libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

KEYCLOAK-18146 Search for clients by client attribute when doing saml artifact resolution

Browse source
This commit is contained in:
Michal Hajas 2021-05-26 15:29:15 +02:00 committed by Hynek Mlnařík
parent 2cb59e2503
commit 4dcb69596b
26 changed files with 364 additions and 52 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

84
model/jpa/src/main/java/org/keycloak/connections/jpa/updater/liquibase/custom/JpaUpdate14_0_0_MigrateSamlArtifactAttribute.java Normal file
View file

@ -0,0 +1,84 @@
/*
* Copyright 2020 Red Hat, Inc. and/or its affiliates
* and other contributors as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.keycloak.connections.jpa.updater.liquibase.custom;
import liquibase.exception.CustomChangeException;
import liquibase.statement.core.InsertStatement;
import liquibase.structure.core.Table;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.HashMap;
import java.util.Map;
import static org.keycloak.protocol.saml.util.ArtifactBindingUtils.computeArtifactBindingIdentifierString;
public class JpaUpdate14_0_0_MigrateSamlArtifactAttribute extends CustomKeycloakTask {
private static final String SAML_ARTIFACT_BINDING_IDENTIFIER = "saml.artifact.binding.identifier";
private final Map<String, String> clientIds = new HashMap<>();
@Override
protected void generateStatementsImpl() throws CustomChangeException {
extractClientsData("SELECT C.ID, C.CLIENT_ID FROM " + getTableName("CLIENT") + " C " +
"LEFT JOIN " + getTableName("CLIENT_ATTRIBUTES") + " CA " +
"ON C.ID = CA.CLIENT_ID AND CA.NAME='" + SAML_ARTIFACT_BINDING_IDENTIFIER + "' " +
"WHERE C.PROTOCOL='saml' AND CA.NAME IS NULL");
for (Map.Entry<String, String> clientPair : clientIds.entrySet()) {
String id = clientPair.getKey();
String clientId = clientPair.getValue();
String samlIdentifier = computeArtifactBindingIdentifierString(clientId);
statements.add(
new InsertStatement(null, null, database.correctObjectName("CLIENT_ATTRIBUTES", Table.class))
.addColumnValue("CLIENT_ID", id)
.addColumnValue("NAME", SAML_ARTIFACT_BINDING_IDENTIFIER)
.addColumnValue("VALUE", samlIdentifier)
);
}
}
private void extractClientsData(String sql) throws CustomChangeException {
try (PreparedStatement statement = jdbcConnection.prepareStatement(sql);
ResultSet rs = statement.executeQuery()) {
while (rs.next()) {
String id = rs.getString(1);
String clientId = rs.getString(2);
if (id == null || id.trim().isEmpty()
|| clientId == null || clientId.trim().isEmpty()) {
continue;
}
clientIds.put(id, clientId);
}
} catch (Exception e) {
throw new CustomChangeException(getTaskId() + ": Exception when extracting data from previous version", e);
}
}
@Override
protected String getTaskId() {
return "Migrate Saml attributes (14.0.0)";
}
}

4
model/jpa/src/main/java/org/keycloak/models/jpa/JpaClientProviderFactory.java
View file

@ -23,6 +23,7 @@ import org.keycloak.models.ClientProvider;
import org.keycloak.models.ClientProviderFactory;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.protocol.saml.SamlConfigAttributes;
import javax.persistence.EntityManager;
import java.util.Arrays;
@ -38,7 +39,8 @@ public class JpaClientProviderFactory implements ClientProviderFactory {
private Set<String> clientSearchableAttributes = null;
private static final List<String> REQUIRED_SEARCHABLE_ATTRIBUTES = Arrays.asList(
"saml_idp_initiated_sso_url_name"
"saml_idp_initiated_sso_url_name",
SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER
);
@Override

4
model/jpa/src/main/resources/META-INF/jpa-changelog-14.0.0.xml
View file

@ -71,4 +71,8 @@
</createIndex>
</changeSet>
<changeSet author="keycloak" id="KEYCLOAK-18146-add-saml-art-binding-identifier">
<customChange class="org.keycloak.connections.jpa.updater.liquibase.custom.JpaUpdate14_0_0_MigrateSamlArtifactAttribute"/>
</changeSet>
</databaseChangeLog>

