fit/core-reference/src/test/java/org/apache/syncope/fit/core/DynRealmITCase.java - syncope - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 package org.apache.syncope.fit.core;

 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;

 import com.fasterxml.jackson.databind.node.ArrayNode;
 import java.nio.charset.StandardCharsets;
 import javax.ws.rs.core.GenericType;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import org.apache.commons.io.IOUtils;
 import org.apache.syncope.client.lib.SyncopeClient;
 import org.apache.syncope.common.lib.SyncopeClientException;
 import org.apache.syncope.common.lib.request.AttrPatch;
 import org.apache.syncope.common.lib.request.GroupCR;
 import org.apache.syncope.common.lib.request.GroupUR;
 import org.apache.syncope.common.lib.request.StringPatchItem;
 import org.apache.syncope.common.lib.request.UserCR;
 import org.apache.syncope.common.lib.request.UserUR;
 import org.apache.syncope.common.lib.SyncopeConstants;
 import org.apache.syncope.common.lib.to.DynRealmTO;
 import org.apache.syncope.common.lib.to.GroupTO;
 import org.apache.syncope.common.lib.to.PagedResult;
 import org.apache.syncope.common.lib.to.ProvisioningResult;
 import org.apache.syncope.common.lib.to.RoleTO;
 import org.apache.syncope.common.lib.to.UserTO;
 import org.apache.syncope.common.lib.types.AnyTypeKind;
 import org.apache.syncope.common.lib.types.ClientExceptionType;
 import org.apache.syncope.common.lib.types.PatchOperation;
 import org.apache.syncope.common.lib.types.IdRepoEntitlement;
 import org.apache.syncope.common.rest.api.beans.AnyQuery;
 import org.apache.syncope.common.rest.api.service.DynRealmService;
 import org.apache.syncope.common.rest.api.service.GroupService;
 import org.apache.syncope.common.rest.api.service.UserService;
 import org.apache.syncope.fit.AbstractITCase;
 import org.apache.syncope.fit.ElasticsearchDetector;
 import org.eclipse.jetty.client.HttpClient;
 import org.eclipse.jetty.client.api.ContentResponse;
 import org.eclipse.jetty.client.util.InputStreamContentProvider;
 import org.eclipse.jetty.http.HttpHeader;
 import org.eclipse.jetty.http.HttpMethod;
 import org.eclipse.jetty.http.HttpStatus;
 import org.junit.jupiter.api.Test;

 public class DynRealmITCase extends AbstractITCase {

     @Test
     public void misc() {
         DynRealmTO dynRealm = null;
         try {
             dynRealm = new DynRealmTO();
             dynRealm.setKey("/name" + getUUIDString());
             dynRealm.getDynMembershipConds().put(AnyTypeKind.USER.name(), "cool==true");

             // invalid key (starts with /)
             try {
                 dynRealmService.create(dynRealm);
                 fail("This should not happen");
             } catch (SyncopeClientException e) {
                 assertEquals(ClientExceptionType.InvalidDynRealm, e.getType());
             }
             dynRealm.setKey("name" + getUUIDString());

             Response response = dynRealmService.create(dynRealm);
             dynRealm = getObject(response.getLocation(), DynRealmService.class, DynRealmTO.class);
             assertNotNull(dynRealm);

             PagedResult<UserTO> matching = userService.search(new AnyQuery.Builder().fiql("cool==true").build());
             assertNotNull(matching);
             assertNotEquals(0, matching.getSize());

             UserTO user = matching.getResult().get(0);

             assertTrue(user.getDynRealms().contains(dynRealm.getKey()));
         } finally {
             if (dynRealm != null) {
                 dynRealmService.delete(dynRealm.getKey());
             }
         }
     }

     @Test
     public void delegatedAdmin() {
         DynRealmTO dynRealm = null;
         RoleTO role = null;
         try {
             // 1. create dynamic realm for all users and groups having resource-ldap assigned
             dynRealm = new DynRealmTO();
             dynRealm.setKey("LDAPLovers" + getUUIDString());
             dynRealm.getDynMembershipConds().put(AnyTypeKind.USER.name(), "$resources==resource-ldap");
             dynRealm.getDynMembershipConds().put(AnyTypeKind.GROUP.name(), "$resources==resource-ldap");

             Response response = dynRealmService.create(dynRealm);
             dynRealm = getObject(response.getLocation(), DynRealmService.class, DynRealmTO.class);
             assertNotNull(dynRealm);

