View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.test;
20  
21  import java.util.LinkedList;
22  import java.util.List;
23  
24  import javax.xml.namespace.QName;
25  
26  import org.apache.wss4j.common.ext.WSSecurityException;
27  import org.apache.wss4j.common.saml.SAMLCallback;
28  import org.apache.wss4j.common.saml.SamlAssertionWrapper;
29  import org.apache.wss4j.common.saml.bean.SubjectBean;
30  import org.apache.wss4j.common.saml.bean.Version;
31  import org.apache.wss4j.policy.stax.PolicyViolationException;
32  import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
33  import org.apache.wss4j.stax.ext.WSSConstants;
34  import org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl;
35  import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
36  import org.apache.wss4j.stax.securityEvent.SamlTokenSecurityEvent;
37  import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
38  import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
39  import org.apache.xml.security.stax.ext.XMLSecurityConstants;
40  import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
41  import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
42  import org.junit.jupiter.api.Test;
43  
44  import static org.junit.jupiter.api.Assertions.assertEquals;
45  import static org.junit.jupiter.api.Assertions.assertTrue;
46  import static org.junit.jupiter.api.Assertions.fail;
47  
48  public class SamlTokenTest extends AbstractPolicyTestBase {
49  
50      @Test
51      public void testPolicy() throws Exception {
52          String policyString =
53                  "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
54                          "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
55                          "<sp:InitiatorToken>\n" +
56                          "   <wsp:Policy>\n" +
57                          "       <sp:SamlToken>\n" +
58                          "           <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
59                          "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
60                          "               <sp:WssSamlV20Token11/>\n" +
61                          "           </wsp:Policy>\n" +
62                          "       </sp:SamlToken>\n" +
63                          "   </wsp:Policy>\n" +
64                          "</sp:InitiatorToken>\n" +
65                          "<sp:RecipientToken>\n" +
66                          "   <wsp:Policy>\n" +
67                          "       <sp:SamlToken>\n" +
68                          "           <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
69                          "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
70                          "               <sp:WssSamlV20Token11/>\n" +
71                          "           </wsp:Policy>\n" +
72                          "       </sp:SamlToken>\n" +
73                          "   </wsp:Policy>\n" +
74                          "</sp:RecipientToken>\n" +
75                          "   <sp:AlgorithmSuite>\n" +
76                          "       <wsp:Policy>\n" +
77                          "           <sp:Basic256/>\n" +
78                          "       </wsp:Policy>\n" +
79                          "   </sp:AlgorithmSuite>\n" +
80                          "</wsp:Policy>\n" +
81                          "</sp:AsymmetricBinding>";
82  
83          PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
84  
85          SAMLCallback samlCallback = new SAMLCallback();
86          samlCallback.setSamlVersion(Version.SAML_20);
87          samlCallback.setIssuer("xs:anyURI");
88          SubjectBean subjectBean = new SubjectBean();
89          samlCallback.setSubject(subjectBean);
90          SamlAssertionWrapper samlAssertionWrapper = createSamlAssertionWrapper(samlCallback);
91  
92          SamlTokenSecurityEvent initiatorTokenSecurityEvent = new SamlTokenSecurityEvent();
93          SamlSecurityTokenImpl securityToken =
94              new SamlSecurityTokenImpl(
95                      samlAssertionWrapper, getX509Token(WSSecurityTokenConstants.X509V3Token), null, null,
96                      WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE, null);
97          securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
98          initiatorTokenSecurityEvent.setSecurityToken(securityToken);
99          policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);
100 
101         SamlTokenSecurityEvent recipientTokenSecurityEvent = new SamlTokenSecurityEvent();
102         securityToken =
103             new SamlSecurityTokenImpl(
104                     samlAssertionWrapper, getX509Token(WSSecurityTokenConstants.X509V3Token), null, null,
105                     WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE, null);
106         securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
107         recipientTokenSecurityEvent.setSecurityToken(securityToken);
108         policyEnforcer.registerSecurityEvent(recipientTokenSecurityEvent);
109 
110         List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
111         protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
112         protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
113         SignedPartSecurityEvent signedPartSecurityEvent =
114                 new SignedPartSecurityEvent(
115                         (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
116         signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
117         policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
118 
119         ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
120                 new ContentEncryptedElementSecurityEvent(
