Test scenarios for verifying of JS injection for WebAuthn Policy

Closes #9544
2022-01-31 11:56:06 +01:00 · 2022-01-31 11:56:06 +01:00 · 243b6ba552
commit 243b6ba552
parent 47208b7a20
2 changed files with 206 additions and 0 deletions
--- a/testsuite/integration-arquillian/tests/other/webauthn/src/test/java/org/keycloak/testsuite/webauthn/registration/PolicyJsInjectionTest.java
+++ b/testsuite/integration-arquillian/tests/other/webauthn/src/test/java/org/keycloak/testsuite/webauthn/registration/PolicyJsInjectionTest.java
@ -0,0 +1,175 @@
 /*
 * Copyright 2022 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.keycloak.testsuite.webauthn.registration;
 import org.hamcrest.Matchers;
 import org.junit.Test;
 import org.keycloak.representations.idm.CredentialRepresentation;
 import org.keycloak.testsuite.webauthn.AbstractWebAuthnVirtualTest;
 import org.keycloak.testsuite.webauthn.pages.WebAuthnAuthenticatorsList;
 import org.keycloak.testsuite.webauthn.updaters.AbstractWebAuthnRealmUpdater;
 import org.keycloak.testsuite.webauthn.utils.WebAuthnRealmData;
 import org.keycloak.utils.StringUtil;
 import java.io.Closeable;
 import java.io.IOException;
 import java.util.function.Consumer;
 import java.util.function.Function;
 import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
 import static org.hamcrest.CoreMatchers.notNullValue;
 import static org.hamcrest.MatcherAssert.assertThat;
 /**
 * Verify JS attack in WebAuthn Policy
 *
 * @author <a href="mailto:mabartos@redhat.com">Martin Bartos</a>
 */
 public class PolicyJsInjectionTest extends AbstractWebAuthnVirtualTest {
    // If there's an unexpected alert, the test fails -> we verified here that the script is not executed
    protected final String PROMPT_SCRIPT = "required\"; window.prompt('Injection'); \"<img id=\"image-inject\" src='none'/> ";
    // The page is redirect, if the script is executed
    protected final String REDIRECT_SCRIPT = "required\"; window.location.href = \"http://www.keycloak.org\";\"";
    @Test
    public void relyingPartyEntityName() {
        verifyInjection((updater) -> updater.setWebAuthnPolicyRpEntityName(REDIRECT_SCRIPT),
                WebAuthnRealmData::getRpEntityName,
                REDIRECT_SCRIPT);
    }
    @Test
    public void relyingPartyId() throws IOException {
        try (Closeable u = getWebAuthnRealmUpdater()
                .setWebAuthnPolicyRpId(PROMPT_SCRIPT)
                .update()) {
            WebAuthnRealmData data = new WebAuthnRealmData(testRealm().toRepresentation(), isPasswordless());
            assertThat(data.getRpId(), is(PROMPT_SCRIPT));
            registerDefaultUser(false);
            webAuthnErrorPage.assertCurrent();
            assertThat(webAuthnErrorPage.getError(), containsString("The relying party ID is not a registrable domain suffix of, nor equal to the current domain."));
        }
    }
    @Test
    public void attestationConveyancePreference() {
        verifyInjection((updater) -> updater.setWebAuthnPolicyAttestationConveyancePreference(REDIRECT_SCRIPT),
                WebAuthnRealmData::getAttestationConveyancePreference,
                REDIRECT_SCRIPT,
                "Failed to read the 'attestation' property from 'PublicKeyCredentialCreationOptions': The provided value 'required\"; window.location.href = \"http://www.keycloak.org\";\"' is not a valid enum value of type AttestationConveyancePreference.");
    }
    @Test
    public void authenticatorAttachment() {
        verifyInjection((updater) -> updater.setWebAuthnPolicyAuthenticatorAttachment(REDIRECT_SCRIPT),
                WebAuthnRealmData::getAuthenticatorAttachment,
                REDIRECT_SCRIPT,
                "Failed to read the 'authenticatorAttachment' property from 'AuthenticatorSelectionCriteria': The provided value 'required\"; window.location.href = \"http://www.keycloak.org\";\"' is not a valid enum value of type AuthenticatorAttachment.");
    }
    @Test
    public void requireResidentKey() {
        // requireResidentKey is set to 'false' and the value is ignored -> success
        verifyInjection((updater) -> updater.setWebAuthnPolicyRequireResidentKey(PROMPT_SCRIPT),
