strapi-plugin-keycloak-realm-users 1.0.0

package/__tests__/services/keycloak-client.test.mjs

@@ -0,0 +1,651 @@
+/**
+ * @fileoverview Unit tests for the Keycloak client service.
+ * @module __tests__/services/keycloak-client
+ */
+
+import keycloakClientService from '../../server/src/services/keycloak-client.js';
+import { createMockStrapi, createMockRealmConfig, createMockKeycloakUser } from '../mocks/strapi.mjs';
+import { ERROR_MESSAGES, HTTP_STATUS } from '../../server/src/constants.js';
+
+// Mock global fetch
+const mockFetch = jest.fn();
+global.fetch = mockFetch;
+
+describe('Keycloak Client Service', () => {
+  let strapi;
+  let service;
+  let realmConfig;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    strapi = createMockStrapi();
+    service = keycloakClientService({ strapi });
+    realmConfig = createMockRealmConfig();
+    service.clearTokenCache(); // Clear token cache between tests
+  });
+
+  /**
+   * Helper to create a mock fetch response
+   */
+  const mockFetchResponse = (data, options = {}) => {
+    const { ok = true, status = 200, headers = {} } = options;
+    return Promise.resolve({
+      ok,
+      status,
+      statusText: ok ? 'OK' : 'Error',
+      json: () => Promise.resolve(data),
+      text: () => Promise.resolve(typeof data === 'string' ? data : JSON.stringify(data)),
+      headers: {
+        get: (name) => headers[name] || null,
+      },
+    });
+  };
+
+  describe('getAccessToken', () => {
+    it('should fetch and cache a new token', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+
+      const token = await service.getAccessToken(realmConfig);
+
+      expect(token).toBe('test-token');
+      expect(mockFetch).toHaveBeenCalledWith(
+        `${realmConfig.serverUrl}/realms/${realmConfig.realmName}/protocol/openid-connect/token`,
+        expect.objectContaining({
+          method: 'POST',
+          headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        })
+      );
+    });
+
+    it('should return cached token on subsequent calls', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'cached-token', expires_in: 300 })
+      );
+
+      await service.getAccessToken(realmConfig);
+      const token2 = await service.getAccessToken(realmConfig);
+
+      expect(token2).toBe('cached-token');
+      expect(mockFetch).toHaveBeenCalledTimes(1); // Only called once
+    });
+
+    it('should throw sanitized error on auth failure', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('Invalid credentials', { ok: false, status: 401 })
+      );
+
+      try {
+        await service.getAccessToken(realmConfig);
+        fail('Should have thrown');
+      } catch (err) {
+        expect(err.sanitizedMessage).toBe(ERROR_MESSAGES.KEYCLOAK_AUTH_FAILED);
+      }
+    });
+
+    it('should throw connection error on network failure', async () => {
+      mockFetch.mockRejectedValueOnce(new Error('Network error'));
+
+      try {
+        await service.getAccessToken(realmConfig);
+        fail('Should have thrown');
+      } catch (err) {
+        expect(err.sanitizedMessage).toBe(ERROR_MESSAGES.KEYCLOAK_CONNECTION_FAILED);
+      }
+    });
+  });
+
+  describe('testConnection', () => {
+    beforeEach(() => {
+      // Setup token fetch
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should return success with realm display name', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ realm: 'test', displayName: 'Test Realm' })
+      );
+
+      const result = await service.testConnection(realmConfig);
+
+      expect(result.success).toBe(true);
+      expect(result.realmDisplayName).toBe('Test Realm');
+    });
+
+    it('should return failure with message on error', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('Forbidden', { ok: false, status: 403 })
+      );
+
+      const result = await service.testConnection(realmConfig);
+
+      expect(result.success).toBe(false);
+      expect(result.message).toBe('HTTP 403: Error');
+    });
+
+    it('should handle token fetch failure gracefully', async () => {
+      service.clearTokenCache();
+      mockFetch.mockReset();
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('Auth failed', { ok: false, status: 401 })
+      );
+
+      const result = await service.testConnection(realmConfig);
+
+      expect(result.success).toBe(false);
+      expect(result.message).toBe(ERROR_MESSAGES.KEYCLOAK_AUTH_FAILED);
+    });
+  });
+
+  describe('getUsers', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should fetch users with pagination', async () => {
