private ClientSessionModel createClientSession( UserModel user, String redirectUri, String clientId) { if (!user.isEnabled()) { throw new WebApplicationException( ErrorResponse.error("User is disabled", Response.Status.BAD_REQUEST)); } if (redirectUri != null && clientId == null) { throw new WebApplicationException( ErrorResponse.error("Client id missing", Response.Status.BAD_REQUEST)); } if (clientId == null) { clientId = Constants.ACCOUNT_MANAGEMENT_CLIENT_ID; } ClientModel client = realm.getClientByClientId(clientId); if (client == null || !client.isEnabled()) { throw new WebApplicationException( ErrorResponse.error(clientId + " not enabled", Response.Status.BAD_REQUEST)); } String redirect; if (redirectUri != null) { redirect = RedirectUtils.verifyRedirectUri(uriInfo, redirectUri, realm, client); if (redirect == null) { throw new WebApplicationException( ErrorResponse.error("Invalid redirect uri.", Response.Status.BAD_REQUEST)); } } else { redirect = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString(); } UserSessionModel userSession = session .sessions() .createUserSession( realm, user, user.getUsername(), clientConnection.getRemoteAddr(), "form", false, null, null); // audit.session(userSession); ClientSessionModel clientSession = session.sessions().createClientSession(realm, client); clientSession.setAuthMethod(OIDCLoginProtocol.LOGIN_PROTOCOL); clientSession.setRedirectUri(redirect); clientSession.setUserSession(userSession); return clientSession; }
protected Response handleSamlRequest(String samlRequest, String relayState) { SAMLDocumentHolder documentHolder = extractRequestDocument(samlRequest); if (documentHolder == null) { event.event(EventType.LOGIN); event.error(Errors.INVALID_TOKEN); return ErrorPage.error(session, Messages.INVALID_REQUEST); } SAML2Object samlObject = documentHolder.getSamlObject(); RequestAbstractType requestAbstractType = (RequestAbstractType) samlObject; String issuer = requestAbstractType.getIssuer().getValue(); ClientModel client = realm.getClientByClientId(issuer); if (client == null) { event.event(EventType.LOGIN); event.client(issuer); event.error(Errors.CLIENT_NOT_FOUND); return ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER); } if (!client.isEnabled()) { event.event(EventType.LOGIN); event.error(Errors.CLIENT_DISABLED); return ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED); } if (client.isBearerOnly()) { event.event(EventType.LOGIN); event.error(Errors.NOT_ALLOWED); return ErrorPage.error(session, Messages.BEARER_ONLY); } if (!client.isStandardFlowEnabled()) { event.event(EventType.LOGIN); event.error(Errors.NOT_ALLOWED); return ErrorPage.error(session, Messages.STANDARD_FLOW_DISABLED); } session.getContext().setClient(client); try { verifySignature(documentHolder, client); } catch (VerificationException e) { SamlService.logger.error("request validation failed", e); event.event(EventType.LOGIN); event.error(Errors.INVALID_SIGNATURE); return ErrorPage.error(session, Messages.INVALID_REQUESTER); } logger.debug("verified request"); if (samlObject instanceof AuthnRequestType) { logger.debug("** login request"); event.event(EventType.LOGIN); // Get the SAML Request Message AuthnRequestType authn = (AuthnRequestType) samlObject; return loginRequest(relayState, authn, client); } else if (samlObject instanceof LogoutRequestType) { logger.debug("** logout request"); event.event(EventType.LOGOUT); LogoutRequestType logout = (LogoutRequestType) samlObject; return logoutRequest(logout, client, relayState); } else { event.event(EventType.LOGIN); event.error(Errors.INVALID_TOKEN); return ErrorPage.error(session, Messages.INVALID_REQUEST); } }