                WebAuthnRealmData::getRequireResidentKey,
                PROMPT_SCRIPT);
    }
    @Test
    public void userVerificationRequirement() {
        verifyInjection((updater) -> updater.setWebAuthnPolicyUserVerificationRequirement(PROMPT_SCRIPT),
                WebAuthnRealmData::getUserVerificationRequirement,
                PROMPT_SCRIPT,
                "Failed to read the 'userVerification' property from 'AuthenticatorSelectionCriteria': The provided value 'required\"; window.prompt('Injection'); \"<img id=\"image-inject\" src='none'/> ' is not a valid enum value of type UserVerificationRequirement.");
    }
    @Test
    public void injectUserLabel() {
        final String originalLabel = "label'`;window.prompt(\"another\");'";
        registerDefaultUser(originalLabel);
        appPage.assertCurrent();
        final CredentialRepresentation credential = userResource().credentials()
                .stream()
                .filter(f -> f.getType().equals(getCredentialType()))
                .findFirst()
                .orElse(null);
        assertThat(credential, notNullValue());
        assertThat(credential.getUserLabel(), is(originalLabel));
        if (!isPasswordless()) {
            logout();
            loginPage.open();
            loginPage.assertCurrent(TEST_REALM_NAME);
            loginPage.login(USERNAME, PASSWORD);
            webAuthnLoginPage.assertCurrent();
            WebAuthnAuthenticatorsList authenticators = webAuthnLoginPage.getAuthenticators();
            assertThat(authenticators, notNullValue());
            assertThat(authenticators.getItems(), not(Matchers.empty()));
            assertThat(authenticators.getLabels().get(0), is("label`;window.prompt(\"another\");"));
        }
    }
    private void verifyInjection(Consumer<AbstractWebAuthnRealmUpdater<?>> realmSetter, Function<WebAuthnRealmData, String> realmGetter, String requiredValue) {
        verifyInjection(realmSetter, realmGetter, requiredValue, "");
    }
    /**
     * Verify the possibility of executing the JS injection in WebAuthn Policy settings
     *
     * @param realmSetter   set Realm WebAuthn policy
     * @param realmGetter   get Realm WebAuthn policy
     * @param expectedValue expected value save in realm
     * @param errorMessage  expected message if it's present
     */
    private void verifyInjection(Consumer<AbstractWebAuthnRealmUpdater<?>> realmSetter, Function<WebAuthnRealmData, String> realmGetter, String expectedValue, String errorMessage) {
        AbstractWebAuthnRealmUpdater<?> updater = getWebAuthnRealmUpdater();
        realmSetter.accept(updater);
        try (Closeable u = updater.update()) {
            WebAuthnRealmData data = new WebAuthnRealmData(testRealm().toRepresentation(), isPasswordless());
            assertThat(realmGetter.apply(data), is(expectedValue));
            boolean shouldSuccess = StringUtil.isBlank(errorMessage);
            registerDefaultUser(shouldSuccess);
            if (shouldSuccess) {
                appPage.assertCurrent();
            } else {
                webAuthnErrorPage.assertCurrent();
                assertThat(webAuthnErrorPage.getError(), containsString(errorMessage));
            }
        } catch (IOException e) {
            throw new RuntimeException("Cannot verify test scenarios for WebAuthn Policy JS Injection", e);
        }
    }
 }
--- a/testsuite/integration-arquillian/tests/other/webauthn/src/test/java/org/keycloak/testsuite/webauthn/registration/passwordless/PwdLessPolicyJsInjectionTest.java
+++ b/testsuite/integration-arquillian/tests/other/webauthn/src/test/java/org/keycloak/testsuite/webauthn/registration/passwordless/PwdLessPolicyJsInjectionTest.java
@ -0,0 +1,31 @@
 /*
 * Copyright 2022 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.keycloak.testsuite.webauthn.registration.passwordless;
 import org.keycloak.testsuite.webauthn.registration.PolicyJsInjectionTest;
 /**
 * @author <a href="mailto:mabartos@redhat.com">Martin Bartos</a>
 */
 public class PwdLessPolicyJsInjectionTest extends PolicyJsInjectionTest {
    @Override
    public boolean isPasswordless() {
        return true;
    }
 }