             // 2. create role for such dynamic realm
             role = new RoleTO();
             role.setKey("Administer LDAP" + getUUIDString());
             role.getEntitlements().add(IdRepoEntitlement.USER_SEARCH);
             role.getEntitlements().add(IdRepoEntitlement.USER_READ);
             role.getEntitlements().add(IdRepoEntitlement.USER_UPDATE);
             role.getEntitlements().add(IdRepoEntitlement.GROUP_READ);
             role.getEntitlements().add(IdRepoEntitlement.GROUP_UPDATE);
             role.getDynRealms().add(dynRealm.getKey());

             role = createRole(role);
             assertNotNull(role);

             // 3. create new user and assign the new role
             UserCR dynRealmAdmin = UserITCase.getUniqueSample("dynRealmAdmin@apache.org");
             dynRealmAdmin.setPassword("password123");
             dynRealmAdmin.getRoles().add(role.getKey());
             assertNotNull(createUser(dynRealmAdmin).getEntity());

             // 4. create new user and group, assign resource-ldap
             UserCR userCR = UserITCase.getUniqueSample("dynRealmUser@apache.org");
             userCR.setRealm("/even/two");
             userCR.getResources().clear();
             userCR.getResources().add(RESOURCE_NAME_LDAP);
             UserTO user = createUser(userCR).getEntity();
             assertNotNull(user);
             final String userKey = user.getKey();

             GroupCR groupCR = GroupITCase.getSample("dynRealmGroup");
             groupCR.setRealm("/odd");
             groupCR.getResources().clear();
             groupCR.getResources().add(RESOURCE_NAME_LDAP);
             GroupTO group = createGroup(groupCR).getEntity();
             assertNotNull(group);
             final String groupKey = group.getKey();

             if (ElasticsearchDetector.isElasticSearchEnabled(adminClient.platform())) {
                 try {
                     Thread.sleep(2000);
                 } catch (InterruptedException ex) {
                     // ignore
                 }
             }

             // 5. verify that the new user and group are found when searching by dynamic realm
             PagedResult<UserTO> matchingUsers = userService.search(new AnyQuery.Builder().realm("/").fiql(
                     SyncopeClient.getUserSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
             assertTrue(matchingUsers.getResult().stream().anyMatch(object -> object.getKey().equals(userKey)));

             PagedResult<GroupTO> matchingGroups = groupService.search(new AnyQuery.Builder().realm("/").fiql(
                     SyncopeClient.getGroupSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
             assertTrue(matchingGroups.getResult().stream().anyMatch(object -> object.getKey().equals(groupKey)));

             // 6. prepare to act as delegated admin
             SyncopeClient delegatedClient = clientFactory.create(dynRealmAdmin.getUsername(), "password123");
             UserService delegatedUserService = delegatedClient.getService(UserService.class);
             GroupService delegatedGroupService = delegatedClient.getService(GroupService.class);

             // 7. verify delegated administration
             // USER_READ
             assertNotNull(delegatedUserService.read(userKey));

             // GROUP_READ
             assertNotNull(delegatedGroupService.read(groupKey));

             // USER_SEARCH
             matchingUsers = delegatedUserService.search(new AnyQuery.Builder().realm("/").build());
             assertTrue(matchingUsers.getResult().stream().anyMatch(object -> object.getKey().equals(userKey)));

             // USER_UPDATE
             UserUR userUR = new UserUR();
             userUR.setKey(userKey);
             userUR.getResources().add(new StringPatchItem.Builder().
                     value(RESOURCE_NAME_LDAP).operation(PatchOperation.DELETE).build());
             // this will fail because unassigning resource-ldap would result in removing the user from the dynamic realm
             try {
                 delegatedUserService.update(userUR);
                 fail("This should not happen");
             } catch (SyncopeClientException e) {
                 assertEquals(ClientExceptionType.DelegatedAdministration, e.getType());
             }
             // this will succeed instead
             userUR.getResources().clear();
             userUR.getResources().add(new StringPatchItem.Builder().value(RESOURCE_NAME_NOPROPAGATION).build());
             user = delegatedUserService.update(userUR).
                     readEntity(new GenericType<ProvisioningResult<UserTO>>() {
                     }).getEntity();
             assertNotNull(user);
             assertTrue(user.getResources().contains(RESOURCE_NAME_NOPROPAGATION));

