Add Tests for findSamlRealm (#35905)
This commit adds a test for handling correctly all they possible `SamlPrepareAuthenticationRequest` parameter combinations that we might get from Kibana or a custom web application talking to the SAML APIs. We can match the correct SAML realm based either on the realm name or the ACS URL. If both are included in the request then both need to match the realm configuration.
This commit is contained in:
parent
5b427d415e
commit
998c663f0d
|
@ -30,6 +30,7 @@ import org.elasticsearch.xpack.core.ssl.CertParsingUtils;
|
||||||
import org.elasticsearch.xpack.core.ssl.PemUtils;
|
import org.elasticsearch.xpack.core.ssl.PemUtils;
|
||||||
import org.elasticsearch.xpack.core.ssl.SSLService;
|
import org.elasticsearch.xpack.core.ssl.SSLService;
|
||||||
import org.elasticsearch.xpack.core.ssl.TestsSSLService;
|
import org.elasticsearch.xpack.core.ssl.TestsSSLService;
|
||||||
|
import org.elasticsearch.xpack.security.authc.Realms;
|
||||||
import org.elasticsearch.xpack.security.authc.support.MockLookupRealm;
|
import org.elasticsearch.xpack.security.authc.support.MockLookupRealm;
|
||||||
import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
|
import org.elasticsearch.xpack.security.authc.support.UserRoleMapper;
|
||||||
import org.hamcrest.Matchers;
|
import org.hamcrest.Matchers;
|
||||||
|
@ -64,6 +65,7 @@ import java.util.Locale;
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
import java.util.concurrent.atomic.AtomicReference;
|
import java.util.concurrent.atomic.AtomicReference;
|
||||||
import java.util.function.Supplier;
|
import java.util.function.Supplier;
|
||||||
|
import java.util.stream.Stream;
|
||||||
|
|
||||||
import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey;
|
import static org.elasticsearch.xpack.core.security.authc.RealmSettings.getFullSettingKey;
|
||||||
import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
|
import static org.hamcrest.Matchers.arrayContainingInAnyOrder;
|
||||||
|
@ -630,6 +632,35 @@ public class SamlRealmTests extends SamlTestCase {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void testCorrectRealmSelected() throws Exception {
|
||||||
|
final String acsUrl = "https://idp.test/saml/login";
|
||||||
|
final UserRoleMapper roleMapper = mock(UserRoleMapper.class);
|
||||||
|
final EntityDescriptor idp = mockIdp();
|
||||||
|
final SpConfiguration sp = new SpConfiguration("<sp>", acsUrl, null, null, null, Collections.emptyList());
|
||||||
|
final SamlAuthenticator authenticator = mock(SamlAuthenticator.class);
|
||||||
|
final SamlLogoutRequestHandler logoutHandler = mock(SamlLogoutRequestHandler.class);
|
||||||
|
final Settings.Builder realmSettings = Settings.builder()
|
||||||
|
.put(getFullSettingKey(REALM_NAME, SamlRealmSettings.PRINCIPAL_ATTRIBUTE.getAttribute()), "uid")
|
||||||
|
.put(getFullSettingKey(REALM_NAME, SamlRealmSettings.IDP_METADATA_PATH), "http://url.to/metadata")
|
||||||
|
.put(getFullSettingKey(REALM_NAME, SamlRealmSettings.IDP_ENTITY_ID), TEST_IDP_ENTITY_ID)
|
||||||
|
.put(getFullSettingKey(REALM_NAME, SamlRealmSettings.SP_ACS), acsUrl);
|
||||||
|
final RealmConfig config = buildConfig(realmSettings.build());
|
||||||
|
final SamlRealm realm = buildRealm(config, roleMapper, authenticator, logoutHandler, idp, sp);
|
||||||
|
final Realms realms = mock(Realms.class);
|
||||||
|
when(realms.realm(REALM_NAME)).thenReturn(realm);
|
||||||
|
when(realms.stream()).thenAnswer(i -> Stream.of(realm));
|
||||||
|
final String emptyRealmName = randomBoolean() ? null : "";
|
||||||
|
assertThat(SamlRealm.findSamlRealms(realms, emptyRealmName, acsUrl).size(), equalTo(1));
|
||||||
|
assertThat(SamlRealm.findSamlRealms(realms, emptyRealmName, acsUrl).get(0), equalTo(realm));
|
||||||
|
assertThat(SamlRealm.findSamlRealms(realms, "my-saml", acsUrl).size(), equalTo(1));
|
||||||
|
assertThat(SamlRealm.findSamlRealms(realms, "my-saml", acsUrl).get(0), equalTo(realm));
|
||||||
|
assertThat(SamlRealm.findSamlRealms(realms, "my-saml", null).size(), equalTo(1));
|
||||||
|
assertThat(SamlRealm.findSamlRealms(realms, "my-saml", null).get(0), equalTo(realm));
|
||||||
|
assertThat(SamlRealm.findSamlRealms(realms, "my-saml", "https://idp.test:443/saml/login").size(), equalTo(0));
|
||||||
|
assertThat(SamlRealm.findSamlRealms(realms, "incorrect", acsUrl).size(), equalTo(0));
|
||||||
|
assertThat(SamlRealm.findSamlRealms(realms, "incorrect", "https://idp.test:443/saml/login").size(), equalTo(0));
|
||||||
|
}
|
||||||
|
|
||||||
private EntityDescriptor mockIdp() {
|
private EntityDescriptor mockIdp() {
|
||||||
final EntityDescriptor descriptor = mock(EntityDescriptor.class);
|
final EntityDescriptor descriptor = mock(EntityDescriptor.class);
|
||||||
when(descriptor.getEntityID()).thenReturn("https://idp.saml/");
|
when(descriptor.getEntityID()).thenReturn("https://idp.saml/");
|
||||||
|
|
Loading…
Reference in New Issue