// Moved to static method, so it's possible to test this from other places too (for example // export-import tests) public static void assertDataImportedInRealm(RealmModel realm) { Assert.assertTrue(realm.isVerifyEmail()); Assert.assertFalse(realm.isUpdateProfileOnInitialSocialLogin()); List<RequiredCredentialModel> creds = realm.getRequiredCredentials(); Assert.assertEquals(1, creds.size()); RequiredCredentialModel cred = creds.get(0); Assert.assertEquals("password", cred.getFormLabel()); Assert.assertEquals(2, realm.getDefaultRoles().size()); Assert.assertNotNull(realm.getRole("foo")); Assert.assertNotNull(realm.getRole("bar")); UserModel user = realm.getUser("loginclient"); Assert.assertNotNull(user); Assert.assertEquals(0, realm.getSocialLinks(user).size()); List<ApplicationModel> resources = realm.getApplications(); for (ApplicationModel app : resources) { System.out.println("app: " + app.getName()); } Assert.assertEquals(5, resources.size()); // Test applications imported ApplicationModel application = realm.getApplicationByName("Application"); ApplicationModel otherApp = realm.getApplicationByName("OtherApp"); ApplicationModel accountApp = realm.getApplicationByName(Constants.ACCOUNT_MANAGEMENT_APP); ApplicationModel nonExisting = realm.getApplicationByName("NonExisting"); Assert.assertNotNull(application); Assert.assertNotNull(otherApp); Assert.assertNull(nonExisting); Map<String, ApplicationModel> apps = realm.getApplicationNameMap(); Assert.assertEquals(5, apps.size()); Assert.assertTrue(apps.values().contains(application)); Assert.assertTrue(apps.values().contains(otherApp)); Assert.assertTrue(apps.values().contains(accountApp)); realm.getApplications().containsAll(apps.values()); // Test finding applications by ID Assert.assertNull(realm.getApplicationById("982734")); Assert.assertEquals(application, realm.getApplicationById(application.getId())); // Test role mappings UserModel admin = realm.getUser("admin"); Set<RoleModel> allRoles = realm.getRoleMappings(admin); Assert.assertEquals(5, allRoles.size()); Assert.assertTrue(allRoles.contains(realm.getRole("admin"))); Assert.assertTrue(allRoles.contains(application.getRole("app-admin"))); Assert.assertTrue(allRoles.contains(otherApp.getRole("otherapp-admin"))); Assert.assertTrue(allRoles.contains(accountApp.getRole(AccountRoles.VIEW_PROFILE))); Assert.assertTrue(allRoles.contains(accountApp.getRole(AccountRoles.MANAGE_ACCOUNT))); UserModel wburke = realm.getUser("wburke"); allRoles = realm.getRoleMappings(wburke); Assert.assertEquals(4, allRoles.size()); Assert.assertFalse(allRoles.contains(realm.getRole("admin"))); Assert.assertTrue(allRoles.contains(application.getRole("app-user"))); Assert.assertTrue(allRoles.contains(otherApp.getRole("otherapp-user"))); Assert.assertEquals(0, realm.getRealmRoleMappings(wburke).size()); Set<RoleModel> realmRoles = realm.getRealmRoleMappings(admin); Assert.assertEquals(1, realmRoles.size()); Assert.assertEquals("admin", realmRoles.iterator().next().getName()); Set<RoleModel> appRoles = application.getApplicationRoleMappings(admin); Assert.assertEquals(1, appRoles.size()); Assert.assertEquals("app-admin", appRoles.iterator().next().getName()); // Test client ClientModel oauthClient = realm.findClient("oauthclient"); Assert.assertEquals("clientpassword", oauthClient.getSecret()); Assert.assertEquals(true, oauthClient.isEnabled()); Assert.assertNotNull(oauthClient); // Test scope relationship Set<RoleModel> allScopes = realm.getScopeMappings(oauthClient); Assert.assertEquals(2, allScopes.size()); Assert.assertTrue(allScopes.contains(realm.getRole("admin"))); Assert.assertTrue(allScopes.contains(application.getRole("app-user"))); Set<RoleModel> realmScopes = realm.getRealmScopeMappings(oauthClient); Assert.assertTrue(realmScopes.contains(realm.getRole("admin"))); Set<RoleModel> appScopes = application.getApplicationScopeMappings(oauthClient); Assert.assertTrue(appScopes.contains(application.getRole("app-user"))); // Test social linking UserModel socialUser = realm.getUser("mySocialUser"); Set<SocialLinkModel> socialLinks = realm.getSocialLinks(socialUser); Assert.assertEquals(3, socialLinks.size()); boolean facebookFound = false; boolean googleFound = false; boolean twitterFound = false; for (SocialLinkModel socialLinkModel : socialLinks) { if ("facebook".equals(socialLinkModel.getSocialProvider())) { facebookFound = true; Assert.assertEquals(socialLinkModel.getSocialUserId(), "facebook1"); Assert.assertEquals(socialLinkModel.getSocialUsername(), "fbuser1"); } else if ("google".equals(socialLinkModel.getSocialProvider())) { googleFound = true; Assert.assertEquals(socialLinkModel.getSocialUserId(), "google1"); Assert.assertEquals(socialLinkModel.getSocialUsername(), "*****@*****.