Search in sources :

Example 6 with StatementAbstractType

use of org.keycloak.dom.saml.v2.assertion.StatementAbstractType in project keycloak by keycloak.

the class KcSamlBrokerTest method emptyAttributeToRoleMapperTest.

@Test
public void emptyAttributeToRoleMapperTest() throws ParsingException, ConfigurationException, ProcessingException {
    createRolesForRealm(bc.consumerRealmName());
    createRoleMappersForConsumerRealm();
    AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST + ".dot/ted", getConsumerRoot() + "/sales-post/saml", null);
    Document doc = SAML2Request.convert(loginRep);
    SAMLDocumentHolder samlResponse = new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, Binding.POST).build().login().idp(bc.getIDPAlias()).build().processSamlResponse(// AuthnRequest to producer IdP
    Binding.POST).targetAttributeSamlRequest().build().login().user(bc.getUserLogin(), bc.getUserPassword()).build().processSamlResponse(// Response from producer IdP
    Binding.POST).transformObject(ob -> {
        assertThat(ob, org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        ResponseType resp = (ResponseType) ob;
        Set<StatementAbstractType> statements = resp.getAssertions().get(0).getAssertion().getStatements();
        AttributeStatementType attributeType = (AttributeStatementType) statements.stream().filter(statement -> statement instanceof AttributeStatementType).findFirst().orElse(new AttributeStatementType());
        AttributeType attr = new AttributeType(EMPTY_ATTRIBUTE_NAME);
        attr.addAttributeValue(null);
        attributeType.addAttribute(new AttributeStatementType.ASTChoiceType(attr));
        resp.getAssertions().get(0).getAssertion().addStatement(attributeType);
        return ob;
    }).build().updateProfile().firstName("a").lastName("b").email(bc.getUserEmail()).username(bc.getUserLogin()).build().followOneRedirect().getSamlResponse(// Response from consumer IdP
    Binding.POST);
    Assert.assertThat(samlResponse, Matchers.notNullValue());
    Assert.assertThat(samlResponse.getSamlObject(), isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    Stream<AssertionType> assertionTypeStream = assertionsUnencrypted(samlResponse.getSamlObject());
    Stream<AttributeType> attributeStatementTypeStream = attributesUnecrypted(attributeStatements(assertionTypeStream));
    Set<String> attributeValues = attributeStatementTypeStream.filter(a -> a.getName().equals(ROLE_ATTRIBUTE_NAME)).flatMap(a -> a.getAttributeValue().stream()).map(Object::toString).collect(Collectors.toSet());
    assertThat(attributeValues, hasItems(EMPTY_ATTRIBUTE_ROLE));
}
Also used : AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest) Arrays(java.util.Arrays) Matchers.statusCodeIsHC(org.keycloak.testsuite.util.Matchers.statusCodeIsHC) SamlStreams.attributesUnecrypted(org.keycloak.testsuite.util.SamlStreams.attributesUnecrypted) Matchers.not(org.hamcrest.Matchers.not) ROLE_ATTRIBUTE_NAME(org.keycloak.testsuite.saml.RoleMapperTest.ROLE_ATTRIBUTE_NAME) Matchers.hasItems(org.hamcrest.Matchers.hasItems) AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType) Assert.assertThat(org.junit.Assert.assertThat) Document(org.w3c.dom.Document) SamlClient(org.keycloak.testsuite.util.SamlClient) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) Matchers.isSamlResponse(org.keycloak.testsuite.util.Matchers.isSamlResponse) ImmutableMap(com.google.common.collect.ImmutableMap) RealmResource(org.keycloak.admin.client.resource.RealmResource) Set(java.util.Set) Collectors(java.util.stream.Collectors) IdentityProviderResource(org.keycloak.admin.client.resource.IdentityProviderResource) ParsingException(org.keycloak.saml.common.exceptions.ParsingException) Stream(java.util.stream.Stream) Response(javax.ws.rs.core.Response) SAMLProtocolQNames(org.keycloak.saml.processing.core.parsers.saml.protocol.SAMLProtocolQNames) SamlStreams.attributeStatements(org.keycloak.testsuite.util.SamlStreams.attributeStatements) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) IdentityProviderMapperModel(org.keycloak.models.IdentityProviderMapperModel) SAML2Request(org.keycloak.saml.processing.api.saml.v2.request.SAML2Request) HashMap(java.util.HashMap) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType) BrokerTestTools.getConsumerRoot(org.keycloak.testsuite.broker.BrokerTestTools.getConsumerRoot) ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException) IdentityProviderMapperRepresentation(org.keycloak.representations.idm.IdentityProviderMapperRepresentation) UserResource(org.keycloak.admin.client.resource.UserResource) SamlStreams.assertionsUnencrypted(org.keycloak.testsuite.util.SamlStreams.assertionsUnencrypted) RoleRepresentation(org.keycloak.representations.idm.RoleRepresentation) ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException) UserRepresentation(org.keycloak.representations.idm.UserRepresentation) AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType) JBossSAMLURIConstants(org.keycloak.saml.common.constants.JBossSAMLURIConstants) Matchers(org.hamcrest.Matchers) Test(org.junit.Test) UserAttributeMapper(org.keycloak.broker.saml.mappers.UserAttributeMapper) AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType) Element(org.w3c.dom.Element) StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType) Binding(org.keycloak.testsuite.util.SamlClient.Binding) IdentityProviderMapperSyncMode(org.keycloak.models.IdentityProviderMapperSyncMode) BrokerTestTools.getProviderRoot(org.keycloak.testsuite.broker.BrokerTestTools.getProviderRoot) Assert(org.junit.Assert) Collections(java.util.Collections) AttributeToRoleMapper(org.keycloak.broker.saml.mappers.AttributeToRoleMapper) Set(java.util.Set) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType) AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType) Document(org.w3c.dom.Document) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType) AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType) AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest) Test(org.junit.Test)

