Add Tests for findSamlRealm (#35905)

This commit adds a test that correctly handles all the possible 
`SamlPrepareAuthenticationRequest` parameter combinations that 
we might get from Kibana or a custom web application talking to the
SAML APIs. 
We can match the correct SAML realm based either on the realm name
or the ACS URL. If both are included in the request then both need to 
match the realm configuration.
This commit is contained in:
Ioannis Kakavas 2018-11-27 08:18:18 +02:00 committed by GitHub
parent 5b427d415e
commit 998c663f0d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 31 additions and 0 deletions


@ -30,6 +30,7 @@ import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
import org.elasticsearch.xpack.core.ssl.PemUtils; import org.elasticsearch.xpack.core.ssl.PemUtils;
import org.elasticsearch.xpack.core.ssl.SSLService; import org.elasticsearch.xpack.core.ssl.SSLService;
import org.elasticsearch.xpack.core.ssl.TestsSSLService; import org.elasticsearch.xpack.core.ssl.TestsSSLService;
import org.elasticsearch.xpack.security.authc.Realms;
import org.elasticsearch.xpack.security.authc.support.MockLookupRealm; import org.elasticsearch.xpack.security.authc.support.MockLookupRealm;
import org.elasticsearch.xpack.security.authc.support.UserRoleMapper; import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
import org.hamcrest.Matchers; import org.hamcrest.Matchers;
@ -64,6 +65,7 @@ import java.util.Locale;
import java.util.Set; import java.util.Set;
import java.util.concurrent.atomic.AtomicReference; import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier; import java.util.function.Supplier;
import java.util.stream.Stream;
import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey; import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey;
import static org.hamcrest.Matchers.arrayContainingInAnyOrder; import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
@ -630,6 +632,35 @@ public class SamlRealmTests extends SamlTestCase {
} }
} }
public void testCorrectRealmSelected() throws Exception {
final String acsUrl = "https://idp.test/saml/login";
final UserRoleMapper roleMapper = mock(UserRoleMapper.class);
final EntityDescriptor idp = mockIdp();
final SpConfiguration sp = new SpConfiguration("<sp>", acsUrl, null, null, null, Collections.emptyList());
final SamlAuthenticator authenticator = mock(SamlAuthenticator.class);
final SamlLogoutRequestHandler logoutHandler = mock(SamlLogoutRequestHandler.class);
final Settings.Builder realmSettings = Settings.builder()
.put(getFullSettingKey(REALM_NAME, SamlRealmSettings.PRINCIPAL_ATTRIBUTE.getAttribute()), "uid")
.put(getFullSettingKey(REALM_NAME, SamlRealmSettings.IDP_METADATA_PATH), "http://url.to/metadata")
.put(getFullSettingKey(REALM_NAME, SamlRealmSettings.IDP_ENTITY_ID), TEST_IDP_ENTITY_ID)
.put(getFullSettingKey(REALM_NAME, SamlRealmSettings.SP_ACS), acsUrl);
final RealmConfig config = buildConfig(realmSettings.build());
final SamlRealm realm = buildRealm(config, roleMapper, authenticator, logoutHandler, idp, sp);
final Realms realms = mock(Realms.class);
when(realms.realm(REALM_NAME)).thenReturn(realm);
when(realms.stream()).thenAnswer(i -> Stream.of(realm));
final String emptyRealmName = randomBoolean() ? null : "";
assertThat(SamlRealm.findSamlRealms(realms, emptyRealmName, acsUrl).size(), equalTo(1));
assertThat(SamlRealm.findSamlRealms(realms, emptyRealmName, acsUrl).get(0), equalTo(realm));
assertThat(SamlRealm.findSamlRealms(realms, "my-saml", acsUrl).size(), equalTo(1));
assertThat(SamlRealm.findSamlRealms(realms, "my-saml", acsUrl).get(0), equalTo(realm));
assertThat(SamlRealm.findSamlRealms(realms, "my-saml", null).size(), equalTo(1));
assertThat(SamlRealm.findSamlRealms(realms, "my-saml", null).get(0), equalTo(realm));
assertThat(SamlRealm.findSamlRealms(realms, "my-saml", "https://idp.test:443/saml/login").size(), equalTo(0));
assertThat(SamlRealm.findSamlRealms(realms, "incorrect", acsUrl).size(), equalTo(0));
assertThat(SamlRealm.findSamlRealms(realms, "incorrect", "https://idp.test:443/saml/login").size(), equalTo(0));
}
private EntityDescriptor mockIdp() { private EntityDescriptor mockIdp() {
final EntityDescriptor descriptor = mock(EntityDescriptor.class); final EntityDescriptor descriptor = mock(EntityDescriptor.class);
when(descriptor.getEntityID()).thenReturn("https://idp.saml/"); when(descriptor.getEntityID()).thenReturn("https://idp.saml/");
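Review bot: The name-absent branch is only exercised with a matching ACS URL; `findSamlRealms(realms, emptyRealmName, "https://idp.test:443/saml/login")` is never asserted to return an empty list, so a regression that skipped the ACS comparison whenever no realm name is supplied would still pass this test. The both-absent case, `findSamlRealms(realms, emptyRealmName, null)`, is likewise not pinned, although its result decides which realm handles a request that names neither, so its expected value (the single realm, or none) should be asserted explicitly. Registering a second mock realm with a different ACS URL would also show that the ACS-only lookup discriminates between realms rather than merely finding the only one present. `REALM_NAME` is defined outside the hunk, so this note assumes it equals `"my-saml"`, and the `mockIdp` body continues past the hunk.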