**"); } else if ("twitter".equals(socialLinkModel.getSocialProvider())) { twitterFound = true; Assert.assertEquals(socialLinkModel.getSocialUserId(), "twitter1"); Assert.assertEquals(socialLinkModel.getSocialUsername(), "twuser1"); } } Assert.assertTrue(facebookFound && twitterFound && googleFound); UserModel foundSocialUser = realm.getUserBySocialLink(new SocialLinkModel("facebook", "facebook1", "fbuser1")); Assert.assertEquals(foundSocialUser.getLoginName(), socialUser.getLoginName()); Assert.assertNull( realm.getUserBySocialLink(new SocialLinkModel("facebook", "not-existing", "not-existing"))); SocialLinkModel foundSocialLink = realm.getSocialLink(socialUser, "facebook"); Assert.assertEquals("facebook1", foundSocialLink.getSocialUserId()); Assert.assertEquals("fbuser1", foundSocialLink.getSocialUsername()); Assert.assertEquals("facebook", foundSocialLink.getSocialProvider()); // Test removing social link Assert.assertTrue(realm.removeSocialLink(socialUser, "facebook")); Assert.assertNull(realm.getSocialLink(socialUser, "facebook")); Assert.assertFalse(realm.removeSocialLink(socialUser, "facebook")); // Test smtp config Map<String, String> smtpConfig = realm.getSmtpConfig(); Assert.assertTrue(smtpConfig.size() == 3); Assert.assertEquals("*****@*****.**", smtpConfig.get("from")); Assert.assertEquals("localhost", smtpConfig.get("host")); Assert.assertEquals("3025", smtpConfig.get("port")); // Test social config Map<String, String> socialConfig = realm.getSocialConfig(); Assert.assertTrue(socialConfig.size() == 2); Assert.assertEquals("abc", socialConfig.get("google.key")); Assert.assertEquals("def", socialConfig.get("google.secret")); // Test ldap config Map<String, String> ldapConfig = realm.getLdapServerConfig(); Assert.assertTrue(ldapConfig.size() == 5); Assert.assertEquals("ldap://localhost:10389", ldapConfig.get("connectionUrl")); Assert.assertEquals("dc=keycloak,dc=org", ldapConfig.get("baseDn")); Assert.assertEquals("ou=People,dc=keycloak,dc=org", ldapConfig.get("userDnSuffix")); // Test authentication providers List<AuthenticationProviderModel> authProviderModels = realm.getAuthenticationProviders(); Assert.assertTrue(authProviderModels.size() == 3); AuthenticationProviderModel authProv1 = authProviderModels.get(0); AuthenticationProviderModel authProv2 = authProviderModels.get(1); AuthenticationProviderModel authProv3 = authProviderModels.get(2); Assert.assertEquals(AuthProviderConstants.PROVIDER_NAME_MODEL, authProv1.getProviderName()); Assert.assertTrue(authProv1.isPasswordUpdateSupported()); Assert.assertEquals( AuthProviderConstants.PROVIDER_NAME_EXTERNAL_MODEL, authProv2.getProviderName()); Assert.assertFalse(authProv2.isPasswordUpdateSupported()); Assert.assertEquals("trustedRealm", authProv2.getConfig().get("externalRealmId")); Assert.assertEquals( AuthProviderConstants.PROVIDER_NAME_PICKETLINK, authProv3.getProviderName()); Assert.assertTrue(authProv3.isPasswordUpdateSupported()); // Test authentication linking AuthenticationLinkModel authLink = realm.getAuthenticationLink(socialUser); Assert.assertEquals(AuthProviderConstants.PROVIDER_NAME_PICKETLINK, authLink.getAuthProvider()); Assert.assertEquals("myUser1", authLink.getAuthUserId()); }
public boolean isEnabled() { if (updated != null) return updated.isEnabled(); return cached.isEnabled(); }