+      const users = [createMockKeycloakUser()];
+      mockFetch.mockResolvedValueOnce(mockFetchResponse(users));
+
+      const result = await service.getUsers(realmConfig, { first: 10, max: 25 });
+
+      expect(result).toEqual(users);
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.stringContaining('first=10'),
+        expect.anything()
+      );
+    });
+
+    it('should include search parameter when provided', async () => {
+      mockFetch.mockResolvedValueOnce(mockFetchResponse([]));
+
+      await service.getUsers(realmConfig, { search: 'john' });
+
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.stringContaining('search=john'),
+        expect.anything()
+      );
+    });
+
+    it('should throw on error', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('Server error', { ok: false, status: 500 })
+      );
+
+      await expect(service.getUsers(realmConfig)).rejects.toThrow();
+    });
+  });
+
+  describe('countUsers', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should return user count', async () => {
+      mockFetch.mockResolvedValueOnce(mockFetchResponse(42));
+
+      const count = await service.countUsers(realmConfig);
+
+      expect(count).toBe(42);
+    });
+
+    it('should return 0 on error', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('Error', { ok: false, status: 500 })
+      );
+
+      const count = await service.countUsers(realmConfig);
+
+      expect(count).toBe(0);
+    });
+  });
+
+  describe('getUserById', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should return user by ID', async () => {
+      const user = createMockKeycloakUser();
+      mockFetch.mockResolvedValueOnce(mockFetchResponse(user));
+
+      const result = await service.getUserById(realmConfig, 'user-123');
+
+      expect(result).toEqual(user);
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.stringContaining('/users/user-123'),
+        expect.anything()
+      );
+    });
+
+    it('should throw USER_NOT_FOUND on 404', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('Not found', { ok: false, status: HTTP_STATUS.NOT_FOUND })
+      );
+
+      try {
+        await service.getUserById(realmConfig, 'missing');
+        fail('Should have thrown');
+      } catch (err) {
+        expect(err.sanitizedMessage).toBe(ERROR_MESSAGES.USER_NOT_FOUND);
+      }
+    });
+  });
+
+  describe('createUser', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should create user and return ID from Location header', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('', {
+          ok: true,
+          status: 201,
+          headers: { Location: 'https://keycloak.example.com/admin/realms/test/users/new-user-id' },
+        })
+      );
+
+      const result = await service.createUser(realmConfig, {
+        username: 'newuser',
+        email: 'new@example.com',
+      });
+
+      expect(result.userId).toBe('new-user-id');
+    });
+
+    it('should throw USER_ALREADY_EXISTS on 409', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('Conflict', { ok: false, status: HTTP_STATUS.CONFLICT })
+      );
+
+      try {
+        await service.createUser(realmConfig, { username: 'existing' });
+        fail('Should have thrown');
+      } catch (err) {
+        expect(err.sanitizedMessage).toBe(ERROR_MESSAGES.USER_ALREADY_EXISTS);
+      }
+    });
+  });
+
+  describe('updateUser', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should update user successfully', async () => {
+      mockFetch.mockResolvedValueOnce(mockFetchResponse('', { ok: true, status: 204 }));
+
+      const result = await service.updateUser(realmConfig, 'user-123', {
+        firstName: 'Updated',
+      });
+
+      expect(result.success).toBe(true);
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.stringContaining('/users/user-123'),
+        expect.objectContaining({ method: 'PUT' })
+      );
+    });
+
+    it('should throw USER_NOT_FOUND on 404', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('Not found', { ok: false, status: HTTP_STATUS.NOT_FOUND })
+      );
+
+      try {
+        await service.updateUser(realmConfig, 'missing', {});
+        fail('Should have thrown');
+      } catch (err) {
+        expect(err.sanitizedMessage).toBe(ERROR_MESSAGES.USER_NOT_FOUND);
+      }
+    });
+  });
+
+  describe('deleteUser', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should delete user successfully', async () => {
+      mockFetch.mockResolvedValueOnce(mockFetchResponse('', { ok: true, status: 204 }));
+
+      const result = await service.deleteUser(realmConfig, 'user-123');
