Example 41 with AssertionType
use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.
the class RoleMapperTest method testExpectedRoles.
public void testExpectedRoles(String clientId, String... expectedRoles) {
SAMLDocumentHolder document = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), clientId, SAML_ASSERTION_CONSUMER_URL_EMPLOYEE_2, Binding.POST).build().login().user(bburkeUser).build().getSamlResponse(Binding.POST);
assertThat(document.getSamlObject(), Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
Stream<AssertionType> assertions = assertionsUnencrypted(document.getSamlObject());
Stream<AttributeType> attributes = attributesUnecrypted(attributeStatements(assertions));
Set<String> roles = attributes.filter(a -> a.getName().equals(ROLE_ATTRIBUTE_NAME)).flatMap(a -> a.getAttributeValue().stream()).map(Object::toString).collect(Collectors.toSet());
assertThat(roles, containsInAnyOrder(expectedRoles));
}
Also used :
AttributeStatementHelper(org.keycloak.protocol.saml.mappers.AttributeStatementHelper)
RoleListMapper(org.keycloak.protocol.saml.mappers.RoleListMapper)
ClientAttributeUpdater(org.keycloak.testsuite.updaters.ClientAttributeUpdater)
ProtocolMappersUpdater(org.keycloak.testsuite.updaters.ProtocolMappersUpdater)
SamlStreams.attributesUnecrypted(org.keycloak.testsuite.util.SamlStreams.attributesUnecrypted)
HashMap(java.util.HashMap)
RoleNameMapper(org.keycloak.protocol.saml.mappers.RoleNameMapper)
AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType)
Assert.assertThat(org.junit.Assert.assertThat)
AUTH_SERVER_SSL_REQUIRED(org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SSL_REQUIRED)
Map(java.util.Map)
After(org.junit.After)
SamlStreams.assertionsUnencrypted(org.keycloak.testsuite.util.SamlStreams.assertionsUnencrypted)
RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation)
SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)
Before(org.junit.Before)
AUTH_SERVER_SCHEME(org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_SCHEME)
Matchers(org.keycloak.testsuite.util.Matchers)
JBossSAMLURIConstants(org.keycloak.saml.common.constants.JBossSAMLURIConstants)
RoleScopeUpdater(org.keycloak.testsuite.updaters.RoleScopeUpdater)
Set(java.util.Set)
SamlProtocol(org.keycloak.protocol.saml.SamlProtocol)
IOException(java.io.IOException)
Test(org.junit.Test)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
Collectors(java.util.stream.Collectors)
ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation)
AUTH_SERVER_PORT(org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_PORT)
Stream(java.util.stream.Stream)
UserAttributeUpdater(org.keycloak.testsuite.updaters.UserAttributeUpdater)
Matchers.containsInAnyOrder(org.hamcrest.Matchers.containsInAnyOrder)
Binding(org.keycloak.testsuite.util.SamlClient.Binding)
SamlStreams.attributeStatements(org.keycloak.testsuite.util.SamlStreams.attributeStatements)
Collections(java.util.Collections)
SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder)
SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)
SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder)
AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
Example 42 with AssertionType
use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.
the class AssertionUtil method getRoles.
/**
* Given an assertion, return the list of roles it may have
*
* @param assertion The {@link AssertionType}
* @param roleKeys a list of string values representing the role keys. The list can be null.
*
* @return
*/
public static List<String> getRoles(AssertionType assertion, List<String> roleKeys) {
List<String> roles = new ArrayList<>();
Set<StatementAbstractType> statements = assertion.getStatements();
for (StatementAbstractType statement : statements) {
if (statement instanceof AttributeStatementType) {
AttributeStatementType attributeStatement = (AttributeStatementType) statement;
List<ASTChoiceType> attList = attributeStatement.getAttributes();
for (ASTChoiceType obj : attList) {
AttributeType attr = obj.getAttribute();
if (roleKeys != null && roleKeys.size() > 0) {
if (!roleKeys.contains(attr.getName()))
continue;
}
List<Object> attributeValues = attr.getAttributeValue();
if (attributeValues != null) {
for (Object attrValue : attributeValues) {
if (attrValue instanceof String) {
roles.add((String) attrValue);
} else if (attrValue instanceof Node) {
Node roleNode = (Node) attrValue;
roles.add(roleNode.getFirstChild().getNodeValue());
} else
throw logger.unknownObjectType(attrValue);
}
}
}
}
}
return roles;
}
Also used :
SAML11AttributeType(org.keycloak.dom.saml.v1.assertion.SAML11AttributeType)
AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType)
AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType)
SAML11AttributeStatementType(org.keycloak.dom.saml.v1.assertion.SAML11AttributeStatementType)
Node(org.w3c.dom.Node)
ArrayList(java.util.ArrayList)
ASTChoiceType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType.ASTChoiceType)
SAML11StatementAbstractType(org.keycloak.dom.saml.v1.assertion.SAML11StatementAbstractType)
StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType)
Example 43 with AssertionType
use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.
the class AssertionUtil method decryptAssertion.
