
Example 61 with SAMLDocumentHolder

use of org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder in project keycloak by keycloak.

the class KcSamlLogoutTest method testProviderInitiatedLogoutCorrectlyLogsOutConsumerClients.

/**
 * Provider-initiated (IdP side) single logout must reach the consumer realm's client.
 * <p>
 * The user logs into the consumer realm through the brokered SAML IdP, then logs in once more
 * directly at the provider realm to capture the NameID and session index from the provider's
 * assertion. A LogoutRequest built from those values is then sent to the provider; the test
 * expects the provider to emit a LogoutRequest towards the consumer's broker endpoint, the
 * last response in the chain to be a successful status response, and the consumer client's
 * single-logout endpoint (simulated by {@code logoutReceiver}) to have received a LogoutRequest
 * addressed to it.
 *
 * @throws Exception from the client updaters / receiver set-up or the SAML flow
 */
@Test
public void testProviderInitiatedLogoutCorrectlyLogsOutConsumerClients() throws Exception {
    // NOTE(review): the receiver listens on a fixed port (8082); assumes it is free on the test host — confirm.
    // Consumer client: back-channel (non-frontchannel) logout, SLO POST URL pointed at the receiver.
    // Provider realm's IdP client: front-channel logout. Both updaters are reverted when the try block closes.
    try (SamlMessageReceiver logoutReceiver = new SamlMessageReceiver(8082);
        ClientAttributeUpdater cauConsumer = ClientAttributeUpdater.forClient(adminClient, bc.consumerRealmName(), AbstractSamlTest.SAML_CLIENT_ID_SALES_POST).setFrontchannelLogout(false).setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE, logoutReceiver.getUrl()).update();
        ClientAttributeUpdater cauProvider = ClientAttributeUpdater.forClient(adminClient, bc.providerRealmName(), bc.getIDPClientIdInProviderRealm()).setFrontchannelLogout(true).update()) {
        AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, getConsumerRoot() + "/sales-post/saml", null);
        Document doc = SAML2Request.convert(loginRep);
        // Filled in by the second login's transform and read back by the logout step.
        final AtomicReference<NameIDType> nameIdRef = new AtomicReference<>();
        final AtomicReference<String> sessionIndexRef = new AtomicReference<>();
        // Step 1: brokered login into the consumer realm via the SAML IdP (includes the first-login profile update).
        new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, SamlClient.Binding.POST).build().login().idp(bc.getIDPAlias()).build().processSamlResponse(// AuthnRequest to producer IdP
        SamlClient.Binding.POST).targetAttributeSamlRequest().build().login().user(bc.getUserLogin(), bc.getUserPassword()).build().processSamlResponse(// Response from producer IdP
        SamlClient.Binding.POST).build().updateProfile().firstName("a").lastName("b").email(bc.getUserEmail()).username(bc.getUserLogin()).build().followOneRedirect().processSamlResponse(SamlClient.Binding.POST).transformObject(saml2Object -> {
            assertThat(saml2Object, Matchers.notNullValue());
            assertThat(saml2Object, isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
            return null;
        // Step 2: second login directly at the provider realm to obtain the provider-side NameID and session index.
        }).build().authnRequest(getProviderSamlEndpoint(bc.providerRealmName()), PROVIDER_SAML_CLIENT_ID, PROVIDER_SAML_CLIENT_ID + "saml", POST).build().followOneRedirect().processSamlResponse(POST).transformObject(saml2Object -> {
            assertThat(saml2Object, isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
            ResponseType loginResp1 = (ResponseType) saml2Object;
            final AssertionType firstAssertion = loginResp1.getAssertions().get(0).getAssertion();
            assertThat(firstAssertion, Matchers.notNullValue());
            assertThat(firstAssertion.getSubject().getSubType().getBaseID(), instanceOf(NameIDType.class));
            NameIDType nameId = (NameIDType) firstAssertion.getSubject().getSubType().getBaseID();
            // Only the first authn statement is inspected; assumes the assertion carries exactly one — TODO confirm.
            AuthnStatementType firstAssertionStatement = (AuthnStatementType) firstAssertion.getStatements().iterator().next();
            nameIdRef.set(nameId);
            sessionIndexRef.set(firstAssertionStatement.getSessionIndex());
            return null;
        // Step 3: logout at the provider using the captured NameID / session index; the provider is expected
        // to answer with a LogoutRequest directed at the consumer realm's broker endpoint.
        }).build().logoutRequest(getProviderSamlEndpoint(bc.providerRealmName()), PROVIDER_SAML_CLIENT_ID, POST).nameId(nameIdRef::get).sessionIndex(sessionIndexRef::get).build().processSamlResponse(POST).transformObject(saml2Object -> {
            assertThat(saml2Object, isSamlLogoutRequest(getConsumerRoot() + "/auth/realms/" + REALM_CONS_NAME + "/broker/" + IDP_SAML_ALIAS + "/endpoint"));
            return saml2Object;
        // The last response of the chain must be a successful SAML status response.
        }).build().executeAndTransform(response -> {
            SAMLDocumentHolder saml2ObjectHolder = POST.extractResponse(response);
            assertThat(saml2ObjectHolder.getSamlObject(), isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
            return null;
        });
        // Step 4: the consumer client's SLO endpoint must have received a LogoutRequest addressed to it,
        // i.e. the logout propagated from the provider through the broker to the consumer's client.
        assertThat(logoutReceiver.isMessageReceived(), is(true));
        SAMLDocumentHolder message = logoutReceiver.getSamlDocumentHolder();
        assertThat(message.getSamlObject(), isSamlLogoutRequest(logoutReceiver.getUrl()));
    }
}

