def kerberos_form_fallback(logger, s, response, header, cookie):
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.find("form")
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
req_kerberos_fallback = Request(method=method_form,
url="{url}".format(url=url_form),
headers=header,
cookies=cookie)
prepared_request = req_kerberos_fallback.prepare()
log_request(logger, req_kerberos_fallback)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
return response
def redirect_to_idp(logger, s, redirect_url, header, cookie):
"""
Helper dedicated to perform the redirect request to the identity provider
:param logger:
:param s: session s
:param redirect_url: redirect url
:param header: header used for the requests
:param cookie:
:return:
"""
req_get_keycloak = Request(method='GET',
url="{url}".format(url=redirect_url),
cookies=cookie,
headers=header)
prepared_request = req_get_keycloak.prepare()
log_request(logger, req_get_keycloak)
response = s.send(prepared_request, verify=False)
logger.debug(response.status_code)
return response
def get_access_token(logger, s, data, idp_scheme, idp_port, idp_ip, realm_id):
"""
Helper dedicated to obtain the access token for Keycloak
:param logger:
:param s: session s
:param data: payload of the request
:param idp_scheme: identity provider http scheme
:param idp_port: identity provider port
:param idp_ip: identity provider ip
:param realm_id: id of the realm
:return:
"""
req_get_access_token = Request(
method='POST',
url=
"{scheme}://{ip}:{port}/auth/realms/{realm}/protocol/openid-connect/token"
.format(scheme=idp_scheme, ip=idp_ip, port=idp_port, realm=realm_id),
data=data)
prepared_request = req_get_access_token.prepare()
log_request(logger, req_get_access_token)
response = s.send(prepared_request, verify=False)
logger.debug(response.status_code)
access_token = json.loads(response.text)['access_token']
return access_token
def broker_fill_in_form(logger, s, response, header, cookie, new_cookie,
idp_broker, idp_form_id):
"""
Method that simulates the requests that need to be done when a user first logs in using a broker,
as he is asked to fill in a form with his email, first name and last name
:param logger:
:param s:
:param response:
:param header:
:param cookie:
:param idp_broker:
:return:
"""
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.find("form", {"id": idp_form_id})
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
for input in inputs:
if input.get('name') == "username":
username = input.get('value')
user_data = {}
user_data["username"] = username
if idp_broker == "cloudtrust_saml":
user_data["email"] = "*****@*****.**"
user_data["firstName"] = "Mr."
user_data["lastName"] = "Test"
else:
user_data["email"] = "*****@*****.**"
user_data["firstName"] = "Mr."
user_data["lastName"] = "Test"
req_send_user_data = Request(method=method_form,
url="{url}".format(url=url_form),
data=user_data,
cookies={
**cookie,
**new_cookie
},
headers=header)
prepared_request = req_send_user_data.prepare()
log_request(logger, req_send_user_data)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
redirect_url = response.headers['Location']
response = redirect_to_idp(logger, s, redirect_url, header, {
**cookie,
**new_cookie
})
return response
def send_credentials_to_idp(logger, s, header, idp_ip, idp_port, redirect_url,
url_form, credentials_data, cookie, method):
"""
Helper dedicated to send the credentials to the identity provider
:param logger:
:param s: session s
:param header: header used for the requests
:param idp_ip: identity provider ip
:param idp_port: identity provider port
:param redirect_url: referer url
:param url_form: url used for the request
:param credentials_data: credentials, e.g. password and username
:param cookie: keycloak cookie
:param method: method used to do the request, e.g. GET, POST
:return:
"""
header_login_keycloak = {
**header,
'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port),
'Referer': "{host}".format(host=redirect_url),
}
req_login_idp = Request(method=method,
url="{url}".format(url=url_form),
data=credentials_data,
cookies=cookie,
headers=header_login_keycloak)
prepared_request = req_login_idp.prepare()
log_request(logger, req_login_idp)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
return response
def access_sp_ws_fed(logger, s, header, sp_ip, sp_port, sp_scheme, sp_path):
"""
Helper dedicated to access the service provider in order to obtain the
endpoint of the IDP, where the connection protocol is WSFED
:param logger:
:param s: session s
:param header: header used for the request
:param sp_ip: service provider ip
:param sp_port: service provider port
:param sp_scheme: service provider http scheme
:param sp_path: service provider path
:return:
"""
# Access to the SP
header_sp_page = {
**header, 'Host': "{ip}:{port}".format(ip=sp_ip, port=sp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
req_get_sp_page = Request(
method='GET',
url="{scheme}://{ip}:{port}/{path}".format(scheme=sp_scheme,
port=sp_port,
ip=sp_ip,
path=sp_path),
headers=header_sp_page,
)
prepared_request = req_get_sp_page.prepare()
log_request(logger, req_get_sp_page)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
return response
def remove_user_sessions(s, logger, idp_ip, idp_port, idp_scheme, idp_username,
idp_password, idp_client_id, idp_realm_id,
idp_realm_test, user_id):
"""
Helper dedicated to remove all users sessions associated with the user id
:param settings:
:return:
"""
access_token_data = {
"client_id": idp_client_id,
"username": idp_username,
"password": idp_password,
"grant_type": "password"
}
access_token = get_access_token(logger, s, access_token_data, idp_scheme,
idp_port, idp_ip, idp_realm_id)
header = {
'Accept':
"application/json,text/plain, */*",
'Accept-Encoding':
"gzip, deflate",
'Accept-Language':
"en-US,en;q=0.5",
'User-Agent':
"Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0",
'Connection':
"keep-alive",
'Content-Type':
"application/json",
'Referer':
"{scheme}://{ip}:{port}/auth/admin/master/console/".format(
scheme=idp_scheme, ip=idp_ip, port=idp_port),
'Host':
"{ip}:{port}".format(ip=idp_ip, port=idp_port),
"DNT":
"1",
"Keep-Alive":
"timeout=15, max=3",
'Authorization':
'Bearer ' + access_token
}
req_remove_user_sessions = Request(
method='POST',
url="{scheme}://{ip}:{port}/auth/admin/realms/{realm}/users/{id}/logout"
.format(scheme=idp_scheme,
ip=idp_ip,
port=idp_port,
realm=idp_realm_test,
id=user_id),
headers=header,
)
prepared_request = req_remove_user_sessions.prepare()
log_request(logger, req_remove_user_sessions)
response = s.send(prepared_request, verify=False)
logger.debug(response.status_code)
return response.status_code
def test_security_broker_fuzzing(self, settings):
"""
This test respects the following use-case:
- we simulate a login using an external IDP; in this case the external IDP generates a token that is transmitted
to the broker IDP and used further to allow access to the service provider for the correctly authenticated user
- for the tests, we fuzz one or more of the parameters 'wa', 'wtrealm', 'wresult' or 'wctx' from the token sent from the
external IDP to the broker IDP
- we check what is the return code of the broker IDP when sending the fuzzed token
- afterwards, we check if Keycloak is still working properly by doing a login and a logout
Repeat the previous steps an unlimited number of times
- as output we expect to receive 400 and 414 from Keycloak and for the login and logout to be done
successfully
:param settings:
:return:
"""
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
idp_test_realm = settings["idp"]["test_realm"]["name"]
idp_form_id = settings["idp"]["login_form_update"]
idp_broker = settings["idp"]["wsfed_broker"]
# a login WSFED query
query = "wa=wsignin1.0&" \
"wreply=http%3A%2F%2F127.0.0.1%3A7000%2Fj_spring_fediz_security_check&" \
"wtrealm=sp_wsfed1&" \
"wct=2018-07-10T14%3A43%3A45.921Z&" \
"wctx=48022b8c-9b80-4446-8487-f94b24439f44"
initial_redirect_url = "{scheme}://{ip}:{port}/auth/realms/{realm}/protocol/wsfed?{query}".format(
scheme=idp_scheme,
ip=idp_ip,
port=idp_port,
realm=idp_test_realm,
query=query)
# follow the login flow up to the moment that the external IDP sends the reply (containing the wsfed fields)
# to the broker
#for i in range(0,1):
while True:
s = Session()
# Service provider settings
sp = settings["sps_wsfed"][0]
sp_ip = sp["ip"]
sp_port = sp["port"]
sp_scheme = sp["http_scheme"]
sp_path = sp["path"]
sp_message = sp["logged_in_message"]
# Identity provider settings
# IDP broker
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
idp_broker = settings["idp"]["wsfed_broker"]
idp_client_id = settings["idp"]["master_realm"]["client_id"]
idp_realm_id = settings["idp"]["master_realm"]["name"]
idp_realm_test = settings["idp"]["test_realm"]["name"]
idp_master_username = settings["idp"]["master_realm"]["username"]
idp_master_password = settings["idp"]["master_realm"]["password"]
idp_username = settings["idp_external"]["test_realm"]["username"]
idp_password = settings["idp_external"]["test_realm"]["password"]
# IDP external
idp2_ip = settings["idp_external"]["ip"]
idp2_port = settings["idp_external"]["port"]
idp2_scheme = settings["idp_external"]["http_scheme"]
idp2_client_id = settings["idp_external"]["master_realm"][
"client_id"]
idp2_realm_id = settings["idp_external"]["master_realm"]["name"]
idp2_realm_test = settings["idp_external"]["test_realm"]["name"]
idp2_master_username = settings["idp_external"]["master_realm"][
"username"]
idp2_master_password = settings["idp_external"]["master_realm"][
"password"]
keycloak_login_form_id = settings["idp"]["login_form_id"]
# Common header for all the requests
header = req.get_header()
response = req.redirect_to_idp(logger, s, initial_redirect_url,
header, None)
keycloak_cookie = response.cookies
if response.status_code == HTTPStatus.UNAUTHORIZED and response.headers[
'WWW-Authenticate'] == 'Negotiate':
response = req.kerberos_form_fallback(logger, s, response,
header,
{**keycloak_cookie})
# In the login page we can choose to login with the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
div = soup.find("div", {"id": "kc-social-providers"})
assert div is not None
# we can have several idp external; choose the one needed for the test
all_li = div.find_all('li')
for li in all_li:
if li.span.text == idp_broker:
external_idp_url = "{scheme}://{ip}:{port}".format(
scheme=idp_scheme, ip=idp_ip,
port=idp_port) + li.a['href']
assert external_idp_url is not None
# Select to login with the external IDP
req_choose_external_idp = Request(
method='GET',
