Mirror
/
python-keycloak
mirror of https://github.com/marcospereirampj/python-keycloak.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
670 Commits
16 Branches
109 Tags
19 MiB
Tree: 96d4f79282
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '96d4f79282'
${ noResults }
python-keycloak/tests/test_keycloak_admin.py

2287 lines
81 KiB
Raw Normal View History

style: fixed docstrings everywhere
2 years ago
fix: applied tox linting check
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: completed admin unit tests
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: completed admin unit tests
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
fix: allow query parameters for users count
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
feat: Add update_idp
2 years ago
feat: initial setup of CICD and linting
2 years ago
feat: Add get_idp_mappers, fix #329
2 years ago
feat: Add update_mapper_in_idp
2 years ago
feat: Add get_idp_mappers, fix #329
2 years ago
feat: Add update_mapper_in_idp
2 years ago
feat: Add get_idp_mappers, fix #329
2 years ago
feat: Add update_mapper_in_idp
2 years ago
feat: Add get_idp_mappers, fix #329
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: added missing tests for clients
2 years ago
test: completed admin unit tests
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: added missing tests for clients
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added missing tests for clients
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added missing tests for clients
2 years ago
fix: check client existence based on clientId Remove the necessity for supplying client name for create a new client request, also don't check existing clients based on client name as those can be duplicate BREAKING CHANGE: Renamed parameter client_name to client_id in get_client_id method Closes #351
2 years ago
test: added missing tests for clients
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: cover the cases with unit tests
2 years ago
feat: initial setup of CICD and linting
2 years ago
feat: added missing functionality to include attributes when returning realm roles according to specifications
2 years ago
chore: merge master into branch
2 years ago
feat: added missing functionality to include attributes when returning realm roles according to specifications
2 years ago
feat: add client scope-mappings realm roles operations
2 years ago
chore: merge master into branch
2 years ago
feat: add client scope-mappings realm roles operations
2 years ago
feat: add client scope-mappings client roles operations
2 years ago
chore: merge master into branch
2 years ago
feat: add client scope-mappings client roles operations
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: cover the cases with unit tests
2 years ago
feat: initial setup of CICD and linting
2 years ago
ci: add test case for token exchange setup
2 years ago
test: updated docstrings to pass checks
2 years ago
ci: add test case for token exchange setup
2 years ago
feat: Allow fetching existing policies before calling create_client_authz_client_policy()
2 years ago
ci: add test case for token exchange setup
2 years ago
feat: Allow fetching existing policies before calling create_client_authz_client_policy()
2 years ago
ci: add test case for token exchange setup
2 years ago
feat: Allow fetching existing policies before calling create_client_authz_client_policy()
2 years ago
ci: add test case for token exchange setup
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: initial setup of CICD and linting
2 years ago
test: test authenticator and configurations
2 years ago
test: updated docstrings to pass checks
2 years ago
test: test authenticator and configurations
2 years ago
test: fixed tests, updated dependencies
2 years ago
test: test authenticator and configurations
2 years ago
test: updated docstrings to pass checks
2 years ago
test: test authenticator and configurations
2 years ago
test: added tests for client scopes
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added tests for client scopes
2 years ago
feat: Add update_mapper_in_idp
2 years ago
test: added tests for client scopes
2 years ago
test: added components tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: added components tests
2 years ago
test: completed admin unit tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: completed admin unit tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: completed admin unit tests
2 years ago
test: updated docstrings to pass checks
2 years ago
test: completed admin unit tests
2 years ago
fix: raise correct exceptions
2 years ago
test: completed admin unit tests
2 years ago
feat: add unit tests
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: add unit tests
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
test: improved the tests on urls, back to 100%
2 years ago
feat: add unit tests
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
feat: add unit tests
2 years ago
test: updated docstrings to pass checks
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
feat: add unit tests
2 years ago
fix: applied tox linting check
2 years ago
  1. """Test the keycloak admin object."""
  3. import copy
  5. import pytest
  7. import keycloak
  8. from keycloak import KeycloakAdmin
  9. from keycloak.connection import ConnectionManager
  10. from keycloak.exceptions import (
  11. KeycloakAuthenticationError,
  12. KeycloakDeleteError,
  13. KeycloakGetError,
  14. KeycloakPostError,
  15. KeycloakPutError,
  16. )
  19. def test_keycloak_version():
  20. """Test version."""
  21. assert keycloak.__version__, keycloak.__version__
  24. def test_keycloak_admin_bad_init(env):
  25. """Test keycloak admin bad init.
  27. :param env: Environment fixture
  28. :type env: KeycloakTestEnv
  29. """
  30. with pytest.raises(TypeError) as err:
  31. KeycloakAdmin(
  32. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  33. username=env.KEYCLOAK_ADMIN,
  34. password=env.KEYCLOAK_ADMIN_PASSWORD,
  35. auto_refresh_token=1,
  36. )
  37. assert err.match("Expected a list of strings")
  39. with pytest.raises(TypeError) as err:
  40. KeycloakAdmin(
  41. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  42. username=env.KEYCLOAK_ADMIN,
  43. password=env.KEYCLOAK_ADMIN_PASSWORD,
  44. auto_refresh_token=["patch"],
  45. )
  46. assert err.match("Unexpected method in auto_refresh_token")
  49. def test_keycloak_admin_init(env):
  50. """Test keycloak admin init.
  52. :param env: Environment fixture
  53. :type env: KeycloakTestEnv
  54. """
  55. admin = KeycloakAdmin(
  56. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  57. username=env.KEYCLOAK_ADMIN,
  58. password=env.KEYCLOAK_ADMIN_PASSWORD,
  59. )
  60. assert admin.server_url == f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}", admin.server_url
  61. assert admin.realm_name == "master", admin.realm_name
  62. assert isinstance(admin.connection, ConnectionManager), type(admin.connection)
  63. assert admin.client_id == "admin-cli", admin.client_id
  64. assert admin.client_secret_key is None, admin.client_secret_key
  65. assert admin.verify, admin.verify
  66. assert admin.username == env.KEYCLOAK_ADMIN, admin.username
  67. assert admin.password == env.KEYCLOAK_ADMIN_PASSWORD, admin.password
  68. assert admin.totp is None, admin.totp
  69. assert admin.token is not None, admin.token
  70. assert admin.auto_refresh_token == list(), admin.auto_refresh_token
  71. assert admin.user_realm_name is None, admin.user_realm_name
  72. assert admin.custom_headers is None, admin.custom_headers
  73. assert admin.token
  75. admin = KeycloakAdmin(
  76. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  77. username=env.KEYCLOAK_ADMIN,
  78. password=env.KEYCLOAK_ADMIN_PASSWORD,
  79. realm_name=None,
  80. user_realm_name="master",
  81. )
  82. assert admin.token
  83. admin = KeycloakAdmin(
  84. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  85. username=env.KEYCLOAK_ADMIN,
  86. password=env.KEYCLOAK_ADMIN_PASSWORD,
  87. realm_name=None,
  88. user_realm_name=None,
  89. )
  90. assert admin.token
  92. admin.create_realm(payload={"realm": "authz", "enabled": True})
  93. admin.realm_name = "authz"
  94. admin.create_client(
  95. payload={
  96. "name": "authz-client",
  97. "clientId": "authz-client",
  98. "authorizationServicesEnabled": True,
  99. "serviceAccountsEnabled": True,
  100. "clientAuthenticatorType": "client-secret",
  101. "directAccessGrantsEnabled": False,
  102. "enabled": True,
  103. "implicitFlowEnabled": False,
  104. "publicClient": False,
  105. }
  106. )
  107. secret = admin.generate_client_secrets(client_id=admin.get_client_id("authz-client"))
  108. assert KeycloakAdmin(
  109. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  110. user_realm_name="authz",
  111. client_id="authz-client",
  112. client_secret_key=secret["value"],
  113. ).token
  114. admin.delete_realm(realm_name="authz")
  116. assert (
  117. KeycloakAdmin(
  118. server_url=f"http://{env.KEYCLOAK_HOST}:{env.KEYCLOAK_PORT}",
  119. username=None,
  120. password=None,
  121. client_secret_key=None,
  122. custom_headers={"custom": "header"},
  123. ).token
  124. is None
  125. )
  128. def test_realms(admin: KeycloakAdmin):
  129. """Test realms.
  131. :param admin: Keycloak Admin client
  132. :type admin: KeycloakAdmin
  133. """
  134. # Get realms
  135. realms = admin.get_realms()
  136. assert len(realms) == 1, realms
  137. assert "master" == realms[0]["realm"]
  139. # Create a test realm
  140. res = admin.create_realm(payload={"realm": "test"})
  141. assert res == b"", res
  143. # Create the same realm, should fail
  144. with pytest.raises(KeycloakPostError) as err:
  145. res = admin.create_realm(payload={"realm": "test"})
  146. assert err.match('409: b\'{"errorMessage":"Conflict detected. See logs for details"}\'')
  148. # Create the same realm, skip_exists true
  149. res = admin.create_realm(payload={"realm": "test"}, skip_exists=True)
  150. assert res == {"msg": "Already exists"}, res
  152. # Get a single realm
  153. res = admin.get_realm(realm_name="test")
  154. assert res["realm"] == "test"
  156. # Get non-existing realm
  157. with pytest.raises(KeycloakGetError) as err:
  158. admin.get_realm(realm_name="non-existent")
  159. assert err.match('404: b\'{"error":"Realm not found."}\'')
  161. # Update realm
  162. res = admin.update_realm(realm_name="test", payload={"accountTheme": "test"})
  163. assert res == dict(), res
  165. # Check that the update worked
  166. res = admin.get_realm(realm_name="test")
  167. assert res["realm"] == "test"
  168. assert res["accountTheme"] == "test"
  170. # Update wrong payload
  171. with pytest.raises(KeycloakPutError) as err:
  172. admin.update_realm(realm_name="test", payload={"wrong": "payload"})
  173. assert err.match('400: b\'{"error":"Unrecognized field')
  175. # Check that get realms returns both realms
  176. realms = admin.get_realms()
  177. realm_names = [x["realm"] for x in realms]
  178. assert len(realms) == 2, realms
  179. assert "master" in realm_names, realm_names
  180. assert "test" in realm_names, realm_names
  182. # Delete the realm
  183. res = admin.delete_realm(realm_name="test")
  184. assert res == dict(), res
  186. # Check that the realm does not exist anymore
  187. with pytest.raises(KeycloakGetError) as err:
  188. admin.get_realm(realm_name="test")
  189. assert err.match('404: b\'{"error":"Realm not found."}\'')
  191. # Delete non-existing realm
  192. with pytest.raises(KeycloakDeleteError) as err:
  193. admin.delete_realm(realm_name="non-existent")
  194. assert err.match('404: b\'{"error":"Realm not found."}\'')
  197. def test_import_export_realms(admin: KeycloakAdmin, realm: str):
  198. """Test import and export of realms.
  200. :param admin: Keycloak Admin client
  201. :type admin: KeycloakAdmin
  202. :param realm: Keycloak realm
  203. :type realm: str
  204. """
  205. admin.realm_name = realm
  207. realm_export = admin.export_realm(export_clients=True, export_groups_and_role=True)
  208. assert realm_export != dict(), realm_export
  210. admin.delete_realm(realm_name=realm)
  211. admin.realm_name = "master"
  212. res = admin.import_realm(payload=realm_export)
  213. assert res == b"", res
  215. # Test bad import
  216. with pytest.raises(KeycloakPostError) as err:
  217. admin.import_realm(payload=dict())
  218. assert err.match('500: b\'{"error":"unknown_error"}\'')
  221. def test_users(admin: KeycloakAdmin, realm: str):
  222. """Test users.
