1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
community.general/tests/unit/plugins/modules/test_keycloak_user_federation.py
fgruenbauer 2942eda8e0
keycloak_user_federation: add mapper removal (#8695)
* add unwanted mapper removal

* check for mapper updates in already fetched data to remove unnecessary API calls

* added mock answers and updated request count to match the added delete and fetch after_comp calls

* fix sanity issues

* add changelog fragment

* removed automatic field numbering from format

* replace filter expression with list comprehension

Co-authored-by: Felix Fontein <felix@fontein.de>

* add module name, link to issue and link to PR to changelog

Co-authored-by: Felix Fontein <felix@fontein.de>

* Use list comprehension.

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
2024-08-12 07:55:17 +02:00

628 lines
23 KiB
Python

# -*- coding: utf-8 -*-
# Copyright (c) 2021, Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
from __future__ import absolute_import, division, print_function
__metaclass__ = type
from contextlib import contextmanager
from ansible_collections.community.general.tests.unit.compat import unittest
from ansible_collections.community.general.tests.unit.compat.mock import patch
from ansible_collections.community.general.tests.unit.plugins.modules.utils import AnsibleExitJson, ModuleTestCase, set_module_args
from ansible_collections.community.general.plugins.modules import keycloak_user_federation
from itertools import count
from ansible.module_utils.six import StringIO
@contextmanager
def patch_keycloak_api(get_components=None, get_component=None, create_component=None, update_component=None, delete_component=None):
"""Mock context manager for patching the methods in KeycloakAPI
"""
obj = keycloak_user_federation.KeycloakAPI
with patch.object(obj, 'get_components', side_effect=get_components) \
as mock_get_components:
with patch.object(obj, 'get_component', side_effect=get_component) \
as mock_get_component:
with patch.object(obj, 'create_component', side_effect=create_component) \
as mock_create_component:
with patch.object(obj, 'update_component', side_effect=update_component) \
as mock_update_component:
with patch.object(obj, 'delete_component', side_effect=delete_component) \
as mock_delete_component:
yield mock_get_components, mock_get_component, mock_create_component, mock_update_component, mock_delete_component
def get_response(object_with_future_response, method, get_id_call_count):
if callable(object_with_future_response):
return object_with_future_response()
if isinstance(object_with_future_response, dict):
return get_response(
object_with_future_response[method], method, get_id_call_count)
if isinstance(object_with_future_response, list):
call_number = next(get_id_call_count)
return get_response(
object_with_future_response[call_number], method, get_id_call_count)
return object_with_future_response
def build_mocked_request(get_id_user_count, response_dict):
def _mocked_requests(*args, **kwargs):
url = args[0]
method = kwargs['method']
future_response = response_dict.get(url, None)
return get_response(future_response, method, get_id_user_count)
return _mocked_requests
def create_wrapper(text_as_string):
"""Allow to mock many times a call to one address.
Without this function, the StringIO is empty for the second call.
"""
def _create_wrapper():
return StringIO(text_as_string)
return _create_wrapper
def mock_good_connection():
token_response = {
'http://keycloak.url/auth/realms/master/protocol/openid-connect/token': create_wrapper('{"access_token": "alongtoken"}'), }
return patch(
'ansible_collections.community.general.plugins.module_utils.identity.keycloak.keycloak.open_url',
side_effect=build_mocked_request(count(), token_response),
autospec=True
)
class TestKeycloakUserFederation(ModuleTestCase):
def setUp(self):
super(TestKeycloakUserFederation, self).setUp()
