def test_CT_TC_SAML_IDP_ACCESS_CONTROL_RBAC_OK_IDP_initiated( self, settings): """ Scenario: User logs in to the IDP. He then accesses SP1 where he has the appropriate role. Same user tries to log in to SP2, SP that he is authorized to access. He should be able to access SP2 without authenticating again. :param settings: :return: """ s = Session() # Service provider settings sp = settings["sps_saml"][0] sp_ip = sp["ip"] sp_port = sp["port"] sp_scheme = sp["http_scheme"] sp_path = sp["path"] sp_message = sp["logged_in_message"] # Service provider 2 settings sp2 = settings["sps_saml"][1] sp2_ip = sp2["ip"] sp2_port = sp2["port"] sp2_scheme = sp2["http_scheme"] sp2_path = sp2["path"] sp2_message = sp2["logged_in_message"] # Identity provider settings idp_ip = settings["idp"]["ip"] idp_port = settings["idp"]["port"] idp_scheme = settings["idp"]["http_scheme"] idp_message = settings["idp"]["logged_in_message"] idp_test_realm = settings["idp"]["test_realm"]["name"] idp_path = "auth/realms/{realm}/account".format(realm=idp_test_realm) idp_username = settings["idp"]["test_realm"]["username"] idp_password = settings["idp"]["test_realm"]["password"] # Common header for all the requests header = req.get_header() # Perform login to IDP (oath_cookie, keycloak_cookie, keycloak_cookie2, response) = req.login_idp(logger, s, header, idp_ip, idp_port, idp_scheme, idp_path, idp_username, idp_password) assert response.status_code == HTTPStatus.OK # Assert we are logged in to IDP assert re.search(idp_message, response.text) is not None # Access SP1 (session_cookie, response) = req.access_sp_saml(logger, s, header, sp_ip, sp_port, sp_scheme, sp_path, idp_ip, idp_port) # store the cookie received from keycloak keycloak_cookie3 = response.cookies assert response.status_code == HTTPStatus.FOUND redirect_url = response.headers['Location'] header_redirect_idp = { **header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port), 'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port) } response = req.redirect_to_idp(logger, s, redirect_url, header_redirect_idp, { **keycloak_cookie3, **keycloak_cookie2 }) assert response.status_code == HTTPStatus.OK soup = BeautifulSoup(response.content, 'html.parser') form = soup.body.form url_form = form.get('action') inputs = form.find_all('input') method_form = form.get('method') # Get the token (SAML response) from the identity provider token = {} for input in inputs: token[input.get('name')] = input.get('value') (response, sp_cookie) = req.access_sp_with_token( logger, s, header, sp_ip, sp_port, sp_scheme, idp_scheme, idp_ip, idp_port, method_form, url_form, token, session_cookie, keycloak_cookie2) assert response.status_code == HTTPStatus.OK assert re.search(sp_message, response.text) is not None # User can access SP1 # Attempt to access SP2 (session_cookie, response) = req.access_sp_saml(logger, s, header, sp2_ip, sp2_port, sp2_scheme, sp2_path, idp_ip, idp_port) session_cookie2 = response.cookies redirect_url = response.headers['Location'] header_redirect_idp = { **header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port), 'Referer': "{ip}:{port}".format(ip=sp2_ip, port=sp2_port) } response = req.redirect_to_idp(logger, s, redirect_url, header_redirect_idp, { **session_cookie2, **keycloak_cookie2 }) soup = BeautifulSoup(response.content, 'html.parser') form = soup.body.form url_form = form.get('action') inputs = form.find_all('input') method_form = form.get('method') # Get the token (SAML response) from the identity provider token = {} for input in inputs: token[input.get('name')] = input.get('value') (response, sp2_cookie) = req.access_sp_with_token( logger, s, header, sp2_ip, sp2_port, sp2_scheme, idp_scheme, idp_ip, idp_port, method_form, url_form, token, session_cookie, session_cookie2) assert response.status_code == HTTPStatus.OK assert re.search(sp2_message, response.text) is not None
