Java Code Examples for com.gargoylesoftware.htmlunit.html.HtmlPage#getFormByName()

@Test
public void defaultWorkspaceVolume() throws Exception {
    KubernetesCloud cloud = new KubernetesCloud("kubernetes");
    j.jenkins.clouds.add(cloud);
    j.jenkins.save();
    JenkinsRule.WebClient wc = j.createWebClient();
    HtmlPage p = wc.goTo("configureClouds/");
    HtmlForm f = p.getFormByName("config");
    HtmlButton buttonExtends = HtmlFormUtil.getButtonByCaption(f, "Pod Templates...");
    buttonExtends.click();
    HtmlButton buttonAdd = HtmlFormUtil.getButtonByCaption(f, "Add Pod Template");
    buttonAdd.click();
    HtmlButton buttonDetails = HtmlFormUtil.getButtonByCaption(f, "Pod Template details...");
    buttonDetails.click();
    DomElement templates = p.getElementByName("templates");
    HtmlInput templateName = getInputByName(templates, "_.name");
    templateName.setValueAttribute("default-workspace-volume");
    j.submit(f);
    cloud = j.jenkins.clouds.get(KubernetesCloud.class);
    PodTemplate podTemplate = cloud.getTemplates().get(0);
    assertEquals("default-workspace-volume", podTemplate.getName());
    assertEquals(WorkspaceVolume.getDefault(), podTemplate.getWorkspaceVolume());
}
 

public static String loginWithCookieManager(String url, String user, String password, String idpPort,
        String formName, CookieManager cookieManager) throws IOException {
    final WebClient webClient = new WebClient();
    webClient.setCookieManager(cookieManager);
    webClient.getOptions().setUseInsecureSSL(true);
    webClient.getCredentialsProvider().setCredentials(
        new AuthScope("localhost", Integer.parseInt(idpPort)),
        new UsernamePasswordCredentials(user, password));

    webClient.getOptions().setJavaScriptEnabled(false);
    final HtmlPage idpPage = webClient.getPage(url);
    webClient.getOptions().setJavaScriptEnabled(true);
    Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());

    final HtmlForm form = idpPage.getFormByName(formName);
    final HtmlSubmitInput button = form.getInputByName("_eventId_submit");

    final HtmlPage rpPage = button.click();
    Assert.assertTrue("WS Federation Systests Examples".equals(rpPage.getTitleText())
                      || "WS Federation Systests Spring Examples".equals(rpPage.getTitleText()));

    webClient.close();
    return rpPage.getBody().getTextContent();
}
 

@org.junit.Test
public void testSAMLTokenWithNonMatchingAudienceRestriction() throws Exception {
    String url = "https://localhost:" + TomcatLauncher.getRpHttpsPort() + '/' + SERVLET_CONTEXT_NAME
            + "/secure/fedservlet";
    String user = "alice";
    String password = "ecila";

    final WebClient webClient = new WebClient();
    webClient.getOptions().setUseInsecureSSL(true);
    webClient.getCredentialsProvider().setCredentials(
        new AuthScope("localhost", Integer.parseInt(TomcatLauncher.getIdpHttpsPort())),
        new UsernamePasswordCredentials(user, password));

    webClient.getOptions().setJavaScriptEnabled(false);
    final HtmlPage idpPage = webClient.getPage(url);
    webClient.getOptions().setJavaScriptEnabled(true);
    Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());

    final HtmlForm form = idpPage.getFormByName("signinresponseform");
    final HtmlSubmitInput button = form.getInputByName("_eventId_submit");

    try {
        button.click();
        Assert.fail("Failure expected on a bad audience restriction value");
    } catch (FailingHttpStatusCodeException ex) {
        Assert.assertEquals(ex.getStatusCode(), 401);
    }

    webClient.close();
}
 

@Test
public void testFrenchValidationMessage() throws Exception {

    HtmlPage page1 = webClient.getPage(webUrl + "resources/validation?lang=fr");
    HtmlForm form1 = page1.getFormByName("form");
    form1.getInputByName("name").setValueAttribute("foo");