url="{url}".format(url=external_idp_url),
headers=header,
cookies=keycloak_cookie)
prepared_request = req_choose_external_idp.prepare()
req.log_request(logger, req_choose_external_idp)
response = s.send(prepared_request, allow_redirects=False)
logger.debug(response.status_code)
assert response.status_code == HTTPStatus.OK or response.status_code == HTTPStatus.FOUND
# get the HTTP binding response with the url to the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
params = {}
for input in inputs:
params[input.get('name')] = input.get('value')
# Redirect to external IDP
req_redirect_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
params=params,
headers=header)
referer_url = url_form
prepared_request = req_redirect_external_idp.prepare()
req.log_request(logger, req_redirect_external_idp)
response = s.send(prepared_request, allow_redirects=False)
logger.debug(response.status_code)
keycloak_cookie2 = response.cookies
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.find("form", {"id": keycloak_login_form_id})
assert form is not None
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
input_name = []
for input in inputs:
input_name.append(input.get('name'))
assert "username" in input_name
assert "password" in input_name
credentials_data = {}
credentials_data["username"] = idp_username
credentials_data["password"] = idp_password
# Authenticate to the external IDP
response = req.send_credentials_to_idp(logger, s, header, idp2_ip,
idp2_port, referer_url,
url_form, credentials_data,
{**keycloak_cookie2},
method_form)
assert response.status_code == HTTPStatus.OK or response.status_code == HTTPStatus.FOUND
# get the HTTP binding response with the url to the broker IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
try:
## we fuzz the values of the token
params = ['wa', 'wtrealm', 'wresult', 'wctx']
# choose what parameters are going to be fuzzed
for i in range(0, len(params)):
random.seed(
calendar.timegm(time.gmtime()) +
random.randint(0, 1000))
choice = random.random()
if choice > 0.5: # we fuzz the parameter
fuzz_value = fuzz.get_fuzzed_value(
logger, token[params[i]])
token[params[i]] = fuzz_value
except Exception as e:
print("There is a problem with the fuzzer: {e}".format(e=e))
logger.info(
"There is a problem with the fuzzer: {e}".format(e=e))
logger.info(
"Fuzzed token sent to the broker is {t}".format(t=token))
req_token_from_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
data=token,
cookies=keycloak_cookie,
headers=header)
prepared_request = req_token_from_external_idp.prepare()
req.log_request(logger, req_token_from_external_idp)
response = s.send(prepared_request, allow_redirects=False)
# log what status code we get from the broker
logger.info(response.status_code)
# check that Keycloak is up there running and able to answer to requests
# run the wsfed login test
s = Session()
response = req.access_sp_ws_fed(logger, s, header, sp_ip, sp_port,
sp_scheme, sp_path)
session_cookie = response.cookies
redirect_url = response.headers['Location']
header_redirect_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip,
port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
response = req.redirect_to_idp(logger, s, redirect_url,
header_redirect_idp, session_cookie)
keycloak_cookie = response.cookies
if response.status_code == HTTPStatus.UNAUTHORIZED and response.headers[
'WWW-Authenticate'] == 'Negotiate':
response = req.kerberos_form_fallback(logger, s, response,
header, {
**keycloak_cookie,
**session_cookie
})
# In the login page we can choose to login with the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
div = soup.find("div", {"id": "kc-social-providers"})
assert div is not None
# we can have several idp external; choose the one needed for the test
all_li = div.find_all('li')
for li in all_li:
if li.span.text == idp_broker:
external_idp_url = "{scheme}://{ip}:{port}".format(
scheme=idp_scheme, ip=idp_ip,
port=idp_port) + li.a['href']
assert external_idp_url is not None
# Select to login with the external IDP
req_choose_external_idp = Request(
method='GET',
url="{url}".format(url=external_idp_url),
headers=header,
cookies=keycloak_cookie)
prepared_request = req_choose_external_idp.prepare()
log_request(logger, req_choose_external_idp)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
assert response.status_code == HTTPStatus.OK or response.status_code == HTTPStatus.FOUND
# get the HTTP binding response with the url to the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
params = {}
for input in inputs:
params[input.get('name')] = input.get('value')
header_redirect_external_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp2_ip,
port=idp2_port),
'Referer': "{ip}:{port}".format(ip=idp_ip, port=idp_port)
}
# Redirect to external IDP
if idp_broker == "cloudtrust_saml":
req_redirect_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
data=params,
headers=header_redirect_external_idp)
else:
req_redirect_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
params=params,
headers=header_redirect_external_idp)
referer_url = url_form
prepared_request = req_redirect_external_idp.prepare()
log_request(logger, req_redirect_external_idp)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
# if we have an identity provider saml, we do an extra redirect
if idp_broker == "cloudtrust_saml":
redirect_url = response.headers['Location']
keycloak_cookie2 = response.cookies
response = req.redirect_to_idp(logger, s, redirect_url, header,
keycloak_cookie2)
else:
keycloak_cookie2 = response.cookies
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.find("form", {"id": keycloak_login_form_id})
assert form is not None
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
input_name = []
for input in inputs:
input_name.append(input.get('name'))
assert "username" in input_name
assert "password" in input_name
credentials_data = {}
credentials_data["username"] = idp_username
credentials_data["password"] = idp_password
# Authenticate to the external IDP
response = req.send_credentials_to_idp(logger, s, header, idp2_ip,
idp2_port, referer_url,
url_form, credentials_data,
{
**keycloak_cookie2,
**session_cookie
}, method_form)
assert response.status_code == HTTPStatus.OK or response.status_code == HTTPStatus.FOUND
# get the HTTP binding response with the url to the broker IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
req_token_from_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
data=token,
cookies=keycloak_cookie,
headers=header)
prepared_request = req_token_from_external_idp.prepare()
log_request(logger, req_token_from_external_idp)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
if response.status_code == HTTPStatus.FOUND:
new_cookie = response.cookies
redirect_url = response.headers['Location']
response = req.redirect_to_idp(logger, s, redirect_url, header,
{
**keycloak_cookie,
**new_cookie
})
response = req.broker_fill_in_form(logger, s, response, header,
keycloak_cookie, new_cookie,
idp_broker, idp_form_id)
# Get the token from the broker IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
# Access SP with the token
(response, sp_cookie) = req.access_sp_with_token(
logger, s, header, sp_ip, sp_port, sp_scheme, idp_scheme,
idp_ip, idp_port, method_form, url_form, token, session_cookie,
keycloak_cookie2)
assert response.status_code == HTTPStatus.OK
# assert that we are logged in
assert re.search(sp_message, response.text) is not None
logger.info("Login returned a {code} status code".format(
code=response.status_code))
# cleanup: remove the open sessions of the test user from the broker IDP and external IDP
# remove the sessions from broker IDP
# first, obtain the id of the user
user_repr = req.get_user(s, logger, idp_ip, idp_port, idp_scheme,
idp_master_username, idp_master_password,
idp_client_id, idp_realm_id,
idp_realm_test, idp_username)
user_id = json.loads(user_repr)[0]['id']
# remove the open sessions
status_code = req.remove_user_sessions(s, logger, idp_ip, idp_port,
idp_scheme,
idp_master_username,
idp_master_password,
idp_client_id, idp_realm_id,
idp_realm_test, user_id)
assert status_code == HTTPStatus.NO_CONTENT
# remove the sessions from the external IDP
# first, obtain the id of the user
user_repr = req.get_user(s, logger, idp2_ip, idp2_port,
idp2_scheme, idp2_master_username,
idp2_master_password, idp2_client_id,
idp2_realm_id, idp2_realm_test,
idp_username)
user_id = json.loads(user_repr)[0]['id']
# remove the open sessions
status_code = req.remove_user_sessions(
s, logger, idp2_ip, idp2_port, idp2_scheme,
idp2_master_username, idp2_master_password, idp2_client_id,
idp2_realm_id, idp2_realm_test, user_id)
assert status_code == HTTPStatus.NO_CONTENT
def delete_realm(settings):
"""
Fixture to perform the deletion of a realm from Keycloak
:param settings:
:return:
"""
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
idp_username = settings["idp"]["master_realm"]["username"]
idp_password = settings["idp"]["master_realm"]["password"]
idp_client_id = settings["idp"]["master_realm"]["client_id"]
idp_realm_id = settings["idp"]["master_realm"]["name"]
idp_realm_test = settings["idp"]["test_realm"]["name"]
s = Session()
access_token_data = {
"client_id": idp_client_id,
"username": idp_username,
"password": idp_password,
"grant_type": "password"
}
access_token = req.get_access_token(logger, s, access_token_data,
idp_scheme, idp_port, idp_ip,
idp_realm_id)
header = {
'Accept':
"application/json,text/plain, */*",
'Accept-Encoding':
"gzip, deflate",
'Accept-Language':
"en-US,en;q=0.5",
'User-Agent':
"Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0",
'Connection':
"keep-alive",
'Content-Type':
"application/json",
'Referer':
"{scheme}://{ip}:{port}/auth/admin/master/console/".format(
scheme=idp_scheme, ip=idp_ip, port=idp_port),
'Host':
"{ip}:{port}".format(ip=idp_ip, port=idp_port),
"DNT":
"1",
"Keep-Alive":
"timeout=15, max=3",
'Authorization':
'Bearer ' + access_token
}
req_delete_realm = Request(
method='DELETE',
url="{scheme}://{ip}:{port}/auth/admin/realms/{realm}".format(
scheme=idp_scheme, ip=idp_ip, port=idp_port, realm=idp_realm_test),
headers=header,
)
prepared_request = req_delete_realm.prepare()
log_request(logger, req_delete_realm)
response = s.send(prepared_request, verify=False)
logger.debug(response.status_code)
return response
def access_sp_with_token(logger, s, header, sp_ip, sp_port, sp_scheme,
idp_scheme, idp_ip, idp_port, method, url, token,
session_cookie, keycloak_cookie):
"""
Helper dedicated to access the service provider endpoint with the token obtained from the identity provider.
