<div dir="ltr">Thank you for materials and lots of hints !! :)<div><br></div><div>"Thing is that Bill is actually working on adding Groups support to Keycloak and composite roles are going to be refactored or removed entirely and replaced by groups"</div><div>Does it gonna be done with one commit, or maybe there are some ready to use parts in the model?</div><div><br></div><div>"Is it ok for you to wait for 1.7 release?"</div><div>It will have to :)</div><div><br></div><div><div style="font-size:13px">Best Regards,</div><div style="font-size:13px"> Andrzej</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-10-27 22:11 GMT+01:00 Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div>On 27/10/15 09:41, Andrzej Goławski
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>"For example for federation, you need realm and user DB and
you need to have realm configured with federation Provider"</div>
<div><br>
</div>
<div>In such cases you can use mocks, stubs and object
factories.</div>
<div><br>
</div>
<div>"There is not much you can test within single module"</div>
<div><br>
</div>
<div>IMHO there are still few things which would be nice to
test. Look at the first class in the module LDAP Config for
example. There are few comments suggesting refactoring it in
the feature. I find refactoring single class or classes with
heavy integration test painful and insufficient. Look at
spring framework code. There are plenty of small unit tests
which test only one thing so that it is really well tested as
a whole! I think good testing is especially important in case
of open source - where everybody adds some code. For instance
me :) For me LDAP it is a new topic, but I would like to add
some code to this part ... so I expect to make o a lot of
mistakes :D</div>
<div>"Btv. what's your plan for KEYCLOAK-1797"</div>
<div>And now the hardest part :) As I said, I'm new in this
topic (LDAP) so I decided to wrap my head around it for a
while - can you reccommend me any reading materials suitable
for beginners?</div>
</div>
</blockquote></span>
You can start with some generic Java + LDAP tutorial:
<a href="https://docs.oracle.com/javase/tutorial/jndi/ops/index.html" target="_blank">https://docs.oracle.com/javase/tutorial/jndi/ops/index.html</a><br>
<br>
Then you can take a look at Keycloak Federation and LDAP
documentation and to the code itself. And also I suggest to take a
look at Keycloak composite roles.<br>
<br>
Personally I would like to avoid doing "deep" search at every
request, but instead do the deep search just from time to time and
use the keycloak composite roles. Method <span style="background-color:#e4e4ff">RoleLDAPFederationMapper.syncRolesFromLDAP
is currently checking LDAP and it's syncing roles from LDAP into
Keycloak DB. This method is not called at every request but just
at some moments (For example during user's sync). This method can
be extended to also do the "deep" search and assign composite
roles to Keycloak based on LDAP memberships. In your example in
JIRA, the role "Group1" wil be put as composite role of "Group1.1"
in Keycloak DB. <br>
<br>
Then during normal user search, just the simple search is
performed so just the LDAP role "Group1.1" is returned from the
LDAP search as role of user TestUser. But Keycloak will treat the
user to be member of role "Group1" as well because this role is
composite role of "Group1.1" . So the final result is, that
keycloak will treat "TestUser" to be member of both "Group1" and
"Group1.1" .<br>
<br>
Thing is that Bill is actually working on adding Groups support to
Keycloak and composite roles are going to be refactored or removed
entirely and replaced by groups. So there is not very good time to
introduce this feature now, but rather wait for 1.7 release once
Group support is in.<br>
<br>
Is it ok for you to wait for 1.7 release?<span class="HOEnZb"><font color="#888888"><br>
<br>
Marek<br>
</font></span></span><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>"And in your LDAP environment, is it often that new role is
added as member to some other roles?"</div>
<div><br>
</div>
<div>No .. but it is critical in my company. </div>
<div><br>
</div>
<div>"I wonder if we need to always do "deep" search in runtime,
or if we can instead do it just at some point and rely on
Keycloak composite roles . If you always need deep search and
do something based on it, it will be good to have a flag in
configuration, which will allow to disable it (for performance
reasons)."</div>
<div><br>
</div>
<div>Thank you for the hint :) I couldn't agree more. </div>
<div><br>
</div>
<div>
<div style="font-size:13px">Best regards,</div>
<div style="font-size:13px"><br>
</div>
<div style="font-size:13px"> Andrzej</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-10-26 14:11 GMT+01:00 Marek
Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>We prefer integration tests as you usually need more
things to have available. For example for federation,
you need realm and user DB and you need to have realm
configured with federationProvider. There is not much
you can test within single module, so we have just very
simple tests in individual modules (like LDAPDnTest or
PasswordPolicyTest), but most of the stuff is tested in
testsuite. For KEYCLOAK-1797 I prefer to take a look at
<span style="background-color:#e4e4ff">LDAPRoleMappingsTest
and possibly add new test methods here.<br>
<br>
Btv. what's your plan for KEYCLOAK-1797 ? And in your
LDAP environment, is it often that new role is added
as member to some other roles? I wonder if we need to
always do "deep" search in runtime, or if we can
instead do it just at some point and rely on Keycloak
composite roles . If you always need deep search and
do something based on it, it will be good to have a
flag in configuration, which will allow to disable it
(for performance reasons).<span><font color="#888888"><br>
<br>
Marek<br>
<br>
</font></span></span>
<div>
<div>On 26/10/15 08:55, Andrzej Goławski
wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi Marek,</div>
<div><br>
</div>
<div>Thanks for reply!</div>
<div>I saw those test, but personally I prefer
unit tests over integrated tests:)</div>
<div>I really recommend this: <a href="https://vimeo.com/80533536" target="_blank"></a><a href="https://vimeo.com/80533536" target="_blank">https://vimeo.com/80533536</a></div>
<div><br>
</div>
<div>Best Regards,</div>
<div> Andrzej</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-10-26 8:41 GMT+01:00
Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank"></a><a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi,<br>
<br>
most of the tests are in the
testsuite/integration or
testsuite/integration-arquillian, not in
the modules itself. For the federation and
ldap, you can take a look especially to
package org.keycloak.testsuite.federation
.<br>
<br>
Marek <br>
<div>
<div> <br>
On 25/10/15 21:51, Andrzej Goławski
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>Hi everyone!</div>
<div><br>
</div>
<div>I decided to implement
KEYCLOAK-1797 and started to look
at the code (federation/ldap). I
noticed lack of unit tests without
which refactoring may be very
error prone. I like writing test
so I can write tests for that
part. What are you thinking about
it??</div>
<div><br>
</div>
<div>
<div>Best Regards,</div>
<div> Andrzej</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-dev mailing list
<a href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br></div>