// Moved to static method, so it's possible to test this from other places too (for example // export-import tests) public static void assertDataImportedInRealm(KeycloakSession session, RealmModel realm) { Assert.assertTrue(realm.isVerifyEmail()); List<RequiredCredentialModel> creds = realm.getRequiredCredentials(); Assert.assertEquals(1, creds.size()); RequiredCredentialModel cred = creds.get(0); Assert.assertEquals("password", cred.getFormLabel()); Assert.assertEquals(3, realm.getDefaultRoles().size()); Assert.assertNotNull(realm.getRole("foo")); Assert.assertNotNull(realm.getRole("bar")); UserModel user = session.users().getUserByUsername("loginclient", realm); Assert.assertNotNull(user); Assert.assertEquals(0, session.users().getFederatedIdentities(user, realm).size()); List<ClientModel> resources = realm.getClients(); Assert.assertEquals(7, resources.size()); // Test applications imported ClientModel application = realm.getClientByClientId("Application"); ClientModel otherApp = realm.getClientByClientId("OtherApp"); ClientModel accountApp = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID); ClientModel nonExisting = realm.getClientByClientId("NonExisting"); Assert.assertNotNull(application); Assert.assertNotNull(otherApp); Assert.assertNull(nonExisting); Map<String, ClientModel> clients = realm.getClientNameMap(); Assert.assertEquals(7, clients.size()); Assert.assertTrue(clients.values().contains(application)); Assert.assertTrue(clients.values().contains(otherApp)); Assert.assertTrue(clients.values().contains(accountApp)); realm.getClients().containsAll(clients.values()); Assert.assertEquals("Applicationn", application.getName()); Assert.assertEquals(50, application.getNodeReRegistrationTimeout()); Map<String, Integer> appRegisteredNodes = application.getRegisteredNodes(); Assert.assertEquals(2, appRegisteredNodes.size()); Assert.assertTrue(10 == appRegisteredNodes.get("node1")); Assert.assertTrue(20 == appRegisteredNodes.get("172.10.15.20")); // test clientAuthenticatorType Assert.assertEquals(application.getClientAuthenticatorType(), "client-secret"); Assert.assertEquals(otherApp.getClientAuthenticatorType(), "client-jwt"); // Test finding applications by ID Assert.assertNull(realm.getClientById("982734")); Assert.assertEquals(application, realm.getClientById(application.getId())); // Test role mappings UserModel admin = session.users().getUserByUsername("admin", realm); // user without creation timestamp in import Assert.assertNull(admin.getCreatedTimestamp()); Set<RoleModel> allRoles = admin.getRoleMappings(); Assert.assertEquals(3, allRoles.size()); Assert.assertTrue(allRoles.contains(realm.getRole("admin"))); Assert.assertTrue(allRoles.contains(application.getRole("app-admin"))); Assert.assertTrue(allRoles.contains(otherApp.getRole("otherapp-admin"))); Assert.assertTrue(application.getRole("app-admin").isScopeParamRequired()); Assert.assertFalse(otherApp.getRole("otherapp-admin").isScopeParamRequired()); Assert.assertFalse(otherApp.getRole("otherapp-user").isScopeParamRequired()); UserModel wburke = session.users().getUserByUsername("wburke", realm); // user with creation timestamp in import Assert.assertEquals(new Long(123654), wburke.getCreatedTimestamp()); allRoles = wburke.getRoleMappings(); Assert.assertEquals(2, allRoles.size()); Assert.assertFalse(allRoles.contains(realm.getRole("admin"))); Assert.assertTrue(allRoles.contains(application.getRole("app-user"))); Assert.assertTrue(allRoles.contains(otherApp.getRole("otherapp-user"))); Assert.assertEquals(0, wburke.getRealmRoleMappings().size()); UserModel loginclient = session.users().getUserByUsername("loginclient", realm); // user with creation timestamp as string in import Assert.assertEquals(new Long(123655), loginclient.getCreatedTimestamp()); Set<RoleModel> realmRoles = admin.getRealmRoleMappings(); Assert.assertEquals(1, realmRoles.size()); Assert.assertEquals("admin", realmRoles.iterator().next().getName()); Set<RoleModel> appRoles = admin.getClientRoleMappings(application); Assert.assertEquals(1, appRoles.size()); Assert.assertEquals("app-admin", appRoles.iterator().next().getName()); // Test attributes Map<String, List<String>> attrs = wburke.getAttributes(); Assert.assertEquals(1, attrs.size()); List<String> attrVals = attrs.get("email"); Assert.assertEquals(1, attrVals.size()); Assert.assertEquals("*****@*****.