keycloak-admin 1.1.2 → 1.1.4

data/spec/configuration_spec.rb

@@ -1,113 +1,113 @@
-RSpec.describe KeycloakAdmin::RealmClient do
-
-  let(:client_id)           { "admin-cli" }
-  let(:client_secret)       { "aaaaaaaa" }
-  let(:client_realm_name)   { "master2" }
-  let(:use_service_account) { true }
-  let(:username)            { "a" }
-  let(:password)            { "b" }
-  let(:rest_client_options) { {timeout: 10 } }
-
-  before(:each) do
-    @configuration                     = KeycloakAdmin::Configuration.new
-    @configuration.server_url          = "http://auth.service.io/auth"
-    @configuration.server_domain       = "auth.service.io"
-    @configuration.client_id           = client_id
-    @configuration.client_secret       = client_secret
-    @configuration.client_realm_name   = client_realm_name
-    @configuration.use_service_account = use_service_account
-    @configuration.username            = username
-    @configuration.password            = password
-    @configuration.rest_client_options = rest_client_options
-  end
-
-  describe "#headers_for_token_retrieval" do
-    before(:each) do
-      @headers = @configuration.headers_for_token_retrieval
-    end
-    
-    context "when use_service_account is false" do
-      let(:use_service_account) { false }
-      it "returns an empty hash" do 
-        expect(@headers).to be_empty
-      end
-    end
-
-    context "when use_service_account is true" do
-      let(:use_service_account) { true }
-      it "returns a single element" do
-        expect(@headers.size).to eq 1
-      end
-
-      it "returns the Authorization Key" do
-        expect(@headers.has_key?(:Authorization)).to be true
-      end
-
-      it "returns a Basic Authorization Key" do
-        expect(@headers[:Authorization]).to start_with "Basic"
-      end
-
-      context "client_id='a' and client_secret='b'" do
-        let(:client_id)           { "a" }
-        let(:client_secret)       { "b" }
-
-        it "returns a Basic Authorization = 'Basic YTpi'" do
-          expect(@headers[:Authorization]).to eq "Basic YTpi"
-        end
-      end
-
-      context "client_id='365e3c66-fd0f-11e7-8be5-0ed5f89f718b' and client_secret='411e6f9a-fd0f-11e7-8be5-0ed5f89f718b'" do
-        let(:client_id)           { "365e3c66-fd0f-11e7-8be5-0ed5f89f718b" }
-        let(:client_secret)       { "411e6f9a-fd0f-11e7-8be5-0ed5f89f718b" }
-
-        it "returns a Basic Authorization = 'Basic MzY1ZTNjNjYtZmQwZi0xMWU3LThiZTUtMGVkNWY4OWY3MThiOjQxMWU2ZjlhLWZkMGYtMTFlNy04YmU1LTBlZDVmODlmNzE4Yg=='" do
-          expect(@headers[:Authorization]).to eq "Basic MzY1ZTNjNjYtZmQwZi0xMWU3LThiZTUtMGVkNWY4OWY3MThiOjQxMWU2ZjlhLWZkMGYtMTFlNy04YmU1LTBlZDVmODlmNzE4Yg=="
-        end
-      end
-
-    end
-  end
-
-  describe "#body_for_token_retrieval" do
-    before(:each) do
-      @body = @configuration.body_for_token_retrieval
-    end
-    context "when use_service_account is false" do
-      let(:use_service_account) { false }
-      it "returns a hash of 5 elements" do
-        expect(@body.size).to eq 5
-      end
-
-      it "returns a hash containing the username" do
-        expect(@body[:username]).to eq username
-      end
-
-      it "returns a hash containing the password" do
-        expect(@body[:password]).to eq password
-      end
-
-      it "returns a hash containing the grant_type 'password'" do
-        expect(@body[:grant_type]).to eq "password"
-      end
-
-      it "returns a hash containing the client_id" do
-        expect(@body[:client_id]).to eq client_id
-      end
-
-      it "returns a hash containing the client_secret" do
-        expect(@body[:client_secret]).to eq client_secret
-      end
-    end
-
-    context "when use_service_account is true" do
-      let(:use_service_account) { true }
-      it "returns a hash of 1 element" do
-        expect(@body.size).to eq 1
-      end
-
-      it "returns a hash containing the grant_type" do
-        expect(@body[:grant_type]).to eq "client_credentials"