13
server-spi-private/src/main/java/org/keycloak/models/utils/RepresentationToModel.java
View file

@ -141,6 +141,8 @@ import org.keycloak.storage.federated.UserFederatedStorageProvider;
import org.keycloak.util.JsonSerialization;
import org.keycloak.validation.ValidationUtil;
import static org.keycloak.protocol.saml.util.ArtifactBindingUtils.computeArtifactBindingIdentifierString;
public class RepresentationToModel {
private static Logger logger = Logger.getLogger(RepresentationToModel.class);
@ -1407,6 +1409,11 @@ public class RepresentationToModel {
}
}
if ("saml".equals(resourceRep.getProtocol())
&& (resourceRep.getAttributes() == null
|| !resourceRep.getAttributes().containsKey("saml.artifact.binding.identifier"))) {
client.setAttribute("saml.artifact.binding.identifier", computeArtifactBindingIdentifierString(resourceRep.getClientId()));
}
if (resourceRep.getAuthenticationFlowBindingOverrides() != null) {
for (Map.Entry<String, String> entry : resourceRep.getAuthenticationFlowBindingOverrides().entrySet()) {
@ -1559,6 +1566,12 @@ public class RepresentationToModel {
}
}
if ("saml".equals(rep.getProtocol())
&& (rep.getAttributes() == null
|| !rep.getAttributes().containsKey("saml.artifact.binding.identifier"))) {
resource.setAttribute("saml.artifact.binding.identifier", computeArtifactBindingIdentifierString(rep.getClientId()));
}
if (rep.getAuthenticationFlowBindingOverrides() != null) {
for (Map.Entry<String, String> entry : rep.getAuthenticationFlowBindingOverrides().entrySet()) {
if (entry.getValue() == null || entry.getValue().trim().equals("")) {

7
server-spi-private/src/main/java/org/keycloak/protocol/saml/ArtifactResolver.java
View file

@ -2,10 +2,9 @@ package org.keycloak.protocol.saml;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.provider.Provider;
import java.util.stream.Stream;
/**
* Provides a way to create and resolve artifacts for SAML Artifact binding
@ -15,12 +14,12 @@ public interface ArtifactResolver extends Provider {
/**
* Returns client model that issued artifact
*
* @param session KeycloakSession for searching for client corresponding client
* @param artifact the artifact
* @param clients stream of clients, the stream will be searched for a client that issued the artifact
* @return the client model that issued the artifact
* @throws ArtifactResolverProcessingException When an error occurs during client search
*/
ClientModel selectSourceClient(String artifact, Stream<ClientModel> clients) throws ArtifactResolverProcessingException;
ClientModel selectSourceClient(KeycloakSession session, String artifact) throws ArtifactResolverProcessingException;
/**
* Creates and stores an artifact

51
server-spi-private/src/main/java/org/keycloak/protocol/saml/util/ArtifactBindingUtils.java Normal file
View file

@ -0,0 +1,51 @@
package org.keycloak.protocol.saml.util;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
public class ArtifactBindingUtils {
public static String artifactToResolverProviderId(String artifact) {
return byteArrayToResolverProviderId(Base64.getDecoder().decode(artifact));
}
public static String byteArrayToResolverProviderId(byte[] ar) {
return String.format("%02X%02X", ar[0], ar[1]);
}
/**
* Computes identifier from the given String, for example, from entityId
*
* @param identifierFrom String that will be turned into an identifier
* @return Base64 of SHA-1 hash of the identifierFrom
*/
public static String computeArtifactBindingIdentifierString(String identifierFrom) {
return Base64.getEncoder().encodeToString(computeArtifactBindingIdentifier(identifierFrom));
}
/**
* Turns byte representation of the identifier into readable String
*
* @param identifier byte representation of the identifier
* @return Base64 of the identifier
*/
public static String getArtifactBindingIdentifierString(byte[] identifier) {
return Base64.getEncoder().encodeToString(identifier);
}
/**
* Computes 20 bytes long byte identifier of the given string, for example, from entityId
*
* @param identifierFrom String that will be turned into an identifier
* @return SHA-1 hash of the given identifierFrom
*/
public static byte[] computeArtifactBindingIdentifier(String identifierFrom) {
try {
MessageDigest sha1Digester = MessageDigest.getInstance("SHA-1");
return sha1Digester.digest(identifierFrom.getBytes(StandardCharsets.UTF_8));
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException("JVM does not support required cryptography algorithms: SHA-1/SHA1PRNG.", e);
}
}
}

