Mirror
/
python-keycloak
mirror of https://github.com/marcospereirampj/python-keycloak.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
643 Commits
15 Branches
98 Tags
17 MiB
Tree: 39f4afe9b6
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '39f4afe9b6'
${ noResults }
python-keycloak/tests/test_keycloak_admin.py

1891 lines
70 KiB
Raw Normal View History

style: fixed docstrings everywhere
2 years ago
fix: applied tox linting check
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: completed admin unit tests
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: completed admin unit tests
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
fix: allow query parameters for users count
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
feat: Add update_idp
2 years ago
feat: initial setup of CICD and linting
2 years ago
feat: Add get_idp_mappers, fix #329
2 years ago
feat: Add update_mapper_in_idp
2 years ago
feat: Add get_idp_mappers, fix #329
2 years ago
feat: Add update_mapper_in_idp
2 years ago
feat: Add get_idp_mappers, fix #329
2 years ago
feat: Add update_mapper_in_idp
2 years ago
feat: Add get_idp_mappers, fix #329
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: added missing tests for clients
2 years ago
test: completed admin unit tests
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: added missing tests for clients
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added missing tests for clients
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added missing tests for clients
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added missing tests for clients
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: cover the cases with unit tests
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: cover the cases with unit tests
2 years ago
feat: initial setup of CICD and linting
2 years ago
ci: add test case for token exchange setup
2 years ago
style: fixed docstrings everywhere
2 years ago
ci: add test case for token exchange setup
2 years ago
feat: Allow fetching existing policies before calling create_client_authz_client_policy()
2 years ago
ci: add test case for token exchange setup
2 years ago
feat: Allow fetching existing policies before calling create_client_authz_client_policy()
2 years ago
ci: add test case for token exchange setup
2 years ago
feat: Allow fetching existing policies before calling create_client_authz_client_policy()
2 years ago
ci: add test case for token exchange setup
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: test authenticator and configurations
2 years ago
style: fixed docstrings everywhere
2 years ago
test: test authenticator and configurations
2 years ago
style: fixed docstrings everywhere
2 years ago
test: test authenticator and configurations
2 years ago
test: added tests for client scopes
2 years ago
style: fixed docstrings everywhere
2 years ago
test: added tests for client scopes
2 years ago
feat: Add update_mapper_in_idp
2 years ago
test: added tests for client scopes
2 years ago
test: added components tests
2 years ago
style: fixed docstrings everywhere
2 years ago
test: added components tests
2 years ago
test: completed admin unit tests
2 years ago
style: fixed docstrings everywhere
2 years ago
test: completed admin unit tests
2 years ago
style: fixed docstrings everywhere
2 years ago
test: completed admin unit tests
2 years ago
style: fixed docstrings everywhere
2 years ago
test: completed admin unit tests
2 years ago
fix: raise correct exceptions
2 years ago
test: completed admin unit tests
2 years ago
feat: add unit tests
2 years ago
fix: applied flake linting checks
2 years ago
feat: add unit tests
2 years ago
fix: applied flake linting checks
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
test: improved the tests on urls, back to 100%
2 years ago
feat: add unit tests
2 years ago
fix: applied flake linting checks
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
fix: applied flake linting checks
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
fix: applied flake linting checks
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
feat: add unit tests
2 years ago
fix: applied flake linting checks
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
  1. """Test the keycloak admin object."""
  3. import copy
  5. import pytest
  7. import keycloak
  8. from keycloak import KeycloakAdmin
  9. from keycloak.connection import ConnectionManager
  10. from keycloak.exceptions import (
  11. KeycloakAuthenticationError,
  12. KeycloakDeleteError,
  13. KeycloakGetError,
  14. KeycloakPostError,
  15. KeycloakPutError,
  16. )
  19. def test_keycloak_version():
  20. """Test version."""
  21. assert keycloak.__version__, keycloak.__version__
  24. def test_keycloak_admin_bad_init(env):
  25. """Test keycloak admin bad init."""
  26. with pytest.raises(TypeError) as err:
  27. KeycloakAdmin(
  28. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  29. username=env.KEYCLOAK_ADMIN,
  30. password=env.KEYCLOAK_ADMIN_PASSWORD,
  31. auto_refresh_token=1,
  32. )
  33. assert err.match("Expected a list of strings")
  35. with pytest.raises(TypeError) as err:
  36. KeycloakAdmin(
  37. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  38. username=env.KEYCLOAK_ADMIN,
  39. password=env.KEYCLOAK_ADMIN_PASSWORD,
  40. auto_refresh_token=["patch"],
  41. )
  42. assert err.match("Unexpected method in auto_refresh_token")
  45. def test_keycloak_admin_init(env):
  46. """Test keycloak admin init."""
  47. admin = KeycloakAdmin(
  48. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  49. username=env.KEYCLOAK_ADMIN,
  50. password=env.KEYCLOAK_ADMIN_PASSWORD,
  51. )
  52. assert admin.server_url == f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}", admin.server_url
  53. assert admin.realm_name == "master", admin.realm_name
  54. assert isinstance(admin.connection, ConnectionManager), type(admin.connection)
  55. assert admin.client_id == "admin-cli", admin.client_id
  56. assert admin.client_secret_key is None, admin.client_secret_key
  57. assert admin.verify, admin.verify
  58. assert admin.username == env.KEYCLOAK_ADMIN, admin.username
  59. assert admin.password == env.KEYCLOAK_ADMIN_PASSWORD, admin.password
  60. assert admin.totp is None, admin.totp
  61. assert admin.token is not None, admin.token
  62. assert admin.auto_refresh_token == list(), admin.auto_refresh_token
  63. assert admin.user_realm_name is None, admin.user_realm_name
  64. assert admin.custom_headers is None, admin.custom_headers
  65. assert admin.token
  67. admin = KeycloakAdmin(
  68. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  69. username=env.KEYCLOAK_ADMIN,
  70. password=env.KEYCLOAK_ADMIN_PASSWORD,
  71. realm_name=None,
  72. user_realm_name="master",
  73. )
  74. assert admin.token
  75. admin = KeycloakAdmin(
  76. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  77. username=env.KEYCLOAK_ADMIN,
  78. password=env.KEYCLOAK_ADMIN_PASSWORD,
  79. realm_name=None,
  80. user_realm_name=None,
  81. )
  82. assert admin.token
  84. admin.create_realm(payload={"realm": "authz", "enabled": True})
  85. admin.realm_name = "authz"
  86. admin.create_client(
  87. payload={
  88. "name": "authz-client",
  89. "clientId": "authz-client",
  90. "authorizationServicesEnabled": True,
  91. "serviceAccountsEnabled": True,
  92. "clientAuthenticatorType": "client-secret",
  93. "directAccessGrantsEnabled": False,
  94. "enabled": True,
  95. "implicitFlowEnabled": False,
  96. "publicClient": False,
  97. }
  98. )
  99. secret = admin.generate_client_secrets(client_id=admin.get_client_id("authz-client"))
  100. assert KeycloakAdmin(
  101. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  102. user_realm_name="authz",
  103. client_id="authz-client",
  104. client_secret_key=secret["value"],
  105. ).token
  106. admin.delete_realm(realm_name="authz")
  108. assert (
  109. KeycloakAdmin(
  110. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  111. username=None,
  112. password=None,
  113. client_secret_key=None,
  114. custom_headers={"custom": "header"},
  115. ).token
  116. is None
  117. )
  120. def test_realms(admin: KeycloakAdmin):
  121. """Test realms."""
  122. # Get realms
  123. realms = admin.get_realms()
  124. assert len(realms) == 1, realms
  125. assert "master" == realms[0]["realm"]
  127. # Create a test realm
  128. res = admin.create_realm(payload={"realm": "test"})
  129. assert res == b"", res
  131. # Create the same realm, should fail
  132. with pytest.raises(KeycloakPostError) as err:
  133. res = admin.create_realm(payload={"realm": "test"})
  134. assert err.match('409: b\'{"errorMessage":"Conflict detected. See logs for details"}\'')
  136. # Create the same realm, skip_exists true
  137. res = admin.create_realm(payload={"realm": "test"}, skip_exists=True)
  138. assert res == {"msg": "Already exists"}, res
  140. # Get a single realm
  141. res = admin.get_realm(realm_name="test")
  142. assert res["realm"] == "test"
  144. # Get non-existing realm
  145. with pytest.raises(KeycloakGetError) as err:
  146. admin.get_realm(realm_name="non-existent")
  147. assert err.match('404: b\'{"error":"Realm not found."}\'')
  149. # Update realm
  150. res = admin.update_realm(realm_name="test", payload={"accountTheme": "test"})
  151. assert res == dict(), res
  153. # Check that the update worked
  154. res = admin.get_realm(realm_name="test")
  155. assert res["realm"] == "test"
  156. assert res["accountTheme"] == "test"
  158. # Update wrong payload
  159. with pytest.raises(KeycloakPutError) as err:
  160. admin.update_realm(realm_name="test", payload={"wrong": "payload"})
  161. assert err.match('400: b\'{"error":"Unrecognized field')
  163. # Check that get realms returns both realms
  164. realms = admin.get_realms()
  165. realm_names = [x["realm"] for x in realms]
  166. assert len(realms) == 2, realms
  167. assert "master" in realm_names, realm_names
  168. assert "test" in realm_names, realm_names
  170. # Delete the realm
  171. res = admin.delete_realm(realm_name="test")
  172. assert res == dict(), res
  174. # Check that the realm does not exist anymore
  175. with pytest.raises(KeycloakGetError) as err:
  176. admin.get_realm(realm_name="test")
  177. assert err.match('404: b\'{"error":"Realm not found."}\'')
  179. # Delete non-existing realm
  180. with pytest.raises(KeycloakDeleteError) as err:
  181. admin.delete_realm(realm_name="non-existent")
  182. assert err.match('404: b\'{"error":"Realm not found."}\'')
  185. def test_import_export_realms(admin: KeycloakAdmin, realm: str):
  186. """Test import and export of realms."""