  224. :param admin: Keycloak Admin client
  225. :type admin: KeycloakAdmin
  226. :param realm: Keycloak realm
  227. :type realm: str
  228. """
  229. admin.realm_name = realm
  231. # Check no users present
  232. users = admin.get_users()
  233. assert users == list(), users
  235. # Test create user
  236. user_id = admin.create_user(payload={"username": "test", "email": "test@test.test"})
  237. assert user_id is not None, user_id
  239. # Test create the same user
  240. with pytest.raises(KeycloakPostError) as err:
  241. admin.create_user(payload={"username": "test", "email": "test@test.test"})
  242. assert err.match('409: b\'{"errorMessage":"User exists with same username"}\'')
  244. # Test create the same user, exists_ok true
  245. user_id_2 = admin.create_user(
  246. payload={"username": "test", "email": "test@test.test"}, exist_ok=True
  247. )
  248. assert user_id == user_id_2
  250. # Test get user
  251. user = admin.get_user(user_id=user_id)
  252. assert user["username"] == "test", user["username"]
  253. assert user["email"] == "test@test.test", user["email"]
  255. # Test update user
  256. res = admin.update_user(user_id=user_id, payload={"firstName": "Test"})
  257. assert res == dict(), res
  258. user = admin.get_user(user_id=user_id)
  259. assert user["firstName"] == "Test"
  261. # Test update user fail
  262. with pytest.raises(KeycloakPutError) as err:
  263. admin.update_user(user_id=user_id, payload={"wrong": "payload"})
  264. assert err.match('400: b\'{"error":"Unrecognized field')
  266. # Test get users again
  267. users = admin.get_users()
  268. usernames = [x["username"] for x in users]
  269. assert "test" in usernames
  271. # Test users counts
  272. count = admin.users_count()
  273. assert count == 1, count
  275. # Test users count with query
  276. count = admin.users_count(query={"username": "notpresent"})
  277. assert count == 0
  279. # Test user groups
  280. groups = admin.get_user_groups(user_id=user["id"])
  281. assert len(groups) == 0
  283. # Test user groups bad id
  284. with pytest.raises(KeycloakGetError) as err:
  285. admin.get_user_groups(user_id="does-not-exist")
  286. assert err.match('404: b\'{"error":"User not found"}\'')
  288. # Test logout
  289. res = admin.user_logout(user_id=user["id"])
  290. assert res == dict(), res
  292. # Test logout fail
  293. with pytest.raises(KeycloakPostError) as err:
  294. admin.user_logout(user_id="non-existent-id")
  295. assert err.match('404: b\'{"error":"User not found"}\'')
  297. # Test consents
  298. res = admin.user_consents(user_id=user["id"])
  299. assert len(res) == 0, res
  301. # Test consents fail
  302. with pytest.raises(KeycloakGetError) as err:
  303. admin.user_consents(user_id="non-existent-id")
  304. assert err.match('404: b\'{"error":"User not found"}\'')
  306. # Test delete user
  307. res = admin.delete_user(user_id=user_id)
  308. assert res == dict(), res
  309. with pytest.raises(KeycloakGetError) as err:
  310. admin.get_user(user_id=user_id)
  311. err.match('404: b\'{"error":"User not found"}\'')
  313. # Test delete fail
  314. with pytest.raises(KeycloakDeleteError) as err:
  315. admin.delete_user(user_id="non-existent-id")
  316. assert err.match('404: b\'{"error":"User not found"}\'')
  319. def test_users_pagination(admin: KeycloakAdmin, realm: str):
  320. """Test user pagination.
  322. :param admin: Keycloak Admin client
  323. :type admin: KeycloakAdmin
  324. :param realm: Keycloak realm
  325. :type realm: str
  326. """
  327. admin.realm_name = realm
  329. for ind in range(admin.PAGE_SIZE + 50):
  330. username = f"user_{ind}"
  331. admin.create_user(payload={"username": username, "email": f"{username}@test.test"})
  333. users = admin.get_users()
  334. assert len(users) == admin.PAGE_SIZE + 50, len(users)
  336. users = admin.get_users(query={"first": 100})
  337. assert len(users) == 50, len(users)
  339. users = admin.get_users(query={"max": 20})
  340. assert len(users) == 20, len(users)
  343. def test_idps(admin: KeycloakAdmin, realm: str):
  344. """Test IDPs.
  346. :param admin: Keycloak Admin client
  347. :type admin: KeycloakAdmin
  348. :param realm: Keycloak realm
  349. :type realm: str
  350. """
  351. admin.realm_name = realm
  353. # Create IDP
  354. res = admin.create_idp(
  355. payload=dict(
  356. providerId="github", alias="github", config=dict(clientId="test", clientSecret="test")
  357. )
  358. )
  359. assert res == b"", res
  361. # Test create idp fail
  362. with pytest.raises(KeycloakPostError) as err:
  363. admin.create_idp(payload={"providerId": "does-not-exist", "alias": "something"})
  364. assert err.match("Invalid identity provider id"), err
  366. # Test listing
  367. idps = admin.get_idps()
  368. assert len(idps) == 1
  369. assert "github" == idps[0]["alias"]
  371. # Test IdP update
  372. res = admin.update_idp(idp_alias="github", payload=idps[0])
  374. assert res == {}, res
  376. # Test adding a mapper
  377. res = admin.add_mapper_to_idp(
  378. idp_alias="github",
  379. payload={
  380. "identityProviderAlias": "github",
  381. "identityProviderMapper": "github-user-attribute-mapper",
  382. "name": "test",
  383. },
  384. )
  385. assert res == b"", res
  387. # Test mapper fail
  388. with pytest.raises(KeycloakPostError) as err:
  389. admin.add_mapper_to_idp(idp_alias="does-no-texist", payload=dict())
  390. assert err.match('404: b\'{"error":"HTTP 404 Not Found"}\'')
  392. # Test IdP mappers listing
  393. idp_mappers = admin.get_idp_mappers(idp_alias="github")
  394. assert len(idp_mappers) == 1
  396. # Test IdP mapper update
  397. res = admin.update_mapper_in_idp(
  398. idp_alias="github",
  399. mapper_id=idp_mappers[0]["id"],
  400. # For an obscure reason, keycloak expect all fields
  401. payload={
  402. "id": idp_mappers[0]["id"],
  403. "identityProviderAlias": "github-alias",
  404. "identityProviderMapper": "github-user-attribute-mapper",
  405. "name": "test",
  406. "config": idp_mappers[0]["config"],
  407. },
  408. )
  409. assert res == dict(), res
  411. # Test delete
  412. res = admin.delete_idp(idp_alias="github")
  413. assert res == dict(), res
  415. # Test delete fail
  416. with pytest.raises(KeycloakDeleteError) as err:
  417. admin.delete_idp(idp_alias="does-not-exist")
  418. assert err.match('404: b\'{"error":"HTTP 404 Not Found"}\'')
  421. def test_user_credentials(admin: KeycloakAdmin, user: str):
  422. """Test user credentials.
  424. :param admin: Keycloak Admin client
  425. :type admin: KeycloakAdmin
  426. :param user: Keycloak user
  427. :type user: str
  428. """
  429. res = admin.set_user_password(user_id=user, password="booya", temporary=True)
  430. assert res == dict(), res
  432. # Test user password set fail
  433. with pytest.raises(KeycloakPutError) as err:
  434. admin.set_user_password(user_id="does-not-exist", password="")
  435. assert err.match('404: b\'{"error":"User not found"}\'')
  437. credentials = admin.get_credentials(user_id=user)
  438. assert len(credentials) == 1
  439. assert credentials[0]["type"] == "password", credentials
  441. # Test get credentials fail
  442. with pytest.raises(KeycloakGetError) as err:
  443. admin.get_credentials(user_id="does-not-exist")
  444. assert err.match('404: b\'{"error":"User not found"}\'')
  446. res = admin.delete_credential(user_id=user, credential_id=credentials[0]["id"])
  447. assert res == dict(), res
  449. # Test delete fail
  450. with pytest.raises(KeycloakDeleteError) as err:
  451. admin.delete_credential(user_id=user, credential_id="does-not-exist")
  452. assert err.match('404: b\'{"error":"Credential not found"}\'')
  455. def test_social_logins(admin: KeycloakAdmin, user: str):
  456. """Test social logins.
  458. :param admin: Keycloak Admin client
  459. :type admin: KeycloakAdmin
  460. :param user: Keycloak user
  461. :type user: str
  462. """
  463. res = admin.add_user_social_login(
  464. user_id=user, provider_id="gitlab", provider_userid="test", provider_username="test"
  465. )
  466. assert res == dict(), res
  467. admin.add_user_social_login(
  468. user_id=user, provider_id="github", provider_userid="test", provider_username="test"
  469. )
  470. assert res == dict(), res
  472. # Test add social login fail
  473. with pytest.raises(KeycloakPostError) as err:
  474. admin.add_user_social_login(
  475. user_id="does-not-exist",
  476. provider_id="does-not-exist",
  477. provider_userid="test",
  478. provider_username="test",
  479. )
  480. assert err.match('404: b\'{"error":"User not found"}\'')
  482. res = admin.get_user_social_logins(user_id=user)
  483. assert res == list(), res
  485. # Test get social logins fail
  486. with pytest.raises(KeycloakGetError) as err:
  487. admin.get_user_social_logins(user_id="does-not-exist")
  488. assert err.match('404: b\'{"error":"User not found"}\'')
  490. res = admin.delete_user_social_login(user_id=user, provider_id="gitlab")
  491. assert res == {}, res
  493. res = admin.delete_user_social_login(user_id=user, provider_id="github")
  494. assert res == {}, res
  496. with pytest.raises(KeycloakDeleteError) as err:
  497. admin.delete_user_social_login(user_id=user, provider_id="instagram")
  498. assert err.match('404: b\'{"error":"Link not found"}\''), err
  501. def test_server_info(admin: KeycloakAdmin):
  502. """Test server info.
  504. :param admin: Keycloak Admin client
  505. :type admin: KeycloakAdmin
  506. """
  507. info = admin.get_server_info()
  508. assert set(info.keys()) == {
  509. "systemInfo",
  510. "memoryInfo",
  511. "profileInfo",
  512. "themes",
  513. "socialProviders",
  514. "identityProviders",
  515. "providers",
  516. "protocolMapperTypes",
  517. "builtinProtocolMappers",
  518. "clientInstallations",
  519. "componentTypes",
  520. "passwordPolicies",
  521. "enums",
  522. }, info.keys()
  525. def test_groups(admin: KeycloakAdmin, user: str):
  526. """Test groups.