Example 7 with StatementAbstractType

use of org.keycloak.dom.saml.v2.assertion.StatementAbstractType in project keycloak by keycloak.

the class AbstractSamlAuthenticationHandler method handleLoginResponse.

protected AuthOutcome handleLoginResponse(SAMLDocumentHolder responseHolder, boolean postBinding, OnSessionCreated onCreateSession) {
    if (!sessionStore.isLoggingIn()) {
        log.warn("Adapter obtained LoginResponse, however containers session is not aware of sending any request. " + "This may be because the session cookies created by container are not properly configured " + "with SameSite settings. Refer to KEYCLOAK-14103 for more details.");
    }
    final ResponseType responseType = (ResponseType) responseHolder.getSamlObject();
    AssertionType assertion = null;
    if (!isSuccessfulSamlResponse(responseType) || responseType.getAssertions() == null || responseType.getAssertions().isEmpty()) {
        return failed(createAuthChallenge403(responseType));
    }
    try {
        assertion = AssertionUtil.getAssertion(responseHolder, responseType, deployment.getDecryptionKey());
        ConditionsValidator.Builder cvb = new ConditionsValidator.Builder(assertion.getID(), assertion.getConditions(), destinationValidator);
        try {
            cvb.clockSkewInMillis(deployment.getIDP().getAllowedClockSkew());
            cvb.addAllowedAudience(URI.create(deployment.getEntityID()));
            if (responseType.getDestination() != null) {
                // getDestination has been validated to match request URL already so it matches SAML endpoint
                cvb.addAllowedAudience(URI.create(responseType.getDestination()));
            }
        } catch (IllegalArgumentException ex) {
        // warning has been already emitted in DeploymentBuilder
        }
        if (!cvb.build().isValid()) {
            return initiateLogin();
        }
    } catch (Exception e) {
        log.error("Error extracting SAML assertion: " + e.getMessage());
        return failed(CHALLENGE_EXTRACTION_FAILURE);
    }
    Element assertionElement = null;
    if (deployment.getIDP().getSingleSignOnService().validateAssertionSignature()) {
        try {
            assertionElement = getAssertionFromResponse(responseHolder);
            if (!AssertionUtil.isSignatureValid(assertionElement, deployment.getIDP().getSignatureValidationKeyLocator())) {
                log.error("Failed to verify saml assertion signature");
                return failed(CHALLENGE_INVALID_SIGNATURE);
            }
        } catch (Exception e) {
            log.error("Error processing validation of SAML assertion: " + e.getMessage());
            return failed(CHALLENGE_EXTRACTION_FAILURE);
        }
    }
    SubjectType subject = assertion.getSubject();
    SubjectType.STSubType subType = subject.getSubType();
    NameIDType subjectNameID = subType == null ? null : (NameIDType) subType.getBaseID();
    String principalName = subjectNameID == null ? null : subjectNameID.getValue();
    Set<String> roles = new HashSet<>();
    MultivaluedHashMap<String, String> attributes = new MultivaluedHashMap<>();
    MultivaluedHashMap<String, String> friendlyAttributes = new MultivaluedHashMap<>();
    Set<StatementAbstractType> statements = assertion.getStatements();
    for (StatementAbstractType statement : statements) {
        if (statement instanceof AttributeStatementType) {
            AttributeStatementType attributeStatement = (AttributeStatementType) statement;
            List<AttributeStatementType.ASTChoiceType> attList = attributeStatement.getAttributes();
            for (AttributeStatementType.ASTChoiceType obj : attList) {
                AttributeType attr = obj.getAttribute();
                if (isRole(attr)) {
                    List<Object> attributeValues = attr.getAttributeValue();
                    if (attributeValues != null) {
                        for (Object attrValue : attributeValues) {
                            String role = getAttributeValue(attrValue);
                            log.debugv("Add role: {0}", role);
                            roles.add(role);
                        }
                    }
                } else {
                    List<Object> attributeValues = attr.getAttributeValue();
                    if (attributeValues != null) {
                        for (Object attrValue : attributeValues) {
                            String value = getAttributeValue(attrValue);
                            if (attr.getName() != null) {