  187. admin.realm_name = realm
  189. realm_export = admin.export_realm(export_clients=True, export_groups_and_role=True)
  190. assert realm_export != dict(), realm_export
  192. admin.delete_realm(realm_name=realm)
  193. admin.realm_name = "master"
  194. res = admin.import_realm(payload=realm_export)
  195. assert res == b"", res
  197. # Test bad import
  198. with pytest.raises(KeycloakPostError) as err:
  199. admin.import_realm(payload=dict())
  200. assert err.match('500: b\'{"error":"unknown_error"}\'')
  203. def test_users(admin: KeycloakAdmin, realm: str):
  204. """Test users."""
  205. admin.realm_name = realm
  207. # Check no users present
  208. users = admin.get_users()
  209. assert users == list(), users
  211. # Test create user
  212. user_id = admin.create_user(payload={"username": "test", "email": "test@test.test"})
  213. assert user_id is not None, user_id
  215. # Test create the same user
  216. with pytest.raises(KeycloakPostError) as err:
  217. admin.create_user(payload={"username": "test", "email": "test@test.test"})
  218. assert err.match('409: b\'{"errorMessage":"User exists with same username"}\'')
  220. # Test create the same user, exists_ok true
  221. user_id_2 = admin.create_user(
  222. payload={"username": "test", "email": "test@test.test"}, exist_ok=True
  223. )
  224. assert user_id == user_id_2
  226. # Test get user
  227. user = admin.get_user(user_id=user_id)
  228. assert user["username"] == "test", user["username"]
  229. assert user["email"] == "test@test.test", user["email"]
  231. # Test update user
  232. res = admin.update_user(user_id=user_id, payload={"firstName": "Test"})
  233. assert res == dict(), res
  234. user = admin.get_user(user_id=user_id)
  235. assert user["firstName"] == "Test"
  237. # Test update user fail
  238. with pytest.raises(KeycloakPutError) as err:
  239. admin.update_user(user_id=user_id, payload={"wrong": "payload"})
  240. assert err.match('400: b\'{"error":"Unrecognized field')
  242. # Test get users again
  243. users = admin.get_users()
  244. usernames = [x["username"] for x in users]
  245. assert "test" in usernames
  247. # Test users counts
  248. count = admin.users_count()
  249. assert count == 1, count
  251. # Test users count with query
  252. count = admin.users_count(query={"username": "notpresent"})
  253. assert count == 0
  255. # Test user groups
  256. groups = admin.get_user_groups(user_id=user["id"])
  257. assert len(groups) == 0
  259. # Test user groups bad id
  260. with pytest.raises(KeycloakGetError) as err:
  261. admin.get_user_groups(user_id="does-not-exist")
  262. assert err.match('404: b\'{"error":"User not found"}\'')
  264. # Test logout
  265. res = admin.user_logout(user_id=user["id"])
  266. assert res == dict(), res
  268. # Test logout fail
  269. with pytest.raises(KeycloakPostError) as err:
  270. admin.user_logout(user_id="non-existent-id")
  271. assert err.match('404: b\'{"error":"User not found"}\'')
  273. # Test consents
  274. res = admin.user_consents(user_id=user["id"])
  275. assert len(res) == 0, res
  277. # Test consents fail
  278. with pytest.raises(KeycloakGetError) as err:
  279. admin.user_consents(user_id="non-existent-id")
  280. assert err.match('404: b\'{"error":"User not found"}\'')
  282. # Test delete user
  283. res = admin.delete_user(user_id=user_id)
  284. assert res == dict(), res
  285. with pytest.raises(KeycloakGetError) as err:
  286. admin.get_user(user_id=user_id)
  287. err.match('404: b\'{"error":"User not found"}\'')
  289. # Test delete fail
  290. with pytest.raises(KeycloakDeleteError) as err:
  291. admin.delete_user(user_id="non-existent-id")
  292. assert err.match('404: b\'{"error":"User not found"}\'')
  295. def test_users_pagination(admin: KeycloakAdmin, realm: str):
  296. """Test user pagination."""
  297. admin.realm_name = realm
  299. for ind in range(admin.PAGE_SIZE + 50):
  300. username = f"user_{ind}"
  301. admin.create_user(payload={"username": username, "email": f"{username}@test.test"})
  303. users = admin.get_users()
  304. assert len(users) == admin.PAGE_SIZE + 50, len(users)
  306. users = admin.get_users(query={"first": 100})
  307. assert len(users) == 50, len(users)
  309. users = admin.get_users(query={"max": 20})
  310. assert len(users) == 20, len(users)
  313. def test_idps(admin: KeycloakAdmin, realm: str):
  314. """Test IDPs."""
  315. admin.realm_name = realm
  317. # Create IDP
  318. res = admin.create_idp(
  319. payload=dict(
  320. providerId="github", alias="github", config=dict(clientId="test", clientSecret="test")
  321. )
  322. )
  323. assert res == b"", res
  325. # Test create idp fail
  326. with pytest.raises(KeycloakPostError) as err:
  327. admin.create_idp(payload={"providerId": "does-not-exist", "alias": "something"})
  328. assert err.match("Invalid identity provider id"), err
  330. # Test listing
  331. idps = admin.get_idps()
  332. assert len(idps) == 1
  333. assert "github" == idps[0]["alias"]
  335. # Test IdP update
  336. res = admin.update_idp(idp_alias="github", payload=idps[0])
  338. assert res == {}, res
  340. # Test adding a mapper
  341. res = admin.add_mapper_to_idp(
  342. idp_alias="github",
  343. payload={
  344. "identityProviderAlias": "github",
  345. "identityProviderMapper": "github-user-attribute-mapper",
  346. "name": "test",
  347. },
  348. )
  349. assert res == b"", res
  351. # Test mapper fail
  352. with pytest.raises(KeycloakPostError) as err:
  353. admin.add_mapper_to_idp(idp_alias="does-no-texist", payload=dict())
  354. assert err.match('404: b\'{"error":"HTTP 404 Not Found"}\'')
  356. # Test IdP mappers listing
  357. idp_mappers = admin.get_idp_mappers(idp_alias="github")
  358. assert len(idp_mappers) == 1
  360. # Test IdP mapper update
  361. res = admin.update_mapper_in_idp(
  362. idp_alias="github",
  363. mapper_id=idp_mappers[0]["id"],
  364. # For an obscure reason, keycloak expect all fields
  365. payload={
  366. "id": idp_mappers[0]["id"],
  367. "identityProviderAlias": "github-alias",
  368. "identityProviderMapper": "github-user-attribute-mapper",
  369. "name": "test",
  370. "config": idp_mappers[0]["config"],
  371. },
  372. )
  373. assert res == dict(), res
  375. # Test delete
  376. res = admin.delete_idp(idp_alias="github")
  377. assert res == dict(), res
  379. # Test delete fail
  380. with pytest.raises(KeycloakDeleteError) as err:
  381. admin.delete_idp(idp_alias="does-not-exist")
  382. assert err.match('404: b\'{"error":"HTTP 404 Not Found"}\'')
  385. def test_user_credentials(admin: KeycloakAdmin, user: str):
  386. """Test user credentials."""
  387. res = admin.set_user_password(user_id=user, password="booya", temporary=True)
  388. assert res == dict(), res
  390. # Test user password set fail
  391. with pytest.raises(KeycloakPutError) as err:
  392. admin.set_user_password(user_id="does-not-exist", password="")
  393. assert err.match('404: b\'{"error":"User not found"}\'')
  395. credentials = admin.get_credentials(user_id=user)
  396. assert len(credentials) == 1
  397. assert credentials[0]["type"] == "password", credentials
  399. # Test get credentials fail
  400. with pytest.raises(KeycloakGetError) as err:
  401. admin.get_credentials(user_id="does-not-exist")
  402. assert err.match('404: b\'{"error":"User not found"}\'')
  404. res = admin.delete_credential(user_id=user, credential_id=credentials[0]["id"])
  405. assert res == dict(), res
  407. # Test delete fail
  408. with pytest.raises(KeycloakDeleteError) as err:
  409. admin.delete_credential(user_id=user, credential_id="does-not-exist")
  410. assert err.match('404: b\'{"error":"Credential not found"}\'')
  413. def test_social_logins(admin: KeycloakAdmin, user: str):
  414. """Test social logins."""
  415. res = admin.add_user_social_login(
  416. user_id=user, provider_id="gitlab", provider_userid="test", provider_username="test"
  417. )
  418. assert res == dict(), res
  419. admin.add_user_social_login(
  420. user_id=user, provider_id="github", provider_userid="test", provider_username="test"
  421. )
  422. assert res == dict(), res
  424. # Test add social login fail
  425. with pytest.raises(KeycloakPostError) as err:
  426. admin.add_user_social_login(
  427. user_id="does-not-exist",
  428. provider_id="does-not-exist",
  429. provider_userid="test",
  430. provider_username="test",
  431. )
  432. assert err.match('404: b\'{"error":"User not found"}\'')
  434. res = admin.get_user_social_logins(user_id=user)
  435. assert res == list(), res
  437. # Test get social logins fail
  438. with pytest.raises(KeycloakGetError) as err:
  439. admin.get_user_social_logins(user_id="does-not-exist")
  440. assert err.match('404: b\'{"error":"User not found"}\'')
  442. res = admin.delete_user_social_login(user_id=user, provider_id="gitlab")
  443. assert res == {}, res
  445. res = admin.delete_user_social_login(user_id=user, provider_id="github")
  446. assert res == {}, res
  448. with pytest.raises(KeycloakDeleteError) as err:
  449. admin.delete_user_social_login(user_id=user, provider_id="instagram")
  450. assert err.match('404: b\'{"error":"Link not found"}\''), err
  453. def test_server_info(admin: KeycloakAdmin):
  454. """Test server info."""
  455. info = admin.get_server_info()
  456. assert set(info.keys()) == {
  457. "systemInfo",
  458. "memoryInfo",
  459. "profileInfo",
  460. "themes",
  461. "socialProviders",
  462. "identityProviders",
  463. "providers",
  464. "protocolMapperTypes",
  465. "builtinProtocolMappers",
  466. "clientInstallations",
  467. "componentTypes",
  468. "passwordPolicies",
  469. "enums",
  470. }, info.keys()
  473. def test_groups(admin: KeycloakAdmin, user: str):
  474. """Test groups."""