Requests done in this method are dependent of the functionality of the servide provider.
:param logger:
:param s: session s
:param header: header used for the requests
:param sp_ip: service provider ip
:param sp_port: service provider port
:param idp_scheme: identity provider http scheme
:param idp_ip: identity provider ip
:param idp_port: identity provider port
:param method: method used to do the request, e.g. GET, POST
:param url: url used to make the request
:param token: token obtained from the identity provider
:param session_cookie: session cookie
:param keycloak_cookie: keycloak session cookie
:return:
"""
# Perform a callback
header_callback = {
**header,
'Host':
"{ip}:{port}".format(ip=sp_ip, port=sp_port),
'Referer':
"{scheme}://{ip}:{port}".format(scheme=idp_scheme,
ip=idp_ip,
port=idp_port),
}
req_sp_with_token = Request(method=method,
url="{url}".format(url=url),
data=token,
cookies=session_cookie,
headers=header_callback)
prepared_request = req_sp_with_token.prepare()
log_request(logger, req_sp_with_token)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
sp_cookie = response.cookies
url_sp = response.headers['Location']
if url_sp == "/":
url_sp = "{scheme}://{ip}:{port}".format(ip=sp_ip,
port=sp_port,
scheme=sp_scheme)
header_login_sp = {
**header,
'Host':
"{ip}:{port}".format(ip=sp_ip, port=sp_port),
'Referer':
"{scheme}://{ip}:{port}".format(scheme=idp_scheme,
ip=idp_ip,
port=idp_port),
}
req_get_sp_page_final = Request(method='GET',
url="{url}".format(url=url_sp),
cookies={
**session_cookie,
**keycloak_cookie,
**response.cookies
},
headers=header_login_sp)
prepared_request = req_get_sp_page_final.prepare()
log_request(logger, req_get_sp_page_final)
response = s.send(prepared_request, verify=False)
logger.debug(response.status_code)
return response, sp_cookie
def test_CT_TC_WS_FED_BROKER_ACCESS_CONTROL_RBAC_KO_SP_initiated(
self, settings):
"""
Scenario: User logs in to SP1 where he has the appropriate role.
Same user tries to log in to SP2, SP that he is not authorized to access. He should receive an
error message saying he has not the authorization.
:param settings:
:return:
"""
s = Session()
# Service provider settings
sp = settings["sps_wsfed"][0]
sp_ip = sp["ip"]
sp_port = sp["port"]
sp_scheme = sp["http_scheme"]
sp_path = sp["path"]
sp_message = sp["logged_in_message"]
# Service provider 2 settings
sp2 = settings["sps_wsfed"][2]
sp2_ip = sp2["ip"]
sp2_port = sp2["port"]
sp2_scheme = sp2["http_scheme"]
sp2_path = sp2["path"]
sp2_message = settings["idp"]["not_authorized_message"]
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
idp_broker = settings["idp"]["wsfed_broker"]
idp_form_id = settings["idp"]["login_form_update"]
idp_username = settings["idp_external"]["test_realm"]["username"]
idp_password = settings["idp_external"]["test_realm"]["password"]
idp2_ip = settings["idp_external"]["ip"]
idp2_port = settings["idp_external"]["port"]
idp2_scheme = settings["idp_external"]["http_scheme"]
keycloak_login_form_id = settings["idp"]["login_form_id"]
# Common header for all the requests
header = req.get_header()
# We check that test works for both types of identity provider
idp_brokers = [
settings["idp"]["saml_broker"], settings["idp"]["wsfed_broker"]
]
for idp_broker in idp_brokers:
response = req.access_sp_ws_fed(logger, s, header, sp_ip, sp_port,
sp_scheme, sp_path)
session_cookie = response.cookies
redirect_url = response.headers['Location']
header_redirect_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip,
port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
response = req.redirect_to_idp(logger, s, redirect_url,
header_redirect_idp, session_cookie)
keycloak_cookie = response.cookies
# In the login page we can choose to login with the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
div = soup.find("div", {"id": "kc-social-providers"})
assert div is not None
# we can have several idp external; choose the one needed for the test
all_li = div.find_all('li')
for li in all_li:
if li.span.text == idp_broker:
external_idp_url = "{scheme}://{ip}:{port}".format(
scheme=idp_scheme, ip=idp_ip,
port=idp_port) + li.a['href']
assert external_idp_url is not None
# Select to login with the external IDP
req_choose_external_idp = Request(
method='GET',
url="{url}".format(url=external_idp_url),
headers=header,
cookies=keycloak_cookie)
prepared_request = req_choose_external_idp.prepare()
log_request(logger, req_choose_external_idp)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
assert response.status_code == HTTPStatus.OK or response.status_code == HTTPStatus.FOUND
# get the HTTP binding response with the url to the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
params = {}
for input in inputs:
params[input.get('name')] = input.get('value')
header_redirect_external_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp2_ip,
port=idp2_port),
'Referer': "{ip}:{port}".format(ip=idp_ip, port=idp_port)
}
# Redirect to external IDP
if idp_broker == "cloudtrust_saml":
req_redirect_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
data=params,
headers=header_redirect_external_idp)
else:
req_redirect_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
params=params,
headers=header_redirect_external_idp)
# url_parts = list(urlparse.urlparse(url_form))
# query = dict(urlparse.parse_qsl(url_parts[4]))
# query.update(params)
# url_parts[4] = urlencode(query)
# referer_url = urlparse.urlunparse(url_parts)
referer_url = url_form
prepared_request = req_redirect_external_idp.prepare()
log_request(logger, req_redirect_external_idp)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
# if we have an identity provider saml, we do an extra redirect
if idp_broker == "cloudtrust_saml":
redirect_url = response.headers['Location']
keycloak_cookie2 = response.cookies
response = req.redirect_to_idp(logger, s, redirect_url, header,
keycloak_cookie2)
else:
keycloak_cookie2 = response.cookies
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.find("form", {"id": keycloak_login_form_id})
assert form is not None
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
input_name = []
for input in inputs:
input_name.append(input.get('name'))
assert "username" in input_name
assert "password" in input_name
credentials_data = {}
credentials_data["username"] = idp_username
credentials_data["password"] = idp_password
# Authenticate to the external IDP
response = req.send_credentials_to_idp(logger, s, header, idp2_ip,
idp2_port, referer_url,
url_form, credentials_data,
{
**keycloak_cookie2,
**session_cookie
}, method_form)
assert response.status_code == HTTPStatus.OK or response.status_code == HTTPStatus.FOUND
# get the HTTP binding response with the url to the broker IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
req_token_from_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
data=token,
cookies=keycloak_cookie,
headers=header)
prepared_request = req_token_from_external_idp.prepare()
log_request(logger, req_token_from_external_idp)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
if response.status_code == HTTPStatus.FOUND:
new_cookie = response.cookies
redirect_url = response.headers['Location']
response = req.redirect_to_idp(logger, s, redirect_url, header,
{
**keycloak_cookie,
**new_cookie
})
response = req.broker_fill_in_form(logger, s, response, header,
keycloak_cookie, new_cookie,
idp_broker, idp_form_id)
keycloak_cookie3 = response.cookies
logger.debug(response.status_code)
# Get the token from the broker IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
# Access SP with the token
(response, sp_cookie) = req.access_sp_with_token(
logger, s, header, sp_ip, sp_port, sp_scheme, idp_scheme,
idp_ip, idp_port, method_form, url_form, token, session_cookie,
keycloak_cookie2)
assert response.status_code == HTTPStatus.OK
# assert that we are logged in
assert re.search(sp_message, response.text) is not None
# User is logged in on SP1
# Attempt to perform login on SP2
response = req.access_sp_ws_fed(logger, s, header, sp2_ip,
sp2_port, sp2_scheme, sp2_path)
session_cookie = response.cookies
redirect_url = response.headers['Location']
header_redirect_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip,
port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp2_ip, port=sp2_port)
}
response = req.redirect_to_idp(logger, s, redirect_url,
header_redirect_idp,
{**keycloak_cookie3})
# Assert that the client is not authorized to access SP2
assert response.status_code == HTTPStatus.FORBIDDEN
assert re.search(sp2_message, response.text) is not None
def test_CT_TC_WS_FED_BROKER_SIMPLE_SP_initiated(self, settings):
"""
Test the CT_TC_WS_FED_BROKER_SIMPLE use case with the SP-initiated flow, i.e. the user accesses the application
, which is a service provider (SP), that redirects him to the keycloak, the identity provider (IDP).
The user has to login to keycloak which will give him the SAML token. The token will give him access to the
application.
