Use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.
The class SAML2ITCase, method loginResponseWrappingAttack.
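/**
 * Negative test: a SAML Response that carries a second, unsigned Assertion (an XML Signature
 * Wrapping attempt) must be rejected by {@code validateLoginResponse}.
 * <p>
 * The flow mirrors the positive {@code validateLoginResponse} test up to the point where the
 * Response DOM is built. The signed Assertion is then cloned, the clone's {@code ds:Signature}
 * is removed, its Subject NameID and SubjectConfirmation Method are altered, and the tampered
 * copy is appended as a sibling of the original. The SP must not accept the unsigned copy on the
 * strength of the signature that covers only the original Assertion.
 *
 * @throws Exception on any unexpected failure while building the Response
 */
@Test
public void loginResponseWrappingAttack() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());

    // Get a valid login request for the Fediz realm
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest =
            saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);

    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    response.setRelayState(loginRequest.getRelayState());

    // Create a SAML Response using WSS4J; InResponseTo is taken from the relay-state JWT subject
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo);

    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    assertNotNull(responseElement);
    doc.appendChild(responseElement);

    // Get the (signed) Assertion element
    Element assertionElement = (Element) responseElement
            .getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Assertion").item(0);
    assertNotNull(assertionElement);

    // Clone it, strip the Signature, modify the Subject, change the SubjectConfirmation Method
    Element clonedAssertion = (Element) assertionElement.cloneNode(true);
    clonedAssertion.setAttributeNS(null, "ID", "_12345623562");

    Element sigElement = (Element) clonedAssertion
            .getElementsByTagNameNS(WSConstants.SIG_NS, "Signature").item(0);
    // Fail with a clear message if the fixture Assertion is unexpectedly unsigned, rather than
    // letting removeChild(null) blow up with a generic DOM error.
    assertNotNull(sigElement);
    clonedAssertion.removeChild(sigElement);

    Element subjElement = (Element) clonedAssertion
            .getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Subject").item(0);
    Element subjNameIdElement = (Element) subjElement
            .getElementsByTagNameNS(SAMLConstants.SAML20_NS, "NameID").item(0);
    subjNameIdElement.setTextContent("verdi");

    Element subjConfElement = (Element) subjElement
            .getElementsByTagNameNS(SAMLConstants.SAML20_NS, "SubjectConfirmation").item(0);
    subjConfElement.setAttributeNS(null, "Method", SAML2Constants.CONF_SENDER_VOUCHES);

    // Now insert the modified cloned Assertion into the Response after the other assertion
    responseElement.insertBefore(clonedAssertion, null);
    String responseStr = DOM2Writer.nodeToString(responseElement);

    // Validate the SAML Response; encode explicitly as UTF-8 instead of relying on the
    // platform default charset (which differs across JDK versions and hosts).
    response.setSamlResponse(Base64.getEncoder()
            .encodeToString(responseStr.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on an unsigned Assertion");
    } catch (SyncopeClientException e) {
        // Rejection is the expected outcome. Only the exception type is checked here; the exact
        // rejection reason is not asserted by this test.
        assertNotNull(e);
    }
}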
Use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.
The class SAML2ITCase, method validateLoginResponse.
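/**
 * End-to-end check of the SAML 2.0 SP login flow against the Fediz IdP realm.
 * <p>
 * First verifies the generated login request (IdP address, Base64-encoded content, relay state).
 * Then checks two input-validation paths of {@code validateLoginResponse}: a missing relay state
 * and a missing SAML Response must each be rejected with a {@link SyncopeClientException} whose
 * message names the missing field. Finally a Response is built with WSS4J for the request's
 * InResponseTo and submitted; a successful validation yields an access token and the expected
 * NameID ({@code puccini}, as produced by the {@code createResponse} fixture).
 *
 * @throws Exception on any unexpected failure while building the Response
 */
@Test
public void validateLoginResponse() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());

    // Get a valid login request for the Fediz realm
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest =
            saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);
    assertEquals("https://localhost:8443/fediz-idp/saml/up", loginRequest.getIdpServiceAddress());
    assertNotNull(loginRequest.getContent());
    assertTrue(BASE64.matcher(loginRequest.getContent()).matches());
    assertNotNull(loginRequest.getRelayState());

    // Check a null relay state
    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on no Relay State");
    } catch (SyncopeClientException e) {
        assertTrue(e.getMessage().contains("No Relay State was provided"));
    }

    // Check a null Response
    response.setRelayState(loginRequest.getRelayState());
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on no SAML Response");
    } catch (SyncopeClientException e) {
        assertTrue(e.getMessage().contains("No SAML Response was provided"));
    }

    // Create a SAML Response using WSS4J; InResponseTo is taken from the relay-state JWT subject
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo);

    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    String responseStr = DOM2Writer.nodeToString(responseElement);

    // Validate the SAML Response; encode explicitly as UTF-8 instead of relying on the
    // platform default charset (which differs across JDK versions and hosts).
    response.setSamlResponse(Base64.getEncoder()
            .encodeToString(responseStr.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
    SAML2LoginResponseTO loginResponse = saml2Service.validateLoginResponse(response);
    assertNotNull(loginResponse.getAccessToken());
    assertEquals("puccini", loginResponse.getNameID());
}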