  475. # Test get groups
  476. groups = admin.get_groups()
  477. assert len(groups) == 0
  479. # Test create group
  480. group_id = admin.create_group(payload={"name": "main-group"})
  481. assert group_id is not None, group_id
  483. # Test create subgroups
  484. subgroup_id_1 = admin.create_group(payload={"name": "subgroup-1"}, parent=group_id)
  485. subgroup_id_2 = admin.create_group(payload={"name": "subgroup-2"}, parent=group_id)
  487. # Test create group fail
  488. with pytest.raises(KeycloakPostError) as err:
  489. admin.create_group(payload={"name": "subgroup-1"}, parent=group_id)
  490. assert err.match('409: b\'{"error":"unknown_error"}\''), err
  492. # Test skip exists OK
  493. subgroup_id_1_eq = admin.create_group(
  494. payload={"name": "subgroup-1"}, parent=group_id, skip_exists=True
  495. )
  496. assert subgroup_id_1_eq is None
  498. # Test get groups again
  499. groups = admin.get_groups()
  500. assert len(groups) == 1, groups
  501. assert len(groups[0]["subGroups"]) == 2, groups["subGroups"]
  502. assert groups[0]["id"] == group_id
  503. assert {x["id"] for x in groups[0]["subGroups"]} == {subgroup_id_1, subgroup_id_2}
  505. # Test get groups query
  506. groups = admin.get_groups(query={"max": 10})
  507. assert len(groups) == 1, groups
  508. assert len(groups[0]["subGroups"]) == 2, groups["subGroups"]
  509. assert groups[0]["id"] == group_id
  510. assert {x["id"] for x in groups[0]["subGroups"]} == {subgroup_id_1, subgroup_id_2}
  512. # Test get group
  513. res = admin.get_group(group_id=subgroup_id_1)
  514. assert res["id"] == subgroup_id_1, res
  515. assert res["name"] == "subgroup-1"
  516. assert res["path"] == "/main-group/subgroup-1"
  518. # Test get group fail
  519. with pytest.raises(KeycloakGetError) as err:
  520. admin.get_group(group_id="does-not-exist")
  521. assert err.match('404: b\'{"error":"Could not find group by id"}\''), err
  523. # Create 1 more subgroup
  524. subsubgroup_id_1 = admin.create_group(payload={"name": "subsubgroup-1"}, parent=subgroup_id_2)
  525. main_group = admin.get_group(group_id=group_id)
  527. # Test nested searches
  528. res = admin.get_subgroups(group=main_group, path="/main-group/subgroup-2/subsubgroup-1")
  529. assert res is not None, res
  530. assert res["id"] == subsubgroup_id_1
  532. # Test empty search
  533. res = admin.get_subgroups(group=main_group, path="/none")
  534. assert res is None, res
  536. # Test get group by path
  537. res = admin.get_group_by_path(path="/main-group/subgroup-1")
  538. assert res is None, res
  540. res = admin.get_group_by_path(path="/main-group/subgroup-1", search_in_subgroups=True)
  541. assert res is not None, res
  542. assert res["id"] == subgroup_id_1, res
  544. res = admin.get_group_by_path(
  545. path="/main-group/subgroup-2/subsubgroup-1/test", search_in_subgroups=True
  546. )
  547. assert res is None, res
  549. res = admin.get_group_by_path(
  550. path="/main-group/subgroup-2/subsubgroup-1", search_in_subgroups=True
  551. )
  552. assert res is not None, res
  553. assert res["id"] == subsubgroup_id_1
  555. res = admin.get_group_by_path(path="/main-group")
  556. assert res is not None, res
  557. assert res["id"] == group_id, res
  559. # Test group members
  560. res = admin.get_group_members(group_id=subgroup_id_2)
  561. assert len(res) == 0, res
  563. # Test fail group members
  564. with pytest.raises(KeycloakGetError) as err:
  565. admin.get_group_members(group_id="does-not-exist")
  566. assert err.match('404: b\'{"error":"Could not find group by id"}\'')
  568. res = admin.group_user_add(user_id=user, group_id=subgroup_id_2)
  569. assert res == dict(), res
  571. res = admin.get_group_members(group_id=subgroup_id_2)
  572. assert len(res) == 1, res
  573. assert res[0]["id"] == user
  575. # Test get group members query
  576. res = admin.get_group_members(group_id=subgroup_id_2, query={"max": 10})
  577. assert len(res) == 1, res
  578. assert res[0]["id"] == user
  580. with pytest.raises(KeycloakDeleteError) as err:
  581. admin.group_user_remove(user_id="does-not-exist", group_id=subgroup_id_2)
  582. assert err.match('404: b\'{"error":"User not found"}\''), err
  584. res = admin.group_user_remove(user_id=user, group_id=subgroup_id_2)
  585. assert res == dict(), res
  587. # Test set permissions
  588. res = admin.group_set_permissions(group_id=subgroup_id_2, enabled=True)
  589. assert res["enabled"], res
  590. res = admin.group_set_permissions(group_id=subgroup_id_2, enabled=False)
  591. assert not res["enabled"], res
  592. with pytest.raises(KeycloakPutError) as err:
  593. admin.group_set_permissions(group_id=subgroup_id_2, enabled="blah")
  594. assert err.match('500: b\'{"error":"unknown_error"}\''), err
  596. # Test update group
  597. res = admin.update_group(group_id=subgroup_id_2, payload={"name": "new-subgroup-2"})
  598. assert res == dict(), res
  599. assert admin.get_group(group_id=subgroup_id_2)["name"] == "new-subgroup-2"
  601. # test update fail
  602. with pytest.raises(KeycloakPutError) as err:
  603. admin.update_group(group_id="does-not-exist", payload=dict())
  604. assert err.match('404: b\'{"error":"Could not find group by id"}\''), err
  606. # Test delete
  607. res = admin.delete_group(group_id=group_id)
  608. assert res == dict(), res
  609. assert len(admin.get_groups()) == 0
  611. # Test delete fail
  612. with pytest.raises(KeycloakDeleteError) as err:
  613. admin.delete_group(group_id="does-not-exist")
  614. assert err.match('404: b\'{"error":"Could not find group by id"}\''), err
  617. def test_clients(admin: KeycloakAdmin, realm: str):
  618. """Test clients."""
  619. admin.realm_name = realm
  621. # Test get clients
  622. clients = admin.get_clients()
  623. assert len(clients) == 6, clients
  624. assert {x["name"] for x in clients} == set(
  625. [
  626. "${client_admin-cli}",
  627. "${client_security-admin-console}",
  628. "${client_account-console}",
  629. "${client_broker}",
  630. "${client_account}",
  631. "${client_realm-management}",
  632. ]
  633. ), clients
  635. # Test create client
  636. client_id = admin.create_client(payload={"name": "test-client", "clientId": "test-client"})
  637. assert client_id, client_id
  639. with pytest.raises(KeycloakPostError) as err:
  640. admin.create_client(payload={"name": "test-client", "clientId": "test-client"})
  641. assert err.match('409: b\'{"errorMessage":"Client test-client already exists"}\''), err
  643. client_id_2 = admin.create_client(
  644. payload={"name": "test-client", "clientId": "test-client"}, skip_exists=True
  645. )
  646. assert client_id == client_id_2, client_id_2
  648. # Test get client
  649. res = admin.get_client(client_id=client_id)
  650. assert res["clientId"] == "test-client", res
  651. assert res["name"] == "test-client", res
  652. assert res["id"] == client_id, res
  654. with pytest.raises(KeycloakGetError) as err:
  655. admin.get_client(client_id="does-not-exist")
  656. assert err.match('404: b\'{"error":"Could not find client"}\'')
  657. assert len(admin.get_clients()) == 7
  659. # Test get client id
  660. assert admin.get_client_id(client_id="test-client") == client_id
  661. assert admin.get_client_id(client_id="does-not-exist") is None
  663. # Test update client
  664. res = admin.update_client(client_id=client_id, payload={"name": "test-client-change"})
  665. assert res == dict(), res
  667. with pytest.raises(KeycloakPutError) as err:
  668. admin.update_client(client_id="does-not-exist", payload={"name": "test-client-change"})
  669. assert err.match('404: b\'{"error":"Could not find client"}\'')
  671. # Test client mappers
  672. res = admin.get_mappers_from_client(client_id=client_id)
  673. assert len(res) == 0
  675. with pytest.raises(KeycloakPostError) as err:
  676. admin.add_mapper_to_client(client_id="does-not-exist", payload=dict())
  677. assert err.match('404: b\'{"error":"Could not find client"}\'')
  679. res = admin.add_mapper_to_client(
  680. client_id=client_id,
  681. payload={
  682. "name": "test-mapper",
  683. "protocol": "openid-connect",
  684. "protocolMapper": "oidc-usermodel-attribute-mapper",
  685. },
  686. )
  687. assert res == b""
  688. assert len(admin.get_mappers_from_client(client_id=client_id)) == 1
  690. mapper = admin.get_mappers_from_client(client_id=client_id)[0]
  691. with pytest.raises(KeycloakPutError) as err:
  692. admin.update_client_mapper(client_id=client_id, mapper_id="does-not-exist", payload=dict())
  693. assert err.match('404: b\'{"error":"Model not found"}\'')
  694. mapper["config"]["user.attribute"] = "test"
  695. res = admin.update_client_mapper(client_id=client_id, mapper_id=mapper["id"], payload=mapper)
  696. assert res == dict()
  698. res = admin.remove_client_mapper(client_id=client_id, client_mapper_id=mapper["id"])
  699. assert res == dict()
  700. with pytest.raises(KeycloakDeleteError) as err:
  701. admin.remove_client_mapper(client_id=client_id, client_mapper_id=mapper["id"])
  702. assert err.match('404: b\'{"error":"Model not found"}\'')
  704. # Test client sessions
  705. with pytest.raises(KeycloakGetError) as err:
  706. admin.get_client_all_sessions(client_id="does-not-exist")
  707. assert err.match('404: b\'{"error":"Could not find client"}\'')
  709. assert admin.get_client_all_sessions(client_id=client_id) == list()
  710. assert admin.get_client_sessions_stats() == list()
  712. # Test authz
  713. auth_client_id = admin.create_client(
  714. payload={
  715. "name": "authz-client",
  716. "clientId": "authz-client",
  717. "authorizationServicesEnabled": True,
  718. "serviceAccountsEnabled": True,
  719. }
  720. )
  721. res = admin.get_client_authz_settings(client_id=auth_client_id)
  722. assert res["allowRemoteResourceManagement"]
  723. assert res["decisionStrategy"] == "UNANIMOUS"
  724. assert len(res["policies"]) >= 0
  726. with pytest.raises(KeycloakGetError) as err:
  727. admin.get_client_authz_settings(client_id=client_id)
  728. assert err.match('500: b\'{"error":"HTTP 500 Internal Server Error"}\'')
  730. # Authz resources
  731. res = admin.get_client_authz_resources(client_id=auth_client_id)
  732. assert len(res) == 1
  733. assert res[0]["name"] == "Default Resource"
  735. with pytest.raises(KeycloakGetError) as err:
