From 4bd0f45001c5febc31ad9338cd755d8eb85a9421 Mon Sep 17 00:00:00 2001
From: Viktor Scharf <scharf.vi@gmail.com>
Date: Fri, 4 Jul 2025 14:48:02 +0200
Subject: [PATCH] update keycloak tests

---
 .woodpecker.star                              |  7 +-
 tests/e2e/cucumber/environment/index.ts       | 11 ++-
 .../cucumber/features/keycloak/groups.feature | 67 --------------
 .../cucumber/features/keycloak/smoke.feature  | 76 ++++++++++++++++
 tests/e2e/cucumber/steps/api.ts               | 67 +++++++++++---
 tests/e2e/support/api/graph/userManagement.ts |  2 +-
 tests/e2e/support/api/index.ts                |  1 -
 tests/e2e/support/api/keycloak/group.ts       | 77 ++++++++++++++++
 tests/e2e/support/api/keycloak/index.ts       |  1 +
 tests/e2e/support/api/keycloak/user.ts        | 87 ++++++++-----------
 tests/e2e/support/api/provision/index.ts      |  1 -
 tests/e2e/support/api/provision/user.ts       | 56 ------------
 .../e2e/support/environment/userManagement.ts | 30 +------
 tests/e2e/support/store/keycloak.ts           | 20 +----
 tests/e2e/support/types.ts                    |  2 +
 .../opencloud-ci-realm.dist.json              | 11 +++
 16 files changed, 270 insertions(+), 246 deletions(-)
 delete mode 100644 tests/e2e/cucumber/features/keycloak/groups.feature
 create mode 100644 tests/e2e/cucumber/features/keycloak/smoke.feature
 create mode 100644 tests/e2e/support/api/keycloak/group.ts
 delete mode 100644 tests/e2e/support/api/provision/index.ts
 delete mode 100644 tests/e2e/support/api/provision/user.ts

diff --git a/.woodpecker.star b/.woodpecker.star
index 81437b7896..ddce3d2d8c 100644
--- a/.woodpecker.star
+++ b/.woodpecker.star
@@ -1492,11 +1492,6 @@ def keycloakService():
            }] + waitForServices("keycloak", ["keycloak:8443"])
 
 def e2eTestsOnKeycloak(ctx):
-    e2e_Keycloak_tests = [
-        "admin-settings/spaces.feature:25",
-        "admin-settings/spaces.feature:60",
-    ]
-
     steps = restoreBuildArtifactCache(ctx, "pnpm", ".pnpm-store") + \
             installPnpm() + \
             restoreBrowsersCache() + \
@@ -1560,7 +1555,7 @@ def e2eTestsOnKeycloak(ctx):
                      },
                      "commands": [
                          "cd tests/e2e",
-                         "bash run-e2e.sh %s" % " ".join(["cucumber/features/" + tests for tests in e2e_Keycloak_tests]),
+                         "bash run-e2e.sh cucumber/features/keycloak",
                      ],
                  },
              ] + \
diff --git a/tests/e2e/cucumber/environment/index.ts b/tests/e2e/cucumber/environment/index.ts
index 8e20bd6757..998fca6526 100644
--- a/tests/e2e/cucumber/environment/index.ts
+++ b/tests/e2e/cucumber/environment/index.ts
@@ -195,11 +195,14 @@ function filterTracingReports(status: string) {
 const cleanUpUser = async (createdUserStore, adminUser: User) => {
   const requests: Promise<User>[] = []
   createdUserStore.forEach((user) => {
-    requests.push(api.provision.deleteUser({ user, admin: adminUser }))
+    if (config.keycloak) {
+      requests.push(api.keycloak.deleteUser({ user }))
+    } else {
+      requests.push(api.graph.deleteUser({ user, admin: adminUser }))
+    }
   })
   await Promise.all(requests)
   createdUserStore.clear()
-  store.keycloakCreatedUser.clear()
 }
 
