<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 27/10/15 09:41, Andrzej Goławski
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAA0ckM5FaUMgwBggK84yJXTLwWffn3jJXA8Wz+5Rk5LbY7ENbg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>"For example for federation, you need realm and user DB and
          you need to have realm configured with federation Provider"</div>
        <div><br>
        </div>
        <div>In such cases you can use mocks, stubs and object
          factories.</div>
        <div><br>
        </div>
        <div>"There is not much you can test within single module"</div>
        <div><br>
        </div>
        <div>IMHO there are still a few things which would be nice to
          test. Look at the first class in the module, LDAP Config, for
          example. There are a few comments suggesting refactoring it in
          the future. I find refactoring a single class or classes with
          heavy integration tests painful and insufficient. Look at
          the Spring Framework code. There are plenty of small unit tests
          which test only one thing, so that it is really well tested as
          a whole! I think good testing is especially important in the case
          of open source, where everybody adds some code. For instance
          me :) For me LDAP is a new topic, but I would like to add
          some code to this part ... so I expect to make a lot of
          mistakes :D</div>
        <div>"Btw. what's your plan for KEYCLOAK-1797"</div>
        <div>And now the hardest part :) As I said, I'm new to this
          topic (LDAP) so I decided to wrap my head around it for a
          while - can you recommend any reading materials suitable
          for beginners?</div>
      </div>
    </blockquote>
    You can start with some generic Java + LDAP tutorial:
    <a class="moz-txt-link-freetext" href="https://docs.oracle.com/javase/tutorial/jndi/ops/index.html">https://docs.oracle.com/javase/tutorial/jndi/ops/index.html</a><br>
    <br>
    Then you can take a look at the Keycloak Federation and LDAP
    documentation and at the code itself. I also suggest taking a
    look at Keycloak composite roles.<br>
    <br>
    Personally I would like to avoid doing "deep" search at every
    request, but instead do the deep search just from time to time and
    use the keycloak composite roles. Method <span
      style="background-color:#e4e4ff;">RoleLDAPFederationMapper.syncRolesFromLDAP
      is currently checking LDAP and it's syncing roles from LDAP into
      Keycloak DB. This method is not called at every request but just
      at some moments (For example during user's sync). This method can
      be extended to also do the "deep" search and assign composite
      roles to Keycloak based on LDAP memberships. In your example in
      JIRA, the role "Group1" will be put as composite role of "Group1.1"
      in Keycloak DB. <br>
      <br>
      Then during normal user search, just the simple search is
      performed, so just the LDAP role "Group1.1" is returned from the
      LDAP search as the role of user TestUser. But Keycloak will treat the
      user as a member of role "Group1" as well, because this role is
      a composite role of "Group1.1". So the final result is that
      Keycloak will treat "TestUser" as a member of both "Group1" and
      "Group1.1".<br>
      <br>
      The thing is that Bill is actually working on adding Groups support to
      Keycloak, and composite roles are going to be refactored or removed
      entirely and replaced by groups. So this is not a very good time to
      introduce this feature; it is better to wait for the 1.7 release, once
      Group support is in.<br>
      <br>
      Is it ok for you to wait for 1.7 release?<br>
      <br>
      Marek<br>
    </span>
    <blockquote
cite="mid:CAA0ckM5FaUMgwBggK84yJXTLwWffn3jJXA8Wz+5Rk5LbY7ENbg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>"And in your LDAP environment, is it often that new role is
          added as member to some other roles?"</div>
        <div><br>
        </div>
        <div>No .. but it is critical in my company. </div>
        <div><br>
        </div>
        <div>"I wonder if we need to always do "deep" search in runtime,
          or if we can instead do it just at some point and rely on
          Keycloak composite roles . If you always need deep search and
          do something based on it, it will be good to have a flag in
          configuration, which will allow to disable it (for performance
          reasons)."</div>
        <div><br>
        </div>
        <div>Thank you for the hint :) I couldn't agree more. </div>
        <div><br>
        </div>
        <div>
          <div style="font-size:13px">Best regards,</div>
          <div style="font-size:13px"><br>
          </div>
          <div style="font-size:13px"> Andrzej</div>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">2015-10-26 14:11 GMT+01:00 Marek
          Posolda <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <div>We prefer integration tests as you usually need more
                things to have available. For example for federation,
                you need realm and user DB and you need to have realm
                configured with federationProvider. There is not much
                you can test within single module, so we have just very
                simple tests in individual modules (like LDAPDnTest or
                PasswordPolicyTest), but most of the stuff is tested in
                testsuite. For KEYCLOAK-1797 I prefer to take a look at
                <span style="background-color:#e4e4ff">LDAPRoleMappingsTest

                  and possibly add new test methods here.<br>
                  <br>
                  Btw. what's your plan for KEYCLOAK-1797? And in your
                  LDAP environment, is it often that new role is added
                  as member to some other roles? I wonder if we need to
                  always do "deep" search in runtime, or if we can
                  instead do it just at some point and rely on Keycloak
                  composite roles . If you always need deep search and
                  do something based on it, it will be good to have a
                  flag in configuration, which will allow to disable it
                  (for performance reasons).<span class="HOEnZb"><font
                      color="#888888"><br>
                      <br>
                      Marek<br>
                      <br>
                    </font></span></span>
                <div>
                  <div class="h5">On 26/10/15 08:55, Andrzej Goławski
                    wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div class="h5">
                  <blockquote type="cite">
                    <div dir="ltr">
                      <div>Hi Marek,</div>
                      <div><br>
                      </div>
                      <div>Thanks for reply!</div>
                      <div>I saw those tests, but personally I prefer
                        unit tests over integrated tests :)</div>
                      <div>I really recommend this: <a
                          moz-do-not-send="true"
                          href="https://vimeo.com/80533536"
                          target="_blank">https://vimeo.com/80533536</a></div>
                      <div><br>
                      </div>
                      <div>Best Regards,</div>
                      <div> Andrzej</div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">2015-10-26 8:41 GMT+01:00
                        Marek Posolda <span dir="ltr">&lt;<a
                            moz-do-not-send="true"
                            href="mailto:mposolda@redhat.com"
                            target="_blank">mposolda@redhat.com</a>&gt;</span>:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div text="#000000" bgcolor="#FFFFFF">
                            <div>Hi,<br>
                              <br>
                              most of the tests are in the
                              testsuite/integration or
                              testsuite/integration-arquillian, not in
                              the modules itself. For the federation and
                              ldap, you can take a look especially to
                              package org.keycloak.testsuite.federation
                              .<br>
                              <br>
                              Marek <br>
                              <div>
                                <div> <br>
                                  On 25/10/15 21:51, Andrzej Goławski
                                  wrote:<br>
                                </div>
                              </div>
                            </div>
                            <blockquote type="cite">
                              <div>
                                <div>
                                  <div dir="ltr">
                                    <div>Hi everyone!</div>
                                    <div><br>
                                    </div>
                                    <div>I decided to implement
                                      KEYCLOAK-1797 and started to look
                                      at the code (federation/ldap). I
                                      noticed a lack of unit tests, without
                                      which refactoring may be very
                                      error prone. I like writing tests,
                                      so I can write tests for that
                                      part. What do you think about
                                      it?</div>
                                    <div><br>
                                    </div>
                                    <div>
                                      <div>Best Regards,</div>
                                      <div> Andrzej</div>
                                    </div>
                                  </div>
                                  <br>
                                  <br>
                                </div>
                              </div>
                              <pre>_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
                            </blockquote>
                            <br>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
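    The sync-time approach described in the reply at the top of this message, as an added Java example that is not part of the original thread and is not Keycloak code. Plain maps stand in for the LDAP directory and the Keycloak DB; the class and method names (CompositeRoleSyncExample, syncComposites, effectiveRoles) are hypothetical, and the sample directory is constructed from the "Group1" / "Group1.1" / "TestUser" case named in the thread.<br>

```java
import java.util.*;

// Added illustration: plain collections stand in for LDAP and the Keycloak DB.
public class CompositeRoleSyncExample {

    // Sync-time step (the occasional "deep" pass): for every LDAP group entry,
    // each member that is itself a group gets the parent recorded as its composite.
    static Map<String, Set<String>> syncComposites(Map<String, Set<String>> ldapGroupMembers) {
        Map<String, Set<String>> composites = new HashMap<>();
        for (Map.Entry<String, Set<String>> group : ldapGroupMembers.entrySet()) {
            for (String member : group.getValue()) {
                if (ldapGroupMembers.containsKey(member)) { // member is a group, not a user
                    composites.computeIfAbsent(member, k -> new TreeSet<>()).add(group.getKey());
                }
            }
        }
        return composites;
    }

    // Request-time step: the simple search returns only direct roles; composites
    // are expanded locally. Re-adding a seen role is a no-op, so cyclic nesting
    // in the directory still terminates.
    static Set<String> effectiveRoles(Set<String> directRoles, Map<String, Set<String>> composites) {
        Set<String> effective = new TreeSet<>();
        Deque<String> pending = new ArrayDeque<>(directRoles);
        while (!pending.isEmpty()) {
            String role = pending.pop();
            if (effective.add(role)) {
                pending.addAll(composites.getOrDefault(role, Collections.emptySet()));
            }
        }
        return effective;
    }

    public static void main(String[] args) {
        // Constructed sample directory: group -> members (users or groups).
        Map<String, Set<String>> ldap = new HashMap<>();
        ldap.put("Group1", new HashSet<>(Arrays.asList("Group1.1")));
        ldap.put("Group1.1", new HashSet<>(Arrays.asList("TestUser")));

        Map<String, Set<String>> composites = syncComposites(ldap);
        // Simple search for TestUser returns only the direct role "Group1.1".
        Set<String> roles = effectiveRoles(Collections.singleton("Group1.1"), composites);
        System.out.println("composites = " + composites);
        System.out.println("effective roles of TestUser = " + roles);
    }
}
```

    Because composites are written only during the sync pass, a nesting change in LDAP (including removing a group from its parent) reaches the effective role set only after the next sync.<br>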
  </body>
</html>