keycloak · mposolda · Aug 9, 2024 · Aug 8, 2024
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,23 +13,24 @@ jobs:
       - name: Build Keycloak Client Libs
         uses: ./.github/actions/build-keycloak
 
-  admin-client-tests:
-    name: Admin client tests (Jakarta, JEE)
+  client-tests:
+    name: Client tests (Jakarta, JEE)
     runs-on: ubuntu-latest
     needs: build
     timeout-minutes: 30
     strategy:
       matrix:
-        keycloak_server_version: [ "24.0", "25.0", "nightly" ]
+        keycloak_server_version: [ "25.0", "nightly" ]
     steps:
       - uses: actions/checkout@v4
 
       - id: test-setup
         name: Test setup
         uses: ./.github/actions/test-setup
 
-      - name: Run unit tests
+      - name: Run client tests
         run: |
           mvn -B -f testsuite/admin-client-tests/pom.xml test -Dkeycloak.version.docker.image=${{ matrix.keycloak_server_version }}
           mvn -B -f testsuite/admin-client-jee-tests/pom.xml test -Dkeycloak.version.docker.image=${{ matrix.keycloak_server_version }}
+          mvn -B -f testsuite/authz-tests/pom.xml test -Dkeycloak.version.docker.image=${{ matrix.keycloak_server_version }}
 
diff --git a/...ests/src/test/java/org/keycloak/client/testsuite/adminclient/AbstractAdminClientTest.java b/...ests/src/test/java/org/keycloak/client/testsuite/adminclient/AbstractAdminClientTest.java
@@ -1,34 +1,14 @@
 package org.keycloak.client.testsuite.adminclient;
 
-import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.BeforeAll;
 import org.keycloak.admin.client.Keycloak;
-import org.keycloak.client.testsuite.KeycloakContainersTestsuiteContext;
-import org.keycloak.client.testsuite.RemoteTestsuiteContext;
-import org.keycloak.client.testsuite.TestConstants;
-import org.keycloak.client.testsuite.TestsuiteContext;
+import org.keycloak.client.testsuite.framework.Inject;
 
 /**
  * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
  */
 public abstract class AbstractAdminClientTest {
 
-    private static TestsuiteContext testsuiteContext;
-    protected static Keycloak adminClient;
-
-    @BeforeAll
-    public static void beforeAll() {
-        String keycloakLifecycle = System.getProperty(TestConstants.PROPERTY_KEYCLOAK_LIFECYCLE);
-        testsuiteContext = "remote".equalsIgnoreCase(keycloakLifecycle) ? new RemoteTestsuiteContext() : new KeycloakContainersTestsuiteContext();
-
-        testsuiteContext.startKeycloakServer();
-        adminClient = testsuiteContext.getKeycloakAdminClient();
-    }
-
-    @AfterAll
-    public static void afterAll() {
-        testsuiteContext.stopKeycloakServer();
-    }
-
+    @Inject
+    protected Keycloak adminClient;
 