                                attributes.add(attr.getName(), value);
                            }
                            if (attr.getFriendlyName() != null) {
                                friendlyAttributes.add(attr.getFriendlyName(), value);
                            }
                        }
                    }
                }
            }
        }
    }
    if (deployment.getPrincipalNamePolicy() == SamlDeployment.PrincipalNamePolicy.FROM_ATTRIBUTE) {
        if (deployment.getPrincipalAttributeName() != null) {
            String attribute = attributes.getFirst(deployment.getPrincipalAttributeName());
            if (attribute != null)
                principalName = attribute;
            else {
                attribute = friendlyAttributes.getFirst(deployment.getPrincipalAttributeName());
                if (attribute != null)
                    principalName = attribute;
            }
        }
    }
    // use the configured role mappings provider to map roles if necessary.
    if (deployment.getRoleMappingsProvider() != null) {
        roles = deployment.getRoleMappingsProvider().map(principalName, roles);
    }
    // roles should also be there as regular attributes
    // this mainly required for elytron and its ABAC nature
    attributes.put(DEFAULT_ROLE_ATTRIBUTE_NAME, new ArrayList<>(roles));
    AuthnStatementType authn = null;
    for (Object statement : assertion.getStatements()) {
        if (statement instanceof AuthnStatementType) {
            authn = (AuthnStatementType) statement;
            break;
        }
    }
    URI nameFormat = subjectNameID == null ? null : subjectNameID.getFormat();
    String nameFormatString = nameFormat == null ? JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get() : nameFormat.toString();
    if (deployment.isKeepDOMAssertion() && assertionElement == null) {
        // obtain the assertion from the response to add the DOM document to the principal
        assertionElement = getAssertionFromResponseNoException(responseHolder);
    }
    final SamlPrincipal principal = new SamlPrincipal(assertion, deployment.isKeepDOMAssertion() ? getAssertionDocumentFromElement(assertionElement) : null, principalName, principalName, nameFormatString, attributes, friendlyAttributes);
    final String sessionIndex = authn == null ? null : authn.getSessionIndex();
    final XMLGregorianCalendar sessionNotOnOrAfter = authn == null ? null : authn.getSessionNotOnOrAfter();
    SamlSession account = new SamlSession(principal, roles, sessionIndex, sessionNotOnOrAfter);
    sessionStore.saveAccount(account);
    onCreateSession.onSessionCreated(account);
    // redirect to original request, it will be restored
    String redirectUri = sessionStore.getRedirectUri();
    if (redirectUri != null) {
        facade.getResponse().setHeader("Location", redirectUri);
        facade.getResponse().setStatus(302);
        facade.getResponse().end();
    } else {
        log.debug("IDP initiated invocation");
    }
    log.debug("AUTHENTICATED authn");
    return AuthOutcome.AUTHENTICATED;
}
Also used : SAML2AuthnRequestBuilder(org.keycloak.saml.SAML2AuthnRequestBuilder) KeycloakUriBuilder(org.keycloak.common.util.KeycloakUriBuilder) BaseSAML2BindingBuilder(org.keycloak.saml.BaseSAML2BindingBuilder) Element(org.w3c.dom.Element) URI(java.net.URI) MultivaluedHashMap(org.keycloak.common.util.MultivaluedHashMap) AuthnStatementType(org.keycloak.dom.saml.v2.assertion.AuthnStatementType) SubjectType(org.keycloak.dom.saml.v2.assertion.SubjectType) AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType) AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType) SamlSession(org.keycloak.adapters.saml.SamlSession) VerificationException(org.keycloak.common.VerificationException) SignatureException(java.security.SignatureException) KeyManagementException(java.security.KeyManagementException) InvalidKeyException(java.security.InvalidKeyException) ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException) ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException) IOException(java.io.IOException) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) StatusResponseType(org.keycloak.dom.saml.v2.protocol.StatusResponseType) XMLGregorianCalendar(javax.xml.datatype.XMLGregorianCalendar) SamlPrincipal(org.keycloak.adapters.saml.SamlPrincipal) SAML2Object(org.keycloak.dom.saml.v2.SAML2Object) ConditionsValidator(org.keycloak.saml.validators.ConditionsValidator) StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType)