    HtmlPage page2 = form1.getInputByName("button").click();
    assertThat(page2.getWebResponse().getContentAsString(),
            CoreMatchers.containsString("entre 5 et 10"));

}
 

@Test
public void doReplace_should_trim_input() throws Exception {
    HtmlPage page = j.createWebClient().goTo("configuration-as-code");
    j.assertGoodStatus(page);

    HtmlForm form = page.getFormByName("replace");
    HtmlInput input = form.getInputByName("_.newSource");
    String configUri = getClass().getResource("merge3.yml").toExternalForm();
    input.setValueAttribute("  " + configUri + "  ");
    HtmlPage resultPage = j.submit(form);
    j.assertGoodStatus(resultPage);

    assertEquals("Configured by Configuration as Code plugin", j.jenkins.getSystemMessage());
}
 

@Test
public void testFrenchValidationMessage() throws Exception {

    HtmlPage page1 = webClient.getPage(webUrl + "resources/validation?lang=fr");
    HtmlForm form1 = page1.getFormByName("form");
    form1.getInputByName("name").setValueAttribute("foo");

    HtmlPage page2 = form1.getInputByName("button").click();
    assertThat(page2.getWebResponse().getContentAsString(),
            CoreMatchers.containsString("entre 5 et 10"));

}
 

public static void logout(String url, CookieManager cookieManager, boolean wsfed) throws IOException {
    final WebClient webClient = new WebClient();
    webClient.setCookieManager(cookieManager);
    webClient.getOptions().setUseInsecureSSL(true);
    final HtmlPage idpPage = webClient.getPage(url);

    Assert.assertEquals("IDP SignOut Confirmation Response Page", idpPage.getTitleText());

    final HtmlForm form = idpPage.getFormByName("signoutconfirmationresponseform");
    final HtmlSubmitInput button = form.getInputByName("_eventId_submit");

    webClient.getOptions().setJavaScriptEnabled(false);
    final HtmlPage idpLogoutPage = button.click();
    webClient.getOptions().setJavaScriptEnabled(true);

    if (wsfed) {
        DomNodeList<DomElement> images = idpLogoutPage.getElementsByTagName("img");
        Assert.assertEquals(1, images.getLength());
        for (int i = 0; i < images.size(); i++) {
            DomElement domElement = images.get(i);
            String imgSrc = domElement.getAttribute("src");

            //we should get a fault if the image isn't available.
            webClient.getPage(imgSrc);
        }
    } else {
        // For SAML SSO we will be redirected back to the RP
        HtmlForm responseForm = idpLogoutPage.getFormByName("samlsignoutresponseform");
        HtmlSubmitInput button2 = responseForm.getInputByName("_eventId_submit");
        button2.click();
    }

    webClient.close();
}
 

private static String login(String url, String user, String password,
                            String idpPort, String rpIdpPort) throws IOException {
    //
    // Access the RP + get redirected to the IdP for "realm a". Then get redirected to the IdP for
    // "realm b".
    //
    final WebClient webClient = new WebClient();
    CookieManager cookieManager = new CookieManager();
    webClient.setCookieManager(cookieManager);
    webClient.getOptions().setUseInsecureSSL(true);
    webClient.getCredentialsProvider().setCredentials(
        new AuthScope("localhost", Integer.parseInt(idpPort)),
        new UsernamePasswordCredentials(user, password));

    webClient.getOptions().setJavaScriptEnabled(false);
    HtmlPage idpPage = webClient.getPage(url);

    Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());

    // Now redirect back to the IdP for Realm A
    HtmlForm form = idpPage.getFormByName("signinresponseform");

    HtmlSubmitInput button = form.getInputByName("_eventId_submit");

    HtmlPage idpPageRealmA = button.click();

    Assert.assertTrue("SAML IDP Response Form".equals(idpPage.getTitleText())
                      || "IDP SignIn Response Form".equals(idpPage.getTitleText()));
    form = idpPageRealmA.getFormByName("samlsigninresponseform");