121                         (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
122         contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
123         policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
124 
125         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
126         operationSecurityEvent.setOperation(new QName("definitions"));
127         policyEnforcer.registerSecurityEvent(operationSecurityEvent);
128 
129         policyEnforcer.doFinal();
130     }
131 
132     @Test
133     public void testPolicyNegative() throws Exception {
134         String policyString =
135                 "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
136                         "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
137                         "<sp:InitiatorToken>\n" +
138                         "   <wsp:Policy>\n" +
139                         "       <sp:SamlToken>\n" +
140                         "           <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
141                         "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
142                         "               <sp:WssSamlV20Token11/>\n" +
143                         "           </wsp:Policy>\n" +
144                         "       </sp:SamlToken>\n" +
145                         "   </wsp:Policy>\n" +
146                         "</sp:InitiatorToken>\n" +
147                         "<sp:RecipientToken>\n" +
148                         "   <wsp:Policy>\n" +
149                         "       <sp:SamlToken>\n" +
150                         "           <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
151                         "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
152                         "               <sp:WssSamlV20Token11/>\n" +
153                         "           </wsp:Policy>\n" +
154                         "       </sp:SamlToken>\n" +
155                         "   </wsp:Policy>\n" +
156                         "</sp:RecipientToken>\n" +
157                         "   <sp:AlgorithmSuite>\n" +
158                         "       <wsp:Policy>\n" +
159                         "           <sp:Basic256/>\n" +
160                         "       </wsp:Policy>\n" +
161                         "   </sp:AlgorithmSuite>\n" +
162                         "</wsp:Policy>\n" +
163                         "</sp:AsymmetricBinding>";
164 
165         PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
166 
167         SAMLCallback samlCallback = new SAMLCallback();
168         samlCallback.setSamlVersion(Version.SAML_20);
169         samlCallback.setIssuer("xs:anyURI");
170         SubjectBean subjectBean = new SubjectBean();
171         samlCallback.setSubject(subjectBean);
172         SamlAssertionWrapper samlAssertionWrapper = createSamlAssertionWrapper(samlCallback);
173 
174         SamlTokenSecurityEvent initiatorTokenSecurityEvent = new SamlTokenSecurityEvent();
175         SamlSecurityTokenImpl securityToken =
176             new SamlSecurityTokenImpl(
177                     samlAssertionWrapper, getX509Token(WSSecurityTokenConstants.X509V3Token), null, null,
178                     WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE, null);
179         securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
180         initiatorTokenSecurityEvent.setSecurityToken(securityToken);
181         policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);
182 
183         samlCallback.setIssuer("xs:otherURI");
184         samlAssertionWrapper = createSamlAssertionWrapper(samlCallback);
185 
186         SamlTokenSecurityEvent recipientTokenSecurityEvent = new SamlTokenSecurityEvent();
187         securityToken =
188             new SamlSecurityTokenImpl(
189                     samlAssertionWrapper, getX509Token(WSSecurityTokenConstants.X509V3Token), null, null,
190                     WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE, null);
191         securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
192         recipientTokenSecurityEvent.setSecurityToken(securityToken);
193         policyEnforcer.registerSecurityEvent(recipientTokenSecurityEvent);
194 
195         List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
196         protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
197         protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
198         SignedPartSecurityEvent signedPartSecurityEvent =
199                 new SignedPartSecurityEvent(
200                         (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
201         signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
202         policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
203 
204         ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
205                 new ContentEncryptedElementSecurityEvent(
206                         (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
207         contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
208         policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
209 
210         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
211         operationSecurityEvent.setOperation(new QName("definitions"));
212 
213         try {
214             policyEnforcer.registerSecurityEvent(operationSecurityEvent);
215             fail("Exception expected");
216         } catch (WSSecurityException e) {
217             assertTrue(e.getCause() instanceof PolicyViolationException);
218             assertEquals(e.getCause().getMessage(),
219                     "IssuerName in Policy (xs:anyURI) didn't match with the one in the SamlToken (xs:otherURI)");
220             assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
221         }
222     }
223 }