Search in sources :

Example 36 with SamlClientBuilder

use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.

the class BasicSamlTest method testPropertyValueInAssertion.

// KEYCLOAK-4160
@Test
public void testPropertyValueInAssertion() throws ParsingException, ConfigurationException, ProcessingException {
    SAMLDocumentHolder document = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST).transformDocument(doc -> {
        setDocElementAttributeValue(doc, "samlp:AuthnRequest", "ID", "${java.version}");
        return doc;
    }).build().login().user(bburkeUser).build().getSamlResponse(Binding.POST);
    assertThat(documentToString(document.getSamlDocument()), not(containsString("InResponseTo=\"" + System.getProperty("java.version") + "\"")));
}
Also used : Matchers.statusCodeIsHC(org.keycloak.testsuite.util.Matchers.statusCodeIsHC) EntityUtils(org.apache.http.util.EntityUtils) Document(org.w3c.dom.Document) Matchers.nullValue(org.hamcrest.Matchers.nullValue) SamlClient(org.keycloak.testsuite.util.SamlClient) RedirectStrategyWithSwitchableFollowRedirect(org.keycloak.testsuite.util.SamlClient.RedirectStrategyWithSwitchableFollowRedirect) UriBuilder(javax.ws.rs.core.UriBuilder) URI(java.net.URI) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) NAMEID_FORMAT_TRANSIENT(org.keycloak.saml.common.constants.JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT) Matchers.notNullValue(org.hamcrest.Matchers.notNullValue) Matchers(org.keycloak.testsuite.util.Matchers) Signature(java.security.Signature) SamlProtocol(org.keycloak.protocol.saml.SamlProtocol) Logger(java.util.logging.Logger) DocumentUtil(org.keycloak.saml.common.util.DocumentUtil) Objects(java.util.Objects) ParsingException(org.keycloak.saml.common.exceptions.ParsingException) List(java.util.List) Response(javax.ws.rs.core.Response) Matchers.is(org.hamcrest.Matchers.is) Matchers.containsString(org.hamcrest.Matchers.containsString) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) PROTOCOL_NSURI(org.keycloak.saml.common.constants.JBossSAMLURIConstants.PROTOCOL_NSURI) RealmsResource(org.keycloak.services.resources.RealmsResource) Encode(org.jboss.resteasy.util.Encode) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) SAML2Request(org.keycloak.saml.processing.api.saml.v2.request.SAML2Request) GeneralConstants(org.keycloak.saml.common.constants.GeneralConstants) CoreMatchers.not(org.hamcrest.CoreMatchers.not) IOUtil.setDocElementAttributeValue(org.keycloak.testsuite.utils.io.IOUtil.setDocElementAttributeValue) HttpUriRequest(org.apache.http.client.methods.HttpUriRequest) Attr(org.w3c.dom.Attr) Level(java.util.logging.Level) ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) SignatureAlgorithm(org.keycloak.saml.SignatureAlgorithm) AuthServer(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer) Status(javax.ws.rs.core.Response.Status) ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException) RedirectBindingUtil(org.keycloak.saml.processing.web.util.RedirectBindingUtil) CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType) JBossSAMLURIConstants(org.keycloak.saml.common.constants.JBossSAMLURIConstants) Test(org.junit.Test) IOException(java.io.IOException) KeyUtils(org.keycloak.testsuite.util.KeyUtils) AUTH_SERVER_PORT(org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_PORT) Element(org.w3c.dom.Element) Step(org.keycloak.testsuite.util.SamlClient.Step) Matcher(org.hamcrest.Matcher) Binding(org.keycloak.testsuite.util.SamlClient.Binding) HttpClientBuilder(org.apache.http.impl.client.HttpClientBuilder) IOUtil.documentToString(org.keycloak.testsuite.utils.io.IOUtil.documentToString) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) Test(org.junit.Test)

Example 37 with SamlClientBuilder

use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.

the class BasicSamlTest method testSpecialCharsInRelayState.

