Mercurial > hg > thermostat-ng > web-gateway
view services/commands/src/test/java/com/redhat/thermostat/gateway/service/commands/channel/endpoints/RealmAuthorizerConfiguratorTest.java @ 252:1428b14f642f
[commands] Implement Keycloak support.
Reviewed-by: jkang
Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2017-September/024853.html
author | Severin Gehwolf <sgehwolf@redhat.com> |
---|---|
date | Tue, 05 Sep 2017 16:29:38 +0200 |
parents | |
children |
line wrap: on
line source
/* * Copyright 2012-2017 Red Hat, Inc. * * This file is part of Thermostat. * * Thermostat is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published * by the Free Software Foundation; either version 2, or (at your * option) any later version. * * Thermostat is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public License * along with Thermostat; see the file COPYING. If not see * <http://www.gnu.org/licenses/>. * * Linking this code with other modules is making a combined work * based on this code. Thus, the terms and conditions of the GNU * General Public License cover the whole combination. * * As a special exception, the copyright holders of this code give * you permission to link this code with independent modules to * produce an executable, regardless of the license terms of these * independent modules, and to copy and distribute the resulting * executable under terms of your choice, provided that you also * meet, for each linked independent module, the terms and conditions * of the license of that module. An independent module is a module * which is not derived from or based on this code. If you modify * this code, you may extend this exception to your version of the * library, but you are not obligated to do so. If you do not wish * to do so, delete this exception statement from your version. */ package com.redhat.thermostat.gateway.service.commands.channel.endpoints; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertSame; import static org.junit.Assert.assertTrue; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; import java.security.Principal; import java.util.Collections; import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.Set; import javax.websocket.HandshakeResponse; import javax.websocket.server.HandshakeRequest; import javax.websocket.server.ServerEndpointConfig; import org.junit.Before; import org.junit.Test; import org.keycloak.KeycloakPrincipal; import org.keycloak.KeycloakSecurityContext; import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessToken.Access; import com.redhat.thermostat.gateway.common.core.auth.RealmAuthorizer; import com.redhat.thermostat.gateway.common.core.auth.basic.BasicRealmAuthorizer; import com.redhat.thermostat.gateway.common.core.auth.basic.BasicWebUser; import com.redhat.thermostat.gateway.common.core.auth.keycloak.KeycloakRealmAuthorizer; import com.redhat.thermostat.gateway.common.core.config.Configuration; import com.redhat.thermostat.gateway.common.core.config.ServiceConfiguration; import com.redhat.thermostat.gateway.common.core.servlet.GlobalConstants; public class RealmAuthorizerConfiguratorTest { private ServerEndpointConfig config; private HandshakeRequest request; private HandshakeResponse response; private Configuration serviceConfig; private Set<String> roles; private Map<String, Object> userProps; @Before public void setup() { serviceConfig = mock(Configuration.class); userProps = new HashMap<>(); userProps.put(GlobalConstants.SERVICE_CONFIG_KEY, serviceConfig); config = mock(ServerEndpointConfig.class); when(config.getUserProperties()).thenReturn(userProps); request = mock(HandshakeRequest.class); response = mock(HandshakeResponse.class); roles = new HashSet<>(); roles.add("ping-commands"); roles.add("ignored"); roles.add("r-foo-realm"); } @Test public void testBasicAuthAuthorizer() { setupConfig(ServiceConfiguration.ConfigurationKey.SECURITY_BASIC, Boolean.TRUE); BasicWebUser userPrincipal = new BasicWebUser("ignored", new char[] {}, roles); setupPrincipal(userPrincipal); RealmAuthorizerConfigurator configurator = new RealmAuthorizerConfigurator(); configurator.modifyHandshake(config, request, response); RealmAuthorizer authorizer = (RealmAuthorizer)userProps.get(RealmAuthorizer.class.getName()); assertNotNull(authorizer); assertTrue(authorizer instanceof BasicRealmAuthorizer); verifyRoles(authorizer); } @Test public void testKeycloakAuthAuthorizer() { setupConfig(ServiceConfiguration.ConfigurationKey.SECURITY_KEYCLOAK, Boolean.TRUE); KeycloakPrincipal<KeycloakSecurityContext> keycloakPrincipal = setupKeycloakPrincipal(); setupPrincipal(keycloakPrincipal); RealmAuthorizerConfigurator configurator = new RealmAuthorizerConfigurator(); configurator.modifyHandshake(config, request, response); RealmAuthorizer authorizer = (RealmAuthorizer)userProps.get(RealmAuthorizer.class.getName()); assertNotNull(authorizer); assertTrue("Actual: " + authorizer.getClass(), authorizer instanceof KeycloakRealmAuthorizer); verifyRoles(authorizer); } @Test public void testDenyAllForUnknown() { // empty config when(serviceConfig.asMap()).thenReturn(Collections.<String, Object>emptyMap()); RealmAuthorizerConfigurator configurator = new RealmAuthorizerConfigurator(); configurator.modifyHandshake(config, request, response); RealmAuthorizer authorizer = (RealmAuthorizer)userProps.get(RealmAuthorizer.class.getName()); assertNotNull(authorizer); assertSame(RealmAuthorizer.DENY_ALL_AUTHORIZER, authorizer); } private KeycloakPrincipal<KeycloakSecurityContext> setupKeycloakPrincipal() { @SuppressWarnings("unchecked") KeycloakPrincipal<KeycloakSecurityContext> p = mock(KeycloakPrincipal.class); KeycloakSecurityContext secContext = mock(KeycloakSecurityContext.class); AccessToken accessToken = mock(AccessToken.class); Access access = mock(Access.class); when(access.getRoles()).thenReturn(roles); when(accessToken.getRealmAccess()).thenReturn(access); when(secContext.getToken()).thenReturn(accessToken); when(p.getKeycloakSecurityContext()).thenReturn(secContext); return p; } private void verifyRoles(RealmAuthorizer authorizer) { Set<String> realmPingActions = new HashSet<>(); realmPingActions.add("commands"); assertEquals(realmPingActions, authorizer.getRealmsWithAction("ping")); Set<String> readableRealms = new HashSet<>(); readableRealms.add("foo-realm"); assertEquals(readableRealms, authorizer.getReadableRealms()); } private void setupConfig(ServiceConfiguration.ConfigurationKey key, Boolean value) { Map<String, Object> configImpl = new HashMap<>(); configImpl.put(key.name(), value.toString()); when(serviceConfig.asMap()).thenReturn(configImpl); } private void setupPrincipal(Principal p) { when(request.getUserPrincipal()).thenReturn(p); } }