+
+      expect(result.success).toBe(true);
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.stringContaining('/users/user-123'),
+        expect.objectContaining({ method: 'DELETE' })
+      );
+    });
+  });
+
+  describe('resetPassword', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should reset password with temporary flag', async () => {
+      mockFetch.mockResolvedValueOnce(mockFetchResponse('', { ok: true }));
+
+      const result = await service.resetPassword(realmConfig, 'user-123', 'NewPass!', true);
+
+      expect(result.success).toBe(true);
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.stringContaining('/reset-password'),
+        expect.objectContaining({
+          body: expect.stringContaining('"temporary":true'),
+        })
+      );
+    });
+
+    it('should throw PASSWORD_RESET_FAILED on error', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('Failed', { ok: false, status: 400 })
+      );
+
+      try {
+        await service.resetPassword(realmConfig, 'user-123', 'weak');
+        fail('Should have thrown');
+      } catch (err) {
+        expect(err.sanitizedMessage).toBe(ERROR_MESSAGES.PASSWORD_RESET_FAILED);
+      }
+    });
+  });
+
+  describe('enableUser / disableUser', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should enable user by updating enabled field', async () => {
+      mockFetch.mockResolvedValueOnce(mockFetchResponse('', { ok: true }));
+
+      await service.enableUser(realmConfig, 'user-123');
+
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.anything(),
+        expect.objectContaining({
+          body: JSON.stringify({ enabled: true }),
+        })
+      );
+    });
+
+    it('should disable user by updating enabled field', async () => {
+      mockFetch.mockResolvedValueOnce(mockFetchResponse('', { ok: true }));
+
+      await service.disableUser(realmConfig, 'user-123');
+
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.anything(),
+        expect.objectContaining({
+          body: JSON.stringify({ enabled: false }),
+        })
+      );
+    });
+  });
+
+  describe('executeEmailActions', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should send email actions with lifespan', async () => {
+      mockFetch.mockResolvedValueOnce(mockFetchResponse('', { ok: true }));
+
+      await service.executeEmailActions(realmConfig, 'user-123', ['VERIFY_EMAIL'], 3600);
+
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.stringContaining('lifespan=3600'),
+        expect.objectContaining({
+          body: JSON.stringify(['VERIFY_EMAIL']),
+        })
+      );
+    });
+
+    it('should throw EMAIL_SEND_FAILED on error', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('Email failed', { ok: false, status: 500 })
+      );
+
+      try {
+        await service.executeEmailActions(realmConfig, 'user-123', ['VERIFY_EMAIL']);
+        fail('Should have thrown');
+      } catch (err) {
+        expect(err.sanitizedMessage).toBe(ERROR_MESSAGES.EMAIL_SEND_FAILED);
+      }
+    });
+  });
+
+  describe('sendVerificationEmail / sendResetPasswordEmail', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should send verification email', async () => {
+      mockFetch.mockResolvedValueOnce(mockFetchResponse('', { ok: true }));
+
+      await service.sendVerificationEmail(realmConfig, 'user-123');
+
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.anything(),
+        expect.objectContaining({
+          body: JSON.stringify(['VERIFY_EMAIL']),
+        })
+      );
+    });
+
+    it('should send password reset email', async () => {
+      mockFetch.mockResolvedValueOnce(mockFetchResponse('', { ok: true }));
+
+      await service.sendResetPasswordEmail(realmConfig, 'user-123');
+
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.anything(),
+        expect.objectContaining({
+          body: JSON.stringify(['UPDATE_PASSWORD']),
+        })
+      );
+    });
+  });
+
+  describe('getRealmRoles / getUserRoles', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should get realm roles', async () => {
+      const roles = [{ id: '1', name: 'admin' }];
+      mockFetch.mockResolvedValueOnce(mockFetchResponse(roles));
+
+      const result = await service.getRealmRoles(realmConfig);
+
+      expect(result).toEqual(roles);
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.stringContaining('/roles'),
+        expect.anything()
+      );
+    });
+
+    it('should get user roles', async () => {
+      const roles = [{ id: '1', name: 'user' }];
