Repository: cxf Updated Branches: refs/heads/master aeff8782d -> 3228637a5
Adding more SAML SSO tests Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3228637a Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3228637a Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3228637a Branch: refs/heads/master Commit: 3228637a5070a25f625fb18fc21a7dd54ce16dfd Parents: aeff878 Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Fri Jul 31 11:59:53 2015 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Fri Jul 31 11:59:53 2015 +0100 ---------------------------------------------------------------------- ...AbstractRequestAssertionConsumerHandler.java | 13 ++ .../saml/sso/SAMLSSOResponseValidator.java | 17 ++ .../saml/sso/CombinedValidatorTest.java | 190 +++++++++++++++++-- 3 files changed, 208 insertions(+), 12 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/3228637a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java index 9e5d669..4d9638b 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java @@ -65,6 +65,7 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS private boolean enforceAssertionsSigned = true; private boolean enforceKnownIssuer = true; private boolean keyInfoMustBeAvailable = true; + private boolean enforceResponseSigned; private TokenReplayCache<String> replayCache; private MessageContext messageContext; @@ -318,6 +319,7 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS ssoResponseValidator.setRequestId(requestState.getSamlRequestId()); ssoResponseValidator.setSpIdentifier(requestState.getIssuerId()); ssoResponseValidator.setEnforceAssertionsSigned(enforceAssertionsSigned); + ssoResponseValidator.setEnforceResponseSigned(enforceResponseSigned); ssoResponseValidator.setEnforceKnownIssuer(enforceKnownIssuer); ssoResponseValidator.setReplayCache(getReplayCache()); @@ -337,4 +339,15 @@ public abstract class AbstractRequestAssertionConsumerHandler extends AbstractSS public void setKeyInfoMustBeAvailable(boolean keyInfoMustBeAvailable) { this.keyInfoMustBeAvailable = keyInfoMustBeAvailable; } + + public boolean isEnforceResponseSigned() { + return enforceResponseSigned; + } + + /** + * Enforce that a SAML Response must be signed. + */ + public void setEnforceResponseSigned(boolean enforceResponseSigned) { + this.enforceResponseSigned = enforceResponseSigned; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/3228637a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java index 168f511..702145b 100644 --- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java +++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java @@ -44,6 +44,7 @@ public class SAMLSSOResponseValidator { private String clientAddress; private String requestId; private String spIdentifier; + private boolean enforceResponseSigned; private boolean enforceAssertionsSigned = true; private boolean enforceKnownIssuer = true; private TokenReplayCache<String> replayCache; @@ -91,6 +92,11 @@ public class SAMLSSOResponseValidator { throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); } + if (enforceResponseSigned && !samlResponse.isSigned()) { + LOG.fine("The Response must be signed!"); + throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity"); + } + // Validate Assertions org.opensaml.saml.saml2.core.Assertion validAssertion = null; Date sessionNotOnOrAfter = null; @@ -338,5 +344,16 @@ public class SAMLSSOResponseValidator { public void setReplayCache(TokenReplayCache<String> replayCache) { this.replayCache = replayCache; } + + public boolean isEnforceResponseSigned() { + return enforceResponseSigned; + } + + /** + * Enforce whether a SAML Response must be signed. + */ + public void setEnforceResponseSigned(boolean enforceResponseSigned) { + this.enforceResponseSigned = enforceResponseSigned; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/3228637a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java index 53aed3e..c600004 100644 --- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java +++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java @@ -21,6 +21,8 @@ package org.apache.cxf.rs.security.saml.sso; import java.io.InputStream; import java.security.KeyStore; +import java.security.PrivateKey; +import java.security.cert.X509Certificate; import java.util.Collections; import javax.xml.parsers.DocumentBuilder; @@ -28,9 +30,10 @@ import javax.xml.parsers.DocumentBuilderFactory; import org.w3c.dom.Document; import