def test_should_fail_when_bad_form_on_auth(well_known_master: WellKnown,
login_html_page: str):
session_provider = lambda: mock_session({
'http://localhost:8080/auth/realms/master/protocol/openid-connect/auth':
RequestSpec(response=MockResponse(status_code=200, response='nothing'),
assertion=lambda **kwargs: kwargs['params'] == {
'response_type': 'code',
'client_id': 'account',
'code_challenge_method': 'S256',
'code_challenge':
'W59JjmjRrRjxwZVd1SZW-zfqGilWDldy2gUAMPX8EuE',
'redirect_uri': None
})
})
kapi = KeyCloakApi(well_known=well_known_master.json,
session_provider=session_provider)
with pytest.raises(FailedAuthException) as e:
r = kapi.auth(Client('account', url=''),
password='******',
username='******')
assert str(e.value) == "'NoneType' object has no attribute 'attrs'"
def test_should_make_auth(well_known_master: WellKnown, login_html_page: str):
session_provider = lambda: mock_session(
{
'http://localhost:8080/auth/realms/master/protocol/openid-connect/auth':
RequestSpec(response=MockResponse(status_code=200,
response=login_html_page),
assertion=lambda **kwargs: kwargs['params'] == {
'response_type': 'code',
'client_id': 'account',
'code_challenge_method': 'S256',
'code_challenge':
'W59JjmjRrRjxwZVd1SZW-zfqGilWDldy2gUAMPX8EuE',
'redirect_uri': None
})
},
post={
'http://localhost:8080/auth/realms/master/login-actions/authenticate?session_code=bR4rBd0QNGsd_kGuqiyLEuYuY6FK3Lx9HCYJEltUQBk&execution=de13838a-ee3d-404e-b16d-b0d7aa320844&client_id=account-console&tab_id=GXMjAPR3DsQ':
RequestSpec(response=MockResponse(status_code=302),
assertion=lambda **kwargs: kwargs['data'] == {
'password': '******',
'username': '******'
})
})
kapi = KeyCloakApi(well_known=well_known_master.json,
session_provider=session_provider)
r = kapi.auth(Client('account', url=''), password='******', username='******')
assert r.status_code == 302
def test_should_return_token(well_known_master: WellKnown):
session_provider = lambda: mock_session(
post={
'http://localhost:8080/auth/realms/master/protocol/openid-connect/token':
RequestSpec(response=MockResponse(
status_code=200,
response={
'access_token': 'access_token',
'refresh_token': 'refresh_token'
}),
assertion=lambda **kwargs: kwargs['data'] == {
'client_id': 'account',
'client_secret': '',
'grant_type': 'password',
'password': '******',
'username': '******'
})
})
kapi = KeyCloakApi(well_known=well_known_master.json,
session_provider=session_provider)
assert kapi.get_token('account', '', 'user', 'pass',
'password') == ('access_token', 'refresh_token')
def perform(self, launch_properties, scan_properties):
realms = scan_properties['realms'].keys()
for realm in realms:
clients = scan_properties['clients'][realm]
well_known = scan_properties['wellknowns'][realm]
api = KeyCloakApi(well_known)
if 'security-admin-console' not in scan_properties \
or realm not in scan_properties['security-admin-console'] \
or 'secret' not in scan_properties['security-admin-console'][realm]:
verbose('No secret for realm {}'.format(realm))
continue
client_secret = scan_properties['security-admin-console'][realm][
'secret']
for client in clients:
if 'username' in launch_properties:
username = launch_properties['username']
if 'password' in launch_properties:
password = launch_properties['password']
test_none(api, client, client_secret, username,
password)
else:
test_none(api, client, client_secret, username,
username)
else:
info(
'No none scan, provide credentials to test jwt none signature'
)
def perform(self, realm: Realm, client: Client, well_known: WellKnown,
security_console: SecurityConsole, **kwargs) -> (Set[NoneSign], VulnFlag):
# TODO : make secret type + use credentials
vf = VulnFlag()
api = KeyCloakApi(well_known=well_known.json, session_provider=super().session, verbose=super().is_verbose())
if well_known.realm == realm and security_console.secret:
if self.username is not None:
password = self.password
if self.password is None:
password = self.username
if self.test_none(api, client, security_console.secret, self.username, password):
return {NoneSign(realm)}, vf
else:
super().info('No none scan, provide credentials to test jwt none signature')
else:
super().verbose(f'No secret for realm {realm.name}')
return set(), vf
def try_form_auth(self, client: Client, realm: Realm, well_known: WellKnown, results: Set[Credential],
username: Username, password: Password):
kapi = KeyCloakApi(well_known.json, verbose=super().is_verbose(),
session_provider=super().session)
try:
r = kapi.auth(client, username, password)
if r.status_code == 302:
results.add(Credential(realm, client, username, password))
super().find(self.name(), f'Form login work for {username} on realm {realm.name}, '
f'client {client.name}, ({r.headers.get("Location", "<unable to get header>")})')
except HTTPError as e:
super().verbose(f'HTTP error when login : {e}')
except FailedAuthException as e:
super().verbose(f'auth process fail : {e}')
def try_token(self, client: Client, grant_type: str, realm: Realm, well_known: WellKnown, results: Set[Credential],
username: Username, password: Password):
kapi = KeyCloakApi(well_known.json, verbose=super().is_verbose(),
session_provider=super().session)
# TODO : get client secret
try:
access_token, refresh_token = kapi.get_token(client.name, '', username, password,
grant_type=grant_type)
super().find(self.name(), f'Can login with username {username} on realm {realm.name}, '
f'client {client.name}, grant_type: {grant_type}')
super().verbose(f'access_token: {access_token}, refresh_token: {refresh_token}, '
f'password: {password}')
results.add(Credential(realm, client, username, password))
except HTTPError as e:
super().verbose(f'HTTP error when login : {e}')
def test_session_must_be_different_all_calls():
kapi = KeyCloakApi(well_known={},
session_provider=lambda: requests.Session())
assert kapi.session() != kapi.session()