# to run these tests:
# nix-instantiate --eval --strict . -A tests.keycloak-cli-config
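{ lib
, stdenv  # not referenced by these tests; kept so callers' argument sets keep working
, pkgs
}:

let
  # Function under test: builds the realm representation that
  # keycloak-config-cli imports from the short-hand description used in this
  # repository.
  configcreator = pkgs.callPackage ./../../keycloak-cli-config/configcreator.nix {};

  # Smallest input the generator accepts; every test extends it with `//`.
  default_config = {
    realm = "myrealm";
    domain = "mydomain.com";
  };

  # Restrict an attribute set to the attributes named in `fields`, so a test
  # can pin the handful of client fields it is about instead of the whole
  # client representation.
  keep_fields = fields:
    lib.filterAttrs (n: _: lib.elem n fields);

  # First element of `list` whose `name` attribute equals `name`.  Fails with
  # a message naming the missing element instead of `head` on an empty list.
  find_by_name = name: list:
    lib.findFirst (x: x.name == name)
      (throw "find_by_name: no element named \"${name}\"")
      list;
in

lib.runTests {
  # Without users, groups, roles or clients the generator must still emit a
  # complete, enabled realm whose collections are empty.
  testDefault = {
    expr = configcreator default_config;
    expected = {
      id = "myrealm";
      realm = "myrealm";
      enabled = true;
      clients = [];
      roles = {
        realm = [];
        client = {};
      };
      groups = [];
      users = [];
    };
  };

  # A declared user is emitted enabled and with `emailVerified = true`, i.e.
  # the address is treated as verified without any verification flow.  Pinned
  # here so that a change to that default does not go unnoticed.
  testUsers = {
    expr = (configcreator (default_config // {
      users = {
        me = {
          email = "me@mydomain.com";
          firstName = "me";
          lastName = "stillme";
        };
      };
    })).users;
    expected = [
      {
        username = "me";
        enabled = true;
        email = "me@mydomain.com";
        emailVerified = true;
        firstName = "me";
        lastName = "stillme";
      }
    ];
  };

  # Group membership is passed through unchanged.
  testUsersWithGroups = {
    expr = (configcreator (default_config // {
      users = {
        me = {
          email = "me@mydomain.com";
          firstName = "me";
          lastName = "stillme";
          groups = [ "MyGroup" ];
        };
      };
    })).users;
    expected = [
      {
        username = "me";
        enabled = true;
        email = "me@mydomain.com";
        emailVerified = true;
        firstName = "me";
        lastName = "stillme";
        groups = [ "MyGroup" ];
      }
    ];
  };

  # A user's `roles` become Keycloak realm roles.
  testUsersWithRoles = {
    expr = (configcreator (default_config // {
      users = {
        me = {
          email = "me@mydomain.com";
          firstName = "me";
          lastName = "stillme";
          roles = [ "MyRole" ];
        };
      };
    })).users;
    expected = [
      {
        username = "me";
        enabled = true;
        email = "me@mydomain.com";
        emailVerified = true;
        firstName = "me";
        lastName = "stillme";
        realmRoles = [ "MyRole" ];
      }
    ];
  };

  # `initialPassword = true` produces a password credential whose value is a
  # substitution placeholder, not a literal secret: the generated config never
  # contains the password itself.  NOTE(review): the placeholder is presumably
  # resolved by keycloak-config-cli at import time — confirm against the
  # deployment that supplies it.
  testUsersWithInitialPassword = {
    expr = (configcreator (default_config // {
      users = {
        me = {
          email = "me@mydomain.com";
          firstName = "me";
          lastName = "stillme";
          initialPassword = true;
        };
      };
    })).users;
    expected = [
      {
        username = "me";
        enabled = true;
        email = "me@mydomain.com";
        emailVerified = true;
        firstName = "me";
        lastName = "stillme";
        credentials = [
          {
            type = "password";
            userLabel = "initial";
            value = "$(keycloak.users.me.password)";
          }
        ];
      }
    ];
  };

  # A group name expands to a top-level group with a derived path and no
  # attributes, roles or sub-groups.
  testGroups = {
    expr = (configcreator (default_config // {
      groups = [ "MyGroup" ];
    })).groups;
    expected = [
      {
        name = "MyGroup";
        path = "/MyGroup";
        attributes = {};
        realmRoles = [];
        clientRoles = {};
        subGroups = [];
      }
    ];
  };

  # `roles` maps a realm role to the realm roles it is composed of; a role
  # with an empty list is a plain (non-composite) role.
  testRealmRoles = {
    expr = (configcreator (default_config // {
      roles = {
        A = [ "B" ];
        B = [ ];
      };
    })).roles;
    expected = {
      client = {};
      realm = [
        {
          name = "A";
          composite = true;
          composites = {
            realm = [ "B" ];
          };
        }
        {
          name = "B";
          composite = false;
        }
      ];
    };
  };

  # Roles declared on a client are emitted as client roles keyed by client id.
  testClientRoles = {
    expr = (configcreator (default_config // {
      clients = {
        clientA = {
          roles = [ "cA" ];
        };
      };
    })).roles;
    expected = {
      client = {
        clientA = [
          {
            name = "cA";
            clientRole = true;
          }
        ];
      };
      realm = [];
    };
  };

  # The client's root URL, redirect-URI allow-list and CORS origins are all
  # derived from the client id and the realm domain, so a bare client gets
  # exactly one https origin.  Authorization is enabled with
  # `policyEnforcementMode = "ENFORCING"` and no resources or policies.
  testClient = {
    expr = map (keep_fields [
      "clientId"
      "rootUrl"
      "redirectUris"
      "webOrigins"
      "authorizationSettings"
    ]) (configcreator (default_config // {
      clients = {
        clientA = {};
      };
    })).clients;
    expected = [
      {
        clientId = "clientA";
        rootUrl = "https://clientA.mydomain.com";
        redirectUris = ["https://clientA.mydomain.com/oauth2/callback"];
        webOrigins = ["https://clientA.mydomain.com"];
        authorizationSettings = {
          policyEnforcementMode = "ENFORCING";
          resources = [];
          policies = [];
        };
      }
    ];
  };

  # `resourcesUris` become authorization resources and each `access` entry
  # becomes a role policy plus a resource policy that applies it.  All
  # policies use POSITIVE logic and a UNANIMOUS decision strategy, and the
  # role is emitted with `required = true`.
  testClientAuthorization = {
    expr = (builtins.head (configcreator (default_config // {
      clients = {
        clientA = {
          resourcesUris = {
            adminPath = ["/admin/*"];
            userPath = ["/*"];
          };
          access = {
            admin = {
              roles = [ "admin" ];
              resources = [ "adminPath" ];
            };
            user = {
              roles = [ "user" ];
              resources = [ "userPath" ];
            };
          };
        };
      };
    })).clients).authorizationSettings;
    expected = {
      policyEnforcementMode = "ENFORCING";
      resources = [
        {
          name = "adminPath";
          type = "urn:clientA:resources:adminPath";
          ownerManagedAccess = false;
          uris = ["/admin/*"];
        }
        {
          name = "userPath";
          type = "urn:clientA:resources:userPath";
          ownerManagedAccess = false;
          uris = ["/*"];
        }
      ];
      policies = [
        {
          name = "admin has access";
          type = "role";
          logic = "POSITIVE";
          decisionStrategy = "UNANIMOUS";
          config = {
            roles = ''[{"id":"admin","required":true}]'';
          };
        }
        {
          name = "user has access";
          type = "role";
          logic = "POSITIVE";
          decisionStrategy = "UNANIMOUS";
          config = {
            roles = ''[{"id":"user","required":true}]'';
          };
        }
        {
          name = "admin has access to adminPath";
          type = "resource";
          logic = "POSITIVE";
          decisionStrategy = "UNANIMOUS";
          config = {
            resources = ''["adminPath"]'';
            applyPolicies = ''["admin has access"]'';
          };
        }
        {
          name = "user has access to userPath";
          type = "resource";
          logic = "POSITIVE";
          decisionStrategy = "UNANIMOUS";
          config = {
            resources = ''["userPath"]'';
            applyPolicies = ''["user has access"]'';
          };
        }
      ];
    };
  };

  # Every client gets an audience mapper that puts its own client id into the
  # access token only (`id.token.claim = "false"`, `access.token.claim =
  # "true"`).
  testClientAudience =
    let
      # The "Audience" protocol mapper of the first (here: only) client.
      audienceProtocolMapper = realm:
        find_by_name "Audience" (builtins.head realm.clients).protocolMappers;
    in
    {
      expr = audienceProtocolMapper (configcreator (default_config // {
        clients = {
          clientA = {};
        };
      }));
      expected = {
        name = "Audience";
        protocol = "openid-connect";
        protocolMapper = "oidc-audience-mapper";
        config = {
          "included.client.audience" = "clientA";
          "id.token.claim" = "false";
          "access.token.claim" = "true";
          "included.custom.audience" = "clientA";
        };
      };
    };
}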