self.module = keycloak_user_federation
def test_create_when_absent(self):
"""Add a new user federation"""
module_args = {
'auth_keycloak_url': 'http://keycloak.url/auth',
'auth_realm': 'master',
'auth_username': 'admin',
'auth_password': 'admin',
'realm': 'realm-name',
'name': 'kerberos',
'state': 'present',
'provider_id': 'kerberos',
'provider_type': 'org.keycloak.storage.UserStorageProvider',
'config': {
'priority': 0,
'enabled': True,
'cachePolicy': 'DEFAULT',
'kerberosRealm': 'REALM',
'serverPrincipal': 'princ',
'keyTab': 'keytab',
'allowPasswordAuthentication': False,
'updateProfileFirstLogin': False,
},
}
return_value_component_create = [
{
"id": "ebb7d999-60cc-4dfe-ab79-48f7bbd9d4d9",
"name": "kerberos",
"providerId": "kerberos",
"providerType": "org.keycloak.storage.UserStorageProvider",
"parentId": "kerberos",
"config": {
"serverPrincipal": [
"princ"
],
"allowPasswordAuthentication": [
"false"
],
"keyTab": [
"keytab"
],
"cachePolicy": [
"DEFAULT"
],
"updateProfileFirstLogin": [
"false"
],
"kerberosRealm": [
"REALM"
],
"priority": [
"0"
],
"enabled": [
"true"
]
}
}
]
# get before_comp, get default_mapper, get after_mapper
return_value_components_get = [
[], [], []
]
changed = True
set_module_args(module_args)
# Run the module
with mock_good_connection():
with patch_keycloak_api(get_components=return_value_components_get, create_component=return_value_component_create) \
as (mock_get_components, mock_get_component, mock_create_component, mock_update_component, mock_delete_component):
with self.assertRaises(AnsibleExitJson) as exec_info:
self.module.main()
self.assertEqual(len(mock_get_components.mock_calls), 3)
self.assertEqual(len(mock_get_component.mock_calls), 0)
self.assertEqual(len(mock_create_component.mock_calls), 1)
self.assertEqual(len(mock_update_component.mock_calls), 0)
self.assertEqual(len(mock_delete_component.mock_calls), 0)
# Verify that the module's changed status matches what is expected
self.assertIs(exec_info.exception.args[0]['changed'], changed)
def test_create_when_present(self):
"""Update existing user federation"""
module_args = {
'auth_keycloak_url': 'http://keycloak.url/auth',
'auth_realm': 'master',
'auth_username': 'admin',
'auth_password': 'admin',
'realm': 'realm-name',
'name': 'kerberos',
'state': 'present',
'provider_id': 'kerberos',
'provider_type': 'org.keycloak.storage.UserStorageProvider',
'config': {
'priority': 0,
'enabled': True,
'cachePolicy': 'DEFAULT',
'kerberosRealm': 'REALM',
'serverPrincipal': 'princ',
'keyTab': 'keytab',
'allowPasswordAuthentication': False,
'updateProfileFirstLogin': False,
},
}
return_value_components_get = [
[
{
"id": "ebb7d999-60cc-4dfe-ab79-48f7bbd9d4d9",
"name": "kerberos",
"providerId": "kerberos",
"providerType": "org.keycloak.storage.UserStorageProvider",
"parentId": "kerberos",
"config": {
"serverPrincipal": [
"princ"
],
"allowPasswordAuthentication": [
"false"
],
"keyTab": [
"keytab"
],
"cachePolicy": [
"DEFAULT"
],
"updateProfileFirstLogin": [
"false"
],
"kerberosRealm": [
"REALM"
],
"priority": [
"0"
],
"enabled": [
"false"
]
}
}
],
[],
[]
]
return_value_component_get = [
{
"id": "ebb7d999-60cc-4dfe-ab79-48f7bbd9d4d9",
"name": "kerberos",
"providerId": "kerberos",
"providerType": "org.keycloak.storage.UserStorageProvider",
"parentId": "kerberos",
"config": {
"serverPrincipal": [
"princ"
],
"allowPasswordAuthentication": [
"false"
],
"keyTab": [
"keytab"
],
"cachePolicy": [
"DEFAULT"
],
"updateProfileFirstLogin": [
"false"
],
"kerberosRealm": [
"REALM"
],
"priority": [
"0"
],
"enabled": [
"true"
]
}
}
]
return_value_component_update = [
None
]
changed = True
set_module_args(module_args)
# Run the module
with mock_good_connection():
with patch_keycloak_api(get_components=return_value_components_get, get_component=return_value_component_get,
update_component=return_value_component_update) \