  736. admin.get_client_authz_resources(client_id=client_id)
  737. assert err.match('500: b\'{"error":"unknown_error"}\'')
  739. res = admin.create_client_authz_resource(
  740. client_id=auth_client_id, payload={"name": "test-resource"}
  741. )
  742. assert res["name"] == "test-resource", res
  743. test_resource_id = res["_id"]
  745. with pytest.raises(KeycloakPostError) as err:
  746. admin.create_client_authz_resource(
  747. client_id=auth_client_id, payload={"name": "test-resource"}
  748. )
  749. assert err.match('409: b\'{"error":"invalid_request"')
  750. assert admin.create_client_authz_resource(
  751. client_id=auth_client_id, payload={"name": "test-resource"}, skip_exists=True
  752. ) == {"msg": "Already exists"}
  754. res = admin.get_client_authz_resources(client_id=auth_client_id)
  755. assert len(res) == 2
  756. assert {x["name"] for x in res} == {"Default Resource", "test-resource"}
  758. # Authz policies
  759. res = admin.get_client_authz_policies(client_id=auth_client_id)
  760. assert len(res) == 1, res
  761. assert res[0]["name"] == "Default Policy"
  762. assert len(admin.get_client_authz_policies(client_id=client_id)) == 1
  764. with pytest.raises(KeycloakGetError) as err:
  765. admin.get_client_authz_policies(client_id="does-not-exist")
  766. assert err.match('404: b\'{"error":"Could not find client"}\'')
  768. role_id = admin.get_realm_role(role_name="offline_access")["id"]
  769. res = admin.create_client_authz_role_based_policy(
  770. client_id=auth_client_id,
  771. payload={"name": "test-authz-rb-policy", "roles": [{"id": role_id}]},
  772. )
  773. assert res["name"] == "test-authz-rb-policy", res
  775. with pytest.raises(KeycloakPostError) as err:
  776. admin.create_client_authz_role_based_policy(
  777. client_id=auth_client_id,
  778. payload={"name": "test-authz-rb-policy", "roles": [{"id": role_id}]},
  779. )
  780. assert err.match('409: b\'{"error":"Policy with name')
  781. assert admin.create_client_authz_role_based_policy(
  782. client_id=auth_client_id,
  783. payload={"name": "test-authz-rb-policy", "roles": [{"id": role_id}]},
  784. skip_exists=True,
  785. ) == {"msg": "Already exists"}
  786. assert len(admin.get_client_authz_policies(client_id=auth_client_id)) == 2
  788. # Test authz permissions
  789. res = admin.get_client_authz_permissions(client_id=auth_client_id)
  790. assert len(res) == 1, res
  791. assert res[0]["name"] == "Default Permission"
  792. assert len(admin.get_client_authz_permissions(client_id=client_id)) == 1
  794. with pytest.raises(KeycloakGetError) as err:
  795. admin.get_client_authz_permissions(client_id="does-not-exist")
  796. assert err.match('404: b\'{"error":"Could not find client"}\'')
  798. res = admin.create_client_authz_resource_based_permission(
  799. client_id=auth_client_id,
  800. payload={"name": "test-permission-rb", "resources": [test_resource_id]},
  801. )
  802. assert res, res
  803. assert res["name"] == "test-permission-rb"
  804. assert res["resources"] == [test_resource_id]
  806. with pytest.raises(KeycloakPostError) as err:
  807. admin.create_client_authz_resource_based_permission(
  808. client_id=auth_client_id,
  809. payload={"name": "test-permission-rb", "resources": [test_resource_id]},
  810. )
  811. assert err.match('409: b\'{"error":"Policy with name')
  812. assert admin.create_client_authz_resource_based_permission(
  813. client_id=auth_client_id,
  814. payload={"name": "test-permission-rb", "resources": [test_resource_id]},
  815. skip_exists=True,
  816. ) == {"msg": "Already exists"}
  817. assert len(admin.get_client_authz_permissions(client_id=auth_client_id)) == 2
  819. # Test authz scopes
  820. res = admin.get_client_authz_scopes(client_id=auth_client_id)
  821. assert len(res) == 0, res
  823. with pytest.raises(KeycloakGetError) as err:
  824. admin.get_client_authz_scopes(client_id=client_id)
  825. assert err.match('500: b\'{"error":"unknown_error"}\'')
  827. # Test service account user
  828. res = admin.get_client_service_account_user(client_id=auth_client_id)
  829. assert res["username"] == "service-account-authz-client", res
  831. with pytest.raises(KeycloakGetError) as err:
  832. admin.get_client_service_account_user(client_id=client_id)
  833. assert err.match('400: b\'{"error":"unknown_error"}\'')
  835. # Test delete client
  836. res = admin.delete_client(client_id=auth_client_id)
  837. assert res == dict(), res
  838. with pytest.raises(KeycloakDeleteError) as err:
  839. admin.delete_client(client_id=auth_client_id)
  840. assert err.match('404: b\'{"error":"Could not find client"}\'')
  842. # Test client credentials
  843. admin.create_client(
  844. payload={
  845. "name": "test-confidential",
  846. "enabled": True,
  847. "protocol": "openid-connect",
  848. "publicClient": False,
  849. "redirectUris": ["http://localhost/*"],
  850. "webOrigins": ["+"],
  851. "clientId": "test-confidential",
  852. "secret": "test-secret",
  853. "clientAuthenticatorType": "client-secret",
  854. }
  855. )
  856. with pytest.raises(KeycloakGetError) as err:
  857. admin.get_client_secrets(client_id="does-not-exist")
  858. assert err.match('404: b\'{"error":"Could not find client"}\'')
  860. secrets = admin.get_client_secrets(
  861. client_id=admin.get_client_id(client_id="test-confidential")
  862. )
  863. assert secrets == {"type": "secret", "value": "test-secret"}
  865. with pytest.raises(KeycloakPostError) as err:
  866. admin.generate_client_secrets(client_id="does-not-exist")
  867. assert err.match('404: b\'{"error":"Could not find client"}\'')
  869. res = admin.generate_client_secrets(
  870. client_id=admin.get_client_id(client_id="test-confidential")
  871. )
  872. assert res
  873. assert (
  874. admin.get_client_secrets(client_id=admin.get_client_id(client_id="test-confidential"))
  875. == res
  876. )
  879. def test_realm_roles(admin: KeycloakAdmin, realm: str):
  880. """Test realm roles."""
  881. admin.realm_name = realm
  883. # Test get realm roles
  884. roles = admin.get_realm_roles()
  885. assert len(roles) == 3, roles
  886. role_names = [x["name"] for x in roles]
  887. assert "uma_authorization" in role_names, role_names
  888. assert "offline_access" in role_names, role_names
  890. # Test empty members
  891. with pytest.raises(KeycloakGetError) as err:
  892. admin.get_realm_role_members(role_name="does-not-exist")
  893. assert err.match('404: b\'{"error":"Could not find role"}\'')
  894. members = admin.get_realm_role_members(role_name="offline_access")
  895. assert members == list(), members
  897. # Test create realm role
  898. role_id = admin.create_realm_role(payload={"name": "test-realm-role"}, skip_exists=True)
  899. assert role_id, role_id
  900. with pytest.raises(KeycloakPostError) as err:
  901. admin.create_realm_role(payload={"name": "test-realm-role"})
  902. assert err.match('409: b\'{"errorMessage":"Role with name test-realm-role already exists"}\'')
  903. role_id_2 = admin.create_realm_role(payload={"name": "test-realm-role"}, skip_exists=True)
  904. assert role_id == role_id_2
  906. # Test update realm role
  907. res = admin.update_realm_role(
  908. role_name="test-realm-role", payload={"name": "test-realm-role-update"}
  909. )
  910. assert res == dict(), res
  911. with pytest.raises(KeycloakPutError) as err:
  912. admin.update_realm_role(
  913. role_name="test-realm-role", payload={"name": "test-realm-role-update"}
  914. )
  915. assert err.match('404: b\'{"error":"Could not find role"}\''), err
  917. # Test realm role user assignment
  918. user_id = admin.create_user(payload={"username": "role-testing", "email": "test@test.test"})
  919. with pytest.raises(KeycloakPostError) as err:
  920. admin.assign_realm_roles(user_id=user_id, roles=["bad"])
  921. assert err.match('500: b\'{"error":"unknown_error"}\'')
  922. res = admin.assign_realm_roles(
  923. user_id=user_id,
  924. roles=[
  925. admin.get_realm_role(role_name="offline_access"),
  926. admin.get_realm_role(role_name="test-realm-role-update"),
  927. ],
  928. )
  929. assert res == dict(), res
  930. assert admin.get_user(user_id=user_id)["username"] in [
  931. x["username"] for x in admin.get_realm_role_members(role_name="offline_access")
  932. ]
  933. assert admin.get_user(user_id=user_id)["username"] in [
  934. x["username"] for x in admin.get_realm_role_members(role_name="test-realm-role-update")
  935. ]
  937. roles = admin.get_realm_roles_of_user(user_id=user_id)
  938. assert len(roles) == 3
  939. assert "offline_access" in [x["name"] for x in roles]
  940. assert "test-realm-role-update" in [x["name"] for x in roles]
  942. with pytest.raises(KeycloakDeleteError) as err:
  943. admin.delete_realm_roles_of_user(user_id=user_id, roles=["bad"])
  944. assert err.match('500: b\'{"error":"unknown_error"}\'')
  945. res = admin.delete_realm_roles_of_user(
  946. user_id=user_id, roles=[admin.get_realm_role(role_name="offline_access")]
  947. )
  948. assert res == dict(), res
  949. assert admin.get_realm_role_members(role_name="offline_access") == list()
  950. roles = admin.get_realm_roles_of_user(user_id=user_id)
  951. assert len(roles) == 2
  952. assert "offline_access" not in [x["name"] for x in roles]
  953. assert "test-realm-role-update" in [x["name"] for x in roles]
  955. roles = admin.get_available_realm_roles_of_user(user_id=user_id)
  956. assert len(roles) == 2
  957. assert "offline_access" in [x["name"] for x in roles]
  958. assert "uma_authorization" in [x["name"] for x in roles]
  960. # Test realm role group assignment
  961. group_id = admin.create_group(payload={"name": "test-group"})
  962. with pytest.raises(KeycloakPostError) as err:
  963. admin.assign_group_realm_roles(group_id=group_id, roles=["bad"])
  964. assert err.match('500: b\'{"error":"unknown_error"}\'')
  965. res = admin.assign_group_realm_roles(
  966. group_id=group_id,
  967. roles=[
  968. admin.get_realm_role(role_name="offline_access"),
  969. admin.get_realm_role(role_name="test-realm-role-update"),
  970. ],
  971. )
  972. assert res == dict(), res
  974. roles = admin.get_group_realm_roles(group_id=group_id)
  975. assert len(roles) == 2
  976. assert "offline_access" in [x["name"] for x in roles]
  977. assert "test-realm-role-update" in [x["name"] for x in roles]