             // GROUP_UPDATE
             GroupUR groupUR = new GroupUR();
             groupUR.setKey(groupKey);
             groupUR.getPlainAttrs().add(new AttrPatch.Builder(attr("icon", "modified")).build());
             group = delegatedGroupService.update(groupUR).readEntity(new GenericType<ProvisioningResult<GroupTO>>() {
             }).getEntity();
             assertNotNull(group);
             assertEquals("modified", group.getPlainAttr("icon").get().getValues().get(0));
         } finally {
             if (role != null) {
                 roleService.delete(role.getKey());
             }
             if (dynRealm != null) {
                 dynRealmService.delete(dynRealm.getKey());
             }
         }
     }

     private static ArrayNode fetchDynRealmsFromElasticsearch(final String userKey) throws Exception {
         String body =
                 '{'
                 + "    \"query\": {"
                 + "        \"match\": {\"_id\": \"" + userKey + "\"}"
                 + "    }"
                 + '}';

         HttpClient httpClient = new HttpClient();
         httpClient.start();
         ContentResponse response = httpClient.newRequest("http://localhost:9200/master_user/_search").
                 method(HttpMethod.GET).
                 header(HttpHeader.CONTENT_TYPE, MediaType.APPLICATION_JSON).
                 content(new InputStreamContentProvider(IOUtils.toInputStream(body, StandardCharsets.UTF_8))).
                 send();
         assertEquals(HttpStatus.OK_200, response.getStatus());

         return (ArrayNode) OBJECT_MAPPER.readTree(response.getContent()).
                 get("hits").get("hits").get(0).get("_source").get("dynRealms");
     }

     @Test
     public void issueSYNCOPE1480() throws Exception {
         String ctype = getUUIDString();

         DynRealmTO dynRealm = null;
         try {
             // 1. create new dyn realm matching a very specific attribute value
             dynRealm = new DynRealmTO();
             dynRealm.setKey("name" + getUUIDString());
             dynRealm.getDynMembershipConds().put(AnyTypeKind.USER.name(), "ctype==" + ctype);
             dynRealmService.create(dynRealm);

             Response response = dynRealmService.create(dynRealm);
             dynRealm = getObject(response.getLocation(), DynRealmService.class, DynRealmTO.class);
             assertNotNull(dynRealm);

             // 2. no dyn realm members
             PagedResult<UserTO> matching = userService.search(new AnyQuery.Builder().realm("/").fiql(
                     SyncopeClient.getUserSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
             assertEquals(0, matching.getSize());

             // 3. create user with that attribute value
             UserCR userCR = UserITCase.getUniqueSample("syncope1480@syncope.apache.org");
             userCR.getPlainAttr("ctype").get().getValues().set(0, ctype);
             UserTO user = createUser(userCR).getEntity();
             assertNotNull(user.getKey());

             // 4a. check that Elasticsearch index was updated correctly
             if (ElasticsearchDetector.isElasticSearchEnabled(adminClient.platform())) {
                 try {
                     Thread.sleep(2000);
                 } catch (InterruptedException ex) {
                     // ignore
                 }

                 ArrayNode dynRealms = fetchDynRealmsFromElasticsearch(user.getKey());
                 assertEquals(1, dynRealms.size());
                 assertEquals(dynRealm.getKey(), dynRealms.get(0).asText());
             }

             // 4b. now there is 1 realm member
             matching = userService.search(new AnyQuery.Builder().realm(SyncopeConstants.ROOT_REALM).fiql(
                     SyncopeClient.getUserSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
             assertEquals(1, matching.getSize());

             // 5. change dyn realm condition
             dynRealm.getDynMembershipConds().put(AnyTypeKind.USER.name(), "ctype==ANY");
             dynRealmService.update(dynRealm);

             // 6a. check that Elasticsearch index was updated correctly
             if (ElasticsearchDetector.isElasticSearchEnabled(adminClient.platform())) {
                 try {
                     Thread.sleep(2000);
                 } catch (InterruptedException ex) {
                     // ignore
                 }

                 ArrayNode dynRealms = fetchDynRealmsFromElasticsearch(user.getKey());
                 assertTrue(dynRealms.isEmpty());
             }

