use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class ArtifactBindingCustomResolverTest method testArtifactDoesntContainSignature.
@Test
public void testArtifactDoesntContainSignature() {
    // Only runs against the Undertow auth server (presumably where the custom
    // testing artifact resolver is registered — verify against the test setup).
    ContainerAssume.assumeAuthServerUndertow();

    // Receives the raw artifact value handed out by the IdP before it is resolved.
    AtomicReference<String> capturedArtifact = new AtomicReference<>();

    // Signed AuthnRequest asking for the HTTP-Artifact binding; after login the
    // artifact is resolved (signed ArtifactResolve) and a copy is kept for inspection.
    new SamlClientBuilder()
            .authnRequest(getAuthServerSamlEndpoint(REALM_NAME),
                    SAML_CLIENT_ID_SALES_POST_ASSERTION_AND_RESPONSE_SIG,
                    SAML_ASSERTION_CONSUMER_URL_SALES_POST_ASSERTION_AND_RESPONSE_SIG,
                    POST)
            .setProtocolBinding(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.getUri())
            .signWith(SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY, SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY)
            .build()
            .login().user(bburkeUser).build()
            .handleArtifact(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST_ASSERTION_AND_RESPONSE_SIG)
            .storeArtifact(capturedArtifact)
            .signWith(SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY, SAML_CLIENT_SALES_POST_SIG_PUBLIC_KEY)
            .build()
            .execute();

    byte[] rawArtifact = Base64.getDecoder().decode(capturedArtifact.get());

    // Leading two bytes are the artifact type code; this test expects 0x0005
    // (presumably the custom resolver's own type code).
    assertThat(rawArtifact[0], is((byte) 0));
    assertThat(rawArtifact[1], is((byte) 5));

    // The third byte is used as the slot into the testing resolver's list. An artifact
    // shorter than 3 bytes fails here with an exception rather than a clear assertion.
    ByteArrayInputStream artifactStream = new ByteArrayInputStream(rawArtifact);
    artifactStream.skip(2);
    int slot = artifactStream.read();

    String storedResponse = CustomTestingSamlArtifactResolver.list.get(slot);
    assertThat(storedResponse, notNullValue());
    assertThat(storedResponse, containsString("samlp:Response"));
    // The response parked behind the artifact must not already carry a signature, even
    // though the client is configured for signed assertions and responses. Note this is a
    // coarse substring check: any "Signature" text anywhere in the document fails it.
    assertThat(storedResponse, not(containsString("Signature")));
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class KcSamlIdPInitiatedSsoTest method testProviderIdpInitiatedLoginToApp.
@Test
public void testProviderIdpInitiatedLoginToApp() throws Exception {
    // Where the consumer realm finally delivers the user: the application's ACS.
    String appEndpoint = urlRealmConsumer + "/app/auth";

    SAMLDocumentHolder appResponse = new SamlClientBuilder()
            // IdP-initiated SSO started at the provider realm for the "samlbroker" client.
            .navigateTo(getSamlIdpInitiatedUrl(REALM_PROV_NAME, "samlbroker"))
            .login().user(PROVIDER_REALM_USER_NAME, PROVIDER_REALM_USER_PASSWORD).build()
            // Response from the provider realm: Destination and Audience must both name the
            // consumer realm's IdP-initiated broker endpoint for "sales", not some other SP.
            .processSamlResponse(Binding.POST)
                .transformObject(samlObject -> {
                    assertThat(samlObject, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    String brokerEndpoint = getSamlBrokerIdpInitiatedUrl(REALM_CONS_NAME, "sales");
                    ResponseType brokered = (ResponseType) samlObject;
                    assertThat(brokered.getDestination(), is(brokerEndpoint));
                    assertAudience(brokered, brokerEndpoint);
                    return samlObject;
                })
                .build()
            // First brokered login for this user: the consumer realm asks to review the profile.
            .updateProfile().username(CONSUMER_CHOSEN_USERNAME).email("test@localhost").firstName("Firstname").lastName("Lastname").build()
            .followOneRedirect()
            .getSamlResponse(Binding.POST);