  979. with pytest.raises(KeycloakDeleteError) as err:
  980. admin.delete_group_realm_roles(group_id=group_id, roles=["bad"])
  981. assert err.match('500: b\'{"error":"unknown_error"}\'')
  982. res = admin.delete_group_realm_roles(
  983. group_id=group_id, roles=[admin.get_realm_role(role_name="offline_access")]
  984. )
  985. assert res == dict(), res
  986. roles = admin.get_group_realm_roles(group_id=group_id)
  987. assert len(roles) == 1
  988. assert "test-realm-role-update" in [x["name"] for x in roles]
  990. # Test composite realm roles
  991. composite_role = admin.create_realm_role(payload={"name": "test-composite-role"})
  992. with pytest.raises(KeycloakPostError) as err:
  993. admin.add_composite_realm_roles_to_role(role_name=composite_role, roles=["bad"])
  994. assert err.match('500: b\'{"error":"unknown_error"}\'')
  995. res = admin.add_composite_realm_roles_to_role(
  996. role_name=composite_role, roles=[admin.get_realm_role(role_name="test-realm-role-update")]
  997. )
  998. assert res == dict(), res
  1000. res = admin.get_composite_realm_roles_of_role(role_name=composite_role)
  1001. assert len(res) == 1
  1002. assert "test-realm-role-update" in res[0]["name"]
  1003. with pytest.raises(KeycloakGetError) as err:
  1004. admin.get_composite_realm_roles_of_role(role_name="bad")
  1005. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1007. res = admin.get_composite_realm_roles_of_user(user_id=user_id)
  1008. assert len(res) == 4
  1009. assert "offline_access" in {x["name"] for x in res}
  1010. assert "test-realm-role-update" in {x["name"] for x in res}
  1011. assert "uma_authorization" in {x["name"] for x in res}
  1012. with pytest.raises(KeycloakGetError) as err:
  1013. admin.get_composite_realm_roles_of_user(user_id="bad")
  1014. assert err.match('404: b\'{"error":"User not found"}\'')
  1016. with pytest.raises(KeycloakDeleteError) as err:
  1017. admin.remove_composite_realm_roles_to_role(role_name=composite_role, roles=["bad"])
  1018. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1019. res = admin.remove_composite_realm_roles_to_role(
  1020. role_name=composite_role, roles=[admin.get_realm_role(role_name="test-realm-role-update")]
  1021. )
  1022. assert res == dict(), res
  1024. res = admin.get_composite_realm_roles_of_role(role_name=composite_role)
  1025. assert len(res) == 0
  1027. # Test delete realm role
  1028. res = admin.delete_realm_role(role_name=composite_role)
  1029. assert res == dict(), res
  1030. with pytest.raises(KeycloakDeleteError) as err:
  1031. admin.delete_realm_role(role_name=composite_role)
  1032. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1035. def test_client_roles(admin: KeycloakAdmin, client: str):
  1036. """Test client roles."""
  1037. # Test get client roles
  1038. res = admin.get_client_roles(client_id=client)
  1039. assert len(res) == 0
  1040. with pytest.raises(KeycloakGetError) as err:
  1041. admin.get_client_roles(client_id="bad")
  1042. assert err.match('404: b\'{"error":"Could not find client"}\'')
  1044. # Test create client role
  1045. client_role_id = admin.create_client_role(
  1046. client_role_id=client, payload={"name": "client-role-test"}, skip_exists=True
  1047. )
  1048. with pytest.raises(KeycloakPostError) as err:
  1049. admin.create_client_role(client_role_id=client, payload={"name": "client-role-test"})
  1050. assert err.match('409: b\'{"errorMessage":"Role with name client-role-test already exists"}\'')
  1051. client_role_id_2 = admin.create_client_role(
  1052. client_role_id=client, payload={"name": "client-role-test"}, skip_exists=True
  1053. )
  1054. assert client_role_id == client_role_id_2
  1056. # Test get client role
  1057. res = admin.get_client_role(client_id=client, role_name="client-role-test")
  1058. assert res["name"] == client_role_id
  1059. with pytest.raises(KeycloakGetError) as err:
  1060. admin.get_client_role(client_id=client, role_name="bad")
  1061. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1063. res_ = admin.get_client_role_id(client_id=client, role_name="client-role-test")
  1064. assert res_ == res["id"]
  1065. with pytest.raises(KeycloakGetError) as err:
  1066. admin.get_client_role_id(client_id=client, role_name="bad")
  1067. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1068. assert len(admin.get_client_roles(client_id=client)) == 1
  1070. # Test update client role
  1071. res = admin.update_client_role(
  1072. client_role_id=client,
  1073. role_name="client-role-test",
  1074. payload={"name": "client-role-test-update"},
  1075. )
  1076. assert res == dict()
  1077. with pytest.raises(KeycloakPutError) as err:
  1078. res = admin.update_client_role(
  1079. client_role_id=client,
  1080. role_name="client-role-test",
  1081. payload={"name": "client-role-test-update"},
  1082. )
  1083. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1085. # Test user with client role
  1086. res = admin.get_client_role_members(client_id=client, role_name="client-role-test-update")
  1087. assert len(res) == 0
  1088. with pytest.raises(KeycloakGetError) as err:
  1089. admin.get_client_role_members(client_id=client, role_name="bad")
  1090. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1092. user_id = admin.create_user(payload={"username": "test", "email": "test@test.test"})
  1093. with pytest.raises(KeycloakPostError) as err:
  1094. admin.assign_client_role(user_id=user_id, client_id=client, roles=["bad"])
  1095. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1096. res = admin.assign_client_role(
  1097. user_id=user_id,
  1098. client_id=client,
  1099. roles=[admin.get_client_role(client_id=client, role_name="client-role-test-update")],
  1100. )
  1101. assert res == dict()
  1102. assert (
  1103. len(admin.get_client_role_members(client_id=client, role_name="client-role-test-update"))
  1104. == 1
  1105. )
  1107. roles = admin.get_client_roles_of_user(user_id=user_id, client_id=client)
  1108. assert len(roles) == 1, roles
  1109. with pytest.raises(KeycloakGetError) as err:
  1110. admin.get_client_roles_of_user(user_id=user_id, client_id="bad")
  1111. assert err.match('404: b\'{"error":"Client not found"}\'')
  1113. roles = admin.get_composite_client_roles_of_user(user_id=user_id, client_id=client)
  1114. assert len(roles) == 1, roles
  1115. with pytest.raises(KeycloakGetError) as err:
  1116. admin.get_composite_client_roles_of_user(user_id=user_id, client_id="bad")
  1117. assert err.match('404: b\'{"error":"Client not found"}\'')
  1119. roles = admin.get_available_client_roles_of_user(user_id=user_id, client_id=client)
  1120. assert len(roles) == 0, roles
  1121. with pytest.raises(KeycloakGetError) as err:
  1122. admin.get_composite_client_roles_of_user(user_id=user_id, client_id="bad")
  1123. assert err.match('404: b\'{"error":"Client not found"}\'')
  1125. with pytest.raises(KeycloakDeleteError) as err:
  1126. admin.delete_client_roles_of_user(user_id=user_id, client_id=client, roles=["bad"])
  1127. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1128. admin.delete_client_roles_of_user(
  1129. user_id=user_id,
  1130. client_id=client,
  1131. roles=[admin.get_client_role(client_id=client, role_name="client-role-test-update")],
  1132. )
  1133. assert len(admin.get_client_roles_of_user(user_id=user_id, client_id=client)) == 0
  1135. # Test groups and client roles
  1136. res = admin.get_client_role_groups(client_id=client, role_name="client-role-test-update")
  1137. assert len(res) == 0
  1138. with pytest.raises(KeycloakGetError) as err:
  1139. admin.get_client_role_groups(client_id=client, role_name="bad")
  1140. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1142. group_id = admin.create_group(payload={"name": "test-group"})
  1143. res = admin.get_group_client_roles(group_id=group_id, client_id=client)
  1144. assert len(res) == 0
  1145. with pytest.raises(KeycloakGetError) as err:
  1146. admin.get_group_client_roles(group_id=group_id, client_id="bad")
  1147. assert err.match('404: b\'{"error":"Client not found"}\'')
  1149. with pytest.raises(KeycloakPostError) as err:
  1150. admin.assign_group_client_roles(group_id=group_id, client_id=client, roles=["bad"])
  1151. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1152. res = admin.assign_group_client_roles(
  1153. group_id=group_id,
  1154. client_id=client,
  1155. roles=[admin.get_client_role(client_id=client, role_name="client-role-test-update")],
  1156. )
  1157. assert res == dict()
  1158. assert (
  1159. len(admin.get_client_role_groups(client_id=client, role_name="client-role-test-update"))
  1160. == 1
  1161. )
  1162. assert len(admin.get_group_client_roles(group_id=group_id, client_id=client)) == 1
  1164. with pytest.raises(KeycloakDeleteError) as err:
  1165. admin.delete_group_client_roles(group_id=group_id, client_id=client, roles=["bad"])
  1166. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1167. res = admin.delete_group_client_roles(
  1168. group_id=group_id,
  1169. client_id=client,
  1170. roles=[admin.get_client_role(client_id=client, role_name="client-role-test-update")],
  1171. )
  1172. assert res == dict()
  1174. # Test composite client roles
  1175. with pytest.raises(KeycloakPostError) as err:
  1176. admin.add_composite_client_roles_to_role(
  1177. client_role_id=client, role_name="client-role-test-update", roles=["bad"]
  1178. )
  1179. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1180. res = admin.add_composite_client_roles_to_role(
  1181. client_role_id=client,
  1182. role_name="client-role-test-update",
  1183. roles=[admin.get_realm_role(role_name="offline_access")],
  1184. )
  1185. assert res == dict()
  1186. assert admin.get_client_role(client_id=client, role_name="client-role-test-update")[
  1187. "composite"
  1188. ]
  1190. # Test delete of client role
  1191. res = admin.delete_client_role(client_role_id=client, role_name="client-role-test-update")
  1192. assert res == dict()
  1193. with pytest.raises(KeycloakDeleteError) as err:
  1194. admin.delete_client_role(client_role_id=client, role_name="client-role-test-update")
  1195. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1198. def test_enable_token_exchange(admin: KeycloakAdmin, realm: str):
  1199. """Test enable token exchange."""