Example 8 with StatementAbstractType

use of org.keycloak.dom.saml.v2.assertion.StatementAbstractType in project keycloak by keycloak.

the class SAML2Response method createResponseType.

/**
 * Create a ResponseType
 *
 * <b>NOTE:</b>: The PicketLink STS is used to issue/update the assertion
 *
 * If you want to control over the assertion being issued, then use
 * {@link #createResponseType(String, SPInfoHolder, IDPInfoHolder, IssuerInfoHolder, AssertionType)}
 *
 * @param ID id of the response
 * @param sp holder with the information about the Service Provider
 * @param idp holder with the information on the Identity Provider
 * @param issuerInfo holder with information on the issuer
 *
 * @return
 *
 * @throws ConfigurationException
 * @throws ProcessingException
 */
public ResponseType createResponseType(String ID, SPInfoHolder sp, IDPInfoHolder idp, IssuerInfoHolder issuerInfo) throws ProcessingException {
    String responseDestinationURI = sp.getResponseDestinationURI();
    XMLGregorianCalendar issueInstant = XMLTimeUtil.getIssueInstant();
    // Create assertion -> subject
    SubjectType subjectType = new SubjectType();
    // subject -> nameid
    NameIDType nameIDType = new NameIDType();
    nameIDType.setFormat(idp.getNameIDFormat() == null ? null : URI.create(idp.getNameIDFormat()));
    nameIDType.setValue(idp.getNameIDFormatValue());
    SubjectType.STSubType subType = new SubjectType.STSubType();
    subType.addBaseID(nameIDType);
    subjectType.setSubType(subType);
    SubjectConfirmationType subjectConfirmation = new SubjectConfirmationType();
    subjectConfirmation.setMethod(idp.getSubjectConfirmationMethod());
    SubjectConfirmationDataType subjectConfirmationData = new SubjectConfirmationDataType();
    subjectConfirmationData.setInResponseTo(sp.getRequestID());
    subjectConfirmationData.setRecipient(responseDestinationURI);
    // subjectConfirmationData.setNotBefore(issueInstant);
    subjectConfirmationData.setNotOnOrAfter(issueInstant);
    subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
    subjectType.addConfirmation(subjectConfirmation);
    AssertionType assertionType;
    NameIDType issuerID = issuerInfo.getIssuer();
    issueInstant = XMLTimeUtil.getIssueInstant();
    ConditionsType conditions = null;
    List<StatementAbstractType> statements = new LinkedList<>();
    // generate an id for the new assertion.
    String assertionID = IDGenerator.create("ID_");
    assertionType = SAMLAssertionFactory.createAssertion(assertionID, issuerID, issueInstant, conditions, subjectType, statements);
    try {
        AssertionUtil.createTimedConditions(assertionType, ASSERTION_VALIDITY, CLOCK_SKEW);
    } catch (ConfigurationException e) {
        throw logger.processingError(e);
    } catch (IssueInstantMissingException e) {
        throw logger.processingError(e);
    }
    ResponseType responseType = createResponseType(ID, issuerInfo, assertionType);
    // InResponseTo ID
    responseType.setInResponseTo(sp.getRequestID());
    // Destination
    responseType.setDestination(responseDestinationURI);
    return responseType;
}
Also used : EncryptedAssertionType(org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType) AssertionType(org.keycloak.dom.saml.v2.assertion.AssertionType) LinkedList(java.util.LinkedList) IssueInstantMissingException(org.keycloak.saml.common.exceptions.fed.IssueInstantMissingException) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) StatusResponseType(org.keycloak.dom.saml.v2.protocol.StatusResponseType) XMLGregorianCalendar(javax.xml.datatype.XMLGregorianCalendar) SubjectType(org.keycloak.dom.saml.v2.assertion.SubjectType) SubjectConfirmationDataType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType) SubjectConfirmationType(org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType) ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException) ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType) NameIDType(org.keycloak.dom.saml.v2.assertion.NameIDType) StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType)

Example 9 with StatementAbstractType

use of org.keycloak.dom.saml.v2.assertion.StatementAbstractType in project keycloak by keycloak.

the class SAMLLoginResponseHandlingTest method testNilAttributeValueAttribute.

