# to run these tests:
# nix-instantiate --eval --strict . -A tests.keycloak-cli-config
{ lib
, stdenv
, pkgs
}:
let
configcreator = pkgs.callPackage ./../keycloak-cli-config/configcreator.nix { };
default_config = {
realm = "myrealm";
domain = "mydomain.com";
};
keep_fields = fields:
lib.filterAttrs (n: v: lib.any (n_: n_ == n) fields);
in
lib.runTests {
testDefault = {
expr = configcreator default_config;
expected = {
id = "myrealm";
realm = "myrealm";
enabled = true;
clients = [];
roles = {
realm = [];
client = {};
};
groups = [];
users = [];
};
};
testUsers = {
expr = (configcreator (default_config // {
users = {
me = {
email = "me@mydomain.com";
firstName = "me";
lastName = "stillme";
};
};
})).users;
expected = [
{
username = "me";
enabled = true;
email = "me@mydomain.com";
emailVerified = true;
firstName = "me";
lastName = "stillme";
}
];
};
testUsersWithGroups = {
expr = (configcreator (default_config // {
users = {
me = {
email = "me@mydomain.com";
firstName = "me";
lastName = "stillme";
groups = [ "MyGroup" ];
};
};
})).users;
expected = [
{
username = "me";
enabled = true;
email = "me@mydomain.com";
emailVerified = true;
firstName = "me";
lastName = "stillme";
groups = [ "MyGroup" ];
}
];
};
testUsersWithRoles = {
expr = (configcreator (default_config // {
users = {
me = {
email = "me@mydomain.com";
firstName = "me";
lastName = "stillme";
roles = [ "MyRole" ];
};
};
})).users;
expected = [
{
username = "me";
enabled = true;
email = "me@mydomain.com";
emailVerified = true;
firstName = "me";
lastName = "stillme";
realmRoles = [ "MyRole" ];
}
];
};
testUsersWithInitialPassword = {
expr = (configcreator (default_config // {
users = {
me = {
email = "me@mydomain.com";
firstName = "me";
lastName = "stillme";
initialPassword = true;
};
};
})).users;
expected = [
{
username = "me";
enabled = true;
email = "me@mydomain.com";
emailVerified = true;
firstName = "me";
lastName = "stillme";
credentials = [
{
type = "password";
userLabel = "initial";
value = "$(keycloak.users.me.password)";
}
];
}
];
};
testGroups = {
expr = (configcreator (default_config // {
groups = [ "MyGroup" ];
})).groups;
expected = [
{
name = "MyGroup";
path = "/MyGroup";
attributes = {};
realmRoles = [];
clientRoles = {};
subGroups = [];
}
];
};
testRealmRoles = {
expr = (configcreator (default_config // {
roles = {
A = [ "B" ];
B = [ ];
};
})).roles;
expected = {
client = {};
realm = [
{
name = "A";
composite = true;
composites = {
realm = [ "B" ];
};
}
{
name = "B";
composite = false;
}
];
};
};
testClientRoles = {
expr = (configcreator (default_config // {
clients = {
clientA = {
roles = [ "cA" ];
};
};
})).roles;
expected = {
client = {
clientA = [
{
name = "cA";
clientRole = true;
}
];
};
realm = [];
};
};
testClient = {
expr = map (keep_fields [
"clientId"
"rootUrl"
"redirectUris"
"webOrigins"
"authorizationSettings"
]) (configcreator (default_config // {
clients = {
clientA = {};
};
})).clients;
expected = [
{
clientId = "clientA";
rootUrl = "https://clientA.mydomain.com";
redirectUris = ["https://clientA.mydomain.com/oauth2/callback"];
webOrigins = ["https://clientA.mydomain.com"];
authorizationSettings = {
policyEnforcementMode = "ENFORCING";
resources = [];
policies = [];
};
}
];
};
testClientAuthorization = with builtins; {
expr = (head (configcreator (default_config // {
clients = {
clientA = {
resourcesUris = {
adminPath = ["/admin/*"];
userPath = ["/*"];
};
access = {
admin = {
roles = [ "admin" ];
resources = [ "adminPath" ];
};
user = {
roles = [ "user" ];
resources = [ "userPath" ];
};
};
};
};
})).clients).authorizationSettings;
expected = {
policyEnforcementMode = "ENFORCING";
resources = [
{
name = "adminPath";
type = "urn:clientA:resources:adminPath";
ownerManagedAccess = false;
uris = ["/admin/*"];
}
{
name = "userPath";
type = "urn:clientA:resources:userPath";
ownerManagedAccess = false;
uris = ["/*"];
}
];
policies = [
{
name = "admin has access";
type = "role";
logic = "POSITIVE";
decisionStrategy = "UNANIMOUS";
config = {
roles = ''[{"id":"admin","required":true}]'';
};
}
{
name = "user has access";
type = "role";
logic = "POSITIVE";
decisionStrategy = "UNANIMOUS";
config = {
roles = ''[{"id":"user","required":true}]'';
};
}
{
name = "admin has access to adminPath";
type = "resource";
logic = "POSITIVE";
decisionStrategy = "UNANIMOUS";
config = {
resources = ''["adminPath"]'';
applyPolicies = ''["admin has access"]'';
};
}
{
name = "user has access to userPath";
type = "resource";
logic = "POSITIVE";
decisionStrategy = "UNANIMOUS";
config = {
resources = ''["userPath"]'';
applyPolicies = ''["user has access"]'';
};
}
];
};
};
testClientAudience =
let
audienceProtocolMapper = config:
with builtins;
let
protocolMappers = (head config.clients).protocolMappers;
protocolMapperByName = name: protocolMappers: head (filter (x: x.name == name) protocolMappers);
in
protocolMapperByName "Audience" protocolMappers;
in
{
expr = audienceProtocolMapper (configcreator (default_config // {
clients = {
clientA = {};
};
}));
expected = {
name = "Audience";
protocol = "openid-connect";
protocolMapper = "oidc-audience-mapper";
config = {
"included.client.audience" = "clientA";
"id.token.claim" = "false";
"access.token.claim" = "true";
"included.custom.audience" = "clientA";
};
};
};
}