28
services/src/main/java/org/keycloak/protocol/saml/DefaultSamlArtifactResolver.java
View file

@ -1,22 +1,22 @@
package org.keycloak.protocol.saml;
import com.google.common.base.Charsets;
import com.google.common.base.Strings;
import org.jboss.logging.Logger;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.saml.util.ArtifactBindingUtils;
import org.keycloak.saml.common.constants.GeneralConstants;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.stream.Stream;
import java.util.Collections;
import static org.keycloak.protocol.saml.DefaultSamlArtifactResolverFactory.TYPE_CODE;
import static org.keycloak.protocol.saml.SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER;
/**
* ArtifactResolver for artifact-04 format.
@ -43,18 +43,13 @@ public class DefaultSamlArtifactResolver implements ArtifactResolver {
}
@Override
public ClientModel selectSourceClient(String artifact, Stream<ClientModel> clients) throws ArtifactResolverProcessingException {
try {
byte[] source = extractSourceFromArtifact(artifact);
public ClientModel selectSourceClient(KeycloakSession session, String artifact) throws ArtifactResolverProcessingException {
byte[] source = extractSourceFromArtifact(artifact);
String identifier = ArtifactBindingUtils.getArtifactBindingIdentifierString(source);
MessageDigest sha1Digester = MessageDigest.getInstance("SHA-1");
return clients.filter(clientModel -> Arrays.equals(source,
sha1Digester.digest(clientModel.getClientId().getBytes(Charsets.UTF_8))))
.findFirst()
.orElseThrow(() -> new ArtifactResolverProcessingException("No client matching the artifact source found"));
} catch (NoSuchAlgorithmException e) {
throw new ArtifactResolverProcessingException(e);
}
return session.clients().searchClientsByAttributes(session.getContext().getRealm(),
Collections.singletonMap(SAML_ARTIFACT_BINDING_IDENTIFIER, identifier), 0, 1)
.findFirst().orElseThrow(() -> new ArtifactResolverProcessingException("No client matching the artifact source found"));
}
@Override
@ -109,8 +104,7 @@ public class DefaultSamlArtifactResolver implements ArtifactResolver {
SecureRandom handleGenerator = SecureRandom.getInstance("SHA1PRNG");
byte[] trimmedIndex = new byte[2];
MessageDigest sha1Digester = MessageDigest.getInstance("SHA-1");
byte[] source = sha1Digester.digest(entityId.getBytes(Charsets.UTF_8));
byte[] source = ArtifactBindingUtils.computeArtifactBindingIdentifier(entityId);
byte[] assertionHandle = new byte[20];
handleGenerator.nextBytes(assertionHandle);

9
services/src/main/java/org/keycloak/protocol/saml/SamlClient.java
View file

@ -20,6 +20,7 @@ package org.keycloak.protocol.saml;
import org.jboss.logging.Logger;
import org.keycloak.models.ClientConfigResolver;
import org.keycloak.models.ClientModel;
import org.keycloak.protocol.saml.util.ArtifactBindingUtils;
import org.keycloak.saml.SignatureAlgorithm;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.util.XmlKeyInfoKeyNameTransformer;
@ -258,4 +259,12 @@ public class SamlClient extends ClientConfigResolver {
return -1;
}
}
public void setArtifactBindingIdentifierFrom(String identifierFrom) {
client.setAttribute(SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER, ArtifactBindingUtils.computeArtifactBindingIdentifierString(identifierFrom));
}
public String getArtifactBindingIdentifier() {
return client.getAttribute(SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER);
}
}

1
services/src/main/java/org/keycloak/protocol/saml/SamlConfigAttributes.java
View file

