
Example 31 with ParsingException

use of org.keycloak.saml.common.exceptions.ParsingException in project keycloak by keycloak.

The class KcSamlEncryptedIdTest, method testEncryptedIdIsReadable.

@Test
public void testEncryptedIdIsReadable() throws ConfigurationException, ParsingException, ProcessingException {
    // Brokered SAML login in which the producer IdP's Subject/NameID is swapped for an EncryptedID
    // on its way to the consumer realm; the consumer must still decrypt it and create the user.
    createRolesForRealm(bc.consumerRealmName());

    // AuthnRequest for the consumer realm's SAML client (client id deliberately contains "." and "/").
    Document authnRequestDoc = SAML2Request.convert(
            SamlClient.createLoginRequestDocument(SAML_CLIENT_ID_SALES_POST + ".dot/ted", getConsumerRoot() + "/sales-post/saml", null));

    // Captured from the NameID before it is encrypted; checked again once the login completes.
    final AtomicReference<String> nameIdValue = new AtomicReference<>();
    // NOTE(review): the search term is still null at this point — this relies on search(null) returning no users.
    assertThat(adminClient.realm(bc.consumerRealmName()).users().search(nameIdValue.get()), hasSize(0));

    SAMLDocumentHolder consumerResponse = new SamlClientBuilder()
            .authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), authnRequestDoc, SamlClient.Binding.POST).build()
            .login().idp(bc.getIDPAlias()).build()
            // AuthnRequest forwarded to the producer IdP
            .processSamlResponse(SamlClient.Binding.POST).targetAttributeSamlRequest().build()
            .login().user(bc.getUserLogin(), bc.getUserPassword()).build()
            // Response from the producer IdP: replace Subject/NameID with an EncryptedID before it reaches the consumer
            .processSamlResponse(SamlClient.Binding.POST).transformDocument(document -> {
                Node assertion = document.getDocumentElement()
                        .getElementsByTagNameNS(ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get()).item(0);
                if (assertion == null) {
                    throw new IllegalStateException("Unable to find assertion in saml response document");
                }
                String prefix = assertion.getPrefix();
                try {
                    QName nameIdName = new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.NAMEID.get(), prefix);
                    QName encryptedIdName = new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.ENCRYPTED_ID.get(), prefix);
                    Element nameId = DocumentUtil.getElement(document, nameIdName);
                    if (nameId == null) {
                        throw new RuntimeException("Assertion doesn't contain NameId " + DocumentUtil.asString(document));
                    }
                    // The NameID is decrypted as a standalone document on the consumer side, so the saml
                    // namespace declaration has to sit on the element itself or the prefix will not resolve.
                    nameId.setAttribute("xmlns:" + prefix, ASSERTION_NSURI.get());
                    nameIdValue.set(nameId.getTextContent());
                    // Fresh 128-bit AES content key; the consumer realm's active signing key (public half) is
                    // handed to encryptElement alongside it — presumably to wrap the content key for the recipient.
                    SecretKey contentKey = new SecretKeySpec(RandomSecret.createRandomSecret(128 / 8), "AES");
                    XMLEncryptionUtil.encryptElement(nameIdName, document,
                            PemUtils.decodePublicKey(ApiUtil.findActiveSigningKey(adminClient.realm(bc.consumerRealmName())).getPublicKey()),
                            contentKey, 128, encryptedIdName, true);
                } catch (Exception e) {
                    throw new ProcessingException("failed to encrypt", e);
                }
                // The cleartext NameID must not survive anywhere in the serialized response.
                assertThat(DocumentUtil.asString(document), not(containsString(nameIdValue.get())));
                return document;
            }).build()
            .updateProfile().firstName("a").lastName("b").email(bc.getUserEmail()).build()
            .followOneRedirect()
            // Response from the consumer IdP
            .getSamlResponse(SamlClient.Binding.POST);

    assertThat(consumerResponse, Matchers.notNullValue());
    assertThat(consumerResponse.getSamlObject(), isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    // The consumer realm could only create this user if it decrypted the EncryptedID.
    assertThat(adminClient.realm(bc.consumerRealmName()).users().search(nameIdValue.get()), hasSize(1));
}
