// Test that when I update identityProvier, then the record in publicKey cache is cleared and it's
// not possible to authenticate with it anymore
@Test
public void testPublicKeyCacheInvalidatedWhenProviderUpdated() throws Exception {
// Configure OIDC identity provider with JWKS URL
updateIdentityProviderWithJwksUrl();
// Check that user is able to login
logInAsUserInIDPForFirstTime();
assertLoggedInAccountManagement();
logoutFromRealm(bc.consumerRealmName());
// Check that key is cached
IdentityProviderRepresentation idpRep = getIdentityProvider();
String expectedCacheKey =
PublicKeyStorageUtils.getIdpModelCacheKey(
consumerRealm().toRepresentation().getId(), idpRep.getInternalId());
TestingCacheResource cache =
testingClient
.testing(bc.consumerRealmName())
.cache(InfinispanConnectionProvider.KEYS_CACHE_NAME);
Assert.assertTrue(cache.contains(expectedCacheKey));
// Update identityProvider to some bad JWKS_URL
OIDCIdentityProviderConfigRep cfg = new OIDCIdentityProviderConfigRep(idpRep);
cfg.setJwksUrl("http://localhost:43214/non-existent");
updateIdentityProvider(idpRep);
// Check that key is not cached anymore
Assert.assertFalse(cache.contains(expectedCacheKey));
// Check that user is not able to login with IDP
setTimeOffset(20);
logInAsUserInIDP();
assertErrorPage("Unexpected error when authenticating with identity provider");
}
@Test
public void testClearKeysCache() throws Exception {
// Configure OIDC identity provider with JWKS URL
updateIdentityProviderWithJwksUrl();
// Check that user is able to login
logInAsUserInIDPForFirstTime();
assertLoggedInAccountManagement();
logoutFromRealm(bc.consumerRealmName());
// Check that key is cached
IdentityProviderRepresentation idpRep = getIdentityProvider();
String expectedCacheKey =
PublicKeyStorageUtils.getIdpModelCacheKey(
consumerRealm().toRepresentation().getId(), idpRep.getInternalId());
TestingCacheResource cache =
testingClient
.testing(bc.consumerRealmName())
.cache(InfinispanConnectionProvider.KEYS_CACHE_NAME);
Assert.assertTrue(cache.contains(expectedCacheKey));
// Clear cache and check nothing cached
consumerRealm().clearKeysCache();
Assert.assertFalse(cache.contains(expectedCacheKey));
Assert.assertEquals(cache.size(), 0);
}
private void testSingleLogout() {
log.debug("Testing single log out");
driver.navigate().to(getAccountUrl(providerRealmName()));
Assert.assertTrue(
"Should be logged in the account page", driver.getTitle().endsWith("Account Management"));
driver
.navigate()
.to(
getAuthRoot()
+ "/auth/realms/"
+ providerRealmName()
+ "/protocol/"
+ "openid-connect"
+ "/logout?redirect_uri="
+ encodeUrl(getAccountUrl(providerRealmName())));
waitForPage("log in to " + providerRealmName());
Assert.assertTrue(
"Should be on " + providerRealmName() + " realm",
driver.getCurrentUrl().contains("/auth/realms/" + providerRealmName()));
driver.navigate().to(getAccountUrl(consumerRealmName()));
Assert.assertTrue(
"Should be on " + consumerRealmName() + " realm on login page",
driver
.getCurrentUrl()
.contains("/auth/realms/" + consumerRealmName() + "/protocol/openid-connect/"));
}
@Test
public void loginWithExistingUser() {
logInAsUserInIDP();
Integer userCount = adminClient.realm(consumerRealmName()).users().count();
driver.navigate().to(getAccountUrl(consumerRealmName()));
log.debug("Clicking social " + getIDPAlias());
accountLoginPage.clickSocial(getIDPAlias());
waitForPage("log in to");
Assert.assertTrue(
"Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + providerRealmName() + "/"));
accountLoginPage.login(getUserLogin(), getUserPassword());
assertEquals(
accountPage.buildUri().toASCIIString().replace("master", "consumer") + "/",
driver.getCurrentUrl());
assertEquals(userCount, adminClient.realm(consumerRealmName()).users().count());
}
@Test
public void logInAsUserInIDP() {
driver.navigate().to(getAccountUrl(consumerRealmName()));
log.debug("Clicking social " + getIDPAlias());
accountLoginPage.clickSocial(getIDPAlias());
waitForPage("log in to");
Assert.assertTrue(
"Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + providerRealmName() + "/"));
log.debug("Logging in");
accountLoginPage.login(getUserLogin(), getUserPassword());
waitForPage("update account information");
Assert.assertTrue(updateAccountInformationPage.isCurrent());
Assert.assertTrue(
"We must be on correct realm right now",
driver.getCurrentUrl().contains("/auth/realms/" + consumerRealmName() + "/"));
log.debug("Updating info on updateAccount page");
updateAccountInformationPage.updateAccountInformation("Firstname", "Lastname");
UsersResource consumerUsers = adminClient.realm(consumerRealmName()).users();
int userCount = consumerUsers.count();
Assert.assertTrue("There must be at least one user", userCount > 0);
List<UserRepresentation> users = consumerUsers.search("", 0, userCount);
boolean isUserFound = false;
for (UserRepresentation user : users) {
if (user.getUsername().equals(getUserLogin()) && user.getEmail().equals(getUserEmail())) {
isUserFound = true;
break;
}
}
Assert.assertTrue(
"There must be user " + getUserLogin() + " in realm " + consumerRealmName(), isUserFound);
testSingleLogout();
}
// KEYCLOAK-3267
@Test
public void loginWithExistingUserWithBruteForceEnabled() {
adminClient
.realm(consumerRealmName())
.update(RealmBuilder.create().bruteForceProtected(true).failureFactor(2).build());
loginWithExistingUser();
driver.navigate().to(getAccountPasswordUrl(consumerRealmName()));
accountPasswordPage.changePassword("password", "password");
driver
.navigate()
.to(
getAuthRoot()
+ "/auth/realms/"
+ providerRealmName()
+ "/protocol/"
+ "openid-connect"
+ "/logout?redirect_uri="
+ encodeUrl(getAccountUrl(providerRealmName())));
driver.navigate().to(getAccountUrl(consumerRealmName()));
try {
waitForPage("log in to");
} catch (TimeoutException e) {
log.debug(driver.getTitle());
log.debug(driver.getPageSource());
Assert.fail("Timeout while waiting for login page");
}
for (int i = 0; i < 3; i++) {
try {
waitForElementEnabled("login");
} catch (TimeoutException e) {
Assert.fail("Timeout while waiting for login element enabled");
}
accountLoginPage.login(getUserLogin(), "invalid");
}
assertEquals("Invalid username or password.", accountLoginPage.getError());
accountLoginPage.clickSocial(getIDPAlias());
try {
waitForPage("log in to");
} catch (TimeoutException e) {
log.debug(driver.getTitle());
log.debug(driver.getPageSource());
Assert.fail("Timeout while waiting for login page");
}
Assert.assertTrue(
"Driver should be on the provider realm page right now",
driver.getCurrentUrl().contains("/auth/realms/" + providerRealmName() + "/"));
accountLoginPage.login(getUserLogin(), getUserPassword());
assertEquals("Account is disabled, contact admin.", errorPage.getError());
}