-      end
-    end
-  end
-end
+RSpec.describe KeycloakAdmin::RealmClient do
+
+  let(:client_id)           { "admin-cli" }
+  let(:client_secret)       { "aaaaaaaa" }
+  let(:client_realm_name)   { "master2" }
+  let(:use_service_account) { true }
+  let(:username)            { "a" }
+  let(:password)            { "b" }
+  let(:rest_client_options) { {timeout: 10 } }
+
+  before(:each) do
+    @configuration                     = KeycloakAdmin::Configuration.new
+    @configuration.server_url          = "http://auth.service.io/auth"
+    @configuration.server_domain       = "auth.service.io"
+    @configuration.client_id           = client_id
+    @configuration.client_secret       = client_secret
+    @configuration.client_realm_name   = client_realm_name
+    @configuration.use_service_account = use_service_account
+    @configuration.username            = username
+    @configuration.password            = password
+    @configuration.rest_client_options = rest_client_options
+  end
+
+  describe "#headers_for_token_retrieval" do
+    before(:each) do
+      @headers = @configuration.headers_for_token_retrieval
+    end
+    
+    context "when use_service_account is false" do
+      let(:use_service_account) { false }
+      it "returns an empty hash" do 
+        expect(@headers).to be_empty
+      end
+    end
+
+    context "when use_service_account is true" do
+      let(:use_service_account) { true }
+      it "returns a single element" do
+        expect(@headers.size).to eq 1
+      end
+
+      it "returns the Authorization Key" do
+        expect(@headers.has_key?(:Authorization)).to be true
+      end
+
+      it "returns a Basic Authorization Key" do
+        expect(@headers[:Authorization]).to start_with "Basic"
+      end
+
+      context "client_id='a' and client_secret='b'" do
+        let(:client_id)           { "a" }
+        let(:client_secret)       { "b" }
+
+        it "returns a Basic Authorization = 'Basic YTpi'" do
+          expect(@headers[:Authorization]).to eq "Basic YTpi"
+        end
+      end
+
+      context "client_id='365e3c66-fd0f-11e7-8be5-0ed5f89f718b' and client_secret='411e6f9a-fd0f-11e7-8be5-0ed5f89f718b'" do
+        let(:client_id)           { "365e3c66-fd0f-11e7-8be5-0ed5f89f718b" }
+        let(:client_secret)       { "411e6f9a-fd0f-11e7-8be5-0ed5f89f718b" }
+
+        it "returns a Basic Authorization = 'Basic MzY1ZTNjNjYtZmQwZi0xMWU3LThiZTUtMGVkNWY4OWY3MThiOjQxMWU2ZjlhLWZkMGYtMTFlNy04YmU1LTBlZDVmODlmNzE4Yg=='" do
+          expect(@headers[:Authorization]).to eq "Basic MzY1ZTNjNjYtZmQwZi0xMWU3LThiZTUtMGVkNWY4OWY3MThiOjQxMWU2ZjlhLWZkMGYtMTFlNy04YmU1LTBlZDVmODlmNzE4Yg=="
+        end
+      end
+
+    end
+  end
+
+  describe "#body_for_token_retrieval" do
+    before(:each) do
+      @body = @configuration.body_for_token_retrieval
+    end
+    context "when use_service_account is false" do
+      let(:use_service_account) { false }
+      it "returns a hash of 5 elements" do
+        expect(@body.size).to eq 5
+      end
+
+      it "returns a hash containing the username" do
+        expect(@body[:username]).to eq username
+      end
+
+      it "returns a hash containing the password" do
+        expect(@body[:password]).to eq password
+      end
+
+      it "returns a hash containing the grant_type 'password'" do
+        expect(@body[:grant_type]).to eq "password"
+      end
+
+      it "returns a hash containing the client_id" do
+        expect(@body[:client_id]).to eq client_id
+      end
+
+      it "returns a hash containing the client_secret" do
+        expect(@body[:client_secret]).to eq client_secret
+      end
+    end
+
+    context "when use_service_account is true" do
+      let(:use_service_account) { true }
+      it "returns a hash of 1 element" do
+        expect(@body.size).to eq 1
+      end
+
+      it "returns a hash containing the grant_type" do
+        expect(@body[:grant_type]).to eq "client_credentials"
+      end
+    end
+  end
+end