    // Final response issued by the consumer realm to the application.
    assertThat(appResponse.getSamlObject(), Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    ResponseType resp = (ResponseType) appResponse.getSamlObject();
    assertThat(resp.getDestination(), is(appEndpoint));
    assertAudience(resp, appEndpoint);
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class KcSamlIdPInitiatedSsoTest method testConsumerIdpInitiatedLoginToApp.
@Test
public void testConsumerIdpInitiatedLoginToApp() throws Exception {
    // Where the consumer realm finally delivers the user: the application's ACS.
    String appEndpoint = urlRealmConsumer + "/app/auth";

    SAMLDocumentHolder appResponse = new SamlClientBuilder()
            // IdP-initiated flow started at the consumer realm for the "sales" client; on the
            // login page choose the "saml-leaf" identity provider instead of local credentials.
            .navigateTo(getSamlIdpInitiatedUrl(REALM_CONS_NAME, "sales"))
            .login().idp("saml-leaf").build()
            // The consumer realm now emits an AuthnRequest towards the producer IdP; forward it.
            .processSamlResponse(Binding.POST).targetAttributeSamlRequest().build()
            .login().user(PROVIDER_REALM_USER_NAME, PROVIDER_REALM_USER_PASSWORD).build()
            // Response from the producer IdP. In this SP-initiated leg it is addressed to the
            // consumer's generic broker endpoint and its audience is the consumer realm itself
            // (contrast with the IdP-initiated broker URL used when the provider starts the flow).
            .processSamlResponse(Binding.POST)
                .transformObject(samlObject -> {
                    assertThat(samlObject, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    ResponseType brokered = (ResponseType) samlObject;
                    assertThat(brokered.getDestination(), is(getSamlBrokerUrl(REALM_CONS_NAME)));
                    assertAudience(brokered, urlRealmConsumer);
                    return samlObject;
                })
                .build()
            // First brokered login for this user: the consumer realm asks to review the profile.
            .updateProfile().username(CONSUMER_CHOSEN_USERNAME).email("test@localhost").firstName("Firstname").lastName("Lastname").build()
            .followOneRedirect()
            .getSamlResponse(Binding.POST);

    // Final response issued by the consumer realm to the application.
    assertThat(appResponse.getSamlObject(), Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    ResponseType resp = (ResponseType) appResponse.getSamlObject();
    assertThat(resp.getDestination(), is(appEndpoint));
    assertAudience(resp, appEndpoint);
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class KcSamlIdPInitiatedSsoTest method testTwoConsequentIdpInitiatedLogins.
@Test
public void testTwoConsequentIdpInitiatedLogins() throws Exception {
    // Application endpoints on the consumer realm reached by the two logins.
    String firstApp = urlRealmConsumer + "/app/auth";
    String secondAppDestination = urlRealmConsumer + "/app/auth2/saml";
    String secondAppAudience = urlRealmConsumer + "/app/auth2";

    SAMLDocumentHolder secondAppResponse = new SamlClientBuilder()
            // --- First IdP-initiated login: provider realm -> consumer broker -> first app ---
            .navigateTo(getSamlIdpInitiatedUrl(REALM_PROV_NAME, "samlbroker"))
            .login().user(PROVIDER_REALM_USER_NAME, PROVIDER_REALM_USER_PASSWORD).build()
            // Provider's response must target the consumer's IdP-initiated broker URL for "sales".
            .processSamlResponse(Binding.POST)
                .transformObject(samlObject -> {
                    assertThat(samlObject, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    String brokerEndpoint = getSamlBrokerIdpInitiatedUrl(REALM_CONS_NAME, "sales");
                    ResponseType brokered = (ResponseType) samlObject;
                    assertThat(brokered.getDestination(), is(brokerEndpoint));
                    assertAudience(brokered, brokerEndpoint);
                    return samlObject;
                })
                .build()
            .updateProfile().username(CONSUMER_CHOSEN_USERNAME).email("test@localhost").firstName("Firstname").lastName("Lastname").build()
            .followOneRedirect()
            // Consumer's response to the first application; presumably returning null here ends
            // this flow without forwarding it, so the next step starts afresh — verify in SamlClientBuilder.
            .processSamlResponse(Binding.POST)
                .transformObject(samlObject -> {
                    assertThat(samlObject, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    ResponseType toApp = (ResponseType) samlObject;
                    assertThat(toApp.getDestination(), is(firstApp));
                    assertAudience(toApp, firstApp);
                    return null;
                })
                .build()
            // --- Second IdP-initiated login for another client; no credentials are entered,
            // the existing SSO session on the provider realm is expected to be reused ---
            .navigateTo(getSamlIdpInitiatedUrl(REALM_PROV_NAME, "samlbroker-2"))
            .login().sso(true).build()
            .processSamlResponse(Binding.POST)
                .transformObject(samlObject -> {
                    assertThat(samlObject, Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
                    String brokerEndpoint = getSamlBrokerIdpInitiatedUrl(REALM_CONS_NAME, "sales2");
                    ResponseType brokered = (ResponseType) samlObject;
                    assertThat(brokered.getDestination(), is(brokerEndpoint));
                    assertAudience(brokered, brokerEndpoint);
                    return samlObject;
                })
                .build()
            .getSamlResponse(Binding.POST);