@Test
public void testNilAttributeValueAttribute() {
    beginAuthenticationAndLogin(employee2ServletPage, SamlClient.Binding.POST).processSamlResponse(// Update response with Nil attribute
    SamlClient.Binding.POST).transformObject(ob -> {
        assertThat(ob, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        ResponseType resp = (ResponseType) ob;
        Set<StatementAbstractType> statements = resp.getAssertions().get(0).getAssertion().getStatements();
        AttributeStatementType attributeType = (AttributeStatementType) statements.stream().filter(statement -> statement instanceof AttributeStatementType).findFirst().orElse(new AttributeStatementType());
        AttributeType attr = new AttributeType("attribute-with-null-attribute-value");
        attr.addAttributeValue(null);
        attributeType.addAttribute(new AttributeStatementType.ASTChoiceType(attr));
        resp.getAssertions().get(0).getAssertion().addStatement(attributeType);
        return ob;
    }).build().navigateTo(employee2ServletPage.getUriBuilder().clone().path("getAttributes").build()).execute(response -> {
        Assert.assertThat(response, statusCodeIsHC(Response.Status.OK));
        Assert.assertThat(response, bodyHC(containsString("attribute-with-null-attribute-value: <br />")));
    });
}
Also used : AttributeStatementHelper(org.keycloak.protocol.saml.mappers.AttributeStatementHelper) AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest) WaitUtils.waitUntilElement(org.keycloak.testsuite.util.WaitUtils.waitUntilElement) RoleListMapper(org.keycloak.protocol.saml.mappers.RoleListMapper) Matchers.statusCodeIsHC(org.keycloak.testsuite.util.Matchers.statusCodeIsHC) X500SAMLProfileConstants(org.keycloak.saml.processing.core.saml.v2.constants.X500SAMLProfileConstants) HashMap(java.util.HashMap) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) Matchers.bodyHC(org.keycloak.testsuite.util.Matchers.bodyHC) AdapterActionsFilter(org.keycloak.testsuite.adapter.filter.AdapterActionsFilter) Page(org.jboss.arquillian.graphene.page.Page) REALM_PUBLIC_KEY(org.keycloak.testsuite.saml.AbstractSamlTest.REALM_PUBLIC_KEY) AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType) REALM_PRIVATE_KEY(org.keycloak.testsuite.saml.AbstractSamlTest.REALM_PRIVATE_KEY) AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType) LinkedHashMap(java.util.LinkedHashMap) Assert.assertThat(org.junit.Assert.assertThat) EmployeeSigServlet(org.keycloak.testsuite.adapter.page.EmployeeSigServlet) Document(org.w3c.dom.Document) Map(java.util.Map) SamlClient(org.keycloak.testsuite.util.SamlClient) ContainerConstants(org.keycloak.testsuite.utils.arquillian.ContainerConstants) URI(java.net.URI) ClientResource(org.keycloak.admin.client.resource.ClientResource) ApiUtil(org.keycloak.testsuite.admin.ApiUtil) WaitUtils(org.keycloak.testsuite.util.WaitUtils) WebArchive(org.jboss.shrinkwrap.api.spec.WebArchive) ProtocolMappersResource(org.keycloak.admin.client.resource.ProtocolMappersResource) Matchers(org.keycloak.testsuite.util.Matchers) JBossSAMLURIConstants(org.keycloak.saml.common.constants.JBossSAMLURIConstants) By(org.openqa.selenium.By) Set(java.util.Set) Test(org.junit.Test) Employee2Servlet(org.keycloak.testsuite.adapter.page.Employee2Servlet) WaitUtils.waitForPageToLoad(org.keycloak.testsuite.util.WaitUtils.waitForPageToLoad) ProtocolMapperRepresentation(org.keycloak.representations.idm.ProtocolMapperRepresentation) URLAssert.assertCurrentUrlStartsWith(org.keycloak.testsuite.util.URLAssert.assertCurrentUrlStartsWith) Response(javax.ws.rs.core.Response) Deployment(org.jboss.arquillian.container.test.api.Deployment) StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType) AppServerContainer(org.keycloak.testsuite.arquillian.annotation.AppServerContainer) ApiUtil.getCreatedId(org.keycloak.testsuite.admin.ApiUtil.getCreatedId) Assert(org.junit.Assert) PublicKeyLocator(org.keycloak.adapters.rotation.PublicKeyLocator) Matchers.containsString(org.hamcrest.Matchers.containsString) UIUtils.getRawPageSource(org.keycloak.testsuite.util.UIUtils.getRawPageSource) SAML2ErrorResponseBuilder(org.keycloak.saml.SAML2ErrorResponseBuilder) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) Set(java.util.Set) AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType) AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) AbstractSamlTest(org.keycloak.testsuite.saml.AbstractSamlTest) Test(org.junit.Test)

