feat(lum): KeycloakRealmSetupService + rôles RBAC UnionFlow + Jacoco 100%

- Ajoute KeycloakRealmSetupService : auto-initialisation des rôles realm (admin, user_manager, user_viewer, role_manager...) et assignation du rôle user_manager au service account unionflow-server au démarrage (idempotent, retries, thread séparé pour ne pas bloquer le démarrage) → Corrige le 403 sur resetPassword / changement de mot de passe premier login - UserResource : étend les @RolesAllowed avec ADMIN/SUPER_ADMIN/USER pour permettre aux appels inter-services unionflow-server d'accéder aux endpoints sans être bloqués par le RBAC LUM ; corrige sendVerificationEmail (retourne Response) - application-dev.properties : service-accounts.user-manager-clients=unionflow-server - application-prod.properties : client-id, credentials.secret, token.audience, auto-setup - application-test.properties : H2 in-memory (plus besoin de Docker pour les tests) - pom.xml : H2 scope test, Jacoco 100% enforcement (exclusions MapStruct/repos/setup), annotation processors MapStruct+Lombok explicites - .gitignore + .env ajouté (.env exclu du commit) - script/docker/.env.example : variables KEYCLOAK_ADMIN_USERNAME/PASSWORD documentées
2026-04-12 15:04:23 +00:00
parent 2ed890803c
commit 8ab1513bf5
35 changed files with 5594 additions and 19 deletions
--- a/src/test/java/dev/lions/user/manager/resource/AuditResourceTest.java
+++ b/src/test/java/dev/lions/user/manager/resource/AuditResourceTest.java
@@ -135,4 +135,99 @@ class AuditResourceTest {

