1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.wss4j.dom.message.token;
21  
22  import java.util.Collections;
23  
24  import org.apache.wss4j.common.bsp.BSPEnforcer;
25  import org.apache.wss4j.common.bsp.BSPRule;
26  import org.apache.wss4j.common.ext.WSSecurityException;
27  import org.apache.wss4j.common.token.Reference;
28  import org.apache.wss4j.common.token.SecurityTokenReference;
29  import org.apache.wss4j.common.util.DOM2Writer;
30  import org.apache.wss4j.common.util.SOAPUtil;
31  import org.apache.wss4j.dom.WSConstants;
32  
33  import org.apache.wss4j.dom.engine.WSSConfig;
34  
35  import org.junit.jupiter.api.Test;
36  import org.w3c.dom.Document;
37  import org.w3c.dom.Element;
38  
39  import static org.junit.jupiter.api.Assertions.assertTrue;
40  import static org.junit.jupiter.api.Assertions.fail;
41  
42  /**
43   * Some tests for the SecurityTokenReference class.
44   */
public class SecurityTokenReferenceTest {
    private static final org.slf4j.Logger LOG =
        org.slf4j.LoggerFactory.getLogger(SecurityTokenReferenceTest.class);

    /** Value carried by every KeyIdentifier / Reference built here; nothing is resolved against it. */
    private static final String KEY_ID_VALUE = "#123";

    public SecurityTokenReferenceTest() {
        WSSConfig.init();
    }

    /**
     * Test for a Reference with no URI.
     *
     * Parsing runs under a strict {@code BSPEnforcer}, so a Reference that names nothing
     * must be rejected with a message naming the null URI rather than silently accepted.
     */
    @Test
    public void testReferenceNoURI() throws Exception {
        Document doc = newSoapDocument();
        SecurityTokenReference str = newStr(doc);

        Reference reference = new Reference(doc);
        reference.setValueType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
        reference.setURI(null);
        str.setReference(reference);

        debugLog(str);

        Element strElement = str.getElement();
        try {
            new SecurityTokenReference(strElement, new BSPEnforcer(true));
        } catch (WSSecurityException ex) {
            assertTrue(ex.getMessage().contains("Reference URI is null"));
            return;
        }
        fail("Failure expected on a reference with no URI");
    }

    /**
     * Test for a SecurityTokenReference having multiple data references.
     *
     * An STR with more than one child is ambiguous about which token it points at; the
     * default enforcer rejects it, and only an explicit opt-out of R3061 lets it parse.
     */
    @Test
    public void testMultipleChildren() throws Exception {
        Document doc = newSoapDocument();
        SecurityTokenReference str = newStr(doc);
        str.setKeyIdentifierEncKeySHA1("123456");
        Element strElement = str.getElement();

        // Second child next to the KeyIdentifier: two competing ways to locate the token.
        Reference reference = new Reference(doc);
        reference.setValueType(WSConstants.WSS_ENC_KEY_VALUE_TYPE);
        reference.setURI(KEY_ID_VALUE);
        strElement.appendChild(reference.getElement());

        debugLog(str);

        BSPEnforcer bspEnforcer = new BSPEnforcer();
        assertRejectedAsInvalidSecurity(strElement, bspEnforcer,
            "Failure expected on multiple data references");

        // Relaxing the single rule that fired is enough for the same element to parse.
        bspEnforcer.setIgnoredBSPRules(Collections.singletonList(BSPRule.R3061));
        new SecurityTokenReference(strElement, bspEnforcer);
    }

    /**
     * Test for a SecurityTokenReference having a Key Identifier with no ValueType.
     */
    @Test
    public void testKeyIdentifierNoValueType() throws Exception {
        Document doc = newSoapDocument();
        SecurityTokenReference str = newStr(doc);
        str.setKeyIdentifier(null, KEY_ID_VALUE);
        Element strElement = str.getElement();

        debugLog(str);

        BSPEnforcer bspEnforcer = new BSPEnforcer();
        assertRejectedAsInvalidSecurity(strElement, bspEnforcer,
            "Failure expected on a Key Identifier with no ValueType");

        // NOTE(review): no re-parse follows, so the relaxed-rule path is not exercised here
        // (contrast testMultipleChildren, which parses again after ignoring its rule).
        bspEnforcer.setIgnoredBSPRules(Collections.singletonList(BSPRule.R3054));
    }

    /**
     * Test for a SecurityTokenReference having a Key Identifier with a bad EncodingType.
     */
    @Test
    public void testKeyIdentifierBadEncodingType() throws Exception {
        Document doc = newSoapDocument();
        SecurityTokenReference str = newStr(doc);
        Element strElement = str.getElement();

        strElement.appendChild(
            keyIdentifier(doc, SecurityTokenReference.ENC_KEY_SHA1_URI, "http://bad_encoding"));

        debugLog(str);

        BSPEnforcer bspEnforcer = new BSPEnforcer();
        assertRejectedAsInvalidSecurity(strElement, bspEnforcer,
            "Failure expected on a Key Identifier with a Bad EncodingType");

        // NOTE(review): no re-parse follows, so the relaxed-rule path is not exercised here.
        bspEnforcer.setIgnoredBSPRules(Collections.singletonList(BSPRule.R3071));
    }

    /**
     * Test for a SecurityTokenReference having a Key Identifier with no EncodingType.
     */
    @Test
    public void testKeyIdentifierNoEncodingType() throws Exception {
        Document doc = newSoapDocument();
        SecurityTokenReference str = newStr(doc);
        Element strElement = str.getElement();

        strElement.appendChild(keyIdentifier(doc, SecurityTokenReference.ENC_KEY_SHA1_URI, null));

        debugLog(str);

