/*
* JBoss, Home of Professional Open Source.
* Copyright 2014, Red Hat, Inc., and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.as.test.integration.security.picketlink;
import static org.junit.Assert.assertEquals;
import java.net.URL;
import java.util.LinkedList;
import java.util.List;
import javax.naming.Context;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.config.AuthSchemes;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.OperateOnDeployment;
import org.jboss.arquillian.container.test.api.RunAsClient;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.arquillian.test.api.ArquillianResource;
import org.jboss.as.arquillian.api.ServerSetup;
import org.jboss.as.arquillian.api.ServerSetupTask;
import org.jboss.as.network.NetworkUtils;
import org.jboss.as.security.Constants;
import org.jboss.as.test.integration.security.common.AbstractKrb5ConfServerSetupTask;
import org.jboss.as.test.integration.security.common.AbstractSecurityDomainsServerSetupTask;
import org.jboss.as.test.integration.security.common.Krb5LoginConfiguration;
import org.jboss.as.test.integration.security.common.NullHCCredentials;
import org.jboss.as.test.integration.security.common.Utils;
import org.jboss.as.test.integration.security.common.config.SecurityDomain;
import org.jboss.as.test.integration.security.common.config.SecurityModule;
import org.jboss.as.test.integration.security.common.negotiation.JBossNegotiateSchemeFactory;
import org.jboss.as.test.integration.security.common.negotiation.KerberosTestUtils;
import org.jboss.as.test.integration.security.common.servlets.PrintAttributeServlet;
import org.jboss.logging.Logger;
import org.jboss.shrinkwrap.api.ShrinkWrap;
import org.jboss.shrinkwrap.api.asset.StringAsset;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test;
import org.junit.runner.RunWith;
/**
* This class tests passUserPrincipalToAttributeManager attribute of Picketlink's IDPWebBrowserSSOValve. It's a regression test
* for attribute mapping in Identity Provider (IdP) when SPNEGO (Kerberos) authentication is used.
* <p>
* PLINK-405
*
* @author Josef Cacek
*/
@RunWith(Arquillian.class)
@RunAsClient
@ServerSetup({KerberosServerSetupTask.Krb5ConfServerSetupTask.class, KerberosServerSetupTask.SystemPropertiesSetup.class,
KerberosServerSetupTask.class, SAML2AttributeMappingTestCase.SecurityDomainsSetup.class})
@Ignore("AS7-6796 - Undertow SPNEGO")
public class SAML2AttributeMappingTestCase {
private static final String SP_RESPONSE_BODY = "Welcome to SP";
private static Logger LOGGER = Logger.getLogger(SAML2AttributeMappingTestCase.class);
protected static final String IDP = "idp";
protected static final String SP = "sp";
private static final String IDP_CONTEXT_PATH = "idp";
@ArquillianResource
@OperateOnDeployment(IDP)
private URL idpUrl;
@ArquillianResource
@OperateOnDeployment(SP)
private URL spUrl;
/**
* Skip unsupported/unstable/buggy Kerberos configurations.
*/
@Before
public void before() {
KerberosTestUtils.assumeKerberosAuthenticationSupported();
}
@Deployment(name = IDP)
public static WebArchive deploymentIdP() {
LOGGER.trace("Start deployment " + IDP);
final WebArchive war = ShrinkWrap.create(WebArchive.class, IDP + ".war");
war.addAsWebInfResource(SAML2AttributeMappingTestCase.class.getPackage(), "attrib-web.xml", "web.xml");
war.addAsManifestResource(Utils.getJBossDeploymentStructure("org.jboss.security.negotiation", "org.picketlink"),
"jboss-deployment-structure.xml");
war.addAsWebInfResource(new StringAsset(PicketLinkTestBase.propertiesReplacer("picketlink-idp.xml", IDP, "", IDP)),
"picketlink.xml");
war.add(new StringAsset("Welcome to IdP"), "index.jsp");
war.add(new StringAsset("Welcome to IdP hosted"), "hosted/index.jsp");
war.addAsWebInfResource(SAML2AttributeMappingTestCase.class.getPackage(), "attrib-jboss-web.xml", "jboss-web.xml");
return war;
}
@Deployment(name = SP)
public static WebArchive deploymentSP() {
LOGGER.trace("Start deployment " + SP);
final WebArchive war = ShrinkWrap.create(WebArchive.class, SP + ".war");
war.addAsWebInfResource(SAML2AttributeMappingTestCase.class.getPackage(), "attrib-web.xml", "web.xml");
war.addAsWebInfResource(Utils.getJBossWebXmlAsset("sp",
"org.picketlink.identity.federation.bindings.tomcat.sp.ServiceProviderAuthenticator"), "jboss-web.xml");
war.addAsManifestResource(Utils.getJBossDeploymentStructure("org.picketlink"), "jboss-deployment-structure.xml");
war.addAsWebInfResource(
new StringAsset(PicketLinkTestBase.propertiesReplacer("picketlink-sp.xml", SP, "REDIRECT", IDP_CONTEXT_PATH)),
"picketlink.xml");
war.add(new StringAsset(SP_RESPONSE_BODY), "index.jsp");
war.addClass(PrintAttributeServlet.class);
return war;
}
/**
* Tests IDP attribute mapping when passUserPrincipalToAttributeManager is set to "true". Automatic handling of redirections
* is enabled for HTTP client used.
