/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.testsuite.federation.kerberos;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.Response;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.events.Details;
import org.keycloak.federation.kerberos.CommonKerberosConfig;
import org.keycloak.models.utils.ModelToRepresentation;
import org.keycloak.representations.idm.ComponentRepresentation;
import org.keycloak.representations.idm.UserRepresentation;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderModel;
import org.keycloak.storage.ldap.LDAPStorageProviderFactory;
import org.keycloak.storage.ldap.kerberos.LDAPProviderKerberosConfig;
import org.keycloak.testsuite.util.KerberosRule;
/**
* @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
*/
public class KerberosLdapTest extends AbstractKerberosTest {
private static final String PROVIDER_CONFIG_LOCATION = "classpath:kerberos/kerberos-ldap-connection.properties";
@ClassRule
public static KerberosRule kerberosRule = new KerberosRule(PROVIDER_CONFIG_LOCATION);
@Override
protected CommonKerberosConfig getKerberosConfig() {
return new LDAPProviderKerberosConfig(getUserStorageConfiguration());
}
@Override
protected ComponentRepresentation getUserStorageConfiguration() {
Map<String,String> kerberosConfig = kerberosRule.getConfig();
MultivaluedHashMap<String, String> config = toComponentConfig(kerberosConfig);
UserStorageProviderModel model = new UserStorageProviderModel();
model.setLastSync(0);
model.setChangedSyncPeriod(-1);
model.setFullSyncPeriod(-1);
model.setName("kerberos-ldap");
model.setPriority(0);
model.setProviderId(LDAPStorageProviderFactory.PROVIDER_NAME);
model.setConfig(config);
ComponentRepresentation rep = ModelToRepresentation.toRepresentationWithoutConfig(model);
return rep;
}
@Override
protected boolean isCaseSensitiveLogin() {
return kerberosRule.isCaseSensitiveLogin();
}
@Override
protected boolean isStartEmbeddedLdapServer() {
return kerberosRule.isStartEmbeddedLdapServer();
}
@Override
protected void setKrb5ConfPath() {
kerberosRule.setKrb5ConfPath(testingClient.testing());
}
@Test
public void spnegoLoginTest() throws Exception {
spnegoLoginTestImpl();
// Assert user was imported and hasn't any required action on him. Profile info is synced from LDAP
assertUser("hnelson", "hnelson@keycloak.org", "Horatio", "Nelson", false);
}
@Test
public void writableEditModeTest() throws Exception {
// Change editMode to WRITABLE
updateProviderEditMode(UserStorageProvider.EditMode.WRITABLE);
// Login with username/password from kerberos
changePasswordPage.open();
// Only needed if you are providing a click thru to bypass kerberos. Currently there is a javascript
// to forward the user if kerberos isn't enabled.
//bypassPage.isCurrent();
//bypassPage.clickContinue();
loginPage.assertCurrent();
loginPage.login("jduke", "theduke");
Assert.assertTrue(changePasswordPage.isCurrent());
// Successfully change password now
changePasswordPage.changePassword("theduke", "newPass", "newPass");
Assert.assertTrue(driver.getPageSource().contains("Your password has been updated."));
changePasswordPage.logout();
// Only needed if you are providing a click thru to bypass kerberos. Currently there is a javascript
// to forward the user if kerberos isn't enabled.
//bypassPage.isCurrent();
//bypassPage.clickContinue();
// Login with old password doesn't work, but with new password works
loginPage.login("jduke", "theduke");
Assert.assertTrue(loginPage.isCurrent());
loginPage.login("jduke", "newPass");
changePasswordPage.assertCurrent();
changePasswordPage.logout();
// Assert SPNEGO login with the new password as mode is writable
events.clear();
Response spnegoResponse = spnegoLogin("jduke", "newPass");
org.keycloak.testsuite.Assert.assertEquals(302, spnegoResponse.getStatus());
org.keycloak.testsuite.Assert.assertEquals(302, spnegoResponse.getStatus());
List<UserRepresentation> users = testRealmResource().users().search("jduke", 0, 1);
String userId = users.get(0).getId();
events.expectLogin()
.client("kerberos-app")
.user(userId)
.detail(Details.USERNAME, "jduke")
.assertEvent();
String codeUrl = spnegoResponse.getLocation().toString();
assertAuthenticationSuccess(codeUrl);
// Change password back
changePasswordPage.open();
loginPage.login("jduke", "newPass");
changePasswordPage.assertCurrent();
changePasswordPage.changePassword("newPass", "theduke", "theduke");
}
}