Removing some unneeded code from the security unit tests # Conflicts: # rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/bfdb3f8f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/bfdb3f8f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/bfdb3f8f
Branch: refs/heads/3.1.x-fixes
Commit: bfdb3f8ff39b948be9f97bc489df06955f16bdc7
Parents: 65869af
Author: Colm O hEigeartaigh <cohei...@apache.org>
Authored: Wed Aug 16 17:44:49 2017 +0100
Committer: Colm O hEigeartaigh <cohei...@apache.org>
Committed: Wed Aug 16 17:46:31 2017 +0100
----------------------------------------------------------------------
.../wss4j/AbstractPolicySecurityTest.java | 129 ++++---------------
.../wss4j/example-sts-issued-saml-assertion.xml | 58 +--------
2 files changed, 25 insertions(+), 162 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/bfdb3f8f/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
index b627081..9b25f16 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
@@ -22,6 +22,7 @@ import java.io.Closeable;
 import java.net.URL;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
@@ -47,6 +48,7 @@ import org.apache.cxf.binding.soap.SoapMessage; import org.apache.cxf.endpoint.Endpoint; import org.apache.cxf.feature.Feature; import org.apache.cxf.helpers.CastUtils; +import org.apache.cxf.helpers.DOMUtils; import org.apache.cxf.interceptor.AbstractAttributedInterceptorProvider; import org.apache.cxf.message.Message; import org.apache.cxf.service.Service; @@ -67,13 +69,14 @@ import org.apache.neethi.Policy; import org.apache.wss4j.common.crypto.Crypto; import org.apache.wss4j.common.crypto.CryptoFactory; import org.apache.wss4j.common.crypto.CryptoType; +import org.apache.wss4j.common.saml.OpenSAMLUtil; +import org.apache.wss4j.common.saml.SamlAssertionWrapper; import org.apache.wss4j.dom.WSConstants; import org.apache.wss4j.dom.WSDataRef; import org.apache.wss4j.dom.engine.WSSecurityEngineResult; import org.apache.wss4j.dom.handler.WSHandlerConstants; import org.apache.wss4j.dom.handler.WSHandlerResult; import org.apache.wss4j.policy.SP12Constants; -import org.apache.wss4j.policy.model.AsymmetricBinding; public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest { protected PolicyBuilder policyBuilder; @@ -318,9 +321,7 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest { return msg.getContent(SOAPMessage.class).getSOAPPart(); } - - // TODO: This method can be removed or reduced when testSignedElementsWithIssuedSAMLToken is - // cleaned up. + protected void runOutInterceptorAndValidateSamlTokenAttached(String policyDoc) throws Exception { // create the request message final Document document = this.readDocument("wsse-request-clean.xml"); 
@@ -334,16 +335,23 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest { // add an "issued" assertion into the message exchange Element issuedAssertion = this.readDocument("example-sts-issued-saml-assertion.xml").getDocumentElement(); - - String assertionId = issuedAssertion.getAttributeNodeNS(null, "AssertionID").getNodeValue(); - - SecurityToken issuedToken = - new SecurityToken(assertionId, issuedAssertion, null); - + Properties cryptoProps = new Properties(); URL url = ClassLoader.getSystemResource("outsecurity.properties"); cryptoProps.load(url.openStream()); Crypto crypto = CryptoFactory.getInstance(cryptoProps); + + // Sign the "issued" assertion + SamlAssertionWrapper assertionWrapper = new SamlAssertionWrapper(issuedAssertion); + assertionWrapper.signAssertion("myalias", "myAliasPassword", crypto, false); + + Document doc = DOMUtils.newDocument(); + issuedAssertion = OpenSAMLUtil.toDom(assertionWrapper.getSaml1(), doc); + String assertionId = issuedAssertion.getAttributeNodeNS(null, "AssertionID").getNodeValue(); + + SecurityToken issuedToken = + new SecurityToken(assertionId, issuedAssertion, null); + String alias = cryptoProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias"); CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); cryptoType.setAlias(alias); @@ -361,8 +369,10 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest { // fire the interceptor and verify results final Document signedDoc = this.runOutInterceptorAndValidate( msg, policy, aim, null, null); - - verifySignatureCoversAssertion(signedDoc, assertionId); + + this.runInInterceptorAndValidate(signedDoc, + policy, Collections.singletonList(SP12Constants.ISSUED_TOKEN), null, + Collections.singletonList(CoverageType.SIGNED)); } protected PolicyBasedWSS4JOutInterceptorInternal getOutInterceptor() { 
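Review bot: The call `assertionWrapper.signAssertion("myalias", "myAliasPassword", crypto, false)` hard-codes the signing alias while the statements just below it read the message-signing alias from `cryptoProps` via `org.apache.ws.security.crypto.merlin.keystore.alias`, so the same keystore entry is presumably named in two places and the fixture drifts if outsecurity.properties changes. Hoist the existing `String alias = cryptoProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias");` line above the signing call and pass `alias` instead of the literal, if (as the property name suggests) it resolves to the same entry. The trailing `false` argument carries no explanation at the call site; a comment such as `// false: emit the signing certificate rather than a bare KeyValue in the assertion's KeyInfo — confirm against SamlAssertionWrapper.signAssertion` would keep the intent readable. The enclosing method runOutInterceptorAndValidateSamlTokenAttached begins before this hunk.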
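Review bot: Replacing `verifySignatureCoversAssertion(signedDoc, assertionId)` with `runInInterceptorAndValidate(...)` changes what the test pins: the old check asserted that the SecurityTokenReference for `assertionId` appears among the ds:SignedInfo references, whereas the new call only asserts that the inbound interceptor accepts the message with ISSUED_TOKEN satisfied and `CoverageType.SIGNED` coverage. Whether that coverage check specifically requires the token reference to be signed is not visible in this diff; if it is satisfied by a signed Body alone, a regression that drops the STR from the signature would no longer fail here. Worth confirming against the in-interceptor's coverage validation, and recording the outcome above the call, e.g. `// inbound policy validation is relied on to enforce that the issued token's STR is signed`, so the intent survives the removal of the explicit XPath check.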
@@ -467,101 +477,6 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest { } assertTrue(foundReferenceList); } - - // TODO: This method can be removed when runOutInterceptorAndValidateAsymmetricBinding - // is cleaned up by adding server side enforcement of signature related algorithms. - // See https://issues.apache.org/jira/browse/WSS-222 - protected void verifySignatureAlgorithms(Document signedDoc, AssertionInfoMap aim) throws Exception { - final AssertionInfo assertInfo = aim.get(SP12Constants.ASYMMETRIC_BINDING).iterator().next(); - assertNotNull(assertInfo); - - final AsymmetricBinding binding = (AsymmetricBinding) assertInfo.getAssertion(); - final String expectedSignatureMethod = binding.getAlgorithmSuite().getAsymmetricSignature(); - final String expectedDigestAlgorithm = - binding.getAlgorithmSuite().getAlgorithmSuiteType().getDigest(); - final String expectedCanonAlgorithm = binding.getAlgorithmSuite().getC14n().getValue(); - - XPathFactory factory = XPathFactory.newInstance(); - XPath xpath = factory.newXPath(); - final NamespaceContext nsContext = this.getNamespaceContext(); - xpath.setNamespaceContext(nsContext); - - // Signature Algorithm - final XPathExpression sigAlgoExpr = - xpath.compile("/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo" - + "/ds:SignatureMethod/@Algorithm"); - - final String sigMethod = (String) sigAlgoExpr.evaluate(signedDoc, XPathConstants.STRING); - assertEquals(expectedSignatureMethod, sigMethod); - - // Digest Method Algorithm - final XPathExpression digestAlgoExpr = xpath.compile( - "/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod"); - - final NodeList digestMethodNodes = - (NodeList) digestAlgoExpr.evaluate(signedDoc, XPathConstants.NODESET); - - for (int i = 0; i < digestMethodNodes.getLength(); i++) { - Node node = (Node)digestMethodNodes.item(i); - String digestAlgorithm = node.getAttributes().getNamedItem("Algorithm").getNodeValue(); - 
assertEquals(expectedDigestAlgorithm, digestAlgorithm); - } - - // Canonicalization Algorithm - final XPathExpression canonAlgoExpr = - xpath.compile("/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo" - + "/ds:CanonicalizationMethod/@Algorithm"); - final String canonMethod = (String) canonAlgoExpr.evaluate(signedDoc, XPathConstants.STRING); - assertEquals(expectedCanonAlgorithm, canonMethod); - } - - // TODO: This method can be removed when runOutInterceptorAndValidateSamlTokenAttached - // is cleaned up. - protected void verifySignatureCoversAssertion(Document signedDoc, String assertionId) throws Exception { - XPathFactory factory = XPathFactory.newInstance(); - XPath xpath = factory.newXPath(); - final NamespaceContext nsContext = this.getNamespaceContext(); - xpath.setNamespaceContext(nsContext); - - // Find the SecurityTokenReference for the assertion - final XPathExpression strExpr = xpath.compile( - "/s:Envelope/s:Header/wsse:Security/wsse:SecurityTokenReference/wsse:KeyIdentifier"); - - final NodeList strKeyIdNodes = - (NodeList) strExpr.evaluate(signedDoc, XPathConstants.NODESET); - - String strId = null; - for (int i = 0; i < strKeyIdNodes.getLength(); i++) { - Node keyIdNode = (Node) strKeyIdNodes.item(i); - String strKey = keyIdNode.getTextContent(); - if (strKey.equals(assertionId)) { - Node strNode = (Node) keyIdNode.getParentNode(); - strId = strNode.getAttributes(). 
- getNamedItemNS(nsContext.getNamespaceURI("wsu"), "Id").getNodeValue(); - break; - } - } - assertNotNull("SecurityTokenReference for " + assertionId + " not found in security header.", strId); - - // Verify STR is included in the signature references - final XPathExpression sigRefExpr = - xpath.compile("/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference"); - - final NodeList sigReferenceNodes = - (NodeList) sigRefExpr.evaluate(signedDoc, XPathConstants.NODESET); - - boolean foundStrReference = false; - for (int i = 0; i < sigReferenceNodes.getLength(); i++) { - Node sigRefNode = (Node) sigReferenceNodes.item(i); - String sigRefURI = sigRefNode.getAttributes().getNamedItem("URI").getNodeValue(); - if (sigRefURI.equals("#" + strId)) { - foundStrReference = true; - break; - } - } - - assertTrue("SecurityTokenReference for " + assertionId + " is not signed.", foundStrReference); - } protected void verifyEncryptedHeader(Document originalDoc, Document processedDoc) throws Exception { XPathFactory factory = XPathFactory.newInstance(); http://git-wip-us.apache.org/repos/asf/cxf/blob/bfdb3f8f/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml ---------------------------------------------------------------------- diff --git a/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml b/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml index ed5abe6..6768104 100644 --- a/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml +++ b/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml 
@@ -6,10 +6,9 @@ <saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" AssertionID="uuid-c318f4ea-a9c4-4d3c-8f11-218d30028522" - IssueInstant="2010-07-29T20:48:46.229Z" Issuer="TEST-STS" + Issuer="TEST-STS" MajorVersion="1" MinorVersion="1"> - <saml:Conditions NotBefore="2010-07-29T20:48:46.229Z" - NotOnOrAfter="2010-07-29T20:49:22.229Z"> + <saml:Conditions NotBefore="2010-07-29T20:48:46.229Z"> <saml:AudienceRestrictionCondition> <saml:Audience>test-service</saml:Audience> </saml:AudienceRestrictionCondition> @@ -21,7 +20,7 @@ <saml:NameIdentifier>CN=test-user,OU=test,OU=CXF,O=Apache Software Foundation</saml:NameIdentifier> <saml:SubjectConfirmation> <saml:ConfirmationMethod> - urn:oasis:names:tc:SAML:1.0:cm:holder-of-key + urn:oasis:names:tc:SAML:1.0:cm:bearer </saml:ConfirmationMethod> <ds:KeyInfo> <ds:X509Data> 
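Review bot: Dropping `NotOnOrAfter` leaves `<saml:Conditions NotBefore="2010-07-29T20:48:46.229Z">` with no end of validity, so once the test re-signs this assertion it is valid indefinitely and the inbound validation's expiry handling is never exercised by this fixture. If the reason is that the 2010 expiry failed validation now that the assertion is signed at run time, that deserves a line in the fixture, e.g. `<!-- NotOnOrAfter intentionally omitted: the assertion is re-signed at test time and must remain valid -->`; otherwise consider setting the conditions programmatically from the test rather than leaving the window open-ended. `IssueInstant` is removed at the same time; whether the wrapper regenerates it on re-serialisation is not visible here and is worth confirming.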
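Review bot: The confirmation method is switched to `urn:oasis:names:tc:SAML:1.0:cm:bearer` but the SubjectConfirmation still carries the `<ds:KeyInfo><ds:X509Data>` block visible as context immediately after the change, which only has meaning for holder-of-key. A bearer assertion with an embedded subject key is a misleading fixture: it looks as if proof-of-possession is expected when nothing checks it. Either remove the ds:KeyInfo element together with the method change, or keep holder-of-key and have the test supply the matching private key; at minimum add `<!-- bearer confirmation: the KeyInfo below is not used for proof-of-possession -->` so the next reader does not assume HOK semantics.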
@@ -41,55 +40,4 @@ </saml:SubjectConfirmation> </saml:Subject> </saml:AuthenticationStatement> - <ds:Signature> - <ds:SignedInfo> - <ds:CanonicalizationMethod - Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> - <ds:SignatureMethod - Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> - <ds:Reference - URI="#uuid-c318f4ea-a9c4-4d3c-8f11-218d30028522"> - <ds:Transforms> - <ds:Transform - Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> - <ds:Transform - Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> - </ds:Transforms> - <ds:DigestMethod - Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> - <ds:DigestValue>+oA6MZcwrQrVa+IwsOejQW91VwM= - </ds:DigestValue> - </ds:Reference> - </ds:SignedInfo> - <ds:SignatureValue> - WNU2nQEnGtMl3f+bApcFB/fFb36WCfBMae/9wFs5Y2Be6RVZ0FMv6NYMhEboWwuUuRMAZ8L8Ac4H - 2Xp76pd/9ypO/IY+oM5k6A4N+p8q/VX5f3Qnkh5EcF2k69LVfMNpBje+eksUyHyREUd8w6Ejh1O1 - kLkR4oxBLjvYm+GLGFEmMYTpFHFyAK1bn1BdvAtDb3/hDZeGASRWUPnYFuqMTMUqa1O6iBISQFM1 - 3KUwhvKk7xODSsIsivFYFcP/7MamYOwr5UWyDex2xID9ubXdzu0B/Ey6IslaCCFZSZK1WfSiTU2Q - yZarJS6WBDTNCt2ad29A5oURJpwEsdXQsOtNmA== - </ds:SignatureValue> - <ds:KeyInfo> - <ds:X509Data> - <ds:X509Certificate>MIIDmzCCAoOgAwIBAgIBAzANBgkqhkiG9w0 - BAQUFADBYMSYwJAYDVQQKEx1Qcm9ncmVzcyBTb2Z0 - d2FyZSBDb3Jwb3JhdGlvbjELMAkGA1UECxMCcHMxDTALBgNVBAsTBHRlc3QxEjAQBgNVBAMTCVRl - c3QgQ0EgMTAeFw0wOTEyMTgwMTQ5MDFaFw0xOTEyMTYwMTQ2NDFaMFkxJjAkBgNVBAoTHVByb2dy - ZXNzIFNvZnR3YXJlIENvcnBvcmF0aW9uMQswCQYDVQQLEwJwczENMAsGA1UECxMEdGVzdDETMBEG - A1UEAxMKc3RzLWlzc3VlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf6fT4yXU8J - sfQAa6Kidu8NVONLF4HPgGMnB/JxcMJFzYvG9J2WtWTV0PEwzoLronC/92NcEmHktaY6mbgXQx90 - 4nnyXVs1mhSFbFjuunOCwbYbLoP0hTSOAFEXIMZfIev6ecnSS2jbuhz4CRKxdbtf5d1QF2MWataN - zTXYqoWuHKcSxzha4DlS8W9MVAp4gi6yubbbb0KZxMDeTiuCM8kJ1B0et+qAw3hVRosWHxzvcJz7 - zzc2fscOSVBtwDyYZdEShHt8oL+9bs1oiWHZm35/YP476AOC9rznYU6ekXtVszwak5kOAheJC9sx - BF+WMmMRZc3w3ZMEJUcLMgYj678CAwEAAaNvMG0wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU6hTh - 
MTVrJEvhmPWvHzgFS4fbPr4wCwYDVR0PBAQDAgSwMBEGCWCGSAGG+EIBAQQEAwIFoDAeBglghkgB - hvhCAQ0EERYPeGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4IBAQAbb5autCceUfJLII1T - C2zqTFdxFzW6Pa1Ni8VYtxEVli5d48R3VgfPm4o1uP5MeJJc1LzgwQ7TYWhdmwDAWIbXvNtaMzDZ - FZK2kgU4yjhPSTTqMZvvdJlADBQbZPKxsd9NT5K7FEcxuWNOnjRl1vZZ3pbgbR/aq12g9ERWjvt6 - ZOS0/Rc2mv8uie1rCpPIdes/nj9yTP+pMIGI65RhMHrr3zPIkl6ZWPPWFoXkOS26e8AKkfMadaZd - WKrB3xkBW5eDoUz22DaolFw5WfJJD2s3kto26/UYjjRviZ9j+YkRVRDLDn3j/8wcdYD2p1anzMKU - TjZe7HgwbK7N/J5QJ/KQ - </ds:X509Certificate> - </ds:X509Data> - </ds:KeyInfo> - </ds:Signature> </saml:Assertion>