*
* @throws Exception
*/
@Test
public void testPassUserPrincipalToAttributeManager() throws Exception {
Registry<AuthSchemeProvider> authSchemeRegistry = RegistryBuilder.<AuthSchemeProvider> create()
.register(AuthSchemes.SPNEGO, new JBossNegotiateSchemeFactory(true))
.build();
CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
credentialsProvider.setCredentials(new AuthScope(null, -1, null), new NullHCCredentials());
try (final CloseableHttpClient httpClient = HttpClientBuilder.create()
.setDefaultAuthSchemeRegistry(authSchemeRegistry)
.setDefaultCredentialsProvider(credentialsProvider)
.setRedirectStrategy(Utils.REDIRECT_STRATEGY)
.build()) {
String response = PicketLinkTestBase.makeCallWithKerberosAuthn(spUrl.toURI(), httpClient, "jduke", "theduke", 200);
assertEquals("SP index page was not reached", SP_RESPONSE_BODY, response);
response = PicketLinkTestBase.makeCall(new URL(spUrl.toString() + PrintAttributeServlet.SERVLET_PATH.substring(1)),
httpClient, 200);
assertEquals("cn attribute not stored", "Java Duke", response);
}
}
/**
* A {@link ServerSetupTask} instance which creates security domains for this test case.
*/
static class SecurityDomainsSetup extends AbstractSecurityDomainsServerSetupTask {
private static final String SERVER_SECURITY_DOMAIN = "host";
/**
* Returns SecurityDomains configuration for this testcase.
*
* @see org.jboss.as.test.integration.security.common.AbstractSecurityDomainsServerSetupTask#getSecurityDomains()
*/
@Override
protected SecurityDomain[] getSecurityDomains() {
List<SecurityDomain> res = new LinkedList<SecurityDomain>();
// Add host security domain
res.add(new SecurityDomain.Builder()
.name(SERVER_SECURITY_DOMAIN)
.cacheType("default")
.loginModules(
new SecurityModule.Builder()
.name(Krb5LoginConfiguration.getLoginModule())
.flag(Constants.REQUIRED)
.options(
Krb5LoginConfiguration.getOptions(
KerberosServerSetupTask.getHttpServicePrincipal(managementClient),
AbstractKrb5ConfServerSetupTask.HTTP_KEYTAB_FILE, true)).build()).build());
// Add IdP security domain
res.add(new SecurityDomain.Builder()
.name(IDP)
.loginModules(
new SecurityModule.Builder()
// Login module used for password negotiation
.name("SPNEGO").flag(Constants.REQUISITE).putOption("password-stacking", "useFirstPass")
.putOption("serverSecurityDomain", SERVER_SECURITY_DOMAIN)
.putOption("removeRealmFromPrincipal", "true").build(),
new SecurityModule.Builder()
// Login module used for role retrieval
.name("org.jboss.security.auth.spi.LdapExtLoginModule")
.flag(Constants.REQUIRED)
.putOption("password-stacking", "useFirstPass")
.putOption(
Context.PROVIDER_URL,
"ldap://"
+ NetworkUtils.formatPossibleIpv6Address(Utils
.getCannonicalHost(managementClient)) + ":"
+ KerberosServerSetupTask.LDAP_PORT)
.putOption("baseCtxDN", "ou=People,dc=jboss,dc=org").putOption("baseFilter", "(uid={0})")
.putOption("rolesCtxDN", "ou=Roles,dc=jboss,dc=org")
.putOption("roleFilter", "(|(objectClass=referral)(member={1}))")
.putOption("roleAttributeID", "cn").putOption("referralUserAttributeIDToCheck", "member")
.putOption("bindDN", KerberosServerSetupTask.SECURITY_PRINCIPAL)
.putOption("bindCredential", KerberosServerSetupTask.SECURITY_CREDENTIALS)
.putOption(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory")
.putOption(Context.SECURITY_AUTHENTICATION, "simple").putOption(Context.REFERRAL, "follow")
.putOption("throwValidateError", "true").putOption("roleRecursion", "5").build())
.mappingModules(
new SecurityModule.Builder()
.name("org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider")
.flag("attribute")
.putOption(
Context.PROVIDER_URL,
"ldap://"
+ NetworkUtils.formatPossibleIpv6Address(Utils
.getCannonicalHost(managementClient)) + ":"
+ KerberosServerSetupTask.LDAP_PORT)
.putOption("bindDN", KerberosServerSetupTask.SECURITY_PRINCIPAL)
.putOption("bindCredential", KerberosServerSetupTask.SECURITY_CREDENTIALS)
.putOption("baseCtxDN", "ou=People,dc=jboss,dc=org").putOption("baseFilter", "(uid={0})")
.putOption("attributeList", "cn,sn").putOption("searchTimeLimit", "10000")//
.build()) //
.build());
// Add SP security domain
res.add(new SecurityDomain.Builder()
.name(SP)
.loginModules(
new SecurityModule.Builder()
.name("org.picketlink.identity.federation.bindings.jboss.auth.SAML2LoginModule")
.flag(Constants.REQUIRED).build()).build());
return res.toArray(new SecurityDomain[0]);
}
}
}