel = KeycloakModelUtils.findUserFederationProviderByDisplayName(ldapModel.getDisplayName(), testRealm); - providerModel.getConfig().put(LDAPConstants.UUID_LDAP_ATTRIBUTE, origUuidAttrName); - testRealm.updateUserFederationProvider(providerModel); - } finally { - keycloakRule.stopSession(session, true); - } - } - - // KEYCLOAK-1728 - @Test - public void test04MissingLDAPUsernameSync() { - KeycloakSession session = keycloakRule.startSession(); - String origUsernameAttrName; - - try { - RealmModel testRealm = session.realms().getRealm("test"); - - // Remove all users from model - for (UserModel user : session.userStorage().getUsers(testRealm, true)) { - session.userStorage().removeUser(testRealm, user); - } - - UserFederationProviderModel providerModel = KeycloakModelUtils.findUserFederationProviderByDisplayName(ldapModel.getDisplayName(), testRealm); - - // Add street mapper and add some user including street - UserFederationMapperModel streetMapper = FederationTestUtils.addUserAttributeMapper(testRealm, ldapModel, "streetMapper", "street", LDAPConstants.STREET); - LDAPFederationProvider ldapFedProvider = FederationTestUtils.getLdapProvider(session, ldapModel); - LDAPObject streetUser = FederationTestUtils.addLDAPUser(ldapFedProvider, testRealm, "user8", "User8FN", "User8LN", "user8@email.org", "user8street", "126"); - - // Change name of username attribute name to street - origUsernameAttrName = providerModel.getConfig().get(LDAPConstants.USERNAME_LDAP_ATTRIBUTE); - providerModel.getConfig().put(LDAPConstants.USERNAME_LDAP_ATTRIBUTE, "street"); - - // Need to change this due to ApacheDS pagination bug (For other LDAP servers, pagination works fine) TODO: Remove once ApacheDS upgraded and pagination is fixed - providerModel.getConfig().put(LDAPConstants.BATCH_SIZE_FOR_SYNC, "10"); - testRealm.updateUserFederationProvider(providerModel); - - } finally { - keycloakRule.stopSession(session, true); - } - - // Just user8 synced. All others failed to sync - session = keycloakRule.startSession(); - try { - RealmModel testRealm = session.realms().getRealm("test"); - UserFederationProviderModel providerModel = KeycloakModelUtils.findUserFederationProviderByDisplayName(ldapModel.getDisplayName(), testRealm); - - KeycloakSessionFactory sessionFactory = session.getKeycloakSessionFactory(); - UserFederationSyncResult syncResult = new UsersSyncManager().syncAllUsers(sessionFactory, "test", providerModel); - Assert.assertEquals(1, syncResult.getAdded()); - Assert.assertTrue(syncResult.getFailed() > 0); - } finally { - keycloakRule.stopSession(session, false); - } - - session = keycloakRule.startSession(); - try { - RealmModel testRealm = session.realms().getRealm("test"); - - // Revert config changes - UserFederationProviderModel providerModel = KeycloakModelUtils.findUserFederationProviderByDisplayName(ldapModel.getDisplayName(), testRealm); - providerModel.getConfig().put(LDAPConstants.USERNAME_LDAP_ATTRIBUTE, origUsernameAttrName); - testRealm.updateUserFederationProvider(providerModel); - UserFederationMapperModel streetMapper = testRealm.getUserFederationMapperByName(providerModel.getId(), "streetMapper"); - testRealm.removeUserFederationMapper(streetMapper); - } finally { - keycloakRule.stopSession(session, true); - } - } - - private void sleep(int time) { - try { - Thread.sleep(time); - } catch (InterruptedException ie) { - throw new RuntimeException(ie); - } - } -} diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/ImportTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/ImportTest.java index 98c74375488..f1936458bf5 100755 --- a/testsuite/integration/src/test/java/org/keycloak/testsuite/model/ImportTest.java +++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/model/ImportTest.java @@ -22,8 +22,7 @@ import org.junit.FixMethodOrder; import org.junit.Test; import org.junit.runners.MethodSorters; import org.keycloak.common.constants.KerberosConstants; -import