:param settings:
:return:
"""
s = Session()
# Service provider settings
sp = settings["sps_wsfed"][0]
sp_ip = sp["ip"]
sp_port = sp["port"]
sp_scheme = sp["http_scheme"]
sp_path = sp["path"]
sp_message = sp["logged_in_message"]
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
idp_form_id = settings["idp"]["login_form_update"]
idp_username = settings["idp_external"]["test_realm"]["username"]
idp_password = settings["idp_external"]["test_realm"]["password"]
idp2_ip = settings["idp_external"]["ip"]
idp2_port = settings["idp_external"]["port"]
idp2_scheme = settings["idp_external"]["http_scheme"]
keycloak_login_form_id = settings["idp"]["login_form_id"]
# Common header for all the requests
header = req.get_header()
# We check that login works for both types of identity provider
idp_brokers = [
settings["idp"]["saml_broker"], settings["idp"]["wsfed_broker"]
]
for idp_broker in idp_brokers:
response = req.access_sp_ws_fed(logger, s, header, sp_ip, sp_port,
sp_scheme, sp_path)
session_cookie = response.cookies
redirect_url = response.headers['Location']
header_redirect_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip,
port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
response = req.redirect_to_idp(logger, s, redirect_url,
header_redirect_idp, session_cookie)
keycloak_cookie = response.cookies
if response.status_code == HTTPStatus.UNAUTHORIZED and response.headers[
'WWW-Authenticate'] == 'Negotiate':
response = req.kerberos_form_fallback(logger, s, response,
header, {
**keycloak_cookie,
**session_cookie
})
# In the login page we can choose to login with the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
div = soup.find("div", {"id": "kc-social-providers"})
assert div is not None
# we can have several idp external; choose the one needed for the test
all_li = div.find_all('li')
for li in all_li:
if li.span.text == idp_broker:
external_idp_url = "{scheme}://{ip}:{port}".format(
scheme=idp_scheme, ip=idp_ip,
port=idp_port) + li.a['href']
assert external_idp_url is not None
# Select to login with the external IDP
req_choose_external_idp = Request(
method='GET',
url="{url}".format(url=external_idp_url),
headers=header,
cookies=keycloak_cookie)
prepared_request = req_choose_external_idp.prepare()
log_request(logger, req_choose_external_idp)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
assert response.status_code == HTTPStatus.OK or response.status_code == HTTPStatus.FOUND
# get the HTTP binding response with the url to the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
params = {}
for input in inputs:
params[input.get('name')] = input.get('value')
header_redirect_external_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp2_ip,
port=idp2_port),
'Referer': "{ip}:{port}".format(ip=idp_ip, port=idp_port)
}
# Redirect to external IDP
if idp_broker == "cloudtrust_saml":
req_redirect_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
data=params,
headers=header_redirect_external_idp)
else:
req_redirect_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
params=params,
headers=header_redirect_external_idp)
referer_url = url_form
prepared_request = req_redirect_external_idp.prepare()
log_request(logger, req_redirect_external_idp)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
# if we have an identity provider saml, we do an extra redirect
if idp_broker == "cloudtrust_saml":
redirect_url = response.headers['Location']
keycloak_cookie2 = response.cookies
response = req.redirect_to_idp(logger, s, redirect_url, header,
keycloak_cookie2)
else:
keycloak_cookie2 = response.cookies
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.find("form", {"id": keycloak_login_form_id})
assert form is not None
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
input_name = []
for input in inputs:
input_name.append(input.get('name'))
assert "username" in input_name
assert "password" in input_name
credentials_data = {}
credentials_data["username"] = idp_username
credentials_data["password"] = idp_password
# Authenticate to the external IDP
response = req.send_credentials_to_idp(logger, s, header, idp2_ip,
idp2_port, referer_url,
url_form, credentials_data,
{
**keycloak_cookie2,
**session_cookie
}, method_form)
assert response.status_code == HTTPStatus.OK or response.status_code == HTTPStatus.FOUND
# get the HTTP binding response with the url to the broker IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
req_token_from_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
data=token,
cookies=keycloak_cookie,
headers=header)
prepared_request = req_token_from_external_idp.prepare()
log_request(logger, req_token_from_external_idp)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
if response.status_code == HTTPStatus.FOUND:
new_cookie = response.cookies
redirect_url = response.headers['Location']
response = req.redirect_to_idp(logger, s, redirect_url, header,
{
**keycloak_cookie,
**new_cookie
})
response = req.broker_fill_in_form(logger, s, response, header,
keycloak_cookie, new_cookie,
idp_broker, idp_form_id)
# Get the token from the broker IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
# Access SP with the token
(response, sp_cookie) = req.access_sp_with_token(
logger, s, header, sp_ip, sp_port, sp_scheme, idp_scheme,
idp_ip, idp_port, method_form, url_form, token, session_cookie,
keycloak_cookie2)
assert response.status_code == HTTPStatus.OK
# assert that we are logged in
assert re.search(sp_message, response.text) is not None
def access_sp_saml(logger, s, header, sp_ip, sp_port, sp_scheme, sp_path,
idp_ip, idp_port):
"""
Helper dedicated to access the service provider in order to obtain the
endpoint of the IDP, where the connection protocol is SAML
:param logger:
:param s: session s
:param header: header used for the request
:param sp_ip: service provider ip
:param sp_port: service provider port
:param sp_scheme: service provider http scheme
:param sp_path: service provider path
:param idp_ip: identity provider ip
:param idp_port: identity provider port
:return:
"""
# Access to the SP
header_sp_page = {
**header, 'Host': "{ip}:{port}".format(ip=sp_ip, port=sp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
req_get_sp_page = Request(
method='GET',
url="{scheme}://{ip}:{port}/{path}".format(scheme=sp_scheme,
port=sp_port,
ip=sp_ip,
path=sp_path),
headers=header_sp_page,
)
prepared_request = req_get_sp_page.prepare()
log_request(logger, req_get_sp_page)
response = s.send(prepared_request, verify=False)
logger.debug(response.status_code)
# store the session cookie
session_cookie = response.cookies
# Response returns a form that requests a post with RelayState and SAMLRequest as input
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
# Do a SAML request to the identity provider
saml_request = {}
for input in inputs:
saml_request[input.get('name')] = input.get('value')
header_redirect_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
req_idp_saml_request = Request(method=method_form,
url="{url}".format(url=url_form),
data=saml_request,
headers=header_redirect_idp)
prepared_request = req_idp_saml_request.prepare()
log_request(logger, req_idp_saml_request)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
return session_cookie, response
def login_idp(logger, s, header, idp_ip, idp_port, idp_scheme, idp_path,
idp_username, idp_password):
"""
Helper dedicated to perform the requests needed to authenticate to the identity provider.
We are in the case of a scenario with IDP-initiated flow
:param logger:
:param s: session s
:param header: header used for the requests
:param idp_ip: identity provider ip
:param idp_port: identity provider port
:param idp_scheme: identity provider http scheme
:param idp_path: identity provider path
:param idp_username: username
:param idp_password: password
:return:
"""
# Request access to the IDP
header_idp_page = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port)
}
req_get_idp_page = Request(
method='GET',
url="{scheme}://{ip}:{port}/{path}".format(scheme=idp_scheme,
ip=idp_ip,
port=idp_port,
path=idp_path),
headers=header_idp_page,
)
prepared_request = req_get_idp_page.prepare()
log_request(logger, req_get_idp_page)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
oath_cookie = response.cookies
url_redirect = response.headers['Location']
req_idp_redirect = Request(method='GET',
url="{url}".format(url=url_redirect),
headers=header_idp_page)
prepared_request = req_idp_redirect.prepare()
log_request(logger, req_idp_redirect)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
keycloak_cookie = response.cookies
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
method_form = form.get('method')
# Send credentials to the IDP
credentials_data = {}
credentials_data["username"] = idp_username
credentials_data["password"] = idp_password
#TODO: replace this code by calling send credentials to idp
header_login_keycloak = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port)
}
req_login_idp = Request(method=method_form,
url="{url}".format(url=url_form),
data=credentials_data,
cookies=keycloak_cookie,
headers=header_login_keycloak)
prepared_request = req_login_idp.prepare()
log_request(logger, req_login_idp)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
keycloak_cookie2 = response.cookies
url_redirect = response.headers['Location']
req_idp_redirect = Request(method='GET',
url="{url}".format(url=url_redirect),
headers=header_login_keycloak,
cookies=keycloak_cookie2)
prepared_request = req_idp_redirect.prepare()
log_request(logger, req_idp_redirect)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
keycloak_cookie3 = response.cookies
url_redirect = response.headers['Location']
req_idp_redirect = Request(method='GET',
url="{url}".format(url=url_redirect),
headers=header_login_keycloak,
cookies=keycloak_cookie3)
prepared_request = req_idp_redirect.prepare()
log_request(logger, req_idp_redirect)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
return oath_cookie, keycloak_cookie, keycloak_cookie2, response
def test_CT_TC_SAML_SSO_FORM_SIMPLE__ARTIFACT_BINDING_SP_initiated(self, settings):
"""
Test the CT_TC_SAML_SSO_FORM_SIMPLE use case with the SP-initiated flow, i.e. the user accesses the application
, which is a service provider (SP), that redirects him to the keycloak, the identity provider (IDP).
The user has to login to keycloak.
The IDP sends an artifact encoded in SAMLart and then IDP and SP discuss directly (not passing through the browser)
in order to obtain the SAML token. The token will give to the user the access to the
application.
:param settings:
:return:
"""
s = Session()
# Service provider settings
sps = [settings["sps_saml"][0]]
for sp in sps:
sp_ip = sp["ip"]
sp_port = sp["port"]
sp_scheme = sp["http_scheme"]
sp_path = sp["path"]
sp_message = sp["logged_in_message"]
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
idp_username = settings["idp"]["test_realm"]["username"]
idp_password = settings["idp"]["test_realm"]["password"]
keycloak_login_form_id = settings["idp"]["login_form_id"]
# Common header for all the requests
header = req.get_header()
(session_cookie, response) = req.access_sp_saml(logger, s, header, sp_ip, sp_port, sp_scheme, sp_path,
idp_ip, idp_port)
assert response.status_code == HTTPStatus.FOUND
# store the cookie received from keycloak
keycloak_cookie = response.cookies
redirect_url = response.headers['Location']
header_redirect_idp = {
**header,
'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
response = req.redirect_to_idp(logger, s, redirect_url, header_redirect_idp, keycloak_cookie)
if response.status_code == HTTPStatus.UNAUTHORIZED and response.headers['WWW-Authenticate'] == 'Negotiate':
response = req.kerberos_form_fallback(logger, s, response, header,
{**keycloak_cookie, **session_cookie})
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.find("form", {"id": keycloak_login_form_id})
assert form is not None
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
input_name = []
for input in inputs:
input_name.append(input.get('name'))
assert "username" in input_name
assert "password" in input_name
# Simulate the login to the identity provider by providing the credentials
credentials_data = {}
credentials_data["username"] = idp_username
credentials_data["password"] = idp_password
response = req.send_credentials_to_idp(logger, s, header, idp_ip, idp_port, redirect_url, url_form, credentials_data, keycloak_cookie, method_form)
assert response.status_code == HTTPStatus.OK or response.status_code == HTTPStatus.FOUND #or response.status_code == 303 or response.status_code == 307
# While normally at this stage we would get the token (SAML response) from the identity provider,
# for this use case, we get the artifact encoded in the parameter SAMLart
assert response.status_code == HTTPStatus.FOUND # HTTPStatus.OK
redirect_url = response.headers['Location']
# extract the SAMLart
parsed = urlparse.urlparse(redirect_url)
artifact = urlparse.parse_qs(parsed.query)['SAMLart']
# assert we received the artifact in encoded in the SAMLart parameter
assert artifact is not None
req_get_artifact = Request(
method='GET',
url="{url}".format(url=redirect_url),
cookies={**session_cookie, **keycloak_cookie},
headers=header
)
prepared_request = req_get_artifact.prepare()
log_request(logger, req_get_artifact)
response = s.send(prepared_request, verify=False)
logger.debug(response.status_code)
# wait for IDP to send the SAML token to SP
time.sleep(2)
# assert that we are logged in
assert re.search(sp_message, response.text) is not None
def test_CT_TC_SAML_IDP_LOGOUT_SIMPLE(self, settings, login_sso_form):
"""
Test the CT_TC_SAML_IDP_LOGOUT_SIMPLE use case with the SP-initiated flow, i.e. the user that accessed the SP
asks to be logged out. This will trigger the logout to be performed on the IDP side and the user will
be able to see the "You're logged out" page.