  1200. # Test enabling token exchange between two confidential clients
  1201. admin.realm_name = realm
  1203. # Create test clients
  1204. source_client_id = admin.create_client(
  1205. payload={"name": "Source Client", "clientId": "source-client"}
  1206. )
  1207. target_client_id = admin.create_client(
  1208. payload={"name": "Target Client", "clientId": "target-client"}
  1209. )
  1210. for c in admin.get_clients():
  1211. if c["clientId"] == "realm-management":
  1212. realm_management_id = c["id"]
  1213. break
  1214. else:
  1215. raise AssertionError("Missing realm management client")
  1217. # Enable permissions on the Superset client
  1218. admin.update_client_management_permissions(
  1219. payload={"enabled": True}, client_id=target_client_id
  1220. )
  1222. # Fetch various IDs and strings needed when creating the permission
  1223. token_exchange_permission_id = admin.get_client_management_permissions(
  1224. client_id=target_client_id
  1225. )["scopePermissions"]["token-exchange"]
  1226. scopes = admin.get_client_authz_policy_scopes(
  1227. client_id=realm_management_id, policy_id=token_exchange_permission_id
  1228. )
  1230. for s in scopes:
  1231. if s["name"] == "token-exchange":
  1232. token_exchange_scope_id = s["id"]
  1233. break
  1234. else:
  1235. raise AssertionError("Missing token-exchange scope")
  1237. resources = admin.get_client_authz_policy_resources(
  1238. client_id=realm_management_id, policy_id=token_exchange_permission_id
  1239. )
  1240. for r in resources:
  1241. if r["name"] == f"client.resource.{target_client_id}":
  1242. token_exchange_resource_id = r["_id"]
  1243. break
  1244. else:
  1245. raise AssertionError("Missing client resource")
  1247. # Create a client policy for source client
  1248. policy_name = "Exchange source client token with target client token"
  1249. client_policy_id = admin.create_client_authz_client_policy(
  1250. payload={
  1251. "type": "client",
  1252. "logic": "POSITIVE",
  1253. "decisionStrategy": "UNANIMOUS",
  1254. "name": policy_name,
  1255. "clients": [source_client_id],
  1256. },
  1257. client_id=realm_management_id,
  1258. )["id"]
  1259. policies = admin.get_client_authz_client_policies(client_id=realm_management_id)
  1260. for policy in policies:
  1261. if policy["name"] == policy_name:
  1262. assert policy["clients"] == [source_client_id]
  1263. break
  1264. else:
  1265. raise AssertionError("Missing client policy")
  1267. # Update permissions on the target client to reference this policy
  1268. permission_name = admin.get_client_authz_scope_permission(
  1269. client_id=realm_management_id, scope_id=token_exchange_permission_id
  1270. )["name"]
  1271. admin.update_client_authz_scope_permission(
  1272. payload={
  1273. "id": token_exchange_permission_id,
  1274. "name": permission_name,
  1275. "type": "scope",
  1276. "logic": "POSITIVE",
  1277. "decisionStrategy": "UNANIMOUS",
  1278. "resources": [token_exchange_resource_id],
  1279. "scopes": [token_exchange_scope_id],
  1280. "policies": [client_policy_id],
  1281. },
  1282. client_id=realm_management_id,
  1283. scope_id=token_exchange_permission_id,
  1284. )
  1287. def test_email(admin: KeycloakAdmin, user: str):
  1288. """Test email."""
  1289. # Emails will fail as we don't have SMTP test setup
  1290. with pytest.raises(KeycloakPutError) as err:
  1291. admin.send_update_account(user_id=user, payload=dict())
  1292. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1294. admin.update_user(user_id=user, payload={"enabled": True})
  1295. with pytest.raises(KeycloakPutError) as err:
  1296. admin.send_verify_email(user_id=user)
  1297. assert err.match('500: b\'{"errorMessage":"Failed to send execute actions email"}\'')
  1300. def test_get_sessions(admin: KeycloakAdmin):
  1301. """Test get sessions."""
  1302. sessions = admin.get_sessions(user_id=admin.get_user_id(username=admin.username))
  1303. assert len(sessions) >= 1
  1304. with pytest.raises(KeycloakGetError) as err:
  1305. admin.get_sessions(user_id="bad")
  1306. assert err.match('404: b\'{"error":"User not found"}\'')
  1309. def test_get_client_installation_provider(admin: KeycloakAdmin, client: str):
  1310. """Test get client installation provider."""
  1311. with pytest.raises(KeycloakGetError) as err:
  1312. admin.get_client_installation_provider(client_id=client, provider_id="bad")
  1313. assert err.match('404: b\'{"error":"Unknown Provider"}\'')
  1315. installation = admin.get_client_installation_provider(
  1316. client_id=client, provider_id="keycloak-oidc-keycloak-json"
  1317. )
  1318. assert set(installation.keys()) == {
  1319. "auth-server-url",
  1320. "confidential-port",
  1321. "credentials",
  1322. "realm",
  1323. "resource",
  1324. "ssl-required",
  1325. }
  1328. def test_auth_flows(admin: KeycloakAdmin, realm: str):
  1329. """Test auth flows."""
  1330. admin.realm_name = realm
  1332. res = admin.get_authentication_flows()
  1333. assert len(res) == 8, res
  1334. assert set(res[0].keys()) == {
  1335. "alias",
  1336. "authenticationExecutions",
  1337. "builtIn",
  1338. "description",
  1339. "id",
  1340. "providerId",
  1341. "topLevel",
  1342. }
  1343. assert {x["alias"] for x in res} == {
  1344. "reset credentials",
  1345. "browser",
  1346. "http challenge",
  1347. "registration",
  1348. "docker auth",
  1349. "direct grant",
  1350. "first broker login",
  1351. "clients",
  1352. }
  1354. with pytest.raises(KeycloakGetError) as err:
  1355. admin.get_authentication_flow_for_id(flow_id="bad")
  1356. assert err.match('404: b\'{"error":"Could not find flow with id"}\'')
  1357. browser_flow_id = [x for x in res if x["alias"] == "browser"][0]["id"]
  1358. res = admin.get_authentication_flow_for_id(flow_id=browser_flow_id)
  1359. assert res["alias"] == "browser"
  1361. # Test copying
  1362. with pytest.raises(KeycloakPostError) as err:
  1363. admin.copy_authentication_flow(payload=dict(), flow_alias="bad")
  1364. assert err.match("404: b''")
  1366. res = admin.copy_authentication_flow(payload={"newName": "test-browser"}, flow_alias="browser")
  1367. assert res == b"", res
  1368. assert len(admin.get_authentication_flows()) == 9
  1370. # Test create
  1371. res = admin.create_authentication_flow(
  1372. payload={"alias": "test-create", "providerId": "basic-flow"}
  1373. )
  1374. assert res == b""
  1375. with pytest.raises(KeycloakPostError) as err:
  1376. admin.create_authentication_flow(payload={"alias": "test-create", "builtIn": False})
  1377. assert err.match('409: b\'{"errorMessage":"Flow test-create already exists"}\'')
  1378. assert admin.create_authentication_flow(
  1379. payload={"alias": "test-create"}, skip_exists=True
  1380. ) == {"msg": "Already exists"}
  1382. # Test flow executions
  1383. res = admin.get_authentication_flow_executions(flow_alias="browser")
  1384. assert len(res) == 8, res
  1385. with pytest.raises(KeycloakGetError) as err:
  1386. admin.get_authentication_flow_executions(flow_alias="bad")
  1387. assert err.match("404: b''")
  1388. exec_id = res[0]["id"]
  1390. res = admin.get_authentication_flow_execution(execution_id=exec_id)
  1391. assert set(res.keys()) == {
  1392. "alternative",
  1393. "authenticator",
  1394. "authenticatorFlow",
  1395. "conditional",
  1396. "disabled",
  1397. "enabled",
  1398. "id",
  1399. "parentFlow",
  1400. "priority",
  1401. "required",
  1402. "requirement",
  1403. }, res
  1404. with pytest.raises(KeycloakGetError) as err:
  1405. admin.get_authentication_flow_execution(execution_id="bad")
  1406. assert err.match('404: b\'{"error":"Illegal execution"}\'')
  1408. with pytest.raises(KeycloakPostError) as err:
  1409. admin.create_authentication_flow_execution(payload=dict(), flow_alias="browser")
  1410. assert err.match('400: b\'{"error":"It is illegal to add execution to a built in flow"}\'')
  1412. res = admin.create_authentication_flow_execution(
  1413. payload={"provider": "auth-cookie"}, flow_alias="test-create"
  1414. )
  1415. assert res == b""
  1416. assert len(admin.get_authentication_flow_executions(flow_alias="test-create")) == 1
  1418. with pytest.raises(KeycloakPutError) as err:
  1419. admin.update_authentication_flow_executions(
  1420. payload={"required": "yes"}, flow_alias="test-create"
  1421. )
  1422. assert err.match('400: b\'{"error":"Unrecognized field')
  1423. payload = admin.get_authentication_flow_executions(flow_alias="test-create")[0]
  1424. payload["displayName"] = "test"
  1425. res = admin.update_authentication_flow_executions(payload=payload, flow_alias="test-create")
  1426. assert res
  1428. exec_id = admin.get_authentication_flow_executions(flow_alias="test-create")[0]["id"]
  1429. res = admin.delete_authentication_flow_execution(execution_id=exec_id)
  1430. assert res == dict()
  1431. with pytest.raises(KeycloakDeleteError) as err:
  1432. admin.delete_authentication_flow_execution(execution_id=exec_id)
  1433. assert err.match('404: b\'{"error":"Illegal execution"}\'')
  1435. # Test subflows
  1436. res = admin.create_authentication_flow_subflow(
  1437. payload={
  1438. "alias": "test-subflow",
  1439. "provider": "basic-flow",
  1440. "type": "something",
  1441. "description": "something",
  1442. },
  1443. flow_alias="test-browser",
  1444. )
  1445. assert res == b""
  1446. with pytest.raises(KeycloakPostError) as err:
  1447. admin.create_authentication_flow_subflow(
  1448. payload={"alias": "test-subflow", "providerId": "basic-flow"},
  1449. flow_alias="test-browser",
  1450. )
  1451. assert err.match('409: b\'{"errorMessage":"New flow alias name already exists"}\'')
  1452. res = admin.create_authentication_flow_subflow(
  1453. payload={
  1454. "alias": "test-subflow",
  1455. "provider": "basic-flow",
  1456. "type": "something",
  1457. "description": "something",
  1458. },
  1459. flow_alias="test-create",
  1460. skip_exists=True,
  1461. )
  1462. assert res == {"msg": "Already exists"}
  1464. # Test delete auth flow
  1465. flow_id = [x for x in admin.get_authentication_flows() if x["alias"] == "test-browser"][0][
  1466. "id"
  1467. ]
  1468. res = admin.delete_authentication_flow(flow_id=flow_id)
  1469. assert res == dict()
  1470. with pytest.raises(KeycloakDeleteError) as err:
  1471. admin.delete_authentication_flow(flow_id=flow_id)
  1472. assert err.match('404: b\'{"error":"Could not find flow with id"}\'')
  1475. def test_authentication_configs(admin: KeycloakAdmin, realm: str):
  1476. """Test authentication configs."""