private void testSpecialCharsInRelayState(String encodedRelayState) throws Exception {
    AuthnRequestType loginRep = SamlClient.createLoginRequestDocument(SAML_CLIENT_ID_SALES_POST_SIG, SAML_ASSERTION_CONSUMER_URL_SALES_POST_SIG, getAuthServerSamlEndpoint(REALM_NAME));
    Document doc = SAML2Request.convert(loginRep);
    URI redirect = Binding.REDIRECT.createSamlUnsignedRequest(getAuthServerSamlEndpoint(REALM_NAME), null, doc).getURI();
    String query = redirect.getRawQuery();
    SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.RSA_SHA256;
    // now add the relayState
    String relayStatePart = encodedRelayState == null ? "" : ("&" + GeneralConstants.RELAY_STATE + "=" + encodedRelayState);
    String sigAlgPart = "&" + GeneralConstants.SAML_SIG_ALG_REQUEST_KEY + "=" + Encode.encodeQueryParamAsIs(signatureAlgorithm.getXmlSignatureMethod());
    Signature signature = signatureAlgorithm.createSignature();
    byte[] sig;
    signature.initSign(KeyUtils.privateKeyFromString(SAML_CLIENT_SALES_POST_SIG_PRIVATE_KEY));
    signature.update(query.getBytes(GeneralConstants.SAML_CHARSET));
    signature.update(relayStatePart.getBytes(GeneralConstants.SAML_CHARSET));
    signature.update(sigAlgPart.getBytes(GeneralConstants.SAML_CHARSET));
    sig = signature.sign();
    String encodedSig = RedirectBindingUtil.base64Encode(sig);
    String sigPart = "&" + GeneralConstants.SAML_SIGNATURE_REQUEST_KEY + "=" + Encode.encodeQueryParamAsIs(encodedSig);
    new SamlClientBuilder().navigateTo(redirect.toString() + relayStatePart + sigAlgPart + sigPart).assertResponse(statusCodeIsHC(Status.OK)).execute();
}
Also used : AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) Signature(java.security.Signature) SignatureAlgorithm(org.keycloak.saml.SignatureAlgorithm) Matchers.containsString(org.hamcrest.Matchers.containsString) IOUtil.documentToString(org.keycloak.testsuite.utils.io.IOUtil.documentToString) Document(org.w3c.dom.Document) URI(java.net.URI) PROTOCOL_NSURI(org.keycloak.saml.common.constants.JBossSAMLURIConstants.PROTOCOL_NSURI)

Example 38 with SamlClientBuilder

use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.

the class BasicSamlTest method testReauthnWithForceAuthn.