    // Now redirect back to the SAML SSO web app
    button = form.getInputByName("_eventId_submit");

    XmlPage rpPage = button.click();

    webClient.close();
    return rpPage.asXml();
}
 

/**
 * Verifies that the specified page contains a form with the specified name.
 *
 * @param page the page to check
 * @param name the expected name of a form on the page
 */
public static void assertFormPresent(final HtmlPage page, final String name) {
    try {
        page.getFormByName(name);
    }
    catch (final ElementNotFoundException e) {
        final String msg = "The page does not contain a form named '" + name + "'.";
        throw new AssertionError(msg);
    }
}
 

@Test
public void testGlobalConfigUncheckedSmartNotifiations() throws Exception {
    HtmlPage p = j.createWebClient().goTo("configure");
    HtmlForm f = p.getFormByName("config");
    f.getInputByName("smartNotify").setChecked(false);
    j.submit(f);
    DescriptorImpl globalConfig = j.jenkins.getDescriptorByType(DescriptorImpl.class);
    assertFalse(globalConfig.isSmartNotify());
}
 

/**
 * Test case for bug 707134. Currently I am unable to reproduce the problem.
 * @throws Exception if the test fails
 */
@Test
public void functionDefinedInSameFile() throws Exception {
    final String htmlContent
        = "<html><head><title>First</title><script>\n"
        + "function showFoo(foo) {\n"
        + "  alert('Foo is: |' + foo + '|');\n"
        + "}\n"
        + "</script>\n"
        + "</head><body><form name='form1'>\n"
        + "<input name='text1' type='text'>\n"
        + "<input name='button1' type='button' onclick='showFoo(document.form1.text1.value);'>\n"
        + "</form></body></html>";

    final List<String> collectedAlerts = new ArrayList<>();

    final HtmlPage page = loadPage(htmlContent, collectedAlerts);
    assertEquals("First", page.getTitleText());

    final HtmlForm form = page.getFormByName("form1");
    final HtmlTextInput textInput = form.getInputByName("text1");
    textInput.setValueAttribute("flintstone");

    final HtmlButtonInput button = form.getInputByName("button1");
    assertEquals(Collections.EMPTY_LIST, collectedAlerts);

    button.click();

    assertEquals(new String[] {"Foo is: |flintstone|"}, collectedAlerts);
}
 

private static HtmlPage deleteClient(final HtmlPage registeredClientPage) throws IOException {
    final HtmlForm deleteForm = registeredClientPage.getFormByName("deleteForm");
    assertNotNull(deleteForm);

    // Delete the client
    final HtmlButton button = deleteForm.getButtonByName("submit_delete_button");
    return button.click();
}
 

private static String loginOIDC(String url, String user, String password,
                            String idpPort, String rpIdpPort) throws IOException {
    //
    // Access the RP + get redirected to the IdP for "realm a". Then get redirected to the IdP for
    // "realm b".
    //
    final WebClient webClient = new WebClient();
    CookieManager cookieManager = new CookieManager();
    webClient.setCookieManager(cookieManager);
    webClient.getOptions().setUseInsecureSSL(true);
    webClient.getCredentialsProvider().setCredentials(
        new AuthScope("localhost", Integer.parseInt(idpPort)),
        new UsernamePasswordCredentials(user, password));

    webClient.getOptions().setJavaScriptEnabled(false);

    // The decision page is returned as XML for some reason. So parse it and send a form response back.
    HtmlPage oidcIdpConfirmationPage = webClient.getPage(url);
    final HtmlForm oidcForm = oidcIdpConfirmationPage.getForms().get(0);