def test_CT_TC_SAML_SSO_FORM_SIMPLE_IDP_initiated(self, settings): """ Test the CT_TC_SAML_SSO_FORM_SIMPLE use case with the IDP-initiated flow, i.e. the user logs in keycloak, the identity provider (IDP), and then accesses the application, which is a service provider (SP). The application redirect towards keycloak to obtain the SAML token. :param settings: :return: """ s = Session() # Service provider settings sp_ip = settings["service_provider"]["ip"] sp_port = settings["service_provider"]["port"] sp_scheme = settings["service_provider"]["http_scheme"] sp_path = settings["service_provider"]["path"] sp_message = settings["service_provider"]["logged_in_message"] # Identity provider settings idp_ip = settings["identity_provider"]["ip"] idp_port = settings["identity_provider"]["port"] idp_scheme = settings["identity_provider"]["http_scheme"] idp_path = settings["identity_provider"]["path"] idp_message = settings["identity_provider"]["logged_in_message"] idp_username = settings["identity_provider"]["username"] idp_password = settings["identity_provider"]["password"] keycloak_login_form_id = settings["identity_provider"]["login_form_id"] # Common header for all the requests header = { 'Accept': "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", 'Accept-Encoding': "gzip, deflate", 'Accept-Language': "en-US,en;q=0.5", 'User-Agent': "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0", 'Connection': "keep-alive", 'Upgrade-Insecure-Requests': "1", } (oath_cookie, keycloak_cookie, keycloak_cookie2, response) = req.login_idp(s, header, idp_ip, idp_port, idp_scheme, idp_path, idp_username, idp_password) assert response.status_code == 200 # Assert we are logged in assert re.search(idp_message, response.text) is not None (session_cookie, response) = req.access_sp_saml(s, header, sp_ip, sp_port, sp_scheme, sp_path, idp_ip, idp_port) # store the cookie received from keycloak keycloak_cookie3 = response.cookies assert response.status_code == 302 redirect_url = response.headers['Location'] header_redirect_idp = { **header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port), 'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port) } response = req.redirect_to_idp(s, redirect_url, header_redirect_idp, { **keycloak_cookie3, **keycloak_cookie2 }) assert response.status_code == 200 soup = BeautifulSoup(response.content, 'html.parser') form = soup.body.form url_form = form.get('action') inputs = form.find_all('input') method_form = form.get('method') # Get the saml response from the identity provider saml_response = {} for input in inputs: saml_response[input.get('name')] = input.get('value') (response, sp_cookie) = req.access_sp_with_token( s, header, sp_ip, sp_port, idp_scheme, idp_ip, idp_port, method_form, url_form, saml_response, session_cookie, keycloak_cookie2) assert response.status_code == 200 assert re.search(sp_message, response.text) is not None
def test_CT_TC_SAML_SSO_FORM_SIMPLE_IDP_initiated(self, settings): """ Test the CT_TC_SAML_SSO_FORM_SIMPLE use case with the IDP-initiated flow, i.e. the user logs in keycloak, the identity provider (IDP), and then accesses the application, which is a service provider (SP). The application redirect towards keycloak to obtain the SAML token. The token contains builtin and external claims. :param settings: :return: """ s = Session() # Service provider settings sp = settings["sps_saml"][0] sp_ip = sp["ip"] sp_port = sp["port"] sp_scheme = sp["http_scheme"] sp_path = sp["path"] sp_message = sp["logged_in_message"] # Identity provider settings idp_ip = settings["idp"]["ip"] idp_port = settings["idp"]["port"] idp_scheme = settings["idp"]["http_scheme"] idp_test_realm = settings["idp"]["test_realm"]["name"] idp_path = "auth/realms/{realm}/account".format(realm=idp_test_realm) idp_message = settings["idp"]["logged_in_message"] idp_username = settings["idp"]["test_realm"]["username"] idp_password = settings["idp"]["test_realm"]["password"] idp_attr_name = settings["idp"]["test_realm"]["attr_name"] idp_attr_tag = settings["idp"]["test_realm"]["attr_xml_elem"] idp_attr_name_external = settings["idp"]["test_realm"][ "external_attr_name"] # Common header for all the requests header = req.get_header() (oath_cookie, keycloak_cookie, keycloak_cookie2, response) = req.login_idp(logger, s, header, idp_ip, idp_port, idp_scheme, idp_path, idp_username, idp_password) assert response.status_code == HTTPStatus.OK # Assert we are logged in assert re.search(idp_message, response.text) is