def test_CT_TC_SAML_IDP_ACCESS_CONTROL_RBAC_OK_IDP_initiated(
self, settings):
"""
Scenario: User logs in to the IDP. He then accesses SP1 where he has the appropriate role.
Same user tries to log in to SP2, SP that he is authorized to access. He should
be able to access SP2 without authenticating again.
:param settings:
:return:
"""
s = Session()
# Service provider settings
sp = settings["sps_saml"][0]
sp_ip = sp["ip"]
sp_port = sp["port"]
sp_scheme = sp["http_scheme"]
sp_path = sp["path"]
sp_message = sp["logged_in_message"]
# Service provider 2 settings
sp2 = settings["sps_saml"][1]
sp2_ip = sp2["ip"]
sp2_port = sp2["port"]
sp2_scheme = sp2["http_scheme"]
sp2_path = sp2["path"]
sp2_message = sp2["logged_in_message"]
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
idp_message = settings["idp"]["logged_in_message"]
idp_test_realm = settings["idp"]["test_realm"]["name"]
idp_path = "auth/realms/{realm}/account".format(realm=idp_test_realm)
idp_username = settings["idp"]["test_realm"]["username"]
idp_password = settings["idp"]["test_realm"]["password"]
# Common header for all the requests
header = req.get_header()
# Perform login to IDP
(oath_cookie, keycloak_cookie, keycloak_cookie2,
response) = req.login_idp(logger, s, header, idp_ip, idp_port,
idp_scheme, idp_path, idp_username,
idp_password)
assert response.status_code == HTTPStatus.OK
# Assert we are logged in to IDP
assert re.search(idp_message, response.text) is not None
# Access SP1
(session_cookie,
response) = req.access_sp_saml(logger, s, header, sp_ip, sp_port,
sp_scheme, sp_path, idp_ip, idp_port)
# store the cookie received from keycloak
keycloak_cookie3 = response.cookies
assert response.status_code == HTTPStatus.FOUND
redirect_url = response.headers['Location']
header_redirect_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
response = req.redirect_to_idp(logger, s, redirect_url,
header_redirect_idp, {
**keycloak_cookie3,
**keycloak_cookie2
})
assert response.status_code == HTTPStatus.OK
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
# Get the token (SAML response) from the identity provider
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
(response, sp_cookie) = req.access_sp_with_token(
logger, s, header, sp_ip, sp_port, sp_scheme, idp_scheme, idp_ip,
idp_port, method_form, url_form, token, session_cookie,
keycloak_cookie2)
assert response.status_code == HTTPStatus.OK
assert re.search(sp_message, response.text) is not None
# User can access SP1
# Attempt to access SP2
(session_cookie,
response) = req.access_sp_saml(logger, s, header, sp2_ip, sp2_port,
sp2_scheme, sp2_path, idp_ip, idp_port)
session_cookie2 = response.cookies
redirect_url = response.headers['Location']
header_redirect_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp2_ip, port=sp2_port)
}
response = req.redirect_to_idp(logger, s, redirect_url,
header_redirect_idp, {
**session_cookie2,
**keycloak_cookie2
})
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
# Get the token (SAML response) from the identity provider
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
(response, sp2_cookie) = req.access_sp_with_token(
logger, s, header, sp2_ip, sp2_port, sp2_scheme, idp_scheme,
idp_ip, idp_port, method_form, url_form, token, session_cookie,
session_cookie2)
assert response.status_code == HTTPStatus.OK
assert re.search(sp2_message, response.text) is not None
def test_CT_TC_SAML_SSO_FORM_SIMPLE_IDP_initiated(self, settings):
"""
Test the CT_TC_SAML_SSO_FORM_SIMPLE use case with the IDP-initiated flow, i.e. the user logs in keycloak,
the identity provider (IDP), and then accesses the application, which is a service provider (SP).
The application redirect towards keycloak to obtain the SAML token.
:param settings:
:return:
"""
s = Session()
# Service provider settings
sp_ip = settings["service_provider"]["ip"]
sp_port = settings["service_provider"]["port"]
sp_scheme = settings["service_provider"]["http_scheme"]
sp_path = settings["service_provider"]["path"]
sp_message = settings["service_provider"]["logged_in_message"]
# Identity provider settings
idp_ip = settings["identity_provider"]["ip"]
idp_port = settings["identity_provider"]["port"]
idp_scheme = settings["identity_provider"]["http_scheme"]
idp_path = settings["identity_provider"]["path"]
idp_message = settings["identity_provider"]["logged_in_message"]
idp_username = settings["identity_provider"]["username"]
idp_password = settings["identity_provider"]["password"]
keycloak_login_form_id = settings["identity_provider"]["login_form_id"]
# Common header for all the requests
header = {
'Accept':
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
'Accept-Encoding': "gzip, deflate",
'Accept-Language': "en-US,en;q=0.5",
'User-Agent':
"Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0",
'Connection': "keep-alive",
'Upgrade-Insecure-Requests': "1",
}
(oath_cookie, keycloak_cookie, keycloak_cookie2,
response) = req.login_idp(s, header, idp_ip, idp_port, idp_scheme,
idp_path, idp_username, idp_password)
assert response.status_code == 200
# Assert we are logged in
assert re.search(idp_message, response.text) is not None
(session_cookie,
response) = req.access_sp_saml(s, header, sp_ip, sp_port, sp_scheme,
sp_path, idp_ip, idp_port)
# store the cookie received from keycloak
keycloak_cookie3 = response.cookies
assert response.status_code == 302
redirect_url = response.headers['Location']
header_redirect_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
response = req.redirect_to_idp(s, redirect_url, header_redirect_idp, {
**keycloak_cookie3,
**keycloak_cookie2
})
assert response.status_code == 200
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
# Get the saml response from the identity provider
saml_response = {}
for input in inputs:
saml_response[input.get('name')] = input.get('value')
(response, sp_cookie) = req.access_sp_with_token(
s, header, sp_ip, sp_port, idp_scheme, idp_ip, idp_port,
method_form, url_form, saml_response, session_cookie,
keycloak_cookie2)
assert response.status_code == 200
assert re.search(sp_message, response.text) is not None
def test_CT_TC_SAML_SSO_FORM_SIMPLE_IDP_initiated(self, settings):
"""
Test the CT_TC_SAML_SSO_FORM_SIMPLE use case with the IDP-initiated flow, i.e. the user logs in keycloak,
the identity provider (IDP), and then accesses the application, which is a service provider (SP).