/**
* This method modifies the given responseType, and replaces the encrypted assertion with a decrypted version.
* @param responseType a response containg an encrypted assertion
* @return the assertion element as it was decrypted. This can be used in signature verification.
*/
public static Element decryptAssertion(SAMLDocumentHolder holder, ResponseType responseType, PrivateKey privateKey) throws ParsingException, ProcessingException, ConfigurationException {
Document doc = holder.getSamlDocument();
Element enc = DocumentUtil.getElement(doc, new QName(JBossSAMLConstants.ENCRYPTED_ASSERTION.get()));
if (enc == null) {
throw new ProcessingException("No encrypted assertion found.");
}
String oldID = enc.getAttribute(JBossSAMLConstants.ID.get());
Document newDoc = DocumentUtil.createDocument();
Node importedNode = newDoc.importNode(enc, true);
newDoc.appendChild(importedNode);
Element decryptedDocumentElement = XMLEncryptionUtil.decryptElementInDocument(newDoc, privateKey);
SAMLParser parser = SAMLParser.getInstance();
JAXPValidationUtil.checkSchemaValidation(decryptedDocumentElement);
AssertionType assertion = (AssertionType) parser.parse(parser.createEventReader(DocumentUtil.getNodeAsStream(decryptedDocumentElement)));
responseType.replaceAssertion(oldID, new ResponseType.RTChoiceType(assertion));
return decryptedDocumentElement;
}
Also used :
QName(javax.xml.namespace.QName)
Element(org.w3c.dom.Element)
Node(org.w3c.dom.Node)
SAMLParser(org.keycloak.saml.processing.core.parsers.saml.SAMLParser)
EncryptedAssertionType(org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType)
SAML11AssertionType(org.keycloak.dom.saml.v1.assertion.SAML11AssertionType)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
Document(org.w3c.dom.Document)
ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException)
ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)
Example 44 with AssertionType
use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.
the class AssertionUtil method getExpiration.
/**
* Extract the expiration time from an {@link AssertionType}
*
* @param assertion
*
* @return
*/
public static XMLGregorianCalendar getExpiration(AssertionType assertion) {
XMLGregorianCalendar expiry = null;
ConditionsType conditionsType = assertion.getConditions();
if (conditionsType != null) {
expiry = conditionsType.getNotOnOrAfter();
}
return expiry;
}
Also used :
XMLGregorianCalendar(javax.xml.datatype.XMLGregorianCalendar)
ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType)
SAML11ConditionsType(org.keycloak.dom.saml.v1.assertion.SAML11ConditionsType)
Example 45 with AssertionType
use of org.keycloak.dom.saml.v2.assertion.AssertionType in project keycloak by keycloak.
the class AssertionUtil method getSubTypeElement.
private static STSubType getSubTypeElement(final ResponseType responseType) {
final List<ResponseType.RTChoiceType> assertions = responseType.getAssertions();
if (assertions.isEmpty()) {
return null;
}
final AssertionType assertion = assertions.get(0).getAssertion();
if (assertion.getSubject() == null) {
return null;
}
return assertion.getSubject().getSubType();
}
Also used :
EncryptedAssertionType(org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType)
SAML11AssertionType(org.keycloak.dom.saml.v1.assertion.SAML11AssertionType)
AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType)
Aggregations
AssertionType (org.keycloak.dom.saml.v2.assertion.AssertionType)43
Test (org.junit.Test)24
ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)21
NameIDType (org.keycloak.dom.saml.v2.assertion.NameIDType)20
EncryptedAssertionType (org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType)15
AttributeStatementType (org.keycloak.dom.saml.v2.assertion.AttributeStatementType)13
AttributeType (org.keycloak.dom.saml.v2.assertion.AttributeType)13
Element (org.w3c.dom.Element)12
List (java.util.List)11
XMLGregorianCalendar (javax.xml.datatype.XMLGregorianCalendar)11
AuthnStatementType (org.keycloak.dom.saml.v2.assertion.AuthnStatementType)10
Document (org.w3c.dom.Document)10
AudienceRestrictionType (org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType)9
ConditionsType (org.keycloak.dom.saml.v2.assertion.ConditionsType)9
SubjectType (org.keycloak.dom.saml.v2.assertion.SubjectType)9
StatementAbstractType (org.keycloak.dom.saml.v2.assertion.StatementAbstractType)8
ProcessingException (org.keycloak.saml.common.exceptions.ProcessingException)8
HashMap (java.util.HashMap)7
StatusResponseType (org.keycloak.dom.saml.v2.protocol.StatusResponseType)7
SAML2Object (org.keycloak.dom.saml.v2.SAML2Object)6