    // Consumer's response to the second application: Destination is the ACS path, Audience the app root.
    assertThat(secondAppResponse.getSamlObject(), Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
    ResponseType resp = (ResponseType) secondAppResponse.getSamlObject();
    assertThat(resp.getDestination(), is(secondAppDestination));
    assertAudience(resp, secondAppAudience);

    // Each realm must hold exactly one user session for the user, with both clients attached to it.
    assertSingleUserSession(REALM_CONS_NAME, CONSUMER_CHOSEN_USERNAME, firstApp, secondAppAudience);
    assertSingleUserSession(REALM_PROV_NAME, PROVIDER_REALM_USER_NAME,
            urlRealmConsumer + "/broker/saml-leaf/endpoint/clients/sales",
            urlRealmConsumer + "/broker/saml-leaf/endpoint/clients/sales2");
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class KcSamlSignedBrokerTest method loginAttackChangeSignature.
/**
 * Runs a brokered login in which the producer IdP's response is tampered with by {@code tr}
 * before the consumer realm sees it, and checks whether the consumer accepts it.
 *
 * @param description               label used in the assertion message
 * @param producerSignDocument      producer signs the whole Response document
 * @param producerSignAssertions    producer signs each Assertion
 * @param producerEncryptAssertions producer encrypts the Assertions
 * @param tr                        transformation applied to the producer's response (the "attack")
 * @param shouldSucceed             whether the consumer is expected to accept the tampered response
 */
private void loginAttackChangeSignature(String description, boolean producerSignDocument, boolean producerSignAssertions, boolean producerEncryptAssertions, Saml2DocumentTransformer tr, boolean shouldSucceed) throws Exception {
    log.infof("producerSignDocument: %s, producerSignAssertions: %s, producerEncryptAssertions: %s", producerSignDocument, producerSignAssertions, producerEncryptAssertions);

    // A successful brokered login lands on the consumer's review-profile page. NOTE: the
    // negative case only asserts that this page is NOT shown, so an unrelated failure
    // (error page, exception rendered as a response) also satisfies it; it does not by
    // itself prove that the signature/encryption check is what rejected the response.
    Matcher<HttpResponse> expectedConsumerPage;
    if (shouldSucceed) {
        expectedConsumerPage = bodyHC(containsString("Update Account Information"));
    } else {
        expectedConsumerPage = not(bodyHC(containsString("Update Account Information")));
    }

    // SP-initiated AuthnRequest from the "sales-post" client to the consumer realm.
    AuthnRequestType loginRequest = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, getConsumerRoot() + "/sales-post/saml", null);
    Document loginRequestDocument = SAML2Request.convert(loginRequest);

    withSignedEncryptedAssertions(() -> {
        new SamlClientBuilder()
                .authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), loginRequestDocument, Binding.POST).build()
                // Pick the brokered IdP on the consumer's login page.
                .login().idp(bc.getIDPAlias()).build()
                // AuthnRequest forwarded by the consumer realm to the producer IdP.
                .processSamlResponse(Binding.POST).build()
                .login().user(bc.getUserLogin(), bc.getUserPassword()).build()
                // Response from producer IdP: apply the tampering before the consumer receives it.
                .processSamlResponse(Binding.POST).transformDocument(tr).build()
                .execute(currentResponse -> assertThat(description, currentResponse, expectedConsumerPage));
    }, producerSignDocument, producerSignAssertions, producerEncryptAssertions);
}