<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 27/10/15 23:51, Andrzej Goławski
wrote:<br>
</div>
<blockquote
cite="mid:CAA0ckM59zhMcsrdRvC_FcLTU4r_rS+BB=p9_aFYNWZ+yUSpXLA@mail.gmail.com"
type="cite">
<div dir="ltr">Thank you for materials and lots of hints !! :)
<div><br>
</div>
<div>"Thing is that Bill is actually working on adding Groups
support to Keycloak and composite roles are going to be
refactored or removed entirely and replaced by groups"</div>
<div>Is it going to be done in one commit, or maybe there are
some ready-to-use parts in the model?</div>
</div>
</blockquote>
AFAIK 1.7 with the ready to use Groups support should be around end
of November or start of December. So I would rather wait for it,
because if we do something regarding KEYCLOAK-1797 now, it would
likely need to be rewritten later.<br>
<br>
Marek<br>
<blockquote
cite="mid:CAA0ckM59zhMcsrdRvC_FcLTU4r_rS+BB=p9_aFYNWZ+yUSpXLA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>"Is it ok for you to wait for 1.7 release?"</div>
<div>It will have to :)</div>
<div><br>
</div>
<div>
<div style="font-size:13px">Best Regards,</div>
<div style="font-size:13px"> Andrzej</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-10-27 22:11 GMT+01:00 Marek
Posolda <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><span class="">
<div>On 27/10/15 09:41, Andrzej Goławski wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>"For example for federation, you need realm and
user DB and you need to have realm configured with
federation Provider"</div>
<div><br>
</div>
<div>In such cases you can use mocks, stubs and
object factories.</div>
<div><br>
</div>
<div>"There is not much you can test within single
module"</div>
<div><br>
</div>
<div>IMHO there are still a few things which would be
nice to test. Look at the first class in the
module LDAP Config for example. There are a few
comments suggesting refactoring it in the future.
I find refactoring a single class or classes with
heavy integration tests painful and insufficient.
Look at the Spring Framework code. There are plenty of
small unit tests which test only one thing so that
it is really well tested as a whole! I think good
testing is especially important in case of open
source - where everybody adds some code. For
instance me :) For me LDAP is a new topic, but
I would like to add some code to this part ... so
I expect to make a lot of mistakes :D</div>
<div>"Btw. what's your plan for KEYCLOAK-1797"</div>
<div>And now the hardest part :) As I said, I'm new
in this topic (LDAP) so I decided to wrap my head
around it for a while - can you recommend me any
reading materials suitable for beginners?</div>
</div>
</blockquote>
</span> You can start with some generic Java + LDAP
tutorial: <a moz-do-not-send="true"
href="https://docs.oracle.com/javase/tutorial/jndi/ops/index.html"
target="_blank">https://docs.oracle.com/javase/tutorial/jndi/ops/index.html</a><br>
<br>
Then you can take a look at Keycloak Federation and LDAP
documentation and at the code itself. I also suggest
taking a look at Keycloak composite roles.<br>
<br>
Personally I would like to avoid doing "deep" search at
every request, but instead do the deep search just from
time to time and use the keycloak composite roles. Method
<span style="background-color:#e4e4ff">RoleLDAPFederationMapper.syncRolesFromLDAP
is currently checking LDAP and it's syncing roles from
LDAP into Keycloak DB. This method is not called at
every request but just at some moments (For example
during user's sync). This method can be extended to also
do the "deep" search and assign composite roles to
Keycloak based on LDAP memberships. In your example in
JIRA, the role "Group1" will be put as composite role of
"Group1.1" in Keycloak DB. <br>
<br>
Then during normal user search, just the simple search
is performed so just the LDAP role "Group1.1" is
returned from the LDAP search as role of user TestUser.
But Keycloak will treat the user to be member of role
"Group1" as well because this role is composite role of
"Group1.1". So the final result is that Keycloak will
treat "TestUser" to be member of both "Group1" and
"Group1.1".<br>
<br>
Thing is that Bill is actually working on adding Groups
support to Keycloak and composite roles are going to be
refactored or removed entirely and replaced by groups.
So this is not a very good time to introduce this feature
now, but rather wait for 1.7 release once Group support
is in.<br>
<br>
Is it ok for you to wait for 1.7 release?<span
class="HOEnZb"><font color="#888888"><br>
<br>
Marek<br>
</font></span></span>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>"And in your LDAP environment, is it often
that new role is added as member to some other
roles?"</div>
<div><br>
</div>
<div>No .. but it is critical in my company. </div>
<div><br>
</div>
<div>"I wonder if we need to always do "deep"
search in runtime, or if we can instead do it
just at some point and rely on Keycloak
composite roles. If you always need deep search
and do something based on it, it will be good to
have a flag in configuration, which will allow
to disable it (for performance reasons)."</div>
<div><br>
</div>
<div>Thank you for the hint :) I couldn't agree
more. </div>
<div><br>
</div>
<div>
<div style="font-size:13px">Best regards,</div>
<div style="font-size:13px"><br>
</div>
<div style="font-size:13px"> Andrzej</div>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-10-26 14:11
GMT+01:00 Marek Posolda <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>We prefer integration tests as you
usually need more things to have
available. For example for federation, you
need realm and user DB and you need to
have realm configured with
federationProvider. There is not much you
can test within single module, so we have
just very simple tests in individual
modules (like LDAPDnTest or
PasswordPolicyTest), but most of the stuff
is tested in testsuite. For KEYCLOAK-1797
I prefer to take a look at <span
style="background-color:#e4e4ff">LDAPRoleMappingsTest
and possibly add new test methods here.<br>
<br>
Btw. what's your plan for KEYCLOAK-1797?
And in your LDAP environment, is it
often that new role is added as member
to some other roles? I wonder if we need
to always do "deep" search in runtime,
or if we can instead do it just at some
point and rely on Keycloak composite
roles. If you always need deep search
and do something based on it, it will be
good to have a flag in configuration,
which will allow to disable it (for
performance reasons).<span><font
color="#888888"><br>
<br>
Marek<br>
<br>
</font></span></span>
<div>
<div>On 26/10/15 08:55, Andrzej Goławski
wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi Marek,</div>
<div><br>
</div>
<div>Thanks for reply!</div>
<div>I saw those tests, but
personally I prefer unit tests
over integrated tests :)</div>
<div>I really recommend this: <a
moz-do-not-send="true"
href="https://vimeo.com/80533536"
target="_blank">https://vimeo.com/80533536</a></div>
<div><br>
</div>
<div>Best Regards,</div>
<div> Andrzej</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-10-26
8:41 GMT+01:00 Marek Posolda <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:mposolda@redhat.com"
target="_blank">mposolda@redhat.com</a>&gt;</span>:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF">
<div>Hi,<br>
most of the tests are in the
testsuite/integration or
testsuite/integration-arquillian,
not in the modules themselves.
For the federation and ldap,
you can take a look
especially at package
org.keycloak.testsuite.federation.<br>
<br>
Marek <br>
<div>
<div> <br>
On 25/10/15 21:51,
Andrzej Goławski wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">
<div>Hi everyone!</div>
<div><br>
</div>
<div>I decided to
implement
KEYCLOAK-1797 and
started to look at
the code
(federation/ldap). I
noticed lack of unit
tests without which
refactoring may be
very error prone. I
like writing tests so
I can write tests
for that part. What
do you think
about it?</div>
<div><br>
</div>
<div>
<div>Best Regards,</div>
<div> Andrzej</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
</div>
<pre>_______________________________________________
keycloak-dev mailing list
<a moz-do-not-send="true" href="mailto:keycloak-dev@lists.jboss.org" target="_blank">keycloak-dev@lists.jboss.org</a>
<a moz-do-not-send="true" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
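The sync-time approach described in the quoted 27/10 reply, as an added Java example that is not part of the thread and is not Keycloak code: the deep search runs only during a periodic sync and is stored as composite-role edges, so a request needs just the simple LDAP search. The class, method and map names are hypothetical, the in-memory maps stand in for LDAP and the Keycloak DB, and the "Admins" group and the membership cycle are constructed for illustration.

```java
import java.util.*;

public class CompositeRoleSyncExample {
    // Constructed directory data: group -> groups that list it as a member.
    // "Group1.1" inside "Group1" is the thread's example; "Admins" and the
    // cycle back to "Group1.1" are made up to exercise the visited check.
    static final Map<String, List<String>> LDAP_MEMBER_OF = Map.of(
            "Group1.1", List.of("Group1"),
            "Group1", List.of("Admins"),
            "Admins", List.of("Group1.1"));
    static final Map<String, List<String>> LDAP_USER_GROUPS =
            Map.of("TestUser", List.of("Group1.1"));

    static int ldapQueries = 0; // counts simulated round trips to LDAP

    static List<String> ldapLookup(Map<String, List<String>> table, String key) {
        ldapQueries++;
        return table.getOrDefault(key, List.of());
    }

    // Periodic sync: the "deep" search, stored as composite edges (role -> roles it implies).
    static Map<String, Set<String>> syncComposites(Collection<String> roles) {
        Map<String, Set<String>> composites = new HashMap<>();
        Deque<String> todo = new ArrayDeque<>(roles);
        while (!todo.isEmpty()) {
            String role = todo.pop();
            if (composites.containsKey(role)) continue; // already walked: breaks cycles
            Set<String> parents = new TreeSet<>(ldapLookup(LDAP_MEMBER_OF, role));
            composites.put(role, parents);
            todo.addAll(parents);
        }
        return composites;
    }

    // Per request: one simple LDAP search, then expansion from the local store only.
    static Set<String> effectiveRoles(String user, Map<String, Set<String>> composites) {
        Set<String> seen = new TreeSet<>();
        Deque<String> todo = new ArrayDeque<>(ldapLookup(LDAP_USER_GROUPS, user));
        while (!todo.isEmpty()) {
            String role = todo.pop();
            if (seen.add(role)) todo.addAll(composites.getOrDefault(role, Set.of()));
        }
        return seen;
    }

    public static void main(String[] args) {
        Map<String, Set<String>> composites = syncComposites(List.of("Group1.1"));
        System.out.println("LDAP queries during sync: " + ldapQueries);
        ldapQueries = 0;
        System.out.println("Effective roles: " + effectiveRoles("TestUser", composites));
        System.out.println("LDAP queries for the request: " + ldapQueries);
    }
}
```

With this design a nested membership removed in LDAP stays effective until the next sync rewrites the composite edges, so the sync interval bounds how long a revoked role can linger.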
</body>
</html>