:param settings:
:return:
"""
s = Session()
# Service provider settings
sp = settings["sps_saml"][0]
sp_ip = sp["ip"]
sp_port = sp["port"]
sp_scheme = sp["http_scheme"]
sp_logout_path = sp["logout_path"]
sp_message = sp["logged_out_message"]
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
# Common header for all the requests
header = req.get_header()
# Perform login using the fixture login_sso_form
sp_cookie, keycloak_cookie = login_sso_form
# User is logged in
# Access to the SP logout page
header_sp_logout_page = {
**header, 'Host':
"{ip}:{port}".format(ip=sp_ip, port=sp_port),
'Referer':
"{scheme}://{ip}:{port}".format(scheme=sp_scheme,
ip=sp_ip,
port=sp_port)
}
req_get_sp_logout_page = Request(
method='GET',
url="{scheme}://{ip}:{port}/{path}".format(scheme=sp_scheme,
port=sp_port,
ip=sp_ip,
path=sp_logout_path),
headers=header_sp_logout_page,
cookies=sp_cookie)
prepared_request = req_get_sp_logout_page.prepare()
log_request(logger, req_get_sp_logout_page)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
assert response.status_code == HTTPStatus.OK
# SP redirects me to IDP with a SAML request
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
# Do a SAML request to the identity provider
saml_request = {}
for input in inputs:
saml_request[input.get('name')] = input.get('value')
header_redirect_idp = {
**header,
'Host':
"{ip}:{port}".format(ip=idp_ip, port=idp_port),
'Referer':
"{scheme}://{ip}:{port}/{path}".format(scheme=sp_scheme,
ip=sp_ip,
port=sp_port,
path=sp_logout_path),
}
req_idp_saml_request = Request(method=method_form,
url="{url}".format(url=url_form),
data=saml_request,
headers=header_redirect_idp,
cookies={**keycloak_cookie})
prepared_request = req_idp_saml_request.prepare()
log_request(logger, req_idp_saml_request)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
assert response.status_code == HTTPStatus.OK
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
# Get the token (SAML response) from the identity provider
saml_response = {}
for input in inputs:
saml_response[input.get('name')] = input.get('value')
header_idp_saml_response = {
**header,
'Host':
"{ip}:{port}".format(ip=sp_ip, port=sp_port),
'Referer':
"{scheme}://{ip}:{port}".format(scheme=idp_scheme,
ip=idp_ip,
port=idp_port),
}
# Provide to the SP the SAML response
req_sp_saml_response = Request(method=method_form,
url="{url}".format(url=url_form),
data=saml_response,
headers=header_idp_saml_response)
prepared_request = req_sp_saml_response.prepare()
log_request(logger, req_sp_saml_response)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
url_sp = response.headers['Location']
req_logout = Request(method='GET',
url="{url}".format(url=url_sp),
headers=header_idp_saml_response)
prepared_request = req_logout.prepare()
log_request(logger, req_logout)
response = s.send(prepared_request, verify=False)
logger.debug(response.status_code)
assert response.status_code == HTTPStatus.OK
# Assert the logout page is displayed
assert re.search(sp_message, response.text) is not None
def test_CT_TC_WS_FED_IDP_LOGOUT_PERIMETRIC(self, settings,
login_sso_form):
"""
Scenario: user is logged in on several SPs.
The user logs out of one SP. Access to all SPs should require a new log in.
:param settings:
:return:
"""
s = Session()
# Service provider settings
sp1 = settings["sps_wsfed"][0]
sp_ip = sp1["ip"]
sp_port = sp1["port"]
sp_scheme = sp1["http_scheme"]
sp_path = sp1["path"]
sp_logout_path = sp1["logout_path"]
sp_message = sp1["logged_out_message"]
sp2 = settings["sps_wsfed"][1]
sp2_ip = sp2["ip"]
sp2_port = sp2["port"]
sp2_scheme = sp2["http_scheme"]
sp2_path = sp2["path"]
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
# Common header for all the requests
header = req.get_header()
# Perform login using the fixture login_sso_form
sp_cookie, keycloak_cookie = login_sso_form
# User is logged in on SP1
# Perform login on SP2
response = req.access_sp_ws_fed(logger, s, header, sp2_ip, sp2_port,
sp2_scheme, sp2_path)
session_cookie = response.cookies
redirect_url = response.headers['Location']
header_redirect_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp2_ip, port=sp2_port)
}
response = req.redirect_to_idp(logger, s, redirect_url,
header_redirect_idp,
{**keycloak_cookie})
if response.status_code == HTTPStatus.UNAUTHORIZED and response.headers[
'WWW-Authenticate'] == 'Negotiate':
response = req.kerberos_form_fallback(logger, s, response, header,
{
**keycloak_cookie,
**session_cookie
})
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
(response, sp2_cookie) = req.access_sp_with_token(
logger,
s,
header,
sp2_ip,
sp2_port,
sp2_scheme,
idp_scheme,
idp_ip,
idp_port,
method_form,
url_form,
token,
session_cookie,
keycloak_cookie,
)
# req_get_sp_login_reload_page = Request(
# method='GET',
# url="{scheme}://{ip}:{port}/{path}".format(
# scheme=sp2_scheme,
# port=sp2_port,
# ip=sp2_ip,
# path=sp2_path
# ),
# headers=header_sp2_reload_page,
# cookies={**session_cookie}
# )
#
# prepared_request = req_get_sp_login_reload_page.prepare()
#
# logger.debug(
# json.dumps(
# prepared_request_to_json(req_get_sp_login_reload_page),
# sort_keys=True,
# indent=4,
# separators=(',', ': ')
# )
# )
#
# response = s.send(prepared_request, verify=False, allow_redirects=False)
#
# logger.debug(response.status_code)
#
# # the user is logged in and refreshing the page will return an OK
# assert response.status_code == 200
# User is now logged in on both applications: SP1 and SP2
# Logout from the first applications
header_sp_logout_page = {
**header, 'Host':
"{ip}:{port}".format(ip=sp_ip, port=sp_port),
'Referer':
"{scheme}://{ip}:{port}".format(scheme=sp_scheme,
ip=sp_ip,
port=sp_port)
}
req_get_sp_logout_page = Request(
method='GET',
url="{scheme}://{ip}:{port}/{path}".format(scheme=sp_scheme,
port=sp_port,
ip=sp_ip,
path=sp_logout_path),
headers=header_sp_logout_page,
cookies={**sp_cookie})
prepared_request = req_get_sp_logout_page.prepare()
log_request(logger, req_get_sp_logout_page)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
# new session cookie
session_cookie2 = response.cookies
redirect_url = response.headers['Location']
req_sp_logout_redirect = Request(method='GET',
url=redirect_url,
headers=header_sp_logout_page,
cookies={**sp_cookie})
prepared_request = req_sp_logout_redirect.prepare()
log_request(logger, req_sp_logout_redirect)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
redirect_url = response.headers['Location']
response = req.redirect_to_idp(logger, s, redirect_url, header,
sp_cookie)
assert response.status_code == HTTPStatus.OK
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
# Send ws fed response
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
(response,
cookie) = req.access_sp_with_token(logger, s, header, sp_ip, sp_port,
sp_scheme, idp_scheme, idp_ip,
idp_port, method_form, url_form,
token, sp_cookie, sp_cookie)
assert response.status_code == HTTPStatus.OK
assert re.search(sp_message, response.text) is not None
# Check that when the user accesses the secured page of SP1 with the old session cookie,
# he is redirected to log in
req_get_sp_login_reload_page = Request(
method='GET',
url="{scheme}://{ip}:{port}/{path}".format(scheme=sp_scheme,
port=sp_port,
ip=sp_ip,
path=sp_path),
headers=header,
cookies={**session_cookie})
prepared_request = req_get_sp_login_reload_page.prepare()
log_request(logger, req_get_sp_login_reload_page)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
# Assert that the refresh page gives a 302 which signals that the user is logged out of SP
assert response.status_code == HTTPStatus.FOUND
# Check if the user is logged out from SP2: perform a refresh of the page; we expect to get a redirect
header_sp2_reload_page = {
**header,
'Host': "{ip}:{port}".format(ip=sp2_ip, port=sp2_port),
}
req_get_sp_login_reload_page = Request(
method='GET',
url="{scheme}://{ip}:{port}/{path}".format(scheme=sp2_scheme,
port=sp2_port,
ip=sp2_ip,
path=sp2_path),
headers=header_sp2_reload_page,
cookies={**session_cookie})
prepared_request = req_get_sp_login_reload_page.prepare()
log_request(logger, req_get_sp_login_reload_page)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
# Assert that the refresh page gives a 302 which signals that the user is logged out of SP2
assert response.status_code == HTTPStatus.FOUND
def login_external_idp(logger, s, header, idp_ip, idp_port, idp_scheme,
idp_path, idp_username, idp_password, idp2_ip,
idp2_port, idp_broker, idp_form_id):
# Request access to the broker IDP
header_idp_page = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port)
}
req_get_idp_page = Request(
method='GET',
url="{scheme}://{ip}:{port}/{path}".format(scheme=idp_scheme,
ip=idp_ip,
port=idp_port,
path=idp_path),
headers=header_idp_page,
)
prepared_request = req_get_idp_page.prepare()
log_request(logger, req_get_idp_page)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
oath_cookie = response.cookies
url_redirect = response.headers['Location']
req_idp_redirect = Request(method='GET',
url="{url}".format(url=url_redirect),
headers=header_idp_page)
prepared_request = req_idp_redirect.prepare()
log_request(logger, req_idp_redirect)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
keycloak_cookie = response.cookies
# In the login page we can choose to login with the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
div = soup.find("div", {"id": "kc-social-providers"})
assert div is not None
# we can have several idp external; choose the one needed for the test
all_li = div.find_all('li')
for li in all_li:
if li.span.text == idp_broker:
external_idp_url = "{scheme}://{ip}:{port}".format(
scheme=idp_scheme, ip=idp_ip, port=idp_port) + li.a['href']
assert external_idp_url is not None
# Select to login with the external IDP
req_choose_external_idp = Request(method='GET',
url="{url}".format(url=external_idp_url),
headers=header,
cookies=keycloak_cookie)
prepared_request = req_choose_external_idp.prepare()
log_request(logger, req_choose_external_idp)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
# get the HTTP binding response with the url to the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
params = {}
for input in inputs:
params[input.get('name')] = input.get('value')
header_redirect_external_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp2_ip, port=idp2_port),
'Referer': "{ip}:{port}".format(ip=idp_ip, port=idp_port)
}
# Redirect to external IDP
if idp_broker == "cloudtrust_saml":
req_redirect_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
data=params,
headers=header_redirect_external_idp)
else:
req_redirect_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
params=params,
headers=header_redirect_external_idp)
referer_url = url_form
prepared_request = req_redirect_external_idp.prepare()
log_request(logger, req_redirect_external_idp)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
# if we have an identity provider saml, we do an extra redirect
if idp_broker == "cloudtrust_saml":
redirect_url = response.headers['Location']
keycloak_cookie_ext = response.cookies
response = redirect_to_idp(logger, s, redirect_url, header,
keycloak_cookie_ext)
else:
keycloak_cookie_ext = response.cookies
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
input_name = []
for input in inputs:
input_name.append(input.get('name'))
assert "username" in input_name
assert "password" in input_name
credentials_data = {}
credentials_data["username"] = idp_username
credentials_data["password"] = idp_password
# Authenticate to the external IDP
response = send_credentials_to_idp(logger, s, header, idp2_ip, idp2_port,
referer_url, url_form, credentials_data,
{**keycloak_cookie_ext}, method_form)
credentials_cookie = response.cookies
# get the HTTP binding response with the url to the broker IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
req_token_from_external_idp = Request(method=method_form,
url="{url}".format(url=url_form),
data=token,
cookies=keycloak_cookie,
headers=header)
prepared_request = req_token_from_external_idp.prepare()
log_request(logger, req_token_from_external_idp)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
keycloak_cookie3 = response.cookies
url_redirect = response.headers['Location']
req_idp_redirect = Request(method='GET',
url="{url}".format(url=url_redirect),
headers=header_idp_page,
cookies={
**keycloak_cookie,
**keycloak_cookie3
})
prepared_request = req_idp_redirect.prepare()
log_request(logger, req_idp_redirect)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
if response.status_code == HTTPStatus.OK:
response = broker_fill_in_form(logger, s, response, header,
keycloak_cookie, response.cookies,
idp_broker, idp_form_id)
else:
url_redirect = response.headers['Location']
req_idp_redirect = Request(method='GET',
url="{url}".format(url=url_redirect),
headers=header_idp_page,
cookies={
**keycloak_cookie,
**keycloak_cookie3
})
prepared_request = req_idp_redirect.prepare()
log_request(logger, req_idp_redirect)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
return (oath_cookie, response.cookies, response)
def test_CT_TC_WS_FED_IDP_LOGOUT_SIMPLE(self, settings, login_sso_form):
"""
Test the CT_TC_WS_FED_IDP_LOGOUT_SIMPLE use case with the SP-initiated flow, i.e. the user that accessed the SP
asks to be logged out. This will trigger the logout to be performed on the IDP side and the user will
be able to see the "You're logged out" page.
:param settings:
:return:
"""
s = Session()
# Service provider settings
sps = [settings["sps_wsfed"][0]]
for sp in sps:
sp_ip = sp["ip"]
sp_port = sp["port"]
sp_scheme = sp["http_scheme"]
sp_logout_path = sp["logout_path"]
sp_message = sp["logged_out_message"]
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
# Common header for all the requests
header = req.get_header()
# Perform login using the fixture login_sso_form
sp_cookie, keycloak_cookie = login_sso_form
# User is logged in
# Access to the SP logout page
header_sp_logout_page = {
**header,
'Host': "{ip}:{port}".format(ip=sp_ip, port=sp_port),
'Referer': "{scheme}://{ip}:{port}".format(scheme=sp_scheme, ip=sp_ip, port=sp_port)
}
req_get_sp_logout_page = Request(
method='GET',
url="{scheme}://{ip}:{port}/{path}".format(
scheme=sp_scheme,
port=sp_port,
ip=sp_ip,
path=sp_logout_path
),
headers=header_sp_logout_page,
cookies=sp_cookie
)
prepared_request = req_get_sp_logout_page.prepare()
log_request(logger, req_get_sp_logout_page)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
redirect_url = response.headers['Location']
req_sp_logout_redirect = Request(
method='GET',
url= redirect_url,
headers=header_sp_logout_page,
cookies={**sp_cookie}
)
prepared_request = req_sp_logout_redirect.prepare()
log_request(logger, req_sp_logout_redirect)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
redirect_url = response.headers['Location']
response = req.redirect_to_idp(logger, s, redirect_url, header, {**sp_cookie, **keycloak_cookie})
assert response.status_code == HTTPStatus.OK
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
# Send the token
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
(response, cookie) = req.access_sp_with_token(logger, s, header, sp_ip, sp_port, sp_scheme, idp_scheme, idp_ip, idp_port,
method_form, url_form, token, sp_cookie, sp_cookie, )
assert response.status_code == HTTPStatus.OK
assert re.search(sp_message, response.text) is not None
def test_CT_TC_SAML_SSO_FORM_SIMPLE_IDP_initiated_keycloak_endpoint(
self, settings):
"""
Test the CT_TC_SAML_SSO_FORM_SIMPLE use case with the IDP-initiated flow, where we set up an endpoint
on Keycloak with IDP Initiated SSO URL Name.
Thus, the user accesses
http[s]://host:port/auth/realms/{RealmName}/protocol/saml/clients/{IDP Initiated SSO URL Name}
to authenticate to Keycloak and obtain the token (SAML response) and gets redirected
to the SP that he can access.
:param settings:
:return:
"""
s = Session()
# Service provider settings
sp = settings["sps_saml"][0]
sp_ip = sp["ip"]
sp_port = sp["port"]
sp_scheme = sp["http_scheme"]
sp_path = sp["path"]
sp_message = sp["logged_in_message"]
sp_sso_url_name = sp["sso_url_name"]
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
idp_test_realm = settings["idp"]["test_realm"]["name"]
idp_login_endpoint = "auth/realms/{realm}/protocol/saml/clients/{name}".format(
realm=idp_test_realm, name=sp_sso_url_name)
idp_username = settings["idp"]["test_realm"]["username"]
idp_password = settings["idp"]["test_realm"]["password"]
idp_attr_name = settings["idp"]["test_realm"]["attr_name"]
idp_attr_tag = settings["idp"]["test_realm"]["attr_xml_elem"]
idp_attr_name_external = settings["idp"]["test_realm"][
"external_attr_name"]
keycloak_login_form_id = settings["idp"]["login_form_id"]
# Common header for all the requests
header = req.get_header()
# Idp endpoint for client
url_endpoint = "{scheme}://{ip}:{port}/{path}".format(
scheme=idp_scheme,
ip=idp_ip,
port=idp_port,
path=idp_login_endpoint)
req_access_idp_endpoint = Request(
method='GET',
url=url_endpoint,
headers=header,
)
prepared_request = req_access_idp_endpoint.prepare()
log_request(logger, req_access_idp_endpoint)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
keycloak_cookie = response.cookies
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.find("form", {"id": keycloak_login_form_id})
assert form is not None
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
input_name = []
for input in inputs:
input_name.append(input.get('name'))
assert "username" in input_name
assert "password" in input_name
# Provide the credentials
credentials_data = {}
credentials_data["username"] = idp_username
credentials_data["password"] = idp_password
response = req.send_credentials_to_idp(logger, s, header, idp_ip,
idp_port, url_endpoint,
url_form, credentials_data,
keycloak_cookie, method_form)
assert response.status_code == HTTPStatus.OK or response.status_code == HTTPStatus.FOUND
keycloak_cookie_2 = response.cookies
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
# Get the token (SAML response) from the identity provider
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
decoded_token = base64.b64decode(token['SAMLResponse']).decode("utf-8")
val = idp_attr_tag + "=\"{v}\"".format(v=idp_attr_name)
# assert that the IDP added the location attribute in the token
assert re.search(val, decoded_token) is not None
# assert that the external claim is also in the token
val = idp_attr_tag + "=\"{v}\"".format(v=idp_attr_name_external)
assert re.search(val, decoded_token) is not None
(response, sp_cookie) = req.access_sp_with_token(
logger, s, header, sp_ip, sp_port, sp_scheme, idp_scheme, idp_ip,
idp_port, method_form, url_form, token, keycloak_cookie_2,
keycloak_cookie_2)
assert response.status_code == HTTPStatus.OK
# Access the secure page of the SP
header_sp_page = {
**header, 'Host': "{ip}:{port}".format(ip=sp_ip, port=sp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
req_get_sp_page = Request(method='GET',
url="{scheme}://{ip}:{port}/{path}".format(
scheme=sp_scheme,
port=sp_port,
ip=sp_ip,
path=sp_path),
headers=header_sp_page,
cookies=sp_cookie)
prepared_request = req_get_sp_page.prepare()
log_request(logger, req_get_sp_page)
response = s.send(prepared_request, verify=False)
logger.debug(response.status_code)
assert response.status_code == HTTPStatus.OK
assert re.search(sp_message, response.text) is not None
def login_broker_sso_form(settings, pytestconfig):
"""
Fixture to perform the log in when we have a broker and an external IDP
:param settings: settings of the IDP and SP
:param pytestconfig: fixture that provides the standard used for log in: WSFED or SAML
:return:
"""
standard = pytestconfig.getoption('standard')
s = Session()
# Standard
if standard == "WSFED":
client = "sps_wsfed"
idp_broker = settings["idp"]["saml_broker"]
elif standard == "SAML":
client = "sps_saml"
idp_broker = settings["idp"]["wsfed_broker"]
# Service provider settings
sp = settings[client][0]
sp_ip = sp["ip"]
sp_port = sp["port"]
sp_scheme = sp["http_scheme"]
sp_path = sp["path"]
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
idp2_ip = settings["idp_external"]["ip"]
idp2_port = settings["idp_external"]["port"]
idp2_scheme = settings["idp_external"]["http_scheme"]
idp_username = settings["idp_external"]["test_realm"]["username"]
idp_password = settings["idp_external"]["test_realm"]["password"]
keycloak_login_form_id = settings["idp"]["login_form_id"]
# Common header for all the requests
header = req.get_header()
(session_cookie, response) = req.access_sp_saml(logger, s, header, sp_ip,
sp_port, sp_scheme,
sp_path, idp_ip, idp_port)
# store the cookie received from keycloak
keycloak_cookie = response.cookies
redirect_url = response.headers['Location']
header_redirect_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
response = req.redirect_to_idp(logger, s, redirect_url,
header_redirect_idp, keycloak_cookie)
if response.status_code == HTTPStatus.UNAUTHORIZED and response.headers[
'WWW-Authenticate'] == 'Negotiate':
response = req.kerberos_form_fallback(logger, s, response, header, {
**keycloak_cookie,
**session_cookie
})
# In the login page we can choose to login with the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
div = soup.find("div", {"id": "kc-social-providers"})
