def test_perform_with_event(base_url: str, all_realms: List[Realm],
full_scan_mock_session: Session,
well_known_list: List[WellKnown]):
realms_scanner = RealmScanner(
realms=['master', 'other'],
base_url=base_url,
session_provider=lambda: full_scan_mock_session)
well_known_scanner = WellKnownScanner(
base_url=base_url, session_provider=lambda: full_scan_mock_session)
client_scanner = ClientScanner(
clients=['client1', 'client2'],
base_url=base_url,
session_provider=lambda: full_scan_mock_session)
mediator = Mediator([realms_scanner, well_known_scanner, client_scanner])
mediator.start()
assert mediator.scan_results.get(
WrapperTypes.REALM_TYPE) == set(all_realms)
assert mediator.scan_results.get(
WrapperTypes.WELL_KNOWN_TYPE) == set(well_known_list)
assert len(mediator.scan_results.get(WrapperTypes.CLIENT_TYPE)) == 4
def test_perform(base_url: str, full_scan_mock_session: Session,
all_realms: List[Realm], all_clients: List[Client],
well_known_list: List[WellKnown],
security_console_results: List[SecurityConsole],
master_realm: Realm, other_realm: Realm):
class TestNoneSignScanner(NoneSignScanner, MockPrintLogger):
pass
scanner = TestNoneSignScanner(
username='******',
password='******',
base_url=base_url,
session_provider=lambda: full_scan_mock_session)
mediator = Mediator([scanner])
mediator.send(WrapperTypes.REALM_TYPE, set(all_realms))
mediator.send(WrapperTypes.CLIENT_TYPE, set(all_clients))
mediator.send(WrapperTypes.WELL_KNOWN_TYPE, set(well_known_list))
mediator.send(WrapperTypes.SECURITY_CONSOLE, set(security_console_results))
assert mediator.scan_results.get(WrapperTypes.NONE_SIGN) == {
NoneSign(other_realm), NoneSign(master_realm)
}
assert 'Got token via password method. access_token:eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3ODM4MGM2ZS1iODhmLTQ5NDQtOGRkZS03NTQyMDNkMjFhODEifQ.eyJleHAiOjE2MjE2NzU5NzIsImlhdCI6MTYyMTYzOTk3MiwianRpIjoiMGU2NDcxOTItMzU5ZS00NmU4LWFkYWQtNTQzNmQyNjMyZjA1IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsInN1YiI6IjJjMTZhY2Y1LWMwOTYtNDg5ZC1iYjFjLTU4ZTc0ZTJiZjAzMiIsInR5cCI6IlNlcmlhbGl6ZWQtSUQiLCJzZXNzaW9uX3N0YXRlIjoiZWY3ZjNjZmItMDAzZS00YzViLWEzMWQtYmI0OGFhZjAzNzk3Iiwic3RhdGVfY2hlY2tlciI6ImtKNy05MURtNVEwVXktT1JfVlJnT1d5eF91Wkh3M0ZfczktTVdlUjZRTlEifQ.6yZvyGKEH0NXmLY8nKRQMLsMQYPXq5dYCsIF3LRiOxI, refresh_token:eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3ODM4MGM2ZS1iODhmLTQ5NDQtOGRkZS03NTQyMDNkMjFhODEifQ.eyJleHAiOjE2MjE2NzU5NzIsImlhdCI6MTYyMTYzOTk3MiwianRpIjoiMGU2NDcxOTItMzU5ZS00NmU4LWFkYWQtNTQzNmQyNjMyZjA1IiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsInN1YiI6IjJjMTZhY2Y1LWMwOTYtNDg5ZC1iYjFjLTU4ZTc0ZTJiZjAzMiIsInR5cCI6IlNlcmlhbGl6ZWQtSUQiLCJzZXNzaW9uX3N0YXRlIjoiZWY3ZjNjZmItMDAzZS00YzViLWEzMWQtYmI0OGFhZjAzNzk3Iiwic3RhdGVfY2hlY2tlciI6ImtKNy05MURtNVEwVXktT1JfVlJnT1d5eF91Wkh3M0ZfczktTVdlUjZRTlEifQ.6yZvyGKEH0NXmLY8nKRQMLsMQYPXq5dYCsIF3LRiOxI' in scanner.infos
assert {
'color': 'grey',
'message': 'No secret for realm master'
} in scanner.verboses
def test_perform_with_event(master_realm: Realm, base_url: str,
full_scan_mock_session: Session):
mediator = Mediator([
SecurityConsoleScanner(base_url=base_url,
session_provider=lambda: full_scan_mock_session)
