KEYCLOAK-4552

This commit is contained in:
Hynek Mlnarik 2017-03-09 16:48:59 +01:00
parent 11d93994c2
commit 42954e84d9
9 changed files with 299 additions and 0 deletions

View file

@ -98,6 +98,8 @@ public abstract class SAMLRequestAbstractParser {
request.setIssuer(issuer);
} else if (JBossSAMLConstants.SIGNATURE.get().equals(elementName)) {
request.setSignature(StaxParserUtil.getDOMElement(xmlEventReader));
} else if (JBossSAMLConstants.EXTENSIONS.get().equals(elementName)) {
request.setExtensions(new SAMLExtensionsParser().parse(xmlEventReader));
}
}

View file

@ -0,0 +1,87 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.saml.processing.core.parsers.saml;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.protocol.AttributeQueryType;
import java.io.InputStream;
import org.junit.Test;
import org.junit.Before;
import org.w3c.dom.Element;
import static org.hamcrest.CoreMatchers.*;
import static org.junit.Assert.assertThat;
/**
* Test class for SAML AttributeQuery parser.
*
* @author hmlnarik
*/
public class SAMLAttributeQueryParserTest {
private SAMLParser parser;
@Before
public void initParser() {
this.parser = new SAMLParser();
}
@Test(timeout = 2000)
public void testSaml20AttributeQuery() throws Exception {
try (InputStream is = SAMLAttributeQueryParserTest.class.getResourceAsStream("saml20-attributequery.xml")) {
Object parsedObject = parser.parse(is);
assertThat(parsedObject, instanceOf(AttributeQueryType.class));
AttributeQueryType query = (AttributeQueryType) parsedObject;
assertThat(query.getSignature(), nullValue());
assertThat(query.getConsent(), nullValue());
assertThat(query.getIssuer(), not(nullValue()));
assertThat(query.getIssuer().getValue(), is("https://sp/"));
NameIDType nameId = (NameIDType) query.getSubject().getSubType().getBaseID();
assertThat(nameId.getValue(), is("CN=trscavo@uiuc.edu,OU=User,O=NCSA-TEST,C=US"));
}
}
@Test(timeout = 2000)
public void testSaml20AttributeQueryWithExtension() throws Exception {
try (InputStream is = SAMLAttributeQueryParserTest.class.getResourceAsStream("saml20-attributequery-with-extension.xml")) {
Object parsedObject = parser.parse(is);
assertThat(parsedObject, instanceOf(AttributeQueryType.class));
AttributeQueryType query = (AttributeQueryType) parsedObject;
assertThat(query.getSignature(), nullValue());
assertThat(query.getConsent(), nullValue());
assertThat(query.getIssuer(), not(nullValue()));
assertThat(query.getIssuer().getValue(), is("https://sp/"));
NameIDType nameId = (NameIDType) query.getSubject().getSubType().getBaseID();
assertThat(nameId.getValue(), is("CN=trscavo@uiuc.edu,OU=User,O=NCSA-TEST,C=US"));
assertThat(query.getExtensions(), not(nullValue()));
assertThat(query.getExtensions().getAny().size(), is(1));
assertThat(query.getExtensions().getAny().get(0), instanceOf(Element.class));
Element el = (Element) query.getExtensions().getAny().get(0);
assertThat(el.getLocalName(), is("KeyInfo"));
assertThat(el.getNamespaceURI(), is("urn:keycloak:ext:key:1.0"));
assertThat(el.getAttribute("MessageSigningKeyId"), is("FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"));
}
}
}

View file

@ -0,0 +1,84 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.saml.processing.core.parsers.saml;
import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
import java.io.InputStream;
import org.junit.Test;
import org.junit.Before;
import org.w3c.dom.Element;
import static org.hamcrest.CoreMatchers.*;
import static org.junit.Assert.assertThat;
/**
* Test class for SAML AuthNRequest parser.
*
* @author hmlnarik
*/
public class SAMLAuthNRequestParserTest {
private SAMLParser parser;
@Before
public void initParser() {
this.parser = new SAMLParser();
}
@Test(timeout = 2000)
public void testSaml20AttributeQuery() throws Exception {
try (InputStream is = SAMLAuthNRequestParserTest.class.getResourceAsStream("saml20-authnrequest.xml")) {
Object parsedObject = parser.parse(is);
assertThat(parsedObject, instanceOf(AuthnRequestType.class));
AuthnRequestType req = (AuthnRequestType) parsedObject;
assertThat(req.getSignature(), nullValue());
assertThat(req.getConsent(), nullValue());
assertThat(req.getIssuer(), not(nullValue()));
assertThat(req.getIssuer().getValue(), is("https://sp/"));
assertThat(req.getNameIDPolicy().getFormat().toString(), is("urn:oasis:names:tc:SAML:2.0:nameid-format:transient"));
}
}
@Test(timeout = 2000)
public void testSaml20AttributeQueryWithExtension() throws Exception {
try (InputStream is = SAMLAuthNRequestParserTest.class.getResourceAsStream("saml20-authnrequest-with-extension.xml")) {
Object parsedObject = parser.parse(is);
assertThat(parsedObject, instanceOf(AuthnRequestType.class));
AuthnRequestType req = (AuthnRequestType) parsedObject;
assertThat(req.getSignature(), nullValue());
assertThat(req.getConsent(), nullValue());
assertThat(req.getIssuer(), not(nullValue()));
assertThat(req.getIssuer().getValue(), is("https://sp/"));
assertThat(req.getNameIDPolicy().getFormat().toString(), is("urn:oasis:names:tc:SAML:2.0:nameid-format:transient"));
assertThat(req.getExtensions(), not(nullValue()));
assertThat(req.getExtensions().getAny().size(), is(1));
assertThat(req.getExtensions().getAny().get(0), instanceOf(Element.class));
Element el = (Element) req.getExtensions().getAny().get(0);
assertThat(el.getLocalName(), is("KeyInfo"));
assertThat(el.getNamespaceURI(), is("urn:keycloak:ext:key:1.0"));
assertThat(el.getAttribute("MessageSigningKeyId"), is("FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"));
}
}
}