Example 10 with StatementAbstractType

use of org.keycloak.dom.saml.v2.assertion.StatementAbstractType in project keycloak by keycloak.

the class AssertionUtil method getRoles.

/**
 * Given an assertion, return the list of roles it may have
 *
 * @param assertion The {@link AssertionType}
 * @param roleKeys a list of string values representing the role keys. The list can be null.
 *
 * @return
 */
public static List<String> getRoles(AssertionType assertion, List<String> roleKeys) {
    List<String> roles = new ArrayList<>();
    Set<StatementAbstractType> statements = assertion.getStatements();
    for (StatementAbstractType statement : statements) {
        if (statement instanceof AttributeStatementType) {
            AttributeStatementType attributeStatement = (AttributeStatementType) statement;
            List<ASTChoiceType> attList = attributeStatement.getAttributes();
            for (ASTChoiceType obj : attList) {
                AttributeType attr = obj.getAttribute();
                if (roleKeys != null && roleKeys.size() > 0) {
                    if (!roleKeys.contains(attr.getName()))
                        continue;
                }
                List<Object> attributeValues = attr.getAttributeValue();
                if (attributeValues != null) {
                    for (Object attrValue : attributeValues) {
                        if (attrValue instanceof String) {
                            roles.add((String) attrValue);
                        } else if (attrValue instanceof Node) {
                            Node roleNode = (Node) attrValue;
                            roles.add(roleNode.getFirstChild().getNodeValue());
                        } else
                            throw logger.unknownObjectType(attrValue);
                    }
                }
            }
        }
    }
    return roles;
}
Also used : SAML11AttributeType(org.keycloak.dom.saml.v1.assertion.SAML11AttributeType) AttributeType(org.keycloak.dom.saml.v2.assertion.AttributeType) AttributeStatementType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType) SAML11AttributeStatementType(org.keycloak.dom.saml.v1.assertion.SAML11AttributeStatementType) Node(org.w3c.dom.Node) ArrayList(java.util.ArrayList) ASTChoiceType(org.keycloak.dom.saml.v2.assertion.AttributeStatementType.ASTChoiceType) SAML11StatementAbstractType(org.keycloak.dom.saml.v1.assertion.SAML11StatementAbstractType) StatementAbstractType(org.keycloak.dom.saml.v2.assertion.StatementAbstractType)

Aggregations

StatementAbstractType (org.keycloak.dom.saml.v2.assertion.StatementAbstractType)15 Test (org.junit.Test)9 AttributeStatementType (org.keycloak.dom.saml.v2.assertion.AttributeStatementType)9 ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)9 AssertionType (org.keycloak.dom.saml.v2.assertion.AssertionType)8 AttributeType (org.keycloak.dom.saml.v2.assertion.AttributeType)8 Set (java.util.Set)7 Assert.assertThat (org.junit.Assert.assertThat)7 AuthnStatementType (org.keycloak.dom.saml.v2.assertion.AuthnStatementType)7 JBossSAMLURIConstants (org.keycloak.saml.common.constants.JBossSAMLURIConstants)7 SamlClientBuilder (org.keycloak.testsuite.util.SamlClientBuilder)7 Matchers (org.keycloak.testsuite.util.Matchers)6 URI (java.net.URI)5 Matchers.is (org.hamcrest.Matchers.is)5 Matchers.notNullValue (org.hamcrest.Matchers.notNullValue)5 Response (javax.ws.rs.core.Response)4 IOException (java.io.IOException)3 List (java.util.List)3 Map (java.util.Map)3 Collectors (java.util.stream.Collectors)3