**", attrVals.get(0)); attrs = admin.getAttributes(); Assert.assertEquals(2, attrs.size()); attrVals = attrs.get("key1"); Assert.assertEquals(1, attrVals.size()); Assert.assertEquals("val1", attrVals.get(0)); attrVals = attrs.get("key2"); Assert.assertEquals(2, attrVals.size()); Assert.assertTrue(attrVals.contains("val21") && attrVals.contains("val22")); // Test client ClientModel oauthClient = realm.getClientByClientId("oauthclient"); Assert.assertEquals("clientpassword", oauthClient.getSecret()); Assert.assertEquals(true, oauthClient.isEnabled()); Assert.assertNotNull(oauthClient); // Test scope relationship Set<RoleModel> allScopes = oauthClient.getScopeMappings(); Assert.assertEquals(2, allScopes.size()); Assert.assertTrue(allScopes.contains(realm.getRole("admin"))); Assert.assertTrue(allScopes.contains(application.getRole("app-user"))); Set<RoleModel> realmScopes = oauthClient.getRealmScopeMappings(); Assert.assertTrue(realmScopes.contains(realm.getRole("admin"))); Set<RoleModel> appScopes = application.getClientScopeMappings(oauthClient); Assert.assertTrue(appScopes.contains(application.getRole("app-user"))); // Test social linking UserModel socialUser = session.users().getUserByUsername("mySocialUser", realm); Set<FederatedIdentityModel> socialLinks = session.users().getFederatedIdentities(socialUser, realm); Assert.assertEquals(3, socialLinks.size()); boolean facebookFound = false; boolean googleFound = false; boolean twitterFound = false; for (FederatedIdentityModel federatedIdentityModel : socialLinks) { if ("facebook".equals(federatedIdentityModel.getIdentityProvider())) { facebookFound = true; Assert.assertEquals(federatedIdentityModel.getUserId(), "facebook1"); Assert.assertEquals(federatedIdentityModel.getUserName(), "fbuser1"); } else if ("google".equals(federatedIdentityModel.getIdentityProvider())) { googleFound = true; Assert.assertEquals(federatedIdentityModel.getUserId(), "google1"); Assert.assertEquals(federatedIdentityModel.getUserName(), "*****@*****.**"); } else if ("twitter".equals(federatedIdentityModel.getIdentityProvider())) { twitterFound = true; Assert.assertEquals(federatedIdentityModel.getUserId(), "twitter1"); Assert.assertEquals(federatedIdentityModel.getUserName(), "twuser1"); } } Assert.assertTrue(facebookFound && twitterFound && googleFound); UserModel foundSocialUser = session .users() .getUserByFederatedIdentity( new FederatedIdentityModel("facebook", "facebook1", "fbuser1"), realm); Assert.assertEquals(foundSocialUser.getUsername(), socialUser.getUsername()); Assert.assertNull( session .users() .getUserByFederatedIdentity( new FederatedIdentityModel("facebook", "not-existing", "not-existing"), realm)); FederatedIdentityModel foundSocialLink = session.users().getFederatedIdentity(socialUser, "facebook", realm); Assert.assertEquals("facebook1", foundSocialLink.getUserId()); Assert.assertEquals("fbuser1", foundSocialLink.getUserName()); Assert.assertEquals("facebook", foundSocialLink.getIdentityProvider()); // Test removing social link Assert.assertTrue(session.users().removeFederatedIdentity(realm, socialUser, "facebook")); Assert.assertNull(session.users().getFederatedIdentity(socialUser, "facebook", realm)); Assert.assertFalse(session.users().removeFederatedIdentity(realm, socialUser, "facebook")); session .users() .addFederatedIdentity( realm, socialUser, new FederatedIdentityModel("facebook", "facebook1", "fbuser1")); // Test smtp config Map<String, String> smtpConfig = realm.getSmtpConfig(); Assert.assertTrue(smtpConfig.size() == 3); Assert.assertEquals("*****@*****.