@ -43,4 +43,5 @@ public interface SamlConfigAttributes {
String SAML_ENCRYPTION_CERTIFICATE_ATTRIBUTE = "saml.encryption." + CertificateInfoHelper.X509CERTIFICATE;
String SAML_ENCRYPTION_PRIVATE_KEY_ATTRIBUTE = "saml.encryption." + CertificateInfoHelper.PRIVATE_KEY;
String SAML_ASSERTION_LIFESPAN = "saml.assertion.lifespan";
String SAML_ARTIFACT_BINDING_IDENTIFIER = "saml.artifact.binding.identifier";
}

2
services/src/main/java/org/keycloak/protocol/saml/SamlProtocolFactory.java
View file

@ -175,6 +175,8 @@ public class SamlProtocolFactory extends AbstractLoginProtocolFactory {
if (clientRep.isFrontchannelLogout() == null) {
newClient.setFrontchannelLogout(true);
}
client.setArtifactBindingIdentifierFrom(clientRep.getClientId());
}
}

4
services/src/main/java/org/keycloak/protocol/saml/SamlService.java
View file

@ -71,7 +71,7 @@ import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor;
import org.keycloak.protocol.saml.profile.ecp.SamlEcpProfileService;
import org.keycloak.protocol.saml.profile.util.Soap;
import org.keycloak.protocol.util.ArtifactBindingUtils;
import org.keycloak.protocol.saml.util.ArtifactBindingUtils;
import org.keycloak.rotation.HardcodedKeyLocator;
import org.keycloak.rotation.KeyLocator;
import org.keycloak.saml.BaseSAML2BindingBuilder;
@ -341,7 +341,7 @@ public class SamlService extends AuthorizationEndpointBase {
//Find client
ClientModel client;
try {
client = getArtifactResolver(artifact).selectSourceClient(artifact, realm.getClientsStream());
client = getArtifactResolver(artifact).selectSourceClient(session, artifact);
Response error = checkClientValidity(client);
if (error != null) {

15
services/src/main/java/org/keycloak/protocol/util/ArtifactBindingUtils.java
View file

@ -1,15 +0,0 @@
package org.keycloak.protocol.util;
import org.keycloak.protocol.saml.DefaultSamlArtifactResolverFactory;
import java.util.Base64;
public class ArtifactBindingUtils {
public static String artifactToResolverProviderId(String artifact) {
return byteArrayToResolverProviderId(Base64.getDecoder().decode(artifact));
}
public static String byteArrayToResolverProviderId(byte[] ar) {
return String.format("%02X%02X", ar[0], ar[1]);
}
}

13
services/src/main/java/org/keycloak/services/managers/ClientManager.java
View file

@ -35,6 +35,9 @@ import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.LoginProtocolFactory;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.mappers.UserSessionNoteMapper;
import org.keycloak.protocol.saml.SamlClient;
import org.keycloak.protocol.saml.SamlConfigAttributes;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.representations.adapters.config.BaseRealmConfig;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;
import org.keycloak.representations.idm.ClientRepresentation;
@ -191,7 +194,8 @@ public class ClientManager {
}
}
public void clientIdChanged(ClientModel client, String newClientId) {
public void clientIdChanged(ClientModel client, ClientRepresentation newClientRepresentation) {
String newClientId = newClientRepresentation.getClientId();
logger.debugf("Updating clientId from '%s' to '%s'", client.getClientId(), newClientId);
UserModel serviceAccountUser = realmManager.getSession().users().getServiceAccount(client);
@ -199,6 +203,13 @@ public class ClientManager {
String username = ServiceAccountConstants.SERVICE_ACCOUNT_USER_PREFIX + newClientId;
serviceAccountUser.setUsername(username);
}
if (SamlProtocol.LOGIN_PROTOCOL.equals(client.getProtocol())) {
SamlClient samlClient = new SamlClient(client);
samlClient.setArtifactBindingIdentifierFrom(newClientId);
newClientRepresentation.getAttributes().put(SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER, samlClient.getArtifactBindingIdentifier());
}
}
@JsonPropertyOrder({"realm", "realm-public-key", "bearer-only", "auth-server-url", "ssl-required",