  528. :param admin: Keycloak Admin client
  529. :type admin: KeycloakAdmin
  530. :param user: Keycloak user
  531. :type user: str
  532. """
  533. # Test get groups
  534. groups = admin.get_groups()
  535. assert len(groups) == 0
  537. # Test create group
  538. group_id = admin.create_group(payload={"name": "main-group"})
  539. assert group_id is not None, group_id
  541. # Test create subgroups
  542. subgroup_id_1 = admin.create_group(payload={"name": "subgroup-1"}, parent=group_id)
  543. subgroup_id_2 = admin.create_group(payload={"name": "subgroup-2"}, parent=group_id)
  545. # Test create group fail
  546. with pytest.raises(KeycloakPostError) as err:
  547. admin.create_group(payload={"name": "subgroup-1"}, parent=group_id)
  548. assert err.match('409: b\'{"error":"unknown_error"}\''), err
  550. # Test skip exists OK
  551. subgroup_id_1_eq = admin.create_group(
  552. payload={"name": "subgroup-1"}, parent=group_id, skip_exists=True
  553. )
  554. assert subgroup_id_1_eq is None
  556. # Test get groups again
  557. groups = admin.get_groups()
  558. assert len(groups) == 1, groups
  559. assert len(groups[0]["subGroups"]) == 2, groups["subGroups"]
  560. assert groups[0]["id"] == group_id
  561. assert {x["id"] for x in groups[0]["subGroups"]} == {subgroup_id_1, subgroup_id_2}
  563. # Test get groups query
  564. groups = admin.get_groups(query={"max": 10})
  565. assert len(groups) == 1, groups
  566. assert len(groups[0]["subGroups"]) == 2, groups["subGroups"]
  567. assert groups[0]["id"] == group_id
  568. assert {x["id"] for x in groups[0]["subGroups"]} == {subgroup_id_1, subgroup_id_2}
  570. # Test get group
  571. res = admin.get_group(group_id=subgroup_id_1)
  572. assert res["id"] == subgroup_id_1, res
  573. assert res["name"] == "subgroup-1"
  574. assert res["path"] == "/main-group/subgroup-1"
  576. # Test get group fail
  577. with pytest.raises(KeycloakGetError) as err:
  578. admin.get_group(group_id="does-not-exist")
  579. assert err.match('404: b\'{"error":"Could not find group by id"}\''), err
  581. # Create 1 more subgroup
  582. subsubgroup_id_1 = admin.create_group(payload={"name": "subsubgroup-1"}, parent=subgroup_id_2)
  583. main_group = admin.get_group(group_id=group_id)
  585. # Test nested searches
  586. res = admin.get_subgroups(group=main_group, path="/main-group/subgroup-2/subsubgroup-1")
  587. assert res is not None, res
  588. assert res["id"] == subsubgroup_id_1
  590. # Test empty search
  591. res = admin.get_subgroups(group=main_group, path="/none")
  592. assert res is None, res
  594. # Test get group by path
  595. res = admin.get_group_by_path(path="/main-group/subgroup-1")
  596. assert res is None, res
  598. res = admin.get_group_by_path(path="/main-group/subgroup-1", search_in_subgroups=True)
  599. assert res is not None, res
  600. assert res["id"] == subgroup_id_1, res
  602. res = admin.get_group_by_path(
  603. path="/main-group/subgroup-2/subsubgroup-1/test", search_in_subgroups=True
  604. )
  605. assert res is None, res
  607. res = admin.get_group_by_path(
  608. path="/main-group/subgroup-2/subsubgroup-1", search_in_subgroups=True
  609. )
  610. assert res is not None, res
  611. assert res["id"] == subsubgroup_id_1
  613. res = admin.get_group_by_path(path="/main-group")
  614. assert res is not None, res
  615. assert res["id"] == group_id, res
  617. # Test group members
  618. res = admin.get_group_members(group_id=subgroup_id_2)
  619. assert len(res) == 0, res
  621. # Test fail group members
  622. with pytest.raises(KeycloakGetError) as err:
  623. admin.get_group_members(group_id="does-not-exist")
  624. assert err.match('404: b\'{"error":"Could not find group by id"}\'')
  626. res = admin.group_user_add(user_id=user, group_id=subgroup_id_2)
  627. assert res == dict(), res
  629. res = admin.get_group_members(group_id=subgroup_id_2)
  630. assert len(res) == 1, res
  631. assert res[0]["id"] == user
  633. # Test get group members query
  634. res = admin.get_group_members(group_id=subgroup_id_2, query={"max": 10})
  635. assert len(res) == 1, res
  636. assert res[0]["id"] == user
  638. with pytest.raises(KeycloakDeleteError) as err:
  639. admin.group_user_remove(user_id="does-not-exist", group_id=subgroup_id_2)
  640. assert err.match('404: b\'{"error":"User not found"}\''), err
  642. res = admin.group_user_remove(user_id=user, group_id=subgroup_id_2)
  643. assert res == dict(), res
  645. # Test set permissions
  646. res = admin.group_set_permissions(group_id=subgroup_id_2, enabled=True)
  647. assert res["enabled"], res
  648. res = admin.group_set_permissions(group_id=subgroup_id_2, enabled=False)
  649. assert not res["enabled"], res
  650. with pytest.raises(KeycloakPutError) as err:
  651. admin.group_set_permissions(group_id=subgroup_id_2, enabled="blah")
  652. assert err.match('500: b\'{"error":"unknown_error"}\''), err
  654. # Test update group
  655. res = admin.update_group(group_id=subgroup_id_2, payload={"name": "new-subgroup-2"})
  656. assert res == dict(), res
  657. assert admin.get_group(group_id=subgroup_id_2)["name"] == "new-subgroup-2"
  659. # test update fail
  660. with pytest.raises(KeycloakPutError) as err:
  661. admin.update_group(group_id="does-not-exist", payload=dict())
  662. assert err.match('404: b\'{"error":"Could not find group by id"}\''), err
  664. # Test delete
  665. res = admin.delete_group(group_id=group_id)
  666. assert res == dict(), res
  667. assert len(admin.get_groups()) == 0
  669. # Test delete fail
  670. with pytest.raises(KeycloakDeleteError) as err:
  671. admin.delete_group(group_id="does-not-exist")
  672. assert err.match('404: b\'{"error":"Could not find group by id"}\''), err
  675. def test_clients(admin: KeycloakAdmin, realm: str):
  676. """Test clients.
  678. :param admin: Keycloak Admin client
  679. :type admin: KeycloakAdmin
  680. :param realm: Keycloak realm
  681. :type realm: str
  682. """
  683. admin.realm_name = realm
  685. # Test get clients
  686. clients = admin.get_clients()
  687. assert len(clients) == 6, clients
  688. assert {x["name"] for x in clients} == set(
  689. [
  690. "${client_admin-cli}",
  691. "${client_security-admin-console}",
  692. "${client_account-console}",
  693. "${client_broker}",
  694. "${client_account}",
  695. "${client_realm-management}",
  696. ]
  697. ), clients
  699. # Test create client
  700. client_id = admin.create_client(payload={"name": "test-client", "clientId": "test-client"})
  701. assert client_id, client_id
  703. with pytest.raises(KeycloakPostError) as err:
  704. admin.create_client(payload={"name": "test-client", "clientId": "test-client"})
  705. assert err.match('409: b\'{"errorMessage":"Client test-client already exists"}\''), err
  707. client_id_2 = admin.create_client(
  708. payload={"name": "test-client", "clientId": "test-client"}, skip_exists=True
  709. )
  710. assert client_id == client_id_2, client_id_2
  712. # Test get client
  713. res = admin.get_client(client_id=client_id)
  714. assert res["clientId"] == "test-client", res
  715. assert res["name"] == "test-client", res
  716. assert res["id"] == client_id, res
  718. with pytest.raises(KeycloakGetError) as err:
  719. admin.get_client(client_id="does-not-exist")
  720. assert err.match('404: b\'{"error":"Could not find client"}\'')
  721. assert len(admin.get_clients()) == 7
  723. # Test get client id
  724. assert admin.get_client_id(client_id="test-client") == client_id
  725. assert admin.get_client_id(client_id="does-not-exist") is None
  727. # Test update client
  728. res = admin.update_client(client_id=client_id, payload={"name": "test-client-change"})
  729. assert res == dict(), res
  731. with pytest.raises(KeycloakPutError) as err:
  732. admin.update_client(client_id="does-not-exist", payload={"name": "test-client-change"})
  733. assert err.match('404: b\'{"error":"Could not find client"}\'')
  735. # Test client mappers
  736. res = admin.get_mappers_from_client(client_id=client_id)
  737. assert len(res) == 0
  739. with pytest.raises(KeycloakPostError) as err:
  740. admin.add_mapper_to_client(client_id="does-not-exist", payload=dict())
  741. assert err.match('404: b\'{"error":"Could not find client"}\'')
  743. res = admin.add_mapper_to_client(
  744. client_id=client_id,
  745. payload={
  746. "name": "test-mapper",
  747. "protocol": "openid-connect",
  748. "protocolMapper": "oidc-usermodel-attribute-mapper",
  749. },
  750. )
  751. assert res == b""
  752. assert len(admin.get_mappers_from_client(client_id=client_id)) == 1
  754. mapper = admin.get_mappers_from_client(client_id=client_id)[0]
  755. with pytest.raises(KeycloakPutError) as err:
  756. admin.update_client_mapper(client_id=client_id, mapper_id="does-not-exist", payload=dict())
  757. assert err.match('404: b\'{"error":"Model not found"}\'')
  758. mapper["config"]["user.attribute"] = "test"
  759. res = admin.update_client_mapper(client_id=client_id, mapper_id=mapper["id"], payload=mapper)
  760. assert res == dict()
  762. res = admin.remove_client_mapper(client_id=client_id, client_mapper_id=mapper["id"])
  763. assert res == dict()
  764. with pytest.raises(KeycloakDeleteError) as err:
  765. admin.remove_client_mapper(client_id=client_id, client_mapper_id=mapper["id"])
  766. assert err.match('404: b\'{"error":"Model not found"}\'')
  768. # Test client sessions
  769. with pytest.raises(KeycloakGetError) as err:
  770. admin.get_client_all_sessions(client_id="does-not-exist")
  771. assert err.match('404: b\'{"error":"Could not find client"}\'')
  773. assert admin.get_client_all_sessions(client_id=client_id) == list()
  774. assert admin.get_client_sessions_stats() == list()
  776. # Test authz
  777. auth_client_id = admin.create_client(
  778. payload={
  779. "name": "authz-client",
  780. "clientId": "authz-client",
  781. "authorizationServicesEnabled": True,
  782. "serviceAccountsEnabled": True,
  783. }
  784. )
  785. res = admin.get_client_authz_settings(client_id=auth_client_id)
  786. assert res["allowRemoteResourceManagement"]
  787. assert res["decisionStrategy"] == "UNANIMOUS"
  788. assert len(res["policies"]) >= 0
  790. with pytest.raises(KeycloakGetError) as err:
  791. admin.get_client_authz_settings(client_id=client_id)
  792. assert err.match('500: b\'{"error":"HTTP 500 Internal Server Error"}\'')
  794. # Authz resources
  795. res = admin.get_client_authz_resources(client_id=auth_client_id)
  796. assert len(res) == 1
  797. assert res[0]["name"] == "Default Resource"
  799. with pytest.raises(KeycloakGetError) as err:
  800. admin.get_client_authz_resources(client_id=client_id)
  801. assert err.match('500: b\'{"error":"unknown_error"}\'')
  803. res = admin.create_client_authz_resource(
  804. client_id=auth_client_id, payload={"name": "test-resource"}
  805. )
  806. assert res["name"] == "test-resource", res
  807. test_resource_id = res["_id"]
  809. with pytest.raises(KeycloakPostError) as err:
  810. admin.create_client_authz_resource(
  811. client_id=auth_client_id, payload={"name": "test-resource"}
  812. )
  813. assert err.match('409: b\'{"error":"invalid_request"')
  814. assert admin.create_client_authz_resource(
  815. client_id=auth_client_id, payload={"name": "test-resource"}, skip_exists=True
  816. ) == {"msg": "Already exists"}
  818. res = admin.get_client_authz_resources(client_id=auth_client_id)
  819. assert len(res) == 2
  820. assert {x["name"] for x in res} == {"Default Resource", "test-resource"}
  822. # Authz policies
  823. res = admin.get_client_authz_policies(client_id=auth_client_id)
  824. assert len(res) == 1, res
  825. assert res[0]["name"] == "Default Policy"
  827. with pytest.raises(KeycloakGetError) as err:
  828. admin.get_client_authz_policies(client_id="does-not-exist")
  829. assert err.match('404: b\'{"error":"Could not find client"}\'')
  831. role_id = admin.get_realm_role(role_name="offline_access")["id"]
  832. res = admin.create_client_authz_role_based_policy(
  833. client_id=auth_client_id,