        BSPEnforcer bspEnforcer = new BSPEnforcer();
        assertRejectedAsInvalidSecurity(strElement, bspEnforcer,
            "Failure expected on a Key Identifier with no EncodingType");

        // NOTE(review): no re-parse follows, so the relaxed-rule path is not exercised here.
        bspEnforcer.setIgnoredBSPRules(Collections.singletonList(BSPRule.R3070));
    }

    /**
     * Test for a SecurityTokenReference having a Key Identifier with no EncodingType, but
     * it should pass as the ValueType is for a SAML Assertion.
     */
    @Test
    public void testKeyIdentifierSAMLNoEncodingType() throws Exception {
        Document doc = newSoapDocument();
        SecurityTokenReference str = newStr(doc);
        Element strElement = str.getElement();

        strElement.appendChild(keyIdentifier(doc, WSConstants.WSS_SAML_KI_VALUE_TYPE, null));

        debugLog(str);

        // Default enforcer, no rules ignored: this must parse without throwing.
        new SecurityTokenReference(strElement, new BSPEnforcer());
    }

    /**
     * Test for a SecurityTokenReference having an Embedded Child, which in turn has a
     * SecurityTokenReference child.
     */
    @Test
    public void testEmbeddedSTRChild() throws Exception {
        Document doc = newSoapDocument();
        SecurityTokenReference outer = newStr(doc);
        Element strElement = outer.getElement();

        // Nesting an STR inside wsse:Embedded of another STR.
        Element embedded = doc.createElementNS(WSConstants.WSSE_NS, "wsse:Embedded");
        SecurityTokenReference inner = newStr(doc);
        embedded.appendChild(inner.getElement());
        strElement.appendChild(embedded);

        debugLog(strElement);

        BSPEnforcer bspEnforcer = new BSPEnforcer();
        assertRejectedAsInvalidSecurity(strElement, bspEnforcer,
            "Failure expected on an Embedded Child with a SecurityTokenReference child");

        // NOTE(review): no re-parse follows, so the relaxed-rule path is not exercised here.
        bspEnforcer.setIgnoredBSPRules(Collections.singletonList(BSPRule.R3056));
    }

    /**
     * Test for a SecurityTokenReference having an Embedded Child, which has multiple
     * children.
     */
    @Test
    public void testMultipleEmbeddedChildren() throws Exception {
        Document doc = newSoapDocument();
        SecurityTokenReference str = newStr(doc);
        Element strElement = str.getElement();

        Element embedded = doc.createElementNS(WSConstants.WSSE_NS, "wsse:Embedded");
        embedded.appendChild(doc.createElementNS(WSConstants.WSSE_NS, "wsse:Reference"));
        embedded.appendChild(doc.createElementNS(WSConstants.WSSE_NS, "wsse:Reference"));
        strElement.appendChild(embedded);

        debugLog(strElement);

        BSPEnforcer bspEnforcer = new BSPEnforcer();
        assertRejectedAsInvalidSecurity(strElement, bspEnforcer,
            "Failure expected on an Embedded Child with multiple children");

        // NOTE(review): no re-parse follows, so the relaxed-rule path is not exercised here.
        bspEnforcer.setIgnoredBSPRules(Collections.singletonList(BSPRule.R3060));
    }

    /**
     * Returns a fresh SOAP part built from the shared sample message.
     */
    private static Document newSoapDocument() throws Exception {
        return SOAPUtil.toSOAPPart(SOAPUtil.SAMPLE_SOAP_MSG);
    }

    /**
     * Creates an empty SecurityTokenReference on {@code doc} with the wsse namespace declared.
     */
    private static SecurityTokenReference newStr(Document doc) {
        SecurityTokenReference str = new SecurityTokenReference(doc);
        str.addWSSENamespace();
        return str;
    }

    /**
     * Builds a wsse:KeyIdentifier carrying {@link #KEY_ID_VALUE} as its text.
     *
     * @param valueType    written to the ValueType attribute as given (may be null)
     * @param encodingType written to the EncodingType attribute, or omitted when null
     */
    private static Element keyIdentifier(Document doc, String valueType, String encodingType) {
        Element keyId = doc.createElementNS(WSConstants.WSSE_NS, "wsse:KeyIdentifier");
        keyId.setAttributeNS(null, "ValueType", valueType);
        if (encodingType != null) {
            keyId.setAttributeNS(null, "EncodingType", encodingType);
        }
        keyId.appendChild(doc.createTextNode(KEY_ID_VALUE));
        return keyId;
    }

    /**
     * Parses {@code strElement} with {@code enforcer} and asserts that the parse is rejected
     * with error code INVALID_SECURITY; fails with {@code failureMessage} if it is accepted.
     */
    private static void assertRejectedAsInvalidSecurity(
        Element strElement, BSPEnforcer enforcer, String failureMessage
    ) throws Exception {
        try {
            new SecurityTokenReference(strElement, enforcer);
        } catch (WSSecurityException ex) {
            assertTrue(ex.getErrorCode() == WSSecurityException.ErrorCode.INVALID_SECURITY);
            return;
        }
        fail(failureMessage);
    }

    /** Logs the STR's own string form at debug level. */
    private static void debugLog(SecurityTokenReference str) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(str.toString());
        }
    }

    /** Logs a serialized DOM element at debug level. */
    private static void debugLog(Element element) {
        if (LOG.isDebugEnabled()) {
            LOG.debug(DOM2Writer.nodeToString(element));
        }
    }

}
313 }