2
services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java
View file

@ -667,7 +667,7 @@ public class ClientResource {
}
if (rep.getClientId() != null && !rep.getClientId().equals(client.getClientId())) {
new ClientManager(new RealmManager(session)).clientIdChanged(client, rep.getClientId());
new ClientManager(new RealmManager(session)).clientIdChanged(client, rep);
}
if (rep.isFullScopeAllowed() != null && rep.isFullScopeAllowed() != client.isFullScopeAllowed()) {

4
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/CustomTestingSamlArtifactResolver.java
View file

@ -2,6 +2,7 @@ package org.keycloak.testsuite.authentication;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.saml.ArtifactResolver;
import java.io.ByteArrayInputStream;
@ -10,7 +11,6 @@ import java.io.IOException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.stream.Stream;
import static org.keycloak.testsuite.authentication.CustomTestingSamlArtifactResolverFactory.TYPE_CODE;
@ -23,7 +23,7 @@ public class CustomTestingSamlArtifactResolver implements ArtifactResolver {
public static List<String> list = new ArrayList<>();
@Override
public ClientModel selectSourceClient(String artifact, Stream<ClientModel> clients) {
public ClientModel selectSourceClient(KeycloakSession session, String artifact) {
return null;
}

2
testsuite/integration-arquillian/servers/auth-server/services/testsuite-providers/src/main/java/org/keycloak/testsuite/authentication/CustomTestingSamlArtifactResolverFactory.java
View file

@ -5,7 +5,7 @@ import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.protocol.saml.ArtifactResolver;
import org.keycloak.protocol.saml.ArtifactResolverFactory;
import org.keycloak.protocol.util.ArtifactBindingUtils;
import org.keycloak.protocol.saml.util.ArtifactBindingUtils;
/**
* This ArtifactResolver should be used only for testing purposes.

5
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/client/SAMLClientRegistrationTest.java
View file

@ -25,7 +25,9 @@ import org.keycloak.client.registration.Auth;
import org.keycloak.client.registration.ClientRegistrationException;
import org.keycloak.client.registration.HttpErrorException;
import org.keycloak.events.Errors;
import org.keycloak.protocol.saml.SamlConfigAttributes;
import org.keycloak.protocol.saml.mappers.AttributeStatementHelper;
import org.keycloak.protocol.saml.util.ArtifactBindingUtils;
import org.keycloak.representations.idm.ClientInitialAccessCreatePresentation;
import org.keycloak.representations.idm.ClientInitialAccessPresentation;
import org.keycloak.representations.idm.ClientRepresentation;
@ -85,7 +87,8 @@ public class SAMLClientRegistrationTest extends AbstractClientRegistrationTest {
));
assertThat(response.getAttributes().get("saml_single_logout_service_url_redirect"), is("https://LoadBalancer-9.siroe.com:3443/federation/SPSloRedirect/metaAlias/sp"));
assertThat(response.getAttributes().get(SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER), is(ArtifactBindingUtils.computeArtifactBindingIdentifierString("loadbalancer-9.siroe.com")));
Assert.assertNotNull(response.getProtocolMappers());
Assert.assertEquals(1,response.getProtocolMappers().size());
ProtocolMapperRepresentation mapper = response.getProtocolMappers().get(0);

22
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/migration/AbstractMigrationTest.java
View file