])
mediator.send(WrapperTypes.REALM_TYPE, {master_realm})
assert mediator.scan_results.get(WrapperTypes.SECURITY_CONSOLE) == set()
def __init__(self,
scanners: List[Scanner],
initial_values=None,
verbose=False,
fail_fast=False,
**kwargs):
if initial_values is None:
initial_values = {}
self.mediator = Mediator(scanners, initial_values, fail_fast=fail_fast)
self.fail_fast = fail_fast
super().__init__(verbose=verbose, **kwargs)
def test_perform_with_event(base_url: str, all_realms: List[Realm],
full_scan_mock_session: Session,
well_known_list: List[WellKnown]):
mediator = Mediator([
WellKnownScanner(base_url=base_url,
session_provider=lambda: full_scan_mock_session)
])
mediator.send(WrapperTypes.REALM_TYPE, set(all_realms))
assert mediator.scan_results.get(
WrapperTypes.WELL_KNOWN_TYPE) == set(well_known_list)
def test_perform_with_event(base_url: str, full_scan_mock_session: Session,
master_realm: Realm, other_realm: Realm):
scanner = RealmScanner(base_url=base_url,
realms=['master', 'other'],
session_provider=lambda: full_scan_mock_session)
mediator = Mediator([scanner])
scanner.perform_base()
assert mediator.scan_results.get(
WrapperTypes.REALM_TYPE) == {master_realm, other_realm}
def test_perform_with_event(base_url: str, full_scan_mock_session: Session,
master_realm: Realm, other_realm: Realm,
client1: Client, client2: Client,
well_known_list: List[WellKnown]):
mediator = Mediator([
OpenRedirectScanner(base_url=base_url,
session_provider=lambda: full_scan_mock_session)
])
mediator.send(WrapperTypes.REALM_TYPE, {master_realm, other_realm})
mediator.send(WrapperTypes.CLIENT_TYPE, {client1})
mediator.send(WrapperTypes.WELL_KNOWN_TYPE, set(well_known_list))
assert mediator.scan_results.get(WrapperTypes.OPEN_REDIRECT) == {
OpenRedirect(master_realm, client1),
OpenRedirect(other_realm, client1),
}
def test_client_registration_scanner_should_not_register(master_realm: Realm,
well_known_master: WellKnown,
credential_set: Set[Credential],
well_known_json_master: dict):
class TestRandomStr(RandomStr):
def random_str(self) -> str:
return '456789'
class TestClientRegistrationScanner(ClientRegistrationScanner, TestRandomStr):
pass
session_provider = lambda: MockSpec(
get={
'http://localhost:8080/auth/realms/master/.well-known/openid-configuration': RequestSpec(
MockResponse(status_code=200, response=well_known_json_master)
),
},
post={
'http://localhost:8080/auth/realms/master/clients-registrations/openid-connect':
RequestSpec(response=MockResponse(status_code=403),
assertion=check_request, assertion_value={'json': {
"application_type": "web",
"redirect_uris": [
"http://callback/callback"],
"client_name": "keycloak-client-456789",
"logo_uri": "http://callback/logo.png",
"jwks_uri": "http://callback/public_keys.jwks"
}}),
'http://localhost:8080/auth/realms/master/protocol/openid-connect/token': RequestSpec(
response=MockResponse(status_code=403))
},
).session()
mediator = Mediator([
TestClientRegistrationScanner(['http://callback'], base_url='http://localhost:8080',
session_provider=session_provider)
])
mediator.send(WrapperTypes.REALM_TYPE, {master_realm})