 }
diff --git a/testsuite/authz-tests/pom.xml b/testsuite/authz-tests/pom.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.keycloak</groupId>
+        <artifactId>keycloak-client-testsuite-parent</artifactId>
+        <version>26.0.0-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+
+    <artifactId>keycloak-autz-client-testsuite</artifactId>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-client-testsuite-framework</artifactId>
+            <version>${project.version}</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+</project>
diff --git a/...uite/authz-tests/src/test/java/org/keycloak/client/testsuite/authz/AbstractAuthzTest.java b/...uite/authz-tests/src/test/java/org/keycloak/client/testsuite/authz/AbstractAuthzTest.java
@@ -0,0 +1,38 @@
+package org.keycloak.client.testsuite.authz;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UncheckedIOException;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.keycloak.admin.client.Keycloak;
+import org.keycloak.client.testsuite.framework.Inject;
+import org.keycloak.client.testsuite.common.RealmImporter;
+import org.keycloak.client.testsuite.common.RealmRepsSupplier;
+import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.util.JsonSerialization;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public abstract class AbstractAuthzTest implements RealmRepsSupplier {
+
+    @Inject
+    protected Keycloak adminClient;
+
+    @Inject
+    protected RealmImporter realmImporter;
+
+    @BeforeEach
+    public void importRealms() {
+        realmImporter.importRealmsIfNotImported(this);
+    }
+
+    protected RealmRepresentation loadRealm(InputStream is) {
+        try {
+            return JsonSerialization.readValue(is, RealmRepresentation.class);
+        } catch (IOException ioe) {
+            throw new UncheckedIOException(ioe);
+        }
+    }
+}
diff --git a/...-tests/src/test/java/org/keycloak/client/testsuite/policyenforcer/EnforcerConfigTest.java b/...-tests/src/test/java/org/keycloak/client/testsuite/policyenforcer/EnforcerConfigTest.java
@@ -0,0 +1,59 @@
+package org.keycloak.client.testsuite.policyenforcer;
+
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+
+import org.junit.jupiter.api.Test;
+import org.keycloak.adapters.authorization.PolicyEnforcer;
+import org.keycloak.client.testsuite.authz.AbstractAuthzTest;
+import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
+import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.testsuite.util.AuthzTestUtils;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+
+/**
+ * @author <a href="mailto:psilva@redhat.com">Pedro Igor</a>
+ */
+public class EnforcerConfigTest extends AbstractAuthzTest {
+
+
+    @Override
+    public List<RealmRepresentation> getRealmsForImport() {
+        RealmRepresentation realm = loadRealm(getClass().getResourceAsStream("/authorization-test/test-authz-realm.json"));
+        return Collections.singletonList(realm);
+    }
+
+    @Test
+    public void testMultiplePathsWithSameName() {
+        PolicyEnforcer policyEnforcer = AuthzTestUtils.createPolicyEnforcer("enforcer-config-paths-same-name.json", true);
+        Map<String, PolicyEnforcerConfig.PathConfig> paths = policyEnforcer.getPaths();
+        assertEquals(1, paths.size());
+        assertEquals(4, paths.values().iterator().next().getMethods().size());
+    }
+
+    @Test
+    public void testPathConfigClaimInformationPoint() {
+        PolicyEnforcer policyEnforcer = AuthzTestUtils.createPolicyEnforcer("enforcer-config-path-cip.json", true);
+        Map<String, PolicyEnforcerConfig.PathConfig> paths = policyEnforcer.getPaths();
+
+        assertEquals(1, paths.size());
+
+        PolicyEnforcerConfig.PathConfig pathConfig = paths.values().iterator().next();
+        Map<String, Map<String, Object>> cipConfig = pathConfig.getClaimInformationPointConfig();
+
+        assertEquals(1, cipConfig.size());
+
+        Map<String, Object> claims = cipConfig.get("claims");
+
+        assertNotNull(claims);
+
+        assertEquals(3, claims.size());
+        assertEquals("{request.parameter['a']}", claims.get("claim-a"));
+        assertEquals("{request.header['b']}", claims.get("claim-b"));
+        assertEquals("{request.cookie['c']}", claims.get("claim-c"));
+    }
+}
+
diff --git a/testsuite/authz-tests/src/test/resources/authorization-test/enforcer-config-path-cip.json b/testsuite/authz-tests/src/test/resources/authorization-test/enforcer-config-path-cip.json
@@ -0,0 +1,28 @@
+{
+  "realm": "test-realm-authz",
+  "auth-server-url": "http://localhost:8180",
+  "resource": "test-app-authz",
+  "credentials": {
+    "secret": "secret"
+  },
+  "paths": [
+    {
+      "path": "/v1/product/*",
+      "methods": [
+        {
+          "method": "POST",
+          "scopes": [
+            "create"
+          ]
+        }
+      ],
+      "claim-information-point": {
+        "claims": {
+          "claim-a": "{request.parameter['a']}",
+          "claim-b": "{request.header['b']}",
+          "claim-c": "{request.cookie['c']}"
+        }
+      }
+    }
+  ]
+}
diff --git a/...te/authz-tests/src/test/resources/authorization-test/enforcer-config-paths-same-name.json b/...te/authz-tests/src/test/resources/authorization-test/enforcer-config-paths-same-name.json
@@ -0,0 +1,55 @@
+
+{
+  "realm": "test-realm-authz",
+  "auth-server-url": "http://localhost:8180",
+  "resource": "test-app-authz",
+  "credentials": {
+    "secret": "secret"
+  },
+  "paths": [
+    {
+      "path": "/v1/product/*",
+      "methods": [
+        {
+          "method": "POST",
+          "scopes": [
+            "create"
+          ]
+        }
+      ]
+    },
+    {
+      "path": "/v1/product/*",
+      "methods": [
+        {
+          "method": "GET",
+          "scopes": [
+            "view"
+          ]
+        }
+      ]
+    },
+    {
+      "path": "/v1/product/*",
+      "methods": [
+        {
+          "method": "PUT",
+          "scopes": [
+            "update"
+          ]
+        }
+      ]
+    },
+    {
+      "path": "/v1/product/*",
+      "methods": [
+        {
+          "method": "DELETE",
+          "scopes": [
+            "delete"
+          ]
+        }
+      ]
+    }
+  ]
+}
diff --git a/testsuite/authz-tests/src/test/resources/authorization-test/test-authz-realm.json b/testsuite/authz-tests/src/test/resources/authorization-test/test-authz-realm.json
@@ -0,0 +1,48 @@
+{
+  "id": "test-realm-authz",
+  "realm": "test-realm-authz",
+  "enabled": true,
+  "sslRequired": "external",
+  "requiredCredentials": [ "password" ],
+  "users": [
+    {
+      "username": "service-account-test-app-authz",
+      "enabled": true,
+      "serviceAccountClientId": "test-app-authz",
+      "clientRoles": {
+        "test-app-authz" : ["uma_protection"]
+      }
+    }
+  ],
+  "clients": [
+    {
+      "clientId": "test-app-authz",
+      "enabled": true,
+      "baseUrl": "/test-app-authz",
+      "adminUrl": "/test-app-authz",
+      "bearerOnly": false,
+      "authorizationSettings": {
+        "allowRemoteResourceManagement": true,
+        "policyEnforcementMode": "ENFORCING",
+        "resources": [
+          {
+            "name": "Product Resource",
+            "uri": "/v1/product/*",
+            "scopes": [
+              {
+                "name": "view",
+                "name": "create",
+                "name": "delete",
+                "name": "update"
+              }
+            ]
+          }
+        ]
+      },
+      "redirectUris": [
+        "/test-app-authz/*"
+      ],
+      "secret": "secret"
+    }
+  ]
+}
diff --git a/testsuite/framework/pom.xml b/testsuite/framework/pom.xml
@@ -30,6 +30,11 @@
             <artifactId>keycloak-admin-client</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-policy-enforcer</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-junit5</artifactId>

