use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class KcSamlBrokerAllowedClockSkewTest method loginClientExpiredResponseFromIdPWithClockSkew.
@Test
public void loginClientExpiredResponseFromIdPWithClockSkew() throws Exception {
try (Closeable idpUpdater = new IdentityProviderAttributeUpdater(identityProviderResource).setAttribute(SAMLIdentityProviderConfig.ALLOWED_CLOCK_SKEW, "60").update()) {
AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST, getConsumerRoot() + "/sales-post/saml", null);
Document doc = SAML2Request.convert(loginRep);
SAMLDocumentHolder samlResponse = new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, SamlClient.Binding.POST).build().login().idp(bc.getIDPAlias()).build().processSamlResponse(// AuthnRequest to producer IdP
SamlClient.Binding.POST).targetAttributeSamlRequest().build().login().user(bc.getUserLogin(), bc.getUserPassword()).build().addStep(// offset to the past but inside the clock skew
() -> KcSamlBrokerAllowedClockSkewTest.this.setTimeOffset(-30)).processSamlResponse(// Response from producer IdP expired but valid with the clock skew
SamlClient.Binding.POST).build().updateProfile().firstName("a").lastName("b").email(bc.getUserEmail()).username(bc.getUserLogin()).build().followOneRedirect().getSamlResponse(// Response from consumer IdP
SamlClient.Binding.POST);
Assert.assertThat(samlResponse, Matchers.notNullValue());
Assert.assertThat(samlResponse.getSamlObject(), isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
}
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class KcSamlBrokerTest method loginInResponseToMissing.
// KEYCLOAK-17935
@Test
public void loginInResponseToMissing() throws Exception {
AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST + ".dot/ted", getConsumerRoot() + "/sales-post/saml", null);
Document doc = SAML2Request.convert(loginRep);
new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, Binding.POST).build().login().idp(bc.getIDPAlias()).build().processSamlResponse(// AuthnRequest to producer IdP
Binding.POST).targetAttributeSamlRequest().build().login().user(bc.getUserLogin(), bc.getUserPassword()).build().processSamlResponse(// Response from producer IdP
Binding.POST).transformDocument(this::removeInResponseTo).build().execute(// Response from consumer IdP
hr -> assertThat(hr, statusCodeIsHC(Response.Status.BAD_REQUEST)));
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class KcSamlBrokerTest method loginClientWithDotsInName.
// KEYCLOAK-6106
@Test
public void loginClientWithDotsInName() throws Exception {
AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST + ".dot/ted", getConsumerRoot() + "/sales-post/saml", null);
Document doc = SAML2Request.convert(loginRep);
SAMLDocumentHolder samlResponse = new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, Binding.POST).build().login().idp(bc.getIDPAlias()).build().processSamlResponse(// AuthnRequest to producer IdP
Binding.POST).targetAttributeSamlRequest().build().login().user(bc.getUserLogin(), bc.getUserPassword()).build().processSamlResponse(// Response from producer IdP
Binding.POST).build().updateProfile().firstName("a").lastName("b").email(bc.getUserEmail()).username(bc.getUserLogin()).build().followOneRedirect().getSamlResponse(// Response from consumer IdP
Binding.POST);
Assert.assertThat(samlResponse, Matchers.notNullValue());
Assert.assertThat(samlResponse.getSamlObject(), isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class KcSamlBrokerTest method loginInResponseToMismatch.
// KEYCLOAK-17935
@Test
public void loginInResponseToMismatch() throws Exception {
AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST + ".dot/ted", getConsumerRoot() + "/sales-post/saml", null);
Document doc = SAML2Request.convert(loginRep);
new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, Binding.POST).build().login().idp(bc.getIDPAlias()).build().processSamlResponse(// AuthnRequest to producer IdP
Binding.POST).targetAttributeSamlRequest().build().login().user(bc.getUserLogin(), bc.getUserPassword()).build().processSamlResponse(// Response from producer IdP
Binding.POST).transformDocument(this::tamperInResponseTo).build().execute(// Response from consumer IdP
hr -> assertThat(hr, statusCodeIsHC(Response.Status.BAD_REQUEST)));
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class KcSamlBrokerTest method emptyAttributeToRoleMapperTest.
@Test
public void emptyAttributeToRoleMapperTest() throws ParsingException, ConfigurationException, ProcessingException {
createRolesForRealm(bc.consumerRealmName());
createRoleMappersForConsumerRealm();
AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(AbstractSamlTest.SAML_CLIENT_ID_SALES_POST + ".dot/ted", getConsumerRoot() + "/sales-post/saml", null);
Document doc = SAML2Request.convert(loginRep);
SAMLDocumentHolder samlResponse = new SamlClientBuilder().authnRequest(getConsumerSamlEndpoint(bc.consumerRealmName()), doc, Binding.POST).build().login().idp(bc.getIDPAlias()).build().processSamlResponse(// AuthnRequest to producer IdP
Binding.POST).targetAttributeSamlRequest().build().login().user(bc.getUserLogin(), bc.getUserPassword()).build().processSamlResponse(// Response from producer IdP
Binding.POST).transformObject(ob -> {
assertThat(ob, org.keycloak.testsuite.util.Matchers.isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
ResponseType resp = (ResponseType) ob;
Set<StatementAbstractType> statements = resp.getAssertions().get(0).getAssertion().getStatements();
AttributeStatementType attributeType = (AttributeStatementType) statements.stream().filter(statement -> statement instanceof AttributeStatementType).findFirst().orElse(new AttributeStatementType());
AttributeType attr = new AttributeType(EMPTY_ATTRIBUTE_NAME);
attr.addAttributeValue(null);
attributeType.addAttribute(new AttributeStatementType.ASTChoiceType(attr));
resp.getAssertions().get(0).getAssertion().addStatement(attributeType);
return ob;
}).build().updateProfile().firstName("a").lastName("b").email(bc.getUserEmail()).username(bc.getUserLogin()).build().followOneRedirect().getSamlResponse(// Response from consumer IdP
Binding.POST);
Assert.assertThat(samlResponse, Matchers.notNullValue());
Assert.assertThat(samlResponse.getSamlObject(), isSamlResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
Stream<AssertionType> assertionTypeStream = assertionsUnencrypted(samlResponse.getSamlObject());
Stream<AttributeType> attributeStatementTypeStream = attributesUnecrypted(attributeStatements(assertionTypeStream));
Set<String> attributeValues = attributeStatementTypeStream.filter(a -> a.getName().equals(ROLE_ATTRIBUTE_NAME)).flatMap(a -> a.getAttributeValue().stream()).map(Object::toString).collect(Collectors.toSet());
assertThat(attributeValues, hasItems(EMPTY_ATTRIBUTE_ROLE));
}
Aggregations