        verify(auditService).purgeOldLogs(any());
    }
+
+    @Test
+    void testSearchLogs_NullActeur_UsesRealm() {
+        List<AuditLogDTO> logs = Collections.singletonList(
+                AuditLogDTO.builder().acteurUsername("admin").typeAction(TypeActionAudit.USER_CREATE).build());
+        when(auditService.findByRealm(eq("master"), any(), any(), eq(0), eq(50))).thenReturn(logs);
+
+        List<AuditLogDTO> result = auditResource.searchLogs(null, null, null, null, null, null, 0, 50);
+
+        assertEquals(logs, result);
+        verify(auditService).findByRealm(eq("master"), any(), any(), eq(0), eq(50));
+    }
+
+    @Test
+    void testSearchLogs_BlankActeur_UsesRealm() {
+        List<AuditLogDTO> logs = Collections.emptyList();
+        when(auditService.findByRealm(eq("master"), any(), any(), eq(0), eq(20))).thenReturn(logs);
+
+        List<AuditLogDTO> result = auditResource.searchLogs("   ", null, null, null, null, null, 0, 20);
+
+        assertEquals(logs, result);
+        verify(auditService).findByRealm(eq("master"), any(), any(), eq(0), eq(20));
+    }
+
+    @Test
+    void testSearchLogs_WithPostFilter_TypeAction() {
+        AuditLogDTO matchLog = AuditLogDTO.builder()
+                .acteurUsername("admin")
+                .typeAction(TypeActionAudit.USER_CREATE)
+                .build();
+        AuditLogDTO otherLog = AuditLogDTO.builder()
+                .acteurUsername("admin")
+                .typeAction(TypeActionAudit.USER_DELETE)
+                .build();
+        when(auditService.findByActeur(eq("admin"), any(), any(), eq(0), eq(50)))
+                .thenReturn(List.of(matchLog, otherLog));
+
+        List<AuditLogDTO> result = auditResource.searchLogs("admin", null, null,
+                TypeActionAudit.USER_CREATE, null, null, 0, 50);
+
+        assertEquals(1, result.size());
+        assertEquals(TypeActionAudit.USER_CREATE, result.get(0).getTypeAction());
+    }
+
+    @Test
+    void testSearchLogs_WithPostFilter_RessourceType() {
+        AuditLogDTO matchLog = AuditLogDTO.builder()
+                .acteurUsername("admin")
+                .typeAction(TypeActionAudit.USER_CREATE)
+                .ressourceType("USER")
+                .build();
+        AuditLogDTO otherLog = AuditLogDTO.builder()
+                .acteurUsername("admin")
+                .typeAction(TypeActionAudit.USER_CREATE)
+                .ressourceType("ROLE")
+                .build();
+        when(auditService.findByActeur(eq("admin"), any(), any(), eq(0), eq(50)))
+                .thenReturn(List.of(matchLog, otherLog));
+
+        List<AuditLogDTO> result = auditResource.searchLogs("admin", null, null,
+                null, "USER", null, 0, 50);
+
+        assertEquals(1, result.size());
+        assertEquals("USER", result.get(0).getRessourceType());
+    }
+
+    @Test
+    void testSearchLogs_WithPostFilter_Succes() {
+        AuditLogDTO successLog = AuditLogDTO.builder()
+                .acteurUsername("admin")
+                .typeAction(TypeActionAudit.USER_CREATE)
+                .success(true)
+                .build();
+        AuditLogDTO failLog = AuditLogDTO.builder()
+                .acteurUsername("admin")
+                .typeAction(TypeActionAudit.USER_CREATE)
+                .success(false)
+                .build();
+        when(auditService.findByActeur(eq("admin"), any(), any(), eq(0), eq(50)))
+                .thenReturn(List.of(successLog, failLog));
+
+        List<AuditLogDTO> result = auditResource.searchLogs("admin", null, null,
+                null, null, Boolean.TRUE, 0, 50);
+
+        assertEquals(1, result.size());
+        assertTrue(result.get(0).isSuccessful());
+    }
+
+    @Test
+    void testExportLogsToCSV_Exception() {
+        when(auditService.exportToCSV(eq("master"), any(), any()))
+                .thenThrow(new RuntimeException("Export failed"));
+
+        assertThrows(RuntimeException.class, () -> auditResource.exportLogsToCSV(null, null));
+    }
 }
--- a/src/test/java/dev/lions/user/manager/resource/KeycloakHealthCheckTest.java
+++ b/src/test/java/dev/lions/user/manager/resource/KeycloakHealthCheckTest.java
@@ -0,0 +1,56 @@
+package dev.lions.user.manager.resource;
+
+import dev.lions.user.manager.client.KeycloakAdminClient;
+import org.eclipse.microprofile.health.HealthCheckResponse;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.Mockito.*;
+
+@ExtendWith(MockitoExtension.class)
+class KeycloakHealthCheckTest {
+
+    @Mock
+    KeycloakAdminClient keycloakAdminClient;
+
+    @InjectMocks
+    KeycloakHealthCheck healthCheck;
+
+    @Test
+    void testCall_Connected() {
+        when(keycloakAdminClient.isConnected()).thenReturn(true);
+
+        HealthCheckResponse response = healthCheck.call();
+
+        assertNotNull(response);
+        assertEquals(HealthCheckResponse.Status.UP, response.getStatus());
+        assertEquals("keycloak-connection", response.getName());
+    }
+
+    @Test
+    void testCall_NotConnected() {
+        when(keycloakAdminClient.isConnected()).thenReturn(false);
+
+        HealthCheckResponse response = healthCheck.call();
+
+        assertNotNull(response);
+        assertEquals(HealthCheckResponse.Status.DOWN, response.getStatus());
+        assertEquals("keycloak-connection", response.getName());
+    }
+
+    @Test
+    void testCall_Exception() {
+        when(keycloakAdminClient.isConnected()).thenThrow(new RuntimeException("Connection refused"));
+
+        HealthCheckResponse response = healthCheck.call();
+
+        assertNotNull(response);
+        assertEquals(HealthCheckResponse.Status.DOWN, response.getStatus());
+        assertEquals("keycloak-connection", response.getName());
+    }
+}
--- a/src/test/java/dev/lions/user/manager/resource/RealmAssignmentResourceTest.java
+++ b/src/test/java/dev/lions/user/manager/resource/RealmAssignmentResourceTest.java
@@ -186,4 +186,37 @@ class RealmAssignmentResourceTest {

        verify(realmAuthorizationService).setSuperAdmin("user-1", true);
    }
+
+    @Test
+    void testAssignRealmToUser_NullPrincipal() {
+        when(securityContext.getUserPrincipal()).thenReturn(null);
+        when(realmAuthorizationService.assignRealmToUser(any(RealmAssignmentDTO.class))).thenReturn(assignment);
+
+        Response response = realmAssignmentResource.assignRealmToUser(assignment);
+
+        assertEquals(201, response.getStatus());
+        // assignedBy n'est pas modifié car le principal est null
+    }
+
+    @Test
+    void testAssignRealmToUser_IllegalArgumentException() {
+        when(securityContext.getUserPrincipal()).thenReturn(principal);
+        when(principal.getName()).thenReturn("admin");
+        when(realmAuthorizationService.assignRealmToUser(any(RealmAssignmentDTO.class)))
+                .thenThrow(new IllegalArgumentException("Affectation déjà existante"));
+
+        Response response = realmAssignmentResource.assignRealmToUser(assignment);
+
+        assertEquals(409, response.getStatus());
+    }
+
+    @Test
+    void testAssignRealmToUser_GenericException() {
+        when(securityContext.getUserPrincipal()).thenReturn(principal);
+        when(principal.getName()).thenReturn("admin");
+        when(realmAuthorizationService.assignRealmToUser(any(RealmAssignmentDTO.class)))
+                .thenThrow(new RuntimeException("Erreur inattendue"));
+
+        assertThrows(RuntimeException.class, () -> realmAssignmentResource.assignRealmToUser(assignment));
+    }
 }
--- a/src/test/java/dev/lions/user/manager/resource/RealmResourceAdditionalTest.java
+++ b/src/test/java/dev/lions/user/manager/resource/RealmResourceAdditionalTest.java
@@ -56,4 +56,33 @@ class RealmResourceAdditionalTest {