  834. payload={"name": "test-authz-rb-policy", "roles": [{"id": role_id}]},
  835. )
  836. assert res["name"] == "test-authz-rb-policy", res
  838. with pytest.raises(KeycloakPostError) as err:
  839. admin.create_client_authz_role_based_policy(
  840. client_id=auth_client_id,
  841. payload={"name": "test-authz-rb-policy", "roles": [{"id": role_id}]},
  842. )
  843. assert err.match('409: b\'{"error":"Policy with name')
  844. assert admin.create_client_authz_role_based_policy(
  845. client_id=auth_client_id,
  846. payload={"name": "test-authz-rb-policy", "roles": [{"id": role_id}]},
  847. skip_exists=True,
  848. ) == {"msg": "Already exists"}
  849. assert len(admin.get_client_authz_policies(client_id=auth_client_id)) == 2
  851. # Test authz permissions
  852. res = admin.get_client_authz_permissions(client_id=auth_client_id)
  853. assert len(res) == 1, res
  854. assert res[0]["name"] == "Default Permission"
  856. with pytest.raises(KeycloakGetError) as err:
  857. admin.get_client_authz_permissions(client_id="does-not-exist")
  858. assert err.match('404: b\'{"error":"Could not find client"}\'')
  860. res = admin.create_client_authz_resource_based_permission(
  861. client_id=auth_client_id,
  862. payload={"name": "test-permission-rb", "resources": [test_resource_id]},
  863. )
  864. assert res, res
  865. assert res["name"] == "test-permission-rb"
  866. assert res["resources"] == [test_resource_id]
  868. with pytest.raises(KeycloakPostError) as err:
  869. admin.create_client_authz_resource_based_permission(
  870. client_id=auth_client_id,
  871. payload={"name": "test-permission-rb", "resources": [test_resource_id]},
  872. )
  873. assert err.match('409: b\'{"error":"Policy with name')
  874. assert admin.create_client_authz_resource_based_permission(
  875. client_id=auth_client_id,
  876. payload={"name": "test-permission-rb", "resources": [test_resource_id]},
  877. skip_exists=True,
  878. ) == {"msg": "Already exists"}
  879. assert len(admin.get_client_authz_permissions(client_id=auth_client_id)) == 2
  881. # Test authz scopes
  882. res = admin.get_client_authz_scopes(client_id=auth_client_id)
  883. assert len(res) == 0, res
  885. with pytest.raises(KeycloakGetError) as err:
  886. admin.get_client_authz_scopes(client_id=client_id)
  887. assert err.match('500: b\'{"error":"unknown_error"}\'')
  889. # Test service account user
  890. res = admin.get_client_service_account_user(client_id=auth_client_id)
  891. assert res["username"] == "service-account-authz-client", res
  893. with pytest.raises(KeycloakGetError) as err:
  894. admin.get_client_service_account_user(client_id=client_id)
  895. assert err.match('400: b\'{"error":"unknown_error"}\'')
  897. # Test delete client
  898. res = admin.delete_client(client_id=auth_client_id)
  899. assert res == dict(), res
  900. with pytest.raises(KeycloakDeleteError) as err:
  901. admin.delete_client(client_id=auth_client_id)
  902. assert err.match('404: b\'{"error":"Could not find client"}\'')
  904. # Test client credentials
  905. admin.create_client(
  906. payload={
  907. "name": "test-confidential",
  908. "enabled": True,
  909. "protocol": "openid-connect",
  910. "publicClient": False,
  911. "redirectUris": ["http://localhost/*"],
  912. "webOrigins": ["+"],
  913. "clientId": "test-confidential",
  914. "secret": "test-secret",
  915. "clientAuthenticatorType": "client-secret",
  916. }
  917. )
  918. with pytest.raises(KeycloakGetError) as err:
  919. admin.get_client_secrets(client_id="does-not-exist")
  920. assert err.match('404: b\'{"error":"Could not find client"}\'')
  922. secrets = admin.get_client_secrets(
  923. client_id=admin.get_client_id(client_id="test-confidential")
  924. )
  925. assert secrets == {"type": "secret", "value": "test-secret"}
  927. with pytest.raises(KeycloakPostError) as err:
  928. admin.generate_client_secrets(client_id="does-not-exist")
  929. assert err.match('404: b\'{"error":"Could not find client"}\'')
  931. res = admin.generate_client_secrets(
  932. client_id=admin.get_client_id(client_id="test-confidential")
  933. )
  934. assert res
  935. assert (
  936. admin.get_client_secrets(client_id=admin.get_client_id(client_id="test-confidential"))
  937. == res
  938. )
  941. def test_realm_roles(admin: KeycloakAdmin, realm: str):
  942. """Test realm roles.
  944. :param admin: Keycloak Admin client
  945. :type admin: KeycloakAdmin
  946. :param realm: Keycloak realm
  947. :type realm: str
  948. """
  949. admin.realm_name = realm
  951. # Test get realm roles
  952. roles = admin.get_realm_roles()
  953. assert len(roles) == 3, roles
  954. role_names = [x["name"] for x in roles]
  955. assert "uma_authorization" in role_names, role_names
  956. assert "offline_access" in role_names, role_names
  958. # Test empty members
  959. with pytest.raises(KeycloakGetError) as err:
  960. admin.get_realm_role_members(role_name="does-not-exist")
  961. assert err.match('404: b\'{"error":"Could not find role"}\'')
  962. members = admin.get_realm_role_members(role_name="offline_access")
  963. assert members == list(), members
  965. # Test create realm role
  966. role_id = admin.create_realm_role(payload={"name": "test-realm-role"}, skip_exists=True)
  967. assert role_id, role_id
  968. with pytest.raises(KeycloakPostError) as err:
  969. admin.create_realm_role(payload={"name": "test-realm-role"})
  970. assert err.match('409: b\'{"errorMessage":"Role with name test-realm-role already exists"}\'')
  971. role_id_2 = admin.create_realm_role(payload={"name": "test-realm-role"}, skip_exists=True)
  972. assert role_id == role_id_2
  974. # Test update realm role
  975. res = admin.update_realm_role(
  976. role_name="test-realm-role", payload={"name": "test-realm-role-update"}
  977. )
  978. assert res == dict(), res
  979. with pytest.raises(KeycloakPutError) as err:
  980. admin.update_realm_role(
  981. role_name="test-realm-role", payload={"name": "test-realm-role-update"}
  982. )
  983. assert err.match('404: b\'{"error":"Could not find role"}\''), err
  985. # Test realm role user assignment
  986. user_id = admin.create_user(payload={"username": "role-testing", "email": "test@test.test"})
  987. with pytest.raises(KeycloakPostError) as err:
  988. admin.assign_realm_roles(user_id=user_id, roles=["bad"])
  989. assert err.match('500: b\'{"error":"unknown_error"}\'')
  990. res = admin.assign_realm_roles(
  991. user_id=user_id,
  992. roles=[
  993. admin.get_realm_role(role_name="offline_access"),
  994. admin.get_realm_role(role_name="test-realm-role-update"),
  995. ],
  996. )
  997. assert res == dict(), res
  998. assert admin.get_user(user_id=user_id)["username"] in [
  999. x["username"] for x in admin.get_realm_role_members(role_name="offline_access")
  1000. ]
  1001. assert admin.get_user(user_id=user_id)["username"] in [
  1002. x["username"] for x in admin.get_realm_role_members(role_name="test-realm-role-update")
  1003. ]
  1005. roles = admin.get_realm_roles_of_user(user_id=user_id)
  1006. assert len(roles) == 3
  1007. assert "offline_access" in [x["name"] for x in roles]
  1008. assert "test-realm-role-update" in [x["name"] for x in roles]
  1010. with pytest.raises(KeycloakDeleteError) as err:
  1011. admin.delete_realm_roles_of_user(user_id=user_id, roles=["bad"])
  1012. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1013. res = admin.delete_realm_roles_of_user(
  1014. user_id=user_id, roles=[admin.get_realm_role(role_name="offline_access")]
  1015. )
  1016. assert res == dict(), res
  1017. assert admin.get_realm_role_members(role_name="offline_access") == list()
  1018. roles = admin.get_realm_roles_of_user(user_id=user_id)
  1019. assert len(roles) == 2
  1020. assert "offline_access" not in [x["name"] for x in roles]
  1021. assert "test-realm-role-update" in [x["name"] for x in roles]
  1023. roles = admin.get_available_realm_roles_of_user(user_id=user_id)
  1024. assert len(roles) == 2
  1025. assert "offline_access" in [x["name"] for x in roles]
  1026. assert "uma_authorization" in [x["name"] for x in roles]
  1028. # Test realm role group assignment
  1029. group_id = admin.create_group(payload={"name": "test-group"})
  1030. with pytest.raises(KeycloakPostError) as err:
  1031. admin.assign_group_realm_roles(group_id=group_id, roles=["bad"])
  1032. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1033. res = admin.assign_group_realm_roles(
  1034. group_id=group_id,
  1035. roles=[
  1036. admin.get_realm_role(role_name="offline_access"),
  1037. admin.get_realm_role(role_name="test-realm-role-update"),
  1038. ],
  1039. )
  1040. assert res == dict(), res
  1042. roles = admin.get_group_realm_roles(group_id=group_id)
  1043. assert len(roles) == 2
  1044. assert "offline_access" in [x["name"] for x in roles]
  1045. assert "test-realm-role-update" in [x["name"] for x in roles]
  1047. with pytest.raises(KeycloakDeleteError) as err:
  1048. admin.delete_group_realm_roles(group_id=group_id, roles=["bad"])
  1049. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1050. res = admin.delete_group_realm_roles(
  1051. group_id=group_id, roles=[admin.get_realm_role(role_name="offline_access")]
  1052. )
  1053. assert res == dict(), res
  1054. roles = admin.get_group_realm_roles(group_id=group_id)
  1055. assert len(roles) == 1
  1056. assert "test-realm-role-update" in [x["name"] for x in roles]
  1058. # Test composite realm roles
  1059. composite_role = admin.create_realm_role(payload={"name": "test-composite-role"})
  1060. with pytest.raises(KeycloakPostError) as err:
  1061. admin.add_composite_realm_roles_to_role(role_name=composite_role, roles=["bad"])
  1062. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1063. res = admin.add_composite_realm_roles_to_role(
  1064. role_name=composite_role, roles=[admin.get_realm_role(role_name="test-realm-role-update")]
  1065. )
  1066. assert res == dict(), res
  1068. res = admin.get_composite_realm_roles_of_role(role_name=composite_role)
  1069. assert len(res) == 1
  1070. assert "test-realm-role-update" in res[0]["name"]
  1071. with pytest.raises(KeycloakGetError) as err:
  1072. admin.get_composite_realm_roles_of_role(role_name="bad")
  1073. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1075. res = admin.get_composite_realm_roles_of_user(user_id=user_id)
  1076. assert len(res) == 4
  1077. assert "offline_access" in {x["name"] for x in res}
  1078. assert "test-realm-role-update" in {x["name"] for x in res}
  1079. assert "uma_authorization" in {x["name"] for x in res}
  1080. with pytest.raises(KeycloakGetError) as err:
  1081. admin.get_composite_realm_roles_of_user(user_id="bad")
  1082. assert err.match('404: b\'{"error":"User not found"}\'')
  1084. with pytest.raises(KeycloakDeleteError) as err:
  1085. admin.remove_composite_realm_roles_to_role(role_name=composite_role, roles=["bad"])
  1086. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1087. res = admin.remove_composite_realm_roles_to_role(
  1088. role_name=composite_role, roles=[admin.get_realm_role(role_name="test-realm-role-update")]
  1089. )
  1090. assert res == dict(), res
  1092. res = admin.get_composite_realm_roles_of_role(role_name=composite_role)
  1093. assert len(res) == 0
  1095. # Test delete realm role
  1096. res = admin.delete_realm_role(role_name=composite_role)
  1097. assert res == dict(), res
  1098. with pytest.raises(KeycloakDeleteError) as err:
  1099. admin.delete_realm_role(role_name=composite_role)
  1100. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1103. @pytest.mark.parametrize(
  1104. "testcase, arg_brief_repr, includes_attributes",
  1105. [
  1106. ("brief True", {"brief_representation": True}, False),
  1107. ("brief False", {"brief_representation": False}, True),
  1108. ("default", {}, False),
  1109. ],
  1110. )
  1111. def test_role_attributes(
  1112. admin: KeycloakAdmin,
  1113. realm: str,
  1114. client: str,
  1115. arg_brief_repr: dict,
  1116. includes_attributes: bool,
  1117. testcase: str,
  1118. ):
  1119. """Test getting role attributes for bulk calls.