  1477. admin.realm_name = realm
  1479. # Test list of auth providers
  1480. res = admin.get_authenticator_providers()
  1481. assert len(res) == 39
  1483. res = admin.get_authenticator_provider_config_description(provider_id="auth-cookie")
  1484. assert res == {
  1485. "helpText": "Validates the SSO cookie set by the auth server.",
  1486. "name": "Cookie",
  1487. "properties": [],
  1488. "providerId": "auth-cookie",
  1489. }
  1491. # Test authenticator config
  1492. # Currently unable to find a sustainable way to fetch the config id,
  1493. # therefore testing only failures
  1494. with pytest.raises(KeycloakGetError) as err:
  1495. admin.get_authenticator_config(config_id="bad")
  1496. assert err.match('404: b\'{"error":"Could not find authenticator config"}\'')
  1498. with pytest.raises(KeycloakPutError) as err:
  1499. admin.update_authenticator_config(payload=dict(), config_id="bad")
  1500. assert err.match('404: b\'{"error":"Could not find authenticator config"}\'')
  1502. with pytest.raises(KeycloakDeleteError) as err:
  1503. admin.delete_authenticator_config(config_id="bad")
  1504. assert err.match('404: b\'{"error":"Could not find authenticator config"}\'')
  1507. def test_sync_users(admin: KeycloakAdmin, realm: str):
  1508. """Test sync users."""
  1509. admin.realm_name = realm
  1511. # Only testing the error message
  1512. with pytest.raises(KeycloakPostError) as err:
  1513. admin.sync_users(storage_id="does-not-exist", action="triggerFullSync")
  1514. assert err.match('404: b\'{"error":"Could not find component"}\'')
  1517. def test_client_scopes(admin: KeycloakAdmin, realm: str):
  1518. """Test client scopes."""
  1519. admin.realm_name = realm
  1521. # Test get client scopes
  1522. res = admin.get_client_scopes()
  1523. scope_names = {x["name"] for x in res}
  1524. assert len(res) == 10
  1525. assert "email" in scope_names
  1526. assert "profile" in scope_names
  1527. assert "offline_access" in scope_names
  1529. with pytest.raises(KeycloakGetError) as err:
  1530. admin.get_client_scope(client_scope_id="does-not-exist")
  1531. assert err.match('404: b\'{"error":"Could not find client scope"}\'')
  1533. scope = admin.get_client_scope(client_scope_id=res[0]["id"])
  1534. assert res[0] == scope
  1536. scope = admin.get_client_scope_by_name(client_scope_name=res[0]["name"])
  1537. assert res[0] == scope
  1539. # Test create client scope
  1540. res = admin.create_client_scope(payload={"name": "test-scope"}, skip_exists=True)
  1541. assert res
  1542. res2 = admin.create_client_scope(payload={"name": "test-scope"}, skip_exists=True)
  1543. assert res == res2
  1544. with pytest.raises(KeycloakPostError) as err:
  1545. admin.create_client_scope(payload={"name": "test-scope"}, skip_exists=False)
  1546. assert err.match('409: b\'{"errorMessage":"Client Scope test-scope already exists"}\'')
  1548. # Test update client scope
  1549. with pytest.raises(KeycloakPutError) as err:
  1550. admin.update_client_scope(client_scope_id="does-not-exist", payload=dict())
  1551. assert err.match('404: b\'{"error":"Could not find client scope"}\'')
  1553. res_update = admin.update_client_scope(
  1554. client_scope_id=res, payload={"name": "test-scope-update"}
  1555. )
  1556. assert res_update == dict()
  1557. admin.get_client_scope(client_scope_id=res)["name"] == "test-scope-update"
  1559. # Test get mappers
  1560. mappers = admin.get_mappers_from_client_scope(client_scope_id=res)
  1561. assert mappers == list()
  1563. # Test add mapper
  1564. with pytest.raises(KeycloakPostError) as err:
  1565. admin.add_mapper_to_client_scope(client_scope_id=res, payload=dict())
  1566. assert err.match('404: b\'{"error":"ProtocolMapper provider not found"}\'')
  1568. res_add = admin.add_mapper_to_client_scope(
  1569. client_scope_id=res,
  1570. payload={
  1571. "name": "test-mapper",
  1572. "protocol": "openid-connect",
  1573. "protocolMapper": "oidc-usermodel-attribute-mapper",
  1574. },
  1575. )
  1576. assert res_add == b""
  1577. assert len(admin.get_mappers_from_client_scope(client_scope_id=res)) == 1
  1579. # Test update mapper
  1580. test_mapper = admin.get_mappers_from_client_scope(client_scope_id=res)[0]
  1581. with pytest.raises(KeycloakPutError) as err:
  1582. admin.update_mapper_in_client_scope(
  1583. client_scope_id="does-not-exist", protocol_mapper_id=test_mapper["id"], payload=dict()
  1584. )
  1585. assert err.match('404: b\'{"error":"Could not find client scope"}\'')
  1586. test_mapper["config"]["user.attribute"] = "test"
  1587. res_update = admin.update_mapper_in_client_scope(
  1588. client_scope_id=res, protocol_mapper_id=test_mapper["id"], payload=test_mapper
  1589. )
  1590. assert res_update == dict()
  1591. assert (
  1592. admin.get_mappers_from_client_scope(client_scope_id=res)[0]["config"]["user.attribute"]
  1593. == "test"
  1594. )
  1596. # Test delete mapper
  1597. res_del = admin.delete_mapper_from_client_scope(
  1598. client_scope_id=res, protocol_mapper_id=test_mapper["id"]
  1599. )
  1600. assert res_del == dict()
  1601. with pytest.raises(KeycloakDeleteError) as err:
  1602. admin.delete_mapper_from_client_scope(
  1603. client_scope_id=res, protocol_mapper_id=test_mapper["id"]
  1604. )
  1605. assert err.match('404: b\'{"error":"Model not found"}\'')
  1607. # Test default default scopes
  1608. res_defaults = admin.get_default_default_client_scopes()
  1609. assert len(res_defaults) == 6
  1611. with pytest.raises(KeycloakPutError) as err:
  1612. admin.add_default_default_client_scope(scope_id="does-not-exist")
  1613. assert err.match('404: b\'{"error":"Client scope not found"}\'')
  1615. res_add = admin.add_default_default_client_scope(scope_id=res)
  1616. assert res_add == dict()
  1617. assert len(admin.get_default_default_client_scopes()) == 7
  1619. with pytest.raises(KeycloakDeleteError) as err:
  1620. admin.delete_default_default_client_scope(scope_id="does-not-exist")
  1621. assert err.match('404: b\'{"error":"Client scope not found"}\'')
  1623. res_del = admin.delete_default_default_client_scope(scope_id=res)
  1624. assert res_del == dict()
  1625. assert len(admin.get_default_default_client_scopes()) == 6
  1627. # Test default optional scopes
  1628. res_defaults = admin.get_default_optional_client_scopes()
  1629. assert len(res_defaults) == 4
  1631. with pytest.raises(KeycloakPutError) as err:
  1632. admin.add_default_optional_client_scope(scope_id="does-not-exist")
  1633. assert err.match('404: b\'{"error":"Client scope not found"}\'')
  1635. res_add = admin.add_default_optional_client_scope(scope_id=res)
  1636. assert res_add == dict()
  1637. assert len(admin.get_default_optional_client_scopes()) == 5
  1639. with pytest.raises(KeycloakDeleteError) as err:
  1640. admin.delete_default_optional_client_scope(scope_id="does-not-exist")
  1641. assert err.match('404: b\'{"error":"Client scope not found"}\'')
  1643. res_del = admin.delete_default_optional_client_scope(scope_id=res)
  1644. assert res_del == dict()
  1645. assert len(admin.get_default_optional_client_scopes()) == 4
  1647. # Test client scope delete
  1648. res_del = admin.delete_client_scope(client_scope_id=res)
  1649. assert res_del == dict()
  1650. with pytest.raises(KeycloakDeleteError) as err:
  1651. admin.delete_client_scope(client_scope_id=res)
  1652. assert err.match('404: b\'{"error":"Could not find client scope"}\'')
  1655. def test_components(admin: KeycloakAdmin, realm: str):
  1656. """Test components."""