 const cleanUpSpaces = async (adminUser: User) => {
@@ -228,7 +231,9 @@ const cleanUpSpaces = async (adminUser: User) => {
 const cleanUpGroup = async (adminUser: User) => {
   const requests: Promise<Group>[] = []
   store.createdGroupStore.forEach((group) => {
-    if (!group.id.startsWith('keycloak')) {
+    if (config.keycloak) {
+      requests.push(api.keycloak.deleteGroup({ group }))
+    } else {
       requests.push(api.graph.deleteGroup({ group, admin: adminUser }))
     }
   })
diff --git a/tests/e2e/cucumber/features/keycloak/groups.feature b/tests/e2e/cucumber/features/keycloak/groups.feature
deleted file mode 100644
index 3d959c8752..0000000000
--- a/tests/e2e/cucumber/features/keycloak/groups.feature
+++ /dev/null
@@ -1,67 +0,0 @@
-Feature: groups management
-  As a user
-  I want to manage all group-related operations using OpenCloud Web
-  So that I can ensure all group-related operations work correctly with Keycloak integration
-  # For synchronization-related details, see https://docs.opencloud.eu/services/proxy/#claim-updates
-
-
-  Scenario: keycloak group sync with OpenCloud
-    Given "Admin" creates following user using API
-      | id    |
-      | Alice |
-      | Brian |
-    And "Alice" creates the following files into personal space using API
-      | pathToFile          | content              |
-      | shareToSales.txt    | Keycloak group share |
-      | shareToSecurity.txt | Keycloak group share |
-
-    When "Admin" logs in
-    And "Admin" opens the "admin-settings" app
-    And "Admin" navigates to the groups management page
-    When "Admin" creates the following groups
-      | id       |
-      | security |
-      | sales    |
-    Then "Admin" should see the following group
-      | group            |
-      | security         |
-      | keycloak sales   |
-      | keycloak finance |
-
-    When "Admin" navigates to the users management page
-    And "Admin" adds the user "Brian" to the groups "security,keycloak sales" using the sidebar panel
-    And "Admin" logs out
-
-    And "Alice" logs in
-    And "Alice" shares the following resource using the sidebar panel
-      | resource            | recipient      | type  | role     | resourceType |
-      | shareToSales.txt    | keycloak sales | group | Can edit | file         |
-      | shareToSecurity.txt | security       | group | Can edit | file         |
-    And "Alice" logs out
-
-    And "Brian" logs in
-    And "Brian" navigates to the shared with me page
-    # user should have access to unsynced shares
-    When "Brian" opens the following file in texteditor
-      | resource         |
-      | shareToSales.txt |
-    And "Brian" closes the file viewer
-    And "Brian" edits the following resources
-      | resource            | content     |
-      | shareToSecurity.txt | new content |
-    And "Brian" logs out
-
-    When "Admin" logs in
-    And "Admin" opens the "admin-settings" app
-    And "Admin" navigates to the groups management page
-    # Renaming a Keycloak group results in the creation of a new group on the OpenCloud server.
-    # After renaming a group, it may take up to 5 minutes for the changes to sync, so avoid using the renamed group in the subsequent steps.
-    And "Admin" changes displayName to "a renamed group" for group "keycloak finance" using the sidebar panel
-
-    When "Admin" deletes the following group using the context menu
-      | group |
-      | sales |
-    Then "Admin" should not see the following group
-      | group |
-      | sales |
-    And "Admin" logs out
diff --git a/tests/e2e/cucumber/features/keycloak/smoke.feature b/tests/e2e/cucumber/features/keycloak/smoke.feature
new file mode 100644
index 0000000000..4de176ce29
--- /dev/null
+++ b/tests/e2e/cucumber/features/keycloak/smoke.feature
@@ -0,0 +1,76 @@
+Feature: keycloak integration
+  As a user
+  I want to use Keycloak users and groups in OpenCloud
+  So that I can verify that Keycloak-created entities are accessible and functional in OpenCloud
+
+
+  Scenario: keycloak integration
+    Given admin creates following users using keycloak API
+      | id    |
+      | Alice |
+      | Brian |
+      | Carol |
+    And admin assigns following roles to the users using keycloak API
+      | id    | role        |
+      | Alice | Space Admin |
+    # Group role assignment - all members of the group inherit the assigned role
+    And admin creates following groups using keycloak API
+      | id       | role        |
+      | sales    |             |
+      | finance  | Space Admin |
+      | security | User        |
+    And admin adds users to the group using keycloak API
+      | user  | group    |
+      | Alice | sales    |
+      | Brian | finance  |
+      | Carol | security |
+      | Carol | finance  |
+
+    When "Alice" logs in
+    Then "Alice" should have self info:
+      | key         | value             |
+      | username    | alice             |
+      | displayname | Alice Hansen      |
+      | email       | alice@example.org |
+      | groups      | sales             |
+    And "Alice" opens the "files" app
+    And "Alice" navigates to the projects space page
+    And "Alice" creates the following project spaces
+      | name      | id          |
+      | teamSpace | teamSpace.1 |
+    And "Alice" navigates to the project space "teamSpace.1"
+    And "Alice" creates the following resources
+      | resource        | type    |
+      | security-folder | folder  |
+      | finance-folder  | folder  |
+      
+    And "Alice" shares the following resource using the sidebar panel
+      | resource        | recipient | type  | role     | resourceType |
+      | finance-folder  | finance   | group | Can edit | folder       |
+      | finance-folder  | Brian     | user  | Can edit | file         |
+      | security-folder | security  | group | Can view | folder       |
+      | security-folder | Carol     | user  | Can view | file         |
+    And "Alice" logs out
+
+    And "Brian" logs in
+    And "Brian" navigates to the projects space page
+    And "Brian" creates the following project spaces
+      | name       | id           |
+      | brianSpace | brianSpace.1 |
+    And "Brian" navigates to the project space "brianSpace.1"
+    And "Brian" adds following users to the project space
+      | user     | role     | kind  |
+      | Carol    | Can edit | user  |
+      | security | Can view | group |
+    And "Brian" logs out
+
+    When "Carol" logs in
+    Then "Carol" should have self info:
+      | key         | value             |
+      | username    | carol             |
+      | displayname | Carol King        |
+      | email       | carol@example.org |
+      | groups      | finance, security |
+    And "Carol" opens the "files" app
+    And "Carol" navigates to the project space "brianSpace.1"
+    And "Carol" logs out
diff --git a/tests/e2e/cucumber/steps/api.ts b/tests/e2e/cucumber/steps/api.ts
index 3eb820d9d9..86c869be35 100644
--- a/tests/e2e/cucumber/steps/api.ts
+++ b/tests/e2e/cucumber/steps/api.ts
@@ -19,7 +19,25 @@ Given(
         email: `${uniqueId}@example.org`
       }
 
