public void testAttributes() throws Exception {
keycloakRule.update(
new KeycloakRule.KeycloakSetup() {
@Override
public void config(
RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
ClientModel app = appRealm.getClientByClientId(APP_SERVER_BASE_URL + "/employee2/");
app.addProtocolMapper(
GroupMembershipMapper.create("groups", "group", null, null, true));
app.addProtocolMapper(
UserAttributeStatementMapper.createAttributeMapper(
"topAttribute", "topAttribute", "topAttribute", "Basic", null, false, null));
app.addProtocolMapper(
UserAttributeStatementMapper.createAttributeMapper(
"level2Attribute",
"level2Attribute",
"level2Attribute",
"Basic",
null,
false,
null));
}
},
"demo");
{
SendUsernameServlet.sentPrincipal = null;
SendUsernameServlet.checkRoles = null;
driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/");
assertAtLoginPagePostBinding();
List<String> requiredRoles = new LinkedList<>();
requiredRoles.add("manager");
requiredRoles.add("user");
SendUsernameServlet.checkRoles = requiredRoles;
loginPage.login("level2GroupUser", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/employee2/");
SendUsernameServlet.checkRoles = null;
SamlPrincipal principal = (SamlPrincipal) SendUsernameServlet.sentPrincipal;
Assert.assertNotNull(principal);
assertEquals(
"*****@*****.**", principal.getAttribute(X500SAMLProfileConstants.EMAIL.get()));
assertEquals("true", principal.getAttribute("topAttribute"));
assertEquals("true", principal.getAttribute("level2Attribute"));
List<String> groups = principal.getAttributes("group");
Assert.assertNotNull(groups);
Set<String> groupSet = new HashSet<>();
assertEquals("*****@*****.**", principal.getFriendlyAttribute("email"));
driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/employee2/", true);
}
{
SendUsernameServlet.sentPrincipal = null;
SendUsernameServlet.checkRoles = null;
driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/");
assertAtLoginPagePostBinding();
List<String> requiredRoles = new LinkedList<>();
requiredRoles.add("manager");
requiredRoles.add("employee");
requiredRoles.add("user");
SendUsernameServlet.checkRoles = requiredRoles;
loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/employee2/");
SendUsernameServlet.checkRoles = null;
SamlPrincipal principal = (SamlPrincipal) SendUsernameServlet.sentPrincipal;
Assert.assertNotNull(principal);
assertEquals(
"*****@*****.**", principal.getAttribute(X500SAMLProfileConstants.EMAIL.get()));
assertEquals("*****@*****.**", principal.getFriendlyAttribute("email"));
assertEquals("617", principal.getAttribute("phone"));
Assert.assertNull(principal.getFriendlyAttribute("phone"));
driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/?GLO=true");
checkLoggedOut(APP_SERVER_BASE_URL + "/employee2/", true);
}
keycloakRule.update(
new KeycloakRule.KeycloakSetup() {
@Override
public void config(
RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
ClientModel app = appRealm.getClientByClientId(APP_SERVER_BASE_URL + "/employee2/");
for (ProtocolMapperModel mapper : app.getProtocolMappers()) {
if (mapper.getName().equals("role-list")) {
app.removeProtocolMapper(mapper);
mapper.setId(null);
mapper.getConfig().put(RoleListMapper.SINGLE_ROLE_ATTRIBUTE, "true");
mapper.getConfig().put(AttributeStatementHelper.SAML_ATTRIBUTE_NAME, "memberOf");
app.addProtocolMapper(mapper);
}
}
app.addProtocolMapper(
HardcodedAttributeMapper.create(
"hardcoded-attribute",
"hardcoded-attribute",
"Basic",
null,
"hard",
false,
null));
app.addProtocolMapper(HardcodedRole.create("hardcoded-role", "hardcoded-role"));
app.addProtocolMapper(RoleNameMapper.create("renamed-role", "manager", "el-jefe"));
app.addProtocolMapper(
RoleNameMapper.create(
"renamed-employee-role",
APP_SERVER_BASE_URL + "/employee/.employee",
"pee-on"));
}
},
"demo");
System.out.println(">>>>>>>>>> single role attribute <<<<<<<<");
{
SendUsernameServlet.sentPrincipal = null;
SendUsernameServlet.checkRoles = null;
driver.navigate().to(APP_SERVER_BASE_URL + "/employee2/");
assertAtLoginPagePostBinding();
List<String> requiredRoles = new LinkedList<>();
requiredRoles.add("el-jefe");
requiredRoles.add("user");
requiredRoles.add("hardcoded-role");
requiredRoles.add("pee-on");
SendUsernameServlet.checkRoles = requiredRoles;
loginPage.login("bburke", "password");
assertEquals(driver.getCurrentUrl(), APP_SERVER_BASE_URL + "/employee2/");
SendUsernameServlet.checkRoles = null;
SamlPrincipal principal = (SamlPrincipal) SendUsernameServlet.sentPrincipal;
Assert.assertNotNull(principal);
assertEquals("hard", principal.getAttribute("hardcoded-attribute"));
}
}
@Test
public void testAttributes() throws Exception {
// this test has a hardcoded SAMLRequest and we hack a SP face servlet to get the SAMLResponse
// so we can look
// at the assertions sent. This is because Picketlink, AFAICT, does not give you any way to get
// access to
// the assertion.