org.keycloak.federation.ldap.mappers.FullNameLDAPFederationMapper; -import org.keycloak.federation.ldap.mappers.FullNameLDAPFederationMapperFactory; +import org.keycloak.component.ComponentModel; import org.keycloak.models.AuthenticationFlowModel; import org.keycloak.models.ClientModel; import org.keycloak.models.ClientTemplateModel; @@ -49,6 +48,9 @@ import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper; import org.keycloak.protocol.oidc.mappers.UserSessionNoteMapper; import org.keycloak.representations.idm.RealmRepresentation; import org.keycloak.services.managers.RealmManager; +import org.keycloak.storage.UserStorageProviderModel; +import org.keycloak.storage.ldap.mappers.FullNameLDAPStorageMapper; +import org.keycloak.storage.ldap.mappers.FullNameLDAPStorageMapperFactory; import java.util.List; import java.util.Map; @@ -278,31 +280,28 @@ public class ImportTest extends AbstractModelTest { // Test federation providers List fedProviders = realm.getUserFederationProviders(); - Assert.assertTrue(fedProviders.size() == 2); - UserFederationProviderModel ldap1 = fedProviders.get(0); - Assert.assertEquals("MyLDAPProvider1", ldap1.getDisplayName()); - Assert.assertEquals("ldap", ldap1.getProviderName()); + Assert.assertTrue(fedProviders.size() == 0); + List storageProviders = realm.getUserStorageProviders(); + Assert.assertTrue(storageProviders.size() == 2); + UserStorageProviderModel ldap1 = storageProviders.get(0); + Assert.assertEquals("MyLDAPProvider1", ldap1.getName()); + Assert.assertEquals("ldap", ldap1.getProviderId()); Assert.assertEquals(1, ldap1.getPriority()); - Assert.assertEquals("ldap://foo", ldap1.getConfig().get(LDAPConstants.CONNECTION_URL)); + Assert.assertEquals("ldap://foo", ldap1.getConfig().getFirst(LDAPConstants.CONNECTION_URL)); - UserFederationProviderModel ldap2 = fedProviders.get(1); - Assert.assertEquals("MyLDAPProvider2", ldap2.getDisplayName()); - Assert.assertEquals("ldap://bar", ldap2.getConfig().get(LDAPConstants.CONNECTION_URL)); + UserStorageProviderModel ldap2 = storageProviders.get(1); + Assert.assertEquals("MyLDAPProvider2", ldap2.getName()); + Assert.assertEquals("ldap://bar", ldap2.getConfig().getFirst(LDAPConstants.CONNECTION_URL)); // Test federation mappers - Set fedMappers1 = realm.getUserFederationMappersByFederationProvider(ldap1.getId()); - Assert.assertTrue(fedMappers1.size() == 1); - UserFederationMapperModel fullNameMapper = fedMappers1.iterator().next(); + Set userFedMappers1 = realm.getUserFederationMappers(); + Assert.assertTrue(userFedMappers1.size() == 0); + List fedMappers1 = realm.getComponents(ldap1.getId()); + ComponentModel fullNameMapper = fedMappers1.iterator().next(); Assert.assertEquals("FullNameMapper", fullNameMapper.getName()); - Assert.assertEquals(FullNameLDAPFederationMapperFactory.PROVIDER_ID, fullNameMapper.getFederationMapperType()); - Assert.assertEquals(ldap1.getId(), fullNameMapper.getFederationProviderId()); - Assert.assertEquals("cn", fullNameMapper.getConfig().get(FullNameLDAPFederationMapper.LDAP_FULL_NAME_ATTRIBUTE)); - - // All builtin LDAP mappers should be here - Set fedMappers2 = realm.getUserFederationMappersByFederationProvider(ldap2.getId()); - Assert.assertTrue(fedMappers2.size() > 3); - Set allMappers = realm.getUserFederationMappers(); - Assert.assertEquals(allMappers.size(), fedMappers1.size() + fedMappers2.size()); + Assert.assertEquals(FullNameLDAPStorageMapperFactory.PROVIDER_ID, fullNameMapper.getProviderId()); + Assert.assertEquals(ldap1.getId(), fullNameMapper.getParentId()); + Assert.assertEquals("cn", fullNameMapper.getConfig().getFirst(FullNameLDAPStorageMapper.LDAP_FULL_NAME_ATTRIBUTE)); // Assert that federation link wasn't created during import UserFederationProviderFactory factory = (UserFederationProviderFactory)session.getKeycloakSessionFactory().getProviderFactory(UserFederationProvider.class, "dummy");