-      await api.provision.createUser({ user, admin })
+      await api.graph.createUser({ user, admin })
+    }
+  }
+)
+
+Given(
+  'admin creates following user(s) using keycloak API',
+  async function (this: World, stepTable: DataTable): Promise<void> {
+    for (const info of stepTable.hashes()) {
+      const uniqueId = `${info.id}-${this.uniquePrefix}`
+      // use a unique user name
+      const user = {
+        ...this.usersEnvironment.getUser({ key: info.id }),
+        id: info.id,
+        username: uniqueId,
+        email: `${uniqueId}@example.org`
+      }
+
+      await api.keycloak.createUser({ user })
     }
   }
 )
@@ -30,16 +48,17 @@ Given(
     const admin = this.usersEnvironment.getUser({ key: stepUser })
     for await (const info of stepTable.hashes()) {
       const user = this.usersEnvironment.getCreatedUser({ key: info.id })
-      /**
-         The OpenCloud API request for assigning roles allows only one role per user,
-         whereas the Keycloak API request can assign multiple roles to a user.
-         If multiple roles are assigned to a user in Keycloak,
-         OpenCloud map the highest priority role among Keycloak assigned roles.
-         Therefore, we need to unassign the previous role before
-         assigning a new one when using the Keycloak API.
-      */
-      await api.provision.unAssignRole({ admin, user })
-      await api.provision.assignRole({ admin, user, role: info.role })
+      await api.graph.assignRole(admin, user.uuid, info.role)
+    }
+  }
+)
+
+Given(
+  'admin assigns following roles to the user(s) using keycloak API',
+  async function (this: World, stepTable: DataTable): Promise<void> {
+    for await (const info of stepTable.hashes()) {
+      const user = this.usersEnvironment.getCreatedUser({ key: info.id })
+      await api.keycloak.assignRole({ uuid: user.keycloakUuid, role: info.role })
     }
   }
 )
@@ -61,6 +80,21 @@ Given(
   }
 )
 