{
SamlSPFacade.samlResponse = null;
driver.navigate().to("http://*****:*****@redhat.com");
email = true;
} else if (attr.getName().equals("phone")) {
Assert.assertEquals(
JBossSAMLURIConstants.ATTRIBUTE_FORMAT_BASIC.get(), attr.getNameFormat());
Assert.assertEquals(attr.getAttributeValue().get(0), "617");
phone = true;
} else if (attr.getName().equals("Role")) {
if (attr.getAttributeValue().get(0).equals("manager")) managerRole = true;
if (attr.getAttributeValue().get(0).equals("user")) userRole = true;
}
}
}
Assert.assertTrue(email);
Assert.assertTrue(phone);
Assert.assertTrue(userRole);
Assert.assertTrue(managerRole);
}
keycloakRule.update(
new KeycloakRule.KeycloakSetup() {
@Override
public void config(
RealmManager manager, RealmModel adminstrationRealm, RealmModel appRealm) {
ClientModel app = appRealm.getClientByClientId("http://localhost:8081/employee/");
for (ProtocolMapperModel mapper : app.getProtocolMappers()) {
if (mapper.getName().equals("role-list")) {
app.removeProtocolMapper(mapper);
mapper.setId(null);
mapper.getConfig().put(RoleListMapper.SINGLE_ROLE_ATTRIBUTE, "true");
mapper.getConfig().put(AttributeStatementHelper.SAML_ATTRIBUTE_NAME, "memberOf");
app.addProtocolMapper(mapper);
}
}
app.addProtocolMapper(
HardcodedAttributeMapper.create(
"hardcoded-attribute",
"hardcoded-attribute",
"Basic",
null,
"hard",
false,
null));
app.addProtocolMapper(HardcodedRole.create("hardcoded-role", "hardcoded-role"));
app.addProtocolMapper(RoleNameMapper.create("renamed-role", "manager", "el-jefe"));
app.addProtocolMapper(
RoleNameMapper.create(
"renamed-employee-role", "http://localhost:8081/employee/.employee", "pee-on"));
}
},
"demo");
System.out.println(">>>>>>>>>> single role attribute <<<<<<<<");
{
SamlSPFacade.samlResponse = null;
driver.navigate().to("http://localhost:8081/employee/");
System.out.println(driver.getCurrentUrl());
Assert.assertEquals(driver.getCurrentUrl(), "http://localhost:8081/employee/");
Assert.assertNotNull(SamlSPFacade.samlResponse);
SAML2Response saml2Response = new SAML2Response();
byte[] samlResponse = PostBindingUtil.base64Decode(SamlSPFacade.samlResponse);
ResponseType rt = saml2Response.getResponseType(new ByteArrayInputStream(samlResponse));
Assert.assertTrue(rt.getAssertions().size() == 1);
AssertionType assertion = rt.getAssertions().get(0).getAssertion();
// test attributes and roles
boolean userRole = false;
boolean managerRole = false;
boolean single = false;
boolean hardcodedRole = false;
boolean hardcodedAttribute = false;
boolean peeOn = false;
for (AttributeStatementType statement : assertion.getAttributeStatements()) {
for (AttributeStatementType.ASTChoiceType choice : statement.getAttributes()) {
AttributeType attr = choice.getAttribute();
if (attr.getName().equals("memberOf")) {
if (single) Assert.fail("too many role attributes");
single = true;
for (Object value : attr.getAttributeValue()) {
if (value.equals("el-jefe")) managerRole = true;
if (value.equals("user")) userRole = true;
if (value.equals("hardcoded-role")) hardcodedRole = true;
if (value.equals("pee-on")) peeOn = true;
}
} else if (attr.getName().equals("hardcoded-attribute")) {
hardcodedAttribute = true;
Assert.assertEquals(attr.getAttributeValue().get(0), "hard");
}
}
}
Assert.assertTrue(single);
Assert.assertTrue(hardcodedAttribute);
Assert.assertTrue(hardcodedRole);
Assert.assertTrue(peeOn);
Assert.assertTrue(userRole);
Assert.assertTrue(managerRole);
}
}