Example 62 with SAMLDocumentHolder

use of org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder in project keycloak by keycloak.

the class ArtifactBindingTest method testArtifactSuccessfulAfterFirstUnsuccessfulRequest.

/**
 * A denied artifact resolution must not burn the artifact.
 * <p>
 * The first {@code ArtifactResolve} is sent with an issuer that does not match the client the
 * artifact was issued for and is expected to be answered with {@code RequestDenied}; a second
 * resolution of the very same artifact, now with the correct issuer, must still succeed.
 */
@Test
public void testArtifactSuccessfulAfterFirstUnsuccessfulRequest() {
    SamlClientBuilder builder = new SamlClientBuilder();
    // Captured from the first (denied) resolution and replayed in the second one.
    AtomicReference<String> storedArtifact = new AtomicReference<>();

    SAMLDocumentHolder resolved = builder
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST,
                    SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
            .setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri())
            .build()
            .login().user(bburkeUser).build()
            // First attempt: wrong issuer, expected to be denied
            .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST2)
            .storeArtifact(storedArtifact)
            .build()
            .assertResponse(r -> assertThat(r, bodyHC(containsString(JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get()))))
            // Second attempt: same artifact, correct issuer
            .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST)
            .useArtifact(storedArtifact)
            .build()
            .executeAndTransform(ARTIFACT_RESPONSE::extractResponse);

    assertThat(resolved.getSamlObject(), isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
}

Example 63 with SAMLDocumentHolder

use of org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder in project keycloak by keycloak.

the class ArtifactBindingTest method testArtifactBindingTimesOutAfterCodeToTokenLifespan.

/**
 ********************** LOGIN TESTS ***********************
 *
 * An artifact is only resolvable within the realm's access code lifespan.
 * <p>
 * The lifespan is shrunk to one second and the clock is moved forward before the
 * {@code ArtifactResolve} is sent. The resolution request itself is still reported as
 * successful, but the expired artifact no longer maps to a message: {@code getAny()} is null.
 *
 * @throws Exception from the realm updater or the SAML flow
 */
@Test
public void testArtifactBindingTimesOutAfterCodeToTokenLifespan() throws Exception {
    // Registered for cleanup so the realm setting is reverted after the test.
    getCleanup().addCleanup(
            new RealmAttributeUpdater(adminClient.realm(REALM_NAME)).setAccessCodeLifespan(1).update());

    SAMLDocumentHolder holder = new SamlClientBuilder()
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST,
                    SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
            .setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri())
            .build()
            .login().user(bburkeUser).build()
            .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST)
            // Advance the clock well past the lifespan right before the artifact is resolved.
            // NOTE(review): assumes the time offset is reset by the surrounding test harness — confirm.
            .setBeforeStepChecks(() -> setTimeOffset(1000))
            .build()
            .doNotFollowRedirects()
            .executeAndTransform(this::getArtifactResponse);

    assertThat(holder.getSamlObject(), instanceOf(ArtifactResponseType.class));
    ArtifactResponseType resolution = (ArtifactResponseType) holder.getSamlObject();
    // Status is Success, yet no SAML message is embedded for the expired artifact.
    assertThat(resolution, isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    assertThat(resolution.getAny(), nullValue());
}

Example 64 with SAMLDocumentHolder

use of org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder in project keycloak by keycloak.

the class ArtifactBindingTest method testArtifactBindingWithResponseAndAssertionSignature.