+Given(
+  'admin creates following group(s) using keycloak API',
+  async function (this: World, stepTable: DataTable): Promise<void> {
+    for (const info of stepTable.hashes()) {
+      const uniqueId = `${info.id}-${this.uniquePrefix}`
+      const group = {
+        ...this.usersEnvironment.getGroup({ key: info.id }),
+        id: info.id,
+        displayName: uniqueId
+      }
+      await api.keycloak.createGroup({ group, role: info.role })
+    }
+  }
+)
+
 Given(
   '{string} adds user(s) to the group(s) using API',
   async function (this: World, stepUser: string, stepTable: DataTable): Promise<void> {
@@ -74,6 +108,17 @@ Given(
   }
 )
 
+Given(
+  'admin adds user(s) to the group(s) using keycloak API',
+  async function (this: World, stepTable: DataTable): Promise<void> {
+    for (const info of stepTable.hashes()) {
+      const user = this.usersEnvironment.getCreatedUser({ key: info.user })
+      const group = this.usersEnvironment.getCreatedGroup({ key: info.group })
+      await api.keycloak.addUserToGroup({ user, group })
+    }
+  }
+)
+
 Given(
   '{string} creates the following folder(s) in personal space using API',
   async function (this: World, stepUser: string, stepTable: DataTable): Promise<void> {
diff --git a/tests/e2e/support/api/graph/userManagement.ts b/tests/e2e/support/api/graph/userManagement.ts
index 12beb5b19e..e9c4549282 100644
--- a/tests/e2e/support/api/graph/userManagement.ts
+++ b/tests/e2e/support/api/graph/userManagement.ts
@@ -133,7 +133,7 @@ export const addUserToGroup = async ({
     body: body,
     user: admin
   })
-  checkResponseStatus(response, 'Failed while adding an user to the group')
+  checkResponseStatus(response, 'Failed while adding a user to the group')
 }
 
