Moving IdP specific tests out into a separate module
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/eccd097a Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/eccd097a Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/eccd097a Branch: refs/heads/master Commit: eccd097ab68224d15230b782ea227a1063e12dce Parents: ae4b661 Author: Colm O hEigeartaigh <[email protected]> Authored: Wed Dec 16 17:56:55 2015 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Wed Dec 16 17:56:55 2015 +0000 ---------------------------------------------------------------------- systests/idp/pom.xml | 244 ++++++++++ .../apache/cxf/fediz/systests/idp/IdpTest.java | 325 +++++++++++++ .../idp/src/test/resources/alice_client.jks | Bin 0 -> 2225 bytes systests/idp/src/test/resources/client.jks | Bin 0 -> 2061 bytes systests/idp/src/test/resources/clienttrust.jks | Bin 0 -> 1512 bytes systests/idp/src/test/resources/entity_wreq.xml | 25 + .../idp/src/test/resources/logging.properties | 54 +++ .../test/resources/realma/entities-realma.xml | 473 +++++++++++++++++++ systests/idp/src/test/resources/server.jks | Bin 0 -> 3859 bytes systests/pom.xml | 1 + .../integrationtests/AbstractAttackTests.java | 237 ---------- .../fediz/integrationtests/AbstractTests.java | 360 +++++++------- 12 files changed, 1323 insertions(+), 396 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/eccd097a/systests/idp/pom.xml ---------------------------------------------------------------------- diff --git a/systests/idp/pom.xml b/systests/idp/pom.xml new file mode 100644 index 0000000..5d41b26 --- /dev/null +++ b/systests/idp/pom.xml 
@@ -0,0 +1,244 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-systests</artifactId>
+ <version>1.3.0-SNAPSHOT</version>
+ <relativePath>../pom.xml</relativePath>
+ </parent>
+ <groupId>org.apache.cxf.fediz.systests</groupId>
+ <artifactId>fediz-systests-idp</artifactId>
+ <name>Apache Fediz IdP Systests</name>
+ <packaging>jar</packaging>
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+ </properties>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-core</artifactId>
+ <version>${tomcat7.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-logging-juli</artifactId>
+ <version>${tomcat7.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jdt.core.compiler</groupId>
+ <artifactId>ecj</artifactId>
+ <version>${ecj.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-jasper</artifactId>
+ <version>${tomcat7.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>${junit.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-tomcat7</artifactId>
+ <version>${project.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf.fediz.systests</groupId>
+ <artifactId>fediz-systests-tests</artifactId>
+ <version>${project.version}</version>
+ <type>test-jar</type>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>${slf4j.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-jdk14</artifactId>
+ <version>${slf4j.version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.hsqldb</groupId>
+ <artifactId>hsqldb</artifactId>
+ <version>${hsqldb.version}</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>build-helper-maven-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>reserve-network-port</id>
+ <goals>
+ <goal>reserve-network-port</goal>
+ </goals>
+ <phase>initialize</phase>
+ <configuration>
+ <portNames>
+ <portName>idp.https.port</portName>
+ <portName>rp.https.port</portName>
+ </portNames>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-dependency-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>copy-idp-sts</id>
+ <phase>generate-resources</phase>
+ <goals>
+ <goal>unpack</goal>
+ </goals>
+ <configuration>
+ <artifactItems>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idp/webapps/fediz-idp</outputDirectory>
+ </artifactItem>
+ <artifactItem>
+ <groupId>org.apache.cxf.fediz</groupId>
+ <artifactId>fediz-idp-sts</artifactId>
+ <version>${project.version}</version>
+ <type>war</type>
+ <overWrite>true</overWrite>
+ <outputDirectory>target/tomcat/idp/webapps/fediz-idp-sts</outputDirectory>
+ </artifactItem>
+ </artifactItems>
+ <outputAbsoluteArtifactFilename>true</outputAbsoluteArtifactFilename>
+ <overWriteSnapshots>true</overWriteSnapshots>
+ <overWriteIfNewer>true</overWriteIfNewer>
+ <stripVersion>true</stripVersion>
+ </configuration>
+ </execution>
+ <execution>
+ <id>copy-xalan-to-idp</id>
+ <phase>generate-resources</phase>
+ <goals>
+ <goal>copy</goal>
+ </goals>
+ <configuration>
+ <artifactItems>
+ <artifactItem>
+ <groupId>xalan</groupId>
+ <artifactId>xalan</artifactId>
+ <version>${xalan.version}</version>
+ <outputDirectory>target/tomcat/idp/webapps/fediz-idp/WEB-INF/lib</outputDirectory>
+ </artifactItem>
+ </artifactItems>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <artifactId>maven-resources-plugin</artifactId>
+ <version>2.7</version>
+ <executions>
+ <execution>
+ <id>copy-entities-to-idp</id>
+ <phase>generate-test-sources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${basedir}/target/tomcat/idp/webapps/fediz-idp/WEB-INF/classes</outputDirectory>
+ <resources>
+ <resource>
+ <directory>${basedir}/src/test/resources/realma</directory>
+ <includes>
+ <include>entities-realma.xml</include>
+ </includes>
+ <filtering>true</filtering>
+ </resource>
+ </resources>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <artifactId>maven-failsafe-plugin</artifactId>
+ <inherited>true</inherited>
+ <executions>
+ <execution>
+ <id>integration-test</id>
+ <phase>integration-test</phase>
+ <goals>
+ <goal>integration-test</goal>
+ </goals>
+ <configuration>
+ <skip>false</skip>
+ <systemPropertyVariables>
+ <wt.headless>true</wt.headless>
+ <idp.https.port>${idp.https.port}</idp.https.port>
+ <rp.https.port>${rp.https.port}</rp.https.port>
+ </systemPropertyVariables>
+ <includes>
+ <include>**/idp/**</include>
+ </includes>
+ <argLine>-Xms512m -Xmx1024m -XX:MaxPermSize=256m </argLine>
+ <!--argLine>-Xms512m -Xmx1024m -XX:MaxPermSize=256m -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=y</argLine-->
+ </configuration>
+ </execution>
+ <execution>
+ <id>verify</id>
+ <phase>verify</phase>
+ <goals>
+ <goal>verify</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <inherited>true</inherited>
+ <configuration>
+ <excludes>
+ <exclude>**/idp/**</exclude>
+ </excludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+</project>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/eccd097a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
new file mode 100644
index 0000000..3138cb5
--- /dev/null
+++ b/systests/idp/src/test/java/org/apache/cxf/fediz/systests/idp/IdpTest.java
@@ -0,0 +1,325 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.cxf.fediz.systests.idp; + +import java.io.File; +import java.io.FileInputStream; +import java.net.URLEncoder; + +import org.apache.catalina.LifecycleState; +import org.apache.catalina.connector.Connector; +import org.apache.catalina.startup.Tomcat; +import org.apache.commons.io.IOUtils; +import org.apache.cxf.fediz.core.util.DOMUtils; +import org.apache.http.auth.AuthScope; +import org.apache.http.auth.UsernamePasswordCredentials; +import org.apache.wss4j.dom.engine.WSSConfig; +import org.apache.xml.security.keys.KeyInfo; +import org.apache.xml.security.signature.XMLSignature; +import org.junit.AfterClass; +import org.junit.Assert; +import org.junit.BeforeClass; +import org.junit.Test; +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.w3c.dom.Node; + +import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException; +import com.gargoylesoftware.htmlunit.WebClient; +import com.gargoylesoftware.htmlunit.html.DomElement; +import com.gargoylesoftware.htmlunit.html.DomNodeList; +import com.gargoylesoftware.htmlunit.html.HtmlPage; +import com.gargoylesoftware.htmlunit.xml.XmlPage; + +/** + * Some tests 
invoking directly on the IdP + */ +public class IdpTest { + + static String idpHttpsPort; + static String rpHttpsPort; + + private static Tomcat idpServer; + + @BeforeClass + public static void init() { + System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog"); + System.setProperty("org.apache.commons.logging.simplelog.showdatetime", "true"); + System.setProperty("org.apache.commons.logging.simplelog.log.httpclient.wire", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.commons.httpclient", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.webflow", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.springframework.security.web", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf.fediz", "info"); + System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.cxf", "info"); + + idpHttpsPort = System.getProperty("idp.https.port"); + Assert.assertNotNull("Property 'idp.https.port' null", idpHttpsPort); + rpHttpsPort = System.getProperty("rp.https.port"); + Assert.assertNotNull("Property 'rp.https.port' null", rpHttpsPort); + + initIdp(); + + WSSConfig.init(); + } + + private static void initIdp() { + try { + idpServer = new Tomcat(); + idpServer.setPort(0); + String currentDir = new File(".").getCanonicalPath(); + idpServer.setBaseDir(currentDir + File.separator + "target"); + + idpServer.getHost().setAppBase("tomcat/idp/webapps"); + idpServer.getHost().setAutoDeploy(true); + idpServer.getHost().setDeployOnStartup(true); + + Connector httpsConnector = new Connector(); + httpsConnector.setPort(Integer.parseInt(idpHttpsPort)); + httpsConnector.setSecure(true); + httpsConnector.setScheme("https"); + //httpsConnector.setAttribute("keyAlias", keyAlias); + httpsConnector.setAttribute("keystorePass", "tompass"); + httpsConnector.setAttribute("keystoreFile", "test-classes/server.jks"); + 
httpsConnector.setAttribute("truststorePass", "tompass"); + httpsConnector.setAttribute("truststoreFile", "test-classes/server.jks"); + httpsConnector.setAttribute("clientAuth", "want"); + // httpsConnector.setAttribute("clientAuth", "false"); + httpsConnector.setAttribute("sslProtocol", "TLS"); + httpsConnector.setAttribute("SSLEnabled", true); + + idpServer.getService().addConnector(httpsConnector); + + idpServer.addWebapp("/fediz-idp-sts", "fediz-idp-sts"); + idpServer.addWebapp("/fediz-idp", "fediz-idp"); + + idpServer.start(); + } catch (Exception e) { + e.printStackTrace(); + } + } + + @AfterClass + public static void cleanup() { + try { + if (idpServer.getServer() != null + && idpServer.getServer().getState() != LifecycleState.DESTROYED) { + if (idpServer.getServer().getState() != LifecycleState.STOPPED) { + idpServer.stop(); + } + idpServer.destroy(); + } + } catch (Exception e) { + e.printStackTrace(); + } + } + + public String getIdpHttpsPort() { + return idpHttpsPort; + } + + public String getRpHttpsPort() { + return rpHttpsPort; + } + + public String getServletContextName() { + return "fedizhelloworld"; + } + + @org.junit.Test + public void testSuccessfulInvokeOnIdP() throws Exception { + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?"; + url += "wa=wsignin1.0"; + url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A"; + url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld"; + String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet"; + url += "&wreply=" + wreply; + + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + final HtmlPage idpPage = 
webClient.getPage(url); + webClient.getOptions().setJavaScriptEnabled(true); + Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText()); + + // Parse the form to get the token (wresult) + DomNodeList<DomElement> results = idpPage.getElementsByTagName("input"); + + String wresult = null; + for (DomElement result : results) { + if ("wresult".equals(result.getAttributeNS(null, "name"))) { + wresult = result.getAttributeNS(null, "value"); + break; + } + } + + Assert.assertNotNull(wresult); + + webClient.close(); + } + + @Test + public void testIdPMetadata() throws Exception { + String url = "https://localhost:" + getIdpHttpsPort() + + "/fediz-idp/FederationMetadata/2007-06/FederationMetadata.xml"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getOptions().setSSLClientCertificate( + this.getClass().getClassLoader().getResource("client.jks"), "storepass", "jks"); + + final XmlPage rpPage = webClient.getPage(url); + final String xmlContent = rpPage.asXml(); + Assert.assertTrue(xmlContent.startsWith("<md:EntityDescriptor")); + + // Now validate the Signature + Document doc = rpPage.getXmlDocument(); + + doc.getDocumentElement().setIdAttributeNS(null, "ID", true); + + Node signatureNode = + DOMUtils.getChild(doc.getDocumentElement(), "Signature"); + Assert.assertNotNull(signatureNode); + + XMLSignature signature = new XMLSignature((Element)signatureNode, ""); + KeyInfo ki = signature.getKeyInfo(); + Assert.assertNotNull(ki); + Assert.assertNotNull(ki.getX509Certificate()); + + Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate())); + + webClient.close(); + } + + @Test + public void testIdPServiceMetadata() throws Exception { + String url = "https://localhost:" + getIdpHttpsPort() + + "/fediz-idp/metadata/urn:org:apache:cxf:fediz:idp:realm-B"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + 
webClient.getOptions().setSSLClientCertificate( + this.getClass().getClassLoader().getResource("client.jks"), "storepass", "jks"); + + final XmlPage rpPage = webClient.getPage(url); + final String xmlContent = rpPage.asXml(); + Assert.assertTrue(xmlContent.startsWith("<md:EntityDescriptor")); + + // Now validate the Signature + Document doc = rpPage.getXmlDocument(); + + doc.getDocumentElement().setIdAttributeNS(null, "ID", true); + + Node signatureNode = + DOMUtils.getChild(doc.getDocumentElement(), "Signature"); + Assert.assertNotNull(signatureNode); + + XMLSignature signature = new XMLSignature((Element)signatureNode, ""); + KeyInfo ki = signature.getKeyInfo(); + Assert.assertNotNull(ki); + Assert.assertNotNull(ki.getX509Certificate()); + + Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate())); + + webClient.close(); + } + + // Send an unknown wreq value + @org.junit.Test + public void testBadWReq() throws Exception { + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?"; + url += "wa=wsignin1.0"; + url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A"; + url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld"; + String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet"; + url += "&wreply=" + wreply; + + String testWReq = + "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">" + + "<TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV3.0</TokenType>" + + "</RequestSecurityToken>"; + url += "&wreq=" + URLEncoder.encode(testWReq, "UTF-8"); + + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + 
webClient.getOptions().setJavaScriptEnabled(false); + try { + webClient.getPage(url); + Assert.fail("Failure expected on a bad wreq value"); + } catch (FailingHttpStatusCodeException ex) { + Assert.assertEquals(ex.getStatusCode(), 400); + } + + webClient.close(); + } + + // Send an entity expansion attack for the wreq value + @org.junit.Test + public void testEntityExpansionWReq() throws Exception { + String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?"; + url += "wa=wsignin1.0"; + url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A"; + url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld"; + String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet"; + url += "&wreply=" + wreply; + + FileInputStream is = new FileInputStream("src/test/resources/entity_wreq.xml"); + String entity = IOUtils.toString(is); + String validWreq = + "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">" + + "<TokenType>&m;http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>" + + "</RequestSecurityToken>"; + + url += "&wreq=" + URLEncoder.encode(entity + validWreq, "UTF-8"); + + String user = "alice"; + String password = "ecila"; + + final WebClient webClient = new WebClient(); + webClient.getOptions().setUseInsecureSSL(true); + webClient.getCredentialsProvider().setCredentials( + new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())), + new UsernamePasswordCredentials(user, password)); + + webClient.getOptions().setJavaScriptEnabled(false); + try { + webClient.getPage(url); + Assert.fail("Failure expected on a bad wreq value"); + } catch (FailingHttpStatusCodeException ex) { + Assert.assertEquals(ex.getStatusCode(), 400); + } + + webClient.close(); + } + +} http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/eccd097a/systests/idp/src/test/resources/alice_client.jks ---------------------------------------------------------------------- 
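Review bot: testIdPMetadata and testIdPServiceMetadata verify the metadata signature with the certificate taken from the document's own KeyInfo (`signature.checkSignatureValue(ki.getX509Certificate())`), which only shows the document is consistent with whatever key it carries, not that it was signed by the IdP's key; a stronger check compares `ki.getX509Certificate()` with the expected IdP signing certificate (presumably available in one of the keystores this commit adds — which one cannot be told from the diff) before calling checkSignatureValue. The whole signature-validation block is also duplicated verbatim between the two tests and would read better as one private helper taking the `XmlPage`. In testEntityExpansionWReq the `FileInputStream` is never closed and `IOUtils.toString(is)` decodes with the platform charset; `try (FileInputStream is = new FileInputStream("src/test/resources/entity_wreq.xml")) { entity = IOUtils.toString(is, "UTF-8"); }` fixes both. initIdp() catches Exception and only calls printStackTrace(), so a Tomcat that fails to start surfaces later as unrelated connection errors in every test instead of failing init(); rethrowing, e.g. `throw new RuntimeException("IdP Tomcat failed to start", e);`, makes the cause visible. The two `Assert.assertEquals(ex.getStatusCode(), 400)` calls also have expected and actual swapped, which yields a misleading failure message.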
diff --git a/systests/idp/src/test/resources/alice_client.jks b/systests/idp/src/test/resources/alice_client.jks new file mode 100644 index 0000000..879df98 Binary files /dev/null and b/systests/idp/src/test/resources/alice_client.jks differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/eccd097a/systests/idp/src/test/resources/client.jks ---------------------------------------------------------------------- diff --git a/systests/idp/src/test/resources/client.jks b/systests/idp/src/test/resources/client.jks new file mode 100644 index 0000000..62d221e Binary files /dev/null and b/systests/idp/src/test/resources/client.jks differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/eccd097a/systests/idp/src/test/resources/clienttrust.jks ---------------------------------------------------------------------- diff --git a/systests/idp/src/test/resources/clienttrust.jks b/systests/idp/src/test/resources/clienttrust.jks new file mode 100644 index 0000000..c3ad459 Binary files /dev/null and b/systests/idp/src/test/resources/clienttrust.jks differ http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/eccd097a/systests/idp/src/test/resources/entity_wreq.xml ---------------------------------------------------------------------- diff --git a/systests/idp/src/test/resources/entity_wreq.xml b/systests/idp/src/test/resources/entity_wreq.xml new file mode 100644 index 0000000..c0ff502 --- /dev/null +++ b/systests/idp/src/test/resources/entity_wreq.xml 
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE RequestSecurityTokenResponseCollection [<!ENTITY a "1234567890" >
+
+<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
+
+<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
+
+<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;" >
+
+<!ENTITY e "&d;&d;&d;&d;&d;&d;&d;&d;" >
+
+<!ENTITY f "&e;&e;&e;&e;&e;&e;&e;&e;" >
+
+<!ENTITY g "&f;&f;&f;&f;&f;&f;&f;&f;" >
+
+<!ENTITY h "&g;&g;&g;&g;&g;&g;&g;&g;" >
+
+<!ENTITY i "&h;&h;&h;&h;&h;&h;&h;&h;" >
+
+<!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;" >
+
+<!ENTITY k "&j;&j;&j;&j;&j;&j;&j;&j;" >
+
+<!ENTITY l "&k;&k;&k;&k;&k;&k;&k;&k;" >
+
+<!ENTITY m "&l;&l;&l;&l;&l;&l;&l;&l;" > ]>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/eccd097a/systests/idp/src/test/resources/logging.properties
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/resources/logging.properties b/systests/idp/src/test/resources/logging.properties
new file mode 100644
index 0000000..040b210
--- /dev/null
+++ b/systests/idp/src/test/resources/logging.properties
@@ -0,0 +1,54 @@
+############################################################
+# Default Logging Configuration File
+#
+# You can use a different file by specifying a filename
+# with the java.util.logging.config.file system property.
+# For example java -Djava.util.logging.config.file=myfile
+############################################################
+
+############################################################
+# Global properties
+############################################################
+
+# "handlers" specifies a comma separated list of log Handler
+# classes. These handlers will be installed during VM startup.
+# Note that these classes must be on the system classpath.
+# By default we only configure a ConsoleHandler, which will only
+# show messages at the WARNING and above levels.
+handlers= java.util.logging.ConsoleHandler
+#handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler
+
+# Default global logging level.
+# This specifies which kinds of events are logged across
+# all loggers. For any given facility this global level
+# can be overridden by a facility specific level
+# Note that the ConsoleHandler also has a separate level
+# setting to limit messages printed to the console.
+.level= INFO
+
+############################################################
+# Handler specific properties.
+# Describes specific configuration info for Handlers.
+############################################################
+
+# default file output is in user's home directory.
+java.util.logging.FileHandler.pattern = %h/java%u.log
+java.util.logging.FileHandler.limit = 50000
+java.util.logging.FileHandler.count = 1
+java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
+
+# Limit the message that are printed on the console to WARNING and above.
+java.util.logging.ConsoleHandler.level = WARNING
+java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
+
+
+############################################################
+# Facility specific properties.
+# Provides extra control for each logger.
+############################################################
+
+# For example, set the com.xyz.foo logger to only log SEVERE
+# messages:
+#com.xyz.foo.level = SEVERE
+org.apache.ws.security.level = FINEST
+org.apache.cxf.fediz.level = FINEST
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/eccd097a/systests/idp/src/test/resources/realma/entities-realma.xml
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/resources/realma/entities-realma.xml b/systests/idp/src/test/resources/realma/entities-realma.xml
new file mode 100644
index 0000000..f947274
--- /dev/null
+++ b/systests/idp/src/test/resources/realma/entities-realma.xml
@@ -0,0 +1,473 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:util="http://www.springframework.org/schema/util"
+ xsi:schemaLocation="
+ http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+ http://www.springframework.org/schema/util
+ http://www.springframework.org/schema/util/spring-util-2.0.xsd">
+
+ <bean id="idp-realmA" class="org.apache.cxf.fediz.service.idp.service.jpa.IdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
+ <property name="uri" value="realma" />
+ <property name="provideIdpList" value="true" />
+ <property name="useCurrentIdp" value="true" />
+ <property name="certificate" value="stsKeystoreA.properties" />
+ <property name="certificatePassword" value="realma" />
+ <property name="stsUrl" value="https://localhost:${idp.https.port}/fediz-idp-sts/REALMA" />
+ <property name="idpUrl" value="https://localhost:${idp.https.port}/fediz-idp/federation" />
+ <property name="rpSingleSignOutConfirmation" value="true"/>
+ <property name="supportedProtocols">
+ <util:list>
+ <value>http://docs.oasis-open.org/wsfed/federation/200706
+ </value>
+ <value>http://docs.oasis-open.org/ws-sx/ws-trust/200512
+ </value>
+ </util:list>
+ </property>
+ <property name="tokenTypesOffered">
+ <util:list>
+ <value>urn:oasis:names:tc:SAML:1.0:assertion</value>
+ <value>urn:oasis:names:tc:SAML:2.0:assertion</value>
+ </util:list>
+ </property>
+ <property name="authenticationURIs">
+ <util:map>
+ <entry key="default" value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/SslAndKey"
+ value="federation/krb" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/default"
+ value="federation/up" />
+ <entry key="http://docs.oasis-open.org/wsfed/authorization/200706/authntypes/Ssl"
+ value="federation/clientcert" />
+ </util:map>
+ </property>
+ <property name="serviceDisplayName" value="REALM A" />
+ <property name="serviceDescription" value="IDP of Realm A" />
+ <property name="applications">
+ <util:list>
+ <ref bean="srv-fedizhelloworld" />
+ </util:list>
+ </property>
+ <property name="trustedIdps">
+ <util:list>
+ <ref bean="trusted-idp-realmB" />
+ </util:list>
+ </property>
+ <property name="claimTypesOffered">
+ <util:list>
+ <ref bean="claim_role" />
+ <ref bean="claim_surname" />
+ <ref bean="claim_givenname" />
+ <ref bean="claim_email" />
+ </util:list>
+ </property>
+ </bean>
+
+ <bean id="trusted-idp-realmB"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.TrustedIdpEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-B" />
+ <property name="cacheTokens" value="true" />
+ <property name="url" value="https://localhost:12443/fediz-idp-remote/federation" />
+ <property name="certificate" value="realmb.cert" />
+ <property name="trustType" value="PEER_TRUST" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="federationType" value="FEDERATE_IDENTITY" />
+ <property name="
value="Realm B" />
+ <property name="description" value="Realm B description" />
+ </bean>
+
+ <bean id="srv-fedizhelloworld" class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationEntity">
+ <property name="realm" value="urn:org:apache:cxf:fediz:fedizhelloworld" />
+ <property name="protocol" value="http://docs.oasis-open.org/wsfed/federation/200706" />
+ <property name="serviceDisplayName" value="Fedizhelloworld" />
+ <property name="serviceDescription" value="Web Application to illustrate WS-Federation" />
+ <property name="role" value="ApplicationServiceType" />
+ <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" />
+ <property name="lifeTime" value="3600" />
+ <property name="passiveRequestorEndpointConstraint"
+ value="https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*" />
+ </bean>
+
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_role" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_givenname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_surname" />
+ <property name="optional" value="false" />
+ </bean>
+ <bean class="org.apache.cxf.fediz.service.idp.service.jpa.ApplicationClaimEntity">
+ <property name="application" ref="srv-fedizhelloworld" />
+ <property name="claim" ref="claim_email" />
+ <property name="optional" value="false" />
+ </bean>
+
+ <bean id="claim_role"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" />
+ <property name="displayName"
+ value="role" />
+ <property name="description"
+ value="Description for role" />
+ </bean>
+ <bean id="claim_givenname"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
+ <property name="displayName"
+ value="firstname" />
+ <property name="description"
+ value="Description for firstname" />
+ </bean>
+ <bean id="claim_surname"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" />
+ <property name="displayName"
+ value="lastname" />
+ <property name="description"
+ value="Description for lastname" />
+ </bean>
+ <bean id="claim_email"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.ClaimEntity">
+ <property name="claimType"
+ value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
+ <property name="displayName"
+ value="email" />
+ <property name="description"
+ value="Description for email" />
+ </bean>
+
+
+ <bean id="entitlement_claim_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_LIST" />
+ <property name="description"
+ value="Description for CLAIM_LIST" />
+ </bean>
+ <bean id="entitlement_claim_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_CREATE" />
+ <property name="description"
+ value="Description for CLAIM_CREATE" />
+ </bean>
+ <bean id="entitlement_claim_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_READ" />
+ <property name="description"
+ value="Description for CLAIM_READ" />
+ </bean>
+ <bean id="entitlement_claim_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_UPDATE" />
+ <property name="description"
+ value="Description for CLAIM_UPDATE" />
+ </bean>
+ <bean id="entitlement_claim_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="CLAIM_DELETE" />
+ <property name="description"
+ value="Description for CLAIM_DELETE" />
+ </bean>
+
+ <bean id="entitlement_application_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_LIST" />
+ <property name="description"
+ value="Description for APPLICATION_LIST" />
+ </bean>
+ <bean id="entitlement_application_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_CREATE" />
+ <property name="description"
+ value="Description for APPLICATION_CREATE" />
+ </bean>
+ <bean id="entitlement_application_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_READ" />
+ <property name="description"
+ value="Description for APPLICATION_READ" />
+ </bean>
+ <bean id="entitlement_application_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_UPDATE" />
+ <property name="description"
+ value="Description for APPLICATION_UPDATE" />
+ </bean>
+ <bean id="entitlement_application_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="APPLICATION_DELETE" />
+ <property name="description"
+ value="Description for APPLICATION_DELETE" />
+ </bean>
+
+ <bean id="entitlement_trustedidp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_LIST" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_LIST" />
+ </bean>
+ <bean id="entitlement_trustedidp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_CREATE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_CREATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_READ" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_READ" />
+ </bean>
+ <bean id="entitlement_trustedidp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_UPDATE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_trustedidp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="TRUSTEDIDP_DELETE" />
+ <property name="description"
+ value="Description for TRUSTEDIDP_DELETE" />
+ </bean>
+
+ <bean id="entitlement_idp_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_LIST" />
+ <property name="description"
+ value="Description for IDP_LIST" />
+ </bean>
+ <bean id="entitlement_idp_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_CREATE" />
+ <property name="description"
+ value="Description for IDP_CREATE" />
+ </bean>
+ <bean id="entitlement_idp_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_READ" />
+ <property name="description"
+ value="Description for IDP_READ" />
+ </bean>
+ <bean id="entitlement_idp_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_UPDATE" />
+ <property name="description"
+ value="Description for IDP_UPDATE" />
+ </bean>
+ <bean id="entitlement_idp_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="IDP_DELETE" />
+ <property name="description"
+ value="Description for IDP_DELETE" />
+ </bean>
+
+ <bean id="entitlement_role_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_LIST" />
+ <property name="description"
+ value="Description for ROLE_LIST" />
+ </bean>
+ <bean id="entitlement_role_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_CREATE" />
+ <property name="description"
+ value="Description for ROLE_CREATE" />
+ </bean>
+ <bean id="entitlement_role_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_READ" />
+ <property name="description"
+ value="Description for ROLE_READ" />
+ </bean>
+ <bean id="entitlement_role_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_UPDATE" />
+ <property name="description"
+ value="Description for ROLE_UPDATE" />
+ </bean>
+ <bean id="entitlement_role_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ROLE_DELETE" />
+ <property name="description"
+ value="Description for ROLE_DELETE" />
+ </bean>
+
+ <bean id="entitlement_entitlement_list"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_LIST" />
+ <property name="description"
+ value="Description for ENTITLEMENT_LIST" />
+ </bean>
+ <bean id="entitlement_entitlement_create"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_CREATE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_CREATE" />
+ </bean>
+ <bean id="entitlement_entitlement_read"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_READ" />
+ <property name="description"
+ value="Description for ENTITLEMENT_READ" />
+ </bean>
+ <bean id="entitlement_entitlement_update"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_UPDATE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_UPDATE" />
+ </bean>
+ <bean id="entitlement_entitlement_delete"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.EntitlementEntity">
+ <property name="name"
+ value="ENTITLEMENT_DELETE" />
+ <property name="description"
+ value="Description for ENTITLEMENT_DELETE" />
+ </bean>
+
+ <bean id="role_admin"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="ADMIN" />
+ <property name="description"
+ value="This is the administrator role with full access" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_create" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_claim_update" />
+ <ref bean="entitlement_claim_delete" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_create" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_idp_update" />
+ <ref bean="entitlement_idp_delete" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_create" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_trustedidp_update" />
+ <ref bean="entitlement_trustedidp_delete" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_create" />
+ <ref bean="entitlement_application_read" />
+ <ref bean="entitlement_application_update" />
+ <ref bean="entitlement_application_delete" />
+ <ref bean="entitlement_role_list" />
+ <ref bean="entitlement_role_create" />
+ <ref bean="entitlement_role_read" />
+ <ref bean="entitlement_role_update" />
+ <ref bean="entitlement_role_delete" />
+ <ref bean="entitlement_entitlement_list" />
+ <ref bean="entitlement_entitlement_create" />
+ <ref bean="entitlement_entitlement_read" />
+ <ref bean="entitlement_entitlement_update" />
+ <ref bean="entitlement_entitlement_delete" />
+ </util:list>
+ </property>
+ </bean>
+ <bean id="role_user"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="USER" />
+ <property name="description"
+ value="This is the user role with read access" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_read" />
+ <ref bean="entitlement_role_list" />
+ <ref bean="entitlement_role_read" />
+ <ref bean="entitlement_entitlement_list" />
+ <ref bean="entitlement_entitlement_read" />
+ </util:list>
+ </property>
+ </bean>
+ <bean id="role_idp_login"
+ class="org.apache.cxf.fediz.service.idp.service.jpa.RoleEntity">
+ <property name="name"
+ value="IDP_LOGIN" />
+ <property name="description"
+ value="This is the IDP login role which is applied to Users during the IDP SSO" />
+ <property name="entitlements">
+ <util:list>
+ <ref bean="entitlement_claim_list" />
+ <ref bean="entitlement_claim_read" />
+ <ref bean="entitlement_idp_list" />
+ <ref bean="entitlement_idp_read" />
+ <ref bean="entitlement_trustedidp_list" />
+ <ref bean="entitlement_trustedidp_read" />
+ <ref bean="entitlement_application_list" />
+ <ref bean="entitlement_application_read" />
+ </util:list>
+ </property>
+ </bean>
+
+
+
+</beans>
+
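Review bot: The `passiveRequestorEndpointConstraint` on srv-fedizhelloworld, `https://localhost:(\d)*/(\w)*helloworld(\w)*/secure/.*`, is the IdP-side check on the wreply address (the testMaliciousRedirect case this commit moves exercises it), and `(\d)*` also accepts an empty port, i.e. `https://localhost:/...`; `https://localhost:\d+/\w*helloworld\w*/secure/.*` states the intent more tightly and is otherwise equivalent. Whether the IdP applies this pattern as a full match or a substring search cannot be told from this file, so the bean would benefit from a comment saying which, since a substring search would need explicit anchors. Separately, the trusted-idp-realmB bean hard-codes `https://localhost:12443/fediz-idp-remote/federation` while every local endpoint in the same file is parameterised with `${idp.https.port}`; if this module starts no realm-B IdP, that bean is dead configuration, and if it does, the port should be a property like the others.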
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/eccd097a/systests/idp/src/test/resources/server.jks
----------------------------------------------------------------------
diff --git a/systests/idp/src/test/resources/server.jks b/systests/idp/src/test/resources/server.jks
new file mode 100644
index 0000000..c9c2ce2
Binary files /dev/null and b/systests/idp/src/test/resources/server.jks differ
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/eccd097a/systests/pom.xml
----------------------------------------------------------------------
diff --git a/systests/pom.xml b/systests/pom.xml
index 16dced5..eec0bac 100644
--- a/systests/pom.xml
+++ b/systests/pom.xml
@@ -32,6 +32,7 @@
 <modules>
 <module>tests</module>
+ <module>idp</module>
 <module>webapps</module>
 <module>jetty8</module>
 <module>jetty9</module>
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/eccd097a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractAttackTests.java
----------------------------------------------------------------------
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractAttackTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractAttackTests.java
deleted file mode 100644
index 7bec646..0000000
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractAttackTests.java
+++ /dev/null
@@ -1,237 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.fediz.integrationtests;
-
-import java.net.URLEncoder;
-
-import com.gargoylesoftware.htmlunit.CookieManager;
-import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
-import com.gargoylesoftware.htmlunit.WebClient;
-import com.gargoylesoftware.htmlunit.html.DomElement;
-import com.gargoylesoftware.htmlunit.html.DomNodeList;
-import com.gargoylesoftware.htmlunit.html.HtmlForm;
-import com.gargoylesoftware.htmlunit.html.HtmlPage;
-import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
-
-import org.apache.http.auth.AuthScope;
-import org.apache.http.auth.UsernamePasswordCredentials;
-import org.apache.wss4j.dom.engine.WSSConfig;
-import org.junit.Assert;
-import org.junit.Test;
-
-/**
- * Some negative/attack tests for the IdP/RP
- */
-public abstract class AbstractAttackTests {
-
- static final String TEST_WREQ =
- "<RequestSecurityToken xmlns=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
- + "<TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV3.0</TokenType>"
- + "</RequestSecurityToken>";
-
- static {
- WSSConfig.init();
- }
-
- public AbstractAttackTests() {
- super();
- }
-
- public abstract String getServletContextName();
-
- public abstract String getIdpHttpsPort();
-
- public abstract String getRpHttpsPort();
-
- @Test
- public void testAliceModifiedSignature() throws Exception {
- String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
- + "/secure/fedservlet";
- String user = "alice";
- String password = "ecila";
-
- // Get the initial token
- CookieManager cookieManager = new CookieManager();
- final WebClient webClient = new WebClient();
- webClient.setCookieManager(cookieManager);
- webClient.getOptions().setUseInsecureSSL(true);
- webClient.getCredentialsProvider().setCredentials(
- new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
- new UsernamePasswordCredentials(user, password));
-
- webClient.getOptions().setJavaScriptEnabled(false);
- final HtmlPage idpPage = webClient.getPage(url);
- webClient.getOptions().setJavaScriptEnabled(true);
- Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
-
- // Parse the form to get the token (wresult)
- DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
-
- for (DomElement result : results) {
- if ("wresult".equals(result.getAttributeNS(null, "name"))) {
- // Now modify the Signature
- String value = result.getAttributeNS(null, "value");
- value = value.replace("alice", "bob");
- result.setAttributeNS(null, "value", value);
- }
- }
-
- // Invoke back on the RP
-
- final HtmlForm form = idpPage.getFormByName("signinresponseform");
- final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
-
- try {
- button.click();
- Assert.fail("Failure expected on a modified signature");
- } catch (FailingHttpStatusCodeException ex) {
- // expected
- Assert.assertTrue(ex.getMessage().contains("401 Unauthorized")
- || ex.getMessage().contains("401 Authentication Failed")
- || ex.getMessage().contains("403 Forbidden"));
- }
-
- webClient.close();
- }
-
- @Test
- public void testConcurrentRequests() throws Exception {
-
- String url1 = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
- String url2 = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/test.html";
- String user = "bob";
- String password = "bob";
-
- // Get the initial token
- CookieManager cookieManager = new CookieManager();
- final WebClient webClient = new WebClient();
- webClient.setCookieManager(cookieManager);
- webClient.getOptions().setUseInsecureSSL(true);
- webClient.getCredentialsProvider().setCredentials(
- new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
- new UsernamePasswordCredentials(user, password));
-
- webClient.getOptions().setJavaScriptEnabled(false);
- final HtmlPage idpPage1 = webClient.getPage(url1);
- final HtmlPage idpPage2 = webClient.getPage(url2);
- webClient.getOptions().setJavaScriptEnabled(true);
- Assert.assertEquals("IDP SignIn Response Form", idpPage1.getTitleText());
- Assert.assertEquals("IDP SignIn Response Form", idpPage2.getTitleText());
-
- // Invoke back on the page1 RP
- final HtmlForm form = idpPage1.getFormByName("signinresponseform");
- final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
- final HtmlPage rpPage1 = button.click();
- Assert.assertTrue("WS Federation Systests Examples".equals(rpPage1.getTitleText())
- || "WS Federation Systests Spring Examples".equals(rpPage1.getTitleText()));
-
- String bodyTextContent1 = rpPage1.getBody().getTextContent();
-
- Assert.assertTrue("Principal not " + user,
- bodyTextContent1.contains("userPrincipal=" + user));
-
- // Invoke back on the page2 RP
- final HtmlForm form2 = idpPage2.getFormByName("signinresponseform");
- final HtmlSubmitInput button2 = form2.getInputByName("_eventId_submit");
- final HtmlPage rpPage2 = button2.click();
- String bodyTextContent2 = rpPage2.getBody().getTextContent();
-
- Assert.assertTrue("Unexpected content of RP page", bodyTextContent2.contains("Secure Test"));
-
- webClient.close();
- }
-
- @org.junit.Test
- public void testMaliciousRedirect() throws Exception {
- String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
- String user = "alice";
- String password = "ecila";
-
- CookieManager cookieManager = new CookieManager();
-
- // 1. Login
- HTTPTestUtils.loginWithCookieManager(url, user, password, getIdpHttpsPort(), cookieManager);
-
- // 2. Now we should have a cookie from the RP and IdP and should be able to do
- // subsequent requests without authenticate again. Lets test this first.
- WebClient webClient = new WebClient();
- webClient.setCookieManager(cookieManager);
- webClient.getOptions().setUseInsecureSSL(true);
- HtmlPage rpPage = webClient.getPage(url);
- Assert.assertTrue("WS Federation Systests Examples".equals(rpPage.getTitleText())
- || "WS Federation Systests Spring Examples".equals(rpPage.getTitleText()));
-
- // 3. Now a malicious user sends the client a URL with a bad "wreply" address to the IdP
- String maliciousURL = "https://www.apache.org/attack";
- String idpUrl
- = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation";
- idpUrl += "?wa=wsignin1.0&wreply=" + URLEncoder.encode(maliciousURL, "UTF-8");
- idpUrl += "&wtrealm=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Afedizhelloworld";
- idpUrl += "&whr=urn%3Aorg%3Aapache%3Acxf%3Afediz%3Aidp%3Arealm-A";
- webClient.close();
-
- final WebClient webClient2 = new WebClient();
- webClient2.setCookieManager(cookieManager);
- webClient2.getOptions().setUseInsecureSSL(true);
- webClient2.getCredentialsProvider().setCredentials(
- new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
- new UsernamePasswordCredentials(user, password));
-
- webClient2.getOptions().setJavaScriptEnabled(false);
- try {
- webClient2.getPage(idpUrl);
- Assert.fail("Failure expected on a bad wreply address");
- } catch (FailingHttpStatusCodeException ex) {
- Assert.assertEquals(ex.getStatusCode(), 400);
- }
- webClient2.close();
- }
-
- // Send an unknown wreq value
- @org.junit.Test
- public void testBadWReq() throws Exception {
- String url = "https://localhost:" + getIdpHttpsPort() + "/fediz-idp/federation?";
- url += "wa=wsignin1.0";
- url += "&whr=urn:org:apache:cxf:fediz:idp:realm-A";
- url += "&wtrealm=urn:org:apache:cxf:fediz:fedizhelloworld";
- String wreply = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName() + "/secure/fedservlet";
- url += "&wreply=" + wreply;
- url += "&wreq=" + URLEncoder.encode(TEST_WREQ, "UTF-8");
-
- String user = "alice";
- String password = "ecila";
-
- final WebClient webClient = new WebClient();
- webClient.getOptions().setUseInsecureSSL(true);
- webClient.getCredentialsProvider().setCredentials(
- new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
- new UsernamePasswordCredentials(user, password));
-
- webClient.getOptions().setJavaScriptEnabled(false);
- try {
- webClient.getPage(url);
- Assert.fail("Failure expected on a bad wreq value");
- } catch (FailingHttpStatusCodeException ex) {
- Assert.assertEquals(ex.getStatusCode(), 400);
- }
-
- webClient.close();
- }
-}