  1657. admin.realm_name = realm
  1659. # Test get components
  1660. res = admin.get_components()
  1661. assert len(res) == 12
  1663. with pytest.raises(KeycloakGetError) as err:
  1664. admin.get_component(component_id="does-not-exist")
  1665. assert err.match('404: b\'{"error":"Could not find component"}\'')
  1667. res_get = admin.get_component(component_id=res[0]["id"])
  1668. assert res_get == res[0]
  1670. # Test create component
  1671. with pytest.raises(KeycloakPostError) as err:
  1672. admin.create_component(payload={"bad": "dict"})
  1673. assert err.match('400: b\'{"error":"Unrecognized field')
  1675. res = admin.create_component(
  1676. payload={
  1677. "name": "Test Component",
  1678. "providerId": "max-clients",
  1679. "providerType": "org.keycloak.services.clientregistration."
  1680. + "policy.ClientRegistrationPolicy",
  1681. "config": {"max-clients": ["1000"]},
  1682. }
  1683. )
  1684. assert res
  1685. assert admin.get_component(component_id=res)["name"] == "Test Component"
  1687. # Test update component
  1688. component = admin.get_component(component_id=res)
  1689. component["name"] = "Test Component Update"
  1691. with pytest.raises(KeycloakPutError) as err:
  1692. admin.update_component(component_id="does-not-exist", payload=dict())
  1693. assert err.match('404: b\'{"error":"Could not find component"}\'')
  1694. res_upd = admin.update_component(component_id=res, payload=component)
  1695. assert res_upd == dict()
  1696. assert admin.get_component(component_id=res)["name"] == "Test Component Update"
  1698. # Test delete component
  1699. res_del = admin.delete_component(component_id=res)
  1700. assert res_del == dict()
  1701. with pytest.raises(KeycloakDeleteError) as err:
  1702. admin.delete_component(component_id=res)
  1703. assert err.match('404: b\'{"error":"Could not find component"}\'')
  1706. def test_keys(admin: KeycloakAdmin, realm: str):
  1707. """Test keys."""
  1708. admin.realm_name = realm
  1709. assert set(admin.get_keys()["active"].keys()) == {"AES", "HS256", "RS256", "RSA-OAEP"}
  1710. assert {k["algorithm"] for k in admin.get_keys()["keys"]} == {
  1711. "HS256",
  1712. "RSA-OAEP",
  1713. "AES",
  1714. "RS256",
  1715. }
  1718. def test_events(admin: KeycloakAdmin, realm: str):
  1719. """Test events."""
  1720. admin.realm_name = realm
  1722. events = admin.get_events()
  1723. assert events == list()
  1725. with pytest.raises(KeycloakPutError) as err:
  1726. admin.set_events(payload={"bad": "conf"})
  1727. assert err.match('400: b\'{"error":"Unrecognized field')
  1729. res = admin.set_events(payload={"adminEventsDetailsEnabled": True, "adminEventsEnabled": True})
  1730. assert res == dict()
  1732. admin.create_client(payload={"name": "test", "clientId": "test"})
  1734. events = admin.get_events()
  1735. assert events == list()
  1738. def test_auto_refresh(admin: KeycloakAdmin, realm: str):
  1739. """Test auto refresh token."""
  1740. # Test get refresh
  1741. admin.auto_refresh_token = list()
  1742. admin.connection = ConnectionManager(
  1743. base_url=admin.server_url,
  1744. headers={"Authorization": "Bearer bad", "Content-Type": "application/json"},
  1745. timeout=60,
  1746. verify=admin.verify,
  1747. )
  1749. with pytest.raises(KeycloakAuthenticationError) as err:
  1750. admin.get_realm(realm_name=realm)
  1751. assert err.match('401: b\'{"error":"HTTP 401 Unauthorized"}\'')
  1753. admin.auto_refresh_token = ["get"]
  1754. del admin.token["refresh_token"]
  1755. assert admin.get_realm(realm_name=realm)
  1757. # Test bad refresh token
  1758. admin.connection = ConnectionManager(
  1759. base_url=admin.server_url,
  1760. headers={"Authorization": "Bearer bad", "Content-Type": "application/json"},
  1761. timeout=60,
  1762. verify=admin.verify,
  1763. )
  1764. admin.token["refresh_token"] = "bad"
  1765. with pytest.raises(KeycloakPostError) as err:
  1766. admin.get_realm(realm_name="test-refresh")
  1767. assert err.match(
  1768. '400: b\'{"error":"invalid_grant","error_description":"Invalid refresh token"}\''
  1769. )
  1770. admin.realm_name = "master"
  1771. admin.get_token()
  1772. admin.realm_name = realm
  1774. # Test post refresh
  1775. admin.connection = ConnectionManager(
  1776. base_url=admin.server_url,
  1777. headers={"Authorization": "Bearer bad", "Content-Type": "application/json"},
  1778. timeout=60,
  1779. verify=admin.verify,
  1780. )
  1781. with pytest.raises(KeycloakAuthenticationError) as err:
  1782. admin.create_realm(payload={"realm": "test-refresh"})
  1783. assert err.match('401: b\'{"error":"HTTP 401 Unauthorized"}\'')
  1785. admin.auto_refresh_token = ["get", "post"]
  1786. admin.realm_name = "master"
  1787. admin.user_logout(user_id=admin.get_user_id(username=admin.username))
  1788. assert admin.create_realm(payload={"realm": "test-refresh"}) == b""
  1789. admin.realm_name = realm
  1791. # Test update refresh
  1792. admin.connection = ConnectionManager(
  1793. base_url=admin.server_url,
  1794. headers={"Authorization": "Bearer bad", "Content-Type": "application/json"},
  1795. timeout=60,
  1796. verify=admin.verify,
  1797. )
  1798. with pytest.raises(KeycloakAuthenticationError) as err:
  1799. admin.update_realm(realm_name="test-refresh", payload={"accountTheme": "test"})
  1800. assert err.match('401: b\'{"error":"HTTP 401 Unauthorized"}\'')
  1802. admin.auto_refresh_token = ["get", "post", "put"]
  1803. assert (
  1804. admin.update_realm(realm_name="test-refresh", payload={"accountTheme": "test"}) == dict()
  1805. )
  1807. # Test delete refresh
  1808. admin.connection = ConnectionManager(
  1809. base_url=admin.server_url,
  1810. headers={"Authorization": "Bearer bad", "Content-Type": "application/json"},
  1811. timeout=60,
  1812. verify=admin.verify,
  1813. )
  1814. with pytest.raises(KeycloakAuthenticationError) as err:
  1815. admin.delete_realm(realm_name="test-refresh")
  1816. assert err.match('401: b\'{"error":"HTTP 401 Unauthorized"}\'')
  1818. admin.auto_refresh_token = ["get", "post", "put", "delete"]
  1819. assert admin.delete_realm(realm_name="test-refresh") == dict()
  1822. def test_get_required_actions(admin: KeycloakAdmin, realm: str):
  1823. """Test requried actions."""
  1824. admin.realm_name = realm
  1825. ractions = admin.get_required_actions()
  1826. assert isinstance(ractions, list)
  1827. for ra in ractions:
  1828. for key in [
  1829. "alias",
  1830. "name",
  1831. "providerId",
  1832. "enabled",
  1833. "defaultAction",
  1834. "priority",
  1835. "config",
  1836. ]:
  1837. assert key in ra
  1840. def test_get_required_action_by_alias(admin: KeycloakAdmin, realm: str):
  1841. """Test get required action by alias."""
  1842. admin.realm_name = realm
  1843. ractions = admin.get_required_actions()
  1844. ra = admin.get_required_action_by_alias("UPDATE_PASSWORD")
  1845. assert ra in ractions
  1846. assert ra["alias"] == "UPDATE_PASSWORD"
  1847. assert admin.get_required_action_by_alias("does-not-exist") is None
  1850. def test_update_required_action(admin: KeycloakAdmin, realm: str):
  1851. """Test update required action."""
  1852. admin.realm_name = realm
  1853. ra = admin.get_required_action_by_alias("UPDATE_PASSWORD")
  1854. old = copy.deepcopy(ra)
  1855. ra["enabled"] = False
  1856. admin.update_required_action("UPDATE_PASSWORD", ra)
  1857. newra = admin.get_required_action_by_alias("UPDATE_PASSWORD")
  1858. assert old != newra
  1859. assert newra["enabled"] is False
  1862. def test_get_composite_client_roles_of_group(
  1863. admin: KeycloakAdmin, realm: str, client: str, group: str, composite_client_role: str
  1864. ):
  1865. """Test get composite client roles of group."""
  1866. admin.realm_name = realm
  1867. role = admin.get_client_role(client, composite_client_role)
  1868. admin.assign_group_client_roles(group_id=group, client_id=client, roles=[role])
  1869. result = admin.get_composite_client_roles_of_group(client, group)
  1870. assert role["id"] in [x["id"] for x in result]
  1873. def test_get_role_client_level_children(
  1874. admin: KeycloakAdmin, realm: str, client: str, composite_client_role: str, client_role: str
  1875. ):
  1876. """Test get children of composite client role."""
  1877. admin.realm_name = realm
  1878. child = admin.get_client_role(client, client_role)
  1879. parent = admin.get_client_role(client, composite_client_role)
  1880. res = admin.get_role_client_level_children(client, parent["id"])
  1881. assert child["id"] in [x["id"] for x in res]
  1884. def test_upload_certificate(admin: KeycloakAdmin, realm: str, client: str, selfsigned_cert: tuple):
  1885. """Test upload certificate."""
  1886. admin.realm_name = realm
  1887. cert, _ = selfsigned_cert
  1888. cert = cert.decode("utf-8").strip()
  1889. admin.upload_certificate(client, cert)
  1890. cl = admin.get_client(client)
  1891. assert cl["attributes"]["jwt.credential.certificate"] == "".join(cert.splitlines()[1:-1])