@ -45,6 +45,8 @@ import org.keycloak.models.utils.DefaultAuthenticationFlows;
import org.keycloak.models.utils.TimeBasedOTP;
import org.keycloak.protocol.oidc.OIDCConfigAttributes;
import org.keycloak.protocol.oidc.OIDCLoginProtocolFactory;
import org.keycloak.protocol.saml.SamlConfigAttributes;
import org.keycloak.protocol.saml.util.ArtifactBindingUtils;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.RefreshToken;
import org.keycloak.representations.idm.AuthenticationExecutionExportRepresentation;
@ -78,6 +80,7 @@ import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@ -86,6 +89,7 @@ import java.util.stream.Collectors;
import static org.hamcrest.Matchers.allOf;
import static org.hamcrest.Matchers.containsInAnyOrder;
import static org.hamcrest.Matchers.equalTo;
import static org.hamcrest.Matchers.hasEntry;
import static org.hamcrest.Matchers.hasItem;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
@ -125,7 +129,7 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
protected void testMigratedMigrationData(boolean supportsAuthzService) {
assertNames(migrationRealm.roles().list(), "offline_access", "uma_authorization", "default-roles-migration", "migration-test-realm-role");
List<String> expectedClientIds = new ArrayList<>(Arrays.asList("account", "account-console", "admin-cli", "broker", "migration-test-client", "realm-management", "security-admin-console"));
List<String> expectedClientIds = new ArrayList<>(Arrays.asList("account", "account-console", "admin-cli", "broker", "migration-test-client", "migration-saml-client", "realm-management", "security-admin-console"));
if (supportsAuthzService) {
expectedClientIds.add("authz-servlet");
@ -304,6 +308,10 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
}
}
protected void testMigrationTo14_0_0() {
testSamlAttributes(migrationRealm);
}
protected void testDeleteAccount(RealmResource realm) {
ClientRepresentation accountClient = realm.clients().findByClientId(ACCOUNT_MANAGEMENT_CLIENT_ID).get(0);
ClientResource accountResource = realm.clients().get(accountClient.getId());
@ -924,6 +932,7 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
protected void testMigrationTo12_x(boolean testRealmAttributesMigration) {
testMigrationTo12_0_0();
testMigrationTo13_0_0(testRealmAttributesMigration);
testMigrationTo14_0_0();
}
protected void testMigrationTo7_x(boolean supportedAuthzServices) {
@ -965,6 +974,17 @@ public abstract class AbstractMigrationTest extends AbstractKeycloakTest {
assertThat(migrationRealm2.toRepresentation().getDefaultRole().getName(), equalTo("default-roles-migration2-1"));
}
protected void testSamlAttributes(RealmResource realm) {
log.info("Testing SAML ARTIFACT BINDING IDENTIFIER");
realm.clients().findAll().stream()
.filter(clientRepresentation -> Objects.equals("saml", clientRepresentation.getProtocol()))
.forEach(clientRepresentation -> {
String clientId = clientRepresentation.getClientId();
assertThat(clientRepresentation.getAttributes(), hasEntry(SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER, ArtifactBindingUtils.computeArtifactBindingIdentifierString(clientId)));
});
}
protected void testRealmAttributesMigration() {
log.info("testing realm attributes migration");
Map<String, String> realmAttributes = migrationRealm.toRepresentation().getAttributes();

36
testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/saml/ArtifactBindingTest.java
View file

@ -19,6 +19,7 @@ import org.keycloak.protocol.saml.SamlConfigAttributes;
import org.keycloak.protocol.saml.SamlProtocol;
import org.keycloak.protocol.saml.SamlProtocolUtils;
import org.keycloak.protocol.saml.profile.util.Soap;
import org.keycloak.protocol.saml.util.ArtifactBindingUtils;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.saml.SAML2LogoutResponseBuilder;
import org.keycloak.saml.common.constants.GeneralConstants;
@ -984,4 +985,39 @@ public class ArtifactBindingTest extends AbstractSamlTest {
assertThat(spDescriptor.getSingleLogoutService().get(0).getLocation(), is(equalTo(new URI("http://url.artifact.test"))));
}
@Test
public void testArtifactBindingIdentifierChangedWhenClientIdChanged() throws IOException {
ClientRepresentation clientRepresentation = adminClient.realm(REALM_NAME)
.clients()
.findByClientId(SAML_CLIENT_ID_SALES_POST)
.get(0);
String oldIdentifier = clientRepresentation.getAttributes().get(SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER);
assertThat(oldIdentifier, notNullValue());
final String newClientId = "new_client_id";
try (ClientAttributeUpdater cau = ClientAttributeUpdater.forClient(adminClient, REALM_NAME, SAML_CLIENT_ID_SALES_POST)
.setClientId(newClientId)
.update()
) {
clientRepresentation = adminClient.realm(REALM_NAME)
.clients()
.findByClientId(newClientId)
.get(0);
String identifier = clientRepresentation.getAttributes().get(SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER);
assertThat(identifier, not(equalTo(oldIdentifier)));
assertThat(identifier, equalTo(ArtifactBindingUtils.computeArtifactBindingIdentifierString(newClientId)));
}
clientRepresentation = adminClient.realm(REALM_NAME)
.clients()
.findByClientId(SAML_CLIENT_ID_SALES_POST)
.get(0);
assertThat(clientRepresentation.getAttributes().get(SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER), equalTo(oldIdentifier));
}
}