    WebRequest request = new WebRequest(new URL(oidcForm.getActionAttribute()), HttpMethod.POST);

    request.setRequestParameters(Arrays.asList(
        new NameValuePair("client_id",
            oidcForm.getInputByName("client_id").getValueAttribute()),
        new NameValuePair("redirect_uri",
            oidcForm.getInputByName("redirect_uri").getValueAttribute()),
        new NameValuePair("scope",
            oidcForm.getInputByName("scope").getValueAttribute()),
        new NameValuePair("state",
            oidcForm.getInputByName("state").getValueAttribute()),
        new NameValuePair("session_authenticity_token",
            oidcForm.getInputByName("session_authenticity_token").getValueAttribute()),
        new NameValuePair("oauthDecision", "allow")));

    HtmlPage idpPage = webClient.getPage(request);

    assertEquals("IDP SignIn Response Form", idpPage.getTitleText());

    // Now redirect back to the RP
    final HtmlForm form = idpPage.getFormByName("signinresponseform");

    final HtmlSubmitInput button = form.getInputByName("_eventId_submit");

    final HtmlPage rpPage = button.click();
    assertEquals("WS Federation Systests Examples", rpPage.getTitleText());

    webClient.close();
    return rpPage.getBody().getTextContent();
}
 

@org.junit.Test
public void testNoRequestValidation() throws Exception {

    String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworldnoreqvalidation/secure/fedservlet";
    String user = "alice";
    String password = "ecila";

    // Get the initial token
    CookieManager cookieManager = new CookieManager();
    final WebClient webClient = new WebClient();
    webClient.setCookieManager(cookieManager);
    webClient.getOptions().setUseInsecureSSL(true);
    webClient.getCredentialsProvider().setCredentials(
        new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
        new UsernamePasswordCredentials(user, password));

    webClient.getOptions().setJavaScriptEnabled(false);
    final HtmlPage idpPage = webClient.getPage(url);
    webClient.getOptions().setJavaScriptEnabled(true);
    Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());

    // Parse the form to remove the context
    DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");

    for (DomElement result : results) {
        if (getContextName().equals(result.getAttributeNS(null, "name"))) {
            result.setAttributeNS(null, "value", "");
        }
    }

    // Invoke back on the RP

    final HtmlForm form = idpPage.getFormByName(getLoginFormName());
    final HtmlSubmitInput button = form.getInputByName("_eventId_submit");

    final HtmlPage rpPage = button.click();
    Assert.assertTrue("WS Federation Systests Examples".equals(rpPage.getTitleText())
                      || "WS Federation Systests Spring Examples".equals(rpPage.getTitleText()));

    webClient.close();

}
 

@org.junit.Test
public void testKerberos() throws Exception {
    String url = "https://localhost:" + getRpHttpsPort() + "/fedizhelloworld/secure/fedservlet";
    // Get a Kerberos Ticket +  Base64 encode it
    String ticket = getEncodedKerberosTicket(false);

    final WebClient webClient = new WebClient();
    webClient.getOptions().setUseInsecureSSL(true);

    webClient.getOptions().setJavaScriptEnabled(false);
    webClient.addRequestHeader("Authorization", "Negotiate " + ticket);
    final HtmlPage idpPage = webClient.getPage(url);
    webClient.getOptions().setJavaScriptEnabled(true);
    Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());

    final HtmlForm form = idpPage.getFormByName("signinresponseform");
    final HtmlSubmitInput button = form.getInputByName("_eventId_submit");

    final HtmlPage rpPage = button.click();
    Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());

    final String bodyTextContent = rpPage.getBody().getTextContent();
    String user = "alice";
    Assert.assertTrue("Principal not " + user,
                      bodyTextContent.contains("userPrincipal=" + user));
    Assert.assertTrue("User " + user + " does not have role Admin",
                      bodyTextContent.contains("role:Admin=false"));
    Assert.assertTrue("User " + user + " does not have role Manager",
                      bodyTextContent.contains("role:Manager=false"));
    Assert.assertTrue("User " + user + " must have role User",
                      bodyTextContent.contains("role:User=true"));