# we can have several idp external; choose the one needed for the test
all_li = div.find_all('li')
for li in all_li:
if li.span.text == idp_broker:
external_idp_url = "{scheme}://{ip}:{port}".format(
scheme=idp_scheme, ip=idp_ip, port=idp_port) + li.a['href']
# Select to login with the external IDP
req_choose_external_idp = Request(method='GET',
url="{url}".format(url=external_idp_url),
headers=header,
cookies=keycloak_cookie)
prepared_request = req_choose_external_idp.prepare()
log_request(logger, req_choose_external_idp)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
# get the HTTP binding response with the url to the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
params = {}
for input in inputs:
params[input.get('name')] = input.get('value')
header_redirect_external_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp2_ip, port=idp2_port),
'Referer': "{ip}:{port}".format(ip=idp_ip, port=idp_port)
}
# Redirect to external IDP
if idp_broker == "cloudtrust_saml":
req_redirect_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
data=params,
headers=header_redirect_external_idp)
else:
req_redirect_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
params=params,
headers=header_redirect_external_idp)
referer_url = url_form
prepared_request = req_redirect_external_idp.prepare()
log_request(logger, req_redirect_external_idp)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
# if we have an identity provider saml, we do an extra redirect
if idp_broker == "cloudtrust_saml":
redirect_url = response.headers['Location']
keycloak_cookie2 = response.cookies
response = req.redirect_to_idp(logger, s, redirect_url, header,
keycloak_cookie2)
else:
keycloak_cookie2 = response.cookies
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.find("form", {"id": keycloak_login_form_id})
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
input_name = []
for input in inputs:
input_name.append(input.get('name'))
credentials_data = {}
credentials_data["username"] = idp_username
credentials_data["password"] = idp_password
# Authenticate to the external IDP
response = req.send_credentials_to_idp(logger, s, header, idp2_ip,
idp2_port, referer_url, url_form,
credentials_data, {
**keycloak_cookie2,
**session_cookie
}, method_form)
keycloak_cookie3 = response.cookies
# get the HTTP binding response with the url to the broker IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
req_token_from_external_idp = Request(method=method_form,
url="{url}".format(url=url_form),
data=token,
cookies=keycloak_cookie,
headers=header)
prepared_request = req_token_from_external_idp.prepare()
log_request(logger, req_token_from_external_idp)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
if response.status_code == HTTPStatus.FOUND: # user logs in for the first time and has to fill in a form
response = req.broker_fill_in_form(logger, s, response, header,
keycloak_cookie, idp_broker,
settings)
# Get the token (SAML response) from the broker IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
# Access SP with the token
(response,
sp_cookie) = req.access_sp_with_token(logger, s, header, sp_ip, sp_port,
sp_scheme, idp_scheme, idp_ip,
idp_port, method_form, url_form,
token, session_cookie,
keycloak_cookie)
return sp_cookie, keycloak_cookie3, response.status_code
def test_CT_TC_SAML_SSO_BROKER_SIMPLE_SP_initiated(self, settings):
"""
Test the CT_TC_SAML_SSO_BROKER_SIMPLE use case with the SP-initiated flow, i.e. the user accesses the application
, which is a service provider (SP), that redirects him to the keycloak, the identity provider (IDP).
The user has to login to keycloak which will give him the SAML token. The token will give him access to the
application.
:param settings:
:return:
"""
s = Session()
# Service provider settings
sp = settings["sps_saml"][0]
sp_ip = sp["ip"]
sp_port = sp["port"]
sp_scheme = sp["http_scheme"]
sp_path = sp["path"]
sp_message = sp["logged_in_message"]
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
idp_username = settings["idp_external"]["test_realm"]["username"]
idp_password = settings["idp_external"]["test_realm"]["password"]
idp_broker = settings["idp"]["saml_broker"]
idp_form_id = settings["idp"]["login_form_update"]
idp2_ip = settings["idp_external"]["ip"]
idp2_port = settings["idp_external"]["port"]
idp2_scheme = settings["idp_external"]["http_scheme"]
idp_attr_name = settings["idp"]["test_realm"]["attr_name"]
idp_attr_name_external = settings["idp"]["test_realm"]["external_attr_name"]
idp_attr_tag = settings["idp"]["test_realm"]["attr_xml_elem"]
idp_attr_name_broker = settings["idp_external"]["test_realm"]["attr_name"]
idp_attr_tag_broker = settings["idp_external"]["test_realm"]["attr_xml_elem"]
keycloak_login_form_id = settings["idp"]["login_form_id"]
# Common header for all the requests
header = req.get_header()
# We check that test works for both types of identity provider
idp_brokers = [settings["idp"]["saml_broker"], settings["idp"]["wsfed_broker"]]
for idp_broker in idp_brokers:
(session_cookie, response) = req.access_sp_saml(logger, s, header, sp_ip, sp_port, sp_scheme, sp_path,
idp_ip, idp_port)
assert response.status_code == HTTPStatus.FOUND
# store the cookie received from keycloak
keycloak_cookie = response.cookies
redirect_url = response.headers['Location']
header_redirect_idp = {
**header,
'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp_ip, port=sp_port)
}
response = req.redirect_to_idp(logger, s, redirect_url, header_redirect_idp, keycloak_cookie)
# In the login page we can choose to login with the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
div = soup.find("div", {"id": "kc-social-providers"})
assert div is not None
# we can have several idp external; choose the one needed for the test
all_li = div.find_all('li')
for li in all_li:
if li.span.text == idp_broker:
external_idp_url = "{scheme}://{ip}:{port}".format(scheme=idp_scheme, ip=idp_ip, port=idp_port) + li.a['href']
assert external_idp_url is not None
# Select to login with the external IDP
req_choose_external_idp = Request(
method='GET',
url="{url}".format(url=external_idp_url),
headers=header,
cookies=keycloak_cookie
)
prepared_request = req_choose_external_idp.prepare()
log_request(logger, req_choose_external_idp)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
assert response.status_code == HTTPStatus.OK or response.status_code == HTTPStatus.FOUND
# get the HTTP binding response with the url to the external IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
params = {}
for input in inputs:
params[input.get('name')] = input.get('value')
header_redirect_external_idp = {
**header,
'Host': "{ip}:{port}".format(ip=idp2_ip, port=idp2_port),
'Referer': "{ip}:{port}".format(ip=idp_ip, port=idp_port)
}
# Redirect to external IDP
if idp_broker == "cloudtrust_saml":
req_redirect_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
data=params,
headers=header_redirect_external_idp
)
else:
req_redirect_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
params=params,
headers=header_redirect_external_idp
)
# url_parts = list(urlparse.urlparse(url_form))
# query = dict(urlparse.parse_qsl(url_parts[4]))
# query.update(params)
# url_parts[4] = urlencode(query)
# referer_url = urlparse.urlunparse(url_parts)
referer_url = url_form
prepared_request = req_redirect_external_idp.prepare()
log_request(logger, req_redirect_external_idp)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
# if we have an identity provider saml, we do an extra redirect
if idp_broker == "cloudtrust_saml":
redirect_url = response.headers['Location']
keycloak_cookie_ext = response.cookies
response = req.redirect_to_idp(logger, s, redirect_url, header, keycloak_cookie_ext)
else:
keycloak_cookie_ext = response.cookies
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.find("form", {"id": keycloak_login_form_id})
assert form is not None
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
input_name = []
for input in inputs:
input_name.append(input.get('name'))
assert "username" in input_name
assert "password" in input_name
credentials_data = {}
credentials_data["username"] = idp_username
credentials_data["password"] = idp_password
# Authenticate to the external IDP
response = req.send_credentials_to_idp(logger, s, header, idp2_ip, idp2_port, referer_url, url_form,
credentials_data, {**session_cookie, **keycloak_cookie_ext}, method_form)
assert response.status_code == HTTPStatus.OK or response.status_code == HTTPStatus.FOUND
# get the HTTP binding response with the url to the broker IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
req_token_from_external_idp = Request(
method=method_form,
url="{url}".format(url=url_form),
data=token,
cookies= keycloak_cookie,
headers=header
)
prepared_request = req_token_from_external_idp.prepare()
log_request(logger, req_token_from_external_idp)
response = s.send(prepared_request, verify=False, allow_redirects=False)
logger.debug(response.status_code)
if response.status_code == HTTPStatus.FOUND:
new_cookie = response.cookies
redirect_url = response.headers['Location']
response = req.redirect_to_idp(logger, s, redirect_url, header, {**keycloak_cookie, **new_cookie})
response = req.broker_fill_in_form(logger, s, response, header, keycloak_cookie, new_cookie, idp_broker,
idp_form_id)
# Get the token (SAML response) from the broker IDP
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
decoded_token = base64.b64decode(token['SAMLResponse']).decode("utf-8")
val = idp_attr_tag + "=\"{v}\"".format(v=idp_attr_name)
# assert that the IDP added the location attribute in the token
assert re.search(val, decoded_token) is not None
# assert that the external claim is also in the token
val = idp_attr_tag + "=\"{v}\"".format(v=idp_attr_name_external)
assert re.search(val, decoded_token) is not None
# assert that the claims that come from the external IDP are well in the token
val = idp_attr_tag_broker + "=\"{v}\"".format(v=idp_attr_name_broker)
# assert that the IDP added the location attribute in the token
assert re.search(val, decoded_token) is not None
# Access SP with the token
(response, sp_cookie) = req.access_sp_with_token(logger, s, header, sp_ip, sp_port, sp_scheme, idp_scheme,
idp_ip, idp_port, method_form, url_form, token, session_cookie,
keycloak_cookie)
assert response.status_code == HTTPStatus.OK
# assert that we are logged in
assert re.search(sp_message, response.text) is not None
def test_CT_TC_SAML_IDP_LOGOUT_PERIMETRIC(self, settings, login_sso_form):
"""
Scenario: user is logged in on several SPs.