+      mockFetch.mockResolvedValueOnce(mockFetchResponse(roles));
+
+      const result = await service.getUserRoles(realmConfig, 'user-123');
+
+      expect(result).toEqual(roles);
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.stringContaining('/users/user-123/role-mappings/realm'),
+        expect.anything()
+      );
+    });
+  });
+
+  describe('assignRoles / removeRoles', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should assign roles with POST', async () => {
+      mockFetch.mockResolvedValueOnce(mockFetchResponse('', { ok: true }));
+      const roles = [{ id: '1', name: 'admin' }];
+
+      await service.assignRoles(realmConfig, 'user-123', roles);
+
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.anything(),
+        expect.objectContaining({
+          method: 'POST',
+          body: JSON.stringify(roles),
+        })
+      );
+    });
+
+    it('should remove roles with DELETE', async () => {
+      mockFetch.mockResolvedValueOnce(mockFetchResponse('', { ok: true }));
+      const roles = [{ id: '1', name: 'admin' }];
+
+      await service.removeRoles(realmConfig, 'user-123', roles);
+
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.anything(),
+        expect.objectContaining({
+          method: 'DELETE',
+          body: JSON.stringify(roles),
+        })
+      );
+    });
+
+    it('should throw ROLE_ASSIGNMENT_FAILED on assign error', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('Failed', { ok: false, status: 400 })
+      );
+
+      try {
+        await service.assignRoles(realmConfig, 'user-123', []);
+        fail('Should have thrown');
+      } catch (err) {
+        expect(err.sanitizedMessage).toBe(ERROR_MESSAGES.ROLE_ASSIGNMENT_FAILED);
+      }
+    });
+  });
+
+  describe('getUserSessions', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should return user sessions', async () => {
+      const sessions = [{ id: 'session-1', start: Date.now() }];
+      mockFetch.mockResolvedValueOnce(mockFetchResponse(sessions));
+
+      const result = await service.getUserSessions(realmConfig, 'user-123');
+
+      expect(result).toEqual(sessions);
+    });
+
+    it('should return empty array on error', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('Error', { ok: false, status: 500 })
+      );
+
+      const result = await service.getUserSessions(realmConfig, 'user-123');
+
+      expect(result).toEqual([]);
+    });
+  });
+
+  describe('logoutUser', () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+    });
+
+    it('should logout user successfully', async () => {
+      mockFetch.mockResolvedValueOnce(mockFetchResponse('', { ok: true, status: 204 }));
+
+      const result = await service.logoutUser(realmConfig, 'user-123');
+
+      expect(result.success).toBe(true);
+      expect(mockFetch).toHaveBeenLastCalledWith(
+        expect.stringContaining('/logout'),
+        expect.objectContaining({ method: 'POST' })
+      );
+    });
+
+    it('should throw LOGOUT_FAILED on error', async () => {
+      mockFetch.mockResolvedValueOnce(
+        mockFetchResponse('Failed', { ok: false, status: 500 })
+      );
+
+      try {
+        await service.logoutUser(realmConfig, 'user-123');
+        fail('Should have thrown');
+      } catch (err) {
+        expect(err.sanitizedMessage).toBe(ERROR_MESSAGES.LOGOUT_FAILED);
+      }
+    });
+  });
+
+  describe('clearTokenCache', () => {
+    it('should clear specific realm token', async () => {
+      mockFetch.mockResolvedValue(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+
+      await service.getAccessToken(realmConfig);
+      service.clearTokenCache(realmConfig);
+      await service.getAccessToken(realmConfig);
+
+      // Should have been called twice (token was cleared)
+      expect(mockFetch).toHaveBeenCalledTimes(2);
+    });
+
+    it('should clear all tokens when no config provided', async () => {
+      mockFetch.mockResolvedValue(
+        mockFetchResponse({ access_token: 'test-token', expires_in: 300 })
+      );
+
+      // Use different realmName to get different cache keys
+      const realm1 = createMockRealmConfig({ realmName: 'realm-one' });
+      const realm2 = createMockRealmConfig({ realmName: 'realm-two' });
+
+      await service.getAccessToken(realm1);
+      await service.getAccessToken(realm2);
+      service.clearTokenCache();
+      await service.getAccessToken(realm1);
+      await service.getAccessToken(realm2);
+
+      // Should have been called 4 times (2 initial + 2 after clear)
+      expect(mockFetch).toHaveBeenCalledTimes(4);
+    });
+  });
+});