Record older ActAs attributes in the newer token
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/4a97a25e Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/4a97a25e Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/4a97a25e Branch: refs/heads/3.1.x-fixes Commit: 4a97a25efc17e0d0ce3d96a1476a8183e5a97879 Parents: 03d40ca Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Tue Oct 25 11:15:02 2016 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Tue Oct 25 13:37:56 2016 +0100 ---------------------------------------------------------------------- .../ActAsAttributeStatementProvider.java | 30 ++++++ .../token/provider/SAMLProviderActAsTest.java | 96 ++++++++++++++++++++ 2 files changed, 126 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/4a97a25e/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ActAsAttributeStatementProvider.java ---------------------------------------------------------------------- diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ActAsAttributeStatementProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ActAsAttributeStatementProvider.java index 808cad2..cd0e837 100644 --- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ActAsAttributeStatementProvider.java +++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ActAsAttributeStatementProvider.java @@ -34,6 +34,7 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.common.saml.bean.AttributeBean; import org.apache.wss4j.common.saml.bean.AttributeStatementBean; import org.apache.wss4j.dom.WSConstants; +import org.opensaml.core.xml.XMLObject; /** * An AttributeStatementProvider implementation to handle "ActAs". It adds an "ActAs "attribute" with the name of 
@@ -94,6 +95,35 @@ public class ActAsAttributeStatementProvider implements AttributeStatementProvid
 SamlAssertionWrapper wrapper = new SamlAssertionWrapper((Element)parameter);
 SAMLTokenPrincipal principal = new SAMLTokenPrincipalImpl(wrapper);
 parameterBean.addAttributeValue(principal.getName());
+
+ // Check for other ActAs attributes here + add them in
+ if (wrapper.getSaml2() != null) {
+ for (org.opensaml.saml.saml2.core.AttributeStatement attributeStatement
+ : wrapper.getSaml2().getAttributeStatements()) {
+ for (org.opensaml.saml.saml2.core.Attribute attribute : attributeStatement.getAttributes()) {
+ if ("ActAs".equals(attribute.getName())) {
+ for (XMLObject attributeValue : attribute.getAttributeValues()) {
+ Element attributeValueElement = attributeValue.getDOM();
+ String text = attributeValueElement.getTextContent();
+ parameterBean.addAttributeValue(text);
+ }
+ }
+ }
+ }
+ } else if (wrapper.getSaml1() != null) {
+ for (org.opensaml.saml.saml1.core.AttributeStatement attributeStatement
+ : wrapper.getSaml1().getAttributeStatements()) {
+ for (org.opensaml.saml.saml1.core.Attribute attribute : attributeStatement.getAttributes()) {
+ if ("ActAs".equals(attribute.getAttributeName())) {
+ for (XMLObject attributeValue : attribute.getAttributeValues()) {
+ Element attributeValueElement = attributeValue.getDOM();
+ String text = attributeValueElement.getTextContent();
+ parameterBean.addAttributeValue(text);
+ }
+ }
+ }
+ }
+ }
 }
 return parameterBean;
http://git-wip-us.apache.org/repos/asf/cxf/blob/4a97a25e/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java
index 768da57..ad90fe4 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java +++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java 
@@ -288,6 +288,102 @@ public class SAMLProviderActAsTest extends org.junit.Assert { assertTrue(tokenString.contains(ClaimTypes.LASTNAME.toString())); } + @org.junit.Test + public void testIncludeOtherActAsAttributesInTheToken() throws Exception { + TokenProvider samlTokenProvider = new SAMLTokenProvider(); + + UsernameTokenType usernameToken = new UsernameTokenType(); + AttributedString username = new AttributedString(); + username.setValue("bob"); + usernameToken.setUsername(username); + JAXBElement<UsernameTokenType> usernameTokenType = + new JAXBElement<UsernameTokenType>( + QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameToken + ); + + TokenProviderParameters providerParameters = + createProviderParameters( + WSConstants.WSS_SAML_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, usernameTokenType + ); + //Principal must be set in ReceivedToken/ActAs + providerParameters.getTokenRequirements().getActAs().setPrincipal( + new CustomTokenPrincipal(username.getValue())); + + assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML_TOKEN_TYPE)); + TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters); + assertTrue(providerResponse != null); + assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null); + + // Verify the token + Element token = (Element)providerResponse.getToken(); + SamlAssertionWrapper assertion = new SamlAssertionWrapper(token); + Assert.assertEquals("technical-user", assertion.getSubjectName()); + + boolean foundActAsAttribute = false; + for (org.opensaml.saml.saml1.core.AttributeStatement attributeStatement + : assertion.getSaml1().getAttributeStatements()) { + for (org.opensaml.saml.saml1.core.Attribute attribute : attributeStatement.getAttributes()) { + if ("ActAs".equals(attribute.getAttributeName())) { + for (XMLObject attributeValue : attribute.getAttributeValues()) { + Element attributeValueElement = attributeValue.getDOM(); + String text = 
attributeValueElement.getTextContent(); + if (text.contains("bob")) { + foundActAsAttribute = true; + break; + } + } + } + } + } + + Assert.assertTrue(foundActAsAttribute); + + // Now get another token "ActAs" the previous token + providerParameters = + createProviderParameters( + WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, token + ); + //Principal must be set in ReceivedToken/ActAs + providerParameters.getTokenRequirements().getActAs().setPrincipal( + new CustomTokenPrincipal("service-A")); + providerParameters.setPrincipal(new CustomTokenPrincipal("service-A")); + + assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML2_TOKEN_TYPE)); + providerResponse = samlTokenProvider.createToken(providerParameters); + assertTrue(providerResponse != null); + assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null); + + // Verify the token + token = (Element)providerResponse.getToken(); + assertion = new SamlAssertionWrapper(token); + Assert.assertEquals("service-A", assertion.getSubjectName()); + + String tokenString = DOM2Writer.nodeToString(token); + System.out.println(tokenString); + + boolean foundBob = false; + boolean foundTechnical = false; + for (org.opensaml.saml.saml2.core.AttributeStatement attributeStatement + : assertion.getSaml2().getAttributeStatements()) { + for (org.opensaml.saml.saml2.core.Attribute attribute : attributeStatement.getAttributes()) { + if ("ActAs".equals(attribute.getName())) { + for (XMLObject attributeValue : attribute.getAttributeValues()) { + Element attributeValueElement = attributeValue.getDOM(); + String text = attributeValueElement.getTextContent(); + if (text.contains("bob")) { + foundBob = true; + } else if (text.contains("technical-user")) { + foundTechnical = true; + } + } + } + } + } + + Assert.assertTrue(foundBob); + Assert.assertTrue(foundTechnical); + } + private Element getSAMLAssertion() throws Exception { TokenProvider samlTokenProvider = new 
SAMLTokenProvider(); TokenProviderParameters providerParameters =
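Review bot: `System.out.println(tokenString);` in `testIncludeOtherActAsAttributesInTheToken` leaves debugging output in the suite, and `tokenString` is used nowhere else in the method, so both lines can be dropped. The `break` in the first verification loop only leaves the innermost `for`, which is harmless but reads as if it ended the search; dropping it, or moving the search into a small helper that returns on the first match, would be clearer. The method also mixes the inherited bare `assertTrue` with the qualified `Assert.assertEquals`/`Assert.assertTrue`, while the surrounding context uses the bare form; picking one keeps the file consistent.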