    String claim = ClaimTypes.FIRSTNAME.toString();
    Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
                      bodyTextContent.contains(claim + "=Alice"));
    claim = ClaimTypes.LASTNAME.toString();
    Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
                      bodyTextContent.contains(claim + "=Smith"));
    claim = ClaimTypes.EMAILADDRESS.toString();
    Assert.assertTrue("User " + user + " claim " + claim + " is not '[email protected]'",
                      bodyTextContent.contains(claim + "[email protected]"));

    webClient.close();
}
 

@Test
public void testModifiedSignatureValue() throws Exception {

    String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
        + "/secure/fedservlet";
    String user = "alice";
    String password = "ecila";

    // Get the initial token
    CookieManager cookieManager = new CookieManager();
    final WebClient webClient = new WebClient();
    webClient.setCookieManager(cookieManager);
    webClient.getOptions().setUseInsecureSSL(true);
    webClient.getCredentialsProvider().setCredentials(
        new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
        new UsernamePasswordCredentials(user, password));

    webClient.getOptions().setJavaScriptEnabled(false);
    final HtmlPage idpPage = webClient.getPage(url);
    webClient.getOptions().setJavaScriptEnabled(true);
    Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());

    // Parse the form to get the token (wresult)
    DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");

    for (DomElement result : results) {
        if (getTokenName().equals(result.getAttributeNS(null, "name"))) {
            String value = result.getAttributeNS(null, "value");

            // Decode response
            byte[] deflatedToken = Base64Utility.decode(value);
            InputStream inputStream = new ByteArrayInputStream(deflatedToken);

            Document responseDoc = StaxUtils.read(new InputStreamReader(inputStream, "UTF-8"));

            // Modify SignatureValue
            String signatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
            Node signatureValue =
                responseDoc.getElementsByTagNameNS(signatureNamespace, "SignatureValue").item(0);
            signatureValue.setTextContent("H" + signatureValue.getTextContent());

            // Re-encode response
            String responseMessage = DOM2Writer.nodeToString(responseDoc);
            result.setAttributeNS(null, "value", Base64Utility.encode(responseMessage.getBytes()));
        }
    }

    // Invoke back on the RP

    final HtmlForm form = idpPage.getFormByName(getLoginFormName());
    final HtmlSubmitInput button = form.getInputByName("_eventId_submit");

    try {
        button.click();
        Assert.fail("Failure expected on a modified signature");
    } catch (FailingHttpStatusCodeException ex) {
        // expected
        Assert.assertTrue(401 == ex.getStatusCode() || 403 == ex.getStatusCode());
    }

    webClient.close();
}
 

@org.junit.Test
public void testHolderOfKey() throws Exception {
    String url = "https://localhost:" + TomcatLauncher.getRpHttpsPort() + '/' + SERVLET_CONTEXT_NAME
            + "/secure/fedservlet";
    String user = "alice";
    String password = "ecila";

    final WebClient webClient = new WebClient();
    webClient.getOptions().setUseInsecureSSL(true);
    webClient.getOptions().setSSLClientCertificate(
        this.getClass().getClassLoader().getResource("client.jks"), "storepass", "jks");
    webClient.getCredentialsProvider().setCredentials(
        new AuthScope("localhost", Integer.parseInt(TomcatLauncher.getIdpHttpsPort())),
        new UsernamePasswordCredentials(user, password));

    webClient.getOptions().setJavaScriptEnabled(false);
    final HtmlPage idpPage = webClient.getPage(url);
    webClient.getOptions().setJavaScriptEnabled(true);
    Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());

    final HtmlForm form = idpPage.getFormByName("signinresponseform");
    final HtmlSubmitInput button = form.getInputByName("_eventId_submit");

    // Test the Subject Confirmation method here
    DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");