private void testReauthnWithForceAuthn(Boolean reloginRequired) throws Exception {
    // Ensure that the first authentication passes
    SamlClient samlClient = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST).build().login().user(bburkeUser).build().execute(hr -> {
        try {
            SAMLDocumentHolder doc = Binding.POST.extractResponse(hr);
            assertThat(doc.getSamlObject(), Matchers.isSamlStatusResponse(JBossSAMLURIConstants.STATUS_SUCCESS));
        } catch (IOException ex) {
            Logger.getLogger(BasicSamlTest.class.getName()).log(Level.SEVERE, null, ex);
        }
    });
    List<Step> secondAuthn = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST2, SAML_ASSERTION_CONSUMER_URL_SALES_POST2, Binding.POST).transformObject(so -> {
        so.setForceAuthn(reloginRequired);
        return so;
    }).build().assertResponse(Matchers.bodyHC(containsString(Objects.equals(reloginRequired, Boolean.TRUE) ? "Sign in" : GeneralConstants.SAML_RESPONSE_KEY))).getSteps();
    samlClient.execute(secondAuthn);
}
Also used : Matchers.statusCodeIsHC(org.keycloak.testsuite.util.Matchers.statusCodeIsHC) EntityUtils(org.apache.http.util.EntityUtils) Document(org.w3c.dom.Document) Matchers.nullValue(org.hamcrest.Matchers.nullValue) SamlClient(org.keycloak.testsuite.util.SamlClient) RedirectStrategyWithSwitchableFollowRedirect(org.keycloak.testsuite.util.SamlClient.RedirectStrategyWithSwitchableFollowRedirect) UriBuilder(javax.ws.rs.core.UriBuilder) URI(java.net.URI) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) NAMEID_FORMAT_TRANSIENT(org.keycloak.saml.common.constants.JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT) Matchers.notNullValue(org.hamcrest.Matchers.notNullValue) Matchers(org.keycloak.testsuite.util.Matchers) Signature(java.security.Signature) SamlProtocol(org.keycloak.protocol.saml.SamlProtocol) Logger(java.util.logging.Logger) DocumentUtil(org.keycloak.saml.common.util.DocumentUtil) Objects(java.util.Objects) ParsingException(org.keycloak.saml.common.exceptions.ParsingException) List(java.util.List) Response(javax.ws.rs.core.Response) Matchers.is(org.hamcrest.Matchers.is) Matchers.containsString(org.hamcrest.Matchers.containsString) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) PROTOCOL_NSURI(org.keycloak.saml.common.constants.JBossSAMLURIConstants.PROTOCOL_NSURI) RealmsResource(org.keycloak.services.resources.RealmsResource) Encode(org.jboss.resteasy.util.Encode) AuthServerContainerExclude(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude) SAML2Request(org.keycloak.saml.processing.api.saml.v2.request.SAML2Request) GeneralConstants(org.keycloak.saml.common.constants.GeneralConstants) CoreMatchers.not(org.hamcrest.CoreMatchers.not) IOUtil.setDocElementAttributeValue(org.keycloak.testsuite.utils.io.IOUtil.setDocElementAttributeValue) HttpUriRequest(org.apache.http.client.methods.HttpUriRequest) Attr(org.w3c.dom.Attr) Level(java.util.logging.Level) ProcessingException(org.keycloak.saml.common.exceptions.ProcessingException) CloseableHttpResponse(org.apache.http.client.methods.CloseableHttpResponse) MatcherAssert.assertThat(org.hamcrest.MatcherAssert.assertThat) SignatureAlgorithm(org.keycloak.saml.SignatureAlgorithm) AuthServer(org.keycloak.testsuite.arquillian.annotation.AuthServerContainerExclude.AuthServer) Status(javax.ws.rs.core.Response.Status) ConfigurationException(org.keycloak.saml.common.exceptions.ConfigurationException) RedirectBindingUtil(org.keycloak.saml.processing.web.util.RedirectBindingUtil) CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) AuthnRequestType(org.keycloak.dom.saml.v2.protocol.AuthnRequestType) JBossSAMLURIConstants(org.keycloak.saml.common.constants.JBossSAMLURIConstants) Test(org.junit.Test) IOException(java.io.IOException) KeyUtils(org.keycloak.testsuite.util.KeyUtils) AUTH_SERVER_PORT(org.keycloak.testsuite.util.ServerURLs.AUTH_SERVER_PORT) Element(org.w3c.dom.Element) Step(org.keycloak.testsuite.util.SamlClient.Step) Matcher(org.hamcrest.Matcher) Binding(org.keycloak.testsuite.util.SamlClient.Binding) HttpClientBuilder(org.apache.http.impl.client.HttpClientBuilder) IOUtil.documentToString(org.keycloak.testsuite.utils.io.IOUtil.documentToString) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) IOException(java.io.IOException) Step(org.keycloak.testsuite.util.SamlClient.Step) SamlClient(org.keycloak.testsuite.util.SamlClient)

Example 39 with SamlClientBuilder

use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.

the class IncludeOneTimeUseConditionTest method testOneTimeUseConditionIncluded.

private void testOneTimeUseConditionIncluded(Boolean oneTimeUseConditionShouldBeIncluded) throws IOException {
    try (Closeable c = ClientAttributeUpdater.forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST).setAttribute(SamlConfigAttributes.SAML_ONETIMEUSE_CONDITION, oneTimeUseConditionShouldBeIncluded.toString()).update()) {
        SAMLDocumentHolder res = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST).build().login().user(bburkeUser).build().getSamlResponse(Binding.POST);
        assertThat(res.getSamlObject(), notNullValue());
        assertThat(res.getSamlObject(), instanceOf(ResponseType.class));
        ResponseType rt = (ResponseType) res.getSamlObject();
        assertThat(rt.getAssertions(), not(empty()));
        final ConditionsType conditionsType = rt.getAssertions().get(0).getAssertion().getConditions();
        assertThat(conditionsType, notNullValue());
        assertThat(conditionsType.getConditions(), not(empty()));
        final List<ConditionAbstractType> conditions = conditionsType.getConditions();
        final Collection<ConditionAbstractType> oneTimeUseConditions = Collections2.filter(conditions, input -> input instanceof OneTimeUseType);
        final boolean oneTimeUseConditionAdded = !oneTimeUseConditions.isEmpty();
        assertThat(oneTimeUseConditionAdded, is(oneTimeUseConditionShouldBeIncluded));
    }
}
Also used : OneTimeUseType(org.keycloak.dom.saml.v2.assertion.OneTimeUseType) ConditionAbstractType(org.keycloak.dom.saml.v2.assertion.ConditionAbstractType) SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) Closeable(java.io.Closeable) ConditionsType(org.keycloak.dom.saml.v2.assertion.ConditionsType) ResponseType(org.keycloak.dom.saml.v2.protocol.ResponseType)

