From 6725a87f8f243a37557976b6d4886904d55dfdb7 Mon Sep 17 00:00:00 2001 From: Mauro Mugnaini Date: Thu, 17 Nov 2022 17:26:40 +0100 Subject: [PATCH] Added `protocol-mapper` module with `GCubeContextMapper` and related unit tests --- pom.xml | 1 + protocol-mapper/CHANGELOG.md | 6 + protocol-mapper/FUNDING.md | 26 ++ protocol-mapper/LICENSE.md | 311 ++++++++++++++++++ protocol-mapper/README.md | 53 +++ protocol-mapper/pom.xml | 48 +++ .../oidc/mapper/GCubeContextMapper.java | 96 ++++++ .../org.keycloak.protocol.ProtocolMapper | 1 + .../oidc/mapper/GCubeContextMapperTest.java | 145 ++++++++ .../oidc/mapper/NoDuplicateMapperTest.java | 25 ++ protocol-mapper/src/test/resources/log4j.xml | 24 ++ 11 files changed, 736 insertions(+) create mode 100644 protocol-mapper/CHANGELOG.md create mode 100644 protocol-mapper/FUNDING.md create mode 100644 protocol-mapper/LICENSE.md create mode 100644 protocol-mapper/README.md create mode 100644 protocol-mapper/pom.xml create mode 100644 protocol-mapper/src/main/java/org/gcube/keycloak/protocol/oidc/mapper/GCubeContextMapper.java create mode 100644 protocol-mapper/src/main/resources/META-INF/services/org.keycloak.protocol.ProtocolMapper create mode 100644 protocol-mapper/src/test/java/org/gcube/keycloak/protocol/oidc/mapper/GCubeContextMapperTest.java create mode 100644 protocol-mapper/src/test/java/org/gcube/keycloak/protocol/oidc/mapper/NoDuplicateMapperTest.java create mode 100644 protocol-mapper/src/test/resources/log4j.xml diff --git a/pom.xml b/pom.xml index 6bb3510..11cc4a8 100644 --- a/pom.xml +++ b/pom.xml @@ -32,6 +32,7 @@ keycloak-d4science-script keycloak-d4science-theme ldap-storage-mapper + protocol-mapper diff --git a/protocol-mapper/CHANGELOG.md b/protocol-mapper/CHANGELOG.md new file mode 100644 index 0000000..e508305 --- /dev/null +++ b/protocol-mapper/CHANGELOG.md 
@@ -0,0 +1,6 @@ +This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +# Changelog for "identity-provider-mapper" + +## [v2.1.0-SNAPSHOT] +- Added new module to make the protocol mappers available diff --git a/protocol-mapper/FUNDING.md b/protocol-mapper/FUNDING.md new file mode 100644 index 0000000..6fa9eac --- /dev/null +++ b/protocol-mapper/FUNDING.md 
@@ -0,0 +1,26 @@ +# Acknowledgments + +The projects leading to this software have received funding from a series of European Union programmes including: + +- the Sixth Framework Programme for Research and Technological Development + - [DILIGENT](https://cordis.europa.eu/project/id/004260) (grant no. 004260). +- the Seventh Framework Programme for research, technological development and demonstration + - [D4Science](https://cordis.europa.eu/project/id/212488) (grant no. 212488); + - [D4Science-II](https://cordis.europa.eu/project/id/239019) (grant no.239019); + - [ENVRI](https://cordis.europa.eu/project/id/283465) (grant no. 283465); + - [iMarine](https://cordis.europa.eu/project/id/283644) (grant no. 283644); + - [EUBrazilOpenBio](https://cordis.europa.eu/project/id/288754) (grant no. 288754). +- the H2020 research and innovation programme + - [SoBigData](https://cordis.europa.eu/project/id/654024) (grant no. 654024); + - [PARTHENOS](https://cordis.europa.eu/project/id/654119) (grant no. 654119); + - [EGI-Engage](https://cordis.europa.eu/project/id/654142) (grant no. 654142); + - [ENVRI PLUS](https://cordis.europa.eu/project/id/654182) (grant no. 654182); + - [BlueBRIDGE](https://cordis.europa.eu/project/id/675680) (grant no. 675680); + - [PerformFISH](https://cordis.europa.eu/project/id/727610) (grant no. 727610); + - [AGINFRA PLUS](https://cordis.europa.eu/project/id/731001) (grant no. 731001); + - [DESIRA](https://cordis.europa.eu/project/id/818194) (grant no. 818194); + - [ARIADNEplus](https://cordis.europa.eu/project/id/823914) (grant no. 823914); + - [RISIS 2](https://cordis.europa.eu/project/id/824091) (grant no. 824091); + - [EOSC-Pillar](https://cordis.europa.eu/project/id/857650) (grant no. 857650); + - [Blue Cloud](https://cordis.europa.eu/project/id/862409) (grant no. 862409); + - [SoBigData-PlusPlus](https://cordis.europa.eu/project/id/871042) (grant no. 871042); \ No newline at end of file 
diff --git a/protocol-mapper/LICENSE.md b/protocol-mapper/LICENSE.md new file mode 100644 index 0000000..1932b4c --- /dev/null +++ b/protocol-mapper/LICENSE.md 
@@ -0,0 +1,311 @@ +#European Union Public Licence V.1.1 + +##*EUPL © the European Community 2007* + + +This **European Union Public Licence** (the **“EUPL”**) applies to the Work or Software +(as defined below) which is provided under the terms of this Licence. Any use of +the Work, other than as authorised under this Licence is prohibited (to the +extent such use is covered by a right of the copyright holder of the Work). + +The Original Work is provided under the terms of this Licence when the Licensor +(as defined below) has placed the following notice immediately following the +copyright notice for the Original Work: + +**Licensed under the EUPL V.1.1** + +or has expressed by any other mean his willingness to license under the EUPL. + + + +##1. Definitions + +In this Licence, the following terms have the following meaning: + +- The Licence: this Licence. + +- The Original Work or the Software: the software distributed and/or + communicated by the Licensor under this Licence, available as Source Code and + also as Executable Code as the case may be. + +- Derivative Works: the works or software that could be created by the Licensee, + based upon the Original Work or modifications thereof. This Licence does not + define the extent of modification or dependence on the Original Work required + in order to classify a work as a Derivative Work; this extent is determined by + copyright law applicable in the country mentioned in Article 15. + +- The Work: the Original Work and/or its Derivative Works. + +- The Source Code: the human-readable form of the Work which is the most + convenient for people to study and modify. + +- The Executable Code: any code which has generally been compiled and which is + meant to be interpreted by a computer as a program. + +- The Licensor: the natural or legal person that distributes and/or communicates + the Work under the Licence. 
+ +- Contributor(s): any natural or legal person who modifies the Work under the + Licence, or otherwise contributes to the creation of a Derivative Work. + +- The Licensee or “You”: any natural or legal person who makes any usage of the + Software under the terms of the Licence. + +- Distribution and/or Communication: any act of selling, giving, lending, + renting, distributing, communicating, transmitting, or otherwise making + available, on-line or off-line, copies of the Work or providing access to its + essential functionalities at the disposal of any other natural or legal + person. + + + +##2. Scope of the rights granted by the Licence + +The Licensor hereby grants You a world-wide, royalty-free, non-exclusive, +sub-licensable licence to do the following, for the duration of copyright vested +in the Original Work: + +- use the Work in any circumstance and for all usage, reproduce the Work, modify +- the Original Work, and make Derivative Works based upon the Work, communicate +- to the public, including the right to make available or display the Work or +- copies thereof to the public and perform publicly, as the case may be, the +- Work, distribute the Work or copies thereof, lend and rent the Work or copies +- thereof, sub-license rights in the Work or copies thereof. + +Those rights can be exercised on any media, supports and formats, whether now +known or later invented, as far as the applicable law permits so. + +In the countries where moral rights apply, the Licensor waives his right to +exercise his moral right to the extent allowed by law in order to make effective +the licence of the economic rights here above listed. + +The Licensor grants to the Licensee royalty-free, non exclusive usage rights to +any patents held by the Licensor, to the extent necessary to make use of the +rights granted on the Work under this Licence. + + + +##3. 
Communication of the Source Code + +The Licensor may provide the Work either in its Source Code form, or as +Executable Code. If the Work is provided as Executable Code, the Licensor +provides in addition a machine-readable copy of the Source Code of the Work +along with each copy of the Work that the Licensor distributes or indicates, in +a notice following the copyright notice attached to the Work, a repository where +the Source Code is easily and freely accessible for as long as the Licensor +continues to distribute and/or communicate the Work. + + + +##4. Limitations on copyright + +Nothing in this Licence is intended to deprive the Licensee of the benefits from +any exception or limitation to the exclusive rights of the rights owners in the +Original Work or Software, of the exhaustion of those rights or of other +applicable limitations thereto. + + + +##5. Obligations of the Licensee + +The grant of the rights mentioned above is subject to some restrictions and +obligations imposed on the Licensee. Those obligations are the following: + +Attribution right: the Licensee shall keep intact all copyright, patent or +trademarks notices and all notices that refer to the Licence and to the +disclaimer of warranties. The Licensee must include a copy of such notices and a +copy of the Licence with every copy of the Work he/she distributes and/or +communicates. The Licensee must cause any Derivative Work to carry prominent +notices stating that the Work has been modified and the date of modification. + +Copyleft clause: If the Licensee distributes and/or communicates copies of the +Original Works or Derivative Works based upon the Original Work, this +Distribution and/or Communication will be done under the terms of this Licence +or of a later version of this Licence unless the Original Work is expressly +distributed only under this version of the Licence. 
The Licensee (becoming +Licensor) cannot offer or impose any additional terms or conditions on the Work +or Derivative Work that alter or restrict the terms of the Licence. + +Compatibility clause: If the Licensee Distributes and/or Communicates Derivative +Works or copies thereof based upon both the Original Work and another work +licensed under a Compatible Licence, this Distribution and/or Communication can +be done under the terms of this Compatible Licence. For the sake of this clause, +“Compatible Licence” refers to the licences listed in the appendix attached to +this Licence. Should the Licensee’s obligations under the Compatible Licence +conflict with his/her obligations under this Licence, the obligations of the +Compatible Licence shall prevail. + +Provision of Source Code: When distributing and/or communicating copies of the +Work, the Licensee will provide a machine-readable copy of the Source Code or +indicate a repository where this Source will be easily and freely available for +as long as the Licensee continues to distribute and/or communicate the Work. + +Legal Protection: This Licence does not grant permission to use the trade names, +trademarks, service marks, or names of the Licensor, except as required for +reasonable and customary use in describing the origin of the Work and +reproducing the content of the copyright notice. + + + +##6. Chain of Authorship + +The original Licensor warrants that the copyright in the Original Work granted +hereunder is owned by him/her or licensed to him/her and that he/she has the +power and authority to grant the Licence. + +Each Contributor warrants that the copyright in the modifications he/she brings +to the Work are owned by him/her or licensed to him/her and that he/she has the +power and authority to grant the Licence. + +Each time You accept the Licence, the original Licensor and subsequent +Contributors grant You a licence to their contributions to the Work, under the +terms of this Licence. 
+ + + +##7. Disclaimer of Warranty + +The Work is a work in progress, which is continuously improved by numerous +contributors. It is not a finished work and may therefore contain defects or +“bugs” inherent to this type of software development. + +For the above reason, the Work is provided under the Licence on an “as is” basis +and without warranties of any kind concerning the Work, including without +limitation merchantability, fitness for a particular purpose, absence of defects +or errors, accuracy, non-infringement of intellectual property rights other than +copyright as stated in Article 6 of this Licence. + +This disclaimer of warranty is an essential part of the Licence and a condition +for the grant of any rights to the Work. + + + +##8. Disclaimer of Liability + +Except in the cases of wilful misconduct or damages directly caused to natural +persons, the Licensor will in no event be liable for any direct or indirect, +material or moral, damages of any kind, arising out of the Licence or of the use +of the Work, including without limitation, damages for loss of goodwill, work +stoppage, computer failure or malfunction, loss of data or any commercial +damage, even if the Licensor has been advised of the possibility of such +damage. However, the Licensor will be liable under statutory product liability +laws as far such laws apply to the Work. + + + +##9. Additional agreements + +While distributing the Original Work or Derivative Works, You may choose to +conclude an additional agreement to offer, and charge a fee for, acceptance of +support, warranty, indemnity, or other liability obligations and/or services +consistent with this Licence. 
However, in accepting such obligations, You may +act only on your own behalf and on your sole responsibility, not on behalf of +the original Licensor or any other Contributor, and only if You agree to +indemnify, defend, and hold each Contributor harmless for any liability incurred +by, or claims asserted against such Contributor by the fact You have accepted +any such warranty or additional liability. + + + +##10. Acceptance of the Licence + +The provisions of this Licence can be accepted by clicking on an icon “I agree” +placed under the bottom of a window displaying the text of this Licence or by +affirming consent in any other similar way, in accordance with the rules of +applicable law. Clicking on that icon indicates your clear and irrevocable +acceptance of this Licence and all of its terms and conditions. + +Similarly, you irrevocably accept this Licence and all of its terms and +conditions by exercising any rights granted to You by Article 2 of this Licence, +such as the use of the Work, the creation by You of a Derivative Work or the +Distribution and/or Communication by You of the Work or copies thereof. + + + +##11. Information to the public + +In case of any Distribution and/or Communication of the Work by means of +electronic communication by You (for example, by offering to download the Work +from a remote location) the distribution channel or media (for example, a +website) must at least provide to the public the information requested by the +applicable law regarding the Licensor, the Licence and the way it may be +accessible, concluded, stored and reproduced by the Licensee. + + + +##12. Termination of the Licence + +The Licence and the rights granted hereunder will terminate automatically upon +any breach by the Licensee of the terms of the Licence. + +Such a termination will not terminate the licences of any person who has +received the Work from the Licensee under the Licence, provided such persons +remain in full compliance with the Licence. 
+ + + +##13. Miscellaneous + +Without prejudice of Article 9 above, the Licence represents the complete +agreement between the Parties as to the Work licensed hereunder. + +If any provision of the Licence is invalid or unenforceable under applicable +law, this will not affect the validity or enforceability of the Licence as a +whole. Such provision will be construed and/or reformed so as necessary to make +it valid and enforceable. + +The European Commission may publish other linguistic versions and/or new +versions of this Licence, so far this is required and reasonable, without +reducing the scope of the rights granted by the Licence. New versions of the +Licence will be published with a unique version number. + +All linguistic versions of this Licence, approved by the European Commission, +have identical value. Parties can take advantage of the linguistic version of +their choice. + + + +##14. Jurisdiction + +Any litigation resulting from the interpretation of this License, arising +between the European Commission, as a Licensor, and any Licensee, will be +subject to the jurisdiction of the Court of Justice of the European Communities, +as laid down in article 238 of the Treaty establishing the European Community. + +Any litigation arising between Parties, other than the European Commission, and +resulting from the interpretation of this License, will be subject to the +exclusive jurisdiction of the competent court where the Licensor resides or +conducts its primary business. + + + +##15. Applicable Law + +This Licence shall be governed by the law of the European Union country where +the Licensor resides or has his registered office. + +This licence shall be governed by the Belgian law if: + +- a litigation arises between the European Commission, as a Licensor, and any +- Licensee; the Licensor, other than the European Commission, has no residence +- or registered office inside a European Union country. 
+ + +--- + + +##Appendix + + +**“Compatible Licences”** according to article 5 EUPL are: + + +- GNU General Public License (GNU GPL) v. 2 + +- Open Software License (OSL) v. 2.1, v. 3.0 + +- Common Public License v. 1.0 + +- Eclipse Public License v. 1.0 + +- Cecill v. 2.0 diff --git a/protocol-mapper/README.md b/protocol-mapper/README.md new file mode 100644 index 0000000..630c53b --- /dev/null +++ b/protocol-mapper/README.md 
@@ -0,0 +1,53 @@ +# Identity Provider Mapper + +**Protocol Mapper** extends the [Keycloak](https://www.keycloak.org)'s OIDC protocol mapper SPI to map the token audience to the value read from a custom `X-GCube-Context` HTTP header. + +## Structure of the project + +The source code is present in `src` folder. + +## Built With + +* [OpenJDK](https://openjdk.java.net/) - The JDK used +* [Maven](https://maven.apache.org/) - Dependency Management + +## Documentation + +This is one of the modules that composes the EAR deployment defined in the "brother" module [keycloak-d4science-spi](../keycloak-d4science-spi-ear/README.md). + +To build the JAR artifact it is sufficient to type + + mvn clean package + +### Installation + +#### Qurkus based Keycloak + +In order to deploy the module it is sufficient to copy into the `[keycloak-home]/providers` folder. + +## Change log + +See [CHANGELOG.md](CHANGELOG.md). + +## Authors + +* **Marco Lettere** ([Nubisware S.r.l.](http://www.nubisware.com)) +* **Mauro Mugnaini** ([Nubisware S.r.l.](http://www.nubisware.com)) + +## How to Cite this Software +[Intentionally left blank] + +## License + +This project is licensed under the EUPL V.1.1 License - see the [LICENSE.md](LICENSE.md) file for details. + +## About the gCube Framework +This software is part of the [gCubeFramework](https://www.gcube-system.org/ "gCubeFramework"): an +open-source software toolkit used for building and operating Hybrid Data +Infrastructures enabling the dynamic deployment of Virtual Research Environments +by favouring the realisation of reuse oriented policies. + +The projects leading to this software have received funding from a series of European Union programmes see [FUNDING.md](FUNDING.md) + +## Acknowledgments +[Intentionally left blank] \ No newline at end of file diff --git a/protocol-mapper/pom.xml b/protocol-mapper/pom.xml new file mode 100644 index 0000000..57a72c1 --- /dev/null +++ b/protocol-mapper/pom.xml 
@@ -0,0 +1,48 @@ + + + 4.0.0 + + + org.gcube.iam + keycloak-d4science-spi-parent + 2.1.0-SNAPSHOT + + + protocol-mapper + jar + + + scm:git:https://code-repo.d4science.org/gCubeSystem/${project.parent.artifactId}.git + scm:git:https://code-repo.d4science.org/gCubeSystem/${project.parent.artifactId}.git + https://code-repo.d4science.org/gCubeSystem/${project.parent.artifactId} + + + + 5.8.2 + 3.22.0 + 4.5.1 + + + + + org.keycloak + keycloak-saml-core + provided + + + org.assertj + assertj-core + ${assertj-core.version} + test + + + org.mockito + mockito-core + ${org-mockito.version} + test + + + + + + \ No newline at end of file diff --git a/protocol-mapper/src/main/java/org/gcube/keycloak/protocol/oidc/mapper/GCubeContextMapper.java b/protocol-mapper/src/main/java/org/gcube/keycloak/protocol/oidc/mapper/GCubeContextMapper.java new file mode 100644 index 0000000..643356a --- /dev/null +++ b/protocol-mapper/src/main/java/org/gcube/keycloak/protocol/oidc/mapper/GCubeContextMapper.java 
@@ -0,0 +1,96 @@
+package org.gcube.keycloak.protocol.oidc.mapper;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.jboss.logging.Logger;
+import org.keycloak.models.ClientSessionContext;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.ProtocolMapperModel;
+import org.keycloak.models.UserSessionModel;
+import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
+import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
+import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
+import org.keycloak.provider.ProviderConfigProperty;
+import org.keycloak.representations.AccessToken;
+import org.keycloak.representations.IDToken;
+
+public class GCubeContextMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper {
+
+ private static final Logger logger = Logger.getLogger(GCubeContextMapper.class);
+
+ private static final List configProperties = new ArrayList<>();
+
+ // Assuring that the mapper is executed as last
+ private static final int PRIORITY = Integer.MAX_VALUE;
+ private static final String DISPLAY_TYPE = "OIDC GCube Context Mapper";
+ private static final String PROVIDER_ID = "oidc-gcube-context-mapper";
+
+ public static final String HEADER_NAME = "X-GCube-Context";
+
+
+ static {
+ OIDCAttributeMapperHelper.addTokenClaimNameConfig(configProperties);
+ OIDCAttributeMapperHelper.addIncludeInTokensConfig(configProperties, GCubeContextMapper.class);
+ }
+
+ @Override
+ public String getDisplayCategory() {
+ return TOKEN_MAPPER_CATEGORY;
+ }
+
+ @Override
+ public int getPriority() {
+ return PRIORITY;
+ }
+
+ @Override
+ public String getDisplayType() {
+ return DISPLAY_TYPE;
+ }
+
+ @Override
+ public String getHelpText() {
+ return "Reads GCube context from " + HEADER_NAME + " header and sets it as the configured token claim";
+ }
+
+ @Override
+ public List getConfigProperties() {
+ return configProperties;
+ }
+
+ @Override
+ public String getId() {
+ return PROVIDER_ID;
+ }
+
+ @Override
+ protected void setClaim(final IDToken token,
+ final ProtocolMapperModel mappingModel,
+ final UserSessionModel userSession,
+ final KeycloakSession keycloakSession,
+ final ClientSessionContext clientSessionCtx) {
+
+ // Since only the OIDCAccessTokenMapper interface is implemented, we are almost sure that
+ // the token object is an AccessToken but adding a specific check anyway
+ if (token instanceof AccessToken) {
+ logger.debugf("Looking for the '%s' header", HEADER_NAME);
+ String requestedD4SContext = keycloakSession.getContext().getRequestHeaders().getHeaderString(HEADER_NAME);
+
+ if (requestedD4SContext != null && !"".equals(requestedD4SContext)) {
+ logger.debugf("Checking resource access for the requested context: %s", requestedD4SContext);
+
+ if (((AccessToken) token).getResourceAccess().containsKey(requestedD4SContext)) {
+ logger.debugf("Mapping it as the configured claim: %s",
+ mappingModel.getConfig().get(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME));
+
+ OIDCAttributeMapperHelper.mapClaim(token, mappingModel, requestedD4SContext);
+ } else {
+ logger.warnf("Requested context '%s' is not accessible to the client: %s", requestedD4SContext,
+ clientSessionCtx.getClientSession().getClient().getName());
+ }
+ }
+ }
+ }
+
+}
\ No newline at end of file
diff --git a/protocol-mapper/src/main/resources/META-INF/services/org.keycloak.protocol.ProtocolMapper b/protocol-mapper/src/main/resources/META-INF/services/org.keycloak.protocol.ProtocolMapper
new file mode 100644
index 0000000..a1a6017
--- /dev/null
+++ b/protocol-mapper/src/main/resources/META-INF/services/org.keycloak.protocol.ProtocolMapper
@@ -0,0 +1 @@
+org.gcube.keycloak.protocol.oidc.mapper.GCubeContextMapper
\ No newline at end of file
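Review bot: The `warnf` in the else branch of `setClaim` writes the raw `X-GCube-Context` request header value into the log; at that point the value is client-controlled and has only been checked for non-emptiness, so CR/LF or other control characters in it land verbatim in a WARN line that operators will read and alert on. Normalise it before logging, e.g. `logger.warnf("Requested context '%s' is not accessible to the client: %s", requestedD4SContext.replaceAll("[\\r\\n]", " "), clientSessionCtx.getClientSession().getClient().getName());`, or keep the full value at debug level and log only that an unauthorised context was requested. The guard `requestedD4SContext != null && !"".equals(requestedD4SContext)` also lets a whitespace-only header through to `containsKey`; the exact-match lookup fails closed, so this is a usability rather than a security gap, but `trim()`-ing the value first avoids a spurious warning for a padded but legitimate context. A class-level Javadoc stating that the claim is emitted only when the requested context is a key of the token's `resource_access` would make that authorisation boundary explicit for the next maintainer, and the comment on `PRIORITY` should say what ordering Keycloak applies to priorities rather than just "executed as last".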
diff --git a/protocol-mapper/src/test/java/org/gcube/keycloak/protocol/oidc/mapper/GCubeContextMapperTest.java b/protocol-mapper/src/test/java/org/gcube/keycloak/protocol/oidc/mapper/GCubeContextMapperTest.java new file mode 100644 index 0000000..c4cb833 --- /dev/null +++ b/protocol-mapper/src/test/java/org/gcube/keycloak/protocol/oidc/mapper/GCubeContextMapperTest.java 
@@ -0,0 +1,145 @@
+package org.gcube.keycloak.protocol.oidc.mapper;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.when;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+import javax.ws.rs.core.HttpHeaders;
+
+import org.assertj.core.util.Maps;
+import org.junit.Test;
+import org.keycloak.models.AuthenticatedClientSessionModel;
+import org.keycloak.models.ClientModel;
+import org.keycloak.models.ClientSessionContext;
+import org.keycloak.models.KeycloakContext;
+import org.keycloak.models.KeycloakSession;
+import org.keycloak.models.ProtocolMapperModel;
+import org.keycloak.models.UserModel;
+import org.keycloak.models.UserSessionModel;
+import org.keycloak.protocol.oidc.mappers.FullNameMapper;
+import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
+import org.keycloak.provider.ProviderConfigProperty;
+import org.keycloak.representations.AccessToken;
+import org.mockito.Mockito;
+
+/**
+ * Original code repo: https://github.com/mschwartau/keycloak-custom-protocol-mapper-example
+ */
+public class GCubeContextMapperTest {
+
+ static final String CLAIM_NAME = "haandlerIdClaimNameExample";
+ static final String HEADER_VALUE = "ginostilla";
+
+ @Test
+ public void shouldTokenMapperDisplayCategory() {
+ final String tokenMapperDisplayCategory = new FullNameMapper().getDisplayCategory();
+ assertThat(new GCubeContextMapper().getDisplayCategory()).isEqualTo(tokenMapperDisplayCategory);
+ }
+
+ @Test
+ public void shouldHaveDisplayType() {
+ assertThat(new GCubeContextMapper().getDisplayType()).isNotBlank();
+ }
+
+ @Test
+ public void shouldHaveHelpText() {
+ assertThat(new GCubeContextMapper().getHelpText()).isNotBlank();
+ }
+
+ @Test
+ public void shouldHaveIdId() {
+ assertThat(new GCubeContextMapper().getId()).isNotBlank();
+ }
+
+ @Test
+ public void shouldHaveProperties() {
+ final List configPropertyNames = new GCubeContextMapper().getConfigProperties().stream()
+ .map(ProviderConfigProperty::getName)
+ .collect(Collectors.toList());
+
+ assertThat(configPropertyNames).containsExactly(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME,
+ OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN);
+ }
+
+ @Test
+ public void shouldAddClaim() {
+ final UserSessionModel session = givenUserSession();
+ final KeycloakSession keycloakSession = givenKeycloakSession(true);
+ final AccessToken accessToken = transformAccessToken(session, keycloakSession, true);
+ assertThat(accessToken.getOtherClaims().get(CLAIM_NAME)).isEqualTo(HEADER_VALUE);
+ }
+
+ @Test
+ public void shouldNotAddClaim() {
+ final UserSessionModel session = givenUserSession();
+ final KeycloakSession keycloakSession = givenKeycloakSession(false);
+ final AccessToken accessToken = transformAccessToken(session, keycloakSession, true);
+ assertThat(accessToken.getOtherClaims().get(CLAIM_NAME)).isNull();
+ }
+
+ @Test
+ public void shouldNotAddClaimAndLogWarning() {
+ final UserSessionModel session = givenUserSession();
+ final KeycloakSession keycloakSession = givenKeycloakSession(true);
+ final AccessToken accessToken = transformAccessToken(session, keycloakSession, false);
+ assertThat(accessToken.getOtherClaims().get(CLAIM_NAME)).isNull();
+ }
+
+ private UserSessionModel givenUserSession() {
+ UserSessionModel userSession = Mockito.mock(UserSessionModel.class);
+ UserModel user = Mockito.mock(UserModel.class);
+ when(userSession.getUser()).thenReturn(user);
+ return userSession;
+ }
+
+ private KeycloakSession givenKeycloakSession(boolean withHeader) {
+ KeycloakSession keycloakSession = Mockito.mock(KeycloakSession.class);
+ KeycloakContext context = Mockito.mock(KeycloakContext.class);
+ when(keycloakSession.getContext()).thenReturn(context);
+ HttpHeaders headers = Mockito.mock(HttpHeaders.class);
+ when(context.getRequestHeaders()).thenReturn(headers);
+
+ if (withHeader) {
+ when(headers.getHeaderString(GCubeContextMapper.HEADER_NAME)).thenReturn(HEADER_VALUE);
+ } else {
+ when(headers.getHeaderString(GCubeContextMapper.HEADER_NAME)).thenReturn("");
+ }
+ return keycloakSession;
+ }
+
+ private AccessToken transformAccessToken(UserSessionModel userSessionModel, KeycloakSession keycloakSession,
+ boolean withResourceAccess) {
+
+ final ProtocolMapperModel mappingModel = new ProtocolMapperModel();
+ mappingModel.setConfig(createConfig());
+ AccessToken at = new AccessToken();
+ if (withResourceAccess) {
+ at.setResourceAccess(Maps.newHashMap(HEADER_VALUE, null));
+ }
+
+ return new GCubeContextMapper().transformAccessToken(at, mappingModel, keycloakSession,
+ userSessionModel, givenClientSessionContext());
+ }
+
+ private ClientSessionContext givenClientSessionContext() {
+ ClientModel clientModel = Mockito.mock(ClientModel.class);
+ when(clientModel.getName()).thenReturn("test-client-id");
+ AuthenticatedClientSessionModel acsm = Mockito.mock(AuthenticatedClientSessionModel.class);
+ when(acsm.getClient()).thenReturn(clientModel);
+ ClientSessionContext csc = Mockito.mock(ClientSessionContext.class);
+ when(csc.getClientSession()).thenReturn(acsm);
+ return csc;
+ }
+
+ private Map createConfig() {
+ final Map result = new HashMap<>();
+ result.put("access.token.claim", "true");
+ result.put("claim.name", CLAIM_NAME);
+ return result;
+ }
+
+}
\ No newline at end of file
diff --git a/protocol-mapper/src/test/java/org/gcube/keycloak/protocol/oidc/mapper/NoDuplicateMapperTest.java b/protocol-mapper/src/test/java/org/gcube/keycloak/protocol/oidc/mapper/NoDuplicateMapperTest.java
new file mode 100644
index 0000000..926a4b5
--- /dev/null
+++ b/protocol-mapper/src/test/java/org/gcube/keycloak/protocol/oidc/mapper/NoDuplicateMapperTest.java
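Review bot: `createConfig()` hard-codes the keys `"access.token.claim"` and `"claim.name"` while `shouldHaveProperties` in the same class uses `OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN` and `OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME`; use the constants in both places, `result.put(OIDCAttributeMapperHelper.INCLUDE_IN_ACCESS_TOKEN, "true"); result.put(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME, CLAIM_NAME);`, so a key change upstream fails at compile time instead of silently making `shouldAddClaim` pass for the wrong reason. The negative path is only covered for an empty header: `givenKeycloakSession(false)` stubs `getHeaderString` to return `""`, but in production an absent header yields `null`, which is the branch the mapper's `!= null` guard exists for, so add a case that leaves the stub unset (Mockito returns null by default) and asserts the claim is absent. `shouldNotAddClaimAndLogWarning` never checks that a warning was logged, so either drop "AndLogWarning" from the name or capture the logger output. `CLAIM_NAME = "haandlerIdClaimNameExample"` looks like a leftover from the referenced example repository and could be given a name that matches this module.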
@@ -0,0 +1,25 @@ +package org.gcube.keycloak.protocol.oidc.mapper; + +import static org.assertj.core.api.Assertions.assertThat; + +import java.util.Collection; +import java.util.ServiceLoader; +import java.util.stream.Collectors; +import java.util.stream.StreamSupport; + +import org.junit.Test; +import org.keycloak.protocol.ProtocolMapper; + +/** + * Original code repo: https://github.com/mschwartau/keycloak-custom-protocol-mapper-example + */ +public class NoDuplicateMapperTest { + + @Test + public void shouldNotHaveMappersWithDuplicateIds() { + final ServiceLoader serviceLoader = ServiceLoader.load(ProtocolMapper.class); + final Collection mapperIds = StreamSupport.stream(serviceLoader.spliterator(), false).map(elem -> elem.getId()).collect(Collectors.toList()); + + assertThat(mapperIds).doesNotHaveDuplicates(); + } +} diff --git a/protocol-mapper/src/test/resources/log4j.xml b/protocol-mapper/src/test/resources/log4j.xml new file mode 100644 index 0000000..9ff69e5 --- /dev/null +++ b/protocol-mapper/src/test/resources/log4j.xml @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + + + + + + + \ No newline at end of file
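Review bot: `map(elem -> elem.getId())` in `shouldNotHaveMappersWithDuplicateIds` is a lambda that only forwards to one method; `map(ProtocolMapper::getId)` is the conventional form and reads the same. The assertion is also only as strong as the test classpath: this module's service file registers a single mapper, so the duplicate check presumably only bites when the `ProtocolMapper` entries shipped by the Keycloak dependencies are resolved by `ServiceLoader` as well. A one-line comment on the test saying which providers it expects `ServiceLoader` to find, and that a collision with a built-in mapper id is what it guards against, would tell the next reader why the test exists.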