not None (session_cookie, response) = req.access_sp_saml(logger, s, header, sp_ip, sp_port, sp_scheme, sp_path, idp_ip, idp_port) # store the cookie received from keycloak keycloak_cookie3 = response.cookies assert response.status_code == HTTPStatus.FOUND redirect_url = response.headers['Location'] header_redirect_idp = { **header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port), 'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port) } response = req.redirect_to_idp(logger, s, redirect_url, header_redirect_idp, { **keycloak_cookie3, **keycloak_cookie2 }) assert response.status_code == HTTPStatus.OK soup = BeautifulSoup(response.content, 'html.parser') form = soup.body.form url_form = form.get('action') inputs = form.find_all('input') method_form = form.get('method') # Get the token (SAML response) from the identity provider token = {} for input in inputs: token[input.get('name')] = input.get('value') decoded_token = base64.b64decode(token['SAMLResponse']).decode("utf-8") val = idp_attr_tag + "=\"{v}\"".format(v=idp_attr_name) # assert that the IDP added the location attribute in the token assert re.search(val, decoded_token) is not None # assert that the external claim is also in the token val = idp_attr_tag + "=\"{v}\"".format(v=idp_attr_name_external) assert re.search(val, decoded_token) is not None (response, sp_cookie) = req.access_sp_with_token( logger, s, header, sp_ip, sp_port, sp_scheme, idp_scheme, idp_ip, idp_port, method_form, url_form, token, session_cookie, keycloak_cookie2) assert response.status_code == HTTPStatus.OK assert re.search(sp_message, response.text) is not None
def test_CT_TC_WS_FED_SSO_FORM_SIMPLE_IDP_initiated(self, settings): """ Test the CT_TC_SAML_SSO_FORM_SIMPLE use case with the IDP-initiated flow, i.e. the user logs in keycloak, the identity provider (IDP), and then accesses the application, which is a service provider (SP). The application redirect towards keycloak to obtain the WSFED token. :param settings: :return: """ s = Session() # Service provider settings sps = [settings["sps_wsfed"][0], settings["sps_wsfed"][1]] for sp in sps: sp_ip = sp["ip"] sp_port = sp["port"] sp_scheme = sp["http_scheme"] sp_path = sp["path"] sp_message = sp["logged_in_message"] # Identity provider settings idp_ip = settings["idp"]["ip"] idp_port = settings["idp"]["port"] idp_scheme = settings["idp"]["http_scheme"] idp_test_realm = settings["idp"]["test_realm"]["name"] idp_path = "auth/realms/{realm}/account".format( realm=idp_test_realm) idp_message = settings["idp"]["logged_in_message"] idp_username = settings["idp"]["test_realm"]["username"] idp_password = settings["idp"]["test_realm"]["password"] # Common header for all the requests header = req.get_header() (oath_cookie, keycloak_cookie, keycloak_cookie2, response) = req.login_idp(logger, s, header, idp_ip, idp_port, idp_scheme, idp_path, idp_username, idp_password) assert response.status_code == HTTPStatus.OK # Assert we are logged in assert re.search(idp_message, response.text) is not None response = req.access_sp_ws_fed(logger, s, header, sp_ip, sp_port, sp_scheme, sp_path) # store the cookie received from keycloak session_cookie = response.cookies assert response.status_code == HTTPStatus.FOUND redirect_url = response.headers['Location'] header_redirect_idp = { **header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port), 'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port) } response = req.redirect_to_idp(logger, s, redirect_url, header_redirect_idp, {**keycloak_cookie2}) assert response.status_code == HTTPStatus.OK soup = BeautifulSoup(response.content, 'html.parser') form = soup.body.form url_form = form.get('action') inputs = form.find_all('input') method_form = form.get('method') # Get the saml response from the identity provider token = {} for input in inputs: token[input.get('name')] = input.get('value') (response, sp_cookie) = req.access_sp_with_token( logger, s, header, sp_ip, sp_port, sp_scheme, idp_scheme, idp_ip, idp_port, method_form, url_form, token, session_cookie, keycloak_cookie2, ) assert response.status_code == HTTPStatus.OK assert re.search(sp_message, response.text) is not None