use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class BasicSamlTest method testPropertyValueInAssertion.
// KEYCLOAK-4160
@Test
public void testPropertyValueInAssertion() throws ParsingException, ConfigurationException, ProcessingException {
SAMLDocumentHolder document = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST).transformDocument(doc -> {
setDocElementAttributeValue(doc, "samlp:AuthnRequest", "ID", "${java.version}");
return doc;
}).build().login().user(bburkeUser).build().getSamlResponse(Binding.POST);
assertThat(documentToString(document.getSamlDocument()), not(containsString("InResponseTo=\"" + System.getProperty("java.version") + "\"")));
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class BasicSamlTest method testSpecialCharsInRelayState.
private void testSpecialCharsInRelayState(String encodedRelayState) throws Exception {
AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(SAML_CLIENT_ID_SALES_POST_SIG, SAML_ASSERTION_CONSUMER_URL_SALES_POST_SIG, getAuthServerSamlEndpoint(REALM_NAME));
Document doc = SAML2Request.convert(loginRep);
URI redirect = Binding.REDIRECT.createSamlUnsignedRequest(getAuthServerSamlEndpoint(REALM_NAME), null, doc).getURI();
String query = redirect.getRawQuery();
SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.RSA_SHA256;
// now add the relayState
String relayStatePart = encodedRelayState == null ? "" : ("&" + GeneralConstants.RELAY_STATE + "=" + encodedRelayState);
String sigAlgPart = "&" + GeneralConstants.SAML_SIG_ALG_REQUEST_KEY + "=" + Encode.encodeQueryParamAsIs(signatureAlgorithm.getXmlSignatureMethod());
Signature signature = signatureAlgorithm.createSignature();
byte[] sig;
signature.initSign(KeyUtils.privateKeyFromString(SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY));
signature.update(query.getBytes(GeneralConstants.SAML_CHARSET));
signature.update(relayStatePart.getBytes(GeneralConstants.SAML_CHARSET));
signature.update(sigAlgPart.getBytes(GeneralConstants.SAML_CHARSET));
sig = signature.sign();
String encodedSig = RedirectBindingUtil.base64Encode(sig);
String sigPart = "&" + GeneralConstants.SAML_SIGNATURE_REQUEST_KEY + "=" + Encode.encodeQueryParamAsIs(encodedSig);
new SamlClientBuilder().navigateTo(redirect.toString() + relayStatePart + sigAlgPart + sigPart).assertResponse(statusCodeIsHC(Status.OK)).execute();
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class BasicSamlTest method testReauthnWithForceAuthn.
private void testReauthnWithForceAuthn(Boolean reloginRequired) throws Exception {
// Ensure that the first authentication passes
SamlClient samlClient = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST).build().login().user(bburkeUser).build().execute(hr -> {
try {
SAMLDocumentHolder doc = Binding.POST.extractResponse(hr);
assertThat(doc.getSamlObject(), Matchers.isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
} catch (IOException ex) {
Logger.getLogger(BasicSamlTest.class.getName()).log(Level.SEVERE, null, ex);
}
});
List<Step> secondAuthn = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST2, SAML_ASSERTION_CONSUMER_URL_SALES_POST2, Binding.POST).transformObject(so -> {
so.setForceAuthn(reloginRequired);
return so;
}).build().assertResponse(Matchers.bodyHC(containsString(Objects.equals(reloginRequired, Boolean.TRUE) ? "Sign in" : GeneralConstants.SAML_RESPONSE_KEY))).getSteps();
samlClient.execute(secondAuthn);
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class IncludeOneTimeUseConditionTest method testOneTimeUseConditionIncluded.
private void testOneTimeUseConditionIncluded(Boolean oneTimeUseConditionShouldBeIncluded) throws IOException {
try (Closeable c = ClientAttributeUpdater.forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST).setAttribute(SamlConfigAttributes.SAML_ONETIMEUSE_CONDITION, oneTimeUseConditionShouldBeIncluded.toString()).update()) {
SAMLDocumentHolder res = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST).build().login().user(bburkeUser).build().getSamlResponse(Binding.POST);
assertThat(res.getSamlObject(), notNullValue());
assertThat(res.getSamlObject(), instanceOf(ResponseType.class));
ResponseType rt = (ResponseType) res.getSamlObject();
assertThat(rt.getAssertions(), not(empty()));
final ConditionsType conditionsType = rt.getAssertions().get(0).getAssertion().getConditions();
assertThat(conditionsType, notNullValue());
assertThat(conditionsType.getConditions(), not(empty()));
final List<ConditionAbstractType> conditions = conditionsType.getConditions();
final Collection<ConditionAbstractType> oneTimeUseConditions = Collections2.filter(conditions, input -> input instanceof OneTimeUseType);
final boolean oneTimeUseConditionAdded = !oneTimeUseConditions.isEmpty();
assertThat(oneTimeUseConditionAdded, is(oneTimeUseConditionShouldBeIncluded));
}
}
use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.
the class SamlConsentTest method rejectedConsentResponseTest.
@Test
public void rejectedConsentResponseTest() throws ParsingException, ConfigurationException, ProcessingException {
ClientRepresentation client = adminClient.realm(REALM_NAME).clients().findByClientId(SAML_CLIENT_ID_SALES_POST).get(0);
adminClient.realm(REALM_NAME).clients().get(client.getId()).update(ClientBuilder.edit(client).consentRequired(true).attribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME, "sales-post").attribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE, SAML_ASSERTION_CONSUMER_URL_SALES_POST + "saml").attribute(SamlConfigAttributes.SAML_SERVER_SIGNATURE, "true").build());
log.debug("Log in using idp initiated login");
SAMLDocumentHolder documentHolder = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST).build().login().user(bburkeUser).build().consentRequired().approveConsent(false).build().getSamlResponse(Binding.POST);
final String samlDocumentString = IOUtil.documentToString(documentHolder.getSamlDocument());
// KEYCLOAK-4262
assertThat(samlDocumentString, containsString("<dsig:Signature"));
// KEYCLOAK-4261
assertThat(samlDocumentString, not(containsString("<samlp:LogoutResponse")));
// KEYCLOAK-4261
assertThat(samlDocumentString, containsString("<samlp:Response"));
// KEYCLOAK-4181
assertThat(samlDocumentString, containsString("<samlp:Status"));
// KEYCLOAK-4181
assertThat(samlDocumentString, containsString("<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:RequestDenied\""));
}
Aggregations