
Example 1 with SAML2ErrorResponseBuilder

Use of org.keycloak.saml.SAML2ErrorResponseBuilder in the project keycloak by keycloak.

From the class SAMLLoginResponseHandlingTest, method testErrorHandlingUnsigned.

@Test
public void testErrorHandlingUnsigned() throws Exception {
    // Error (status) response with STATUS_REQUEST_DENIED, issued by the demo realm to the signature-requiring SP
    SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder()
            .destination(employeeSigServletPage.toString() + "saml")
            .issuer("http://localhost:" + System.getProperty("auth.server.http.port", "8180") + "/realms/demo")
            .status(JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
    Document document = builder.buildDocument();
    // Delivered unsigned over the REDIRECT binding: the SP must reject it as INVALID_SIGNATURE
    // instead of surfacing the error status
    new SamlClientBuilder()
            .addStep((client, currentURI, currentResponse, context) -> SamlClient.Binding.REDIRECT
                    .createSamlUnsignedResponse(URI.create(employeeSigServletPage.toString() + "/saml"), null, document))
            .execute(closeableHttpResponse -> Assert.assertThat(closeableHttpResponse, bodyHC(containsString("INVALID_SIGNATURE"))));
}

Example 2 with SAML2ErrorResponseBuilder

Use of org.keycloak.saml.SAML2ErrorResponseBuilder in the project keycloak by keycloak.

From the class SAMLLoginResponseHandlingTest, method testErrorHandlingSigned.

@Test
public void testErrorHandlingSigned() throws Exception {
    // Same REQUEST_DENIED error response as in the unsigned test
    SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder()
            .destination(employeeSigServletPage.toString() + "saml")
            .issuer("http://localhost:" + System.getProperty("auth.server.http.port", "8180") + "/realms/demo")
            .status(JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get());
    Document document = builder.buildDocument();
    // Signed with the realm key pair over the REDIRECT binding: the signature verifies,
    // so the SP processes the document and reports the carried error status (ERROR_STATUS)
    new SamlClientBuilder()
            .addStep((client, currentURI, currentResponse, context) -> SamlClient.Binding.REDIRECT
                    .createSamlSignedResponse(URI.create(employeeSigServletPage.toString() + "/saml"), null, document,
                            REALM_PRIVATE_KEY, REALM_PUBLIC_KEY))
            .execute(closeableHttpResponse -> Assert.assertThat(closeableHttpResponse, bodyHC(containsString("ERROR_STATUS"))));
}

Example 3 with SAML2ErrorResponseBuilder

Use of org.keycloak.saml.SAML2ErrorResponseBuilder in the project keycloak by keycloak.

From the class SamlProtocol, method samlErrorMessage.

private Response samlErrorMessage(AuthenticationSessionModel authSession, SamlClient samlClient, boolean isPostBinding,
        String destination, JBossSAMLURIConstants statusDetail, String relayState) {
    JaxrsSAML2BindingBuilder binding = new JaxrsSAML2BindingBuilder(session).relayState(relayState);
    SAML2ErrorResponseBuilder builder = new SAML2ErrorResponseBuilder()
            .destination(destination)
            .issuer(getResponseIssuer(realm))
            .status(statusDetail.get());
    KeyManager keyManager = session.keys();
    // Sign the error response with the realm's active RSA key when the client is configured to require it,
    // honouring the client's key-name transformer, canonicalization method and signature algorithm
    if (samlClient.requiresRealmSignature()) {
        KeyManager.ActiveRsaKey keys = keyManager.getActiveRsaKey(realm);
        String keyName = samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(keys.getKid(), keys.getCertificate());
        String canonicalization = samlClient.getCanonicalizationMethod();
        if (canonicalization != null) {
            binding.canonicalizationMethod(canonicalization);
        }
        binding.signatureAlgorithm(samlClient.getSignatureAlgorithm())
                .signWith(keyName, keys.getPrivateKey(), keys.getPublicKey(), keys.getCertificate())
                .signDocument();
    }
    try {
        // There is no support for encrypting status messages in SAML.
        // Only assertions, attributes, base ID and name ID can be encrypted
        // See Chapter 6 of saml-core-2.0-os.pdf
        Document document = builder.buildDocument();
        return buildErrorResponse(isPostBinding, destination, binding, document);
    } catch (Exception e) {
        // Building or binding the response failed: fall back to the generic error page
        return ErrorPage.error(session, authSession, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE);
    }
}
