Search in sources :

Example 71 with SamlClientBuilder

use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.

the class ArtifactBindingTest method testArtifactBindingWithEncryptedAssertion.

@Test
public void testArtifactBindingWithEncryptedAssertion() throws Exception {
    SAMLDocumentHolder response = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST_ENC, SAML_ASSERTION_CONSUMER_URL_SALES_POST_ENC, POST).setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri()).signWith(SAML_CLIENT_SALES_POST_ENC_PRIVATE_KEY, SAML_CLIENT_SALES_POST_ENC_PUBLIC_KEY).build().login().user(bburkeUser).build().handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST_ENC).signWith(SAML_CLIENT_SALES_POST_ENC_PRIVATE_KEY, SAML_CLIENT_SALES_POST_ENC_PUBLIC_KEY).build().doNotFollowRedirects().executeAndTransform(ARTIFACT_RESPONSE::extractResponse);
    assertThat(response.getSamlObject(), instanceOf(ResponseType.class));
    ResponseType loginResponse = (ResponseType) response.getSamlObject();
    assertThat(loginResponse, isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    assertThat(loginResponse.getAssertions().get(0).getAssertion(), nullValue());
    assertThat(loginResponse.getAssertions().get(0).getEncryptedAssertion(), not(nullValue()));
    SamlDeployment deployment = SamlUtils.getSamlDeploymentForClient("sales-post-enc");
    AssertionUtil.decryptAssertion(response, loginResponse, deployment.getDecryptionKey());
    assertThat(loginResponse.getAssertions().get(0).getAssertion(), not(nullValue()));
    assertThat(loginResponse.getAssertions().get(0).getEncryptedAssertion(), nullValue());
    assertThat(loginResponse.getAssertions().get(0).getAssertion().getIssuer().getValue(), equalTo(getAuthServerRealmBase(REALM_NAME).toString()));
}
Also used : ARTIFACT_RESPONSE(org.keycloak.testsuite.util.SamlClient.Binding.ARTIFACT_RESPONSE) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) SamlDeployment(org.keycloak.adapters.saml.SamlDeployment) NameIDMappingResponseType(org.keycloak.dom.saml.v2.protocol.NameIDMappingResponseType) ArtifactResponseType(org.keycloak.dom.saml.v2.protocol.ArtifactResponseType) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType) StatusResponseType(org.keycloak.dom.saml.v2.protocol.StatusResponseType) Test(org.junit.Test)

Example 72 with SamlClientBuilder

use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.

the class ArtifactBindingTest method testArtifactSuccessfulAfterFirstUnsuccessfulRequest.

@Test
public void testArtifactSuccessfulAfterFirstUnsuccessfulRequest() {
    SamlClientBuilder clientBuilder = new SamlClientBuilder();
    AtomicReference<String> artifact = new AtomicReference<>();
    SAMLDocumentHolder response = clientBuilder.authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST).setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri()).build().login().user(bburkeUser).build().handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), // Wrong issuer
    SAML_CLIENT_ID_SALES_POST2).storeArtifact(artifact).build().assertResponse(r -> assertThat(r, bodyHC(containsString(JBossSAMLURIConstants.STATUS_REQUEST_DENIED.get())))).handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST).useArtifact(artifact).build().executeAndTransform(ARTIFACT_RESPONSE::extractResponse);
    assertThat(response.getSamlObject(), isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
}
Also used : ARTIFACT_RESPONSE(org.keycloak.testsuite.util.SamlClient.Binding.ARTIFACT_RESPONSE) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) AtomicReference(java.util.concurrent.atomic.AtomicReference) Matchers.isEmptyOrNullString(org.hamcrest.Matchers.isEmptyOrNullString) Matchers.containsString(org.hamcrest.Matchers.containsString) Test(org.junit.Test)

Example 73 with SamlClientBuilder

use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.

the class ArtifactBindingTest method testArtifactBindingLogoutSingleClientCheckArtifact.

/**
 ********************** LOGOUT TESTS ***********************
 */
@Test
public void testArtifactBindingLogoutSingleClientCheckArtifact() throws NoSuchAlgorithmException {
    getCleanup().addCleanup(ClientAttributeUpdater.forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST).setAttribute(SamlConfigAttributes.SAML_ARTIFACT_BINDING, "true").setAttribute(SamlConfigAttributes.SAML_SERVER_SIGNATURE, "true").setAttribute(SamlProtocol.SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE, "http://url").setFrontchannelLogout(true).update());
    String response = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST).build().login().user(bburkeUser).build().handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST).build().logoutRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SamlClient.Binding.POST).build().doNotFollowRedirects().executeAndTransform(resp -> EntityUtils.toString(resp.getEntity()));
    assertThat(response, containsString(GeneralConstants.SAML_ARTIFACT_KEY));
    Pattern artifactPattern = Pattern.compile("NAME=\"SAMLart\" VALUE=\"((?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=))");
    Matcher m = artifactPattern.matcher(response);
    assertThat(true, is(m.find()));
    String artifactB64 = m.group(1);
    assertThat(artifactB64, not(isEmptyOrNullString()));
    byte[] artifact = Base64.getDecoder().decode(artifactB64);
    assertThat(artifact.length, is(44));
    assertThat(artifact[0], is((byte) 0));
    assertThat(artifact[1], is((byte) 4));
    assertThat(artifact[2], is((byte) 0));
    assertThat(artifact[3], is((byte) 0));
    MessageDigest sha1Digester = MessageDigest.getInstance("SHA-1");
    byte[] source = sha1Digester.digest(getAuthServerRealmBase(REALM_NAME).toString().getBytes(Charsets.UTF_8));
    for (int i = 0; i < 20; i++) {
        assertThat(source[i], is(artifact[i + 4]));
    }
}
Also used : Pattern(java.util.regex.Pattern) Matcher(java.util.regex.Matcher) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) Matchers.isEmptyOrNullString(org.hamcrest.Matchers.isEmptyOrNullString) Matchers.containsString(org.hamcrest.Matchers.containsString) MessageDigest(java.security.MessageDigest) Test(org.junit.Test)