**", smtpConfig.get("from")); Assert.assertEquals("localhost", smtpConfig.get("host")); Assert.assertEquals("3025", smtpConfig.get("port")); // Test identity providers List<IdentityProviderModel> identityProviders = realm.getIdentityProviders(); Assert.assertEquals(1, identityProviders.size()); IdentityProviderModel google = identityProviders.get(0); Assert.assertEquals("google1", google.getAlias()); Assert.assertEquals("google", google.getProviderId()); Assert.assertTrue(google.isEnabled()); Assert.assertEquals("googleId", google.getConfig().get("clientId")); Assert.assertEquals("googleSecret", google.getConfig().get("clientSecret")); // Test federation providers List<UserFederationProviderModel> fedProviders = realm.getUserFederationProviders(); Assert.assertTrue(fedProviders.size() == 2); UserFederationProviderModel ldap1 = fedProviders.get(0); Assert.assertEquals("MyLDAPProvider1", ldap1.getDisplayName()); Assert.assertEquals("ldap", ldap1.getProviderName()); Assert.assertEquals(1, ldap1.getPriority()); Assert.assertEquals("ldap://foo", ldap1.getConfig().get(LDAPConstants.CONNECTION_URL)); UserFederationProviderModel ldap2 = fedProviders.get(1); Assert.assertEquals("MyLDAPProvider2", ldap2.getDisplayName()); Assert.assertEquals("ldap://bar", ldap2.getConfig().get(LDAPConstants.CONNECTION_URL)); // Test federation mappers Set<UserFederationMapperModel> fedMappers1 = realm.getUserFederationMappersByFederationProvider(ldap1.getId()); Assert.assertTrue(fedMappers1.size() == 1); UserFederationMapperModel fullNameMapper = fedMappers1.iterator().next(); Assert.assertEquals("FullNameMapper", fullNameMapper.getName()); Assert.assertEquals( FullNameLDAPFederationMapperFactory.PROVIDER_ID, fullNameMapper.getFederationMapperType()); Assert.assertEquals(ldap1.getId(), fullNameMapper.getFederationProviderId()); Assert.assertEquals( "cn", fullNameMapper.getConfig().get(FullNameLDAPFederationMapper.LDAP_FULL_NAME_ATTRIBUTE)); // All builtin LDAP mappers should be here Set<UserFederationMapperModel> fedMappers2 = realm.getUserFederationMappersByFederationProvider(ldap2.getId()); Assert.assertTrue(fedMappers2.size() > 3); Set<UserFederationMapperModel> allMappers = realm.getUserFederationMappers(); Assert.assertEquals(allMappers.size(), fedMappers1.size() + fedMappers2.size()); // Assert that federation link wasn't created during import UserFederationProviderFactory factory = (UserFederationProviderFactory) session .getKeycloakSessionFactory() .getProviderFactory(UserFederationProvider.class, "dummy"); Assert.assertNull(factory.getInstance(session, null).getUserByUsername(realm, "wburke")); // Test builtin authentication flows AuthenticationFlowModel clientFlow = realm.getClientAuthenticationFlow(); Assert.assertEquals( DefaultAuthenticationFlows.CLIENT_AUTHENTICATION_FLOW, clientFlow.getAlias()); Assert.assertNotNull(realm.getAuthenticationFlowById(clientFlow.getId())); Assert.assertTrue(realm.getAuthenticationExecutions(clientFlow.getId()).size() > 0); AuthenticationFlowModel resetFlow = realm.getResetCredentialsFlow(); Assert.assertEquals(DefaultAuthenticationFlows.RESET_CREDENTIALS_FLOW, resetFlow.getAlias()); Assert.assertNotNull(realm.getAuthenticationFlowById(resetFlow.getId())); Assert.assertTrue(realm.getAuthenticationExecutions(resetFlow.getId()).size() > 0); // Test protocol mappers. Default application has all the builtin protocol mappers. OtherApp // just gss credential Assert.assertNotNull( application.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, "username")); Assert.assertNotNull( application.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, "email")); Assert.assertNotNull( application.