data/spec/integration/client_authorization_spec.rb

@@ -0,0 +1,93 @@
+RSpec.describe 'ClientAuthorization' do
+
+  before(:each) do
+    skip("This test requires to be run in a Github action.")  unless ENV["GITHUB_ACTIONS"]
+
+    KeycloakAdmin.configure do |config|
+      config.use_service_account = false
+      config.server_url          = "http://localhost:8080/"
+      config.client_id           = "admin-cli"
+      config.client_realm_name   = "master"
+      config.username            = "admin"
+      config.password            = "admin"
+      config.rest_client_options = { timeout: 5, verify_ssl: false }
+    end
+  end
+
+  after(:each) do
+    configure
+  end
+
+  describe "ClientAuthorization Suite" do
+    it do
+      realm_name = "dummy"
+
+      client = KeycloakAdmin.realm(realm_name).clients.find_by_client_id("dummy-client")
+      client.authorization_services_enabled = true
+      KeycloakAdmin.realm(realm_name).clients.update(client)
+
+      expect(KeycloakAdmin.realm(realm_name).authz_scopes(client.id).list.size).to eql(0)
+      expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).list.size).to eql(1)
+      expect(KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').list.size).to eql(0)
+
+      realm_role =  KeycloakAdmin.realm(realm_name).roles.get("default-roles-dummy")
+
+      scope_1 = KeycloakAdmin.realm(realm_name).authz_scopes(client.id).create!("POST_1", "POST 1 scope", "http://asdas")
+      scope_2 = KeycloakAdmin.realm(realm_name).authz_scopes(client.id).create!("POST_2", "POST 2 scope", "http://asdas")
+      expect(KeycloakAdmin.realm(realm_name).authz_scopes(client.id).search("POST").first.name).to eql("POST_1")
+      expect(KeycloakAdmin.realm(realm_name).authz_scopes(client.id).get(scope_1.id).name).to eql("POST_1")
+
+      resource = KeycloakAdmin.realm(realm_name).authz_resources(client.id).create!("Dummy Resource", "type", ["/asdf/*", "/tmp/"], true, "display_name", [], {"a": ["b", "c"]})
+
+      expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).find_by("Dummy Resource", "", "", "", "").first.name).to eql("Dummy Resource")
+      expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).find_by("", "type", "", "", "").first.name).to eql("Dummy Resource")
+
+      expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).get(resource.id).scopes.count).to eql(0)
+      expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).get(resource.id).uris.count).to eql(2)
+      KeycloakAdmin.realm(realm_name).authz_resources(client.id).update(resource.id,
+                                                                             {
+                                                                               "name": "Dummy Resource",
+                                                                               "type": "type",
+                                                                               "owner_managed_access": true,
+                                                                               "display_name": "display_name",
+                                                                               "attributes": {"a":["b","c"]},
+                                                                               "uris": [ "/asdf/*" , "/tmp/45" ],
+                                                                               "scopes":[
+                                                                                 {name: scope_1.name},{name: scope_2.name}
+                                                                               ],
+                                                                               "icon_uri": "https://icon.ico"
+                                                                             }
+      )
+
+      expect(KeycloakAdmin.realm(realm_name).authz_resources(client.id).get(resource.id).scopes.count).to eql(2)
+
+      policy = KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').create!("Policy 1", "description", "role", "POSITIVE", "UNANIMOUS", true, [{id: realm_role.id, required: true}])
+      expect(KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').find_by("Policy 1", "role").first.name).to eql("Policy 1")
+      expect(KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').get(policy.id).name).to eql("Policy 1")
+      scope_permission = KeycloakAdmin.realm(realm_name).authz_permissions(client.id, :scope).create!("Dummy Scope Permission", "scope description", "UNANIMOUS", "POSITIVE", [resource.id], [policy.id], [scope_1.id, scope_2.id], "")
+      resource_permission = KeycloakAdmin.realm(realm_name).authz_permissions(client.id, :resource).create!("Dummy Resource Permission", "resource description", "UNANIMOUS", "POSITIVE", [resource.id], [policy.id], nil, "")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "", resource.id).list.size).to eql(2)
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "resource").get(resource_permission.id).name).to eql("Dummy Resource Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_scopes(client.id, resource.id).list.size).to eql(2)
+
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, 'scope').list.size).to eql(3)
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, 'resource').list.size).to eql(3)
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "resource").find_by(resource_permission.name, nil).first.name).to eql("Dummy Resource Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "resource").find_by(resource_permission.name, resource.id).first.name).to eql("Dummy Resource Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(scope_permission.name, resource.id).first.name).to eql("Dummy Scope Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(scope_permission.name, resource.id, "POST_1").first.name).to eql("Dummy Scope Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "resource").find_by(nil, resource.id).first.name).to eql("Dummy Resource Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(nil, resource.id).first.name).to eql("Dummy Scope Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(nil, resource.id, "POST_1").first.name).to eql("Dummy Scope Permission")
+      expect(KeycloakAdmin.realm(realm_name).authz_permissions(client.id, "scope").find_by(scope_permission.name, nil).first.name).to eql("Dummy Scope Permission")
+
+      KeycloakAdmin.realm(realm_name).authz_permissions(client.id, 'scope').delete(scope_permission.id)
+      KeycloakAdmin.realm(realm_name).authz_permissions(client.id, 'resource').delete(resource_permission.id)
+      KeycloakAdmin.realm(realm_name).authz_policies(client.id, 'role').delete(policy.id)
+      KeycloakAdmin.realm(realm_name).authz_resources(client.id).delete(resource.id)
+      KeycloakAdmin.realm(realm_name).authz_scopes(client.id).delete(scope_1.id)
+      KeycloakAdmin.realm(realm_name).authz_scopes(client.id).delete(scope_2.id)
+
+    end
+  end
+end