mediator.send(WrapperTypes.WELL_KNOWN_TYPE, {well_known_master})
mediator.send(WrapperTypes.CREDENTIAL_TYPE, credential_set)
assert mediator.scan_results.get(WrapperTypes.CLIENT_REGISTRATION) == set()
def test_perform_with_event(base_url, full_scan_mock_session: Session,
all_realms: List[Realm], all_clients: List[Client],
well_known_list: List[WellKnown],
master_realm: Realm, other_realm: Realm):
scanner = FormPostXssScanner(
base_url=base_url, session_provider=lambda: full_scan_mock_session)
mediator = Mediator([scanner])
mediator.send(WrapperTypes.REALM_TYPE, set(all_realms))
mediator.send(WrapperTypes.CLIENT_TYPE, set(all_clients))
mediator.send(WrapperTypes.WELL_KNOWN_TYPE, set(well_known_list))
assert mediator.scan_results.get(WrapperTypes.FORM_POST_XSS) == set()
## TODO: test when vulnerable
class MasterScanner(PrintLogger):
def __init__(self,
scanners: List[Scanner],
initial_values=None,
verbose=False,
fail_fast=False,
**kwargs):
if initial_values is None:
initial_values = {}
self.mediator = Mediator(scanners, initial_values, fail_fast=fail_fast)
self.fail_fast = fail_fast
super().__init__(verbose=verbose, **kwargs)
def start(self) -> ScanStatus:
has_errors, vf = self.mediator.start()
return ScanStatus(has_errors, vf.has_vuln)
def test_client_registration_scanner_should_register(master_realm: Realm,
well_known_master: WellKnown,
credential_set: Set[Credential],
well_known_json_master: dict):
class TestRandomStr(RandomStr):
def random_str(self) -> str:
return '456789'
class TestClientRegistrationScanner(ClientRegistrationScanner, TestRandomStr):
pass
response = {
"redirect_uris":
["http://localhost:8080/callback"],
"token_endpoint_auth_method": "client_secret_basic",
"grant_types": ["authorization_code", "refresh_token"],
"response_types": ["code", "none"],
"client_id": "539ce782-5d15-4256-a5fa-1a46609d056b",
"client_secret": "c94f5fc0-0a04-4e2f-aec6-b1f5edad1d44",
"client_name": "keycloak-client-456789",
"scope": "address phone offline_access microprofile-jwt",
"jwks_uri": "http://localhost:8080/public_keys.jwks",
"subject_type": "pairwise",
"request_uris": ["http://localhost:8080/rf.txt"],
"tls_client_certificate_bound_access_tokens": False,
"client_id_issued_at": 1622306364,
"client_secret_expires_at": 0,
"registration_client_uri": "http://localhost:8080/auth/realms/master/clients-registrations/openid-connect/539ce782-5d15-4256-a5fa-1a46609d056b",
"backchannel_logout_session_required": False
}
session_provider = lambda: MockSpec(
get={
'http://localhost:8080/auth/realms/master/.well-known/openid-configuration': RequestSpec(
MockResponse(status_code=200, response=well_known_json_master)
),
},
post={
'http://localhost:8080/auth/realms/master/clients-registrations/openid-connect':
RequestSpec(response=MockResponse(status_code=201, response=response),
assertion=check_request, assertion_value={'json': {
"application_type": "web",
"redirect_uris": [
"http://callback/callback"],
"client_name": "keycloak-client-456789",
"logo_uri": "http://callback/logo.png",
"jwks_uri": "http://callback/public_keys.jwks"
}})}).session()
mediator = Mediator([
TestClientRegistrationScanner(['http://callback'], base_url='http://localhost:8080',