    String wresult = null;
    for (DomElement result : results) {
        if ("wresult".equals(result.getAttributeNS(null, "name"))) {
            wresult = result.getAttributeNS(null, "value");
            break;
        }
    }
    Assert.assertTrue(wresult != null
        && wresult.contains("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"));


    final HtmlPage rpPage = button.click();
    Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());

    final String bodyTextContent = rpPage.getBody().getTextContent();
    Assert.assertTrue("Principal not " + user,
                      bodyTextContent.contains("userPrincipal=" + user));
    Assert.assertTrue("User " + user + " does not have role Admin",
                      bodyTextContent.contains("role:Admin=false"));
    Assert.assertTrue("User " + user + " does not have role Manager",
                      bodyTextContent.contains("role:Manager=false"));
    Assert.assertTrue("User " + user + " must have role User",
                      bodyTextContent.contains("role:User=true"));

    String claim = ClaimTypes.FIRSTNAME.toString();
    Assert.assertTrue("User " + user + " claim " + claim + " is not 'Alice'",
                      bodyTextContent.contains(claim + "=Alice"));
    claim = ClaimTypes.LASTNAME.toString();
    Assert.assertTrue("User " + user + " claim " + claim + " is not 'Smith'",
                      bodyTextContent.contains(claim + "=Smith"));
    claim = ClaimTypes.EMAILADDRESS.toString();
    Assert.assertTrue("User " + user + " claim " + claim + " is not '[email protected]'",
                      bodyTextContent.contains(claim + "[email protected]"));

    webClient.close();
}
 

@Test
public void testAliceModifiedContext() throws Exception {

    String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
        + "/secure/fedservlet";
    String user = "alice";
    String password = "ecila";

    // Get the initial token
    CookieManager cookieManager = new CookieManager();
    final WebClient webClient = new WebClient();
    webClient.setCookieManager(cookieManager);
    webClient.getOptions().setUseInsecureSSL(true);
    webClient.getCredentialsProvider().setCredentials(
        new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
        new UsernamePasswordCredentials(user, password));

    webClient.getOptions().setJavaScriptEnabled(false);
    final HtmlPage idpPage = webClient.getPage(url);
    webClient.getOptions().setJavaScriptEnabled(true);
    Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());

    // Parse the form to get the token (wresult)
    DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");

    for (DomElement result : results) {
        if (getContextName().equals(result.getAttributeNS(null, "name"))) {
            // Now modify the context
            String value = result.getAttributeNS(null, "value");
            value = "H" + value;
            result.setAttributeNS(null, "value", value);
        }
    }

    // Invoke back on the RP

    final HtmlForm form = idpPage.getFormByName(getLoginFormName());
    final HtmlSubmitInput button = form.getInputByName("_eventId_submit");

    try {
        button.click();
        Assert.fail("Failure expected on a modified context");
    } catch (FailingHttpStatusCodeException ex) {
        // Request Timeout expected here, as the context isn't known - the session is presumed to have expired
        Assert.assertTrue(408 == ex.getStatusCode());
    }

    webClient.close();
}
 

private static String login(String url, String user, String password,
                                       String idpPort, String rpIdpPort) throws IOException {
    //
    // Access the RP + get redirected to the IdP for "realm a". Then get redirected to the IdP for
    // "realm b".
    //
    final WebClient webClient = new WebClient();
    CookieManager cookieManager = new CookieManager();
    webClient.setCookieManager(cookieManager);
    webClient.getOptions().setUseInsecureSSL(true);
    webClient.getCredentialsProvider().setCredentials(
        new AuthScope("localhost", Integer.parseInt(idpPort)),
        new UsernamePasswordCredentials(user, password));

    webClient.getOptions().setJavaScriptEnabled(false);
    final HtmlPage idpPage = webClient.getPage(url);
    webClient.getOptions().setJavaScriptEnabled(true);
    Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());

    // For some reason, redirecting back to the IdP for "realm a" is not working with htmlunit. So extract
    // the parameters manually from the form, and access the IdP for "realm a" with them
    DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");

    String wresult = null;
    String wa = "wsignin1.0";
    String wctx = null;
    String wtrealm = null;
    for (DomElement result : results) {
        if ("wresult".equals(result.getAttributeNS(null, "name"))) {
            wresult = result.getAttributeNS(null, "value");
        } else if ("wctx".equals(result.getAttributeNS(null, "name"))) {
            wctx = result.getAttributeNS(null, "value");
        } else if ("wtrealm".equals(result.getAttributeNS(null, "name"))) {
            wtrealm = result.getAttributeNS(null, "value");
        }
    }
    Assert.assertTrue(wctx != null && wresult != null && wtrealm != null);
    webClient.close();