             // 6b. no more dyn realm members
             matching = userService.search(new AnyQuery.Builder().realm(SyncopeConstants.ROOT_REALM).fiql(
                     SyncopeClient.getUserSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
             assertEquals(0, matching.getSize());
         } finally {
             if (dynRealm != null) {
                 dynRealmService.delete(dynRealm.getKey());
             }
         }
     }
 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/
	package org.apache.syncope.fit.core;

	import static org.junit.jupiter.api.Assertions.assertEquals;
	import static org.junit.jupiter.api.Assertions.assertNotEquals;
	import static org.junit.jupiter.api.Assertions.assertNotNull;
	import static org.junit.jupiter.api.Assertions.assertTrue;
	import static org.junit.jupiter.api.Assertions.fail;

	import com.fasterxml.jackson.databind.node.ArrayNode;
	import java.nio.charset.StandardCharsets;
	import javax.ws.rs.core.GenericType;
	import javax.ws.rs.core.MediaType;
	import javax.ws.rs.core.Response;
	import org.apache.commons.io.IOUtils;
	import org.apache.syncope.client.lib.SyncopeClient;
	import org.apache.syncope.common.lib.SyncopeClientException;
	import org.apache.syncope.common.lib.request.AttrPatch;
	import org.apache.syncope.common.lib.request.GroupCR;
	import org.apache.syncope.common.lib.request.GroupUR;
	import org.apache.syncope.common.lib.request.StringPatchItem;
	import org.apache.syncope.common.lib.request.UserCR;
	import org.apache.syncope.common.lib.request.UserUR;
	import org.apache.syncope.common.lib.SyncopeConstants;
	import org.apache.syncope.common.lib.to.DynRealmTO;
	import org.apache.syncope.common.lib.to.GroupTO;
	import org.apache.syncope.common.lib.to.PagedResult;
	import org.apache.syncope.common.lib.to.ProvisioningResult;
	import org.apache.syncope.common.lib.to.RoleTO;
	import org.apache.syncope.common.lib.to.UserTO;
	import org.apache.syncope.common.lib.types.AnyTypeKind;
	import org.apache.syncope.common.lib.types.ClientExceptionType;
	import org.apache.syncope.common.lib.types.PatchOperation;
	import org.apache.syncope.common.lib.types.IdRepoEntitlement;
	import org.apache.syncope.common.rest.api.beans.AnyQuery;
	import org.apache.syncope.common.rest.api.service.DynRealmService;
	import org.apache.syncope.common.rest.api.service.GroupService;
	import org.apache.syncope.common.rest.api.service.UserService;
	import org.apache.syncope.fit.AbstractITCase;
	import org.apache.syncope.fit.ElasticsearchDetector;
	import org.eclipse.jetty.client.HttpClient;
	import org.eclipse.jetty.client.api.ContentResponse;
	import org.eclipse.jetty.client.util.InputStreamContentProvider;
	import org.eclipse.jetty.http.HttpHeader;
	import org.eclipse.jetty.http.HttpMethod;
	import org.eclipse.jetty.http.HttpStatus;
	import org.junit.jupiter.api.Test;

	public class DynRealmITCase extends AbstractITCase {

	@Test
	public void misc() {
	DynRealmTO dynRealm = null;
	try {
	dynRealm = new DynRealmTO();
	dynRealm.setKey("/name" + getUUIDString());
	dynRealm.getDynMembershipConds().put(AnyTypeKind.USER.name(), "cool==true");

	// invalid key (starts with /)
	try {
	dynRealmService.create(dynRealm);
	fail("This should not happen");
	} catch (SyncopeClientException e) {
	assertEquals(ClientExceptionType.InvalidDynRealm, e.getType());
	}
	dynRealm.setKey("name" + getUUIDString());

	Response response = dynRealmService.create(dynRealm);
	dynRealm = getObject(response.getLocation(), DynRealmService.class, DynRealmTO.class);
	assertNotNull(dynRealm);

	PagedResult<UserTO> matching = userService.search(new AnyQuery.Builder().fiql("cool==true").build());
	assertNotNull(matching);
	assertNotEquals(0, matching.getSize());

	UserTO user = matching.getResult().get(0);

	assertTrue(user.getDynRealms().contains(dynRealm.getKey()));
	} finally {
	if (dynRealm != null) {
	dynRealmService.delete(dynRealm.getKey());
	}
	}
	}

	@Test
	public void delegatedAdmin() {
	DynRealmTO dynRealm = null;
	RoleTO role = null;
	try {
	// 1. create dynamic realm for all users and groups having resource-ldap assigned
	dynRealm = new DynRealmTO();
	dynRealm.setKey("LDAPLovers" + getUUIDString());
	dynRealm.getDynMembershipConds().put(AnyTypeKind.USER.name(), "$resources==resource-ldap");
	dynRealm.getDynMembershipConds().put(AnyTypeKind.GROUP.name(), "$resources==resource-ldap");