The application redirect towards keycloak to obtain the SAML token.
The token contains builtin and external claims.
:param settings:
:return:
"""
s = Session()
# Service provider settings
sp = settings["sps_saml"][0]
sp_ip = sp["ip"]
sp_port = sp["port"]
sp_scheme = sp["http_scheme"]
sp_path = sp["path"]
sp_message = sp["logged_in_message"]
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
idp_test_realm = settings["idp"]["test_realm"]["name"]
idp_path = "auth/realms/{realm}/account".format(realm=idp_test_realm)
idp_message = settings["idp"]["logged_in_message"]
idp_username = settings["idp"]["test_realm"]["username"]
idp_password = settings["idp"]["test_realm"]["password"]
idp_attr_name = settings["idp"]["test_realm"]["attr_name"]
idp_attr_tag = settings["idp"]["test_realm"]["attr_xml_elem"]
idp_attr_name_external = settings["idp"]["test_realm"][
"external_attr_name"]
# Common header for all the requests
header = req.get_header()
(oath_cookie, keycloak_cookie, keycloak_cookie2,
response) = req.login_idp(logger, s, header, idp_ip, idp_port,
idp_scheme, idp_path, idp_username,
idp_password)
assert response.status_code == HTTPStatus.OK
# Assert we are logged in
assert re.search(idp_message, response.text) is not None
(session_cookie,
response) = req.access_sp_saml(logger, s, header, sp_ip, sp_port,
sp_scheme, sp_path, idp_ip, idp_port)
# store the cookie received from keycloak
keycloak_cookie3 = response.cookies
assert response.status_code == HTTPStatus.FOUND
redirect_url = response.headers['Location']
header_redirect_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
response = req.redirect_to_idp(logger, s, redirect_url,
header_redirect_idp, {
**keycloak_cookie3,
**keycloak_cookie2
})
assert response.status_code == HTTPStatus.OK
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
# Get the token (SAML response) from the identity provider
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
decoded_token = base64.b64decode(token['SAMLResponse']).decode("utf-8")
val = idp_attr_tag + "=\"{v}\"".format(v=idp_attr_name)
# assert that the IDP added the location attribute in the token
assert re.search(val, decoded_token) is not None
# assert that the external claim is also in the token
val = idp_attr_tag + "=\"{v}\"".format(v=idp_attr_name_external)
assert re.search(val, decoded_token) is not None
(response, sp_cookie) = req.access_sp_with_token(
logger, s, header, sp_ip, sp_port, sp_scheme, idp_scheme, idp_ip,
idp_port, method_form, url_form, token, session_cookie,
keycloak_cookie2)
assert response.status_code == HTTPStatus.OK
assert re.search(sp_message, response.text) is not None
def test_CT_TC_WS_FED_SSO_FORM_SIMPLE_IDP_initiated(self, settings):
"""
Test the CT_TC_SAML_SSO_FORM_SIMPLE use case with the IDP-initiated flow, i.e. the user logs in keycloak,
the identity provider (IDP), and then accesses the application, which is a service provider (SP).
The application redirect towards keycloak to obtain the WSFED token.
:param settings:
:return:
"""
s = Session()
# Service provider settings
sps = [settings["sps_wsfed"][0], settings["sps_wsfed"][1]]
for sp in sps:
sp_ip = sp["ip"]
sp_port = sp["port"]
sp_scheme = sp["http_scheme"]
sp_path = sp["path"]
sp_message = sp["logged_in_message"]
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
idp_test_realm = settings["idp"]["test_realm"]["name"]
idp_path = "auth/realms/{realm}/account".format(
realm=idp_test_realm)
idp_message = settings["idp"]["logged_in_message"]
idp_username = settings["idp"]["test_realm"]["username"]
idp_password = settings["idp"]["test_realm"]["password"]
# Common header for all the requests
header = req.get_header()
(oath_cookie, keycloak_cookie, keycloak_cookie2,
response) = req.login_idp(logger, s, header, idp_ip, idp_port,
idp_scheme, idp_path, idp_username,
idp_password)
assert response.status_code == HTTPStatus.OK
# Assert we are logged in
assert re.search(idp_message, response.text) is not None
response = req.access_sp_ws_fed(logger, s, header, sp_ip, sp_port,
sp_scheme, sp_path)
# store the cookie received from keycloak
session_cookie = response.cookies
assert response.status_code == HTTPStatus.FOUND
redirect_url = response.headers['Location']
header_redirect_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip,
port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
response = req.redirect_to_idp(logger, s, redirect_url,
header_redirect_idp,
{**keycloak_cookie2})
assert response.status_code == HTTPStatus.OK
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
# Get the saml response from the identity provider
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
(response, sp_cookie) = req.access_sp_with_token(
logger,
s,
header,
sp_ip,
sp_port,
sp_scheme,
idp_scheme,
idp_ip,
idp_port,
method_form,
url_form,
token,
session_cookie,
keycloak_cookie2,
)
assert response.status_code == HTTPStatus.OK
assert re.search(sp_message, response.text) is not None