  1121. :param admin: Keycloak admin
  1122. :type admin: KeycloakAdmin
  1123. :param realm: Keycloak realm
  1124. :type realm: str
  1125. :param client: Keycloak client
  1126. :type client: str
  1127. :param arg_brief_repr: Brief representation
  1128. :type arg_brief_repr: dict
  1129. :param includes_attributes: Indicator whether to include attributes
  1130. :type includes_attributes: bool
  1131. :param testcase: Test case
  1132. :type testcase: str
  1133. """
  1134. # setup
  1135. attribute_role = "test-realm-role-w-attr"
  1136. test_attrs = {"attr1": ["val1"], "attr2": ["val2-1", "val2-2"]}
  1137. role_id = admin.create_realm_role(
  1138. payload={"name": attribute_role, "attributes": test_attrs},
  1139. skip_exists=True,
  1140. )
  1141. assert role_id, role_id
  1143. cli_role_id = admin.create_client_role(
  1144. client,
  1145. payload={"name": attribute_role, "attributes": test_attrs},
  1146. skip_exists=True,
  1147. )
  1148. assert cli_role_id, cli_role_id
  1150. if not includes_attributes:
  1151. test_attrs = None
  1153. # tests
  1154. roles = admin.get_realm_roles(**arg_brief_repr)
  1155. roles_filtered = [role for role in roles if role["name"] == role_id]
  1156. assert roles_filtered, roles_filtered
  1157. role = roles_filtered[0]
  1158. assert role.get("attributes") == test_attrs, testcase
  1160. roles = admin.get_client_roles(client, **arg_brief_repr)
  1161. roles_filtered = [role for role in roles if role["name"] == cli_role_id]
  1162. assert roles_filtered, roles_filtered
  1163. role = roles_filtered[0]
  1164. assert role.get("attributes") == test_attrs, testcase
  1166. # cleanup
  1167. res = admin.delete_realm_role(role_name=attribute_role)
  1168. assert res == dict(), res
  1170. res = admin.delete_client_role(client, role_name=attribute_role)
  1171. assert res == dict(), res
  1174. def test_client_scope_realm_roles(admin: KeycloakAdmin, realm: str):
  1175. """Test client realm roles.
  1177. :param admin: Keycloak admin
  1178. :type admin: KeycloakAdmin
  1179. :param realm: Keycloak realm
  1180. :type realm: str
  1181. """
  1182. admin.realm_name = realm
  1184. # Test get realm roles
  1185. roles = admin.get_realm_roles()
  1186. assert len(roles) == 3, roles
  1187. role_names = [x["name"] for x in roles]
  1188. assert "uma_authorization" in role_names, role_names
  1189. assert "offline_access" in role_names, role_names
  1191. # create realm role for test
  1192. role_id = admin.create_realm_role(payload={"name": "test-realm-role"}, skip_exists=True)
  1193. assert role_id, role_id
  1195. # Test realm role client assignment
  1196. client_id = admin.create_client(
  1197. payload={"name": "role-testing-client", "clientId": "role-testing-client"}
  1198. )
  1199. with pytest.raises(KeycloakPostError) as err:
  1200. admin.assign_realm_roles_to_client_scope(client_id=client_id, roles=["bad"])
  1201. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1202. res = admin.assign_realm_roles_to_client_scope(
  1203. client_id=client_id,
  1204. roles=[
  1205. admin.get_realm_role(role_name="offline_access"),
  1206. admin.get_realm_role(role_name="test-realm-role"),
  1207. ],
  1208. )
  1209. assert res == dict(), res
  1211. roles = admin.get_realm_roles_of_client_scope(client_id=client_id)
  1212. assert len(roles) == 2
  1213. client_role_names = [x["name"] for x in roles]
  1214. assert "offline_access" in client_role_names, client_role_names
  1215. assert "test-realm-role" in client_role_names, client_role_names
  1216. assert "uma_authorization" not in client_role_names, client_role_names
  1218. # Test remove realm role of client
  1219. with pytest.raises(KeycloakDeleteError) as err:
  1220. admin.delete_realm_roles_of_client_scope(client_id=client_id, roles=["bad"])
  1221. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1222. res = admin.delete_realm_roles_of_client_scope(
  1223. client_id=client_id, roles=[admin.get_realm_role(role_name="offline_access")]
  1224. )
  1225. assert res == dict(), res
  1226. roles = admin.get_realm_roles_of_client_scope(client_id=client_id)
  1227. assert len(roles) == 1
  1228. assert "test-realm-role" in [x["name"] for x in roles]
  1230. res = admin.delete_realm_roles_of_client_scope(
  1231. client_id=client_id, roles=[admin.get_realm_role(role_name="test-realm-role")]
  1232. )
  1233. assert res == dict(), res
  1234. roles = admin.get_realm_roles_of_client_scope(client_id=client_id)
  1235. assert len(roles) == 0
  1238. def test_client_scope_client_roles(admin: KeycloakAdmin, realm: str, client: str):
  1239. """Test client assignment of other client roles.
  1241. :param admin: Keycloak admin
  1242. :type admin: KeycloakAdmin
  1243. :param realm: Keycloak realm
  1244. :type realm: str
  1245. :param client: Keycloak client
  1246. :type client: str
  1247. """
  1248. admin.realm_name = realm
  1250. client_id = admin.create_client(
  1251. payload={"name": "role-testing-client", "clientId": "role-testing-client"}
  1252. )
  1254. # Test get client roles
  1255. roles = admin.get_client_roles_of_client_scope(client_id, client)
  1256. assert len(roles) == 0, roles
  1258. # create client role for test
  1259. client_role_id = admin.create_client_role(
  1260. client_role_id=client, payload={"name": "client-role-test"}, skip_exists=True
  1261. )
  1262. assert client_role_id, client_role_id
  1264. # Test client role assignment to other client
  1265. with pytest.raises(KeycloakPostError) as err:
  1266. admin.assign_client_roles_to_client_scope(
  1267. client_id=client_id, client_roles_owner_id=client, roles=["bad"]
  1268. )
  1269. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1270. res = admin.assign_client_roles_to_client_scope(
  1271. client_id=client_id,
  1272. client_roles_owner_id=client,
  1273. roles=[admin.get_client_role(client_id=client, role_name="client-role-test")],
  1274. )
  1275. assert res == dict(), res
  1277. roles = admin.get_client_roles_of_client_scope(
  1278. client_id=client_id, client_roles_owner_id=client
  1279. )
  1280. assert len(roles) == 1
  1281. client_role_names = [x["name"] for x in roles]
  1282. assert "client-role-test" in client_role_names, client_role_names
  1284. # Test remove realm role of client
  1285. with pytest.raises(KeycloakDeleteError) as err:
  1286. admin.delete_client_roles_of_client_scope(
  1287. client_id=client_id, client_roles_owner_id=client, roles=["bad"]
  1288. )
  1289. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1290. res = admin.delete_client_roles_of_client_scope(
  1291. client_id=client_id,
  1292. client_roles_owner_id=client,
  1293. roles=[admin.get_client_role(client_id=client, role_name="client-role-test")],
  1294. )
  1295. assert res == dict(), res
  1296. roles = admin.get_client_roles_of_client_scope(
  1297. client_id=client_id, client_roles_owner_id=client
  1298. )
  1299. assert len(roles) == 0
  1302. def test_client_roles(admin: KeycloakAdmin, client: str):
  1303. """Test client roles.
  1305. :param admin: Keycloak Admin client
  1306. :type admin: KeycloakAdmin
  1307. :param client: Keycloak client
  1308. :type client: str
  1309. """
  1310. # Test get client roles
  1311. res = admin.get_client_roles(client_id=client)
  1312. assert len(res) == 0
  1313. with pytest.raises(KeycloakGetError) as err:
  1314. admin.get_client_roles(client_id="bad")
  1315. assert err.match('404: b\'{"error":"Could not find client"}\'')
  1317. # Test create client role
  1318. client_role_id = admin.create_client_role(
  1319. client_role_id=client, payload={"name": "client-role-test"}, skip_exists=True
  1320. )
  1321. with pytest.raises(KeycloakPostError) as err:
  1322. admin.create_client_role(client_role_id=client, payload={"name": "client-role-test"})
  1323. assert err.match('409: b\'{"errorMessage":"Role with name client-role-test already exists"}\'')
  1324. client_role_id_2 = admin.create_client_role(
  1325. client_role_id=client, payload={"name": "client-role-test"}, skip_exists=True
  1326. )
  1327. assert client_role_id == client_role_id_2
  1329. # Test get client role
  1330. res = admin.get_client_role(client_id=client, role_name="client-role-test")
  1331. assert res["name"] == client_role_id
  1332. with pytest.raises(KeycloakGetError) as err:
  1333. admin.get_client_role(client_id=client, role_name="bad")
  1334. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1336. res_ = admin.get_client_role_id(client_id=client, role_name="client-role-test")
  1337. assert res_ == res["id"]
  1338. with pytest.raises(KeycloakGetError) as err:
  1339. admin.get_client_role_id(client_id=client, role_name="bad")
  1340. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1341. assert len(admin.get_client_roles(client_id=client)) == 1
  1343. # Test update client role
  1344. res = admin.update_client_role(
  1345. client_role_id=client,
  1346. role_name="client-role-test",
  1347. payload={"name": "client-role-test-update"},
  1348. )
  1349. assert res == dict()
  1350. with pytest.raises(KeycloakPutError) as err:
  1351. res = admin.update_client_role(
  1352. client_role_id=client,
  1353. role_name="client-role-test",
  1354. payload={"name": "client-role-test-update"},
  1355. )
  1356. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1358. # Test user with client role
  1359. res = admin.get_client_role_members(client_id=client, role_name="client-role-test-update")
  1360. assert len(res) == 0
  1361. with pytest.raises(KeycloakGetError) as err:
  1362. admin.get_client_role_members(client_id=client, role_name="bad")
  1363. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1365. user_id = admin.create_user(payload={"username": "test", "email": "test@test.test"})
  1366. with pytest.raises(KeycloakPostError) as err:
  1367. admin.assign_client_role(user_id=user_id, client_id=client, roles=["bad"])
  1368. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1369. res = admin.assign_client_role(
  1370. user_id=user_id,
  1371. client_id=client,
  1372. roles=[admin.get_client_role(client_id=client, role_name="client-role-test-update")],
  1373. )
  1374. assert res == dict()
  1375. assert (
  1376. len(admin.get_client_role_members(client_id=client, role_name="client-role-test-update"))
  1377. == 1
  1378. )
  1380. roles = admin.get_client_roles_of_user(user_id=user_id, client_id=client)
  1381. assert len(roles) == 1, roles
  1382. with pytest.raises(KeycloakGetError) as err:
  1383. admin.get_client_roles_of_user(user_id=user_id, client_id="bad")
  1384. assert err.match('404: b\'{"error":"Client not found"}\'')
  1386. roles = admin.get_composite_client_roles_of_user(user_id=user_id, client_id=client)
  1387. assert len(roles) == 1, roles
  1388. with pytest.raises(KeycloakGetError) as err:
  1389. admin.get_composite_client_roles_of_user(user_id=user_id, client_id="bad")
  1390. assert err.match('404: b\'{"error":"Client not found"}\'')
  1392. roles = admin.get_available_client_roles_of_user(user_id=user_id, client_id=client)
  1393. assert len(roles) == 0, roles
  1394. with pytest.raises(KeycloakGetError) as err:
  1395. admin.get_composite_client_roles_of_user(user_id=user_id, client_id="bad")
  1396. assert err.match('404: b\'{"error":"Client not found"}\'')
  1398. with pytest.raises(KeycloakDeleteError) as err:
  1399. admin.delete_client_roles_of_user(user_id=user_id, client_id=client, roles=["bad"])
  1400. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1401. admin.delete_client_roles_of_user(
  1402. user_id=user_id,
  1403. client_id=client,
  1404. roles=[admin.get_client_role(client_id=client, role_name="client-role-test-update")],
  1405. )
  1406. assert len(admin.get_client_roles_of_user(user_id=user_id, client_id=client)) == 0
  1408. # Test groups and client roles
  1409. res = admin.get_client_role_groups(client_id=client, role_name="client-role-test-update")
  1410. assert len(res) == 0
  1411. with pytest.raises(KeycloakGetError) as err:
  1412. admin.get_client_role_groups(client_id=client, role_name="bad")
  1413. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1415. group_id = admin.create_group(payload={"name": "test-group"})
  1416. res = admin.get_group_client_roles(group_id=group_id, client_id=client)
  1417. assert len(res) == 0
  1418. with pytest.raises(KeycloakGetError) as err:
  1419. admin.get_group_client_roles(group_id=group_id, client_id="bad")
  1420. assert err.match('404: b\'{"error":"Client not found"}\'')
  1422. with pytest.raises(KeycloakPostError) as err:
  1423. admin.assign_group_client_roles(group_id=group_id, client_id=client, roles=["bad"])
  1424. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1425. res = admin.assign_group_client_roles(
  1426. group_id=group_id,
  1427. client_id=client,
  1428. roles=[admin.get_client_role(client_id=client, role_name="client-role-test-update")],
  1429. )
  1430. assert res == dict()
  1431. assert (
  1432. len(admin.get_client_role_groups(client_id=client, role_name="client-role-test-update"))
  1433. == 1
  1434. )
  1435. assert len(admin.get_group_client_roles(group_id=group_id, client_id=client)) == 1
  1437. with pytest.raises(KeycloakDeleteError) as err:
  1438. admin.delete_group_client_roles(group_id=group_id, client_id=client, roles=["bad"])
  1439. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1440. res = admin.delete_group_client_roles(
  1441. group_id=group_id,
  1442. client_id=client,
  1443. roles=[admin.get_client_role(client_id=client, role_name="client-role-test-update")],
  1444. )
  1445. assert res == dict()
  1447. # Test composite client roles
  1448. with pytest.raises(KeycloakPostError) as err:
  1449. admin.add_composite_client_roles_to_role(
  1450. client_role_id=client, role_name="client-role-test-update", roles=["bad"]
  1451. )
  1452. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1453. res = admin.add_composite_client_roles_to_role(
  1454. client_role_id=client,
  1455. role_name="client-role-test-update",
  1456. roles=[admin.get_realm_role(role_name="offline_access")],
  1457. )
  1458. assert res == dict()
  1459. assert admin.get_client_role(client_id=client, role_name="client-role-test-update")[
  1460. "composite"
  1461. ]
  1463. # Test delete of client role
  1464. res = admin.delete_client_role(client_role_id=client, role_name="client-role-test-update")
  1465. assert res == dict()
  1466. with pytest.raises(KeycloakDeleteError) as err:
  1467. admin.delete_client_role(client_role_id=client, role_name="client-role-test-update")
  1468. assert err.match('404: b\'{"error":"Could not find role"}\'')
  1471. def test_enable_token_exchange(admin: KeycloakAdmin, realm: str):
  1472. """Test enable token exchange.