Example 74 with SamlClientBuilder

use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.

the class ArtifactBindingTest method testArtifactBindingTimesOutAfterCodeToTokenLifespan.

/**
 ********************** LOGIN TESTS ***********************
 */
@Test
public void testArtifactBindingTimesOutAfterCodeToTokenLifespan() throws Exception {
    getCleanup().addCleanup(new RealmAttributeUpdater(adminClient.realm(REALM_NAME)).setAccessCodeLifespan(1).update());
    SAMLDocumentHolder response = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST).setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri()).build().login().user(bburkeUser).build().handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST).setBeforeStepChecks(// Move in time before resolving the artifact
    () -> setTimeOffset(1000)).build().doNotFollowRedirects().executeAndTransform(this::getArtifactResponse);
    assertThat(response.getSamlObject(), instanceOf(ArtifactResponseType.class));
    ArtifactResponseType artifactResponse = (ArtifactResponseType) response.getSamlObject();
    assertThat(artifactResponse, isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    assertThat(artifactResponse.getAny(), nullValue());
}
Also used : SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) RealmAttributeUpdater(org.keycloak.testsuite.updaters.RealmAttributeUpdater) ArtifactResponseType(org.keycloak.dom.saml.v2.protocol.ArtifactResponseType) Test(org.junit.Test)

Example 75 with SamlClientBuilder

use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.

the class ArtifactBindingTest method testArtifactBindingLoginCheckArtifactWithPost.

@Test
public void testArtifactBindingLoginCheckArtifactWithPost() throws NoSuchAlgorithmException {
    String response = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, SamlClient.Binding.POST).setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri()).build().login().user(bburkeUser).build().doNotFollowRedirects().executeAndTransform(resp -> EntityUtils.toString(resp.getEntity()));
    assertThat(response, containsString(GeneralConstants.SAML_ARTIFACT_KEY));
    Pattern artifactPattern = Pattern.compile("NAME=\"SAMLart\" VALUE=\"((?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=))");
    Matcher m = artifactPattern.matcher(response);
    assertThat(m.find(), is(true));
    String artifactB64 = m.group(1);
    assertThat(artifactB64, not(isEmptyOrNullString()));
    byte[] artifact = Base64.getDecoder().decode(artifactB64);
    assertThat(artifact.length, is(44));
    assertThat(artifact[0], is((byte) 0));
    assertThat(artifact[1], is((byte) 4));
    assertThat(artifact[2], is((byte) 0));
    assertThat(artifact[3], is((byte) 0));
    MessageDigest sha1Digester = MessageDigest.getInstance("SHA-1");
    byte[] source = sha1Digester.digest(getAuthServerRealmBase(REALM_NAME).toString().getBytes(Charsets.UTF_8));
    for (int i = 0; i < 20; i++) {
        assertThat(source[i], is(artifact[i + 4]));
    }
}
Also used : Pattern(java.util.regex.Pattern) Matcher(java.util.regex.Matcher) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) Matchers.isEmptyOrNullString(org.hamcrest.Matchers.isEmptyOrNullString) Matchers.containsString(org.hamcrest.Matchers.containsString) MessageDigest(java.security.MessageDigest) Test(org.junit.Test)

Aggregations

SamlClientBuilder (org.keycloak.testsuite.util.SamlClientBuilder)108 Test (org.junit.Test)99 SAMLDocumentHolder (org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)65 ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)42 Document (org.w3c.dom.Document)38 AuthnRequestType (org.keycloak.dom.saml.v2.protocol.AuthnRequestType)35 AbstractSamlTest (org.keycloak.testsuite.saml.AbstractSamlTest)30 StatusResponseType (org.keycloak.dom.saml.v2.protocol.StatusResponseType)28 Matchers.containsString (org.hamcrest.Matchers.containsString)26 JBossSAMLURIConstants (org.keycloak.saml.common.constants.JBossSAMLURIConstants)23 Closeable (java.io.Closeable)21 URI (java.net.URI)20 IOException (java.io.IOException)19 SamlClient (org.keycloak.testsuite.util.SamlClient)18 ArtifactResponseType (org.keycloak.dom.saml.v2.protocol.ArtifactResponseType)17 Element (org.w3c.dom.Element)17 List (java.util.List)16 Response (javax.ws.rs.core.Response)15 Matchers.is (org.hamcrest.Matchers.is)14 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)14