	Response response = dynRealmService.create(dynRealm);
	dynRealm = getObject(response.getLocation(), DynRealmService.class, DynRealmTO.class);
	assertNotNull(dynRealm);

	// 2. create role for such dynamic realm
	role = new RoleTO();
	role.setKey("Administer LDAP" + getUUIDString());
	role.getEntitlements().add(IdRepoEntitlement.USER_SEARCH);
	role.getEntitlements().add(IdRepoEntitlement.USER_READ);
	role.getEntitlements().add(IdRepoEntitlement.USER_UPDATE);
	role.getEntitlements().add(IdRepoEntitlement.GROUP_READ);
	role.getEntitlements().add(IdRepoEntitlement.GROUP_UPDATE);
	role.getDynRealms().add(dynRealm.getKey());

	role = createRole(role);
	assertNotNull(role);

	// 3. create new user and assign the new role
	UserCR dynRealmAdmin = UserITCase.getUniqueSample("dynRealmAdmin@apache.org");
	dynRealmAdmin.setPassword("password123");
	dynRealmAdmin.getRoles().add(role.getKey());
	assertNotNull(createUser(dynRealmAdmin).getEntity());

	// 4. create new user and group, assign resource-ldap
	UserCR userCR = UserITCase.getUniqueSample("dynRealmUser@apache.org");
	userCR.setRealm("/even/two");
	userCR.getResources().clear();
	userCR.getResources().add(RESOURCE_NAME_LDAP);
	UserTO user = createUser(userCR).getEntity();
	assertNotNull(user);
	final String userKey = user.getKey();

	GroupCR groupCR = GroupITCase.getSample("dynRealmGroup");
	groupCR.setRealm("/odd");
	groupCR.getResources().clear();
	groupCR.getResources().add(RESOURCE_NAME_LDAP);
	GroupTO group = createGroup(groupCR).getEntity();
	assertNotNull(group);
	final String groupKey = group.getKey();

	if (ElasticsearchDetector.isElasticSearchEnabled(adminClient.platform())) {
	try {
	Thread.sleep(2000);
	} catch (InterruptedException ex) {
	// ignore
	}
	}

	// 5. verify that the new user and group are found when searching by dynamic realm
	PagedResult<UserTO> matchingUsers = userService.search(new AnyQuery.Builder().realm("/").fiql(
	SyncopeClient.getUserSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
	assertTrue(matchingUsers.getResult().stream().anyMatch(object -> object.getKey().equals(userKey)));

	PagedResult<GroupTO> matchingGroups = groupService.search(new AnyQuery.Builder().realm("/").fiql(
	SyncopeClient.getGroupSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
	assertTrue(matchingGroups.getResult().stream().anyMatch(object -> object.getKey().equals(groupKey)));

	// 6. prepare to act as delegated admin
	SyncopeClient delegatedClient = clientFactory.create(dynRealmAdmin.getUsername(), "password123");
	UserService delegatedUserService = delegatedClient.getService(UserService.class);
	GroupService delegatedGroupService = delegatedClient.getService(GroupService.class);

	// 7. verify delegated administration
	// USER_READ
	assertNotNull(delegatedUserService.read(userKey));

	// GROUP_READ
	assertNotNull(delegatedGroupService.read(groupKey));

	// USER_SEARCH
	matchingUsers = delegatedUserService.search(new AnyQuery.Builder().realm("/").build());
	assertTrue(matchingUsers.getResult().stream().anyMatch(object -> object.getKey().equals(userKey)));

	// USER_UPDATE
	UserUR userUR = new UserUR();
	userUR.setKey(userKey);
	userUR.getResources().add(new StringPatchItem.Builder().
	value(RESOURCE_NAME_LDAP).operation(PatchOperation.DELETE).build());
	// this will fail because unassigning resource-ldap would result in removing the user from the dynamic realm
	try {
	delegatedUserService.update(userUR);
	fail("This should not happen");
	} catch (SyncopeClientException e) {
	assertEquals(ClientExceptionType.DelegatedAdministration, e.getType());
	}
	// this will succeed instead
	userUR.getResources().clear();
	userUR.getResources().add(new StringPatchItem.Builder().value(RESOURCE_NAME_NOPROPAGATION).build());
	user = delegatedUserService.update(userUR).
	readEntity(new GenericType<ProvisioningResult<UserTO>>() {
	}).getEntity();
	assertNotNull(user);
	assertTrue(user.getResources().contains(RESOURCE_NAME_NOPROPAGATION));