  1474. :param admin: Keycloak Admin client
  1475. :type admin: KeycloakAdmin
  1476. :param realm: Keycloak realm
  1477. :type realm: str
  1478. :raises AssertionError: In case of bad configuration
  1479. """
  1480. # Test enabling token exchange between two confidential clients
  1481. admin.realm_name = realm
  1483. # Create test clients
  1484. source_client_id = admin.create_client(
  1485. payload={"name": "Source Client", "clientId": "source-client"}
  1486. )
  1487. target_client_id = admin.create_client(
  1488. payload={"name": "Target Client", "clientId": "target-client"}
  1489. )
  1490. for c in admin.get_clients():
  1491. if c["clientId"] == "realm-management":
  1492. realm_management_id = c["id"]
  1493. break
  1494. else:
  1495. raise AssertionError("Missing realm management client")
  1497. # Enable permissions on the Superset client
  1498. admin.update_client_management_permissions(
  1499. payload={"enabled": True}, client_id=target_client_id
  1500. )
  1502. # Fetch various IDs and strings needed when creating the permission
  1503. token_exchange_permission_id = admin.get_client_management_permissions(
  1504. client_id=target_client_id
  1505. )["scopePermissions"]["token-exchange"]
  1506. scopes = admin.get_client_authz_policy_scopes(
  1507. client_id=realm_management_id, policy_id=token_exchange_permission_id
  1508. )
  1510. for s in scopes:
  1511. if s["name"] == "token-exchange":
  1512. token_exchange_scope_id = s["id"]
  1513. break
  1514. else:
  1515. raise AssertionError("Missing token-exchange scope")
  1517. resources = admin.get_client_authz_policy_resources(
  1518. client_id=realm_management_id, policy_id=token_exchange_permission_id
  1519. )
  1520. for r in resources:
  1521. if r["name"] == f"client.resource.{target_client_id}":
  1522. token_exchange_resource_id = r["_id"]
  1523. break
  1524. else:
  1525. raise AssertionError("Missing client resource")
  1527. # Create a client policy for source client
  1528. policy_name = "Exchange source client token with target client token"
  1529. client_policy_id = admin.create_client_authz_client_policy(
  1530. payload={
  1531. "type": "client",
  1532. "logic": "POSITIVE",
  1533. "decisionStrategy": "UNANIMOUS",
  1534. "name": policy_name,
  1535. "clients": [source_client_id],
  1536. },
  1537. client_id=realm_management_id,
  1538. )["id"]
  1539. policies = admin.get_client_authz_client_policies(client_id=realm_management_id)
  1540. for policy in policies:
  1541. if policy["name"] == policy_name:
  1542. assert policy["clients"] == [source_client_id]
  1543. break
  1544. else:
  1545. raise AssertionError("Missing client policy")
  1547. # Update permissions on the target client to reference this policy
  1548. permission_name = admin.get_client_authz_scope_permission(
  1549. client_id=realm_management_id, scope_id=token_exchange_permission_id
  1550. )["name"]
  1551. admin.update_client_authz_scope_permission(
  1552. payload={
  1553. "id": token_exchange_permission_id,
  1554. "name": permission_name,
  1555. "type": "scope",
  1556. "logic": "POSITIVE",
  1557. "decisionStrategy": "UNANIMOUS",
  1558. "resources": [token_exchange_resource_id],
  1559. "scopes": [token_exchange_scope_id],
  1560. "policies": [client_policy_id],
  1561. },
  1562. client_id=realm_management_id,
  1563. scope_id=token_exchange_permission_id,
  1564. )
  1567. def test_email(admin: KeycloakAdmin, user: str):
  1568. """Test email.
  1570. :param admin: Keycloak Admin client
  1571. :type admin: KeycloakAdmin
  1572. :param user: Keycloak user
  1573. :type user: str
  1574. """
  1575. # Emails will fail as we don't have SMTP test setup
  1576. with pytest.raises(KeycloakPutError) as err:
  1577. admin.send_update_account(user_id=user, payload=dict())
  1578. assert err.match('500: b\'{"error":"unknown_error"}\'')
  1580. admin.update_user(user_id=user, payload={"enabled": True})
  1581. with pytest.raises(KeycloakPutError) as err:
  1582. admin.send_verify_email(user_id=user)
  1583. assert err.match('500: b\'{"errorMessage":"Failed to send execute actions email"}\'')
  1586. def test_get_sessions(admin: KeycloakAdmin):
  1587. """Test get sessions.
  1589. :param admin: Keycloak Admin client
  1590. :type admin: KeycloakAdmin
  1591. """
  1592. sessions = admin.get_sessions(user_id=admin.get_user_id(username=admin.username))
  1593. assert len(sessions) >= 1
  1594. with pytest.raises(KeycloakGetError) as err:
  1595. admin.get_sessions(user_id="bad")
  1596. assert err.match('404: b\'{"error":"User not found"}\'')
  1599. def test_get_client_installation_provider(admin: KeycloakAdmin, client: str):
  1600. """Test get client installation provider.
  1602. :param admin: Keycloak Admin client
  1603. :type admin: KeycloakAdmin
  1604. :param client: Keycloak client
  1605. :type client: str
  1606. """
  1607. with pytest.raises(KeycloakGetError) as err:
  1608. admin.get_client_installation_provider(client_id=client, provider_id="bad")
  1609. assert err.match('404: b\'{"error":"Unknown Provider"}\'')
  1611. installation = admin.get_client_installation_provider(
  1612. client_id=client, provider_id="keycloak-oidc-keycloak-json"
  1613. )
  1614. assert set(installation.keys()) == {
  1615. "auth-server-url",
  1616. "confidential-port",
  1617. "credentials",
  1618. "realm",
  1619. "resource",
  1620. "ssl-required",
  1621. }
  1624. def test_auth_flows(admin: KeycloakAdmin, realm: str):
  1625. """Test auth flows.
  1627. :param admin: Keycloak Admin client
  1628. :type admin: KeycloakAdmin
  1629. :param realm: Keycloak realm
  1630. :type realm: str
  1631. """
  1632. admin.realm_name = realm
  1634. res = admin.get_authentication_flows()
  1635. assert len(res) == 8, res
  1636. assert set(res[0].keys()) == {
  1637. "alias",
  1638. "authenticationExecutions",
  1639. "builtIn",
  1640. "description",
  1641. "id",
  1642. "providerId",
  1643. "topLevel",
  1644. }
  1645. assert {x["alias"] for x in res} == {
  1646. "reset credentials",
  1647. "browser",
  1648. "http challenge",
  1649. "registration",
  1650. "docker auth",
  1651. "direct grant",
  1652. "first broker login",
  1653. "clients",
  1654. }
  1656. with pytest.raises(KeycloakGetError) as err:
  1657. admin.get_authentication_flow_for_id(flow_id="bad")
  1658. assert err.match('404: b\'{"error":"Could not find flow with id"}\'')
  1659. browser_flow_id = [x for x in res if x["alias"] == "browser"][0]["id"]
  1660. res = admin.get_authentication_flow_for_id(flow_id=browser_flow_id)
  1661. assert res["alias"] == "browser"
  1663. # Test copying
  1664. with pytest.raises(KeycloakPostError) as err:
  1665. admin.copy_authentication_flow(payload=dict(), flow_alias="bad")
  1666. assert err.match("404: b''")
  1668. res = admin.copy_authentication_flow(payload={"newName": "test-browser"}, flow_alias="browser")
  1669. assert res == b"", res
  1670. assert len(admin.get_authentication_flows()) == 9
  1672. # Test create
  1673. res = admin.create_authentication_flow(
  1674. payload={"alias": "test-create", "providerId": "basic-flow"}
  1675. )
  1676. assert res == b""
  1677. with pytest.raises(KeycloakPostError) as err:
  1678. admin.create_authentication_flow(payload={"alias": "test-create", "builtIn": False})
  1679. assert err.match('409: b\'{"errorMessage":"Flow test-create already exists"}\'')
  1680. assert admin.create_authentication_flow(
  1681. payload={"alias": "test-create"}, skip_exists=True
  1682. ) == {"msg": "Already exists"}
  1684. # Test flow executions
  1685. res = admin.get_authentication_flow_executions(flow_alias="browser")
  1686. assert len(res) == 8, res
  1687. with pytest.raises(KeycloakGetError) as err:
  1688. admin.get_authentication_flow_executions(flow_alias="bad")
  1689. assert err.match("404: b''")
  1690. exec_id = res[0]["id"]
  1692. res = admin.get_authentication_flow_execution(execution_id=exec_id)
  1693. assert set(res.keys()) == {
  1694. "alternative",
  1695. "authenticator",
  1696. "authenticatorFlow",
  1697. "conditional",
  1698. "disabled",
  1699. "enabled",
  1700. "id",
  1701. "parentFlow",
  1702. "priority",
  1703. "required",
  1704. "requirement",
  1705. }, res
  1706. with pytest.raises(KeycloakGetError) as err:
  1707. admin.get_authentication_flow_execution(execution_id="bad")
  1708. assert err.match('404: b\'{"error":"Illegal execution"}\'')
  1710. with pytest.raises(KeycloakPostError) as err:
  1711. admin.create_authentication_flow_execution(payload=dict(), flow_alias="browser")
  1712. assert err.match('400: b\'{"error":"It is illegal to add execution to a built in flow"}\'')
  1714. res = admin.create_authentication_flow_execution(
  1715. payload={"provider": "auth-cookie"}, flow_alias="test-create"
  1716. )
  1717. assert res == b""
  1718. assert len(admin.get_authentication_flow_executions(flow_alias="test-create")) == 1
  1720. with pytest.raises(KeycloakPutError) as err:
  1721. admin.update_authentication_flow_executions(
  1722. payload={"required": "yes"}, flow_alias="test-create"
  1723. )
  1724. assert err.match('400: b\'{"error":"Unrecognized field')
  1725. payload = admin.get_authentication_flow_executions(flow_alias="test-create")[0]
  1726. payload["displayName"] = "test"
  1727. res = admin.update_authentication_flow_executions(payload=payload, flow_alias="test-create")
  1728. assert res
  1730. exec_id = admin.get_authentication_flow_executions(flow_alias="test-create")[0]["id"]
  1731. res = admin.delete_authentication_flow_execution(execution_id=exec_id)
  1732. assert res == dict()
  1733. with pytest.raises(KeycloakDeleteError) as err:
  1734. admin.delete_authentication_flow_execution(execution_id=exec_id)
  1735. assert err.match('404: b\'{"error":"Illegal execution"}\'')
  1737. # Test subflows
  1738. res = admin.create_authentication_flow_subflow(
  1739. payload={
  1740. "alias": "test-subflow",
  1741. "provider": "basic-flow",
  1742. "type": "something",
  1743. "description": "something",
  1744. },
  1745. flow_alias="test-browser",
  1746. )
  1747. assert res == b""
  1748. with pytest.raises(KeycloakPostError) as err:
  1749. admin.create_authentication_flow_subflow(
  1750. payload={"alias": "test-subflow", "providerId": "basic-flow"},
  1751. flow_alias="test-browser",
  1752. )
  1753. assert err.match('409: b\'{"errorMessage":"New flow alias name already exists"}\'')
  1754. res = admin.create_authentication_flow_subflow(
  1755. payload={
  1756. "alias": "test-subflow",
  1757. "provider": "basic-flow",
  1758. "type": "something",
  1759. "description": "something",
  1760. },
  1761. flow_alias="test-create",
  1762. skip_exists=True,
  1763. )
  1764. assert res == {"msg": "Already exists"}
  1766. # Test delete auth flow
  1767. flow_id = [x for x in admin.get_authentication_flows() if x["alias"] == "test-browser"][0][
  1768. "id"
  1769. ]
  1770. res = admin.delete_authentication_flow(flow_id=flow_id)
  1771. assert res == dict()
  1772. with pytest.raises(KeycloakDeleteError) as err:
  1773. admin.delete_authentication_flow(flow_id=flow_id)
  1774. assert err.match('404: b\'{"error":"Could not find flow with id"}\'')
  1777. def test_authentication_configs(admin: KeycloakAdmin, realm: str):
  1778. """Test authentication configs.