 export const assignRole = async (admin: User, id: string, role: string): Promise<void> => {
diff --git a/tests/e2e/support/api/index.ts b/tests/e2e/support/api/index.ts
index 6e42ffff91..64a07b5b58 100644
--- a/tests/e2e/support/api/index.ts
+++ b/tests/e2e/support/api/index.ts
@@ -3,7 +3,6 @@ export * as graph from './graph'
 export * as dav from './davSpaces'
 export * as share from './share'
 export * as keycloak from './keycloak'
-export * as provision from './provision'
 export * as settings from './userSettings'
 export * as token from './token'
 export * as external from './external'
diff --git a/tests/e2e/support/api/keycloak/group.ts b/tests/e2e/support/api/keycloak/group.ts
new file mode 100644
index 0000000000..73fba60e1a
--- /dev/null
+++ b/tests/e2e/support/api/keycloak/group.ts
@@ -0,0 +1,77 @@
+import join from 'join-path'
+import { request, realmBasePath } from './utils'
+import { checkResponseStatus } from '../http'
+import { Group, User } from '../../types'
+import { UsersEnvironment } from '../../environment'
+import { getAdminUser, getRealmRole, openCloudKeycloakUserRoles } from './user'
+
+export const createGroup = async ({
+  group,
+  role
+}: {
+  group: Group
+  role?: string
+}): Promise<Group> => {
+  const creationRes = await request({
+    method: 'POST',
+    path: join(realmBasePath, 'groups'),
+    body: { name: group.displayName },
+    user: getAdminUser(),
+    header: { 'Content-Type': 'application/json' }
+  })
+  checkResponseStatus(creationRes, 'Failed while creating group')
+  const groupId = creationRes.headers()['location'].split('/').pop()
+  const usersEnvironment = new UsersEnvironment()
+  usersEnvironment.storeCreatedGroup({ group: { ...group, keycloakUuid: groupId } })
+
+  if (role) {
+    const roleData = await getRealmRole(openCloudKeycloakUserRoles[role])
+    const roleAssignmentRes = await request({
+      method: 'POST',
+      path: join(realmBasePath, 'groups', groupId, 'role-mappings/realm'),
+      body: [
+        {
+          id: roleData.id,
+          name: roleData.name,
+          description: '',
+          composite: false,
+          clientRole: false,
+          containerId: 'openCloud'
+        }
+      ],
+      user: getAdminUser(),
+      header: { 'Content-Type': 'application/json' }
+    })
+    checkResponseStatus(roleAssignmentRes, `Failed while assigning role ${role} to group`)
+  }
+  return group
+}
+
+export const addUserToGroup = async ({
+  user,
+  group
+}: {
+  user: User
+  group: Group
+}): Promise<void> => {
+  const response = await request({
+    method: 'PUT',
+    path: join(realmBasePath, 'users', user.keycloakUuid, 'groups', group.keycloakUuid),
+    body: {},
+    user: getAdminUser(),
+    header: { 'Content-Type': 'application/json' }
+  })
+  checkResponseStatus(response, 'Failed while adding a user to the group')
+}
+
+export const deleteGroup = async ({ group }: { group: Group }): Promise<Group> => {
+  const response = await request({
+    method: 'DELETE',
+    path: join(realmBasePath, 'groups', group.keycloakUuid),
+    body: {},
+    user: getAdminUser(),
+    header: { 'Content-Type': 'application/json' }
+  })
+  checkResponseStatus(response, 'Failed while adding a user to the group')
+  return group
+}
diff --git a/tests/e2e/support/api/keycloak/index.ts b/tests/e2e/support/api/keycloak/index.ts
index 8e6647e9eb..a28b084ca6 100644
--- a/tests/e2e/support/api/keycloak/index.ts
+++ b/tests/e2e/support/api/keycloak/index.ts
@@ -1,3 +1,4 @@
 export * from './user'
 export * from './utils'
 export * from './openCloudUserToken'
+export * from './group'
diff --git a/tests/e2e/support/api/keycloak/user.ts b/tests/e2e/support/api/keycloak/user.ts
index d779af1f33..1556010e4b 100644
--- a/tests/e2e/support/api/keycloak/user.ts
+++ b/tests/e2e/support/api/keycloak/user.ts
@@ -9,15 +9,21 @@ import { state } from '../../../cucumber/environment/shared'
 import { initializeUser } from '../../utils/tokenHelper'
 import { setAccessTokenForKeycloakOpenCloudUser } from './openCloudUserToken'
 
-const openCloudKeycloakUserRoles: Record<string, string> = {
+export const openCloudKeycloakUserRoles: Record<string, string> = {
   Admin: 'opencloudAdmin',
   'Space Admin': 'opencloudSpaceAdmin',
   User: 'opencloudUser',
   'User Light': 'opencloudGuest'
 }
 
-export const createUser = async ({ user, admin }: { user: User; admin: User }): Promise<User> => {
+export const getAdminUser = (): User => {
+  const usersEnvironment = new UsersEnvironment()
+  return usersEnvironment.getUser({ key: 'admin' })
+}
+
+export const createUser = async ({ user }: { user: User }): Promise<User> => {
   const fullName = user.displayName.split(' ')
+
   const body = {
     username: user.username,
     credentials: [{ value: user.password, type: 'password' }],
@@ -25,11 +31,6 @@ export const createUser = async ({ user, admin }: { user: User; admin: User }):
     lastName: fullName[1] ?? '',
     email: user.email,
     emailVerified: true,
-    // NOTE: setting realmRoles doesn't work while creating user.
-    // Issue in Keycloak:
-    //  - https://github.com/keycloak/keycloak/issues/9354
-    //  - https://github.com/keycloak/keycloak/issues/16449
-    // realmRoles: ['openCloudUser', 'offline_access'],
     enabled: true
   }
 