data/spec/representation/attack_detection_representation_spec.rb

@@ -1,16 +1,16 @@
-# frozen_string_literal: true
-
-RSpec.describe KeycloakAdmin::AttackDetectionRepresentation do
-  describe '.from_hash' do
-    it 'converts json response to class structure' do
-      rep = described_class.from_hash({
-        'numFailures' => 2,
-        'disabled' => true,
-        'lastIPFailure' => 12345,
-        'last_failure' => 12345678
-      })
-      expect(rep.num_failures).to eq 2
-      expect(rep).to be_a described_class
-    end
-  end
+# frozen_string_literal: true
+
+RSpec.describe KeycloakAdmin::AttackDetectionRepresentation do
+  describe '.from_hash' do
+    it 'converts json response to class structure' do
+      rep = described_class.from_hash({
+        'numFailures' => 2,
+        'disabled' => true,
+        'lastIPFailure' => 12345,
+        'last_failure' => 12345678
+      })
+      expect(rep.num_failures).to eq 2
+      expect(rep).to be_a described_class
+    end
+  end
 end

data/spec/representation/client_authz_permission_representation_spec.rb

@@ -0,0 +1,52 @@
+RSpec.describe KeycloakAdmin::ClientAuthzPermissionRepresentation do
+  describe '.from_hash, #resource based permission' do
+    it 'converts json response to class structure' do
+      rep = described_class.from_hash({
+                                        "id" => "e9e3bc49-fe11-4287-b6fc-fa8be4930ffa",
+                                        "resources" => ["4f55e984-d1ec-405c-a25c-1387f88acd5c"],
+                                        "policies" => ["e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"],
+                                        "name" => "delme policy",
+                                        "description" => "Delme policy description",
+                                        "decisionStrategy" => "UNANIMOUS",
+                                        "resourceType" => ""
+                                      })
+      expect(rep.id).to eq "e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"
+      expect(rep.resources).to eq ["4f55e984-d1ec-405c-a25c-1387f88acd5c"]
+      expect(rep.policies).to eq ["e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"]
+      expect(rep.name).to eq "delme policy"
+      expect(rep.description).to eq "Delme policy description"
+      expect(rep.decision_strategy).to eq "UNANIMOUS"
+      expect(rep.resource_type).to eq ""
+      expect(rep).to be_a described_class
+    end
+  end
+
+  describe '.from_hash, #scope based permission' do
+    it 'converts json response to class structure' do
+      rep = described_class.from_hash(
+
+        { "id" => "4d762e5d-bf3d-4641-8f94-97e8a1869d1d",
+          "name" => "permission name",
+          "description" => "permission description",
+          "type" => "scope",
+          "policies" => ["e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"],
+          "resources" => ["4f55e984-d1ec-405c-a25c-1387f88acd5c"],
+          "scopes" => ["7c4809c5-33b6-4668-a318-19b302214d20"],
+          "logic" => "POSITIVE",
+          "decisionStrategy" => "UNANIMOUS"
+        })
+      expect(rep.id).to eq "4d762e5d-bf3d-4641-8f94-97e8a1869d1d"
+      expect(rep.resources).to eq ["4f55e984-d1ec-405c-a25c-1387f88acd5c"]
+      expect(rep.policies).to eq ["e9e3bc49-fe11-4287-b6fc-fa8be4930ffa"]
+      expect(rep.scopes).to eq ["7c4809c5-33b6-4668-a318-19b302214d20"]
+      expect(rep.name).to eq "permission name"
+      expect(rep.description).to eq "permission description"
+      expect(rep.decision_strategy).to eq "UNANIMOUS"
+      expect(rep.logic).to eq "POSITIVE"
+      expect(rep.type).to eq "scope"
+      expect(rep.resource_type).to eq nil
+      expect(rep).to be_a described_class
+    end
+  end
+
+end