session_provider=session_provider)
])
mediator.send(WrapperTypes.REALM_TYPE, {master_realm})
mediator.send(WrapperTypes.WELL_KNOWN_TYPE, {well_known_master})
mediator.send(WrapperTypes.CREDENTIAL_TYPE, credential_set)
assert mediator.scan_results.get(WrapperTypes.CLIENT_REGISTRATION) == {ClientRegistration(
'http://callback',
name='keycloak-client-456789',
url='http://localhost:8080/auth/realms/master/clients-registrations/openid-connect/539ce782-5d15-4256-a5fa-1a46609d056b',
json=response
)}
def test_perform_with_event(base_url: str, all_realms: List[Realm],
all_clients: List[Client],
well_known_list: List[WellKnown],
full_scan_mock_session: requests.Session, capsys):
mediator = Mediator([
LoginScanner(base_url=base_url,
session_provider=lambda: full_scan_mock_session)
])
mediator.send(WrapperTypes.USERNAME_TYPE, {Username('admin')})
mediator.send(WrapperTypes.PASSWORD_TYPE, {Password('pa55w0rd')})
mediator.send(WrapperTypes.REALM_TYPE, set(all_realms))
mediator.send(WrapperTypes.CLIENT_TYPE, set(all_clients))
mediator.send(WrapperTypes.WELL_KNOWN_TYPE, set(well_known_list))
result = mediator.scan_results.get(WrapperTypes.CREDENTIAL_TYPE)
captured = capsys.readouterr()
assert result == {
Credential(
Realm(
'master', 'http://localhost:8080/auth/realms/master', {
'realm': 'master',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/master/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/master/account',
'tokens-not-before': 0
}),
Client('client1',
'http://localhost:8080/auth/realms/master/client1'),
'admin', 'pa55w0rd'),
Credential(
Realm(
'master', 'http://localhost:8080/auth/realms/master', {
'realm': 'master',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/master/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/master/account',
'tokens-not-before': 0
}),
Client('client2',
'http://localhost:8080/auth/realms/master/client2'),
'admin', 'pa55w0rd'),
Credential(
Realm(
'other', 'http://localhost:8080/auth/realms/other', {
'realm': 'other',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/other/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/other/account',
'tokens-not-before': 0
}),
Client('client1',
'http://localhost:8080/auth/realms/master/client1'),
'admin', 'pa55w0rd'),
Credential(
Realm(
'other', 'http://localhost:8080/auth/realms/other', {
'realm': 'other',
'public_key':
'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwbbkdpQ9J5QR4nmfNL6y/+3PaIKzoeUIa1oRI1QlmXgtD/mCURhdVi52S0xQ8XGy2HIsrrct/G6rVMPDBzqa2bdKP0uB6iuuBmeH/RyJlMCdrXYTZjG5uWt6SlI7462966iqGYq1o3crHbSnLr/9OFIJD2zFBEYJZ2Xbd9IRcGpwpCSKJ5YAs1EnmLQrEBHxdLsQyIiHy5yU8bT5otgyS4tvn0UiY04zOonsvH5XmzvaZ77fo6DV8GY79eqCECiBF2OHUhZ7GjZfcHlKzeCS4vEODntPc/FzV+eqDkv9/ikDwJ9KHsLbIUkR9Ob2JE7jHg0a76CF2N/z8tztFAruawIDAQAB',
'token-service':
'http://localhost:8080/auth/realms/other/protocol/openid-connect',
'account-service':
'http://localhost:8080/auth/realms/other/account',
'tokens-not-before': 0
}),
Client('client2',
'http://localhost:8080/auth/realms/master/client2'),
'admin', 'pa55w0rd')
}
assert "[+] LoginScanner - Form login work for admin on realm other, client client2, (<openid location>)" in captured.out