@@ -38,7 +39,7 @@ export const createUser = async ({ user, admin }: { user: User; admin: User }):
     method: 'POST',
     path: join(realmBasePath, 'users'),
     body,
-    user: admin,
+    user: getAdminUser(),
     header: { 'Content-Type': 'application/json' }
   })
   checkResponseStatus(creationRes, 'Failed while creating user')
@@ -46,17 +47,6 @@ export const createUser = async ({ user, admin }: { user: User; admin: User }):
   // created user id
   const keycloakUUID = getUserIdFromResponse(creationRes)
 
-  // assign realmRoles to user
-  const defaultNewUserRole = 'User'
-  const roleRes = await assignRole({ admin, uuid: keycloakUUID, role: defaultNewUserRole })
-  checkResponseStatus(roleRes, 'Failed while assigning roles to user')
-
-  const usersEnvironment = new UsersEnvironment()
-  // stored keycloak user information on storage
-  usersEnvironment.storeCreatedKeycloakUser({
-    user: { ...user, uuid: keycloakUUID, role: defaultNewUserRole }
-  })
-
   // login to initialize the user in OpenCloud Web
   await initializeUser({
     browser: state.browser,
@@ -64,74 +54,65 @@ export const createUser = async ({ user, admin }: { user: User; admin: User }):
     waitForSelector: '#web-content'
   })
 
-  // store OpenCloud user information
+  const usersEnvironment = new UsersEnvironment()
   usersEnvironment.storeCreatedUser({
-    user: { ...user, uuid: await getUserId({ user, admin }), role: defaultNewUserRole }
+    user: {
+      ...user,
+      uuid: await getUserId({ user, admin: getAdminUser() }),
+      keycloakUuid: keycloakUUID
+    }
   })
+
   await setAccessTokenForKeycloakOpenCloudUser(user)
   return user
 }
 
-export const assignRole = async ({
-  admin,
-  uuid,
-  role
-}: {
-  admin: User
-  uuid: string
-  role: string
-}) => {
-  // can assign multiple realm role at once
+export const assignRole = async ({ uuid, role }: { uuid: string; role: string }) => {
   return request({
     method: 'POST',
     path: join(realmBasePath, 'users', uuid, 'role-mappings', 'realm'),
     body: [
-      await getRealmRole(openCloudKeycloakUserRoles[role], admin),
-      await getRealmRole('offline_access', admin)
+      await getRealmRole(openCloudKeycloakUserRoles[role]),
+      await getRealmRole('offline_access')
     ],
-    user: admin,
+    user: getAdminUser(),
     header: { 'Content-Type': 'application/json' }
   })
 }
 
-export const unAssignRole = async ({
-  admin,
-  uuid,
-  role
-}: {
-  admin: User
-  uuid: string
-  role: string
-}) => {
+export const unAssignRole = async ({ uuid, role }: { uuid: string; role: string }) => {
   // can't unassign multiple realm roles at once
   const response = await request({
     method: 'DELETE',
     path: join(realmBasePath, 'users', uuid, 'role-mappings', 'realm'),
-    body: [await getRealmRole(openCloudKeycloakUserRoles[role], admin)],
-    user: admin,
+    body: [await getRealmRole(openCloudKeycloakUserRoles[role])],
+    user: getAdminUser(),
     header: { 'Content-Type': 'application/json' }
   })
   checkResponseStatus(response, 'Can not delete existing role ')
   return response
 }
 
-export const deleteUser = async ({ user, admin }: { user: User; admin: User }): Promise<User> => {
+export const deleteUser = async ({ user }: { user: User }): Promise<User> => {
   // first delete OpenCloud user
   // deletes the user data
-  await graphDeleteUser({ user, admin })
+  await graphDeleteUser({ user, admin: getAdminUser() })
 
   const usersEnvironment = new UsersEnvironment()
-  const keyclockUser = usersEnvironment.getCreatedKeycloakUser({ key: user.id })
   const response = await request({
     method: 'DELETE',
-    path: join(realmBasePath, 'users', keyclockUser.uuid),
-    user: admin
+    path: join(
+      realmBasePath,
+      'users',
+      usersEnvironment.getCreatedUser({ key: user.id }).keycloakUuid
+    ),
+    user: getAdminUser()
   })
   checkResponseStatus(response, 'Failed to delete keycloak user: ' + user.id)
   if (response.ok) {
     try {
       const usersEnvironment = new UsersEnvironment()
-      usersEnvironment.removeCreatedKeycloakUser({ key: user.id })
+      usersEnvironment.removeCreatedUser({ key: user.id })
     } catch (e) {
       console.error('Error removing Keycloak user:', e)
     }
@@ -139,7 +120,7 @@ export const deleteUser = async ({ user, admin }: { user: User; admin: User }):
   return user
 }
 