Example 40 with SamlClientBuilder

use of org.keycloak.testsuite.util.SamlClientBuilder in project keycloak by keycloak.

the class SamlConsentTest method rejectedConsentResponseTest.

@Test
public void rejectedConsentResponseTest() throws ParsingException, ConfigurationException, ProcessingException {
    ClientRepresentation client = adminClient.realm(REALM_NAME).clients().findByClientId(SAML_CLIENT_ID_SALES_POST).get(0);
    adminClient.realm(REALM_NAME).clients().get(client.getId()).update(ClientBuilder.edit(client).consentRequired(true).attribute(SamlProtocol.SAML_IDP_INITIATED_SSO_URL_NAME, "sales-post").attribute(SamlProtocol.SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE, SAML_ASSERTION_CONSUMER_URL_SALES_POST + "saml").attribute(SamlConfigAttributes.SAML_SERVER_SIGNATURE, "true").build());
    log.debug("Log in using idp initiated login");
    SAMLDocumentHolder documentHolder = new SamlClientBuilder().authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST).build().login().user(bburkeUser).build().consentRequired().approveConsent(false).build().getSamlResponse(Binding.POST);
    final String samlDocumentString = IOUtil.documentToString(documentHolder.getSamlDocument());
    // KEYCLOAK-4262
    assertThat(samlDocumentString, containsString("<dsig:Signature"));
    // KEYCLOAK-4261
    assertThat(samlDocumentString, not(containsString("<samlp:LogoutResponse")));
    // KEYCLOAK-4261
    assertThat(samlDocumentString, containsString("<samlp:Response"));
    // KEYCLOAK-4181
    assertThat(samlDocumentString, containsString("<samlp:Status"));
    // KEYCLOAK-4181
    assertThat(samlDocumentString, containsString("<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:RequestDenied\""));
}
Also used : SAMLDocumentHolder(org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder) SamlClientBuilder(org.keycloak.testsuite.util.SamlClientBuilder) CoreMatchers.containsString(org.hamcrest.CoreMatchers.containsString) ClientRepresentation(org.keycloak.representations.idm.ClientRepresentation) Test(org.junit.Test)

Aggregations

SamlClientBuilder (org.keycloak.testsuite.util.SamlClientBuilder)108 Test (org.junit.Test)99 SAMLDocumentHolder (org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder)65 ResponseType (org.keycloak.dom.saml.v2.protocol.ResponseType)42 Document (org.w3c.dom.Document)38 AuthnRequestType (org.keycloak.dom.saml.v2.protocol.AuthnRequestType)35 AbstractSamlTest (org.keycloak.testsuite.saml.AbstractSamlTest)30 StatusResponseType (org.keycloak.dom.saml.v2.protocol.StatusResponseType)28 Matchers.containsString (org.hamcrest.Matchers.containsString)26 JBossSAMLURIConstants (org.keycloak.saml.common.constants.JBossSAMLURIConstants)23 Closeable (java.io.Closeable)21 URI (java.net.URI)20 IOException (java.io.IOException)19 SamlClient (org.keycloak.testsuite.util.SamlClient)18 ArtifactResponseType (org.keycloak.dom.saml.v2.protocol.ArtifactResponseType)17 Element (org.w3c.dom.Element)17 List (java.util.List)16 Response (javax.ws.rs.core.Response)15 Matchers.is (org.hamcrest.Matchers.is)14 ClientRepresentation (org.keycloak.representations.idm.ClientRepresentation)14