	// GROUP_UPDATE
	GroupUR groupUR = new GroupUR();
	groupUR.setKey(groupKey);
	groupUR.getPlainAttrs().add(new AttrPatch.Builder(attr("icon", "modified")).build());
	group = delegatedGroupService.update(groupUR).readEntity(new GenericType<ProvisioningResult<GroupTO>>() {
	}).getEntity();
	assertNotNull(group);
	assertEquals("modified", group.getPlainAttr("icon").get().getValues().get(0));
	} finally {
	if (role != null) {
	roleService.delete(role.getKey());
	}
	if (dynRealm != null) {
	dynRealmService.delete(dynRealm.getKey());
	}
	}
	}

	private static ArrayNode fetchDynRealmsFromElasticsearch(final String userKey) throws Exception {
	String body =
	'{'
	+ " \"query\": {"
	+ " \"match\": {\"_id\": \"" + userKey + "\"}"
	+ " }"
	+ '}';

	HttpClient httpClient = new HttpClient();
	httpClient.start();
	ContentResponse response = httpClient.newRequest("http://localhost:9200/master_user/_search").
	method(HttpMethod.GET).
	header(HttpHeader.CONTENT_TYPE, MediaType.APPLICATION_JSON).
	content(new InputStreamContentProvider(IOUtils.toInputStream(body, StandardCharsets.UTF_8))).
	send();
	assertEquals(HttpStatus.OK_200, response.getStatus());

	return (ArrayNode) OBJECT_MAPPER.readTree(response.getContent()).
	get("hits").get("hits").get(0).get("_source").get("dynRealms");
	}

	@Test
	public void issueSYNCOPE1480() throws Exception {
	String ctype = getUUIDString();

	DynRealmTO dynRealm = null;
	try {
	// 1. create new dyn realm matching a very specific attribute value
	dynRealm = new DynRealmTO();
	dynRealm.setKey("name" + getUUIDString());
	dynRealm.getDynMembershipConds().put(AnyTypeKind.USER.name(), "ctype==" + ctype);
	dynRealmService.create(dynRealm);

	Response response = dynRealmService.create(dynRealm);
	dynRealm = getObject(response.getLocation(), DynRealmService.class, DynRealmTO.class);
	assertNotNull(dynRealm);

	// 2. no dyn realm members
	PagedResult<UserTO> matching = userService.search(new AnyQuery.Builder().realm("/").fiql(
	SyncopeClient.getUserSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
	assertEquals(0, matching.getSize());

	// 3. create user with that attribute value
	UserCR userCR = UserITCase.getUniqueSample("syncope1480@syncope.apache.org");
	userCR.getPlainAttr("ctype").get().getValues().set(0, ctype);
	UserTO user = createUser(userCR).getEntity();
	assertNotNull(user.getKey());

	// 4a. check that Elasticsearch index was updated correctly
	if (ElasticsearchDetector.isElasticSearchEnabled(adminClient.platform())) {
	try {
	Thread.sleep(2000);
	} catch (InterruptedException ex) {
	// ignore
	}

	ArrayNode dynRealms = fetchDynRealmsFromElasticsearch(user.getKey());
	assertEquals(1, dynRealms.size());
	assertEquals(dynRealm.getKey(), dynRealms.get(0).asText());
	}

	// 4b. now there is 1 realm member
	matching = userService.search(new AnyQuery.Builder().realm(SyncopeConstants.ROOT_REALM).fiql(
	SyncopeClient.getUserSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
	assertEquals(1, matching.getSize());

	// 5. change dyn realm condition
	dynRealm.getDynMembershipConds().put(AnyTypeKind.USER.name(), "ctype==ANY");
	dynRealmService.update(dynRealm);

	// 6a. check that Elasticsearch index was updated correctly
	if (ElasticsearchDetector.isElasticSearchEnabled(adminClient.platform())) {
	try {
	Thread.sleep(2000);
	} catch (InterruptedException ex) {
	// ignore
	}

	ArrayNode dynRealms = fetchDynRealmsFromElasticsearch(user.getKey());
	assertTrue(dynRealms.isEmpty());
	}

	// 6b. no more dyn realm members
	matching = userService.search(new AnyQuery.Builder().realm(SyncopeConstants.ROOT_REALM).fiql(
	SyncopeClient.getUserSearchConditionBuilder().inDynRealms(dynRealm.getKey()).query()).build());
	assertEquals(0, matching.getSize());
	} finally {
	if (dynRealm != null) {
	dynRealmService.delete(dynRealm.getKey());
	}
	}
	}
	}