17
testsuite/integration-arquillian/tests/base/src/test/resources/migration-test/migration-realm-1.9.8.Final.json
View file

@ -2225,6 +2225,21 @@
"useTemplateConfig" : false,
"useTemplateScope" : false,
"useTemplateMappers" : false
}, {
"clientId": "migration-saml-client",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8080/sales-post",
"redirectUris": [
"http://localhost:8080/sales-post/*"
],
"attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8080/sales-post/saml",
"saml_single_logout_service_url_post": "http://localhost:8080/sales-post/saml",
"saml.authnstatement": "true",
"saml_idp_initiated_sso_url_name": "sales-post"
}
}, {
"id" : "e6856a02-8f24-48d3-bb06-fae5dddae83e",
"clientId" : "realm-management",
@ -3943,4 +3958,4 @@
"resetCredentialsFlow" : "reset credentials",
"clientAuthenticationFlow" : "clients",
"keycloakVersion" : "7.0.0.GA"
} ]
} ]

17
testsuite/integration-arquillian/tests/base/src/test/resources/migration-test/migration-realm-2.5.5.Final.json
View file

@ -2602,6 +2602,21 @@
"useTemplateConfig" : false,
"useTemplateScope" : false,
"useTemplateMappers" : false
}, {
"clientId": "migration-saml-client",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8080/sales-post",
"redirectUris": [
"http://localhost:8080/sales-post/*"
],
"attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8080/sales-post/saml",
"saml_single_logout_service_url_post": "http://localhost:8080/sales-post/saml",
"saml.authnstatement": "true",
"saml_idp_initiated_sso_url_name": "sales-post"
}
}, {
"id" : "c8204f6f-f8c2-4af8-9bac-c45c95b4673b",
"clientId" : "realm-management",
@ -4616,4 +4631,4 @@
"waitIncrementSeconds" : "60"
},
"keycloakVersion" : "2.5.5.Final"
} ]
} ]

17
testsuite/integration-arquillian/tests/base/src/test/resources/migration-test/migration-realm-3.4.3.Final.json
View file

@ -810,6 +810,21 @@
"useTemplateConfig" : false,
"useTemplateScope" : false,
"useTemplateMappers" : false
}, {
"clientId": "migration-saml-client",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8080/sales-post",
"redirectUris": [
"http://localhost:8080/sales-post/*"
],
"attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8080/sales-post/saml",
"saml_single_logout_service_url_post": "http://localhost:8080/sales-post/saml",
"saml.authnstatement": "true",
"saml_idp_initiated_sso_url_name": "sales-post"
}
}, {
"id" : "9a37d2c5-6a36-4a2c-b837-f2ea846fb0d5",
"clientId" : "realm-management",
@ -4974,4 +4989,4 @@
"waitIncrementSeconds" : "60"
},
"keycloakVersion" : "3.4.3.Final"
} ]
} ]

17
testsuite/integration-arquillian/tests/base/src/test/resources/migration-test/migration-realm-4.8.3.Final.json
View file

@ -528,6 +528,21 @@
"nodeReRegistrationTimeout" : -1,
"defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ],
"optionalClientScopes" : [ "address", "phone", "offline_access" ]
}, {
"clientId": "migration-saml-client",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8080/sales-post",
"redirectUris": [
"http://localhost:8080/sales-post/*"
],
"attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8080/sales-post/saml",
"saml_single_logout_service_url_post": "http://localhost:8080/sales-post/saml",
"saml.authnstatement": "true",
"saml_idp_initiated_sso_url_name": "sales-post"
}
}, {
"id" : "99a28a93-e2e3-4b1d-a377-8a30f6b4930a",
"clientId" : "realm-management",
@ -4730,4 +4745,4 @@
},
"keycloakVersion" : "4.8.3.Final",
"userManagedAccessAllowed" : false
} ]
} ]

