Search in sources :

Example 6 with SAML2SPService

use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.

the class SAML2ITCase method loginResponseWrappingAttack.

@Test
public void loginResponseWrappingAttack() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
    // Get a valid login request for the Fediz realm
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);
    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    response.setRelayState(loginRequest.getRelayState());
    // Create a SAML Response using WSS4J
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo);
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    assertNotNull(responseElement);
    doc.appendChild(responseElement);
    // Get Assertion Element
    Element assertionElement = (Element) responseElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Assertion").item(0);
    assertNotNull(assertionElement);
    // Clone it, strip the Signature, modify the Subject, change Subj Conf
    Element clonedAssertion = (Element) assertionElement.cloneNode(true);
    clonedAssertion.setAttributeNS(null, "ID", "_12345623562");
    Element sigElement = (Element) clonedAssertion.getElementsByTagNameNS(WSConstants.SIG_NS, "Signature").item(0);
    clonedAssertion.removeChild(sigElement);
    Element subjElement = (Element) clonedAssertion.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "Subject").item(0);
    Element subjNameIdElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "NameID").item(0);
    subjNameIdElement.setTextContent("verdi");
    Element subjConfElement = (Element) subjElement.getElementsByTagNameNS(SAMLConstants.SAML20_NS, "SubjectConfirmation").item(0);
    subjConfElement.setAttributeNS(null, "Method", SAML2Constants.CONF_SENDER_VOUCHES);
    // Now insert the modified cloned Assertion into the Response after the other assertion
    responseElement.insertBefore(clonedAssertion, null);
    String responseStr = DOM2Writer.nodeToString(responseElement);
    // Validate the SAML Response
    response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes()));
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on an unsigned Assertion");
    } catch (SyncopeClientException e) {
        assertNotNull(e);
    }
}
Also used : SAML2SPService(org.apache.syncope.common.rest.api.service.SAML2SPService) SAML2RequestTO(org.apache.syncope.common.lib.to.SAML2RequestTO) SAML2ReceivedResponseTO(org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO) Element(org.w3c.dom.Element) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) Document(org.w3c.dom.Document) Test(org.junit.jupiter.api.Test)

Example 7 with SAML2SPService

use of org.apache.syncope.common.rest.api.service.SAML2SPService in project syncope by apache.

the class SAML2ITCase method validateLoginResponse.

@Test
public void validateLoginResponse() throws Exception {
    assumeTrue(SAML2SPDetector.isSAML2SPAvailable());
    // Get a valid login request for the Fediz realm
    SAML2SPService saml2Service = anonymous.getService(SAML2SPService.class);
    SAML2RequestTO loginRequest = saml2Service.createLoginRequest(ADDRESS, "urn:org:apache:cxf:fediz:idp:realm-A");
    assertNotNull(loginRequest);
    assertEquals("https://localhost:8443/fediz-idp/saml/up", loginRequest.getIdpServiceAddress());
    assertNotNull(loginRequest.getContent());
    assertTrue(BASE64.matcher(loginRequest.getContent()).matches());
    assertNotNull(loginRequest.getRelayState());
    // Check a null relaystate
    SAML2ReceivedResponseTO response = new SAML2ReceivedResponseTO();
    response.setSpEntityID("http://recipient.apache.org/");
    response.setUrlContext("saml2sp");
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on no Relay State");
    } catch (SyncopeClientException e) {
        assertTrue(e.getMessage().contains("No Relay State was provided"));
    }
    // Check a null Response
    response.setRelayState(loginRequest.getRelayState());
    try {
        saml2Service.validateLoginResponse(response);
        fail("Failure expected on no SAML Response");
    } catch (SyncopeClientException e) {
        assertTrue(e.getMessage().contains("No SAML Response was provided"));
    }
    // Create a SAML Response using WSS4J
    JwsJwtCompactConsumer relayState = new JwsJwtCompactConsumer(response.getRelayState());
    String inResponseTo = relayState.getJwtClaims().getSubject();
    org.opensaml.saml.saml2.core.Response samlResponse = createResponse(inResponseTo);
    Document doc = DOMUtils.newDocument();
    Element responseElement = OpenSAMLUtil.toDom(samlResponse, doc);
    String responseStr = DOM2Writer.nodeToString(responseElement);
    // Validate the SAML Response
    response.setSamlResponse(Base64.getEncoder().encodeToString(responseStr.getBytes()));
    SAML2LoginResponseTO loginResponse = saml2Service.validateLoginResponse(response);
    assertNotNull(loginResponse.getAccessToken());
    assertEquals("puccini", loginResponse.getNameID());
}
Also used : SAML2RequestTO(org.apache.syncope.common.lib.to.SAML2RequestTO) SAML2LoginResponseTO(org.apache.syncope.common.lib.to.SAML2LoginResponseTO) Element(org.w3c.dom.Element) SyncopeClientException(org.apache.syncope.common.lib.SyncopeClientException) Document(org.w3c.dom.Document) SAML2SPService(org.apache.syncope.common.rest.api.service.SAML2SPService) SAML2ReceivedResponseTO(org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO) JwsJwtCompactConsumer(org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer) Test(org.junit.jupiter.api.Test)

Aggregations

SAML2SPService (org.apache.syncope.common.rest.api.service.SAML2SPService)7 Test (org.junit.jupiter.api.Test)6 Document (org.w3c.dom.Document)6 Element (org.w3c.dom.Element)6 SyncopeClientException (org.apache.syncope.common.lib.SyncopeClientException)5 SAML2ReceivedResponseTO (org.apache.syncope.common.lib.to.SAML2ReceivedResponseTO)5 JwsJwtCompactConsumer (org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer)3 SAML2RequestTO (org.apache.syncope.common.lib.to.SAML2RequestTO)3 InputStream (java.io.InputStream)2 Response (javax.ws.rs.core.Response)2 SAML2LoginResponseTO (org.apache.syncope.common.lib.to.SAML2LoginResponseTO)2 IOException (java.io.IOException)1 InputStreamReader (java.io.InputStreamReader)1 KeyStore (java.security.KeyStore)1 X509Certificate (java.security.cert.X509Certificate)1 ServletException (javax.servlet.ServletException)1 HttpServletResponse (javax.servlet.http.HttpServletResponse)1 QName (javax.xml.namespace.QName)1 SyncopeClient (org.apache.syncope.client.lib.SyncopeClient)1 XMLSignature (org.apache.xml.security.signature.XMLSignature)1