-export const getRealmRole = async (role: string, admin: User): Promise<KeycloakRealmRole> => {
+export const getRealmRole = async (role: string): Promise<KeycloakRealmRole> => {
   if (keycloakRealmRoles.get(role)) {
     return keycloakRealmRoles.get(role)
   }
@@ -147,7 +128,7 @@ export const getRealmRole = async (role: string, admin: User): Promise<KeycloakR
   const response = await request({
     method: 'GET',
     path: join(realmBasePath, 'roles'),
-    user: admin
+    user: getAdminUser()
   })
   checkResponseStatus(response, 'Failed while fetching realm roles')
   const roles = (await response.json()) as KeycloakRealmRole[]
diff --git a/tests/e2e/support/api/provision/index.ts b/tests/e2e/support/api/provision/index.ts
deleted file mode 100644
index c3a9c65bfc..0000000000
--- a/tests/e2e/support/api/provision/index.ts
+++ /dev/null
@@ -1 +0,0 @@
-export * from './user'
diff --git a/tests/e2e/support/api/provision/user.ts b/tests/e2e/support/api/provision/user.ts
deleted file mode 100644
index 21060f8da6..0000000000
--- a/tests/e2e/support/api/provision/user.ts
+++ /dev/null
@@ -1,56 +0,0 @@
-import { User } from '../../types'
-import {
-  createUser as graphCreateUser,
-  deleteUser as graphDeleteUser,
-  assignRole as graphAssignRole,
-  getUserId
-} from '../graph'
-import {
-  createUser as keycloakCreateUser,
-  deleteUser as keycloakDeleteUser,
-  assignRole as keycloakAssignRole,
-  unAssignRole as keycloakUnAssignRole
-} from '../keycloak'
-import { config } from '../../../config'
-import { UsersEnvironment } from '../../environment'
-
-export const createUser = async ({ user, admin }: { user: User; admin: User }): Promise<User> => {
-  if (config.keycloak) {
-    return await keycloakCreateUser({ user, admin })
-  }
-  return await graphCreateUser({ user, admin })
-}
-
-export const deleteUser = async ({ user, admin }: { user: User; admin: User }): Promise<User> => {
-  if (config.keycloak) {
-    return await keycloakDeleteUser({ user, admin })
-  }
-  return await graphDeleteUser({ user, admin })
-}
-
-export const assignRole = async ({
-  admin,
-  user,
-  role
-}: {
-  admin: User
-  user: User
-  role: string
-}): Promise<void> => {
-  if (config.keycloak) {
-    const usersEnvironment = new UsersEnvironment()
-    const createdUser = usersEnvironment.getCreatedKeycloakUser({ key: user.id })
-    await keycloakAssignRole({ admin, uuid: createdUser.uuid, role })
-  } else {
-    const id = await getUserId({ user, admin })
-    await graphAssignRole(admin, id, role)
-  }
-}
-
-export const unAssignRole = async ({ admin, user }: { admin: User; user: User }): Promise<void> => {
-  if (config.keycloak) {
-    const usersEnvironment = new UsersEnvironment()
-    const createdUser = usersEnvironment.getCreatedKeycloakUser({ key: user.id })
-    await keycloakUnAssignRole({ admin, uuid: createdUser.uuid, role: createdUser.role })
-  }
-}
diff --git a/tests/e2e/support/environment/userManagement.ts b/tests/e2e/support/environment/userManagement.ts
index c3f1a8df37..8888651f29 100644
--- a/tests/e2e/support/environment/userManagement.ts
+++ b/tests/e2e/support/environment/userManagement.ts
@@ -4,9 +4,7 @@ import {
   dummyGroupStore,
   createdUserStore,
   createdGroupStore,
-  keycloakCreatedUser,
-  federatedUserStore,
-  dummyKeycloakGroupStore
+  federatedUserStore
 } from '../store'
 import { config } from '../../config'
 