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, "given name")); Assert.assertNull( application.getProtocolMapperByName( OIDCLoginProtocol.LOGIN_PROTOCOL, KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME)); Assert.assertEquals(1, otherApp.getProtocolMappers().size()); Assert.assertNull( otherApp.getProtocolMapperByName(OIDCLoginProtocol.LOGIN_PROTOCOL, "username")); ProtocolMapperModel gssCredentialMapper = otherApp.getProtocolMapperByName( OIDCLoginProtocol.LOGIN_PROTOCOL, KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME); Assert.assertEquals( KerberosConstants.GSS_DELEGATION_CREDENTIAL_DISPLAY_NAME, gssCredentialMapper.getName()); Assert.assertEquals(OIDCLoginProtocol.LOGIN_PROTOCOL, gssCredentialMapper.getProtocol()); Assert.assertEquals(UserSessionNoteMapper.PROVIDER_ID, gssCredentialMapper.getProtocolMapper()); String includeInAccessToken = gssCredentialMapper.getConfig().get(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN); String includeInIdToken = gssCredentialMapper.getConfig().get(OIDCAttributeMapperHelper.INCLUDE_IN_ID_TOKEN); Assert.assertTrue(includeInAccessToken.equalsIgnoreCase("true")); Assert.assertTrue(includeInIdToken == null || Boolean.parseBoolean(includeInIdToken) == false); // Test user consents admin = session.users().getUserByUsername("admin", realm); Assert.assertEquals(2, admin.getConsents().size()); UserConsentModel appAdminConsent = admin.getConsentByClient(application.getId()); Assert.assertEquals(2, appAdminConsent.getGrantedRoles().size()); Assert.assertTrue( appAdminConsent.getGrantedProtocolMappers() == null || appAdminConsent.getGrantedProtocolMappers().isEmpty()); Assert.assertTrue(appAdminConsent.isRoleGranted(realm.getRole("admin"))); Assert.assertTrue(appAdminConsent.isRoleGranted(application.getRole("app-admin"))); UserConsentModel otherAppAdminConsent = admin.getConsentByClient(otherApp.getId()); Assert.assertEquals(1, otherAppAdminConsent.getGrantedRoles().size()); Assert.assertEquals(1, otherAppAdminConsent.getGrantedProtocolMappers().size()); Assert.assertTrue(otherAppAdminConsent.isRoleGranted(realm.getRole("admin"))); Assert.assertFalse(otherAppAdminConsent.isRoleGranted(application.getRole("app-admin"))); Assert.assertTrue(otherAppAdminConsent.isProtocolMapperGranted(gssCredentialMapper)); // Test service accounts Assert.assertFalse(application.isServiceAccountsEnabled()); Assert.assertTrue(otherApp.isServiceAccountsEnabled()); Assert.assertNull(session.users().getUserByServiceAccountClient(application)); UserModel linked = session.users().getUserByServiceAccountClient(otherApp); Assert.assertNotNull(linked); Assert.assertEquals("my-service-user", linked.getUsername()); }
public boolean verifyCode(String code) { if (!checkSsl()) { event.error(Errors.SSL_REQUIRED); response = ErrorPage.error(session, Messages.HTTPS_REQUIRED); return false; } if (!realm.isEnabled()) { event.error(Errors.REALM_DISABLED); response = ErrorPage.error(session, Messages.REALM_NOT_ENABLED); return false; } ClientSessionCode.ParseResult result = ClientSessionCode.parseResult(code, session, realm); clientCode = result.getCode(); if (clientCode == null) { if (result.isClientSessionNotFound()) { // timeout try { ClientSessionModel clientSession = RestartLoginCookie.restartSession(session, realm, code); if (clientSession != null) { event .clone() .detail(Details.RESTART_AFTER_TIMEOUT, "true") .error(Errors.EXPIRED_CODE); response = processFlow( null, clientSession, AUTHENTICATE_PATH, realm.getBrowserFlow(), Messages.LOGIN_TIMEOUT); return false; } } catch (Exception e) { logger.error("failed to parse RestartLoginCookie", e); } } event.error(Errors.INVALID_CODE); response = ErrorPage.error(session, Messages.INVALID_CODE); return false; } ClientSessionModel clientSession = clientCode.getClientSession(); if (clientSession == null) { event.error(Errors.INVALID_CODE); response = ErrorPage.error(session, Messages.INVALID_CODE); return false; } event.detail(Details.CODE_ID, clientSession.getId()); ClientModel client = clientSession.getClient(); if (client == null) { event.error(Errors.CLIENT_NOT_FOUND); response = ErrorPage.error(session, Messages.UNKNOWN_LOGIN_REQUESTER); session.sessions().removeClientSession(realm, clientSession); return false; } if (!client.isEnabled()) { event.error(Errors.CLIENT_NOT_FOUND); response = ErrorPage.error(session, Messages.LOGIN_REQUESTER_NOT_ENABLED); session.sessions().removeClientSession(realm, clientSession); return false; } session.getContext().setClient(client); return true; }