Fix tests with kc 25
Signed-off-by: Clément Dufaure <[email protected]>
clement-dufaure committed Sep 25, 2024
1 parent 2ba33a5 commit b805f63
Showing 4 changed files with 90 additions and 22 deletions.
5 changes: 3 additions & 2 deletions README.en.md
Expand Up @@ -26,8 +26,9 @@ This [Keycloak](https://www.keycloak.org) plugin adds an identity provider allow

## Compatibility

* The version 6.2.0 of this plugin is compatible with Keycloak `24.0.0` and higher. It's configurable with UI.
* The version 6.1.0 of this plugin is compatible with Keycloak `22.0.0` and higher. (not configurable with UI)
* The version 7.0.0 of this plugin is compatible with Keycloak `25.0.0` and higher.
* The version 6.2.0 of this plugin is compatible with Keycloak `24.x.y`. It's configurable with UI.
* The version 6.1.0 of this plugin is compatible with Keycloak `22.0.0` until `24.x.y`. (not configurable with UI)
* The version 5.0.0 of this plugin is compatible with Keycloak `21.x.y`. (not configurable with UI)
* The version 4.0.0 of this plugin is compatible with Keycloak `15.0.0` until `20.0.0`. (not configurable with UI starting keycloak 19)
* The version 2.1 up to 3.0.0 of this plugin is compatible with Keycloak `9.0.2` until `15.0.0`.
5 changes: 3 additions & 2 deletions README.md
Expand Up @@ -40,8 +40,9 @@ Pour toutes questions sur l'utilisation de cette extension, n'hésitez pas à ou

## Compatibilité

- La version 6.2.0 est compatible avec Keycloak `24.0.0` et supérieur. L'ihm d'administration est fonctionnelle.
- La version 6.1.0 est compatible avec Keycloak `22.0.0` et supérieur. (non configurable par ihm)
- La version 7.0.0 est compatible avec Keycloak `25.0.0` et supérieur.
- La version 6.2.0 est compatible avec Keycloak `24.x.y`. L'ihm d'administration est fonctionnelle.
- La version 6.1.0 est compatible avec Keycloak `22.0.0` jusqu'à `24.x.y`. (non configurable par ihm)
- La version 5.0.0 est compatible avec Keycloak `21.x.y`. (non configurable par ihm)
- La version 4.0.0 est compatible avec Keycloak `15.0.0` jusqu'à `20.0.0`. (non configurable par ihm à partir de keycloak 19)
- La version 2.1 jusqu'à 3.0.0 est compatible avec Keycloak `9.0.2` jusqu'à `15.0.0`.
Expand Up @@ -49,8 +49,9 @@ void setup() throws IOException {
httpClientProvider = mock(HttpClientProvider.class);
httpClient = mock(CloseableHttpClient.class);

when(httpClientProvider.get(config.getJwksUrl()))
.thenAnswer(answer -> new ByteArrayInputStream(publicKeysStore.toJsonByteArray()));
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());
when(httpClientProvider.getMaxConsumedResponseSize()).thenCallRealMethod();
session = givenKeycloakSession(httpClientProvider, httpClient);

provider = new AgentConnectIdentityProvider(session, config);
Expand Down Expand Up @@ -107,10 +108,16 @@ void should_throw_exception_when_no_public_key_found_in_json_web_key_set_for_asy
}

@Test
void should_validate_rs256_signed_token() {
void should_validate_rs256_signed_token() throws IOException {
var kid = "RSA-KID";
var encodedToken = givenAnRSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore);

// JWKS Reload should find the publicKey added by the givenAnRSA method
var token = provider.validateToken(givenAnRSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore));
// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var token = provider.validateToken(encodedToken);

assertThat(token).isNotNull();
assertThat(token.getSubject()).isEqualTo("fakeSub");
Expand All @@ -120,10 +127,17 @@ void should_validate_rs256_signed_token() {
}

@Test
void should_validate_es256_signed_token() {
void should_validate_es256_signed_token() throws IOException {
var kid = "ECDSA-KID";
// JWKS Reload should find the publicKey added by the givenAnECDSA method
var token = provider.validateToken(givenAnECDSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore));

var encodedToken = givenAnECDSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore);

// JWKS Reload should find the publicKey added by the givenAnRSA method
// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var token = provider.validateToken(encodedToken);

assertThat(token).isNotNull();
assertThat(token.getSubject()).isEqualTo("fakeSub");
Expand All @@ -148,11 +162,15 @@ void setup() throws IOException {
}

@Test
void id_token_acr_claim_should_match_with_selected_eidas_level_from_admin_interface() {
void id_token_acr_claim_should_match_with_selected_eidas_level_from_admin_interface() throws IOException {
var kid = "RSA-KID";
var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
var signedIdToken = givenAnRSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore);

// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, signedIdToken);

var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
Expand All @@ -166,11 +184,15 @@ void id_token_acr_claim_should_match_with_selected_eidas_level_from_admin_interf
}

@Test
void should_throw_exception_when_id_token_acr_claim_does_not_match_with_the_selected_eidas_level_from_admin_interface() {
void should_throw_exception_when_id_token_acr_claim_does_not_match_with_the_selected_eidas_level_from_admin_interface() throws IOException {
var kid = "RSA-KID";
var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
var signedIdTokenWithEidas1 = givenAnRSASignedJWTWithRegisteredKidInJWKS(kid, EIDAS1_JWT, publicKeysStore);

// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, signedIdTokenWithEidas1);

assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
Expand All @@ -179,11 +201,15 @@ void should_throw_exception_when_id_token_acr_claim_does_not_match_with_the_sele
}

@Test
void should_throw_exception_when_id_token_does_not_contains_acr_claim() {
void should_throw_exception_when_id_token_does_not_contains_acr_claim() throws IOException {
var kid = "RSA-KID";
var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
var signedIdTokenWithoutEidasLevel = givenAnRSASignedJWTWithRegisteredKidInJWKS(kid, NO_EIDAS_LEVEL_JWT, publicKeysStore);

// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, signedIdTokenWithoutEidasLevel);

assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
Expand All @@ -192,11 +218,15 @@ void should_throw_exception_when_id_token_does_not_contains_acr_claim() {
}

@Test
void should_throw_exception_when_id_token_contains_acr_claim_who_does_not_match_with_a_supported_eidas_level() {
void should_throw_exception_when_id_token_contains_acr_claim_who_does_not_match_with_a_supported_eidas_level() throws IOException {
var kid = "RSA-KID";
var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
var signedIdTokenWithoutEidasLevel = givenAnRSASignedJWTWithRegisteredKidInJWKS(kid, UNSUPPORTED_EIDAS_LEVEL_JWT, publicKeysStore);

// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, signedIdTokenWithoutEidasLevel);

assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
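Review bot: The new setup stub `when(httpClientProvider.getString(config.getJwksUrl())).thenReturn(publicKeysStore.toJsonFormat())` evaluates `toJsonFormat()` once at setup time, before any test has registered its signing key, which is what forces every test in this hunk to repeat the same three-line stub after its `givenAn…WithRegisteredKidInJWKS` helper. Stubbing lazily in `setup()` instead, `when(httpClientProvider.getString(config.getJwksUrl())).thenAnswer(invocation -> publicKeysStore.toJsonFormat());`, keeps the behaviour the removed `get(...)`/`thenAnswer` stub had (the current key set is serialized on each JWKS reload) and lets all the per-test re-stubs be dropped; the same applies to the FranceConnectIdentityProviderTest setup in this commit. The repeated comment `// set request with uptated keystore` has a typo (`updated`), and in `should_validate_es256_signed_token` the copied comment still says `givenAnRSA method` although the key is registered by `givenAnECDSASignedEidas2JWTWithRegisteredKidInJWKS`. The `setup()` signature and the end of its body lie outside the hunk.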
Expand Up @@ -55,18 +55,17 @@ void setup() throws IOException {
httpClientProvider = mock(HttpClientProvider.class);
httpClient = mock(CloseableHttpClient.class);

when(httpClientProvider.get(config.getJwksUrl()))
.thenAnswer(
answer -> new ByteArrayInputStream(publicKeysStore.toJsonByteArray())
);
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());
when(httpClientProvider.getMaxConsumedResponseSize()).thenCallRealMethod();
session = givenKeycloakSession(httpClientProvider, httpClient);

provider = new FranceConnectIdentityProvider(session, config);
}

@Test
void should_load_jwks_from_jwks_url_when_configuration_supports_jwks() throws IOException {
verify(httpClientProvider, times(1)).get(config.getJwksUrl());
verify(httpClientProvider, times(1)).getString(config.getJwksUrl());

var noJWKSSupportsConfig = givenConfigForIntegrationV1AndEidasLevel2();
var httpClientProvider = mock(HttpClientProvider.class);
Expand Down Expand Up @@ -158,9 +157,15 @@ void should_search_in_vault_for_secret_key_on_hs256_token_validation() {
}

@Test
void should_validate_rsa_oaep_encrypted_token_for_eidas2_and_eidas3_levels() {
void should_validate_rsa_oaep_encrypted_token_for_eidas2_and_eidas3_levels() throws IOException {
var encodedToken = givenAnRSAOAEPJWEForAnECDSASignedEidas2JWTWithRegisteredKidInJWKS("ECDSA-KID", publicKeysStore, rsaKey);

// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var token = provider.validateToken(
givenAnRSAOAEPJWEForAnECDSASignedEidas2JWTWithRegisteredKidInJWKS("ECDSA-KID", publicKeysStore, rsaKey)
encodedToken
);

assertThat(token).isNotNull();
Expand Down Expand Up @@ -237,6 +242,10 @@ void should_extract_information_from_JWE_userinfo_endpoint_response_for_eidas2_a

var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdToken);

// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);

assertThat(brokeredIdentityContext).isNotNull();
Expand Down Expand Up @@ -264,6 +273,10 @@ void id_token_acr_claim_should_match_with_selected_eidas_level_from_admin_interf
var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
var jweIdToken = givenAnRSAOAEPJWEForAnECDSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore, rsaKey);

// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdToken);

var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
Expand Down Expand Up @@ -292,6 +305,10 @@ void should_extract_information_from_JWT_userinfo_endpoint_response_for_eidas1()
var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
var jweIdToken = SignatureUtils.givenAnECDSASignedJWTWithRegisteredKidInJWKS(kid, EIDAS1_JWT, publicKeysStore);

// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdToken);

var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
Expand All @@ -317,6 +334,10 @@ void should_extract_information_from_userinfo_endpoint_response_for_json_media_t
var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
var jweIdToken = givenAnRSAOAEPJWEForAnECDSASignedEidas2JWTWithRegisteredKidInJWKS(kid, publicKeysStore, rsaKey);

// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdToken);

var brokeredIdentityContext = provider.getFederatedIdentity(tokenEndpointResponse);
Expand Down Expand Up @@ -349,6 +370,10 @@ void should_throw_exception_when_id_token_acr_claim_does_not_match_with_the_sele
givenAnECDSASignedJWTWithRegisteredKidInJWKS(kid, EIDAS1_JWT, publicKeysStore)
);

// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdTokenWithEidas1);

assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
Expand All @@ -369,13 +394,20 @@ void should_throw_exception_when_id_token_does_not_contains_acr_claim() throws I
when(httpClient.execute(any()))
.thenAnswer(answer -> httpResponse);

// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var kid = "ECDSA-KID";
var opaqueAccessToken = "2b3ea2e8-2d11-49a4-a369-5fb98d9d5315";
var jweIdTokenWithoutEidasLevel = givenAnRSAOAEPJWE(
rsaKey,
givenAnECDSASignedJWTWithRegisteredKidInJWKS(kid, NO_EIDAS_LEVEL_JWT, publicKeysStore)
);

when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdTokenWithoutEidasLevel);

assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
Expand Down Expand Up @@ -403,6 +435,10 @@ void should_throw_exception_when_id_token_contains_acr_claim_who_does_not_match_
givenAnECDSASignedJWTWithRegisteredKidInJWKS(kid, UNSUPPORTED_EIDAS_LEVEL_JWT, publicKeysStore)
);

// set request with uptated keystore
when(httpClientProvider.getString(config.getJwksUrl())).
thenReturn(publicKeysStore.toJsonFormat());

var tokenEndpointResponse = generateTokenEndpointResponse(opaqueAccessToken, jweIdTokenWithoutEidasLevel);

assertThatThrownBy(() -> provider.getFederatedIdentity(tokenEndpointResponse))
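Review bot: In `should_throw_exception_when_id_token_does_not_contains_acr_claim` the JWKS stub is added twice: the first copy, placed right after the `httpClient.execute` stub, runs before `givenAnECDSASignedJWTWithRegisteredKidInJWKS` has registered the key, so it captures a JWKS without the kid under test and is then simply replaced by the second copy after the token is built. The first copy should be removed so the test stubs once after key registration, like the other tests in this file. The `verify(httpClientProvider, times(1)).getString(config.getJwksUrl())` update is consistent with the setup now stubbing `getString`, though whether the provider still fetches the JWKS exactly once at construction cannot be confirmed from the hunk. The body of that test continues past the hunk.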