org.w3c.dom.Element; - import org.apache.wss4j.common.crypto.Crypto; +import org.apache.wss4j.common.crypto.CryptoType; import org.apache.wss4j.common.crypto.Merlin; +import org.apache.wss4j.common.ext.WSSecurityException; import org.apache.wss4j.common.saml.OpenSAMLUtil; import org.apache.wss4j.common.saml.SAMLCallback; import org.apache.wss4j.common.saml.SAMLUtil; @@ -43,24 +46,41 @@ import org.apache.wss4j.common.util.Loader; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSSConfig; import org.joda.time.DateTime; +import org.opensaml.saml.common.SignableSAMLObject; import org.opensaml.saml.common.xml.SAMLConstants; import org.opensaml.saml.saml2.core.Response; import org.opensaml.saml.saml2.core.Status; +import org.opensaml.security.x509.BasicX509Credential; +import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory; +import org.opensaml.xmlsec.signature.KeyInfo; +import org.opensaml.xmlsec.signature.Signature; +import org.opensaml.xmlsec.signature.support.SignatureConstants; /** * Some unit tests for the SAMLProtocolResponseValidator and the SAMLSSOResponseValidator */ public class CombinedValidatorTest extends org.junit.Assert { + private static final DocumentBuilderFactory DOC_BUILDER_FACTORY = DocumentBuilderFactory.newInstance(); + static { WSSConfig.init(); OpenSAMLUtil.initSamlEngine(); + DOC_BUILDER_FACTORY.setNamespaceAware(true); } @org.junit.Test public void testSuccessfulValidation() throws Exception { - Element responseElement = createResponse(); + DocumentBuilder docBuilder = DOC_BUILDER_FACTORY.newDocumentBuilder(); + Document doc = docBuilder.newDocument(); + + Response response = createResponse(doc); + + Element responseElement = OpenSAMLUtil.toDom(response, doc); + doc.appendChild(responseElement); + assertNotNull(responseElement); + Response marshalledResponse = (Response)OpenSAMLUtil.fromDom(responseElement); Crypto issuerCrypto = new Merlin(); @@ -95,7 +115,14 @@ public class CombinedValidatorTest extends org.junit.Assert { @org.junit.Test public void testWrappingAttack3() throws Exception { - Element responseElement = createResponse(); + DocumentBuilder docBuilder = DOC_BUILDER_FACTORY.newDocumentBuilder(); + Document doc = docBuilder.newDocument(); + + Response response = createResponse(doc); + + Element responseElement = OpenSAMLUtil.toDom(response, doc); + doc.appendChild(responseElement); + assertNotNull(responseElement); // Get Assertion Element Element assertionElement = @@ -156,12 +183,98 @@ public class CombinedValidatorTest extends org.junit.Assert { assertEquals("alice", parsedAssertion.getSubjectName()); } - private Element createResponse() throws Exception { - DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance(); - docBuilderFactory.setNamespaceAware(true); - DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder(); + @org.junit.Test + public void testSuccessfulSignedValidation() throws Exception { + + DocumentBuilder docBuilder = DOC_BUILDER_FACTORY.newDocumentBuilder(); Document doc = docBuilder.newDocument(); + Response response = createResponse(doc); + + Crypto issuerCrypto = new Merlin(); + KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); + ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class); + InputStream input = Merlin.loadInputStream(loader, "alice.jks"); + keyStore.load(input, "password".toCharArray()); + ((Merlin)issuerCrypto).setKeyStore(keyStore); + + signResponse(response, "alice", "password", issuerCrypto, true); + + Element responseElement = OpenSAMLUtil.toDom(response, doc); + doc.appendChild(responseElement); + assertNotNull(responseElement); + + Response marshalledResponse = (Response)OpenSAMLUtil.fromDom(responseElement); + + // Validate the Response + SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator(); + validator.validateSamlResponse( + marshalledResponse, issuerCrypto, new KeystorePasswordCallback() + ); + + // Test SSO validation + SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator(); + ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer"); + ssoValidator.setAssertionConsumerURL("http://recipient.apache.org"); + ssoValidator.setClientAddress("http://apache.org"); + ssoValidator.setRequestId("12345"); + ssoValidator.setSpIdentifier("http://service.apache.org"); + + // Parse the response + SSOValidatorResponse ssoResponse = + ssoValidator.validateSamlResponse(marshalledResponse, false); + SamlAssertionWrapper parsedAssertion = + new SamlAssertionWrapper(ssoResponse.getAssertionElement()); + + assertEquals("alice", parsedAssertion.getSubjectName()); + } + + @org.junit.Test + public void testEnforceResponseSigned() throws Exception { + + DocumentBuilder docBuilder = DOC_BUILDER_FACTORY.newDocumentBuilder(); + Document doc = docBuilder.newDocument(); + + Response response = createResponse(doc); + + Element responseElement = OpenSAMLUtil.toDom(response, doc); + doc.appendChild(responseElement); + assertNotNull(responseElement); + + Response marshalledResponse = (Response)OpenSAMLUtil.fromDom(responseElement); + + Crypto issuerCrypto = new Merlin(); + KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); + ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class); + InputStream input = Merlin.loadInputStream(loader, "alice.jks"); + keyStore.load(input, "password".toCharArray()); + ((Merlin)issuerCrypto).setKeyStore(keyStore); + + // Validate the Response + SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator(); + validator.validateSamlResponse( + marshalledResponse, issuerCrypto, new KeystorePasswordCallback() + ); + + // Test SSO validation + SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator(); + ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer"); + ssoValidator.setAssertionConsumerURL("http://recipient.apache.org"); + ssoValidator.setClientAddress("http://apache.org"); + ssoValidator.setRequestId("12345"); + ssoValidator.setSpIdentifier("http://service.apache.org"); + ssoValidator.setEnforceResponseSigned(true); + + // Parse the response + try { + ssoValidator.validateSamlResponse(marshalledResponse, false); + fail("Failure expected on an unsigned Response"); + } catch (WSSecurityException ex) { + // expected + } + } + + private Response createResponse(Document doc) throws Exception { Status status = SAML2PResponseComponentBuilder.createStatus( SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null @@ -170,6 +283,7 @@ public class CombinedValidatorTest extends org.junit.Assert { SAML2PResponseComponentBuilder.createSAMLResponse( "http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status ); + response.setDestination("http://recipient.apache.org"); // Create an AuthenticationAssertion SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler(); @@ -209,10 +323,62 @@ public class CombinedValidatorTest extends org.junit.Assert { response.getAssertions().add(assertion.getSaml2()); - Element policyElement = OpenSAMLUtil.toDom(response, doc); - doc.appendChild(policyElement); - assertNotNull(policyElement); - - return policyElement; + return response; + } + + private void signResponse( + Response response, + String issuerKeyName, + String issuerKeyPassword, + Crypto issuerCrypto, + boolean useKeyInfo + ) throws Exception { + // + // Create the signature + // + Signature signature = OpenSAMLUtil.buildSignature(); + signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); + + // prepare to sign the SAML token + CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); + cryptoType.setAlias(issuerKeyName); + X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType); + if (issuerCerts == null) { + throw new Exception( + "No issuer certs were found to sign the SAML Assertion using issuer name: " + issuerKeyName); + } + + String sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1; + String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm(); + + if (pubKeyAlgo.equalsIgnoreCase("DSA")) { + sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA; + } + + PrivateKey privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword); + + signature.setSignatureAlgorithm(sigAlgo); + + BasicX509Credential signingCredential = + new BasicX509Credential(issuerCerts[0], privateKey); + signature.setSigningCredential(signingCredential); + + if (useKeyInfo) { + X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory(); + kiFactory.setEmitEntityCertificate(true); + + try { + KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential); + signature.setKeyInfo(keyInfo); + } catch (org.opensaml.security.SecurityException ex) { + throw new Exception("Error generating KeyInfo from signing credential", ex); + } + } + + // add the signature to the assertion + SignableSAMLObject signableObject = (SignableSAMLObject) response; + signableObject.setSignature(signature); + signableObject.releaseDOM(); + signableObject.releaseChildrenDOM(true); } }