View file

@ -0,0 +1,69 @@
/*
* Copyright 2016 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.saml.processing.core.parsers.saml;
import org.keycloak.dom.saml.v2.assertion.NameIDType;
import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
import java.io.InputStream;
import org.junit.Test;
import org.junit.Before;
import org.w3c.dom.Element;
import static org.hamcrest.CoreMatchers.*;
import static org.junit.Assert.assertThat;
/**
* Test class for SAML SLO parser.
*
* @author hmlnarik
*/
public class SAMLSloRequestParserTest {
private SAMLParser parser;
@Before
public void initParser() {
this.parser = new SAMLParser();
}
@Test(timeout = 2000)
public void testSaml20SloResponseWithExtension() throws Exception {
try (InputStream is = SAMLSloRequestParserTest.class.getResourceAsStream("KEYCLOAK-4552-saml20-aslo-response-via-extension.xml")) {
Object parsedObject = parser.parse(is);
assertThat(parsedObject, instanceOf(LogoutRequestType.class));
LogoutRequestType resp = (LogoutRequestType) parsedObject;
assertThat(resp.getSignature(), nullValue());
assertThat(resp.getConsent(), nullValue());
assertThat(resp.getIssuer(), not(nullValue()));
assertThat(resp.getIssuer().getValue(), is("https://sp/"));
NameIDType nameId = resp.getNameID();
assertThat(nameId.getValue(), is("G-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"));
assertThat(resp.getExtensions(), not(nullValue()));
assertThat(resp.getExtensions().getAny().size(), is(1));
assertThat(resp.getExtensions().getAny().get(0), instanceOf(Element.class));
Element el = (Element) resp.getExtensions().getAny().get(0);
assertThat(el.getLocalName(), is("Asynchronous"));
assertThat(el.getNamespaceURI(), is("urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"));
}
}
}

View file

@ -0,0 +1,9 @@
<?xml version="1.0"?>
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://keycloak/auth/realms/XXX/protocol/saml" ID="_b89618b16ed98fed3d2f90b2ddee8027" IssueInstant="2017-03-09T09:32:00Z" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp/</saml:Issuer>
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX</saml:NameID>
<samlp:Extensions>
<aslo:Asynchronous xmlns:aslo="urn:oasis:names:tc:SAML:2.0:protocol:ext:async-slo"/>
</samlp:Extensions>
<samlp:SessionIndex>a1b93b43-4652-4e76-937a-cf3b982d683a</samlp:SessionIndex>
</samlp:LogoutRequest>

View file

@ -0,0 +1,19 @@
<samlp:AttributeQuery
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="aaf23196-1773-2113-474a-fe114412ab72"
Version="2.0"
IssueInstant="2006-07-17T20:31:40">
<samlp:Extensions>
<kckey:KeyInfo xmlns:kckey="urn:keycloak:ext:key:1.0" MessageSigningKeyId="FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"/>
</samlp:Extensions>
<saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
https://sp/
</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
CN=trscavo@uiuc.edu,OU=User,O=NCSA-TEST,C=US
</saml:NameID>
</saml:Subject>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.42" FriendlyName="givenName"/>
</samlp:AttributeQuery>

View file

@ -0,0 +1,16 @@
<samlp:AttributeQuery
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="aaf23196-1773-2113-474a-fe114412ab72"
Version="2.0"
IssueInstant="2006-07-17T20:31:40">
<saml:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
https://sp/
</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">
CN=trscavo@uiuc.edu,OU=User,O=NCSA-TEST,C=US
</saml:NameID>
</saml:Subject>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:2.5.4.42" FriendlyName="givenName"/>
</samlp:AttributeQuery>

View file

@ -0,0 +1,8 @@
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0" IssueInstant="2004-12-05T09:21:59">
<saml:Issuer>https://sp/</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
<samlp:Extensions>
<kckey:KeyInfo xmlns:kckey="urn:keycloak:ext:key:1.0" MessageSigningKeyId="FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"/>
</samlp:Extensions>
</samlp:AuthnRequest>

View file

@ -0,0 +1,5 @@
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="aaf23196-1773-2113-474a-fe114412ab72" Version="2.0" IssueInstant="2004-12-05T09:21:59">
<saml:Issuer>https://sp/</saml:Issuer>
<samlp:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>