Java Code Examples for org.keycloak.representations.idm.RealmRepresentation#setAttributes()

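/**
 * KEYCLOAK-12612
 *
 * Tests sending a SAML {@code AuthnRequest} through a reverse proxy. In this scenario the SAML {@code AuthnRequest}
 * has a destination that matches the proxy server, but the request is forwarded to a keycloak server running in a
 * different address.
 *
 * Validation of the destination and subsequent redirection to the login screen only work if the proxy server is configured
 * as the {@code frontendUrl} of the realm.
 *
 * The {@code frontendUrl} attribute is only set for the duration of the test; whatever value (or absence) the realm
 * had before is put back in {@code finally}, so a failing run does not leave the shared realm pointing at the proxy.
 *
 * @throws Exception if an error occurs while running the test.
 */
@Test
public void testAuthnRequestWithReverseProxy() throws Exception {
    // send an authn request without defining the frontendUrl for the realm - should get a BAD_REQUEST response
    Document document = SAML2Request.convert(SamlClient.createLoginRequestDocument(SAML_CLIENT_ID_SALES_POST,
            SAML_ASSERTION_CONSUMER_URL_SALES_POST, this.buildSamlProtocolUrl(proxy.getUrl())));
    testSendSamlRequest(document, Response.Status.BAD_REQUEST, containsString("Invalid Request"));

    // set the frontendUrl pointing to the reverse proxy
    RealmRepresentation rep = adminClient.realm(REALM_NAME).toRepresentation();
    if (rep.getAttributes() == null) {
        rep.setAttributes(new HashMap<>());
    }
    // remember the previous value (null when unset) so cleanup restores it instead of blindly deleting the attribute
    String previousFrontendUrl = rep.getAttributes().get("frontendUrl");
    try {
        rep.getAttributes().put("frontendUrl", proxy.getUrl());
        adminClient.realm(REALM_NAME).update(rep);

        // resend the authn request - should succeed this time
        testSendSamlRequest(document, Response.Status.OK, containsString("login"));
    } finally {
        // restore the state of the realm (previous frontendUrl, or unset when there was none)
        if (previousFrontendUrl == null) {
            rep.getAttributes().remove("frontendUrl");
        } else {
            rep.getAttributes().put("frontendUrl", previousFrontendUrl);
        }
        adminClient.realm(REALM_NAME).update(rep);
    }
}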
 
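/**
 * KEYCLOAK-12944
 *
 * Tests sending a SAML {@code LogoutRequest} through a reverse proxy. In this scenario the SAML {@code LogoutRequest}
 * has a destination that matches the proxy server, but the request is forwarded to a keycloak server running in a
 * different address.
 *
 * Validation of the destination and any subsequent redirection only work if the proxy server is configured as the
 * {@code frontendUrl} of the realm.
 *
 * The {@code frontendUrl} attribute is only set for the duration of the test; whatever value (or absence) the realm
 * had before is put back in {@code finally}, so a failing run does not leave the shared realm pointing at the proxy.
 *
 * @throws Exception if an error occurs while running the test.
 */
@Test
public void testLogoutRequestWithReverseProxy() throws Exception {
    // send a logout request without defining the frontendUrl for the realm - should get a BAD_REQUEST response
    Document document = new SAML2LogoutRequestBuilder().destination(
            this.buildSamlProtocolUrl(proxy.getUrl()).toString()).issuer(SAML_CLIENT_ID_SALES_POST).buildDocument();
    testSendSamlRequest(document, Response.Status.BAD_REQUEST, containsString("Invalid Request"));

    // set the frontendUrl pointing to the reverse proxy
    RealmRepresentation rep = adminClient.realm(REALM_NAME).toRepresentation();
    if (rep.getAttributes() == null) {
        rep.setAttributes(new HashMap<>());
    }
    // remember the previous value (null when unset) so cleanup restores it instead of blindly deleting the attribute
    String previousFrontendUrl = rep.getAttributes().get("frontendUrl");
    try {
        rep.getAttributes().put("frontendUrl", proxy.getUrl());
        adminClient.realm(REALM_NAME).update(rep);

        // resend the logout request - should succeed this time (we are actually not logging out anyone, just checking the request is properly validated
        testSendSamlRequest(document, Response.Status.OK, containsString("login"));
    } finally {
        // restore the state of the realm (previous frontendUrl, or unset when there was none)
        if (previousFrontendUrl == null) {
            rep.getAttributes().remove("frontendUrl");
        } else {
            rep.getAttributes().put("frontendUrl", previousFrontendUrl);
        }
        adminClient.realm(REALM_NAME).update(rep);
    }
}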
 
/**
 * Broker configuration for the frontend-URL scenario: the consumer realm is created with its
 * {@code frontendUrl} attribute pointing at the reverse proxy, and the first provider client is
 * restricted to a single redirect URI pattern under the proxy's broker endpoint for the consumer
 * realm and the OIDC identity provider alias.
 */
@Override
protected BrokerConfiguration getBrokerConfiguration() {
    return new KcOidcBrokerConfiguration() {
        @Override
        public RealmRepresentation createConsumerRealm() {
            RealmRepresentation consumerRealm = super.createConsumerRealm();

            // the consumer realm advertises the proxy, not the backend, as its public URL
            Map<String, String> realmAttributes = new HashMap<>();
            realmAttributes.put("frontendUrl", proxy.getUrl());
            consumerRealm.setAttributes(realmAttributes);

            return consumerRealm;
        }

        @Override
        public List<ClientRepresentation> createProviderClients() {
            List<ClientRepresentation> providerClients = super.createProviderClients();

            // only callbacks to the proxied broker endpoint of this realm/IdP are acceptable
            String brokerEndpointPattern = proxy.getUrl() + "/realms/" + REALM_CONS_NAME
                    + "/broker/" + IDP_OIDC_ALIAS + "/endpoint/*";
            List<String> allowedRedirectUris = new ArrayList<>();
            allowedRedirectUris.add(brokerEndpointPattern);
            providerClients.get(0).setRedirectUris(allowedRedirectUris);

            return providerClients;
        }
    };
}
 
/**
 * Updates a realm twice through the admin client and verifies after each update that the stored
 * representation reflects the change: custom attributes are added, then one is overwritten and one
 * removed; brute-force protection is switched on and off; the display name changes; and the
 * WebAuthn acceptable-AAGUID list is set and then cleared. Each update is expected to produce an
 * admin UPDATE event for the realm.
 */
@Test
public void updateRealmAttributes() {
    // first change
    List<String> aaguids = new ArrayList<>();
    aaguids.add("aaguid1");
    aaguids.add("aaguid2");

    HashMap<String, String> customAttributes = new HashMap<>();
    customAttributes.put("foo1", "bar1");
    customAttributes.put("foo2", "bar2");

    RealmRepresentation rep = new RealmRepresentation();
    rep.setAttributes(customAttributes);
    rep.setWebAuthnPolicyAcceptableAaguids(aaguids);
    rep.setBruteForceProtected(true);
    rep.setDisplayName("dn1");

    realm.update(rep);
    assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, Matchers.nullValue(String.class), rep, ResourceType.REALM);

    rep = realm.toRepresentation();
    assertEquals("bar1", rep.getAttributes().get("foo1"));
    assertEquals("bar2", rep.getAttributes().get("foo2"));
    assertTrue(rep.isBruteForceProtected());
    assertEquals("dn1", rep.getDisplayName());
    assertEquals(aaguids, rep.getWebAuthnPolicyAcceptableAaguids());

    // second change: overwrite foo1, drop foo2, clear the AAGUID list and flip the other settings back
    aaguids.clear();
    rep.getAttributes().put("foo1", "bar11");
    rep.getAttributes().remove("foo2");
    rep.setWebAuthnPolicyAcceptableAaguids(aaguids);
    rep.setBruteForceProtected(false);
    rep.setDisplayName("dn2");

    realm.update(rep);
    assertAdminEvents.assertEvent(realmId, OperationType.UPDATE, Matchers.nullValue(String.class), rep, ResourceType.REALM);

    rep = realm.toRepresentation();
    assertFalse(rep.isBruteForceProtected());
    assertEquals("dn2", rep.getDisplayName());
    // an attribute absent from the update is gone afterwards, not merely left untouched
    assertEquals("bar11", rep.getAttributes().get("foo1"));
    assertFalse(rep.getAttributes().containsKey("foo2"));
    assertTrue(rep.getWebAuthnPolicyAcceptableAaguids().isEmpty());
}
 
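/**
 * Checks that a reset-credentials action token expires according to the per-action
 * {@code resetCredentialsLifespan} realm attribute (60 s here): after the server clock is moved
 * forward by 70 s, following the link from the reset email must land on the error page with
 * "Action expired." and produce an EXECUTE_ACTION_TOKEN_ERROR event carrying {@code expired_code}.
 *
 * The realm's attributes are snapshotted before the test and restored in {@code finally} along with
 * the time offset, so other tests see the realm as it was.
 *
 * @throws IOException declared by the mail helpers used in the test
 * @throws MessagingException declared by the mail helpers used in the test
 * @throws InterruptedException declared by the helpers used in the test
 */
@Test
public void resetPasswordExpiredCodeAndAuthSessionPerActionLifespan() throws IOException, MessagingException, InterruptedException {
    RealmRepresentation realmRep = testRealm().toRepresentation();
    // a realm may carry no attributes at all; copying null into a HashMap would throw before the test starts
    Map<String, String> snapshot = new HashMap<>();
    if (realmRep.getAttributes() != null) {
        snapshot.putAll(realmRep.getAttributes());
    }
    Map<String, String> originalAttributes = Collections.unmodifiableMap(snapshot);

    // this replaces the whole attribute map with the per-action lifespan entries; the snapshot above
    // is what brings any other attributes back afterwards
    realmRep.setAttributes(UserActionTokenBuilder.create().resetCredentialsLifespan(60).build());
    testRealm().update(realmRep);

    try {
        initiateResetPasswordFromResetPasswordPage("login-test");

        events.expectRequiredAction(EventType.SEND_RESET_PASSWORD)
                .session((String)null)
                .user(userId).detail(Details.USERNAME, "login-test").detail(Details.EMAIL, "login@test.com").assertEvent();

        assertEquals(1, greenMail.getReceivedMessages().length);

        MimeMessage message = greenMail.getReceivedMessages()[0];

        // the link is taken from the mail body, which is HTML-escaped
        String changePasswordUrl = MailUtils.getPasswordResetEmailLink(message).replace("&amp;", "&");

        // 70 s > the 60 s lifespan configured above, so the token must be rejected as expired
        setTimeOffset(70);

        log.debug("Going to reset password URI.");
        driver.navigate().to(oauth.AUTH_SERVER_ROOT + "/realms/test/login-actions/reset-credentials"); // This is necessary to delete KC_RESTART cookie that is restricted to /auth/realms/test path
        log.debug("Removing cookies.");
        driver.manage().deleteAllCookies();
        driver.navigate().to(changePasswordUrl.trim());

        errorPage.assertCurrent();
        Assert.assertEquals("Action expired.", errorPage.getError());
        String backToAppLink = errorPage.getBackToApplicationLink();
        Assert.assertTrue(backToAppLink.endsWith("/app/auth"));

        events.expectRequiredAction(EventType.EXECUTE_ACTION_TOKEN_ERROR).error("expired_code").client((String) null).user(userId).session((String) null).clearDetails().detail(Details.ACTION, ResetCredentialsActionToken.TOKEN_TYPE).assertEvent();
    } finally {
        // undo the clock shift and put the realm attributes back
        setTimeOffset(0);

        realmRep.setAttributes(originalAttributes);
        testRealm().update(realmRep);
    }
}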
 
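/**
 * Same scenario as the single-lifespan variant, but with both {@code resetCredentialsLifespan} (60 s)
 * and {@code verifyEmailLifespan} (300 s) configured: the reset-credentials token must expire on its
 * own 60 s lifespan and not be kept alive by the longer lifespan of the other action. After moving
 * the clock forward by 70 s the reset link must land on the error page with "Action expired." and
 * produce an EXECUTE_ACTION_TOKEN_ERROR event carrying {@code expired_code}.
 *
 * The realm's attributes are snapshotted before the test and restored in {@code finally} along with
 * the time offset.
 *
 * @throws IOException declared by the mail helpers used in the test
 * @throws MessagingException declared by the mail helpers used in the test
 * @throws InterruptedException declared by the helpers used in the test
 */
@Test
public void resetPasswordExpiredCodeAndAuthSessionPerActionMultipleTimeouts() throws IOException, MessagingException, InterruptedException {
    RealmRepresentation realmRep = testRealm().toRepresentation();
    // a realm may carry no attributes at all; copying null into a HashMap would throw before the test starts
    Map<String, String> snapshot = new HashMap<>();
    if (realmRep.getAttributes() != null) {
        snapshot.putAll(realmRep.getAttributes());
    }
    Map<String, String> originalAttributes = Collections.unmodifiableMap(snapshot);

    //Make sure that one attribute settings won't affect the other
    // (this replaces the whole attribute map; the snapshot above restores the rest afterwards)
    realmRep.setAttributes(UserActionTokenBuilder.create().resetCredentialsLifespan(60).verifyEmailLifespan(300).build());
    testRealm().update(realmRep);

    try {
        initiateResetPasswordFromResetPasswordPage("login-test");

        events.expectRequiredAction(EventType.SEND_RESET_PASSWORD)
                .session((String)null)
                .user(userId).detail(Details.USERNAME, "login-test").detail(Details.EMAIL, "login@test.com").assertEvent();

        assertEquals(1, greenMail.getReceivedMessages().length);

        MimeMessage message = greenMail.getReceivedMessages()[0];

        // the link is taken from the mail body, which is HTML-escaped
        String changePasswordUrl = MailUtils.getPasswordResetEmailLink(message).replace("&amp;", "&");

        // 70 s > the 60 s reset lifespan but well below the 300 s verify-email lifespan
        setTimeOffset(70);

        log.debug("Going to reset password URI.");
        driver.navigate().to(oauth.AUTH_SERVER_ROOT + "/realms/test/login-actions/reset-credentials"); // This is necessary to delete KC_RESTART cookie that is restricted to /auth/realms/test path
        log.debug("Removing cookies.");
        driver.manage().deleteAllCookies();
        driver.navigate().to(changePasswordUrl.trim());

        errorPage.assertCurrent();
        Assert.assertEquals("Action expired.", errorPage.getError());
        String backToAppLink = errorPage.getBackToApplicationLink();
        Assert.assertTrue(backToAppLink.endsWith("/app/auth"));

        events.expectRequiredAction(EventType.EXECUTE_ACTION_TOKEN_ERROR).error("expired_code").client((String) null).user(userId).session((String) null).clearDetails().detail(Details.ACTION, ResetCredentialsActionToken.TOKEN_TYPE).assertEvent();
    } finally {
        // undo the clock shift and put the realm attributes back
        setTimeOffset(0);

        realmRep.setAttributes(originalAttributes);
        testRealm().update(realmRep);
    }
}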
 
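/**
 * Checks that a reset-credentials action token started from the "forgot password" endpoint
 * (reached directly, not via the authenticate endpoint) expires according to the per-action
 * {@code resetCredentialsLifespan} realm attribute (60 s here): after the server clock is moved
 * forward by 70 s, following the link from the reset email must show "Action expired. Please start
 * again." and produce an EXECUTE_ACTION_TOKEN_ERROR event carrying {@code expired_code}.
 *
 * The realm's attributes are snapshotted before the test and restored in {@code finally} along with
 * the time offset.
 *
 * @throws IOException declared by the mail helpers used in the test
 * @throws MessagingException declared by the mail helpers used in the test
 * @throws InterruptedException declared by the helpers used in the test
 */
@Test
public void resetPasswordExpiredCodeForgotPasswordFlowPerActionLifespan() throws IOException, MessagingException, InterruptedException {
    RealmRepresentation realmRep = testRealm().toRepresentation();
    // a realm may carry no attributes at all; copying null into a HashMap would throw before the test starts
    Map<String, String> snapshot = new HashMap<>();
    if (realmRep.getAttributes() != null) {
        snapshot.putAll(realmRep.getAttributes());
    }
    Map<String, String> originalAttributes = Collections.unmodifiableMap(snapshot);

    // this replaces the whole attribute map with the per-action lifespan entry; the snapshot above
    // is what brings any other attributes back afterwards
    realmRep.setAttributes(UserActionTokenBuilder.create().resetCredentialsLifespan(60).build());
    testRealm().update(realmRep);

    try {
        // Redirect directly to KC "forgot password" endpoint instead of "authenticate" endpoint
        String loginUrl = oauth.getLoginFormUrl();
        String forgotPasswordUrl = loginUrl.replace("/auth?", "/forgot-credentials?"); // Workaround, but works

        driver.navigate().to(forgotPasswordUrl);
        resetPasswordPage.assertCurrent();
        resetPasswordPage.changePassword("login-test");

        loginPage.assertCurrent();
        assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage());
        expectedMessagesCount++;

        events.expectRequiredAction(EventType.SEND_RESET_PASSWORD)
                .session((String)null)
                .user(userId).detail(Details.USERNAME, "login-test").detail(Details.EMAIL, "login@test.com").assertEvent();

        assertEquals(1, greenMail.getReceivedMessages().length);

        MimeMessage message = greenMail.getReceivedMessages()[0];

        String changePasswordUrl = MailUtils.getPasswordResetEmailLink(message);

        // 70 s > the 60 s lifespan configured above, so the token must be rejected as expired
        setTimeOffset(70);

        driver.navigate().to(changePasswordUrl.trim());

        resetPasswordPage.assertCurrent();

        assertEquals("Action expired. Please start again.", loginPage.getError());

        events.expectRequiredAction(EventType.EXECUTE_ACTION_TOKEN_ERROR).error("expired_code").client((String) null).user(userId).session((String) null).clearDetails().detail(Details.ACTION, ResetCredentialsActionToken.TOKEN_TYPE).assertEvent();
    } finally {
        // undo the clock shift and put the realm attributes back
        setTimeOffset(0);

        realmRep.setAttributes(originalAttributes);
        testRealm().update(realmRep);
    }
}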
 
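/**
 * Same "forgot password" scenario as the single-lifespan variant, but with both
 * {@code resetCredentialsLifespan} (60 s) and {@code verifyEmailLifespan} (300 s) configured: the
 * reset-credentials token must expire on its own 60 s lifespan and not be kept alive by the longer
 * lifespan of the other action. After moving the clock forward by 70 s the reset link must show
 * "Action expired. Please start again." and produce an EXECUTE_ACTION_TOKEN_ERROR event carrying
 * {@code expired_code}.
 *
 * The realm's attributes are snapshotted before the test and restored in {@code finally} along with
 * the time offset.
 *
 * @throws IOException declared by the mail helpers used in the test
 * @throws MessagingException declared by the mail helpers used in the test
 * @throws InterruptedException declared by the helpers used in the test
 */
@Test
public void resetPasswordExpiredCodeForgotPasswordFlowPerActionMultipleTimeouts() throws IOException, MessagingException, InterruptedException {
    RealmRepresentation realmRep = testRealm().toRepresentation();
    // a realm may carry no attributes at all; copying null into a HashMap would throw before the test starts
    Map<String, String> snapshot = new HashMap<>();
    if (realmRep.getAttributes() != null) {
        snapshot.putAll(realmRep.getAttributes());
    }
    Map<String, String> originalAttributes = Collections.unmodifiableMap(snapshot);

    //Make sure that one attribute settings won't affect the other
    // (this replaces the whole attribute map; the snapshot above restores the rest afterwards)
    realmRep.setAttributes(UserActionTokenBuilder.create().resetCredentialsLifespan(60).verifyEmailLifespan(300).build());
    testRealm().update(realmRep);

    try {
        // Redirect directly to KC "forgot password" endpoint instead of "authenticate" endpoint
        String loginUrl = oauth.getLoginFormUrl();
        String forgotPasswordUrl = loginUrl.replace("/auth?", "/forgot-credentials?"); // Workaround, but works

        driver.navigate().to(forgotPasswordUrl);
        resetPasswordPage.assertCurrent();
        resetPasswordPage.changePassword("login-test");

        loginPage.assertCurrent();
        assertEquals("You should receive an email shortly with further instructions.", loginPage.getSuccessMessage());
        expectedMessagesCount++;

        events.expectRequiredAction(EventType.SEND_RESET_PASSWORD)
                .session((String)null)
                .user(userId).detail(Details.USERNAME, "login-test").detail(Details.EMAIL, "login@test.com").assertEvent();

        assertEquals(1, greenMail.getReceivedMessages().length);

        MimeMessage message = greenMail.getReceivedMessages()[0];

        String changePasswordUrl = MailUtils.getPasswordResetEmailLink(message);

        // 70 s > the 60 s reset lifespan but well below the 300 s verify-email lifespan
        setTimeOffset(70);

        driver.navigate().to(changePasswordUrl.trim());

        resetPasswordPage.assertCurrent();

        assertEquals("Action expired. Please start again.", loginPage.getError());

        events.expectRequiredAction(EventType.EXECUTE_ACTION_TOKEN_ERROR).error("expired_code").client((String) null).user(userId).session((String) null).clearDetails().detail(Details.ACTION, ResetCredentialsActionToken.TOKEN_TYPE).assertEvent();
    } finally {
        // undo the clock shift and put the realm attributes back
        setTimeOffset(0);

        realmRep.setAttributes(originalAttributes);
        testRealm().update(realmRep);
    }
}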
 
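/**
 * Checks that a verify-email action token expires according to the per-action
 * {@code verifyEmailLifespan} realm attribute (60 s here): after logging in, receiving the
 * verification mail and moving the server clock forward by 70 s, following the verification link
 * must show "Action expired. Please start again." on the login page and produce an
 * EXECUTE_ACTION_TOKEN_ERROR event with {@link Errors#EXPIRED_CODE}.
 *
 * The realm's attributes are snapshotted before the test and restored in {@code finally} along with
 * the time offset. The {@code try} starts right after the realm update so that a failure anywhere
 * in the login/mail steps still restores the realm.
 *
 * @throws IOException declared by the mail helpers used in the test
 * @throws MessagingException declared by the mail helpers used in the test
 */
@Test
public void verifyEmailExpiredCodedPerActionLifespan() throws IOException, MessagingException {
    RealmRepresentation realmRep = testRealm().toRepresentation();
    // a realm may carry no attributes at all; copying null into a HashMap would throw before the test starts
    Map<String, String> snapshot = new HashMap<>();
    if (realmRep.getAttributes() != null) {
        snapshot.putAll(realmRep.getAttributes());
    }
    Map<String, String> originalAttributes = Collections.unmodifiableMap(snapshot);

    // this replaces the whole attribute map with the per-action lifespan entry; the snapshot above
    // is what brings any other attributes back afterwards
    realmRep.setAttributes(UserActionTokenBuilder.create().verifyEmailLifespan(60).build());
    testRealm().update(realmRep);

    try {
        loginPage.open();
        loginPage.login("test-user@localhost", "password");

        verifyEmailPage.assertCurrent();

        Assert.assertEquals(1, greenMail.getReceivedMessages().length);

        MimeMessage message = greenMail.getLastReceivedMessage();

        String verificationUrl = getPasswordResetEmailLink(message);

        // drain the events produced by the login so the assertion below sees only the token error
        events.poll();

        // 70 s > the 60 s lifespan configured above, so the token must be rejected as expired
        setTimeOffset(70);

        driver.navigate().to(verificationUrl.trim());

        loginPage.assertCurrent();
        assertEquals("Action expired. Please start again.", loginPage.getError());

        events.expectRequiredAction(EventType.EXECUTE_ACTION_TOKEN_ERROR)
                .error(Errors.EXPIRED_CODE)
                .client((String)null)
                .user(testUserId)
                .session((String)null)
                .clearDetails()
                .detail(Details.ACTION, VerifyEmailActionToken.TOKEN_TYPE)
                .assertEvent();
    } finally {
        // undo the clock shift and put the realm attributes back
        setTimeOffset(0);
        realmRep.setAttributes(originalAttributes);
        testRealm().update(realmRep);
    }
}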
 
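/**
 * Same verify-email scenario as the single-lifespan variant, but with both
 * {@code verifyEmailLifespan} (60 s) and {@code resetCredentialsLifespan} (300 s) configured: the
 * verify-email token must expire on its own 60 s lifespan and not be kept alive by the longer
 * lifespan of the other action. After moving the clock forward by 70 s the verification link must
 * show "Action expired. Please start again." and produce an EXECUTE_ACTION_TOKEN_ERROR event with
 * {@link Errors#EXPIRED_CODE}.
 *
 * The realm's attributes are snapshotted before the test and restored in {@code finally} along with
 * the time offset. The {@code try} starts right after the realm update so that a failure anywhere
 * in the login/mail steps still restores the realm.
 *
 * @throws IOException declared by the mail helpers used in the test
 * @throws MessagingException declared by the mail helpers used in the test
 */
@Test
public void verifyEmailExpiredCodedPerActionMultipleTimeouts() throws IOException, MessagingException {
    RealmRepresentation realmRep = testRealm().toRepresentation();
    // a realm may carry no attributes at all; copying null into a HashMap would throw before the test starts
    Map<String, String> snapshot = new HashMap<>();
    if (realmRep.getAttributes() != null) {
        snapshot.putAll(realmRep.getAttributes());
    }
    Map<String, String> originalAttributes = Collections.unmodifiableMap(snapshot);

    //Make sure that one attribute settings won't affect the other
    // (this replaces the whole attribute map; the snapshot above restores the rest afterwards)
    realmRep.setAttributes(UserActionTokenBuilder.create().verifyEmailLifespan(60).resetCredentialsLifespan(300).build());
    testRealm().update(realmRep);

    try {
        loginPage.open();
        loginPage.login("test-user@localhost", "password");

        verifyEmailPage.assertCurrent();

        Assert.assertEquals(1, greenMail.getReceivedMessages().length);

        MimeMessage message = greenMail.getLastReceivedMessage();

        String verificationUrl = getPasswordResetEmailLink(message);

        // drain the events produced by the login so the assertion below sees only the token error
        events.poll();

        // 70 s > the 60 s verify-email lifespan but well below the 300 s reset lifespan
        setTimeOffset(70);

        driver.navigate().to(verificationUrl.trim());

        loginPage.assertCurrent();
        assertEquals("Action expired. Please start again.", loginPage.getError());

        events.expectRequiredAction(EventType.EXECUTE_ACTION_TOKEN_ERROR)
                .error(Errors.EXPIRED_CODE)
                .client((String)null)
                .user(testUserId)
                .session((String)null)
                .clearDetails()
                .detail(Details.ACTION, VerifyEmailActionToken.TOKEN_TYPE)
                .assertEvent();
    } finally {
        // undo the clock shift and put the realm attributes back
        setTimeOffset(0);
        realmRep.setAttributes(originalAttributes);
        testRealm().update(realmRep);
    }
}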
 
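/**
 * Checks that a reset-credentials action token expires according to the per-action
 * {@code resetCredentialsLifespan} realm attribute (60 s here): after the server clock is moved
 * forward by 70 s, following the link from the reset email must show "Action expired. Please start
 * again." on the login page and produce an EXECUTE_ACTION_TOKEN_ERROR event carrying
 * {@code expired_code}.
 *
 * The realm's attributes are snapshotted before the test and restored in {@code finally} along with
 * the time offset.
 *
 * @throws IOException declared by the mail helpers used in the test
 * @throws MessagingException declared by the mail helpers used in the test
 * @throws InterruptedException declared by the helpers used in the test
 */
@Test
public void resetPasswordExpiredCodeShortPerActionLifespan() throws IOException, MessagingException, InterruptedException {
    RealmRepresentation realmRep = testRealm().toRepresentation();
    // a realm may carry no attributes at all; copying null into a HashMap would throw before the test starts
    Map<String, String> snapshot = new HashMap<>();
    if (realmRep.getAttributes() != null) {
        snapshot.putAll(realmRep.getAttributes());
    }
    Map<String, String> originalAttributes = Collections.unmodifiableMap(snapshot);

    // this replaces the whole attribute map with the per-action lifespan entry; the snapshot above
    // is what brings any other attributes back afterwards
    realmRep.setAttributes(UserActionTokenBuilder.create().resetCredentialsLifespan(60).build());
    testRealm().update(realmRep);

    try {
        initiateResetPasswordFromResetPasswordPage("login-test");

        events.expectRequiredAction(EventType.SEND_RESET_PASSWORD)
                .session((String)null)
                .user(userId).detail(Details.USERNAME, "login-test").detail(Details.EMAIL, "login@test.com").assertEvent();

        assertEquals(1, greenMail.getReceivedMessages().length);

        MimeMessage message = greenMail.getReceivedMessages()[0];

        String changePasswordUrl = MailUtils.getPasswordResetEmailLink(message);

        // 70 s > the 60 s lifespan configured above, so the token must be rejected as expired
        setTimeOffset(70);

        driver.navigate().to(changePasswordUrl.trim());

        loginPage.assertCurrent();

        assertEquals("Action expired. Please start again.", loginPage.getError());

        events.expectRequiredAction(EventType.EXECUTE_ACTION_TOKEN_ERROR).error("expired_code").client((String) null).user(userId).session((String) null).clearDetails().detail(Details.ACTION, ResetCredentialsActionToken.TOKEN_TYPE).assertEvent();
    } finally {
        // undo the clock shift and put the realm attributes back
        setTimeOffset(0);

        realmRep.setAttributes(originalAttributes);
        testRealm().update(realmRep);
    }
}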
 
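/**
 * Same scenario as the single-lifespan variant, but with both {@code resetCredentialsLifespan} (60 s)
 * and {@code verifyEmailLifespan} (300 s) configured: the reset-credentials token must expire on its
 * own 60 s lifespan and not be kept alive by the longer lifespan of the other action. After moving
 * the clock forward by 70 s the reset link must show "Action expired. Please start again." on the
 * login page and produce an EXECUTE_ACTION_TOKEN_ERROR event carrying {@code expired_code}.
 *
 * The realm's attributes are snapshotted before the test and restored in {@code finally} along with
 * the time offset.
 *
 * @throws IOException declared by the mail helpers used in the test
 * @throws MessagingException declared by the mail helpers used in the test
 * @throws InterruptedException declared by the helpers used in the test
 */
@Test
public void resetPasswordExpiredCodeShortPerActionMultipleTimeouts() throws IOException, MessagingException, InterruptedException {
    RealmRepresentation realmRep = testRealm().toRepresentation();
    // a realm may carry no attributes at all; copying null into a HashMap would throw before the test starts
    Map<String, String> snapshot = new HashMap<>();
    if (realmRep.getAttributes() != null) {
        snapshot.putAll(realmRep.getAttributes());
    }
    Map<String, String> originalAttributes = Collections.unmodifiableMap(snapshot);

    //Make sure that one attribute settings won't affect the other
    // (this replaces the whole attribute map; the snapshot above restores the rest afterwards)
    realmRep.setAttributes(UserActionTokenBuilder.create().resetCredentialsLifespan(60).verifyEmailLifespan(300).build());

    testRealm().update(realmRep);

    try {
        initiateResetPasswordFromResetPasswordPage("login-test");

        events.expectRequiredAction(EventType.SEND_RESET_PASSWORD)
                .session((String)null)
                .user(userId).detail(Details.USERNAME, "login-test").detail(Details.EMAIL, "login@test.com").assertEvent();

        assertEquals(1, greenMail.getReceivedMessages().length);

        MimeMessage message = greenMail.getReceivedMessages()[0];

        String changePasswordUrl = MailUtils.getPasswordResetEmailLink(message);

        // 70 s > the 60 s reset lifespan but well below the 300 s verify-email lifespan
        setTimeOffset(70);

        driver.navigate().to(changePasswordUrl.trim());

        loginPage.assertCurrent();

        assertEquals("Action expired. Please start again.", loginPage.getError());

        events.expectRequiredAction(EventType.EXECUTE_ACTION_TOKEN_ERROR).error("expired_code").client((String) null).user(userId).session((String) null).clearDetails().detail(Details.ACTION, ResetCredentialsActionToken.TOKEN_TYPE).assertEvent();
    } finally {
        // undo the clock shift and put the realm attributes back
        setTimeOffset(0);

        realmRep.setAttributes(originalAttributes);
        testRealm().update(realmRep);
    }
}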