as (mock_get_components, mock_get_component, mock_create_component, mock_update_component, mock_delete_component):
with self.assertRaises(AnsibleExitJson) as exec_info:
self.module.main()
self.assertEqual(len(mock_get_components.mock_calls), 3)
self.assertEqual(len(mock_get_component.mock_calls), 1)
self.assertEqual(len(mock_create_component.mock_calls), 0)
self.assertEqual(len(mock_update_component.mock_calls), 1)
self.assertEqual(len(mock_delete_component.mock_calls), 0)
# Verify that the module's changed status matches what is expected
self.assertIs(exec_info.exception.args[0]['changed'], changed)
def test_create_with_mappers(self):
"""Add a new user federation with mappers"""
module_args = {
'auth_keycloak_url': 'http://keycloak.url/auth',
'auth_realm': 'master',
'auth_username': 'admin',
'auth_password': 'admin',
'realm': 'realm-name',
'name': 'ldap',
'state': 'present',
'provider_id': 'ldap',
'provider_type': 'org.keycloak.storage.UserStorageProvider',
'config': {
'priority': 0,
'enabled': True,
'cachePolicy': 'DEFAULT',
'batchSizeForSync': 1000,
'editMode': 'READ_ONLY',
'importEnabled': True,
'syncRegistrations': False,
'vendor': 'other',
'usernameLDAPAttribute': 'uid',
'rdnLDAPAttribute': 'uid',
'uuidLDAPAttribute': 'entryUUID',
'userObjectClasses': 'inetOrgPerson, organizationalPerson',
'connectionUrl': 'ldaps://ldap.example.com:636',
'usersDn': 'ou=Users,dc=example,dc=com',
'authType': 'none',
'searchScope': 1,
'validatePasswordPolicy': False,
'trustEmail': False,
'useTruststoreSpi': 'ldapsOnly',
'connectionPooling': True,
'pagination': True,
'allowKerberosAuthentication': False,
'krbPrincipalAttribute': 'krbPrincipalName',
'debug': False,
'useKerberosForPasswordAuthentication': False,
},
'mappers': [
{
'name': 'full name',
'providerId': 'full-name-ldap-mapper',
'providerType': 'org.keycloak.storage.ldap.mappers.LDAPStorageMapper',
'config': {
'ldap.full.name.attribute': 'cn',
'read.only': True,
'write.only': False,
}
}
]
}
return_value_components_get = [
[],
# exemplary default mapper created by keylocak
[
{
"config": {
"always.read.value.from.ldap": "false",
"is.mandatory.in.ldap": "false",
"ldap.attribute": "mail",
"read.only": "true",
"user.model.attribute": "email"
},
"id": "77e1763f-c51a-4286-bade-75577d64803c",
"name": "email",
"parentId": "e5f48aa3-b56b-4983-a8ad-2c7b8b5e77cb",
"providerId": "user-attribute-ldap-mapper",
"providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper"
},
],
[
{
"id": "2dfadafd-8b34-495f-a98b-153e71a22311",
"name": "full name",
"providerId": "full-name-ldap-mapper",
"providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
"parentId": "eb691537-b73c-4cd8-b481-6031c26499d8",
"config": {
"ldap.full.name.attribute": [
"cn"
],
"read.only": [
"true"
],
"write.only": [
"false"
]
}
}
]
]
return_value_component_delete = [
None
]
return_value_component_create = [
{
"id": "eb691537-b73c-4cd8-b481-6031c26499d8",
"name": "ldap",
"providerId": "ldap",
"providerType": "org.keycloak.storage.UserStorageProvider",
"parentId": "ldap",
"config": {
"pagination": [
"true"
],
"connectionPooling": [
"true"
],
"usersDn": [
"ou=Users,dc=example,dc=com"
],
"cachePolicy": [
"DEFAULT"
],
"useKerberosForPasswordAuthentication": [
"false"
],
"importEnabled": [
"true"
],
"enabled": [
"true"
],
"krbPrincipalAttribute": [
"krb5PrincipalName"
],
"usernameLDAPAttribute": [
"uid"
],
"vendor": [
"other"
],
"uuidLDAPAttribute": [
"entryUUID"
],
"connectionUrl": [
"ldaps://ldap.example.com:636"
],
"allowKerberosAuthentication": [
"false"
],
"syncRegistrations": [
"false"
],
"authType": [
"none"
],
"debug": [
"false"
],
"searchScope": [
"1"
],
"useTruststoreSpi": [
"ldapsOnly"
],
"trustEmail": [
"false"
],
"priority": [
"0"
],
"userObjectClasses": [
"inetOrgPerson, organizationalPerson"
],
"rdnLDAPAttribute": [
"uid"
],
"editMode": [
"READ_ONLY"
],
"validatePasswordPolicy": [
"false"
],
"batchSizeForSync": [
"1000"
]
}
},
{