  1780. :param admin: Keycloak Admin client
  1781. :type admin: KeycloakAdmin
  1782. :param realm: Keycloak realm
  1783. :type realm: str
  1784. """
  1785. admin.realm_name = realm
  1787. # Test list of auth providers
  1788. res = admin.get_authenticator_providers()
  1789. assert len(res) == 38
  1791. res = admin.get_authenticator_provider_config_description(provider_id="auth-cookie")
  1792. assert res == {
  1793. "helpText": "Validates the SSO cookie set by the auth server.",
  1794. "name": "Cookie",
  1795. "properties": [],
  1796. "providerId": "auth-cookie",
  1797. }
  1799. # Test authenticator config
  1800. # Currently unable to find a sustainable way to fetch the config id,
  1801. # therefore testing only failures
  1802. with pytest.raises(KeycloakGetError) as err:
  1803. admin.get_authenticator_config(config_id="bad")
  1804. assert err.match('404: b\'{"error":"Could not find authenticator config"}\'')
  1806. with pytest.raises(KeycloakPutError) as err:
  1807. admin.update_authenticator_config(payload=dict(), config_id="bad")
  1808. assert err.match('404: b\'{"error":"Could not find authenticator config"}\'')
  1810. with pytest.raises(KeycloakDeleteError) as err:
  1811. admin.delete_authenticator_config(config_id="bad")
  1812. assert err.match('404: b\'{"error":"Could not find authenticator config"}\'')
  1815. def test_sync_users(admin: KeycloakAdmin, realm: str):
  1816. """Test sync users.
  1818. :param admin: Keycloak Admin client
  1819. :type admin: KeycloakAdmin
  1820. :param realm: Keycloak realm
  1821. :type realm: str
  1822. """
  1823. admin.realm_name = realm
  1825. # Only testing the error message
  1826. with pytest.raises(KeycloakPostError) as err:
  1827. admin.sync_users(storage_id="does-not-exist", action="triggerFullSync")
  1828. assert err.match('404: b\'{"error":"Could not find component"}\'')
  1831. def test_client_scopes(admin: KeycloakAdmin, realm: str):
  1832. """Test client scopes.
  1834. :param admin: Keycloak Admin client
  1835. :type admin: KeycloakAdmin
  1836. :param realm: Keycloak realm
  1837. :type realm: str
  1838. """
  1839. admin.realm_name = realm
  1841. # Test get client scopes
  1842. res = admin.get_client_scopes()
  1843. scope_names = {x["name"] for x in res}
  1844. assert len(res) == 10
  1845. assert "email" in scope_names
  1846. assert "profile" in scope_names
  1847. assert "offline_access" in scope_names
  1849. with pytest.raises(KeycloakGetError) as err:
  1850. admin.get_client_scope(client_scope_id="does-not-exist")
  1851. assert err.match('404: b\'{"error":"Could not find client scope"}\'')
  1853. scope = admin.get_client_scope(client_scope_id=res[0]["id"])
  1854. assert res[0] == scope
  1856. scope = admin.get_client_scope_by_name(client_scope_name=res[0]["name"])
  1857. assert res[0] == scope
  1859. # Test create client scope
  1860. res = admin.create_client_scope(payload={"name": "test-scope"}, skip_exists=True)
  1861. assert res
  1862. res2 = admin.create_client_scope(payload={"name": "test-scope"}, skip_exists=True)
  1863. assert res == res2
  1864. with pytest.raises(KeycloakPostError) as err:
  1865. admin.create_client_scope(payload={"name": "test-scope"}, skip_exists=False)
  1866. assert err.match('409: b\'{"errorMessage":"Client Scope test-scope already exists"}\'')
  1868. # Test update client scope
  1869. with pytest.raises(KeycloakPutError) as err:
  1870. admin.update_client_scope(client_scope_id="does-not-exist", payload=dict())
  1871. assert err.match('404: b\'{"error":"Could not find client scope"}\'')
  1873. res_update = admin.update_client_scope(
  1874. client_scope_id=res, payload={"name": "test-scope-update"}
  1875. )
  1876. assert res_update == dict()
  1877. admin.get_client_scope(client_scope_id=res)["name"] == "test-scope-update"
  1879. # Test get mappers
  1880. mappers = admin.get_mappers_from_client_scope(client_scope_id=res)
  1881. assert mappers == list()
  1883. # Test add mapper
  1884. with pytest.raises(KeycloakPostError) as err:
  1885. admin.add_mapper_to_client_scope(client_scope_id=res, payload=dict())
  1886. assert err.match('404: b\'{"error":"ProtocolMapper provider not found"}\'')
  1888. res_add = admin.add_mapper_to_client_scope(
  1889. client_scope_id=res,
  1890. payload={
  1891. "name": "test-mapper",
  1892. "protocol": "openid-connect",
  1893. "protocolMapper": "oidc-usermodel-attribute-mapper",
  1894. },
  1895. )
  1896. assert res_add == b""
  1897. assert len(admin.get_mappers_from_client_scope(client_scope_id=res)) == 1
  1899. # Test update mapper
  1900. test_mapper = admin.get_mappers_from_client_scope(client_scope_id=res)[0]
  1901. with pytest.raises(KeycloakPutError) as err:
  1902. admin.update_mapper_in_client_scope(
  1903. client_scope_id="does-not-exist", protocol_mapper_id=test_mapper["id"], payload=dict()
  1904. )
  1905. assert err.match('404: b\'{"error":"Could not find client scope"}\'')
  1906. test_mapper["config"]["user.attribute"] = "test"
  1907. res_update = admin.update_mapper_in_client_scope(
  1908. client_scope_id=res, protocol_mapper_id=test_mapper["id"], payload=test_mapper
  1909. )
  1910. assert res_update == dict()
  1911. assert (
  1912. admin.get_mappers_from_client_scope(client_scope_id=res)[0]["config"]["user.attribute"]
  1913. == "test"
  1914. )
  1916. # Test delete mapper
  1917. res_del = admin.delete_mapper_from_client_scope(
  1918. client_scope_id=res, protocol_mapper_id=test_mapper["id"]
  1919. )
  1920. assert res_del == dict()
  1921. with pytest.raises(KeycloakDeleteError) as err:
  1922. admin.delete_mapper_from_client_scope(
  1923. client_scope_id=res, protocol_mapper_id=test_mapper["id"]
  1924. )
  1925. assert err.match('404: b\'{"error":"Model not found"}\'')
  1927. # Test default default scopes
  1928. res_defaults = admin.get_default_default_client_scopes()
  1929. assert len(res_defaults) == 6
  1931. with pytest.raises(KeycloakPutError) as err:
  1932. admin.add_default_default_client_scope(scope_id="does-not-exist")
  1933. assert err.match('404: b\'{"error":"Client scope not found"}\'')
  1935. res_add = admin.add_default_default_client_scope(scope_id=res)
  1936. assert res_add == dict()
  1937. assert len(admin.get_default_default_client_scopes()) == 7
  1939. with pytest.raises(KeycloakDeleteError) as err:
  1940. admin.delete_default_default_client_scope(scope_id="does-not-exist")
  1941. assert err.match('404: b\'{"error":"Client scope not found"}\'')
  1943. res_del = admin.delete_default_default_client_scope(scope_id=res)
  1944. assert res_del == dict()
  1945. assert len(admin.get_default_default_client_scopes()) == 6
  1947. # Test default optional scopes
  1948. res_defaults = admin.get_default_optional_client_scopes()
  1949. assert len(res_defaults) == 4
  1951. with pytest.raises(KeycloakPutError) as err:
  1952. admin.add_default_optional_client_scope(scope_id="does-not-exist")
  1953. assert err.match('404: b\'{"error":"Client scope not found"}\'')
  1955. res_add = admin.add_default_optional_client_scope(scope_id=res)
  1956. assert res_add == dict()
  1957. assert len(admin.get_default_optional_client_scopes()) == 5
  1959. with pytest.raises(KeycloakDeleteError) as err:
  1960. admin.delete_default_optional_client_scope(scope_id="does-not-exist")
  1961. assert err.match('404: b\'{"error":"Client scope not found"}\'')
  1963. res_del = admin.delete_default_optional_client_scope(scope_id=res)
  1964. assert res_del == dict()
  1965. assert len(admin.get_default_optional_client_scopes()) == 4
  1967. # Test client scope delete
  1968. res_del = admin.delete_client_scope(client_scope_id=res)
  1969. assert res_del == dict()
  1970. with pytest.raises(KeycloakDeleteError) as err:
  1971. admin.delete_client_scope(client_scope_id=res)
  1972. assert err.match('404: b\'{"error":"Could not find client scope"}\'')
  1975. def test_components(admin: KeycloakAdmin, realm: str):
  1976. """Test components.
