From cohei...@apache.org
Subject svn commit: r1169703 - in /cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security: policy/builders/ policy/model/ wss4j/ wss4j/policyvalidators/
Date Mon, 12 Sep 2011 11:52:22 GMT
Author: coheigea
Date: Mon Sep 12 11:52:21 2011
New Revision: 1169703

URL: http://svn.apache.org/viewvc?rev=1169703&view=rev
Log:
[CXF-2924] - Added a policy validator for AlgorithmSuites
 - Only checks signatures for the moment.

Added:
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
Modified:
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java
    cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java?rev=1169703&r1=1169702&r2=1169703&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/builders/SamlTokenBuilder.java
Mon Sep 12 11:52:21 2011
@@ -69,12 +69,21 @@ public class SamlTokenBuilder implements
                         if (policyChild instanceof Element) {
                             QName qname = 
                                 new QName(policyChild.getNamespaceURI(), policyChild.getLocalName());
-                            if (SPConstants.SAML_11_TOKEN_10.equals(qname.getLocalPart()))
{
+                            String localname = qname.getLocalPart();
+                            if (SPConstants.SAML_11_TOKEN_10.equals(localname)) {
                                 samlToken.setUseSamlVersion11Profile10(true);
-                            } else if (SPConstants.SAML_11_TOKEN_11.equals(qname.getLocalPart()))
{
+                            } else if (SPConstants.SAML_11_TOKEN_11.equals(localname)) {
                                 samlToken.setUseSamlVersion11Profile11(true);
-                            } else if (SPConstants.SAML_20_TOKEN_11.equals(qname.getLocalPart()))
{
+                            } else if (SPConstants.SAML_20_TOKEN_11.equals(localname)) {
                                 samlToken.setUseSamlVersion20Profile11(true);
+                            } else if (SPConstants.REQUIRE_DERIVED_KEYS.equals(localname))
{
+                                samlToken.setDerivedKeys(true);
+                            } else if (SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS.equals(localname))
{
+                                samlToken.setExplicitDerivedKeys(true);
+                            } else if (SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS.equals(localname))
{
+                                samlToken.setImpliedDerivedKeys(true);
+                            } else if (SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE.equals(localname))
{
+                                samlToken.setRequireKeyIdentifierReference(true);
                             }
                         }
                     }

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java?rev=1169703&r1=1169702&r2=1169703&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/model/SamlToken.java
Mon Sep 12 11:52:21 2011
@@ -29,6 +29,7 @@ public class SamlToken extends Token {
     private boolean useSamlVersion11Profile10;
     private boolean useSamlVersion11Profile11;
     private boolean useSamlVersion20Profile11;
+    private boolean requireKeyIdentifierReference;
 
     public SamlToken(SPConstants version) {
         super(version);
@@ -58,6 +59,14 @@ public class SamlToken extends Token {
         this.useSamlVersion20Profile11 = useSamlVersion20Profile11;
     }
     
+    public boolean isRequireKeyIdentifierReference() {
+        return requireKeyIdentifierReference;
+    }
+
+    public void setRequireKeyIdentifierReference(boolean requireKeyIdentifierReference) {
+        this.requireKeyIdentifierReference = requireKeyIdentifierReference;
+    }
+    
     public QName getName() {
         return SP12Constants.INSTANCE.getSamlToken();
     }
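Review bot: The new accessor pair `isRequireKeyIdentifierReference`/`setRequireKeyIdentifierReference` has no Javadoc, and nothing in the commit says what the flag means or where it is consumed. A one-line Javadoc on the getter would cover it: `/** Whether the policy contained a nested sp:RequireKeyIdentifierReference assertion; set by SamlTokenBuilder and written back as an element when the token is serialized. */`. As far as this diff shows, the flag is only parsed and re-serialized — none of the PolicyBasedWSS4JInInterceptor hunks read it — so the Javadoc should also say that it is not yet checked against received messages, unless that enforcement exists outside this commit.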
@@ -106,9 +115,25 @@ public class SamlToken extends Token {
                 // <sp:WssSamlV11Token11 />
                 writer.writeStartElement(prefix, SPConstants.SAML_11_TOKEN_11, namespaceURI);
             } else {
-               // <sp:WssSamlV20Token11 />
+                // <sp:WssSamlV20Token11 />
                 writer.writeStartElement(prefix, SPConstants.SAML_20_TOKEN_11, namespaceURI);
             }
+            
+            if (isDerivedKeys()) {
+                writer.writeStartElement(prefix, SPConstants.REQUIRE_DERIVED_KEYS, namespaceURI);
+                writer.writeEndElement();
+            } else if (isExplicitDerivedKeys()) {
+                writer.writeStartElement(prefix, SPConstants.REQUIRE_EXPLICIT_DERIVED_KEYS,
namespaceURI);
+                writer.writeEndElement();
+            } else if (isImpliedDerivedKeys()) {
+                writer.writeStartElement(prefix, SPConstants.REQUIRE_IMPLIED_DERIVED_KEYS,
namespaceURI);
+                writer.writeEndElement();
+            }
+            
+            if (isRequireKeyIdentifierReference()) {
+                writer.writeStartElement(prefix, SPConstants.REQUIRE_KEY_IDENTIFIER_REFERENCE,
namespaceURI);
+                writer.writeEndElement();
+            }
 
             writer.writeEndElement();
 

Modified: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java?rev=1169703&r1=1169702&r2=1169703&view=diff
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
(original)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java
Mon Sep 12 11:52:21 2011
@@ -73,6 +73,7 @@ import org.apache.cxf.ws.security.policy
 import org.apache.cxf.ws.security.policy.model.X509Token;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
 import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
+import org.apache.cxf.ws.security.wss4j.policyvalidators.AlgorithmSuitePolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.EndorsingTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.SamlTokenPolicyValidator;
 import org.apache.cxf.ws.security.wss4j.policyvalidators.UsernameTokenPolicyValidator;
@@ -617,9 +618,9 @@ public class PolicyBasedWSS4JInIntercept
         
         assertHeadersExists(aim, msg, soapHeader);
         
-        assertAsymetricBinding(aim, msg, prots, hasDerivedKeys);
-        assertSymetricBinding(aim, msg, prots, hasDerivedKeys);
-        assertTransportBinding(aim);
+        assertAsymetricBinding(aim, msg, prots, results, hasDerivedKeys);
+        assertSymmetricBinding(aim, msg, prots, results, hasDerivedKeys);
+        assertTransportBinding(aim, results);
         
         X509TokenPolicyValidator x509Validator = new X509TokenPolicyValidator(msg, results);
         x509Validator.validatePolicy(aim);
@@ -689,9 +690,10 @@ public class PolicyBasedWSS4JInIntercept
         
     }
 
-    private boolean assertSymetricBinding(AssertionInfoMap aim, 
+    private boolean assertSymmetricBinding(AssertionInfoMap aim, 
                                            SoapMessage message,
                                            Protections prots,
+                                           List<WSSecurityEngineResult> results,
                                            Boolean derived) {
         Collection<AssertionInfo> ais = aim.get(SP12Constants.SYMMETRIC_BINDING);
         if (ais == null) {
@@ -706,12 +708,20 @@ public class PolicyBasedWSS4JInIntercept
                     if (prots == Protections.ENCRYPT_SIGN
                         || prots == Protections.SIGN_ENCRYPT) {
                         ai.setNotAsserted("Not encrypted before signed and then protected");
+                        return false;
                     }
                 } else if (prots == Protections.SIGN_ENCRYPT) {
-                    ai.setNotAsserted("Not encrypted before signed");                   

+                    ai.setNotAsserted("Not encrypted before signed");
+                    return false;
                 }
             } else if (prots == Protections.ENCRYPT_SIGN) {
-                ai.setNotAsserted("Not signed before encrypted");                       
            
+                ai.setNotAsserted("Not signed before encrypted");
+                return false;
+            }
+            
+            AlgorithmSuitePolicyValidator algorithmValidator = new AlgorithmSuitePolicyValidator(results);
+            if (!algorithmValidator.validatePolicy(ai, abinding.getAlgorithmSuite())) {
+                return false;
             }
             
             if (abinding.getEncryptionToken() != null) {
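Review bot: The `AlgorithmSuitePolicyValidator` is constructed inside the per-assertion loop, so the three `fetchAllActionResults` scans in its constructor run once for every AssertionInfo, and the same three lines are repeated in assertAsymetricBinding and assertTransportBinding; building the validator once before the loop, or once in the caller and passing it in, would remove both the rework and the duplication. The new early `return false` paths also change the previous behaviour of continuing after `setNotAsserted`: any remaining AssertionInfo in `ais` is left unprocessed and the encryption/signature token assertions below are skipped, which looks intended but deserves a comment such as `// binding already failed; remaining token assertions are not evaluated`. If `abinding.getAlgorithmSuite()` can be null for a malformed policy, the validator throws a NullPointerException on `getAsymmetricSignature()` instead of marking the assertion not asserted. assertSymmetricBinding begins in the previous hunk and its loop closes outside this one.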
@@ -732,6 +742,7 @@ public class PolicyBasedWSS4JInIntercept
     private boolean assertAsymetricBinding(AssertionInfoMap aim, 
                                            SoapMessage message,
                                            Protections prots,
+                                           List<WSSecurityEngineResult> results,
                                            Boolean derived) {
         Collection<AssertionInfo> ais = aim.get(SP12Constants.ASYMMETRIC_BINDING);
         if (ais == null) {                       
@@ -745,13 +756,22 @@ public class PolicyBasedWSS4JInIntercept
                     if (prots == Protections.ENCRYPT_SIGN
                         || prots == Protections.SIGN_ENCRYPT) {
                         ai.setNotAsserted("Not encrypted before signed and then protected");
+                        return false;
                     }
                 } else if (prots == Protections.SIGN_ENCRYPT) {
-                    ai.setNotAsserted("Not encrypted before signed");                   

+                    ai.setNotAsserted("Not encrypted before signed");
+                    return false;
                 }
             } else if (prots == Protections.ENCRYPT_SIGN) {
-                ai.setNotAsserted("Not signed before encrypted");                       
            
+                ai.setNotAsserted("Not signed before encrypted");
+                return false;
+            }
+            
+            AlgorithmSuitePolicyValidator algorithmValidator = new AlgorithmSuitePolicyValidator(results);
+            if (!algorithmValidator.validatePolicy(ai, abinding.getAlgorithmSuite())) {
+                return false;
             }
+            
             if (abinding.getInitiatorToken() != null) {
                 assertPolicy(aim, abinding.getInitiatorToken());
                 assertPolicy(aim, abinding.getInitiatorToken().getToken(), derived);
@@ -763,7 +783,7 @@ public class PolicyBasedWSS4JInIntercept
         }
         return true;
     }
-    private boolean assertTransportBinding(AssertionInfoMap aim) {
+    private boolean assertTransportBinding(AssertionInfoMap aim, List<WSSecurityEngineResult>
results) {
         Collection<AssertionInfo> ais = aim.get(SP12Constants.TRANSPORT_BINDING);
         if (ais == null) {                       
             return true;
@@ -776,6 +796,11 @@ public class PolicyBasedWSS4JInIntercept
                 assertPolicy(aim, binding.getTransportToken());
                 assertPolicy(aim, binding.getTransportToken().getToken());
             }
+            
+            AlgorithmSuitePolicyValidator algorithmValidator = new AlgorithmSuitePolicyValidator(results);
+            if (!algorithmValidator.validatePolicy(ai, binding.getAlgorithmSuite())) {
+                return false;
+            }
         }
         
         assertPolicy(aim, SP12Constants.ENCRYPTED_PARTS);

Added: cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
URL: http://svn.apache.org/viewvc/cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java?rev=1169703&view=auto
==============================================================================
--- cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
(added)
+++ cxf/branches/2.4.x-fixes/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/AlgorithmSuitePolicyValidator.java
Mon Sep 12 11:52:21 2011
@@ -0,0 +1,104 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.ws.security.wss4j.policyvalidators;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.ws.policy.AssertionInfo;
+import org.apache.cxf.ws.security.policy.model.AlgorithmSuite;
+import org.apache.ws.security.WSConstants;
+import org.apache.ws.security.WSDataRef;
+import org.apache.ws.security.WSSecurityEngineResult;
+import org.apache.ws.security.util.WSSecurityUtil;
+
+/**
+ * Validate a WSSecurityEngineResult corresponding to the processing of a Signature, EncryptedKey,
+ * EncryptedData or DerivedKey structure against an AlgorithmSuite policy.
+ */
+public class AlgorithmSuitePolicyValidator extends AbstractTokenPolicyValidator {
+    
+    private List<WSSecurityEngineResult> algorithmResults;
+
+    public AlgorithmSuitePolicyValidator(
+        List<WSSecurityEngineResult> results
+    ) {
+        algorithmResults = new ArrayList<WSSecurityEngineResult>();
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.SIGN, algorithmResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.ENCR, algorithmResults);
+        WSSecurityUtil.fetchAllActionResults(results, WSConstants.DKT, algorithmResults);
+    }
+    
+    public boolean validatePolicy(
+        AssertionInfo aiBinding, AlgorithmSuite algorithmPolicy
+    ) {
+        for (WSSecurityEngineResult result : algorithmResults) {
+            Integer actInt = (Integer)result.get(WSSecurityEngineResult.TAG_ACTION);
+            if (WSConstants.SIGN == actInt 
+                && !checkSignatureAlgorithms(result, algorithmPolicy, aiBinding))
{
+                return false;
+            }
+        }
+        return true;
+    }
+    
+    /**
+     * Check the Signature Algorithms
+     */
+    private boolean checkSignatureAlgorithms(
+        WSSecurityEngineResult result, 
+        AlgorithmSuite algorithmPolicy,
+        AssertionInfo ai
+    ) {
+        String signatureMethod = 
+            (String)result.get(WSSecurityEngineResult.TAG_SIGNATURE_METHOD);
+        if (!algorithmPolicy.getAsymmetricSignature().equals(signatureMethod)
+            && !algorithmPolicy.getSymmetricSignature().equals(signatureMethod))
{
+            ai.setNotAsserted(
+                "The signature method does not match the requirement"
+            );
+            return false;
+        }
+        String c14nMethod = 
+            (String)result.get(WSSecurityEngineResult.TAG_CANONICALIZATION_METHOD);
+        if (!algorithmPolicy.getInclusiveC14n().equals(c14nMethod)) {
+            ai.setNotAsserted(
+                "The c14n method does not match the requirement"
+            );
+            return false;
+        }
+
+        List<WSDataRef> dataRefs = 
+            CastUtils.cast((List<?>)result.get(WSSecurityEngineResult.TAG_DATA_REF_URIS));
+        for (WSDataRef dataRef : dataRefs) {
+            String digestMethod = dataRef.getDigestAlgorithm();
+            if (!algorithmPolicy.getDigest().equals(digestMethod)) {
+                ai.setNotAsserted(
+                    "The digest method does not match the requirement"
+                );
+                return false;
+            }
+        }
+        
+        return true;
+    }
+    
+}
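Review bot: The class Javadoc says the validator checks Signature, EncryptedKey, EncryptedData and DerivedKey results, but `validatePolicy` only acts on `WSConstants.SIGN` results; the ENCR and DKT results gathered in the constructor are never examined, so a message encrypted with an algorithm outside the suite still passes this validator. The commit log says this is intentional for now, so the Javadoc should state it: `Currently only Signature results are checked; encryption and derived-key results are collected but their algorithms are not yet enforced.` The not-asserted messages should carry the rejected value so a policy failure can be diagnosed from the log, e.g. `"The signature method " + signatureMethod + " does not match the requirement"`, and likewise for the c14n and digest messages. Note also that a signature is accepted when it matches either the asymmetric or the symmetric signature algorithm, regardless of which binding the caller is asserting, which is looser than the suite for a given binding. If `TAG_DATA_REF_URIS` can be absent from a result, the cast yields null and the for-each throws; guarding with `if (dataRefs != null)` keeps that a policy failure rather than an exception.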