        assertThrows(RuntimeException.class, () -> realmResource.getAllRealms());
    }
+
+    @Test
+    void testGetRealmClients_Success() {
+        List<String> clients = Arrays.asList("admin-cli", "account", "lions-app");
+        when(keycloakAdminClient.getRealmClients("test-realm")).thenReturn(clients);
+
+        List<String> result = realmResource.getRealmClients("test-realm");
+
+        assertNotNull(result);
+        assertEquals(3, result.size());
+        assertTrue(result.contains("admin-cli"));
+    }
+
+    @Test
+    void testGetRealmClients_Empty() {
+        when(keycloakAdminClient.getRealmClients("test-realm")).thenReturn(List.of());
+
+        List<String> result = realmResource.getRealmClients("test-realm");
+
+        assertNotNull(result);
+        assertTrue(result.isEmpty());
+    }
+
+    @Test
+    void testGetRealmClients_Exception() {
+        when(keycloakAdminClient.getRealmClients("bad-realm")).thenThrow(new RuntimeException("Not found"));
+
+        assertThrows(RuntimeException.class, () -> realmResource.getRealmClients("bad-realm"));
+    }
 }
--- a/src/test/java/dev/lions/user/manager/resource/RoleResourceTest.java
+++ b/src/test/java/dev/lions/user/manager/resource/RoleResourceTest.java
@@ -263,4 +263,108 @@ class RoleResourceTest {