  1978. :param admin: Keycloak Admin client
  1979. :type admin: KeycloakAdmin
  1980. :param realm: Keycloak realm
  1981. :type realm: str
  1982. """
  1983. admin.realm_name = realm
  1985. # Test get components
  1986. res = admin.get_components()
  1987. assert len(res) == 12
  1989. with pytest.raises(KeycloakGetError) as err:
  1990. admin.get_component(component_id="does-not-exist")
  1991. assert err.match('404: b\'{"error":"Could not find component"}\'')
  1993. res_get = admin.get_component(component_id=res[0]["id"])
  1994. assert res_get == res[0]
  1996. # Test create component
  1997. with pytest.raises(KeycloakPostError) as err:
  1998. admin.create_component(payload={"bad": "dict"})
  1999. assert err.match('400: b\'{"error":"Unrecognized field')
  2001. res = admin.create_component(
  2002. payload={
  2003. "name": "Test Component",
  2004. "providerId": "max-clients",
  2005. "providerType": "org.keycloak.services.clientregistration."
  2006. + "policy.ClientRegistrationPolicy",
  2007. "config": {"max-clients": ["1000"]},
  2008. }
  2009. )
  2010. assert res
  2011. assert admin.get_component(component_id=res)["name"] == "Test Component"
  2013. # Test update component
  2014. component = admin.get_component(component_id=res)
  2015. component["name"] = "Test Component Update"
  2017. with pytest.raises(KeycloakPutError) as err:
  2018. admin.update_component(component_id="does-not-exist", payload=dict())
  2019. assert err.match('404: b\'{"error":"Could not find component"}\'')
  2020. res_upd = admin.update_component(component_id=res, payload=component)
  2021. assert res_upd == dict()
  2022. assert admin.get_component(component_id=res)["name"] == "Test Component Update"
  2024. # Test delete component
  2025. res_del = admin.delete_component(component_id=res)
  2026. assert res_del == dict()
  2027. with pytest.raises(KeycloakDeleteError) as err:
  2028. admin.delete_component(component_id=res)
  2029. assert err.match('404: b\'{"error":"Could not find component"}\'')
  2032. def test_keys(admin: KeycloakAdmin, realm: str):
  2033. """Test keys.
  2035. :param admin: Keycloak Admin client
  2036. :type admin: KeycloakAdmin
  2037. :param realm: Keycloak realm
  2038. :type realm: str
  2039. """
  2040. admin.realm_name = realm
  2041. assert set(admin.get_keys()["active"].keys()) == {"AES", "HS256", "RS256", "RSA-OAEP"}
  2042. assert {k["algorithm"] for k in admin.get_keys()["keys"]} == {
  2043. "HS256",
  2044. "RSA-OAEP",
  2045. "AES",
  2046. "RS256",
  2047. }
  2050. def test_events(admin: KeycloakAdmin, realm: str):
  2051. """Test events.
  2053. :param admin: Keycloak Admin client
  2054. :type admin: KeycloakAdmin
  2055. :param realm: Keycloak realm
  2056. :type realm: str
  2057. """
  2058. admin.realm_name = realm
  2060. events = admin.get_events()
  2061. assert events == list()
  2063. with pytest.raises(KeycloakPutError) as err:
  2064. admin.set_events(payload={"bad": "conf"})
  2065. assert err.match('400: b\'{"error":"Unrecognized field')
  2067. res = admin.set_events(payload={"adminEventsDetailsEnabled": True, "adminEventsEnabled": True})
  2068. assert res == dict()
  2070. admin.create_client(payload={"name": "test", "clientId": "test"})
  2072. events = admin.get_events()
  2073. assert events == list()
  2076. def test_auto_refresh(admin: KeycloakAdmin, realm: str):
  2077. """Test auto refresh token.
  2079. :param admin: Keycloak Admin client
  2080. :type admin: KeycloakAdmin
  2081. :param realm: Keycloak realm
  2082. :type realm: str
  2083. """
  2084. # Test get refresh
  2085. admin.auto_refresh_token = list()
  2086. admin.connection = ConnectionManager(
  2087. base_url=admin.server_url,
  2088. headers={"Authorization": "Bearer bad", "Content-Type": "application/json"},
  2089. timeout=60,
  2090. verify=admin.verify,
  2091. )
  2093. with pytest.raises(KeycloakAuthenticationError) as err:
  2094. admin.get_realm(realm_name=realm)
  2095. assert err.match('401: b\'{"error":"HTTP 401 Unauthorized"}\'')
  2097. admin.auto_refresh_token = ["get"]
  2098. del admin.token["refresh_token"]
  2099. assert admin.get_realm(realm_name=realm)
  2101. # Test bad refresh token
  2102. admin.connection = ConnectionManager(
  2103. base_url=admin.server_url,
  2104. headers={"Authorization": "Bearer bad", "Content-Type": "application/json"},
  2105. timeout=60,
  2106. verify=admin.verify,
  2107. )
  2108. admin.token["refresh_token"] = "bad"
  2109. with pytest.raises(KeycloakPostError) as err:
  2110. admin.get_realm(realm_name="test-refresh")
  2111. assert err.match(
  2112. '400: b\'{"error":"invalid_grant","error_description":"Invalid refresh token"}\''
  2113. )
  2114. admin.realm_name = "master"
  2115. admin.get_token()
  2116. admin.realm_name = realm
  2118. # Test post refresh
  2119. admin.connection = ConnectionManager(
  2120. base_url=admin.server_url,
  2121. headers={"Authorization": "Bearer bad", "Content-Type": "application/json"},
  2122. timeout=60,
  2123. verify=admin.verify,
  2124. )
  2125. with pytest.raises(KeycloakAuthenticationError) as err:
  2126. admin.create_realm(payload={"realm": "test-refresh"})
  2127. assert err.match('401: b\'{"error":"HTTP 401 Unauthorized"}\'')
  2129. admin.auto_refresh_token = ["get", "post"]
  2130. admin.realm_name = "master"
  2131. admin.user_logout(user_id=admin.get_user_id(username=admin.username))
  2132. assert admin.create_realm(payload={"realm": "test-refresh"}) == b""
  2133. admin.realm_name = realm
  2135. # Test update refresh
  2136. admin.connection = ConnectionManager(
  2137. base_url=admin.server_url,
  2138. headers={"Authorization": "Bearer bad", "Content-Type": "application/json"},
  2139. timeout=60,
  2140. verify=admin.verify,
  2141. )
  2142. with pytest.raises(KeycloakAuthenticationError) as err:
  2143. admin.update_realm(realm_name="test-refresh", payload={"accountTheme": "test"})
  2144. assert err.match('401: b\'{"error":"HTTP 401 Unauthorized"}\'')
  2146. admin.auto_refresh_token = ["get", "post", "put"]
  2147. assert (
  2148. admin.update_realm(realm_name="test-refresh", payload={"accountTheme": "test"}) == dict()
  2149. )
  2151. # Test delete refresh
  2152. admin.connection = ConnectionManager(
  2153. base_url=admin.server_url,
  2154. headers={"Authorization": "Bearer bad", "Content-Type": "application/json"},
  2155. timeout=60,
  2156. verify=admin.verify,
  2157. )
  2158. with pytest.raises(KeycloakAuthenticationError) as err:
  2159. admin.delete_realm(realm_name="test-refresh")
  2160. assert err.match('401: b\'{"error":"HTTP 401 Unauthorized"}\'')
  2162. admin.auto_refresh_token = ["get", "post", "put", "delete"]
  2163. assert admin.delete_realm(realm_name="test-refresh") == dict()
  2166. def test_get_required_actions(admin: KeycloakAdmin, realm: str):
  2167. """Test required actions.
  2169. :param admin: Keycloak Admin client
  2170. :type admin: KeycloakAdmin
  2171. :param realm: Keycloak realm
  2172. :type realm: str
  2173. """
  2174. admin.realm_name = realm
  2175. ractions = admin.get_required_actions()
  2176. assert isinstance(ractions, list)
  2177. for ra in ractions:
  2178. for key in [
  2179. "alias",
  2180. "name",
  2181. "providerId",
  2182. "enabled",
  2183. "defaultAction",
  2184. "priority",
  2185. "config",
  2186. ]:
  2187. assert key in ra
  2190. def test_get_required_action_by_alias(admin: KeycloakAdmin, realm: str):
  2191. """Test get required action by alias.
  2193. :param admin: Keycloak Admin client
  2194. :type admin: KeycloakAdmin
  2195. :param realm: Keycloak realm
  2196. :type realm: str
  2197. """
  2198. admin.realm_name = realm
  2199. ractions = admin.get_required_actions()
  2200. ra = admin.get_required_action_by_alias("UPDATE_PASSWORD")
  2201. assert ra in ractions
  2202. assert ra["alias"] == "UPDATE_PASSWORD"
  2203. assert admin.get_required_action_by_alias("does-not-exist") is None
  2206. def test_update_required_action(admin: KeycloakAdmin, realm: str):
  2207. """Test update required action.
  2209. :param admin: Keycloak Admin client
  2210. :type admin: KeycloakAdmin
  2211. :param realm: Keycloak realm
  2212. :type realm: str
  2213. """
  2214. admin.realm_name = realm
  2215. ra = admin.get_required_action_by_alias("UPDATE_PASSWORD")
  2216. old = copy.deepcopy(ra)
  2217. ra["enabled"] = False
  2218. admin.update_required_action("UPDATE_PASSWORD", ra)
  2219. newra = admin.get_required_action_by_alias("UPDATE_PASSWORD")
  2220. assert old != newra
  2221. assert newra["enabled"] is False
  2224. def test_get_composite_client_roles_of_group(
  2225. admin: KeycloakAdmin, realm: str, client: str, group: str, composite_client_role: str
  2226. ):
  2227. """Test get composite client roles of group.
  2229. :param admin: Keycloak Admin client
  2230. :type admin: KeycloakAdmin
  2231. :param realm: Keycloak realm
  2232. :type realm: str
  2233. :param client: Keycloak client
  2234. :type client: str
  2235. :param group: Keycloak group
  2236. :type group: str
  2237. :param composite_client_role: Composite client role
  2238. :type composite_client_role: str
  2239. """
  2240. admin.realm_name = realm
  2241. role = admin.get_client_role(client, composite_client_role)
  2242. admin.assign_group_client_roles(group_id=group, client_id=client, roles=[role])
  2243. result = admin.get_composite_client_roles_of_group(client, group)
  2244. assert role["id"] in [x["id"] for x in result]
  2247. def test_get_role_client_level_children(
  2248. admin: KeycloakAdmin, realm: str, client: str, composite_client_role: str, client_role: str
  2249. ):
  2250. """Test get children of composite client role.
  2252. :param admin: Keycloak Admin client
  2253. :type admin: KeycloakAdmin
  2254. :param realm: Keycloak realm
  2255. :type realm: str
  2256. :param client: Keycloak client
  2257. :type client: str
  2258. :param composite_client_role: Composite client role
  2259. :type composite_client_role: str
  2260. :param client_role: Client role
  2261. :type client_role: str
  2262. """
  2263. admin.realm_name = realm
  2264. child = admin.get_client_role(client, client_role)
  2265. parent = admin.get_client_role(client, composite_client_role)
  2266. res = admin.get_role_client_level_children(client, parent["id"])
  2267. assert child["id"] in [x["id"] for x in res]
  2270. def test_upload_certificate(admin: KeycloakAdmin, realm: str, client: str, selfsigned_cert: tuple):
  2271. """Test upload certificate.
  2273. :param admin: Keycloak Admin client
  2274. :type admin: KeycloakAdmin
  2275. :param realm: Keycloak realm
  2276. :type realm: str
  2277. :param client: Keycloak client
  2278. :type client: str
  2279. :param selfsigned_cert: Selfsigned certificates
  2280. :type selfsigned_cert: tuple
  2281. """
  2282. admin.realm_name = realm
  2283. cert, _ = selfsigned_cert
  2284. cert = cert.decode("utf-8").strip()
  2285. admin.upload_certificate(client, cert)
  2286. cl = admin.get_client(client)
  2287. assert cl["attributes"]["jwt.credential.certificate"] == "".join(cert.splitlines()[1:-1])