19 package org.apache.wss4j.policy.stax.test;
20
21 import java.util.LinkedList;
22 import java.util.List;
23
24 import javax.xml.namespace.QName;
25
26 import org.apache.wss4j.common.ext.WSSecurityException;
27 import org.apache.wss4j.common.saml.SAMLCallback;
28 import org.apache.wss4j.common.saml.SamlAssertionWrapper;
29 import org.apache.wss4j.common.saml.bean.SubjectBean;
30 import org.apache.wss4j.common.saml.bean.Version;
31 import org.apache.wss4j.policy.stax.PolicyViolationException;
32 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
33 import org.apache.wss4j.stax.ext.WSSConstants;
34 import org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl;
35 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
36 import org.apache.wss4j.stax.securityEvent.SamlTokenSecurityEvent;
37 import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
38 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
39 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
40 import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
41 import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
42 import org.junit.jupiter.api.Test;
43
44 import static org.junit.jupiter.api.Assertions.assertEquals;
45 import static org.junit.jupiter.api.Assertions.assertTrue;
46 import static org.junit.jupiter.api.Assertions.fail;
47
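/**
 * Policy-enforcement tests for {@code sp:SamlToken} inside an {@code sp:AsymmetricBinding}.
 *
 * <p>Both tests drive the same policy: a SAML 2.0 token from a fixed issuer is required as the
 * initiator (signing) and recipient (encrypting) token. The positive test feeds matching tokens and
 * expects the enforcer to finish cleanly; the negative test presents a recipient token from a
 * different issuer and expects the enforcer to reject the message with an InvalidSecurity fault
 * once the operation is known.
 */
public class SamlTokenTest extends AbstractPolicyTestBase {

    /** Issuer name the policy in {@link #samlTokenPolicy()} demands for both tokens. */
    private static final String POLICY_ISSUER = "xs:anyURI";

    /** Issuer that deliberately differs from {@link #POLICY_ISSUER}; used to provoke a violation. */
    private static final String OTHER_ISSUER = "xs:otherURI";

    /**
     * Builds the WS-SecurityPolicy under test: an AsymmetricBinding whose InitiatorToken and
     * RecipientToken are both a {@code sp:SamlToken} (WssSamlV20Token11) issued by
     * {@link #POLICY_ISSUER}, with the Basic256 algorithm suite.
     *
     * @return the policy as an XML string
     */
    private static String samlTokenPolicy() {
        return "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n"
            + "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n"
            + "<sp:InitiatorToken>\n"
            + " <wsp:Policy>\n"
            + " <sp:SamlToken>\n"
            + " <sp:IssuerName>" + POLICY_ISSUER + "</sp:IssuerName>\n"
            + " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n"
            + " <sp:WssSamlV20Token11/>\n"
            + " </wsp:Policy>\n"
            + " </sp:SamlToken>\n"
            + " </wsp:Policy>\n"
            + "</sp:InitiatorToken>\n"
            + "<sp:RecipientToken>\n"
            + " <wsp:Policy>\n"
            + " <sp:SamlToken>\n"
            + " <sp:IssuerName>" + POLICY_ISSUER + "</sp:IssuerName>\n"
            + " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n"
            + " <sp:WssSamlV20Token11/>\n"
            + " </wsp:Policy>\n"
            + " </sp:SamlToken>\n"
            + " </wsp:Policy>\n"
            + "</sp:RecipientToken>\n"
            + " <sp:AlgorithmSuite>\n"
            + " <wsp:Policy>\n"
            + " <sp:Basic256/>\n"
            + " </wsp:Policy>\n"
            + " </sp:AlgorithmSuite>\n"
            + "</wsp:Policy>\n"
            + "</sp:AsymmetricBinding>";
    }

    /**
     * Creates a SAML 2.0 assertion with the given issuer and an otherwise empty subject.
     *
     * @param issuer value placed in the assertion's Issuer
     * @return the wrapped assertion
     * @throws Exception if the base-class assertion factory fails
     */
    private SamlAssertionWrapper createAssertion(String issuer) throws Exception {
        SAMLCallback samlCallback = new SAMLCallback();
        samlCallback.setSamlVersion(Version.SAML_20);
        samlCallback.setIssuer(issuer);
        samlCallback.setSubject(new SubjectBean());
        return createSamlAssertionWrapper(samlCallback);
    }

    /**
     * Wraps an assertion in an inbound SAML security token backed by the X.509 v3 test key and
     * referenced via a direct security-token reference. No token usage is set here; callers add the
     * usage (signature or encryption) the test needs.
     *
     * @param samlAssertionWrapper assertion to wrap
     * @return the security token
     * @throws Exception if the base-class key lookup fails
     */
    private SamlSecurityTokenImpl createSamlToken(SamlAssertionWrapper samlAssertionWrapper) throws Exception {
        return new SamlSecurityTokenImpl(
            samlAssertionWrapper, getX509Token(WSSecurityTokenConstants.X509V3Token), null, null,
            WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE, null);
    }

    /**
     * Registers a {@link SamlTokenSecurityEvent} carrying {@code securityToken} with the enforcer.
     *
     * @param policyEnforcer enforcer under test
     * @param securityToken token to report
     * @return the registered event, so callers can reuse its token for part/element events
     * @throws WSSecurityException if the enforcer rejects the event
     */
    private static SamlTokenSecurityEvent registerSamlTokenEvent(
            PolicyEnforcer policyEnforcer, SamlSecurityTokenImpl securityToken) throws WSSecurityException {
        SamlTokenSecurityEvent tokenSecurityEvent = new SamlTokenSecurityEvent();
        tokenSecurityEvent.setSecurityToken(securityToken);
        policyEnforcer.registerSecurityEvent(tokenSecurityEvent);
        return tokenSecurityEvent;
    }

    /**
     * Reports the SOAP 1.1 Body as signed and then content-encrypted by {@code protectingToken},
     * the protection the binding expects before the operation is evaluated.
     *
     * @param policyEnforcer enforcer under test
     * @param protectingToken token that produced the signature and the encryption
     * @throws WSSecurityException if the enforcer rejects either event
     */
    private static void registerProtectedBody(PolicyEnforcer policyEnforcer, InboundSecurityToken protectingToken)
            throws WSSecurityException {
        // Order matters to the enforcer: signature first, then encryption (sign-before-encrypt).
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);

        SignedPartSecurityEvent signedPartSecurityEvent =
            new SignedPartSecurityEvent(protectingToken, true, protectionOrder);
        signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);

        ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
            new ContentEncryptedElementSecurityEvent(protectingToken, true, protectionOrder);
        contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
    }

    /**
     * Builds the operation event for these tests. The negative test expects the issuer violation to
     * be reported when this event is registered, i.e. once the enforcer knows which operation the
     * policy applies to.
     *
     * @return an {@link OperationSecurityEvent} for the {@code definitions} operation
     */
    private static OperationSecurityEvent operationEvent() {
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        return operationSecurityEvent;
    }

    /**
     * Initiator and recipient tokens both come from the policy's issuer, the Body is signed and
     * encrypted, so the enforcer must accept the message.
     */
    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(samlTokenPolicy());
        SamlAssertionWrapper samlAssertionWrapper = createAssertion(POLICY_ISSUER);

        // The initiator token signs; the recipient token encrypts.
        SamlSecurityTokenImpl initiatorToken = createSamlToken(samlAssertionWrapper);
        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerSamlTokenEvent(policyEnforcer, initiatorToken);

        SamlSecurityTokenImpl recipientToken = createSamlToken(samlAssertionWrapper);
        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        SamlTokenSecurityEvent recipientTokenSecurityEvent = registerSamlTokenEvent(policyEnforcer, recipientToken);

        registerProtectedBody(policyEnforcer,
            (InboundSecurityToken) recipientTokenSecurityEvent.getSecurityToken());
        policyEnforcer.registerSecurityEvent(operationEvent());

        policyEnforcer.doFinal();
    }

    /**
     * The recipient token is issued by a different party than the policy's IssuerName, so the
     * enforcer must refuse the message with a {@link PolicyViolationException} wrapped in an
     * InvalidSecurity fault.
     */
    @Test
    public void testPolicyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(samlTokenPolicy());

        SamlSecurityTokenImpl initiatorToken = createSamlToken(createAssertion(POLICY_ISSUER));
        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerSamlTokenEvent(policyEnforcer, initiatorToken);

        // Only the recipient token deviates from the policy; everything else is well-formed.
        SamlSecurityTokenImpl recipientToken = createSamlToken(createAssertion(OTHER_ISSUER));
        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        SamlTokenSecurityEvent recipientTokenSecurityEvent = registerSamlTokenEvent(policyEnforcer, recipientToken);

        registerProtectedBody(policyEnforcer,
            (InboundSecurityToken) recipientTokenSecurityEvent.getSecurityToken());

        try {
            policyEnforcer.registerSecurityEvent(operationEvent());
            fail("Exception expected");
        } catch (WSSecurityException e) {
            // Expected value first, actual second, so a mismatch reports the right way round.
            assertTrue(e.getCause() instanceof PolicyViolationException);
            assertEquals(
                "IssuerName in Policy (xs:anyURI) didn't match with the one in the SamlToken (xs:otherURI)",
                e.getCause().getMessage());
            assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
        }
    }
}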