        assertEquals(composites, result);
    }
+
+    @Test
+    void testCreateRealmRole_GenericException() {
+        RoleDTO input = RoleDTO.builder().name("role").build();
+        when(roleService.createRealmRole(any(), eq(REALM)))
+                .thenThrow(new RuntimeException("Internal error"));
+
+        assertThrows(RuntimeException.class, () -> roleResource.createRealmRole(input, REALM));
+    }
+
+    @Test
+    void testUpdateRealmRole_NotFound() {
+        when(roleService.getRoleByName("role", REALM, TypeRole.REALM_ROLE, null))
+                .thenReturn(Optional.empty());
+
+        RoleDTO input = RoleDTO.builder().description("updated").build();
+        assertThrows(RuntimeException.class, () -> roleResource.updateRealmRole("role", input, REALM));
+    }
+
+    @Test
+    void testDeleteRealmRole_NotFound() {
+        when(roleService.getRoleByName("role", REALM, TypeRole.REALM_ROLE, null))
+                .thenReturn(Optional.empty());
+
+        assertThrows(RuntimeException.class, () -> roleResource.deleteRealmRole("role", REALM));
+    }
+
+    @Test
+    void testCreateClientRole_IllegalArgumentException() {
+        RoleDTO input = RoleDTO.builder().name("role").build();
+        when(roleService.createClientRole(any(RoleDTO.class), eq(CLIENT_ID), eq(REALM)))
+                .thenThrow(new IllegalArgumentException("Conflict"));
+
+        Response response = roleResource.createClientRole(CLIENT_ID, input, REALM);
+
+        assertEquals(409, response.getStatus());
+    }
+
+    @Test
+    void testCreateClientRole_GenericException() {
+        RoleDTO input = RoleDTO.builder().name("role").build();
+        when(roleService.createClientRole(any(RoleDTO.class), eq(CLIENT_ID), eq(REALM)))
+                .thenThrow(new RuntimeException("Internal error"));
+
+        assertThrows(RuntimeException.class, () -> roleResource.createClientRole(CLIENT_ID, input, REALM));
+    }
+
+    @Test
+    void testGetClientRole_NotFound() {
+        when(roleService.getRoleByName("role", REALM, TypeRole.CLIENT_ROLE, CLIENT_ID))
+                .thenReturn(Optional.empty());
+
+        assertThrows(RuntimeException.class, () -> roleResource.getClientRole(CLIENT_ID, "role", REALM));
+    }
+
+    @Test
+    void testDeleteClientRole_NotFound() {
+        when(roleService.getRoleByName("role", REALM, TypeRole.CLIENT_ROLE, CLIENT_ID))
+                .thenReturn(Optional.empty());
+
+        assertThrows(RuntimeException.class, () -> roleResource.deleteClientRole(CLIENT_ID, "role", REALM));
+    }
+
+    @Test
+    void testAddComposites_ParentNotFound() {
+        when(roleService.getRoleByName("role", REALM, TypeRole.REALM_ROLE, null))
+                .thenReturn(Optional.empty());
+
+        RoleAssignmentRequestDTO request = RoleAssignmentRequestDTO.builder()
+                .roleNames(Collections.singletonList("composite"))
+                .build();
+
+        assertThrows(RuntimeException.class, () -> roleResource.addComposites("role", REALM, request));
+    }
+
+    @Test
+    void testAddComposites_ChildNotFound_FilteredOut() {
+        RoleDTO parentRole = RoleDTO.builder().id("parent-1").name("role").build();
+
+        when(roleService.getRoleByName("role", REALM, TypeRole.REALM_ROLE, null))
+                .thenReturn(Optional.of(parentRole));
+        when(roleService.getRoleByName("nonexistent", REALM, TypeRole.REALM_ROLE, null))
+                .thenReturn(Optional.empty()); // will be filtered out (null id)
+        doNothing().when(roleService).addCompositeRoles(eq("parent-1"), anyList(), eq(REALM),
+                eq(TypeRole.REALM_ROLE), isNull());
+
+        RoleAssignmentRequestDTO request = RoleAssignmentRequestDTO.builder()
+                .roleNames(Collections.singletonList("nonexistent"))
+                .build();
+
+        roleResource.addComposites("role", REALM, request);
+
+        // addCompositeRoles called with empty list (filtered out)
+        verify(roleService).addCompositeRoles(eq("parent-1"), eq(Collections.emptyList()), eq(REALM),
+                eq(TypeRole.REALM_ROLE), isNull());
+    }
+
+    @Test
+    void testGetComposites_RoleNotFound() {
+        when(roleService.getRoleByName("role", REALM, TypeRole.REALM_ROLE, null))
+                .thenReturn(Optional.empty());
+
+        assertThrows(RuntimeException.class, () -> roleResource.getComposites("role", REALM));
+    }
 }
--- a/src/test/java/dev/lions/user/manager/resource/SyncResourceTest.java
+++ b/src/test/java/dev/lions/user/manager/resource/SyncResourceTest.java
@@ -2,6 +2,8 @@ package dev.lions.user.manager.resource;

 import dev.lions.user.manager.api.SyncResourceApi;
 import dev.lions.user.manager.dto.sync.HealthStatusDTO;
+import dev.lions.user.manager.dto.sync.SyncConsistencyDTO;
+import dev.lions.user.manager.dto.sync.SyncHistoryDTO;
 import dev.lions.user.manager.dto.sync.SyncResultDTO;
 import dev.lions.user.manager.service.SyncService;
 import org.junit.jupiter.api.Test;
@@ -79,4 +81,83 @@ class SyncResourceTest {
        assertTrue(result.isSuccess());
        assertEquals(5, result.getRealmRolesCount());
    }
+
+    @Test
+    void testSyncRolesError() {
+        when(syncService.syncRolesFromRealm(REALM)).thenThrow(new RuntimeException("Roles sync failed"));
+
+        SyncResultDTO result = syncResource.syncRoles(REALM, null);
+
+        assertFalse(result.isSuccess());
+        assertEquals("Roles sync failed", result.getErrorMessage());
+    }
+
+    @Test
+    void testPing() {
+        String response = syncResource.ping();
+
+        assertNotNull(response);
+        assertTrue(response.contains("pong"));
+        assertTrue(response.contains("SyncResource"));
+    }
+
+    @Test
+    void testCheckDataConsistency_Success() {
+        when(syncService.checkDataConsistency(REALM)).thenReturn(Map.of(
+            "realmName", REALM,
+            "status", "OK",
+            "usersKeycloakCount", 10,
+            "usersLocalCount", 10
+        ));
+
+        var result = syncResource.checkDataConsistency(REALM);
+
+        assertNotNull(result);
+        assertEquals(REALM, result.getRealmName());
+        assertEquals("OK", result.getStatus());
+        assertEquals(10, result.getUsersKeycloakCount());
+    }
+
+    @Test
+    void testCheckDataConsistency_Exception() {
+        when(syncService.checkDataConsistency(REALM)).thenThrow(new RuntimeException("DB error"));
+
+        var result = syncResource.checkDataConsistency(REALM);
+
+        assertNotNull(result);
+        assertEquals("ERROR", result.getStatus());
+        assertEquals(REALM, result.getRealmName());
+        assertEquals("DB error", result.getError());
+    }
+
+    @Test
+    void testGetLastSyncStatus() {
+        var result = syncResource.getLastSyncStatus(REALM);
+
+        assertNotNull(result);
+        assertEquals(REALM, result.getRealmName());
+        assertEquals("NEVER_SYNCED", result.getStatus());
+    }
+
+    @Test
+    void testForceSyncRealm_Success() {
+        when(syncService.forceSyncRealm(REALM)).thenReturn(Map.of());
+
+        var result = syncResource.forceSyncRealm(REALM);
+
+        assertNotNull(result);
+        assertEquals("SUCCESS", result.getStatus());
+        assertEquals(REALM, result.getRealmName());
+    }
+
+    @Test
+    void testForceSyncRealm_Exception() {
+        doThrow(new RuntimeException("Force sync failed")).when(syncService).forceSyncRealm(REALM);
+
+        var result = syncResource.forceSyncRealm(REALM);
+
+        assertNotNull(result);
+        assertEquals("FAILED", result.getStatus());
+        assertEquals(REALM, result.getRealmName());
+    }
 }
--- a/src/test/java/dev/lions/user/manager/resource/UserResourceTest.java
+++ b/src/test/java/dev/lions/user/manager/resource/UserResourceTest.java
@@ -1,5 +1,6 @@
 package dev.lions.user.manager.resource;

