libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

KEYCLOAK-6773 XML vulnerability test

Browse source
This commit is contained in:
Hynek Mlnarik 2018-02-28 09:55:11 +01:00 committed by Hynek Mlnařík
parent 215bbaac6c
commit 1b45ab2601
2 changed files with 60 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

43
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractSAMLServletsAdapterTest.java
View file

@ -105,6 +105,7 @@ import org.w3c.dom.NodeList;
import static org.hamcrest.Matchers.*;
import static org.junit.Assert.*;
import static org.keycloak.representations.idm.CredentialRepresentation.PASSWORD;
import static org.keycloak.testsuite.AbstractAuthTest.createUserRepresentation;
import static org.keycloak.testsuite.admin.ApiUtil.createUserAndResetPasswordWithAdminClient;
import static org.keycloak.testsuite.admin.Users.setPasswordFor;
import static org.keycloak.testsuite.auth.page.AuthRealm.SAMLSERVLETDEMO;
@ -800,6 +801,48 @@ public abstract class AbstractSAMLServletsAdapterTest extends AbstractServletsAd
testSuccessfulAndUnauthorizedLogin(salesPostSigEmailServletPage, testRealmSAMLPostLoginPage, "principal=bburke@redhat.com");
}
@Test
public void salesPostSigStaxParsingFlawEmailTest() {
UserRepresentation user = createUserRepresentation("bburke-additional-domain", "bburke@redhat.com.additional.domain", "Bill", "Burke", true);
setPasswordFor(user, PASSWORD);
String resultPage = new SamlClientBuilder()
.navigateTo(salesPostSigEmailServletPage.buildUri())
.processSamlResponse(Binding.POST).build()
.login().user(user).build()
.processSamlResponse(Binding.POST)
.transformString(s -> {
assertThat(s, org.hamcrest.Matchers.containsString(">bburke@redhat.com.additional.domain<"));
s = s.replaceAll("bburke@redhat.com.additional.domain", "bburke@redhat.com<!-- comment -->.additional.domain");
return s;
})
.build()
.executeAndTransform(resp -> EntityUtils.toString(resp.getEntity()));
assertThat(resultPage, org.hamcrest.Matchers.containsString("principal=bburke@redhat.com.additional.domain"));
}
@Test
public void salesPostSigChangeContents() {
UserRepresentation user = createUserRepresentation("bburke-additional-domain", "bburke@redhat.com.additional.domain", "Bill", "Burke", true);
setPasswordFor(user, PASSWORD);
String resultPage = new SamlClientBuilder()
.navigateTo(salesPostSigEmailServletPage.buildUri())
.processSamlResponse(Binding.POST).build()
.login().user(user).build()
.processSamlResponse(Binding.POST)
.transformString(s -> {
assertThat(s, org.hamcrest.Matchers.containsString(">bburke@redhat.com.additional.domain<"));
s = s.replaceAll("bburke@redhat.com.additional.domain", "bburke@redhat.com");
return s;
})
.build()
.executeAndTransform(resp -> EntityUtils.toString(resp.getEntity()));
assertThat(resultPage, org.hamcrest.Matchers.containsString("INVALID_SIGNATURE"));
}
@Test
public void salesPostSigPersistentTest() {
salesPostSigPersistentServletPage.navigateTo();

17
testsuite/integration-arquillian/tests/base/src/test/resources/adapter-test/keycloak-saml/testsaml.json
View file

@ -36,6 +36,23 @@
"http://localhost:8081/employee2/": [ "employee" ]
}
},
{
"username" : "bburke-additional-domain",
"enabled": true,
"email" : "bburke@redhat.com.additional.domain",
"credentials" : [
{ "type" : "password",
"value" : "password" }
],
"attributes" : {
"phone": "617"
},
"realmRoles": ["manager", "user"],
"applicationRoles": {
"http://localhost:8081/employee/": [ "employee" ],
"http://localhost:8081/employee2/": [ "employee" ]
}
},
{
"username" : "unauthorized",
"enabled": true,