17
testsuite/integration-arquillian/tests/base/src/test/resources/migration-test/migration-realm-9.0.3.json
View file

@ -554,6 +554,21 @@
"defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ],
"optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
}, {
"clientId": "migration-saml-client",
"enabled": true,
"fullScopeAllowed": true,
"protocol": "saml",
"baseUrl": "http://localhost:8080/sales-post",
"redirectUris": [
"http://localhost:8080/sales-post/*"
],
"attributes": {
"saml_assertion_consumer_url_post": "http://localhost:8080/sales-post/saml",
"saml_single_logout_service_url_post": "http://localhost:8080/sales-post/saml",
"saml.authnstatement": "true",
"saml_idp_initiated_sso_url_name": "sales-post"
}
},{
"id" : "cb1a7042-228c-4f8e-b0c9-654f1855d1b8",
"clientId" : "realm-management",
"name" : "${client_realm-management}",
@ -5411,4 +5426,4 @@
"attributes" : { },
"keycloakVersion" : "9.0.3",
"userManagedAccessAllowed" : false
} ]
} ]

5
testsuite/integration-arquillian/tests/other/console/src/test/java/org/keycloak/testsuite/console/clients/AbstractClientTest.java
View file

@ -4,6 +4,8 @@ import org.jboss.arquillian.graphene.page.Page;
import org.junit.Before;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.protocol.saml.SamlConfigAttributes;
import org.keycloak.protocol.saml.util.ArtifactBindingUtils;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;
import org.keycloak.testsuite.console.AbstractConsoleTest;
@ -87,6 +89,7 @@ public abstract class AbstractClientTest extends AbstractConsoleTest {
attributes.put(SAML_SIGNATURE_ALGORITHM, "RSA_SHA256");
attributes.put(SAML_FORCE_NAME_ID_FORMAT, "false");
attributes.put(SAML_NAME_ID_FORMAT, "username");
attributes.put(SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER, ArtifactBindingUtils.computeArtifactBindingIdentifierString("saml"));
return attributes;
}
@ -147,4 +150,4 @@ public abstract class AbstractClientTest extends AbstractConsoleTest {
return clientsResource().get(id);
}
}
}

20
testsuite/integration-arquillian/tests/other/console/src/test/java/org/keycloak/testsuite/console/clients/ClientSettingsTest.java
View file

@ -20,6 +20,8 @@ package org.keycloak.testsuite.console.clients;
import org.jboss.arquillian.graphene.page.Page;
import org.junit.Test;
import org.keycloak.common.Profile;
import org.keycloak.protocol.saml.SamlConfigAttributes;
import org.keycloak.protocol.saml.util.ArtifactBindingUtils;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.testsuite.arquillian.annotation.EnableFeature;
import org.keycloak.testsuite.console.page.clients.settings.ClientSettings;
@ -29,6 +31,7 @@ import org.openqa.selenium.By;
import javax.ws.rs.core.Response;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import static org.junit.Assert.*;
import static org.keycloak.testsuite.auth.page.login.Login.OIDC;
@ -202,6 +205,23 @@ public class ClientSettingsTest extends AbstractClientTest {
assertClientSamlAttributes(getSAMLAttributes(), found.getAttributes());
}
@Test
public void updateSAML() {
createSAML();
final String newClientId = "new_client_id";
clientSettingsPage.form().setClientId(newClientId);
clientSettingsPage.form().save();
ClientRepresentation found = findClientByClientId(newClientId);
Map<String, String> samlAttributes = getSAMLAttributes();
samlAttributes.put(SamlConfigAttributes.SAML_ARTIFACT_BINDING_IDENTIFIER, ArtifactBindingUtils.computeArtifactBindingIdentifierString(newClientId));
assertClientSamlAttributes(samlAttributes, found.getAttributes());
}
@Test
public void invalidSettings() {
clientsPage.table().createClient();