From 998c663f0d497ba6fe5d4e848ac192bcb90b491a Mon Sep 17 00:00:00 2001
From: Ioannis Kakavas
Date: Tue, 27 Nov 2018 08:18:18 +0200
Subject: [PATCH] Add Tests for findSamlRealm (#35905)

This commit adds a test for handling correctly all they possible `SamlPrepareAuthenticationRequest` parameter combinations that we might get from Kibana or a custom web application talking to the SAML APIs. We can match the correct SAML realm based either on the realm name or the ACS URL. If both are included in the request then both need to match the realm configuration.
---
 .../security/authc/saml/SamlRealmTests.java | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
index 03423b5a067..b5280082737 100644
--- a/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
+++ b/x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlRealmTests.java
@@ -30,6 +30,7 @@ import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
 import org.elasticsearch.xpack.core.ssl.PemUtils;
 import org.elasticsearch.xpack.core.ssl.SSLService;
 import org.elasticsearch.xpack.core.ssl.TestsSSLService;
+import org.elasticsearch.xpack.security.authc.Realms;
 import org.elasticsearch.xpack.security.authc.support.MockLookupRealm;
 import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
 import org.hamcrest.Matchers;
@@ -64,6 +65,7 @@ import java.util.Locale;
 import java.util.Set;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Supplier;
+import java.util.stream.Stream;
 
 import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey;
 import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
@@ -630,6 +632,35 @@ public class SamlRealmTests extends SamlTestCase {
 }
 }
 
+ public void testCorrectRealmSelected() throws Exception {
+ final String acsUrl = "https://idp.test/saml/login";
+ final UserRoleMapper roleMapper = mock(UserRoleMapper.class);
+ final EntityDescriptor idp = mockIdp();
+ final SpConfiguration sp = new SpConfiguration("", acsUrl, null, null, null, Collections.emptyList());
+ final SamlAuthenticator authenticator = mock(SamlAuthenticator.class);
+ final SamlLogoutRequestHandler logoutHandler = mock(SamlLogoutRequestHandler.class);
+ final Settings.Builder realmSettings = Settings.builder()
+ .put(getFullSettingKey(REALM_NAME, SamlRealmSettings.PRINCIPAL_ATTRIBUTE.getAttribute()), "uid")
+ .put(getFullSettingKey(REALM_NAME, SamlRealmSettings.IDP_METADATA_PATH), "http://url.to/metadata")
+ .put(getFullSettingKey(REALM_NAME, SamlRealmSettings.IDP_ENTITY_ID), TEST_IDP_ENTITY_ID)
+ .put(getFullSettingKey(REALM_NAME, SamlRealmSettings.SP_ACS), acsUrl);
+ final RealmConfig config = buildConfig(realmSettings.build());
+ final SamlRealm realm = buildRealm(config, roleMapper, authenticator, logoutHandler, idp, sp);
+ final Realms realms = mock(Realms.class);
+ when(realms.realm(REALM_NAME)).thenReturn(realm);
+ when(realms.stream()).thenAnswer(i -> Stream.of(realm));
+ final String emptyRealmName = randomBoolean() ? 
null : "";
+ assertThat(SamlRealm.findSamlRealms(realms, emptyRealmName, acsUrl).size(), equalTo(1));
+ assertThat(SamlRealm.findSamlRealms(realms, emptyRealmName, acsUrl).get(0), equalTo(realm));
+ assertThat(SamlRealm.findSamlRealms(realms, "my-saml", acsUrl).size(), equalTo(1));
+ assertThat(SamlRealm.findSamlRealms(realms, "my-saml", acsUrl).get(0), equalTo(realm));
+ assertThat(SamlRealm.findSamlRealms(realms, "my-saml", null).size(), equalTo(1));
+ assertThat(SamlRealm.findSamlRealms(realms, "my-saml", null).get(0), equalTo(realm));
+ assertThat(SamlRealm.findSamlRealms(realms, "my-saml", "https://idp.test:443/saml/login").size(), equalTo(0));
+ assertThat(SamlRealm.findSamlRealms(realms, "incorrect", acsUrl).size(), equalTo(0));
+ assertThat(SamlRealm.findSamlRealms(realms, "incorrect", "https://idp.test:443/saml/login").size(), equalTo(0));
+ }
+
 private EntityDescriptor mockIdp() {
 final EntityDescriptor descriptor = mock(EntityDescriptor.class);
 when(descriptor.getEntityID()).thenReturn("https://idp.saml/");
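Review bot: Five of the `findSamlRealms` assertions match on the literal `"my-saml"` while the realm is configured and registered under `REALM_NAME` (`when(realms.realm(REALM_NAME)).thenReturn(realm)` a few lines earlier), so the realm-name cases only exercise the selection logic if that constant happens to hold the same value, and a rename of `REALM_NAME` would make them fail for a reason unrelated to realm selection. Using the constant, `SamlRealm.findSamlRealms(realms, REALM_NAME, acsUrl)`, ties the assertions to the realm the test actually built. The two `"https://idp.test:443/saml/login"` cases deserve a one-line comment, since they pin down the security-relevant behaviour that an ACS URL differing from the configured one only by an explicit default port is rejected, which suggests the comparison is a literal string match rather than URL normalization; e.g. `// ACS URL must match the configured value exactly: an equivalent URL with an explicit default port is not accepted`. The `mockIdp()` helper whose first lines close the hunk continues outside it.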