
Example 41 with AssertionType

use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.

the class RoleMapperTest method testExpectedRoles.

/**
 * Logs in as {@code bburkeUser} against the given SAML client and checks that the role
 * attribute of the returned (unencrypted) assertions carries exactly the expected roles,
 * in any order.
 *
 * @param clientId the SAML client the AuthnRequest is issued for
 * @param expectedRoles every value expected in the {@code ROLE_ATTRIBUTE_NAME} attribute
 */
public void testExpectedRoles(String clientId, String... expectedRoles) {
    SAMLDocumentHolder samlResponse = new SamlClientBuilder()
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), clientId, SAML_ASSERTION_CONSUMER_URL_EMPLOYEE_2, Binding.POST)
            .build()
            .login().user(bburkeUser)
            .build()
            .getSamlResponse(Binding.POST);

    // The response status must be success before any assertion it carries is inspected.
    assertThat(samlResponse.getSamlObject(), Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));

    // Only unencrypted assertions and attributes are walked; a single role attribute may hold several values.
    Stream<AssertionType> unencryptedAssertions = assertionsUnencrypted(samlResponse.getSamlObject());
    Stream<AttributeType> roleAttributes = attributesUnecrypted(attributeStatements(unencryptedAssertions))
            .filter(attribute -> attribute.getName().equals(ROLE_ATTRIBUTE_NAME));
    Set<String> actualRoles = roleAttributes
            .flatMap(attribute -> attribute.getAttributeValue().stream())
            .map(Object::toString)
            .collect(Collectors.toSet());

    assertThat(actualRoles, containsInAnyOrder(expectedRoles));
}

Example 42 with AssertionType

use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.

the class AssertionUtil method getRoles.

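/**
 * Given an assertion, return the list of roles carried in its attribute statements.
 * <p>
 * Every {@code AttributeValue} of every attribute in every {@link AttributeStatementType} is
 * treated as a role, unless {@code roleKeys} is non-empty, in which case only attributes whose
 * name is listed there contribute. A value may be a plain {@link String} or a DOM {@link Node};
 * for a node the value of its first child is used, and a node without any child is skipped
 * rather than dereferenced. Statements that are not attribute statements are ignored.
 * <p>
 * No signature, issuer or validity-period check is performed here: the returned roles are only
 * as trustworthy as the assertion the caller has already verified.
 *
 * @param assertion The {@link AssertionType}
 * @param roleKeys a list of string values representing the role keys (attribute names). The list
 *                 can be null or empty, meaning that every attribute is taken as a role source.
 *
 * @return the role values in document order; never {@code null}, possibly empty
 */
public static List<String> getRoles(AssertionType assertion, List<String> roleKeys) {
    List<String> roles = new ArrayList<>();
    // A null or empty key list means "no filtering by attribute name".
    boolean filterByName = roleKeys != null && !roleKeys.isEmpty();
    for (StatementAbstractType statement : assertion.getStatements()) {
        if (!(statement instanceof AttributeStatementType)) {
            continue;
        }
        for (ASTChoiceType choice : ((AttributeStatementType) statement).getAttributes()) {
            AttributeType attr = choice.getAttribute();
            if (attr == null) {
                // An entry with no plain attribute (presumably the encrypted variant of the choice)
                // has no readable name or values here; skip it instead of failing on a null.
                continue;
            }
            if (filterByName && !roleKeys.contains(attr.getName())) {
                continue;
            }
            List<Object> attributeValues = attr.getAttributeValue();
            if (attributeValues == null) {
                continue;
            }
            for (Object attrValue : attributeValues) {
                if (attrValue instanceof String) {
                    roles.add((String) attrValue);
                } else if (attrValue instanceof Node) {
                    // An empty AttributeValue element has no first child; the previous code
                    // dereferenced it unguarded and would fail with a NullPointerException.
                    Node firstChild = ((Node) attrValue).getFirstChild();
                    if (firstChild != null) {
                        roles.add(firstChild.getNodeValue());
                    }
                } else {
                    // Anything else is a type this extractor does not understand; fail loudly.
                    throw logger.unknownObjectType(attrValue);
                }
            }
        }
    }
    return roles;
}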

Example 43 with AssertionType

use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.

the class AssertionUtil method decryptAssertion.

/**
 * Decrypts the {@code EncryptedAssertion} element of the holder's document and swaps the
 * decrypted {@link AssertionType} into {@code responseType} in place of the encrypted entry.
 * <p>
 * Decryption is performed on a deep copy of the encrypted element imported into a fresh
 * document, so the holder's own DOM is left as received. The entry to replace is located by the
 * {@code ID} attribute read from the encrypted element before decryption. The decrypted element
 * is schema-validated before it is parsed. Neither the assertion's signature nor its issuer is
 * checked by this method; the returned element is what a caller should hand to signature
 * verification.
 *
 * @param holder the parsed SAML document holding the encrypted assertion
 * @param responseType a response containing an encrypted assertion; modified in place by this call
 * @param privateKey the key used to decrypt the assertion
 * @return the assertion element as it was decrypted. This can be used in signature verification.
 * @throws ProcessingException if the document holds no encrypted assertion (other causes may be
 *         propagated from the decryption and parsing utilities)
 * @throws ParsingException if the decrypted assertion cannot be parsed
 * @throws ConfigurationException propagated from the underlying utilities
 */
public static Element decryptAssertion(SAMLDocumentHolder holder, ResponseType responseType, PrivateKey privateKey) throws ParsingException, ProcessingException, ConfigurationException {
    Element encryptedAssertion = DocumentUtil.getElement(holder.getSamlDocument(), new QName(JBossSAMLConstants.ENCRYPTED_ASSERTION.get()));
    if (encryptedAssertion == null) {
        throw new ProcessingException("No encrypted assertion found.");
    }
    // The ID is taken from the encrypted element: it identifies the entry that gets replaced below.
    String encryptedAssertionId = encryptedAssertion.getAttribute(JBossSAMLConstants.ID.get());

    // Work on a copy in a scratch document so the holder's DOM stays untouched.
    Document scratchDocument = DocumentUtil.createDocument();
    scratchDocument.appendChild(scratchDocument.importNode(encryptedAssertion, true));
    Element decrypted = XMLEncryptionUtil.decryptElementInDocument(scratchDocument, privateKey);

    // Validate the plaintext against the schema before handing it to the parser.
    SAMLParser parser = SAMLParser.getInstance();
    JAXPValidationUtil.checkSchemaValidation(decrypted);
    AssertionType assertion = (AssertionType) parser.parse(parser.createEventReader(DocumentUtil.getNodeAsStream(decrypted)));

    responseType.replaceAssertion(encryptedAssertionId, new ResponseType.RTChoiceType(assertion));
    return decrypted;
}

Example 44 with AssertionType

use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.

the class AssertionUtil method getExpiration.

/**
 * Extract the expiration time from an {@link AssertionType}.
 * <p>
 * A {@code null} result means the assertion states no expiry; this method does not decide
 * whether that is acceptable, callers performing validity checks must.
 *
 * @param assertion the assertion whose {@code Conditions} are inspected
 *
 * @return the {@code NotOnOrAfter} value of the assertion's conditions, or {@code null} when
 *         the assertion has no conditions element (or the conditions carry no such value)
 */
public static XMLGregorianCalendar getExpiration(AssertionType assertion) {
    ConditionsType conditions = assertion.getConditions();
    return conditions == null ? null : conditions.getNotOnOrAfter();
}

Example 45 with AssertionType

use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.

the class AssertionUtil method getSubTypeElement.

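/**
 * Returns the subject sub-type of the first assertion in the response.
 *
 * @param responseType the response to inspect
 * @return the first assertion's subject sub-type, or {@code null} when the response carries no
 *         assertions, the first entry holds no plain assertion, or that assertion has no subject
 */
private static STSubType getSubTypeElement(final ResponseType responseType) {
    final List<ResponseType.RTChoiceType> choices = responseType.getAssertions();
    if (choices.isEmpty()) {
        return null;
    }
    final AssertionType first = choices.get(0).getAssertion();
    if (first == null) {
        // NOTE(review): an entry that still holds an encrypted assertion presumably has no plain
        // assertion to offer; the previous code dereferenced it unguarded. Treat it as "no subject".
        return null;
    }
    return first.getSubject() == null ? null : first.getSubject().getSubType();
}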