data/spec/representation/client_authz_policy_representation_spec.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+RSpec.describe KeycloakAdmin::ClientAuthzPolicyRepresentation do
+  let(:realm_name) { "valid-realm" }
+  let(:client_id) { "valid-client-id" }
+  let(:policy_id) { "valid-policy-id" }
+  let(:role_id) { "valid-role-id" }
+  let(:role_name) { "valid-role-name" }
+  let(:policy_name) { "valid-policy-name" }
+  let(:policy_description) { "valid-policy-description" }
+  let(:policy_type) { "role" }
+  let(:policy_logic) { "POSITIVE" }
+  let(:policy_decision_strategy) { "UNANIMOUS" }
+  let(:policy) do
+    {
+      "id": policy_id,
+      "name": policy_name,
+      "description": policy_description,
+      "type": policy_type,
+      "logic": policy_logic,
+      "decisionStrategy": policy_decision_strategy,
+      "roles": [{ "id": role_id, "required": true }]
+    }
+  end
+  let(:client_authz_policy) { KeycloakAdmin.realm(realm_name).authz_policies(client_id, 'role') }
+
+  before(:each) do
+    stub_token_client
+  end
+
+  describe "#create!" do
+    before(:each) do
+      allow_any_instance_of(RestClient::Resource).to receive(:post).and_return policy.to_json
+    end
+
+    it "returns created authz policy" do
+      response = client_authz_policy.create!(policy_name, policy_description, policy_type, policy_logic, policy_decision_strategy, true, [{ id: role_id, required: true }])
+      expect(response.id).to eq policy_id
+      expect(response.name).to eq policy_name
+      expect(response.description).to eq policy_description
+      expect(response.type).to eq policy_type
+      expect(response.logic).to eq policy_logic
+      expect(response.decision_strategy).to eq policy_decision_strategy
+      expect(response.roles).to eq [{ "id" => role_id, "required" => true }]
+    end
+  end
+end

data/spec/representation/client_authz_resource_representation_spec.rb

@@ -0,0 +1,33 @@
+RSpec.describe KeycloakAdmin::ClientAuthzResourceRepresentation do
+  describe '.from_hash' do
+    it 'converts json response to class structure' do
+      rep = described_class.from_hash({
+                                        "name" => "Default Resource",
+                                        "type" => "urn:delme-client-id:resources:default",
+                                        "owner" => {
+                                          "id" => "d259b451-371b-432a-a526-3508f3a36f3b",
+                                          "name" => "delme-client-id"
+                                        },
+                                        "ownerManagedAccess" => true,
+                                        "displayName" => "Display Name",
+                                        "attributes" => { "a" => ["b"]},
+                                        "_id" => "385966a2-14b9-4cc4-9539-5f2fe1008222",
+                                        "uris" => ["/*"],
+                                        "scopes" => [{"id"=>"c0779ce3-0900-4ea3-b1d6-b23e1f19c662",
+                                                    "name" => "GET",
+                                                    "iconUri" => "http=>//asdfasdf"}],
+                                        "icon_uri" => "http://icon"
+                                      })
+      expect(rep.id).to eq "385966a2-14b9-4cc4-9539-5f2fe1008222"
+      expect(rep.name).to eq "Default Resource"
+      expect(rep.type).to eq "urn:delme-client-id:resources:default"
+      expect(rep.uris).to eq ["/*"]
+      expect(rep.owner_managed_access).to eq true
+      expect(rep.attributes).to eq({ :"a" => ["b"]})
+      expect(rep.display_name).to eq "Display Name"
+      expect(rep.scopes[0].id).to eq "c0779ce3-0900-4ea3-b1d6-b23e1f19c662"
+      expect(rep.scopes[0].name).to eq "GET"
+      expect(rep).to be_a described_class
+    end
+  end
+end

data/spec/representation/client_authz_scope_representation_spec.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+RSpec.describe KeycloakAdmin::ClientAuthzScopeRepresentation do
+  describe '.from_hash' do
+    it 'converts json response to class structure' do
+      rep = described_class.from_hash({
+                                        "id" =>"c0779ce3-0900-4ea3-b1d6-b23e1f19c662",
+                                        "name" => "GET",
+                                        "iconUri" => "http://asdfasdf/image.png",
+                                        "displayName" => "GET authz scope"
+                                      })
+      expect(rep.id).to eq "c0779ce3-0900-4ea3-b1d6-b23e1f19c662"
+      expect(rep.name).to eq "GET"
+      expect(rep.icon_uri).to eq "http://asdfasdf/image.png"
+      expect(rep.display_name).to eq "GET authz scope"
+      expect(rep).to be_a described_class
+    end
+  end
+end