org.keycloak.representations.idm.CredentialRepresentation Java Examples

The following examples show how to use org.keycloak.representations.idm.CredentialRepresentation. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: UserTest.java    From keycloak with Apache License 2.0 8 votes vote down vote up
/**
 * Verifies that an admin can delete a user's only credential and set a password again.
 *
 * The user "john-doh@localhost" must start with exactly one credential of type "password".
 * If an assertion fails after the removal, the user is left without a password.
 */
@Test
public void testDeleteCredentials() {
    UserResource userResource = ApiUtil.findUserByUsernameId(testRealm(), "john-doh@localhost");
    List<CredentialRepresentation> initialCredentials = userResource.credentials();
    Assert.assertEquals(1, initialCredentials.size());
    CredentialRepresentation passwordCredential = initialCredentials.get(0);
    Assert.assertEquals("password", passwordCredential.getType());

    // Delete the password by its credential id; the user must then hold no credential at all
    String passwordId = passwordCredential.getId();
    userResource.removeCredential(passwordId);
    Assert.assertEquals(0, userResource.credentials().size());

    // Set a password again by reusing the fetched representation with a clear-text value
    passwordCredential.setValue("password");
    userResource.resetPassword(passwordCredential);
    Assert.assertEquals(1, userResource.credentials().size());
}
 
Example #2
Source File: ApiUtil.java    From keycloak with Apache License 2.0 7 votes vote down vote up
/**
 * Replaces the password of the given user through the admin API.
 *
 * @param userResource admin resource of the user whose password is replaced
 * @param newPassword  clear-text password to set; callers should keep it out of logs
 * @param temporary    forwarded to {@code setTemporary}; presumably forces the user to choose
 *                     a new password at next login when {@code true} - confirm against Keycloak docs
 */
public static void resetUserPassword(UserResource userResource, String newPassword, boolean temporary) {
    final CredentialRepresentation passwordRep = new CredentialRepresentation();
    passwordRep.setType(PASSWORD);
    passwordRep.setTemporary(temporary);
    passwordRep.setValue(newPassword);

    userResource.resetPassword(passwordRep);
}
 
Example #3
Source File: KeycloakRealmResourceManager.java    From quarkus with Apache License 2.0 7 votes vote down vote up
/**
 * Builds an enabled user representation with the given realm roles and one password credential.
 *
 * The password is the username itself and is not flagged temporary, so it is trivially
 * guessable. Keep this helper confined to throwaway test realms.
 *
 * @param username   login name, also used as the password value
 * @param realmRoles realm roles assigned to the user
 * @return the populated representation (nothing is sent to a server here)
 */
private static UserRepresentation createUser(String username, String... realmRoles) {
    CredentialRepresentation passwordCredential = new CredentialRepresentation();
    passwordCredential.setType(CredentialRepresentation.PASSWORD);
    passwordCredential.setTemporary(false);
    // Fixture shortcut: password == username
    passwordCredential.setValue(username);

    UserRepresentation testUser = new UserRepresentation();
    testUser.setUsername(username);
    testUser.setEnabled(true);
    testUser.setRealmRoles(Arrays.asList(realmRoles));
    testUser.setCredentials(new ArrayList<>());
    testUser.getCredentials().add(passwordCredential);

    return testUser;
}
 
Example #4
Source File: KeycloakRealmResourceManager.java    From quarkus with Apache License 2.0 7 votes vote down vote up
/**
 * Creates the representation of an enabled user holding the given realm roles.
 *
 * The single credential added is a non-temporary password equal to the username. That is a
 * deliberately weak fixture value and must not be reused for accounts outside test realms.
 *
 * @param username   login name; doubles as the password
 * @param realmRoles realm roles to assign
 * @return the user representation, not yet submitted anywhere
 */
private static UserRepresentation createUser(String username, String... realmRoles) {
    UserRepresentation account = new UserRepresentation();
    account.setEnabled(true);
    account.setUsername(username);
    account.setRealmRoles(Arrays.asList(realmRoles));
    account.setCredentials(new ArrayList<>());

    // Weak by design: the password mirrors the username
    CredentialRepresentation usernameAsPassword = new CredentialRepresentation();
    usernameAsPassword.setValue(username);
    usernameAsPassword.setType(CredentialRepresentation.PASSWORD);
    usernameAsPassword.setTemporary(false);
    account.getCredentials().add(usernameAsPassword);

    return account;
}
 
Example #5
Source File: RunHelpers.java    From keycloak with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a wrapper whose server-side task returns the first stored password credential of
 * the user named {@code username} in the session's current realm.
 *
 * The task calls {@code get(0)} on the stored credentials, so it throws
 * {@link IndexOutOfBoundsException} when the user has no stored password credential.
 * NOTE(review): the returned CredentialModel presumably carries the stored secret data
 * (hash, salt); keep this helper in test code and keep its result out of logs - confirm.
 *
 * @param username name of the user to look up
 * @return wrapper pairing the server-side fetch with the expected result class
 */
public static FetchOnServerWrapper<CredentialModel> fetchCredentials(String username) {
    // Raw anonymous class: the compiler does not check the CredentialModel type argument here
    return new FetchOnServerWrapper() {

        @Override
        public FetchOnServer getRunOnServer() {
            return (FetchOnServer) session -> {
                RealmModel realm = session.getContext().getRealm();
                // NOTE(review): the lookup result is not null-checked before use - verify
                // what getUserByUsername returns for an unknown username
                UserModel user = session.users().getUserByUsername(username, realm);
                List<CredentialModel> storedCredentialsByType = session.userCredentialManager().getStoredCredentialsByType(realm, user, CredentialRepresentation.PASSWORD);
                // Debug output: prints only the number of credentials, not their content
                System.out.println(storedCredentialsByType.size());
                return storedCredentialsByType.get(0);
            };
        }

        @Override
        public Class getResultClass() {
            return CredentialModel.class;
        }
    };
}
 
Example #6
Source File: TotpBean.java    From keycloak with Apache License 2.0 6 votes vote down vote up
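/**
 * Builds the TOTP bean for the given user: whether OTP is configured, the user's OTP
 * credentials, and a freshly generated secret in raw, encoded and QR-code form.
 *
 * A new secret is generated on every construction, whether or not OTP is already configured.
 * NOTE(review): the secret fields should only ever be shown to the authenticated user on the
 * setup page and kept out of logs and caches - confirm how the template exposes them.
 *
 * @param session    current Keycloak session, used to query the credential manager
 * @param realm      realm the user belongs to
 * @param user       user whose OTP state is described
 * @param uriBuilder stored as-is in the bean
 */
public TotpBean(KeycloakSession session, RealmModel realm, UserModel user, UriBuilder uriBuilder) {
    this.uriBuilder = uriBuilder;
    this.enabled = session.userCredentialManager().isConfiguredFor(realm, user, OTPCredentialModel.TYPE);
    if (enabled) {
        List<CredentialModel> storedOtpCredentials = session.userCredentialManager().getStoredCredentialsByType(realm, user, OTPCredentialModel.TYPE);

        if (storedOtpCredentials.isEmpty()) {
            // OTP is configured but nothing is stored locally, i.e. it lives on the user-storage
            // side. Expose a placeholder credential, as is done for the new account console.
            CredentialRepresentation credential = createUserStorageCredentialRepresentation(OTPCredentialModel.TYPE);
            this.otpCredentials = Collections.singletonList(RepresentationToModel.toModel(credential));
        } else {
            this.otpCredentials = storedOtpCredentials;
        }
    } else {
        // Type-safe empty list instead of the raw Collections.EMPTY_LIST constant
        this.otpCredentials = Collections.emptyList();
    }

    this.realm = realm;
    // 20 is the length passed to the generator; presumably characters - confirm in HmacOTP
    this.totpSecret = HmacOTP.generateSecret(20);
    this.totpSecretEncoded = TotpUtils.encode(totpSecret);
    this.totpSecretQrCode = TotpUtils.qrCode(totpSecret, realm, user);
}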
 
Example #7
Source File: RepresentationToModel.java    From keycloak with Apache License 2.0 6 votes vote down vote up
/**
 * Creates the credentials listed in {@code userRep} for {@code user}.
 *
 * Credentials whose id already exists for the user are skipped. A credential with a non-empty
 * value is stored as a password through the credential manager; any other credential is
 * converted with {@code toModel} and created through the provider.
 *
 * NOTE(review): {@code adminRequest} is not read anywhere in this method, and the second
 * argument of {@code UserCredentialModel.password} is hard-coded to {@code false} - confirm
 * that this is intended.
 *
 * @param userRep      representation holding the credentials to create (may hold none)
 * @param session      current Keycloak session
 * @param realm        realm in which the credentials are created
 * @param user         user receiving the credentials
 * @param adminRequest unused in this method
 * @throws PasswordPolicyNotMetException when updating the password raises a ModelException
 */
public static void createCredentials(UserRepresentation userRep, KeycloakSession session, RealmModel realm, UserModel user, boolean adminRequest) {
    convertDeprecatedCredentialsFormat(userRep);
    if (userRep.getCredentials() != null) {
        for (CredentialRepresentation cred : userRep.getCredentials()) {
            // Do not re-create a credential that is already stored under the same id
            if (cred.getId() != null && session.userCredentialManager().getStoredCredentialById(realm, user, cred.getId()) != null) {
                continue;
            }
            // A raw value is treated as a clear-text password. This branch looks only at the
            // value, not at cred.getType() or cred.isTemporary().
            // NOTE(review): presumably convertDeprecatedCredentialsFormat normalises the type - verify
            if (cred.getValue() != null && !cred.getValue().isEmpty()) {
                RealmModel origRealm = session.getContext().setRealm == null ? null : session.getContext().getRealm();
                try {
                    session.getContext().setRealm(realm);
                    session.userCredentialManager().updateCredential(realm, user, UserCredentialModel.password(cred.getValue(), false));
                } catch (ModelException ex) {
                    throw new PasswordPolicyNotMetException(ex.getMessage(), user.getUsername(), ex);
                } finally {
                    session.getContext().setRealm(origRealm);
                }
            } else {
                session.userCredentialManager().createCredentialThroughProvider(realm, user, toModel(cred));
            }
        }
    }
}
 
Example #8
Source File: UserTest.java    From keycloak with Apache License 2.0 6 votes vote down vote up
/**
 * Verifies that resetting a password to a single space is rejected with HTTP 400 and that
 * the rejected request produces no admin event.
 */
@Test
public void resetUserInvalidPassword() {
    String userId = createUser("user1", "user1@localhost");

    // A whitespace-only value must not be accepted as a password
    CredentialRepresentation blankPassword = new CredentialRepresentation();
    blankPassword.setType(CredentialRepresentation.PASSWORD);
    blankPassword.setValue(" ");
    blankPassword.setTemporary(false);

    try {
        realm.users().get(userId).resetPassword(blankPassword);
        fail("Expected failure");
    } catch (ClientErrorException rejected) {
        assertEquals(400, rejected.getResponse().getStatus());
        rejected.getResponse().close();
        // A failed reset must leave no trace in the admin event log
        assertAdminEvents.assertEmpty();
    }
}
 
Example #9
Source File: BackwardsCompatibilityUserStorageTest.java    From keycloak with Apache License 2.0 6 votes vote down vote up
/**
 * Creates an enabled user, checks that it was stored by the backwards-compatibility provider,
 * and gives it a non-temporary password.
 *
 * @param username login name of the new user
 * @param password clear-text password to set
 * @return id of the created user
 */
private String addUserAndResetPassword(String username, String password) {
    // Create the user; the provider part of the returned id shows which storage holds it
    UserRepresentation newUser = new UserRepresentation();
    newUser.setUsername(username);
    newUser.setEnabled(true);
    Response createResponse = testRealmResource().users().create(newUser);
    String createdId = ApiUtil.getCreatedId(createResponse);

    Assert.assertEquals(backwardsCompProviderId, new StorageId(createdId).getProviderId());

    // Set the password through the admin API
    CredentialRepresentation passwordCredential = new CredentialRepresentation();
    passwordCredential.setType(CredentialModel.PASSWORD);
    passwordCredential.setTemporary(false);
    passwordCredential.setValue(password);
    testRealmResource().users().get(createdId).resetPassword(passwordCredential);

    return createdId;
}
 
Example #10
Source File: UserTest.java    From keycloak with Apache License 2.0 6 votes vote down vote up
@Test
public void testGetAndMoveCredentials() {
    importTestRealms();

    UserResource user = ApiUtil.findUserByUsernameId(testRealm(), "user-with-two-configured-otp");
    List<CredentialRepresentation> creds = user.credentials();
    List<String> expectedCredIds = Arrays.asList(creds.get(0).getId(), creds.get(1).getId(), creds.get(2).getId());

    // Check actual user credentials
    assertSameIds(expectedCredIds, user.credentials());

    // Move first credential after second one
    user.moveCredentialAfter(expectedCredIds.get(0), expectedCredIds.get(1));
    List<String> newOrderCredIds = Arrays.asList(expectedCredIds.get(1), expectedCredIds.get(0), expectedCredIds.get(2));
    assertSameIds(newOrderCredIds, user.credentials());

    // Move last credential in first position
    user.moveCredentialToFirst(expectedCredIds.get(2));
    newOrderCredIds = Arrays.asList(expectedCredIds.get(2), expectedCredIds.get(1), expectedCredIds.get(0));
    assertSameIds(newOrderCredIds, user.credentials());

    // Restore initial state
    user.moveCredentialToFirst(expectedCredIds.get(1));
    user.moveCredentialToFirst(expectedCredIds.get(0));
    assertSameIds(expectedCredIds, user.credentials());
}
 
Example #11
Source File: ServiceAccountTest.java    From keycloak with Apache License 2.0 6 votes vote down vote up
@Test
public void failManagePassword() {
    UserResource serviceAccount = adminClient.realm("test").users().get(userId);
    UserRepresentation representation = serviceAccount.toRepresentation();

    CredentialRepresentation password = new CredentialRepresentation();
    password.setValue("password");
    password.setType(CredentialRepresentation.PASSWORD);
    password.setTemporary(false);

    representation.setCredentials(Arrays.asList(password));

    this.expectedException.expect(Matchers.allOf(Matchers.instanceOf(ClientErrorException.class), 
            Matchers.hasProperty("response", Matchers.hasProperty("status", Matchers.is(400)))));
    this.expectedException.reportMissingExceptionWithMessage("Should fail, should not be possible to manage credentials for service accounts");

    serviceAccount.update(representation);
}
 
Example #12
Source File: UserTest.java    From keycloak with Apache License 2.0 6 votes vote down vote up
@Test
public void createUserWithInvalidPolicyPassword() {
    RealmRepresentation rep = realm.toRepresentation();
    String passwordPolicy = rep.getPasswordPolicy();
    rep.setPasswordPolicy("length(8)");
    realm.update(rep);
    UserRepresentation user = new UserRepresentation();
    user.setUsername("user4");
    user.setEmail("user4@localhost");
    CredentialRepresentation rawPassword = new CredentialRepresentation();
    rawPassword.setValue("ABCD");
    rawPassword.setType(CredentialRepresentation.PASSWORD);
    user.setCredentials(Arrays.asList(rawPassword));
    Response response = realm.users().create(user);
    assertEquals(400, response.getStatus());
    ErrorRepresentation error = response.readEntity(ErrorRepresentation.class);
    Assert.assertEquals("Password policy not met", error.getErrorMessage());
    rep.setPasswordPolicy(passwordPolicy);
    realm.update(rep);
    response.close();
}
 
Example #13
Source File: KeyCloakServiceImpl.java    From sunbird-lms-service with MIT License 6 votes vote down vote up
/**
 * This method will do the user password update.
 *
 * @param userId String
 * @param password String
 * @return boolean true/false
 */
@Override
public boolean doPasswordUpdate(String userId, String password) {
  try {
    String fedUserId = getFederatedUserId(userId);

    CredentialRepresentation temporaryPassword = new CredentialRepresentation();
    temporaryPassword.setType(CredentialRepresentation.PASSWORD);
    temporaryPassword.setValue(password);
    // The new password is always flagged temporary
    temporaryPassword.setTemporary(true);

    keycloak
        .realm(KeyCloakConnectionProvider.SSO_REALM)
        .users()
        .get(fedUserId)
        .resetPassword(temporaryPassword);
    return true;
  } catch (Exception ex) {
    // Any failure is reported to the caller only as false; the details go to the log.
    // NOTE(review): confirm that exception messages logged here can never echo the password.
    ProjectLogger.log(ex.getMessage(), ex);
    return false;
  }
}
 
Example #14
Source File: KeycloakTestResource.java    From quarkus with Apache License 2.0 6 votes vote down vote up
/**
 * Assembles an enabled user with the given realm roles and a password credential.
 *
 * The password value is the username and the credential is not temporary, which makes the
 * account guessable by anyone who knows the login name. Use in test realms only.
 *
 * @param username   login name and, at the same time, the password
 * @param realmRoles realm roles granted to the user
 * @return the assembled representation
 */
private static UserRepresentation createUser(String username, String... realmRoles) {
    CredentialRepresentation fixturePassword = new CredentialRepresentation();
    fixturePassword.setType(CredentialRepresentation.PASSWORD);
    // Fixture value: same string as the login name
    fixturePassword.setValue(username);
    fixturePassword.setTemporary(false);

    UserRepresentation fixtureUser = new UserRepresentation();
    fixtureUser.setUsername(username);
    fixtureUser.setEnabled(true);
    fixtureUser.setCredentials(new ArrayList<>());
    fixtureUser.getCredentials().add(fixturePassword);
    fixtureUser.setRealmRoles(Arrays.asList(realmRoles));

    return fixtureUser;
}
 
Example #15
Source File: KeycloakDevModeRealmResourceManager.java    From quarkus with Apache License 2.0 6 votes vote down vote up
/**
 * Returns a representation of an enabled user with the given realm roles.
 *
 * The only credential is a non-temporary password identical to the username. Such a
 * predictable default belongs in dev and test realms only, never in a realm that is
 * reachable by real users.
 *
 * @param username   login name, reused as the password
 * @param realmRoles realm roles for the user
 * @return the new representation
 */
private static UserRepresentation createUser(String username, String... realmRoles) {
    UserRepresentation devUser = new UserRepresentation();
    devUser.setEnabled(true);
    devUser.setUsername(username);
    devUser.setRealmRoles(Arrays.asList(realmRoles));
    devUser.setCredentials(new ArrayList<>());

    CredentialRepresentation devPassword = new CredentialRepresentation();
    devPassword.setTemporary(false);
    devPassword.setType(CredentialRepresentation.PASSWORD);
    // Predictable on purpose: password equals login name
    devPassword.setValue(username);
    devUser.getCredentials().add(devPassword);

    return devUser;
}
 
Example #16
Source File: UserTest.java    From keycloak with Apache License 2.0 6 votes vote down vote up
/**
 * Verifies that a clear-text password supplied at user creation is stored hashed: the stored
 * credential must use the default hash algorithm and iteration count, and its secret value
 * must differ from the clear text.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void createUserWithRawCredentials() {
    CredentialRepresentation clearTextPassword = new CredentialRepresentation();
    clearTextPassword.setType(CredentialRepresentation.PASSWORD);
    clearTextPassword.setValue("ABCD");

    UserRepresentation newUser = new UserRepresentation();
    newUser.setUsername("user_rawpw");
    newUser.setEmail("email.raw@localhost");
    newUser.setCredentials(Arrays.asList(clearTextPassword));

    createUser(newUser);

    // Inspect what the server actually stored for the user
    CredentialModel stored = fetchCredentials("user_rawpw");
    assertNotNull("Expecting credential", stored);
    PasswordCredentialModel storedPassword = PasswordCredentialModel.createFromCredentialModel(stored);
    assertEquals(PasswordPolicy.HASH_ALGORITHM_DEFAULT, storedPassword.getPasswordCredentialData().getAlgorithm());
    assertEquals(PasswordPolicy.HASH_ITERATIONS_DEFAULT, storedPassword.getPasswordCredentialData().getHashIterations());
    // The stored secret must not be the clear text that was submitted
    assertNotEquals("ABCD", storedPassword.getPasswordSecretData().getValue());
    assertEquals(CredentialRepresentation.PASSWORD, stored.getType());
}
 
Example #17
Source File: KeycloakRealmResourceManager.java    From quarkus with Apache License 2.0 6 votes vote down vote up
/**
 * Builds an enabled user with the given realm roles, an e-mail address derived from the
 * username, and one password credential.
 *
 * The password equals the username and is not temporary, so treat the account as a test
 * fixture only.
 * NOTE(review): the address uses a real public mail domain; a reserved domain such as
 * example.com would rule out mail reaching a real mailbox if the realm ever sends e-mail.
 *
 * @param username   login name, password value and local part of the e-mail address
 * @param realmRoles realm roles assigned to the user
 * @return the populated representation
 */
private static UserRepresentation createUser(String username, String... realmRoles) {
    CredentialRepresentation passwordCredential = new CredentialRepresentation();
    passwordCredential.setType(CredentialRepresentation.PASSWORD);
    passwordCredential.setTemporary(false);
    // Fixture shortcut: password == username
    passwordCredential.setValue(username);

    UserRepresentation testUser = new UserRepresentation();
    testUser.setUsername(username);
    testUser.setEmail(username + "@gmail.com");
    testUser.setEnabled(true);
    testUser.setRealmRoles(Arrays.asList(realmRoles));
    testUser.setCredentials(new ArrayList<>());
    testUser.getCredentials().add(passwordCredential);

    return testUser;
}
 
Example #18
Source File: AccountRestServiceTest.java    From keycloak with Apache License 2.0 6 votes vote down vote up
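/**
 * Verifies the account REST credential listing for a user that has no password: the first
 * container must describe the password type with UPDATE_PASSWORD as its create action.
 *
 * The password is put back in a {@code finally} block, so a failing assertion does not leave
 * the shared test user without a password for later tests.
 *
 * @throws IOException if reading the credentials over REST fails
 */
@Test
public void testCredentialsForUserWithoutPassword() throws IOException {
    // Call REST once so that tokenUtil authenticates the user and obtains tokens now;
    // authenticating later would fail because the user will have no password. Result unused.
    getCredentials();

    UserResource user = ApiUtil.findUserByUsernameId(testRealm(), "test-user@localhost");
    try {
        // Remove every password credential from the user
        for (CredentialRepresentation credential : user.credentials()) {
            if (PasswordCredentialModel.TYPE.equals(credential.getType())) {
                user.removeCredential(credential.getId());
            }
        }

        // The listing must still offer the password type, now with UPDATE_PASSWORD as create action
        List<AccountCredentialResource.CredentialContainer> credentials = getCredentials();
        AccountCredentialResource.CredentialContainer password = credentials.get(0);
        assertCredentialContainerExpected(password, PasswordCredentialModel.TYPE, CredentialTypeMetadata.Category.BASIC_AUTHENTICATION.toString(),
                "password-display-name", "password-help-text", "kcAuthenticatorPasswordClass",
                UserModel.RequiredAction.UPDATE_PASSWORD.toString(), null, false, 0);
    } finally {
        // Re-add the password whether or not the assertions passed
        ApiUtil.resetUserPassword(user, "password", false);
    }
}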
 
Example #19
Source File: UserTest.java    From keycloak with Apache License 2.0 6 votes vote down vote up
/**
 * Verifies that creating a user with a temporary password leaves exactly one required
 * action on the user, UPDATE_PASSWORD.
 */
@Test
public void createUserWithTempolaryCredentials() {
    CredentialRepresentation temporaryPassword = new CredentialRepresentation();
    temporaryPassword.setType(CredentialRepresentation.PASSWORD);
    temporaryPassword.setValue("password");
    temporaryPassword.setTemporary(true);

    UserRepresentation newUser = new UserRepresentation();
    newUser.setUsername("user_temppw");
    newUser.setEmail("email.temppw@localhost");
    newUser.setCredentials(Arrays.asList(temporaryPassword));

    String createdId = createUser(newUser);

    // Read the user back: the temporary flag must have become a required action
    UserRepresentation created = realm.users().get(createdId).toRepresentation();
    Assert.assertEquals(1, created.getRequiredActions().size());
    Assert.assertEquals(UserModel.RequiredAction.UPDATE_PASSWORD.toString(), created.getRequiredActions().get(0));
}
 
Example #20
Source File: UserBuilder.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * This method adds additional passwords to the user.
 */
public UserBuilder addPassword(String password) {
    // The temporary flag is left unset on the credential built here
    CredentialRepresentation passwordCredential = new CredentialRepresentation();
    passwordCredential.setValue(password);
    passwordCredential.setType(CredentialRepresentation.PASSWORD);

    // Create the credential list on first use, then append to whatever is already there
    if (rep.getCredentials() == null) {
        rep.setCredentials(new LinkedList<>());
    }
    rep.getCredentials().add(passwordCredential);

    return this;
}
 
Example #21
Source File: ManyUsersTest.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Creates the user through the superclass and, depending on the test flags, adds two
 * attributes, a fixed password and a social link.
 *
 * @param users resource used to create and look up users
 * @param user  representation to create; its attributes are overwritten when CREATE_OBJECTS is set
 * @return the representation returned by the superclass
 */
@Override
public UserRepresentation createUser(UsersResource users, UserRepresentation user) {
    if (CREATE_OBJECTS) {
        // Two extra attributes, set before the user is created
        Map<String, List<String>> extraAttributes = new HashMap<>();
        extraAttributes.put("attr1", Collections.singletonList("val1"));
        extraAttributes.put("attr2", Collections.singletonList("val2"));
        user.setAttributes(extraAttributes);
    }

    UserRepresentation created = super.createUser(users, user);

    if (CREATE_OBJECTS) {
        // Every generated user gets the same fixed, non-temporary password
        CredentialRepresentation sharedPassword = new CredentialRepresentation();
        sharedPassword.setType(CredentialRepresentation.PASSWORD);
        sharedPassword.setTemporary(false);
        sharedPassword.setValue("password");
        users.get(created.getId()).resetPassword(sharedPassword);
    }

    if (CREATE_SOCIAL_LINKS) {
        createSocialLink("facebook", users, created.getId());
    }

    return created;
}
 
Example #22
Source File: WebAuthnRegisterAndLoginTest.java    From keycloak with Apache License 2.0 5 votes vote down vote up
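/**
 * Asserts that every two-factor WebAuthn credential of the user carries the expected AAGUID
 * and attestation statement format.
 *
 * NOTE(review): credentials of other types are skipped, so the method passes when the user
 * has no two-factor WebAuthn credential at all; callers that need one must assert it themselves.
 *
 * @param userId                     id of the user whose credentials are checked
 * @param aaguid                     expected authenticator AAGUID
 * @param attestationStatementFormat expected attestation statement format
 * @throws AssertionError if a value differs or the credential data cannot be parsed
 */
private void assertRegisteredCredentials(String userId, String aaguid, String attestationStatementFormat) {
    for (CredentialRepresentation credential : getCredentials(userId)) {
        if (!WebAuthnCredentialModel.TYPE_TWOFACTOR.equals(credential.getType())) {
            continue;
        }
        try {
            WebAuthnCredentialData data = JsonSerialization.readValue(credential.getCredentialData(), WebAuthnCredentialData.class);
            assertEquals(aaguid, data.getAaguid());
            assertEquals(attestationStatementFormat, data.getAttestationStatementFormat());
        } catch (IOException e) {
            // Keep the parse error as the cause instead of failing without any message
            throw new AssertionError("Could not parse credential data of WebAuthn credential " + credential.getId(), e);
        }
    }
}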
 
Example #23
Source File: AccountRestServiceTest.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Access-control regression test: the logged-in account user must not be able to relabel or
 * delete a credential that belongs to another user, even when the credential id is known.
 *
 * Both requests are expected to return 404, and the other user's OTP credential must still
 * exist with an unchanged label afterwards.
 *
 * @throws IOException if one of the HTTP calls fails
 */
@Test
public void testCRUDCredentialOfDifferentUser() throws IOException {
    // Get the credential ID of the OTP credential of a user other than the one currently logged in.
    // findFirst().get() throws NoSuchElementException if that user has no OTP credential.
    UserResource user = ApiUtil.findUserByUsernameId(testRealm(), "user-with-one-configured-otp");
    CredentialRepresentation otpCredential = user.credentials().stream()
            .filter(credentialRep -> OTPCredentialModel.TYPE.equals(credentialRep.getType()))
            .findFirst()
            .get();

    // The current user must not be able to update a credential that belongs to a different user
    SimpleHttp.Response response = SimpleHttp
            .doPut(getAccountUrl("credentials/" + otpCredential.getId() + "/label"), httpClient)
            .auth(tokenUtil.getToken())
            .json("new-label")
            .asResponse();
    assertEquals(404, response.getStatus());

    // The current user must not be able to delete a credential that belongs to a different user
    response = SimpleHttp
            .doDelete(getAccountUrl("credentials/" + otpCredential.getId()), httpClient)
            .acceptJson()
            .auth(tokenUtil.getToken())
            .asResponse();
    assertEquals(404, response.getStatus());

    // Assert the credential was neither updated nor removed: a removed credential makes get()
    // throw here, and a changed label fails the comparison below
    CredentialRepresentation otpCredentialLoaded = user.credentials().stream()
            .filter(credentialRep -> OTPCredentialModel.TYPE.equals(credentialRep.getType()))
            .findFirst()
            .get();
    Assert.assertTrue(ObjectUtil.isEqualOrBothNull(otpCredential.getUserLabel(), otpCredentialLoaded.getUserLabel()));
}
 
Example #24
Source File: AccountFormServiceTest.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Access-control regression test for the account form: a logged-in user who submits the
 * delete action with another user's credential id must not remove that user's TOTP credential.
 *
 * The request carries the submitting user's own valid stateChecker value, so the only thing
 * that can stop the deletion is an ownership check on the credential id.
 */
@Test
public void removeTotpAsDifferentUser() {
    // Remember the OTP credential of the user who plays the victim
    UserResource user1 = ApiUtil.findUserByUsernameId(testRealm(), "user-with-one-configured-otp");
    CredentialRepresentation otpCredential = user1.credentials().stream()
            .filter(credentialRep -> OTPCredentialModel.TYPE.equals(credentialRep.getType()))
            .findFirst()
            .get();

    // Login as evil user (test-user@localhost) and setup TOTP
    totpPage.open();
    loginPage.login("test-user@localhost", "password");
    Assert.assertTrue(totpPage.isCurrent());

    totpPageSetup();

    totpPage.configure(totp.generateTOTP(totpPage.getTotpSecret()));

    Assert.assertEquals("Mobile authenticator configured.", profilePage.getSuccess());

    // stateChecker value read from the page of the logged-in user
    String currentStateChecker = driver.findElement(By.id("stateChecker")).getAttribute("value");


    // Try to delete the TOTP of "user-with-one-configured-otp" by replacing the ID of the TOTP credential in the request
    String currentURL = driver.getCurrentUrl();

    String formParameters = "stateChecker=" + currentStateChecker
            + "&submitAction=Delete"
            + "&credentialId=" + otpCredential.getId();

    URLUtils.sendPOSTRequestWithWebDriver(currentURL, formParameters);

    // Assert credential of "user-with-one-configured-otp" was NOT deleted and is still present for the user
    Assert.assertTrue(user1.credentials().stream()
            .anyMatch(credentialRepresentation -> credentialRepresentation.getType().equals(OTPCredentialModel.TYPE)));

    // Remove TOTP for "test-user" and logout, so the TOTP configured above does not leak into other tests
    totpPage.removeTotp();
    totpPage.logout();
}
 
Example #25
Source File: PasswordHistoryPolicyTest.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Sets a new, non-temporary password for the given user through the admin API.
 *
 * @param userResource admin resource of the user
 * @param newPassword  clear-text password to set
 */
public void resetUserPassword(UserResource userResource, String newPassword) {
    final CredentialRepresentation passwordRep = new CredentialRepresentation();
    passwordRep.setValue(newPassword);
    passwordRep.setType(PASSWORD);
    passwordRep.setTemporary(false);

    userResource.resetPassword(passwordRep);
}
 
Example #26
Source File: LDAPProvidersIntegrationTest.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Asserts that the user has no locally stored password credential while the user-storage
 * side reports the password type as configured.
 *
 * @param user admin resource of the user to check
 */
private void assertPasswordConfiguredThroughLDAPOnly(UserResource user) {
    // None of the locally stored credentials may be of the password type
    for (CredentialRepresentation localCredential : user.credentials()) {
        Assert.assertFalse(PasswordCredentialModel.TYPE.equals(localCredential.getType()));
    }

    // The credential types configured on the user-storage side must include the password type
    List<String> providerCredentialTypes = user.getConfiguredUserStorageCredentialTypes();
    Assert.assertTrue(providerCredentialTypes.contains(PasswordCredentialModel.TYPE));
}
 
Example #27
Source File: UserTest.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that deleting a user's password credential through the admin API takes effect
 * for authentication: the login that worked before the deletion must fail afterwards.
 */
@Test
public void loginShouldFailAfterPasswordDeleted() {
    String userName = "credential-tester";
    String userPass = "s3cr37";
    String userId = createUser(REALM_NAME, userName, userPass);
    // Register the user for cleanup right away, so it is removed even if the test fails
    getCleanup(REALM_NAME).addUserId(userId);

    // Baseline: the password works before it is deleted
    String accountUrl = RealmsResource.accountUrl(UriBuilder.fromUri(getAuthServerRoot())).build(REALM_NAME).toString();
    driver.navigate().to(accountUrl);
    assertEquals("Test user should be on the login page.", "Log In", PageUtils.getPageTitle(driver));
    loginPage.login(userName, userPass);
    assertTrue("Test user should be successfully logged in.", driver.getTitle().contains("Account Management"));
    accountPage.logOut();

    // Find the password credential and delete it by id
    Optional<CredentialRepresentation> passwordCredential =
            realm.users().get(userId).credentials().stream()
                    .filter(c -> CredentialRepresentation.PASSWORD.equals(c.getType()))
                    .findFirst();
    assertTrue("Test user should have a password credential set.", passwordCredential.isPresent());
    realm.users().get(userId).removeCredential(passwordCredential.get().getId());

    // Same credentials again: the browser must stay on the authenticate URL instead of
    // reaching the account page
    driver.navigate().to(accountUrl);
    assertEquals("Test user should be on the login page.", "Log In", PageUtils.getPageTitle(driver));
    loginPage.login(userName, userPass);
    assertTrue("Test user should fail to log in after password was deleted.",
            driver.getCurrentUrl().contains(String.format("/realms/%s/login-actions/authenticate", REALM_NAME)));
}
 
Example #28
Source File: PasswordHashingTest.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Fetches, on the "test" server, the first stored password credential of the given user in
 * the session's current realm.
 *
 * {@code get(0)} throws IndexOutOfBoundsException when the user has no stored password credential.
 *
 * @param username name of the user to look up
 * @return the first stored password credential
 */
private CredentialModel fetchCredentials(String username) {
    return testingClient.server("test").fetch(
            serverSession -> {
                RealmModel currentRealm = serverSession.getContext().getRealm();
                UserModel foundUser = serverSession.users().getUserByUsername(username, currentRealm);
                return serverSession.userCredentialManager()
                        .getStoredCredentialsByType(currentRealm, foundUser, CredentialRepresentation.PASSWORD)
                        .get(0);
            },
            CredentialModel.class);
}
 
Example #29
Source File: UserTest.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Verifies that a clear-text password is stored hashed both when it is supplied at user
 * creation and when it is supplied in a later user update: each time the stored credential
 * must use the default hash algorithm and iteration count, and its secret value must differ
 * from the submitted clear text.
 */
@Test
@AuthServerContainerExclude(AuthServer.REMOTE)
public void updateUserWithRawCredentials() {
    UserRepresentation user = new UserRepresentation();
    user.setUsername("user_rawpw");
    user.setEmail("email.raw@localhost");

    // First clear-text password, sent with the create request
    CredentialRepresentation rawPassword = new CredentialRepresentation();
    rawPassword.setValue("ABCD");
    rawPassword.setType(CredentialRepresentation.PASSWORD);
    user.setCredentials(Arrays.asList(rawPassword));

    String id = createUser(user);

    // Inspect what the server stored after creation
    PasswordCredentialModel credential = PasswordCredentialModel
            .createFromCredentialModel(fetchCredentials("user_rawpw"));
    assertNotNull("Expecting credential", credential);
    assertEquals(PasswordPolicy.HASH_ALGORITHM_DEFAULT, credential.getPasswordCredentialData().getAlgorithm());
    assertEquals(PasswordPolicy.HASH_ITERATIONS_DEFAULT, credential.getPasswordCredentialData().getHashIterations());
    // The stored secret must not be the clear text
    assertNotEquals("ABCD", credential.getPasswordSecretData().getValue());
    assertEquals(CredentialRepresentation.PASSWORD, credential.getType());

    UserResource userResource = realm.users().get(id);
    UserRepresentation userRep = userResource.toRepresentation();

    // Second clear-text password, sent with an update of the existing user
    CredentialRepresentation rawPasswordForUpdate = new CredentialRepresentation();
    rawPasswordForUpdate.setValue("EFGH");
    rawPasswordForUpdate.setType(CredentialRepresentation.PASSWORD);
    userRep.setCredentials(Arrays.asList(rawPasswordForUpdate));

    updateUser(userResource, userRep);

    // Same checks for the credential stored after the update.
    // NOTE(review): the test does not compare the two stored values, so it does not by itself
    // show that the update replaced the first password
    PasswordCredentialModel updatedCredential = PasswordCredentialModel
            .createFromCredentialModel(fetchCredentials("user_rawpw"));
    assertNotNull("Expecting credential", updatedCredential);
    assertEquals(PasswordPolicy.HASH_ALGORITHM_DEFAULT, updatedCredential.getPasswordCredentialData().getAlgorithm());
    assertEquals(PasswordPolicy.HASH_ITERATIONS_DEFAULT, updatedCredential.getPasswordCredentialData().getHashIterations());
    assertNotEquals("EFGH", updatedCredential.getPasswordSecretData().getValue());
    assertEquals(CredentialRepresentation.PASSWORD, updatedCredential.getType());
}
 
Example #30
Source File: SigningInTest.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Returns the page object for the last credential listed for the test user and asserts that
 * it is present on the page.
 *
 * Treats the last list entry as the newest credential; an empty list makes the index lookup throw.
 *
 * @param credentialType credential type used to look up the page object by credential id
 * @return the page object of the last listed credential
 */
private SigningInPage.UserCredential getNewestUserCredential(SigningInPage.CredentialType credentialType) {
    List<CredentialRepresentation> allCredentials = testUserResource().credentials();
    int lastIndex = allCredentials.size() - 1;
    String newestId = allCredentials.get(lastIndex).getId();

    SigningInPage.UserCredential newest = credentialType.getUserCredential(newestId);
    assertTrue(newest.isPresent());
    return newest;
}