KEYCLOAK-7316: Default back to false if isPassive is missing in request.
This commit is contained in:
parent
dffe70e40a
commit
c8c76cc03f
6 changed files with 90 additions and 4 deletions
|
@ -96,12 +96,13 @@ import static org.hamcrest.Matchers.is;
|
||||||
import static org.hamcrest.Matchers.not;
|
import static org.hamcrest.Matchers.not;
|
||||||
import static org.hamcrest.Matchers.notNullValue;
|
import static org.hamcrest.Matchers.notNullValue;
|
||||||
import static org.hamcrest.Matchers.nullValue;
|
import static org.hamcrest.Matchers.nullValue;
|
||||||
|
|
||||||
import static org.junit.Assert.assertEquals;
|
import static org.junit.Assert.assertEquals;
|
||||||
import static org.junit.Assert.assertNotNull;
|
import static org.junit.Assert.assertNotNull;
|
||||||
import static org.junit.Assert.assertNull;
|
import static org.junit.Assert.assertNull;
|
||||||
import static org.junit.Assert.assertThat;
|
import static org.junit.Assert.assertThat;
|
||||||
import static org.junit.Assert.assertTrue;
|
import static org.junit.Assert.assertTrue;
|
||||||
|
import static org.junit.Assert.assertFalse;
|
||||||
/**
|
/**
|
||||||
* Test class for SAML parser.
|
* Test class for SAML parser.
|
||||||
*
|
*
|
||||||
|
@ -680,6 +681,28 @@ public class SAMLParserTest {
|
||||||
assertThat(req.getRequestedAuthnContext().getAuthnContextDeclRef(), hasItem(is("urn:kc:SAML:2.0:ac:ref:demo:decl")));
|
assertThat(req.getRequestedAuthnContext().getAuthnContextDeclRef(), hasItem(is("urn:kc:SAML:2.0:ac:ref:demo:decl")));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test //https://issues.jboss.org/browse/KEYCLOAK-7316
|
||||||
|
public void testAuthnRequestOptionalIsPassive() throws Exception {
|
||||||
|
AuthnRequestType req = assertParsed("KEYCLOAK-7316-noAtrributes.xml", AuthnRequestType.class);
|
||||||
|
|
||||||
|
assertThat("Not null!", req.isIsPassive(), nullValue());
|
||||||
|
assertThat("Not null!", req.isForceAuthn(), nullValue());
|
||||||
|
|
||||||
|
req = assertParsed("KEYCLOAK-7316-withTrueAttributes.xml", AuthnRequestType.class);
|
||||||
|
|
||||||
|
assertThat(req.isIsPassive(), notNullValue());
|
||||||
|
assertTrue("Wrong value!", req.isIsPassive().booleanValue());
|
||||||
|
assertThat(req.isForceAuthn(), notNullValue());
|
||||||
|
assertTrue("Wrong value!", req.isForceAuthn().booleanValue());
|
||||||
|
|
||||||
|
req = assertParsed("KEYCLOAK-7316-withFalseAttributes.xml", AuthnRequestType.class);
|
||||||
|
|
||||||
|
assertThat(req.isIsPassive(), notNullValue());
|
||||||
|
assertFalse("Wrong value!", req.isIsPassive().booleanValue());
|
||||||
|
assertThat(req.isForceAuthn(), notNullValue());
|
||||||
|
assertFalse("Wrong value!", req.isForceAuthn().booleanValue());
|
||||||
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testAuthnRequestInvalidPerXsdWithValidationDisabled() throws Exception {
|
public void testAuthnRequestInvalidPerXsdWithValidationDisabled() throws Exception {
|
||||||
AuthnRequestType req = assertParsed("saml20-authnrequest-invalid-per-xsd.xml", AuthnRequestType.class);
|
AuthnRequestType req = assertParsed("saml20-authnrequest-invalid-per-xsd.xml", AuthnRequestType.class);
|
||||||
|
|
|
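Review bot: The new fixture name `KEYCLOAK-7316-noAtrributes.xml` in testAuthnRequestOptionalIsPassive misspells "Attributes", which makes it inconsistent with the sibling fixtures `KEYCLOAK-7316-withTrueAttributes.xml` and `KEYCLOAK-7316-withFalseAttributes.xml`; renaming the resource (and the string in the test) to `KEYCLOAK-7316-noAttributes.xml` before merge avoids carrying the typo forward. Since each `assertThat(req.isIsPassive(), notNullValue())` already guards the unboxing, the following checks can read `assertTrue("Wrong value!", req.isIsPassive());` instead of calling `.booleanValue()` explicitly, and likewise for `isForceAuthn()`. A one-line comment such as `// absent attributes must parse as null so the caller can apply the schema default, not as false` would explain why the first block asserts nullValue rather than false. testAuthnRequestInvalidPerXsdWithValidationDisabled, which follows the new test, continues outside the hunk.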
@ -0,0 +1,14 @@
|
||||||
|
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
||||||
|
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
||||||
|
ID="_c327a0622c69920a4bdefa8a2fd98847b67cf18473"
|
||||||
|
Version="2.0"
|
||||||
|
IssueInstant="2017-11-16T07:09:05Z"
|
||||||
|
Destination="https://idp.example.com/auth/realms/MYIDP/protocol/saml"
|
||||||
|
AssertionConsumerServiceURL="https://iif.example.com/idp/module.php/saml/sp/saml2-acs.php/default-sp"
|
||||||
|
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
||||||
|
>
|
||||||
|
<saml:Issuer>https://iif.example.com/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
|
||||||
|
<samlp:Scoping>
|
||||||
|
<samlp:RequesterID>https://some.domain/sp</samlp:RequesterID>
|
||||||
|
</samlp:Scoping>
|
||||||
|
</samlp:AuthnRequest>
|
|
@ -0,0 +1,16 @@
|
||||||
|
<samlp:AuthnRequest ForceAuthn="false"
|
||||||
|
IsPassive="false"
|
||||||
|
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
||||||
|
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
||||||
|
ID="_c327a0622c69920a4bdefa8a2fd98847b67cf18473"
|
||||||
|
Version="2.0"
|
||||||
|
IssueInstant="2017-11-16T07:09:05Z"
|
||||||
|
Destination="https://idp.example.com/auth/realms/MYIDP/protocol/saml"
|
||||||
|
AssertionConsumerServiceURL="https://iif.example.com/idp/module.php/saml/sp/saml2-acs.php/default-sp"
|
||||||
|
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
||||||
|
>
|
||||||
|
<saml:Issuer>https://iif.example.com/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
|
||||||
|
<samlp:Scoping>
|
||||||
|
<samlp:RequesterID>https://some.domain/sp</samlp:RequesterID>
|
||||||
|
</samlp:Scoping>
|
||||||
|
</samlp:AuthnRequest>
|
|
@ -0,0 +1,16 @@
|
||||||
|
<samlp:AuthnRequest IsPassive="true"
|
||||||
|
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
||||||
|
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
|
||||||
|
ID="_c327a0622c69920a4bdefa8a2fd98847b67cf18473"
|
||||||
|
Version="2.0"
|
||||||
|
IssueInstant="2017-11-16T07:09:05Z"
|
||||||
|
Destination="https://idp.example.com/auth/realms/MYIDP/protocol/saml"
|
||||||
|
AssertionConsumerServiceURL="https://iif.example.com/idp/module.php/saml/sp/saml2-acs.php/default-sp"
|
||||||
|
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
||||||
|
ForceAuthn="true"
|
||||||
|
>
|
||||||
|
<saml:Issuer>https://iif.example.com/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
|
||||||
|
<samlp:Scoping>
|
||||||
|
<samlp:RequesterID>https://some.domain/sp</samlp:RequesterID>
|
||||||
|
</samlp:Scoping>
|
||||||
|
</samlp:AuthnRequest>
|
|
@ -338,8 +338,10 @@ public class SamlService extends AuthorizationEndpointBase {
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
//If unset we fall back to default "false"
|
||||||
return newBrowserAuthentication(authSession, requestAbstractType.isIsPassive(), redirectToAuthentication);
|
final boolean isPassive = (null == requestAbstractType.isIsPassive() ?
|
||||||
|
false : requestAbstractType.isIsPassive().booleanValue());
|
||||||
|
return newBrowserAuthentication(authSession, isPassive, redirectToAuthentication);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected String getBindingType(AuthnRequestType requestAbstractType) {
|
protected String getBindingType(AuthnRequestType requestAbstractType) {
|
||||||
|
|
|
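Review bot: The null guard reads `requestAbstractType.isIsPassive()` twice and spreads a ternary over two lines; `final boolean isPassive = Boolean.TRUE.equals(requestAbstractType.isIsPassive());` expresses the same "absent means false" rule in one null-safe line. The comment `//If unset we fall back to default "false"` would be more useful if it said why that default is the right one, e.g. `// IsPassive is optional in the SAML AuthnRequest; when absent we treat it as false (interactive login allowed) rather than suppressing the login UI`. The commit message and the new AuthnRequestTest also cover a missing ForceAuthn, but this hunk only guards IsPassive; if `isForceAuthn()` is unboxed elsewhere in this class it presumably needs the same treatment, which is not visible here. The enclosing method starts outside the hunk.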
@ -33,7 +33,6 @@ public class AuthnRequestTest extends AbstractSamlTest {
|
||||||
|
|
||||||
// KEYCLOAK-7316
|
// KEYCLOAK-7316
|
||||||
@Test
|
@Test
|
||||||
@Ignore
|
|
||||||
public void testIsPassiveNotSet() throws Exception {
|
public void testIsPassiveNotSet() throws Exception {
|
||||||
String res = new SamlClientBuilder()
|
String res = new SamlClientBuilder()
|
||||||
.authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST)
|
.authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST)
|
||||||
|
@ -48,6 +47,22 @@ public class AuthnRequestTest extends AbstractSamlTest {
|
||||||
assertThat(res, containsString("login"));
|
assertThat(res, containsString("login"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// KEYCLOAK-7316
|
||||||
|
@Test
|
||||||
|
public void testIsForceAuthNotSet() throws Exception {
|
||||||
|
String res = new SamlClientBuilder()
|
||||||
|
.authnRequest(getAuthServerSamlEndpoint(REALM_NAME), SAML_CLIENT_ID_SALES_POST, SAML_ASSERTION_CONSUMER_URL_SALES_POST, Binding.POST)
|
||||||
|
.transformObject(so -> {
|
||||||
|
so.setForceAuthn(null);
|
||||||
|
return so;
|
||||||
|
})
|
||||||
|
.build()
|
||||||
|
|
||||||
|
.executeAndTransform(resp -> EntityUtils.toString(resp.getEntity()));
|
||||||
|
|
||||||
|
assertThat(res, containsString("login"));
|
||||||
|
}
|
||||||
|
|
||||||
// KEYCLOAK-7316
|
// KEYCLOAK-7316
|
||||||
@Test
|
@Test
|
||||||
public void testIsPassiveFalse() throws Exception {
|
public void testIsPassiveFalse() throws Exception {
|
||||||
|
|
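Review bot: The only assertion in the new testIsForceAuthNotSet is `assertThat(res, containsString("login"))`, mirroring testIsPassiveNotSet, and that substring would also match an error page whose markup or URL mentions login, so the test could pass without proving the request reached the login form; asserting on a marker specific to the rendered login form (or the response status, if the builder exposes it) would pin the intended behavior more tightly. The `.build()` line is followed by a blank line before `.executeAndTransform(...)`, which breaks the fluent chain visually and differs from the existing test above it. testIsPassiveFalse, which follows the added test, continues outside the hunk.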