The user logs out of one SP. Access to all the other SPs should require a new log in.
:param settings:
:return:
"""
s = Session()
# Service provider settings
sp1 = settings["sps_saml"][0]
sp_ip = sp1["ip"]
sp_port = sp1["port"]
sp_scheme = sp1["http_scheme"]
sp_path = sp1["path"]
sp_logout_path = sp1["logout_path"]
sp_message = sp1["logged_out_message"]
sp2 = settings["sps_saml"][1]
sp2_ip = sp2["ip"]
sp2_port = sp2["port"]
sp2_scheme = sp2["http_scheme"]
sp2_path = sp2["path"]
# Identity provider settings
idp_ip = settings["idp"]["ip"]
idp_port = settings["idp"]["port"]
idp_scheme = settings["idp"]["http_scheme"]
# Common header for all the requests
header = req.get_header()
# Perform login using the fixture login_sso_form
sp_cookie, keycloak_cookie = login_sso_form
# User is logged in on SP1
# Perform login on SP2
(session_cookie,
response) = req.access_sp_saml(logger, s, header, sp2_ip, sp2_port,
sp2_scheme, sp2_path, idp_ip, idp_port)
session_cookie2 = response.cookies
redirect_url = response.headers['Location']
header_redirect_idp = {
**header, 'Host': "{ip}:{port}".format(ip=idp_ip, port=idp_port),
'Referer': "{ip}:{port}".format(ip=sp2_ip, port=sp2_port)
}
response = req.redirect_to_idp(logger, s, redirect_url,
header_redirect_idp, {
**keycloak_cookie,
**session_cookie2
})
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
# Get the token (SAML response) from the identity provider
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
(response, sp2_cookie) = req.access_sp_with_token(
logger,
s,
header,
sp2_ip,
sp2_port,
sp2_scheme,
idp_scheme,
idp_ip,
idp_port,
method_form,
url_form,
token,
session_cookie,
session_cookie2,
)
# req_get_sp_login_reload_page = Request(
# method='GET',
# url="{scheme}://{ip}:{port}/{path}".format(
# scheme=sp2_scheme,
# port=sp2_port,
# ip=sp2_ip,
# path=sp2_path
# ),
# headers=header_sp2_reload_page,
# cookies={**session_cookie}
# )
#
# prepared_request = req_get_sp_login_reload_page.prepare()
#
# logger.debug(
# json.dumps(
# prepared_request_to_json(req_get_sp_login_reload_page),
# sort_keys=True,
# indent=4,
# separators=(',', ': ')
# )
# )
#
# response = s.send(prepared_request, verify=False, allow_redirects=False)
#
# logger.debug(response.status_code)
#
# # the user is logged in and refreshing the page will return an OK
# assert response.status_code == 200
# User is now logged in on both applications: SP1 and SP2
# Logout from the first applications
header_sp_logout_page = {
**header, 'Host':
"{ip}:{port}".format(ip=sp_ip, port=sp_port),
'Referer':
"{scheme}://{ip}:{port}".format(scheme=sp_scheme,
ip=sp_ip,
port=sp_port)
}
req_get_sp_logout_page = Request(
method='GET',
url="{scheme}://{ip}:{port}/{path}".format(scheme=sp_scheme,
port=sp_port,
ip=sp_ip,
path=sp_logout_path),
headers=header_sp_logout_page,
cookies={**sp_cookie})
prepared_request = req_get_sp_logout_page.prepare()
log_request(logger, req_get_sp_logout_page)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
# new session cookie
session_cookie2 = response.cookies
# SP redirects me to IDP with a SAML request
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
method_form = form.get('method')
inputs = form.find_all('input')
# Do a SAML request to the identity provider
saml_request = {}
for input in inputs:
saml_request[input.get('name')] = input.get('value')
header_redirect_idp = {
**header,
'Host':
"{ip}:{port}".format(ip=idp_ip, port=idp_port),
'Referer':
"{scheme}://{ip}:{port}/{path}".format(scheme=sp_scheme,
ip=sp_ip,
port=sp_port,
path=sp_logout_path),
}
req_idp_saml_request = Request(method=method_form,
url="{url}".format(url=url_form),
data=saml_request,
headers=header_redirect_idp)
prepared_request = req_idp_saml_request.prepare()
log_request(logger, req_idp_saml_request)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
assert response.status_code == HTTPStatus.OK
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
url_form = form.get('action')
inputs = form.find_all('input')
method_form = form.get('method')
# Get the token (SAML response) from the identity provider
token = {}
for input in inputs:
token[input.get('name')] = input.get('value')
header_idp_saml_response = {
**header,
'Host':
"{ip}:{port}".format(ip=sp_ip, port=sp_port),
'Referer':
"{scheme}://{ip}:{port}".format(scheme=idp_scheme,
ip=idp_ip,
port=idp_port),
}
# Provide to the SP the SAML response
req_sp_saml_response = Request(method=method_form,
url="{url}".format(url=url_form),
data=token,
headers=header_idp_saml_response)
prepared_request = req_sp_saml_response.prepare()
log_request(logger, req_sp_saml_response)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
url_sp = response.headers['Location']
req_logout = Request(method='GET',
url="{url}".format(url=url_sp),
headers=header_idp_saml_response)
prepared_request = req_logout.prepare()
log_request(logger, req_logout)
response = s.send(prepared_request, verify=False)
logger.debug(response.status_code)
assert response.status_code == HTTPStatus.OK
# Assert the logout page is displayed
assert re.search(sp_message, response.text) is not None
# Check that when the user accesses the secured page of SP1 with the old session cookie,
# he receives a 200 with the SAML request
header_sp_reload_page = {
**header, 'Host':
"{ip}:{port}".format(ip=sp_ip, port=sp_port),
'Referer':
"{scheme}://{ip}:{port}".format(scheme=idp_scheme,
ip=idp_ip,
port=idp_port)
}
req_get_sp_login_reload_page = Request(
method='GET',
url="{scheme}://{ip}:{port}/{path}".format(scheme=sp_scheme,
port=sp_port,
ip=sp_ip,
path=sp_path),
headers=header_sp_reload_page,
cookies={**session_cookie})
prepared_request = req_get_sp_login_reload_page.prepare()
log_request(logger, req_get_sp_login_reload_page)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
assert response.status_code == HTTPStatus.OK
# Response should return a form that requests a post with RelayState and SAMLRequest as input
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
inputs = form.find_all('input')
# Check we get RelayState and SAMLRequest
input_name = []
for input in inputs:
input_name.append(input.get('name'))
assert "RelayState" in input_name
assert "SAMLRequest" in input_name
# Check if the user is logged out from SP2: perform a refresh of the page; we expect to get a 200 with a form
# containing the SAMLRequest
header_sp2_reload_page = {
**header, 'Host':
"{ip}:{port}".format(ip=sp2_ip, port=sp2_port),
'Referer':
"{scheme}://{ip}:{port}".format(scheme=idp_scheme,
ip=idp_ip,
port=idp_port)
}
req_get_sp_login_reload_page = Request(
method='GET',
url="{scheme}://{ip}:{port}/{path}".format(scheme=sp2_scheme,
port=sp2_port,
ip=sp2_ip,
path=sp2_path),
headers=header_sp2_reload_page,
cookies={**session_cookie})
prepared_request = req_get_sp_login_reload_page.prepare()
log_request(logger, req_get_sp_login_reload_page)
response = s.send(prepared_request,
verify=False,
allow_redirects=False)
logger.debug(response.status_code)
assert response.status_code == HTTPStatus.OK
# Response should return a form that requests a post with RelayState and SAMLRequest as input
soup = BeautifulSoup(response.content, 'html.parser')
form = soup.body.form
inputs = form.find_all('input')
# Check we get a form with input RelayState and SAMLRequest
input_name = []
for input in inputs:
input_name.append(input.get('name'))
assert "RelayState" in input_name
assert "SAMLRequest" in input_name
