/**
 * Delete execution
 *
 * <p>Requires manage permission on the realm ({@code auth.requireManage()}). When the execution
 * references a nested flow ({@code getFlowId() != null}) that flow is removed first, then the
 * execution itself, and a single DELETE admin event is recorded.
 *
 * @param execution Execution id
 * @throws NotFoundException if no execution with that id exists; the transaction is marked
 *     rollback-only before throwing
 * @throws BadRequestException if the execution's parent flow is built in
 */
@Path("/executions/{executionId}")
@DELETE
@NoCache
public void removeExecution(@PathParam("executionId") String execution) {
    auth.requireManage();
    AuthenticationExecutionModel target = realm.getAuthenticationExecutionById(execution);
    if (target == null) {
        session.getTransaction().setRollbackOnly();
        throw new NotFoundException("Illegal execution");
    }
    if (getParentFlow(target).isBuiltIn()) {
        throw new BadRequestException("It is illegal to remove execution from a built in flow");
    }
    String nestedFlowId = target.getFlowId();
    if (nestedFlowId != null) {
        // the execution is a pointer to a nested flow; drop that flow before the execution
        realm.removeAuthenticationFlow(realm.getAuthenticationFlowById(nestedFlowId));
    }
    realm.removeAuthenticatorExecution(target);
    adminEvent.operation(OperationType.DELETE).resourcePath(uriInfo).success();
}
/**
 * Delete an authentication flow
 *
 * <p>Requires manage permission on the realm. Every execution of the flow is removed; for an
 * execution that references a nested flow, that nested flow is removed as well. Built-in flows
 * cannot be deleted.
 *
 * @param id Flow id
 * @throws NotFoundException if no flow with that id exists
 * @throws BadRequestException if the flow is built in
 */
@Path("/flows/{id}")
@DELETE
@NoCache
public void deleteFlow(@PathParam("id") String id) {
    auth.requireManage();
    AuthenticationFlowModel flow = realm.getAuthenticationFlowById(id);
    if (flow == null) {
        throw new NotFoundException("Could not find flow with id");
    }
    if (flow.isBuiltIn()) {
        throw new BadRequestException("Can't delete built in flow");
    }
    for (AuthenticationExecutionModel step : realm.getAuthenticationExecutions(id)) {
        String nestedFlowId = step.getFlowId();
        if (nestedFlowId != null) {
            realm.removeAuthenticationFlow(realm.getAuthenticationFlowById(nestedFlowId));
        }
        realm.removeAuthenticatorExecution(step);
    }
    realm.removeAuthenticationFlow(flow);
    // Use just one event for top-level flow. Using separate events won't work properly for flows
    // of depth 2 or bigger
    adminEvent.operation(OperationType.DELETE).resourcePath(uriInfo).success();
}
/**
 * Lower execution's priority
 *
 * <p>Requires manage permission. Swaps the priority value of the execution with the one that
 * follows it in the parent flow's sorted order (see {@code getSortedExecutions}); both
 * executions are persisted and one UPDATE admin event is recorded. Does nothing when the
 * execution is already last.
 *
 * @param execution Execution id
 * @throws NotFoundException if no execution with that id exists (transaction marked
 *     rollback-only first)
 * @throws BadRequestException if the parent flow is built in
 */
@Path("/executions/{executionId}/lower-priority")
@POST
@NoCache
public void lowerPriority(@PathParam("executionId") String execution) {
    auth.requireManage();
    AuthenticationExecutionModel target = realm.getAuthenticationExecutionById(execution);
    if (target == null) {
        session.getTransaction().setRollbackOnly();
        throw new NotFoundException("Illegal execution");
    }
    AuthenticationFlowModel parentFlow = getParentFlow(target);
    if (parentFlow.isBuiltIn()) {
        throw new BadRequestException("It is illegal to modify execution in a built in flow");
    }
    List<AuthenticationExecutionModel> siblings = getSortedExecutions(parentFlow);
    // position defaults to "past the end" so an execution missing from the list is a no-op
    int position = siblings.size();
    for (int idx = 0; idx < siblings.size(); idx++) {
        if (siblings.get(idx).getId().equals(target.getId())) {
            position = idx;
            break;
        }
    }
    if (position + 1 >= siblings.size()) {
        return;
    }
    AuthenticationExecutionModel follower = siblings.get(position + 1);
    int ownPriority = target.getPriority();
    target.setPriority(follower.getPriority());
    realm.updateAuthenticatorExecution(target);
    follower.setPriority(ownPriority);
    realm.updateAuthenticatorExecution(follower);
    adminEvent.operation(OperationType.UPDATE).resourcePath(uriInfo).success();
}
/**
 * Raise execution's priority
 *
 * <p>Requires manage permission. Swaps the priority value of the execution with the one that
 * precedes it in the parent flow's sorted order (see {@code getSortedExecutions}); both
 * executions are persisted and one UPDATE admin event is recorded. Does nothing when the
 * execution is already first.
 *
 * @param execution Execution id
 * @throws NotFoundException if no execution with that id exists (transaction marked
 *     rollback-only first)
 * @throws BadRequestException if the parent flow is built in
 */
@Path("/executions/{executionId}/raise-priority")
@POST
@NoCache
public void raisePriority(@PathParam("executionId") String execution) {
    auth.requireManage();
    AuthenticationExecutionModel target = realm.getAuthenticationExecutionById(execution);
    if (target == null) {
        session.getTransaction().setRollbackOnly();
        throw new NotFoundException("Illegal execution");
    }
    AuthenticationFlowModel parentFlow = getParentFlow(target);
    if (parentFlow.isBuiltIn()) {
        throw new BadRequestException("It is illegal to modify execution in a built in flow");
    }
    List<AuthenticationExecutionModel> siblings = getSortedExecutions(parentFlow);
    int position = siblings.size();
    for (int idx = 0; idx < siblings.size(); idx++) {
        if (siblings.get(idx).getId().equals(target.getId())) {
            position = idx;
            break;
        }
    }
    // NOTE(review): if the execution were absent from the list, position == size and the swap
    // partner would be the last entry — this mirrors the original loop; TODO confirm it cannot occur
    AuthenticationExecutionModel predecessor = position == 0 ? null : siblings.get(position - 1);
    if (predecessor == null) {
        return;
    }
    int predecessorPriority = predecessor.getPriority();
    predecessor.setPriority(target.getPriority());
    realm.updateAuthenticatorExecution(predecessor);
    target.setPriority(predecessorPriority);
    realm.updateAuthenticatorExecution(target);
    adminEvent.operation(OperationType.UPDATE).resourcePath(uriInfo).success();
}
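/**
 * Create a new authentication flow
 *
 * <p>Requires manage permission. The alias must be non-empty and not already used by another
 * flow in the realm. On success the representation's id is filled in, a CREATE admin event
 * carrying the representation is recorded and 201 is returned.
 *
 * @param flow Authentication flow representation
 * @return 201 on success; an error response (via {@code ErrorResponse.exists}) when the alias is
 *     empty or already taken
 * @throws BadRequestException if no request body was supplied
 */
@Path("/flows")
@POST
@NoCache
@Consumes(MediaType.APPLICATION_JSON)
public Response createFlow(AuthenticationFlowRepresentation flow) {
    auth.requireManage();
    // a missing body used to surface as a NullPointerException (HTTP 500); reject it explicitly
    if (flow == null) {
        throw new BadRequestException("Missing authentication flow representation");
    }
    String alias = flow.getAlias();
    if (alias == null || alias.isEmpty()) {
        return ErrorResponse.exists("Failed to create flow with empty alias name");
    }
    if (realm.getFlowByAlias(alias) != null) {
        return ErrorResponse.exists("Flow " + alias + " already exists");
    }
    AuthenticationFlowModel createdModel = realm.addAuthenticationFlow(RepresentationToModel.toModel(flow));
    flow.setId(createdModel.getId());
    adminEvent
        .operation(OperationType.CREATE)
        .resourcePath(uriInfo, createdModel.getId())
        .representation(flow)
        .success();
    return Response.status(201).build();
}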
/**
 * Get authentication flows
 *
 * <p>Returns a list of authentication flows. Only top-level flows are included; nested flows are
 * skipped. Requires at least view access ({@code auth.requireAny()}).
 *
 * @return representations of the realm's top-level flows, in the order the realm returns them
 */
@Path("/flows")
@GET
@NoCache
@Produces(MediaType.APPLICATION_JSON)
public List<AuthenticationFlowRepresentation> getFlows() {
    auth.requireAny();
    List<AuthenticationFlowRepresentation> topLevel = new LinkedList<>();
    for (AuthenticationFlowModel candidate : realm.getAuthenticationFlows()) {
        if (!candidate.isTopLevel()) {
            continue;
        }
        topLevel.add(ModelToRepresentation.toRepresentation(realm, candidate));
    }
    return topLevel;
}
/**
 * Returns the executions of the given flow ordered by {@code ExecutionComparator.SINGLETON}.
 *
 * @param parentFlow flow whose executions are listed
 * @return a fresh, sorted list; the realm's own collection is not modified
 */
public List<AuthenticationExecutionModel> getSortedExecutions(AuthenticationFlowModel parentFlow) {
    String flowId = parentFlow.getId();
    List<AuthenticationExecutionModel> ordered = new LinkedList<>();
    ordered.addAll(realm.getAuthenticationExecutions(flowId));
    Collections.sort(ordered, AuthenticationExecutionModel.ExecutionComparator.SINGLETON);
    return ordered;
}
/**
 * Runs an authentication flow (or one action of it) through an {@code AuthenticationProcessor}.
 *
 * @param execution id of the execution to act on; when {@code null} the whole flow is
 *     authenticated from the start
 * @param clientSession client session the flow runs in
 * @param flowPath URL path of the flow, handed to the processor
 * @param flow flow to execute
 * @param errorMessage optional message forwarded to the login form as a {@code FormMessage};
 *     ignored when {@code null}
 * @return the processor's response; any exception thrown while processing is turned into a
 *     response by {@code handleBrowserException}
 */
protected Response processFlow(
        String execution,
        ClientSessionModel clientSession,
        String flowPath,
        AuthenticationFlowModel flow,
        String errorMessage) {
    AuthenticationProcessor processor = new AuthenticationProcessor();
    processor
        .setClientSession(clientSession)
        .setFlowPath(flowPath)
        .setFlowId(flow.getId())
        .setConnection(clientConnection)
        .setEventBuilder(event)
        .setProtector(authManager.getProtector())
        .setRealm(realm)
        .setSession(session)
        .setUriInfo(uriInfo)
        .setRequest(request);
    if (errorMessage != null) {
        processor.setForwardedErrorMessage(new FormMessage(null, errorMessage));
    }
    try {
        return execution == null
            ? processor.authenticate()
            : processor.authenticationAction(execution);
    } catch (Exception e) {
        // the processor owns error rendering for the browser flow
        return processor.handleBrowserException(e);
    }
}
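/**
 * Add new authentication execution to a flow
 *
 * <p>Requires manage permission. The provider is validated against the registered provider
 * factories; which factory type is consulted depends on the parent flow's provider id (client
 * flow, form flow, otherwise authenticator). The execution is created DISABLED with the next
 * free priority, its id is written back into {@code data} and a CREATE admin event with that
 * data is recorded.
 *
 * @param flowAlias Alias of parent flow
 * @param data New execution JSON data containing 'provider' attribute
 * @throws BadRequestException if the parent flow does not exist, is built in, the request data
 *     or its 'provider' attribute is missing, or no provider factory matches
 */
@Path("/flows/{flowAlias}/executions/execution")
@POST
@NoCache
@Consumes(MediaType.APPLICATION_JSON)
public void addExecution(@PathParam("flowAlias") String flowAlias, Map<String, String> data) {
    auth.requireManage();
    AuthenticationFlowModel parentFlow = realm.getFlowByAlias(flowAlias);
    if (parentFlow == null) {
        throw new BadRequestException("Parent flow doesn't exists");
    }
    if (parentFlow.isBuiltIn()) {
        throw new BadRequestException("It is illegal to add execution to a built in flow");
    }
    // a missing body or attribute previously failed with a NullPointerException (HTTP 500)
    String provider = data == null ? null : data.get("provider");
    if (provider == null) {
        throw new BadRequestException("Missing 'provider' attribute");
    }
    // make sure provider is one of the registered providers. Constant-first equals matches the
    // style used in recurseExecutions and tolerates a flow without a provider id.
    String flowType = parentFlow.getProviderId();
    ProviderFactory f;
    if (AuthenticationFlow.CLIENT_FLOW.equals(flowType)) {
        f = session.getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, provider);
    } else if (AuthenticationFlow.FORM_FLOW.equals(flowType)) {
        f = session.getKeycloakSessionFactory().getProviderFactory(FormAction.class, provider);
    } else {
        f = session.getKeycloakSessionFactory().getProviderFactory(Authenticator.class, provider);
    }
    if (f == null) {
        throw new BadRequestException("No authentication provider found for id: " + provider);
    }
    AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
    execution.setParentFlow(parentFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED);
    execution.setAuthenticatorFlow(false);
    execution.setAuthenticator(provider);
    execution.setPriority(getNextPriority(parentFlow));
    execution = realm.addAuthenticatorExecution(execution);
    data.put("id", execution.getId());
    adminEvent.operation(OperationType.CREATE).resourcePath(uriInfo).representation(data).success();
}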
/**
 * Add new authentication execution
 *
 * <p>Requires manage permission. The representation is converted to a model, assigned the next
 * free priority in its parent flow and persisted; a CREATE admin event carrying the original
 * representation is recorded.
 *
 * @param execution JSON model describing authentication execution
 * @return 201 Created whose Location points at the new execution id
 * @throws BadRequestException if the parent flow is built in
 */
@Path("/executions")
@POST
@NoCache
@Consumes(MediaType.APPLICATION_JSON)
public Response addExecution(AuthenticationExecutionRepresentation execution) {
    auth.requireManage();
    AuthenticationExecutionModel created = RepresentationToModel.toModel(realm, execution);
    AuthenticationFlowModel owner = getParentFlow(created);
    if (owner.isBuiltIn()) {
        throw new BadRequestException("It is illegal to add execution to a built in flow");
    }
    created.setPriority(getNextPriority(owner));
    created = realm.addAuthenticatorExecution(created);
    String newId = created.getId();
    adminEvent
        .operation(OperationType.CREATE)
        .resourcePath(uriInfo, newId)
        .representation(execution)
        .success();
    return Response.created(uriInfo.getAbsolutePathBuilder().path(newId).build()).build();
}
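/**
 * Delete authenticator configuration
 *
 * <p>Requires manage permission. Before the config is removed, every execution in every flow of
 * the realm that references it has its authenticator config cleared and is persisted, so no
 * execution is left pointing at a deleted config id. One DELETE admin event is recorded.
 *
 * @param id Configuration id
 * @throws NotFoundException if no config with that id exists
 */
@Path("config/{id}")
@DELETE
@NoCache
public void removeAuthenticatorConfig(@PathParam("id") String id) {
    auth.requireManage();
    AuthenticatorConfigModel config = realm.getAuthenticatorConfigById(id);
    if (config == null) {
        throw new NotFoundException("Could not find authenticator config");
    }
    // (an unused local list that was built here has been dropped)
    for (AuthenticationFlowModel flow : realm.getAuthenticationFlows()) {
        for (AuthenticationExecutionModel exe : realm.getAuthenticationExecutions(flow.getId())) {
            if (id.equals(exe.getAuthenticatorConfig())) {
                exe.setAuthenticatorConfig(null);
                realm.updateAuthenticatorExecution(exe);
            }
        }
    }
    realm.removeAuthenticatorConfig(config);
    adminEvent.operation(OperationType.DELETE).resourcePath(uriInfo).success();
}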
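/**
 * Add new flow with new execution to existing flow
 *
 * <p>Requires manage permission. Creates a nested flow (alias/description/type from
 * {@code data}) and an execution in the parent flow that points at it; the execution is created
 * DISABLED with the next free priority. The new execution id is written back into {@code data}
 * and a CREATE admin event with that data is recorded.
 *
 * @param flowAlias Alias of parent authentication flow
 * @param data New authentication flow / execution JSON data containing 'alias', 'type',
 *     'provider', and 'description' attributes
 * @throws BadRequestException if the parent flow does not exist or is built in, the request data
 *     is missing, the new alias is empty, or a flow with the new alias already exists
 */
@Path("/flows/{flowAlias}/executions/flow")
@POST
@NoCache
@Consumes(MediaType.APPLICATION_JSON)
public void addExecutionFlow(@PathParam("flowAlias") String flowAlias, Map<String, String> data) {
    auth.requireManage();
    AuthenticationFlowModel parentFlow = realm.getFlowByAlias(flowAlias);
    if (parentFlow == null) {
        throw new BadRequestException("Parent flow doesn't exists");
    }
    // same rule as addExecution: built-in flows must not be modified through this resource
    if (parentFlow.isBuiltIn()) {
        throw new BadRequestException("It is illegal to add execution to a built in flow");
    }
    if (data == null) {
        throw new BadRequestException("Missing request data");
    }
    String alias = data.get("alias");
    String type = data.get("type");
    String provider = data.get("provider");
    String description = data.get("description");
    // same rule as createFlow: a flow needs a non-empty alias
    if (alias == null || alias.isEmpty()) {
        throw new BadRequestException("New flow alias name is empty");
    }
    if (realm.getFlowByAlias(alias) != null) {
        throw new BadRequestException("New flow alias name already exists");
    }
    // NOTE(review): builtIn/topLevel are left at the model's defaults here, whereas copy() sets
    // both to false explicitly — TODO confirm the defaults are false
    AuthenticationFlowModel newFlow = new AuthenticationFlowModel();
    newFlow.setAlias(alias);
    newFlow.setDescription(description);
    newFlow.setProviderId(type);
    newFlow = realm.addAuthenticationFlow(newFlow);
    AuthenticationExecutionModel execution = new AuthenticationExecutionModel();
    execution.setParentFlow(parentFlow.getId());
    execution.setFlowId(newFlow.getId());
    execution.setRequirement(AuthenticationExecutionModel.Requirement.DISABLED);
    execution.setAuthenticatorFlow(true);
    execution.setAuthenticator(provider);
    execution.setPriority(getNextPriority(parentFlow));
    execution = realm.addAuthenticatorExecution(execution);
    data.put("id", execution.getId());
    adminEvent.operation(OperationType.CREATE).resourcePath(uriInfo).representation(data).success();
}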
/**
 * Appends an info representation for every execution of {@code flow} to {@code result}, depth
 * first: an execution that points at a nested flow is added and then that nested flow's
 * executions follow it at {@code level + 1}.
 *
 * <p>For a nested-flow execution the requirement choices depend on the nested flow's provider id
 * (basic/client: ALTERNATIVE, REQUIRED, DISABLED; form: REQUIRED, DISABLED). For a plain
 * execution they come from the authenticator's {@code ConfigurableAuthenticatorFactory}.
 *
 * @param flow flow whose executions are listed
 * @param result list that receives the representations, in flow order
 * @param level nesting depth written into each representation (top-level callers pass 0)
 */
public void recurseExecutions(AuthenticationFlowModel flow, List<AuthenticationExecutionInfoRepresentation> result, int level) {
    // index restarts at 0 for each flow; it is the position within this flow, not globally
    int index = 0;
    List<AuthenticationExecutionModel> executions = realm.getAuthenticationExecutions(flow.getId());
    for (AuthenticationExecutionModel execution : executions) {
        AuthenticationExecutionInfoRepresentation rep = new AuthenticationExecutionInfoRepresentation();
        rep.setLevel(level);
        rep.setIndex(index++);
        rep.setRequirementChoices(new LinkedList<String>());
        if (execution.isAuthenticatorFlow()) {
            // NOTE(review): a dangling flow id would make flowRef null and fail on getProviderId()
            // — TODO confirm the model layer guarantees the reference
            AuthenticationFlowModel flowRef = realm.getAuthenticationFlowById(execution.getFlowId());
            if (AuthenticationFlow.BASIC_FLOW.equals(flowRef.getProviderId())) {
                rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.ALTERNATIVE.name());
                rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.REQUIRED.name());
                rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.DISABLED.name());
            } else if (AuthenticationFlow.FORM_FLOW.equals(flowRef.getProviderId())) {
                rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.REQUIRED.name());
                rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.DISABLED.name());
                // only the form-flow branch exposes providerId/config for a nested-flow execution
                rep.setProviderId(execution.getAuthenticator());
                rep.setAuthenticationConfig(execution.getAuthenticatorConfig());
            } else if (AuthenticationFlow.CLIENT_FLOW.equals(flowRef.getProviderId())) {
                rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.ALTERNATIVE.name());
                rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.REQUIRED.name());
                rep.getRequirementChoices().add(AuthenticationExecutionModel.Requirement.DISABLED.name());
            }
            rep.setDisplayName(flowRef.getAlias());
            rep.setConfigurable(false);
            rep.setId(execution.getId());
            rep.setAuthenticationFlow(execution.isAuthenticatorFlow());
            rep.setRequirement(execution.getRequirement().name());
            rep.setFlowId(execution.getFlowId());
            result.add(rep);
            // the nested flow is looked up a second time here; same id as flowRef above
            AuthenticationFlowModel subFlow = realm.getAuthenticationFlowById(execution.getFlowId());
            recurseExecutions(subFlow, result, level + 1);
        } else {
            String providerId = execution.getAuthenticator();
            ConfigurableAuthenticatorFactory factory = CredentialHelper.getConfigurableAuthenticatorFactory(session, providerId);
            rep.setDisplayName(factory.getDisplayType());
            rep.setConfigurable(factory.isConfigurable());
            for (AuthenticationExecutionModel.Requirement choice : factory.getRequirementChoices()) {
                rep.getRequirementChoices().add(choice.name());
            }
            rep.setId(execution.getId());
            if (factory.isConfigurable()) {
                // the config alias is only resolved for configurable authenticators and only if
                // the referenced config still exists
                AuthenticatorConfigModel authenticatorConfig = realm.getAuthenticatorConfigById(execution.getAuthenticatorConfig());
                if (authenticatorConfig != null) {
                    rep.setAlias(authenticatorConfig.getAlias());
                }
            }
            rep.setRequirement(execution.getRequirement().name());
            rep.setProviderId(execution.getAuthenticator());
            rep.setAuthenticationConfig(execution.getAuthenticatorConfig());
            result.add(rep);
        }
    }
}
/**
 * Copies every execution of {@code from} into {@code to}. Executions that point at a nested flow
 * get a freshly created copy of that flow (alias prefixed with {@code newName}, not built in,
 * not top level) and recurse into it.
 *
 * <p>The execution models returned by the realm are re-targeted in place (id cleared, parent
 * set to {@code to}) before being added again.
 *
 * @param newName alias prefix used for copied nested flows
 * @param from flow whose executions are copied
 * @param to already persisted flow that receives the copies
 */
protected void copy(String newName, AuthenticationFlowModel from, AuthenticationFlowModel to) {
    for (AuthenticationExecutionModel step : realm.getAuthenticationExecutions(from.getId())) {
        if (step.isAuthenticatorFlow()) {
            AuthenticationFlowModel source = realm.getAuthenticationFlowById(step.getFlowId());
            AuthenticationFlowModel cloned = newNestedFlowCopy(newName, source);
            step.setFlowId(cloned.getId());
            copy(newName, source, cloned);
        }
        step.setId(null);
        step.setParentFlow(to.getId());
        realm.addAuthenticatorExecution(step);
    }
}

/**
 * Persists a non-built-in, non-top-level copy of {@code source} whose alias is
 * {@code newName + " " + source.getAlias()}.
 *
 * @return the persisted copy (with its id assigned by the realm)
 */
private AuthenticationFlowModel newNestedFlowCopy(String newName, AuthenticationFlowModel source) {
    AuthenticationFlowModel cloned = new AuthenticationFlowModel();
    cloned.setAlias(newName + " " + source.getAlias());
    cloned.setDescription(source.getDescription());
    cloned.setProviderId(source.getProviderId());
    cloned.setBuiltIn(false);
    cloned.setTopLevel(false);
    return realm.addAuthenticationFlow(cloned);
}
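/**
 * Copy existing authentication flow under a new name
 *
 * <p>The new name is given as 'newName' attribute of the passed JSON object. Requires manage
 * permission. The copy is never built in and keeps the source's top-level flag; its executions
 * (and nested flows) are copied by {@code copy(String, AuthenticationFlowModel,
 * AuthenticationFlowModel)}. The new flow id is written back into {@code data} and a CREATE admin
 * event with that data is recorded.
 *
 * @param flowAlias Name of the existing authentication flow
 * @param data JSON containing 'newName' attribute
 * @return 201 on success; 400 when the body or 'newName' is missing or empty; 409 when a flow
 *     with the new name already exists; 404 when the source flow does not exist
 */
@Path("/flows/{flowAlias}/copy")
@POST
@NoCache
@Consumes(MediaType.APPLICATION_JSON)
public Response copy(@PathParam("flowAlias") String flowAlias, Map<String, String> data) {
    auth.requireManage();
    // a missing or empty newName previously produced a flow with a null/empty alias
    String newName = data == null ? null : data.get("newName");
    if (newName == null || newName.isEmpty()) {
        return Response.status(Response.Status.BAD_REQUEST).build();
    }
    if (realm.getFlowByAlias(newName) != null) {
        return Response.status(Response.Status.CONFLICT).build();
    }
    AuthenticationFlowModel flow = realm.getFlowByAlias(flowAlias);
    if (flow == null) {
        logger.debug("flow not found: " + flowAlias);
        return Response.status(NOT_FOUND).build();
    }
    AuthenticationFlowModel copy = new AuthenticationFlowModel();
    copy.setAlias(newName);
    copy.setDescription(flow.getDescription());
    copy.setProviderId(flow.getProviderId());
    copy.setBuiltIn(false);
    copy.setTopLevel(flow.isTopLevel());
    copy = realm.addAuthenticationFlow(copy);
    copy(newName, flow, copy);
    data.put("id", copy.getId());
    adminEvent.operation(OperationType.CREATE).resourcePath(uriInfo).representation(data).success();
    return Response.status(201).build();
}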
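// Moved to static method, so it's possible to test this from other places too (for example
// export-import tests)
/**
 * Asserts that {@code realm} holds exactly the content of the test import fixture: required
 * credentials, default roles, clients and their registered nodes, role/scope mappings, user
 * attributes, federated identities, SMTP config, identity/federation providers and mappers,
 * built-in flows, protocol mappers, consents and service accounts.
 *
 * <p>Also exercises removing and re-adding a federated identity on the imported social user, so
 * the realm is left in its imported state afterwards.
 *
 * @param session session used for user lookups
 * @param realm imported realm under test
 */
public static void assertDataImportedInRealm(KeycloakSession session, RealmModel realm) {
    Assert.assertTrue(realm.isVerifyEmail());

    List<RequiredCredentialModel> creds = realm.getRequiredCredentials();
    Assert.assertEquals(1, creds.size());
    RequiredCredentialModel cred = creds.get(0);
    Assert.assertEquals("password", cred.getFormLabel());

    Assert.assertEquals(3, realm.getDefaultRoles().size());
    Assert.assertNotNull(realm.getRole("foo"));
    Assert.assertNotNull(realm.getRole("bar"));

    UserModel user = session.users().getUserByUsername("loginclient", realm);
    Assert.assertNotNull(user);
    Assert.assertEquals(0, session.users().getFederatedIdentities(user, realm).size());

    List<ClientModel> resources = realm.getClients();
    Assert.assertEquals(7, resources.size());

    // Test applications imported
    ClientModel application = realm.getClientByClientId("Application");
    ClientModel otherApp = realm.getClientByClientId("OtherApp");
    ClientModel accountApp = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
    ClientModel nonExisting = realm.getClientByClientId("NonExisting");
    Assert.assertNotNull(application);
    Assert.assertNotNull(otherApp);
    Assert.assertNull(nonExisting);

    Map<String, ClientModel> clients = realm.getClientNameMap();
    Assert.assertEquals(7, clients.size());
    Assert.assertTrue(clients.values().contains(application));
    Assert.assertTrue(clients.values().contains(otherApp));
    Assert.assertTrue(clients.values().contains(accountApp));
    // the containsAll result was previously computed and discarded; it is now asserted
    Assert.assertTrue(realm.getClients().containsAll(clients.values()));

    Assert.assertEquals("Applicationn", application.getName());
    Assert.assertEquals(50, application.getNodeReRegistrationTimeout());
    Map<String, Integer> appRegisteredNodes = application.getRegisteredNodes();
    Assert.assertEquals(2, appRegisteredNodes.size());
    // boxed comparison: a missing node fails the assertion instead of throwing on unboxing
    Assert.assertEquals(Integer.valueOf(10), appRegisteredNodes.get("node1"));
    Assert.assertEquals(Integer.valueOf(20), appRegisteredNodes.get("172.10.15.20"));

    // test clientAuthenticatorType (expected value first, as JUnit's assertEquals expects)
    Assert.assertEquals("client-secret", application.getClientAuthenticatorType());
    Assert.assertEquals("client-jwt", otherApp.getClientAuthenticatorType());

    // Test finding applications by ID
    Assert.assertNull(realm.getClientById("982734"));
    Assert.assertEquals(application, realm.getClientById(application.getId()));

    // Test role mappings
    UserModel admin = session.users().getUserByUsername("admin", realm);
    // user without creation timestamp in import
    Assert.assertNull(admin.getCreatedTimestamp());
    Set<RoleModel> allRoles = admin.getRoleMappings();
    Assert.assertEquals(3, allRoles.size());
    Assert.assertTrue(allRoles.contains(realm.getRole("admin")));
    Assert.assertTrue(allRoles.contains(application.getRole("app-admin")));
    Assert.assertTrue(allRoles.contains(otherApp.getRole("otherapp-admin")));

    Assert.assertTrue(application.getRole("app-admin").isScopeParamRequired());
    Assert.assertFalse(otherApp.getRole("otherapp-admin").isScopeParamRequired());
    Assert.assertFalse(otherApp.getRole("otherapp-user").isScopeParamRequired());

    UserModel wburke = session.users().getUserByUsername("wburke", realm);
    // user with creation timestamp in import
    Assert.assertEquals(Long.valueOf(123654), wburke.getCreatedTimestamp());
    allRoles = wburke.getRoleMappings();
    Assert.assertEquals(2, allRoles.size());
    Assert.assertFalse(allRoles.contains(realm.getRole("admin")));
    Assert.assertTrue(allRoles.contains(application.getRole("app-user")));
    Assert.assertTrue(allRoles.contains(otherApp.getRole("otherapp-user")));

    Assert.assertEquals(0, wburke.getRealmRoleMappings().size());

    UserModel loginclient = session.users().getUserByUsername("loginclient", realm);
    // user with creation timestamp as string in import
    Assert.assertEquals(Long.valueOf(123655), loginclient.getCreatedTimestamp());

    Set<RoleModel> realmRoles = admin.getRealmRoleMappings();
    Assert.assertEquals(1, realmRoles.size());
    Assert.assertEquals("admin", realmRoles.iterator().next().getName());

    Set<RoleModel> appRoles = admin.getClientRoleMappings(application);
    Assert.assertEquals(1, appRoles.size());
    Assert.assertEquals("app-admin", appRoles.iterator().next().getName());

    // Test attributes
    Map<String, List<String>> attrs = wburke.getAttributes();
    Assert.assertEquals(1, attrs.size());
    List<String> attrVals = attrs.get("email");
    Assert.assertEquals(1, attrVals.size());
    Assert.assertEquals("*****@*****.**", attrVals.get(0));

    attrs = admin.getAttributes();
    Assert.assertEquals(2, attrs.size());
    attrVals = attrs.get("key1");
    Assert.assertEquals(1, attrVals.size());
    Assert.assertEquals("val1", attrVals.get(0));
    attrVals = attrs.get("key2");
    Assert.assertEquals(2, attrVals.size());
    Assert.assertTrue(attrVals.contains("val21") && attrVals.contains("val22"));

    // Test client
    ClientModel oauthClient = realm.getClientByClientId("oauthclient");
    // the null check must precede the first dereference to produce a meaningful failure
    Assert.assertNotNull(oauthClient);
    Assert.assertEquals("clientpassword", oauthClient.getSecret());
    Assert.assertTrue(oauthClient.isEnabled());

    // Test scope relationship
    Set<RoleModel> allScopes = oauthClient.getScopeMappings();
    Assert.assertEquals(2, allScopes.size());
    Assert.assertTrue(allScopes.contains(realm.getRole("admin")));
    Assert.assertTrue(allScopes.contains(application.getRole("app-user")));

    Set<RoleModel> realmScopes = oauthClient.getRealmScopeMappings();
    Assert.assertTrue(realmScopes.contains(realm.getRole("admin")));

    Set<RoleModel> appScopes = application.getClientScopeMappings(oauthClient);
    Assert.assertTrue(appScopes.contains(application.getRole("app-user")));

    // Test social linking
    UserModel socialUser = session.users().getUserByUsername("mySocialUser", realm);
    Set<FederatedIdentityModel> socialLinks = session.users().getFederatedIdentities(socialUser, realm);
    Assert.assertEquals(3, socialLinks.size());
    boolean facebookFound = false;
    boolean googleFound = false;
    boolean twitterFound = false;
    for (FederatedIdentityModel federatedIdentityModel : socialLinks) {
        if ("facebook".equals(federatedIdentityModel.getIdentityProvider())) {
            facebookFound = true;
            Assert.assertEquals("facebook1", federatedIdentityModel.getUserId());
            Assert.assertEquals("fbuser1", federatedIdentityModel.getUserName());
        } else if ("google".equals(federatedIdentityModel.getIdentityProvider())) {
            googleFound = true;
            Assert.assertEquals("google1", federatedIdentityModel.getUserId());
            Assert.assertEquals("*****@*****.**", federatedIdentityModel.getUserName());
        } else if ("twitter".equals(federatedIdentityModel.getIdentityProvider())) {
            twitterFound = true;
            Assert.assertEquals("twitter1", federatedIdentityModel.getUserId());
            Assert.assertEquals("twuser1", federatedIdentityModel.getUserName());
        }
    }
    Assert.assertTrue(facebookFound && twitterFound && googleFound);

    UserModel foundSocialUser = session
        .users()
        .getUserByFederatedIdentity(new FederatedIdentityModel("facebook", "facebook1", "fbuser1"), realm);
    Assert.assertEquals(socialUser.getUsername(), foundSocialUser.getUsername());
    Assert.assertNull(
        session
            .users()
            .getUserByFederatedIdentity(
                new FederatedIdentityModel("facebook", "not-existing", "not-existing"), realm));

    FederatedIdentityModel foundSocialLink = session.users().getFederatedIdentity(socialUser, "facebook", realm);
    Assert.assertEquals("facebook1", foundSocialLink.getUserId());
    Assert.assertEquals("fbuser1", foundSocialLink.getUserName());
    Assert.assertEquals("facebook", foundSocialLink.getIdentityProvider());

    // Test removing social link (and restore it so later checks see the imported state)
    Assert.assertTrue(session.users().removeFederatedIdentity(realm, socialUser, "facebook"));
    Assert.assertNull(session.users().getFederatedIdentity(socialUser, "facebook", realm));
    Assert.assertFalse(session.users().removeFederatedIdentity(realm, socialUser, "facebook"));
    session
        .users()
        .addFederatedIdentity(realm, socialUser, new FederatedIdentityModel("facebook", "facebook1", "fbuser1"));

    // Test smtp config
    Map<String, String> smtpConfig = realm.getSmtpConfig();
    Assert.assertEquals(3, smtpConfig.size());
    Assert.assertEquals("*****@*****.**", smtpConfig.get("from"));
    Assert.assertEquals("localhost", smtpConfig.get("host"));
    Assert.assertEquals("3025", smtpConfig.get("port"));

    // Test identity providers
    List<IdentityProviderModel> identityProviders = realm.getIdentityProviders();
    Assert.assertEquals(1, identityProviders.size());
    IdentityProviderModel google = identityProviders.get(0);
    Assert.assertEquals("google1", google.getAlias());
    Assert.assertEquals("google", google.getProviderId());
    Assert.assertTrue(google.isEnabled());
    Assert.assertEquals("googleId", google.getConfig().get("clientId"));
    Assert.assertEquals("googleSecret", google.getConfig().get("clientSecret"));

    // Test federation providers
    List<UserFederationProviderModel> fedProviders = realm.getUserFederationProviders();
    Assert.assertEquals(2, fedProviders.size());
    UserFederationProviderModel ldap1 = fedProviders.get(0);
    Assert.assertEquals("MyLDAPProvider1", ldap1.getDisplayName());
    Assert.assertEquals("ldap", ldap1.getProviderName());
    Assert.assertEquals(1, ldap1.getPriority());
    Assert.assertEquals("ldap://foo", ldap1.getConfig().get(LDAPConstants.CONNECTION_URL));
    UserFederationProviderModel ldap2 = fedProviders.get(1);
    Assert.assertEquals("MyLDAPProvider2", ldap2.getDisplayName());
    Assert.assertEquals("ldap://bar", ldap2.getConfig().get(LDAPConstants.CONNECTION_URL));

    // Test federation mappers
    Set<UserFederationMapperModel> fedMappers1 = realm.getUserFederationMappersByFederationProvider(ldap1.getId());
    Assert.assertEquals(1, fedMappers1.size());
    UserFederationMapperModel fullNameMapper = fedMappers1.iterator().next();
    Assert.assertEquals("FullNameMapper", fullNameMapper.getName());
    Assert.assertEquals(FullNameLDAPFederationMapperFactory.PROVIDER_ID, fullNameMapper.getFederationMapperType());
    Assert.assertEquals(ldap1.getId(), fullNameMapper.getFederationProviderId());
    Assert.assertEquals("cn", fullNameMapper.getConfig().get(FullNameLDAPFederationMapper.LDAP_FULL_NAME_ATTRIBUTE));

    // All builtin LDAP mappers should be here
    Set<UserFederationMapperModel> fedMappers2 = realm.getUserFederationMappersByFederationProvider(ldap2.getId());
    Assert.assertTrue(fedMappers2.size() > 3);
    Set<UserFederationMapperModel> allMappers = realm.getUserFederationMappers();
    Assert.assertEquals(fedMappers1.size() + fedMappers2.size(), allMappers.size());

    // Assert that federation link wasn't created during import
    UserFederationProviderFactory factory =
        (UserFederationProviderFactory)
            session.getKeycloakSessionFactory().getProviderFactory(UserFederationProvider.class, "dummy");
    Assert.assertNull(factory.getInstance(session, null).getUserByUsername(realm, "wburke"));

    // Test builtin authentication flows
    AuthenticationFlowModel clientFlow = realm.getClientAuthenticationFlow();
    Assert.assertEquals(DefaultAuthenticationFlows.CLIENT_AUTHENTICATION_FLOW, clientFlow.getAlias());
    Assert.assertNotNull(realm.getAuthenticationFlowById(clientFlow.getId()));
    Assert.assertTrue(realm.getAuthenticationExecutions(clientFlow.getId()).size() > 0);

    AuthenticationFlowModel resetFlow = realm.getResetCredentialsFlow();
    Assert.assertEquals(DefaultAuthenticationFlows.RESET_CREDENTIALS_FLOW, resetFlow.getAlias());
    Assert.assertNotNull(realm.getAuthenticationFlowById(resetFlow.getId()));
    Assert.assertTrue(realm.getAuthenticationExecutions(resetFlow.getId()).size() > 0);

    // Test protocol mappers. Default application has all the builtin protocol mappers. OtherApp
    // just gss credential
    Assert.assertNotNull(application.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, "username"));
    Assert.assertNotNull(application.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, "email"));
    Assert.assertNotNull(application.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, "given name"));
    Assert.assertNull(
        application.getProtocolMapperByName(
            OIDCLoginProtocol.LOGIN_PROTOCOL, KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME));

    Assert.assertEquals(1, otherApp.getProtocolMappers().size());
    Assert.assertNull(otherApp.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, "username"));
    ProtocolMapperModel gssCredentialMapper =
        otherApp.getProtocolMapperByName(
            OIDCLoginProtocol.LOGIN_PROTOCOL, KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME);
    Assert.assertEquals(KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME, gssCredentialMapper.getName());
    Assert.assertEquals(OIDCLoginProtocol.LOGIN_PROTOCOL, gssCredentialMapper.getProtocol());
    Assert.assertEquals(UserSessionNoteMapper.PROVIDER_ID, gssCredentialMapper.getProtocolMapper());
    String includeInAccessToken = gssCredentialMapper.getConfig().get(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN);
    String includeInIdToken = gssCredentialMapper.getConfig().get(OIDCAttributeMapperHelper.INCLUDE_IN_ID_TOKEN);
    // parseBoolean is a case-insensitive "true" check that tolerates null (fails the assertion
    // instead of throwing)
    Assert.assertTrue(Boolean.parseBoolean(includeInAccessToken));
    Assert.assertTrue(includeInIdToken == null || !Boolean.parseBoolean(includeInIdToken));

    // Test user consents
    admin = session.users().getUserByUsername("admin", realm);
    Assert.assertEquals(2, admin.getConsents().size());

    UserConsentModel appAdminConsent = admin.getConsentByClient(application.getId());
    Assert.assertEquals(2, appAdminConsent.getGrantedRoles().size());
    Assert.assertTrue(
        appAdminConsent.getGrantedProtocolMappers() == null
            || appAdminConsent.getGrantedProtocolMappers().isEmpty());
    Assert.assertTrue(appAdminConsent.isRoleGranted(realm.getRole("admin")));
    Assert.assertTrue(appAdminConsent.isRoleGranted(application.getRole("app-admin")));

    UserConsentModel otherAppAdminConsent = admin.getConsentByClient(otherApp.getId());
    Assert.assertEquals(1, otherAppAdminConsent.getGrantedRoles().size());
    Assert.assertEquals(1, otherAppAdminConsent.getGrantedProtocolMappers().size());
    Assert.assertTrue(otherAppAdminConsent.isRoleGranted(realm.getRole("admin")));
    Assert.assertFalse(otherAppAdminConsent.isRoleGranted(application.getRole("app-admin")));
    Assert.assertTrue(otherAppAdminConsent.isProtocolMapperGranted(gssCredentialMapper));

    // Test service accounts
    Assert.assertFalse(application.isServiceAccountsEnabled());
    Assert.assertTrue(otherApp.isServiceAccountsEnabled());
    Assert.assertNull(session.users().getUserByServiceAccountClient(application));
    UserModel linked = session.users().getUserByServiceAccountClient(otherApp);
    Assert.assertNotNull(linked);
    Assert.assertEquals("my-service-user", linked.getUsername());
}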