use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class ArtifactBindingTest method testArtifactBindingWithEncryptedAssertion.
/**
 * Logs in over the HTTP-Artifact binding with a client configured for assertion
 * encryption and resolves the artifact.
 *
 * <p>The resolved {@code Response} must carry only an {@code EncryptedAssertion};
 * after decrypting it with the client's decryption key a plain {@code Assertion}
 * issued by the realm must be present and the encrypted form must be gone.
 *
 * @throws Exception on any failure in the SAML round trip or decryption
 */
@Test
public void testArtifactBindingWithEncryptedAssertion() throws Exception {
    SAMLDocumentHolder resolved = new SamlClientBuilder()
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST_ENC,
                    SAML_ASSERTION_CONSUMER_URL_SALES_POST_ENC, POST)
                // ask the IdP to hand back an artifact instead of the response itself
                .setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri())
                .signWith(SAML_CLIENT_SALES_POST_ENC_PRIVATE_KEY, SAML_CLIENT_SALES_POST_ENC_PUBLIC_KEY)
                .build()
            .login()
                .user(bburkeUser)
                .build()
            // the ArtifactResolve is signed too, so the IdP can verify the requesting client
            .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST_ENC)
                .signWith(SAML_CLIENT_SALES_POST_ENC_PRIVATE_KEY, SAML_CLIENT_SALES_POST_ENC_PUBLIC_KEY)
                .build()
            .doNotFollowRedirects()
            .executeAndTransform(ARTIFACT_RESPONSE::extractResponse);

    assertThat(resolved.getSamlObject(), instanceOf(ResponseType.class));
    ResponseType loginResponse = (ResponseType) resolved.getSamlObject();
    assertThat(loginResponse, isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));

    // Only the encrypted form may be present before decryption.
    assertThat(loginResponse.getAssertions().get(0).getAssertion(), nullValue());
    assertThat(loginResponse.getAssertions().get(0).getEncryptedAssertion(), not(nullValue()));

    // Decrypt in place with the client's key; this swaps the encrypted form for the plain assertion.
    SamlDeployment deployment = SamlUtils.getSamlDeploymentForClient("sales-post-enc");
    AssertionUtil.decryptAssertion(resolved, loginResponse, deployment.getDecryptionKey());

    assertThat(loginResponse.getAssertions().get(0).getEncryptedAssertion(), nullValue());
    assertThat(loginResponse.getAssertions().get(0).getAssertion(), not(nullValue()));
    // The decrypted assertion must have been issued by this realm.
    String assertionIssuer = loginResponse.getAssertions().get(0).getAssertion().getIssuer().getValue();
    assertThat(assertionIssuer, equalTo(getAuthServerRealmBase(REALM_NAME).toString()));
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class ArtifactBindingTest method testArtifactSuccessfulAfterFirstUnsuccessfulRequest.
/**
 * An artifact that was first presented by the wrong client must still be resolvable
 * by the client it was issued to.
 *
 * <p>The first ArtifactResolve is sent with a different issuer and must be denied;
 * the same artifact is then resolved by the correct client and must succeed, i.e.
 * a denied resolution must not consume the artifact.
 */
@Test
public void testArtifactSuccessfulAfterFirstUnsuccessfulRequest() {
    SamlClientBuilder client = new SamlClientBuilder();
    // Shared between the two resolution steps so both use the very same artifact.
    AtomicReference<String> storedArtifact = new AtomicReference<>();

    SAMLDocumentHolder resolved = client
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST,
                    SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
                .setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri())
                .build()
            .login()
                .user(bburkeUser)
                .build()
            // First attempt: resolve with the wrong issuer (a different client) and keep the artifact.
            .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST2)
                .storeArtifact(storedArtifact)
                .build()
            .assertResponse(r -> assertThat(r,
                    bodyHC(containsString(JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get()))))
            // Second attempt: the rightful client resolves the stored artifact.
            .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST)
                .useArtifact(storedArtifact)
                .build()
            .executeAndTransform(ARTIFACT_RESPONSE::extractResponse);

    assertThat(resolved.getSamlObject(), isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class ArtifactBindingTest method testArtifactBindingLogoutSingleClientCheckArtifact.
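/**
 ********************** LOGOUT TESTS ***********************
 */
/**
 * Logout over the artifact binding for a single client: the IdP must answer the
 * LogoutRequest with an HTML form carrying a {@code SAMLart} value, and that
 * artifact must have the SAML 2.0 type 0x0004 layout with this realm as SourceID.
 *
 * <p>The client is temporarily switched to artifact binding, server signatures and
 * front-channel logout with an artifact SLO URL; the cleanup restores the original
 * configuration.
 *
 * @throws NoSuchAlgorithmException if the JVM does not provide SHA-1
 */
@Test
public void testArtifactBindingLogoutSingleClientCheckArtifact() throws NoSuchAlgorithmException {
    getCleanup().addCleanup(ClientAttributeUpdater.forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST)
            .setAttribute(SamlConfigAttributes.SAML_ARTIFACT_BINDING, "true")
            .setAttribute(SamlConfigAttributes.SAML_SERVER_SIGNATURE, "true")
            .setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE, "http://url")
            .setFrontchannelLogout(true)
            .update());

    String response = new SamlClientBuilder()
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST,
                    SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
                .build()
            .login()
                .user(bburkeUser)
                .build()
            .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST)
                .build()
            .logoutRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SamlClient.Binding.POST)
                .build()
            // Keep the raw HTML form: the artifact is read out of it below.
            .doNotFollowRedirects()
            .executeAndTransform(resp -> EntityUtils.toString(resp.getEntity()));

    assertThat(response, containsString(GeneralConstants.SAML_ARTIFACT_KEY));

    // Capture group 1 is the padded base64 artifact value of the SAMLart form field.
    Pattern artifactPattern = Pattern.compile("NAME=\"SAMLart\" VALUE=\"((?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=))");
    Matcher m = artifactPattern.matcher(response);
    // actual value first, expectation second — otherwise a miss reports "expected false, was true"
    assertThat(m.find(), is(true));
    String artifactB64 = m.group(1);
    assertThat(artifactB64, not(isEmptyOrNullString()));

    // SAML 2.0 type 0x0004 artifact: 2-byte TypeCode, 2-byte EndpointIndex,
    // 20-byte SourceID, 20-byte MessageHandle = 44 bytes.
    byte[] artifact = Base64.getDecoder().decode(artifactB64);
    assertThat(artifact.length, is(44));
    // TypeCode 0x0004
    assertThat(artifact[0], is((byte) 0));
    assertThat(artifact[1], is((byte) 4));
    // EndpointIndex 0
    assertThat(artifact[2], is((byte) 0));
    assertThat(artifact[3], is((byte) 0));

    // SourceID is the SHA-1 of the issuer entity ID (the realm base URL); SHA-1 here is the
    // spec-mandated identifier derivation, not an integrity mechanism. The trailing
    // 20-byte MessageHandle is an opaque handle and is not inspected.
    MessageDigest sha1Digester = MessageDigest.getInstance("SHA-1");
    byte[] source = sha1Digester.digest(getAuthServerRealmBase(REALM_NAME).toString().getBytes(Charsets.UTF_8));
    for (int i = 0; i < 20; i++) {
        assertThat(source[i], is(artifact[i + 4]));
    }
}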
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class ArtifactBindingTest method testArtifactBindingTimesOutAfterCodeToTokenLifespan.
/**
 ********************** LOGIN TESTS ***********************
 */
/**
 * An artifact that is resolved only after the access-code lifespan has elapsed must
 * no longer yield a SAML message.
 *
 * <p>The realm's access-code lifespan is shortened to one second (restored by the
 * cleanup), the clock is moved forward before the ArtifactResolve is sent, and the
 * ArtifactResponse is expected to report success but to carry no payload.
 *
 * @throws Exception on any failure in the SAML round trip
 */
@Test
public void testArtifactBindingTimesOutAfterCodeToTokenLifespan() throws Exception {
    getCleanup().addCleanup(new RealmAttributeUpdater(adminClient.realm(REALM_NAME))
            .setAccessCodeLifespan(1)
            .update());

    // Jump the clock forward right before the artifact is resolved.
    Runnable expireArtifact = () -> setTimeOffset(1000);

    SAMLDocumentHolder resolved = new SamlClientBuilder()
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST,
                    SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
                .setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri())
                .build()
            .login()
                .user(bburkeUser)
                .build()
            .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST)
                .setBeforeStepChecks(expireArtifact)
                .build()
            .doNotFollowRedirects()
            .executeAndTransform(this::getArtifactResponse);

    assertThat(resolved.getSamlObject(), instanceOf(ArtifactResponseType.class));
    ArtifactResponseType artifactResponse = (ArtifactResponseType) resolved.getSamlObject();
    // Resolution itself succeeds, but the expired artifact maps to no message.
    assertThat(artifactResponse, isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    assertThat(artifactResponse.getAny(), nullValue());
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class ArtifactBindingTest method testArtifactBindingLoginCheckArtifactWithPost.
/**
 * Login over the artifact binding with POST: the IdP must reply with an HTML form
 * carrying a {@code SAMLart} value whose decoded bytes follow the SAML 2.0 type
 * 0x0004 artifact layout and name this realm as SourceID.
 *
 * @throws NoSuchAlgorithmException if the JVM does not provide SHA-1
 */
@Test
public void testArtifactBindingLoginCheckArtifactWithPost() throws NoSuchAlgorithmException {
    String loginPage = new SamlClientBuilder()
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST,
                    SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST)
                .setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri())
                .build()
            .login()
                .user(bburkeUser)
                .build()
            // Stop at the auto-submit form so the artifact can be read out of the HTML.
            .doNotFollowRedirects()
            .executeAndTransform(resp -> EntityUtils.toString(resp.getEntity()));

    assertThat(loginPage, containsString(GeneralConstants.SAML_ARTIFACT_KEY));

    // Group 1 captures the padded base64 value of the SAMLart form field.
    Pattern artifactPattern = Pattern.compile("NAME=\"SAMLart\" VALUE=\"((?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=))");
    Matcher artifactMatch = artifactPattern.matcher(loginPage);
    assertThat(artifactMatch.find(), is(true));
    String encodedArtifact = artifactMatch.group(1);
    assertThat(encodedArtifact, not(isEmptyOrNullString()));

    // Type 0x0004 artifact: TypeCode (2) + EndpointIndex (2) + SourceID (20) + MessageHandle (20).
    byte[] rawArtifact = Base64.getDecoder().decode(encodedArtifact);
    assertThat(rawArtifact.length, is(44));
    // TypeCode 0x0004, EndpointIndex 0
    byte[] expectedHeader = {0, 4, 0, 0};
    for (int pos = 0; pos < expectedHeader.length; pos++) {
        assertThat(rawArtifact[pos], is(expectedHeader[pos]));
    }

    // SourceID = SHA-1 of the issuer entity ID (realm base URL), as the spec defines it;
    // the 20-byte MessageHandle that follows is opaque and not checked.
    MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
    byte[] expectedSourceId = sha1.digest(getAuthServerRealmBase(REALM_NAME).toString().getBytes(Charsets.UTF_8));
    for (int pos = 4; pos < 24; pos++) {
        assertThat(expectedSourceId[pos - 4], is(rawArtifact[pos]));
    }
}