"id": "2dfadafd-8b34-495f-a98b-153e71a22311",
"name": "full name",
"providerId": "full-name-ldap-mapper",
"providerType": "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
"parentId": "eb691537-b73c-4cd8-b481-6031c26499d8",
"config": {
"ldap.full.name.attribute": [
"cn"
],
"read.only": [
"true"
],
"write.only": [
"false"
]
}
}
]
changed = True
set_module_args(module_args)
# Run the module
with mock_good_connection():
with patch_keycloak_api(get_components=return_value_components_get, create_component=return_value_component_create) \
as (mock_get_components, mock_get_component, mock_create_component, mock_update_component, mock_delete_component):
with self.assertRaises(AnsibleExitJson) as exec_info:
self.module.main()
self.assertEqual(len(mock_get_components.mock_calls), 3)
self.assertEqual(len(mock_get_component.mock_calls), 0)
self.assertEqual(len(mock_create_component.mock_calls), 2)
self.assertEqual(len(mock_update_component.mock_calls), 0)
self.assertEqual(len(mock_delete_component.mock_calls), 1)
# Verify that the module's changed status matches what is expected
self.assertIs(exec_info.exception.args[0]['changed'], changed)
def test_delete_when_absent(self):
"""Remove an absent user federation"""
module_args = {
'auth_keycloak_url': 'http://keycloak.url/auth',
'auth_realm': 'master',
'auth_username': 'admin',
'auth_password': 'admin',
'realm': 'realm-name',
'name': 'kerberos',
'state': 'absent',
}
return_value_components_get = [
[]
]
changed = False
set_module_args(module_args)
# Run the module
with mock_good_connection():
with patch_keycloak_api(get_components=return_value_components_get) \
as (mock_get_components, mock_get_component, mock_create_component, mock_update_component, mock_delete_component):
with self.assertRaises(AnsibleExitJson) as exec_info:
self.module.main()
self.assertEqual(len(mock_get_components.mock_calls), 1)
self.assertEqual(len(mock_get_component.mock_calls), 0)
self.assertEqual(len(mock_create_component.mock_calls), 0)
self.assertEqual(len(mock_update_component.mock_calls), 0)
self.assertEqual(len(mock_delete_component.mock_calls), 0)
# Verify that the module's changed status matches what is expected
self.assertIs(exec_info.exception.args[0]['changed'], changed)
def test_delete_when_present(self):
"""Remove an existing user federation"""
module_args = {
'auth_keycloak_url': 'http://keycloak.url/auth',
'auth_realm': 'master',
'auth_username': 'admin',
'auth_password': 'admin',
'realm': 'realm-name',
'name': 'kerberos',
'state': 'absent',
}
return_value_components_get = [
[
{
"id": "ebb7d999-60cc-4dfe-ab79-48f7bbd9d4d9",
"name": "kerberos",
"providerId": "kerberos",
"providerType": "org.keycloak.storage.UserStorageProvider",
"parentId": "kerberos",
"config": {
"serverPrincipal": [
"princ"
],
"allowPasswordAuthentication": [
"false"
],
"keyTab": [
"keytab"
],
"cachePolicy": [
"DEFAULT"
],
"updateProfileFirstLogin": [
"false"
],
"kerberosRealm": [
"REALM"
],
"priority": [
"0"
],
"enabled": [
"false"
]
}
}
],
[]
]
return_value_component_delete = [
None
]
changed = True
set_module_args(module_args)
# Run the module
with mock_good_connection():
with patch_keycloak_api(get_components=return_value_components_get, delete_component=return_value_component_delete) \
as (mock_get_components, mock_get_component, mock_create_component, mock_update_component, mock_delete_component):
with self.assertRaises(AnsibleExitJson) as exec_info:
self.module.main()
self.assertEqual(len(mock_get_components.mock_calls), 2)
self.assertEqual(len(mock_get_component.mock_calls), 0)
self.assertEqual(len(mock_create_component.mock_calls), 0)
self.assertEqual(len(mock_update_component.mock_calls), 0)
self.assertEqual(len(mock_delete_component.mock_calls), 1)
# Verify that the module's changed status matches what is expected
self.assertIs(exec_info.exception.args[0]['changed'], changed)
if __name__ == '__main__':
unittest.main()