@@ -74,7 +72,7 @@ export class UsersEnvironment {
 
   getGroup({ key }: { key: string }): Group {
     const groupKey = key.toLowerCase()
-    const store = groupKey.startsWith('keycloak') ? dummyKeycloakGroupStore : dummyGroupStore
+    const store = dummyGroupStore
 
     if (!store.has(groupKey)) {
       throw new Error(`group with key '${groupKey}' not found`)
@@ -107,28 +105,4 @@ export class UsersEnvironment {
 
     return group
   }
-
-  storeCreatedKeycloakUser({ user }: { user: User }): User {
-    if (keycloakCreatedUser.has(user.id)) {
-      throw new Error(`Keycloak user '${user.id}' already exists`)
-    }
-    keycloakCreatedUser.set(user.id, user)
-    return user
-  }
-
-  getCreatedKeycloakUser({ key }: { key: string }): User {
-    if (!keycloakCreatedUser.has(key)) {
-      throw new Error(`Keycloak user with key '${key}' not found`)
-    }
-
-    return keycloakCreatedUser.get(key)
-  }
-
-  removeCreatedKeycloakUser({ key }: { key: string }): boolean {
-    if (!keycloakCreatedUser.has(key)) {
-      throw new Error(`Keycloak user with key '${key}' not found`)
-    }
-
-    return keycloakCreatedUser.delete(key)
-  }
 }
diff --git a/tests/e2e/support/store/keycloak.ts b/tests/e2e/support/store/keycloak.ts
index ba35b8c5cf..87ea8e115d 100644
--- a/tests/e2e/support/store/keycloak.ts
+++ b/tests/e2e/support/store/keycloak.ts
@@ -1,21 +1,3 @@
-import { KeycloakRealmRole, User, Group } from '../types'
+import { KeycloakRealmRole } from '../types'
 
 export const keycloakRealmRoles = new Map<string, KeycloakRealmRole>()
-export const keycloakCreatedUser = new Map<string, User>()
-
-export const dummyKeycloakGroupStore = new Map<string, Group>([
-  [
-    'keycloak sales',
-    {
-      id: 'keycloak sales',
-      displayName: 'keycloak sales department'
-    }
-  ],
-  [
-    'keycloak finance',
-    {
-      id: 'keycloak finance',
-      displayName: 'keycloak finance department'
-    }
-  ]
-])
diff --git a/tests/e2e/support/types.ts b/tests/e2e/support/types.ts
index 1ab9c422d3..21c9c508bf 100644
--- a/tests/e2e/support/types.ts
+++ b/tests/e2e/support/types.ts
@@ -32,6 +32,7 @@ export interface User {
   password: string
   email: string
   role?: string
+  keycloakUuid?: string
 }
 
 export interface File {
@@ -48,6 +49,7 @@ export interface Group {
   id: string
   displayName: string
   groupTypes?: string[]
+  keycloakUuid?: string
 }
 
 export interface Token {
diff --git a/tests/woodpecker/opencloud_keycloak/opencloud-ci-realm.dist.json b/tests/woodpecker/opencloud_keycloak/opencloud-ci-realm.dist.json
index 0cd66cdadc..e81312e9d4 100644
--- a/tests/woodpecker/opencloud_keycloak/opencloud-ci-realm.dist.json
+++ b/tests/woodpecker/opencloud_keycloak/opencloud-ci-realm.dist.json
@@ -1960,6 +1960,17 @@
                 "drop.non.existing.groups.during.sync": ["true"]
               }
             },
+            {
+              "id": "96bc2621-a714-4f15-ac1d-bc32df94382d",
+              "name": "display name",
+              "providerId": "full-name-ldap-mapper",
+              "subComponents": {},
+              "config": {
+                "read.only": ["false"],
+                "write.only": ["true"],
+                "ldap.full.name.attribute": ["displayName"]
+              }
+            },
             {
               "id": "cab8b569-0f50-4e13-b2a5-d24ee513cd8b",
               "name": "first name",