    // Invoke on the IdP for "realm a"
    final WebClient webClient2 = new WebClient();
    webClient2.setCookieManager(cookieManager);
    webClient2.getOptions().setUseInsecureSSL(true);

    String url2 = "https://localhost:" + rpIdpPort + "/fediz-idp/federation?";
    url2 += "wctx=" + wctx + "&";
    url2 += "wa=" + wa + "&";
    url2 += "wtrealm=" + URLEncoder.encode(wtrealm, "UTF8") + "&";
    url2 += "wresult=" + URLEncoder.encode(wresult, "UTF8");

    webClient2.getOptions().setJavaScriptEnabled(false);
    final HtmlPage idpPage2 = webClient2.getPage(url2);
    webClient2.getOptions().setJavaScriptEnabled(true);
    Assert.assertEquals("IDP SignIn Response Form", idpPage2.getTitleText());

    // Now redirect back to the RP
    final HtmlForm form2 = idpPage2.getFormByName("signinresponseform");

    final HtmlSubmitInput button2 = form2.getInputByName("_eventId_submit");

    final HtmlPage rpPage = button2.click();
    Assert.assertEquals("WS Federation Systests Examples", rpPage.getTitleText());

    webClient2.close();
    return rpPage.getBody().getTextContent();
}
 

@Test
public void testEntityExpansionAttack2() throws Exception {

    String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
    String user = "alice";
    String password = "ecila";

    // Get the initial token
    CookieManager cookieManager = new CookieManager();
    final WebClient webClient = new WebClient();
    webClient.setCookieManager(cookieManager);
    webClient.getOptions().setUseInsecureSSL(true);
    webClient.getCredentialsProvider().setCredentials(
        new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
        new UsernamePasswordCredentials(user, password));

    webClient.getOptions().setJavaScriptEnabled(false);
    final HtmlPage idpPage = webClient.getPage(url);
    webClient.getOptions().setJavaScriptEnabled(true);
    Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());

    // Parse the form to get the token (wresult)
    DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");

    String entity = getResourceAsString("/entity2.xml");
    String reference = "&m;";

    for (DomElement result : results) {
        if (getTokenName().equals(result.getAttributeNS(null, "name"))) {
            // Now modify the Signature
            String value = result.getAttributeNS(null, "value");

            if (isWSFederation()) {
                value = entity + value;
                value = value.replace("alice", reference);
                result.setAttributeNS(null, "value", value);
            } else {
                // Decode response
                byte[] deflatedToken = Base64Utility.decode(value);
                InputStream inputStream = new ByteArrayInputStream(deflatedToken);

                Document responseDoc = StaxUtils.read(new InputStreamReader(inputStream, "UTF-8"));

                // Modify SignatureValue to include the entity
                String signatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
                Node signatureValue =
                    responseDoc.getElementsByTagNameNS(signatureNamespace, "SignatureValue").item(0);
                signatureValue.setTextContent(reference + signatureValue.getTextContent());

                // Re-encode response
                String responseMessage = DOM2Writer.nodeToString(responseDoc);
                result.setAttributeNS(null, "value", Base64Utility.encode((entity + responseMessage).getBytes()));
            }
        }
    }

    // Invoke back on the RP

    final HtmlForm form = idpPage.getFormByName(getLoginFormName());
    final HtmlSubmitInput button = form.getInputByName("_eventId_submit");

    try {
        button.click();
        Assert.fail("Failure expected on an entity expansion attack");
    } catch (FailingHttpStatusCodeException ex) {
        // expected
        Assert.assertTrue(401 == ex.getStatusCode() || 403 == ex.getStatusCode());
    }

    webClient.close();
}