diff --git a/testsuite/framework/src/main/java/org/keycloak/client/testsuite/TestsuiteContext.java b/testsuite/framework/src/main/java/org/keycloak/client/testsuite/TestsuiteContext.java
diff --git a/...uite/framework/src/main/java/org/keycloak/client/testsuite/common/AdminClientFactory.java b/...uite/framework/src/main/java/org/keycloak/client/testsuite/common/AdminClientFactory.java
@@ -0,0 +1,34 @@
+package org.keycloak.client.testsuite.common;
+
+import org.keycloak.admin.client.Keycloak;
+import org.keycloak.client.testsuite.framework.LifeCycle;
+import org.keycloak.client.testsuite.framework.TestProviderFactory;
+import org.keycloak.client.testsuite.framework.TestRegistry;
+import org.keycloak.client.testsuite.server.KeycloakServerProvider;
+
+/**
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public class AdminClientFactory implements TestProviderFactory<Keycloak> {
+
+    @Override
+    public LifeCycle getLifeCycle() {
+        return LifeCycle.CLASS;
+    }
+
+    @Override
+    public Class<Keycloak> getProviderClass() {
+        return Keycloak.class;
+    }
+
+    @Override
+    public Keycloak createProvider(TestRegistry registry) {
+        KeycloakServerProvider kcServer = registry.getOrCreateProvider(KeycloakServerProvider.class);
+        return kcServer.createAdminClient();
+    }
+
+    @Override
+    public void closeProvider(Keycloak adminClient) {
+        adminClient.close();
+    }
+}