use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class LDAPSamlIdPInitiatedVaryingLetterCaseTest method testIdpInitiated.
/**
 * Drives the IdP-initiated SAML broker flow for {@code userName} and checks that the
 * browser ends up authenticated at the OAuth login form.
 *
 * @param userName           subject name written into the IdP-initiated SAML response
 * @param isFirstBrokerLogin whether the user has never logged in through the broker before;
 *                           in that case the flow issues two additional redirects that must be
 *                           followed before the broker's SAML response can be processed
 * @throws Exception propagated from the SAML client steps
 */
private void testIdpInitiated(String userName, boolean isFirstBrokerLogin) throws Exception {
    final URI brokerEndpoint = getAuthServerBrokerSamlEndpoint(TEST_REALM_NAME, IDP_SAML_ALIAS, EXT_SSO);
    final ResponseType idpResponse = prepareResponseForIdPInitiatedFlow(brokerEndpoint, userName);

    final SamlClientBuilder flow = new SamlClientBuilder()
            .submitSamlDocument(brokerEndpoint, idpResponse, Binding.POST)
            .targetAttributeSamlResponse()
            .build();

    // A first broker login goes through two redirects before the SAML response is delivered.
    if (isFirstBrokerLogin) {
        flow.followOneRedirect().followOneRedirect();
    }

    flow.processSamlResponse(Binding.POST)
            .transformObject(samlObject -> {
                assertThat(samlObject, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                return null;
            })
            .build()
            .navigateTo(oauth.getLoginFormUrl())
            .assertResponse(Matchers.bodyHC(containsString("AUTH_RESPONSE")))
            .execute();

    // The login must not have created a duplicate account: searching for the LDAP user name
    // (second argument appears to be the exact-match flag) still yields a single user.
    assertThat(testRealm().users().search(USER_NAME_LDAP, Boolean.TRUE), hasSize(1));
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class BasicSamlTest method testSpecialCharsInRelayState.
/**
 * Sends a signed REDIRECT-binding AuthnRequest whose RelayState is supplied already
 * URL-encoded and expects the IdP to answer with 200 OK.
 *
 * <p>The signature covers the query string exactly as it is sent on the wire:
 * {@code SAMLRequest=...[&RelayState=...]&SigAlg=...}, in that order. A RelayState with
 * special characters therefore has to be signed in its encoded form, which is what this
 * test exercises.
 *
 * @param encodedRelayState RelayState value as it should appear in the query string
 *                          (already URL-encoded), or {@code null} to omit the parameter
 * @throws Exception on request construction or signing failures
 */
private void testSpecialCharsInRelayState(String encodedRelayState) throws Exception {
    final URI samlEndpoint = getAuthServerSamlEndpoint(REALM_NAME);
    final AuthnRequestType authnRequest = SamlClient.createLoginRequestDocument(
            SAML_CLIENT_ID_SALES_POST_SIG, SAML_ASSERTION_CONSUMER_URL_SALES_POST_SIG, samlEndpoint);
    final Document requestDocument = SAML2Request.convert(authnRequest);

    // Build the unsigned redirect URL first; RelayState, SigAlg and Signature are appended by hand.
    final URI unsignedRedirect = Binding.REDIRECT
            .createSamlUnsignedRequest(samlEndpoint, null, requestDocument)
            .getURI();
    final String samlRequestQuery = unsignedRedirect.getRawQuery();

    final SignatureAlgorithm algorithm = SignatureAlgorithm.RSA_SHA256;
    final String relayStateParam = (encodedRelayState == null)
            ? ""
            : "&" + GeneralConstants.RELAY_STATE + "=" + encodedRelayState;
    final String sigAlgParam = "&" + GeneralConstants.SAML_SIG_ALG_REQUEST_KEY + "="
            + Encode.encodeQueryParamAsIs(algorithm.getXmlSignatureMethod());

    // Sign SAMLRequest, then RelayState (if present), then SigAlg -- the same order in which
    // the parameters are concatenated for the final URL below.
    final Signature signer = algorithm.createSignature();
    signer.initSign(KeyUtils.privateKeyFromString(SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY));
    signer.update(samlRequestQuery.getBytes(GeneralConstants.SAML_CHARSET));
    signer.update(relayStateParam.getBytes(GeneralConstants.SAML_CHARSET));
    signer.update(sigAlgParam.getBytes(GeneralConstants.SAML_CHARSET));
    final String encodedSignature = RedirectBindingUtil.base64Encode(signer.sign());
    final String signatureParam = "&" + GeneralConstants.SAML_SIGNATURE_REQUEST_KEY + "="
            + Encode.encodeQueryParamAsIs(encodedSignature);

    new SamlClientBuilder()
            .navigateTo(unsignedRedirect.toString() + relayStateParam + sigAlgParam + signatureParam)
            .assertResponse(statusCodeIsHC(Status.OK))
            .execute();
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class BasicSamlTest method testReauthnWithForceAuthn.
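/**
 * Verifies the IdP's handling of {@code ForceAuthn}: after a successful first login, a
 * second AuthnRequest from another client either re-uses the SSO session (a SAML response
 * is returned straight away) or, when {@code ForceAuthn} is set, shows the login page again.
 *
 * @param reloginRequired value written into the second request's {@code ForceAuthn}
 *                        attribute; {@code Boolean.TRUE} expects the "Sign in" page,
 *                        anything else (including {@code null}) expects a SAML response
 * @throws Exception propagated from the SAML client steps
 */
private void testReauthnWithForceAuthn(Boolean reloginRequired) throws Exception {
    // First authentication establishes the session. The same SamlClient instance runs the
    // second request, presumably so that its session cookies are presented again -- confirm.
    SamlClient samlClient = new SamlClientBuilder()
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST,
                    SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST).build()
            .login().user(bburkeUser).build()
            .execute(hr -> {
                try {
                    SAMLDocumentHolder doc = Binding.POST.extractResponse(hr);
                    assertThat(doc.getSamlObject(), Matchers.isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                } catch (IOException ex) {
                    // A response that cannot be read must fail the test; logging it would let
                    // the test pass without the status assertion ever having run.
                    throw new AssertionError("Could not extract SAML response of the first login", ex);
                }
            });

    List<Step> secondAuthn = new SamlClientBuilder()
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST2,
                    SAML_ASSERTION_CONSUMER_URL_SALES_POST2, Binding.POST)
            .transformObject(so -> {
                so.setForceAuthn(reloginRequired);
                return so;
            })
            .build()
            // ForceAuthn=true must bring the login form back; otherwise the body carries SAMLResponse.
            .assertResponse(Matchers.bodyHC(containsString(
                    Objects.equals(reloginRequired, Boolean.TRUE) ? "Sign in" : GeneralConstants.SAML_RESPONSE_KEY)))
            .getSteps();

    samlClient.execute(secondAuthn);
}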
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class IncludeOneTimeUseConditionTest method testOneTimeUseConditionIncluded.
/**
 * Sets the client's {@code SamlConfigAttributes.SAML_ONETIMEUSE_CONDITION} attribute and
 * checks that the first assertion of the login response carries a {@code OneTimeUse}
 * condition exactly when the attribute is enabled. The attribute updater is closed at the
 * end of the try block, which is expected to restore the previous client configuration.
 *
 * @param oneTimeUseConditionShouldBeIncluded value written to the client attribute and,
 *                                            equally, the expected presence of the condition
 * @throws IOException if closing the attribute updater fails
 */
private void testOneTimeUseConditionIncluded(Boolean oneTimeUseConditionShouldBeIncluded) throws IOException {
    try (Closeable revert = ClientAttributeUpdater.forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST)
            .setAttribute(SamlConfigAttributes.SAML_ONETIMEUSE_CONDITION, oneTimeUseConditionShouldBeIncluded.toString())
            .update()) {

        SAMLDocumentHolder holder = new SamlClientBuilder()
                .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST,
                        SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST).build()
                .login().user(bburkeUser).build()
                .getSamlResponse(Binding.POST);

        assertThat(holder.getSamlObject(), notNullValue());
        assertThat(holder.getSamlObject(), instanceOf(ResponseType.class));
        ResponseType samlResponse = (ResponseType) holder.getSamlObject();
        assertThat(samlResponse.getAssertions(), not(empty()));

        // Only the first assertion is inspected.
        ConditionsType conditionsType = samlResponse.getAssertions().get(0).getAssertion().getConditions();
        assertThat(conditionsType, notNullValue());
        assertThat(conditionsType.getConditions(), not(empty()));

        List<ConditionAbstractType> conditions = conditionsType.getConditions();
        boolean hasOneTimeUse = conditions.stream().anyMatch(OneTimeUseType.class::isInstance);
        assertThat(hasOneTimeUse, is(oneTimeUseConditionShouldBeIncluded));
    }
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class SamlConsentTest method rejectedConsentResponseTest.
/**
 * Checks the SAML response produced when the user declines the consent screen: the IdP
 * must still return a signed {@code samlp:Response} (never a LogoutResponse) whose status
 * code is {@code RequestDenied}.
 *
 * <p>Issues covered: KEYCLOAK-4262 (response is signed), KEYCLOAK-4261 (response element
 * type), KEYCLOAK-4181 (status element and status code).
 */
@Test
public void rejectedConsentResponseTest() throws ParsingException, ConfigurationException, ProcessingException {
    // Enable consent and server-side signing on the sales-post client.
    // NOTE(review): this change is not reverted in the method; presumably the test class
    // resets the realm between tests -- confirm.
    final ClientRepresentation salesPostClient = adminClient.realm(REALM_NAME).clients()
            .findByClientId(SAML_CLIENT_ID_SALES_POST).get(0);
    final ClientRepresentation reconfigured = ClientBuilder.edit(salesPostClient)
            .consentRequired(true)
            .attribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME, "sales-post")
            .attribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE, SAML_ASSERTION_CONSUMER_URL_SALES_POST + "saml")
            .attribute(SamlConfigAttributes.SAML_SERVER_SIGNATURE, "true")
            .build();
    adminClient.realm(REALM_NAME).clients().get(salesPostClient.getId()).update(reconfigured);

    log.debug("Log in using idp initiated login");
    final SAMLDocumentHolder documentHolder = new SamlClientBuilder()
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST,
                    SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST).build()
            .login().user(bburkeUser).build()
            .consentRequired().approveConsent(false).build()
            .getSamlResponse(Binding.POST);

    final String responseXml = IOUtil.documentToString(documentHolder.getSamlDocument());

    // KEYCLOAK-4262: the denial must be signed. This only checks that the element is present;
    // it does not validate the signature value itself.
    assertThat(responseXml, containsString("<dsig:Signature"));
    // KEYCLOAK-4261: a declined consent is answered with a Response, not a LogoutResponse.
    assertThat(responseXml, not(containsString("<samlp:LogoutResponse")));
    assertThat(responseXml, containsString("<samlp:Response"));
    // KEYCLOAK-4181: the status element is present and carries RequestDenied.
    assertThat(responseXml, containsString("<samlp:Status"));
    assertThat(responseXml, containsString("<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:RequestDenied\""));
}