+import dev.lions.user.manager.dto.importexport.ImportResultDTO;
 import dev.lions.user.manager.dto.user.*;
 import dev.lions.user.manager.service.UserService;
 import jakarta.ws.rs.core.Response;
@@ -15,6 +16,7 @@ import java.util.Optional;

 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.*;

@ExtendWith(MockitoExtension.class)
@@ -164,9 +166,11 @@ class UserResourceTest {
    void testSendVerificationEmail() {
        doNothing().when(userService).sendVerificationEmail("1", REALM);

-        userResource.sendVerificationEmail("1", REALM);
+        Response response = userResource.sendVerificationEmail("1", REALM);

        verify(userService).sendVerificationEmail("1", REALM);
+        assertNotNull(response);
+        assertEquals(202, response.getStatus());
    }

    @Test
@@ -189,4 +193,51 @@ class UserResourceTest {
        assertEquals(1, result.size());
        assertEquals("session-1", result.get(0));
    }
+
+    @Test
+    void testCreateUser_IllegalArgumentException() {
+        UserDTO newUser = UserDTO.builder().username("existinguser").email("existing@test.com").build();
+        when(userService.createUser(any(), eq(REALM))).thenThrow(new IllegalArgumentException("Username exists"));
+
+        Response response = userResource.createUser(newUser, REALM);
+
+        assertEquals(409, response.getStatus());
+    }
+
+    @Test
+    void testCreateUser_RuntimeException() {
+        UserDTO newUser = UserDTO.builder().username("user").email("user@test.com").build();
+        when(userService.createUser(any(), eq(REALM))).thenThrow(new RuntimeException("Connection error"));
+
+        assertThrows(RuntimeException.class, () -> userResource.createUser(newUser, REALM));
+    }
+
+    @Test
+    void testExportUsersToCSV() {
+        String csvContent = "username,email,prenom,nom\ntest,test@test.com,Test,User";
+        when(userService.exportUsersToCSV(any())).thenReturn(csvContent);
+
+        Response response = userResource.exportUsersToCSV(REALM);
+
+        assertEquals(200, response.getStatus());
+        assertEquals(csvContent, response.getEntity());
+    }
+
+    @Test
+    void testImportUsersFromCSV() {
+        String csvContent = "username,email,prenom,nom\ntest,test@test.com,Test,User";
+        ImportResultDTO importResult = ImportResultDTO.builder()
+            .successCount(1)
+            .errorCount(0)
+            .totalLines(2)
+            .errors(Collections.emptyList())
+            .build();
+        when(userService.importUsersFromCSV(csvContent, REALM)).thenReturn(importResult);
+
+        ImportResultDTO result = userResource.importUsersFromCSV(REALM, csvContent);
+
+        assertNotNull(result);
+        assertEquals(1, result.getSuccessCount());
+        assertEquals(0, result.getErrorCount());
+    }
 }