/**
 * Artifact binding with both the response and the assertion signed.
 * <p>
 * The AuthnRequest and the ArtifactResolve are signed with the client's key pair. The resolved
 * response must be successful, its embedded Response must carry a signed assertion, and both
 * the response and assertion signatures are verified against the IdP's signature validation key,
 * not merely checked for presence.
 *
 * @throws Exception from the SAML flow or from signature verification
 */
@Test
public void testArtifactBindingWithResponseAndAssertionSignature() throws Exception {
    SAMLDocumentHolder holder = new SamlClientBuilder()
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME),
                    SAML_CLIENT_ID_SALES_POST_ASSERTION_AND_RESPONSE_SIG,
                    SAML_ASSERTION_CONSUMER_URL_SALES_POST_ASSERTION_AND_RESPONSE_SIG, POST)
            .setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri())
            .signWith(SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY, SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY)
            .build()
            .login().user(bburkeUser).build()
            .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST_ASSERTION_AND_RESPONSE_SIG)
            // The ArtifactResolve is signed as well
            .signWith(SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY, SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY)
            .build()
            .doNotFollowRedirects()
            .executeAndTransform(this::getArtifactResponse);

    assertThat(holder.getSamlObject(), instanceOf(ArtifactResponseType.class));
    ArtifactResponseType artifactResp = (ArtifactResponseType) holder.getSamlObject();
    assertThat(artifactResp, isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));

    assertThat(artifactResp.getAny(), instanceOf(ResponseType.class));
    ResponseType embedded = (ResponseType) artifactResp.getAny();
    assertThat(embedded, isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    // The assertion must carry its own signature, independent of the enclosing response's.
    assertThat(embedded.getAssertions().get(0).getAssertion().getSignature(), not(nullValue()));

    // Presence is not enough: verify the response signature and the assertion signature
    // against the IdP key configured for this client.
    SamlDeployment deployment = SamlUtils.getSamlDeploymentForClient("sales-post-assertion-and-response-sig");
    SamlProtocolUtils.verifyDocumentSignature(holder.getSamlDocument(), deployment.getIDP().getSignatureValidationKeyLocator());
}

Example 65 with SAMLDocumentHolder

use of org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder in project keycloak by keycloak.

the class ArtifactBindingTest method testArtifactBindingIsNotUsedForLogoutWhenLogoutUrlNotSetPostTest.

/**
 * Artifact binding is enabled on the client, but only a POST single-logout URL is configured.
 * <p>
 * The logout response must then come back over plain POST as an unsigned
 * {@code StatusResponseType}, not as an {@code ArtifactResponseType} (nor any other
 * response subtype).
 */
@Test
public void testArtifactBindingIsNotUsedForLogoutWhenLogoutUrlNotSetPostTest() {
    // Client config for this test only; reverted by the cleanup.
    // NOTE(review): the test name suggests the artifact logout URL is deliberately left unset — confirm.
    getCleanup().addCleanup(ClientAttributeUpdater.forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST)
            .setAttribute(SamlConfigAttributes.SAML_ARTIFACT_BINDING, "true")
            .setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE, "http://url")
            .setFrontchannelLogout(true)
            .update());

    SAMLDocumentHolder holder = new SamlClientBuilder()
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST,
                    SAML_ASSERTION_CONSUMER_URL_SALES_POST, POST)
            .setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_POST_BINDING.getUri())
            .build()
            .login().user(bburkeUser).build()
            .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST)
            .build()
            .logoutRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, POST)
            .build()
            .doNotFollowRedirects()
            .executeAndTransform(POST::extractResponse);

    assertThat(holder.getSamlObject(), instanceOf(StatusResponseType.class));
    StatusResponseType logoutResp = (StatusResponseType) holder.getSamlObject();
    assertThat(logoutResp, isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    assertThat(logoutResp.getSignature(), nullValue());
    // A plain status response only: rule out every richer response subtype.
    assertThat(logoutResp, not(instanceOf(ResponseType.class)));
    assertThat(logoutResp, not(instanceOf(ArtifactResponseType.class)));
    assertThat(logoutResp, not(instanceOf(NameIDMappingResponseType.class)));
    assertThat(logoutResp, instanceOf(StatusResponseType.class));
}
