cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject svn commit: r1478319 - in /cxf/fediz/trunk/plugins/core/src: main/java/org/apache/cxf/fediz/core/saml/ test/java/org/apache/cxf/fediz/core/ test/resources/
Date Thu, 02 May 2013 10:31:25 GMT
Author: coheigea
Date: Thu May  2 10:31:25 2013
New Revision: 1478319

URL: http://svn.apache.org/r1478319
Log:
[FEDIZ-4] - Fixed a bug with HolderOfKey + added a unit test

Added:
    cxf/fediz/trunk/plugins/core/src/test/resources/client-crypto.properties
    cxf/fediz/trunk/plugins/core/src/test/resources/clientstore.jks   (with props)
Modified:
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
    cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
    cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
    cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/KeystoreCallbackHandler.java

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java?rev=1478319&r1=1478318&r2=1478319&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
Thu May  2 10:31:25 2013
@@ -102,8 +102,11 @@ public class SAMLTokenValidator implemen
                 throw new ProcessingException(TYPE.TOKEN_NO_SIGNATURE);
             }
             // Verify the signature
-            assertion.verifySignature(requestData,
-                    new WSDocInfo(token.getOwnerDocument()));
+            WSDocInfo docInfo = new WSDocInfo(token.getOwnerDocument());
+            assertion.verifySignature(requestData, docInfo);
+            
+            // Parse the HOK subject if it exists
+            assertion.parseHOKSubject(requestData, docInfo);
 
             // Now verify trust on the signature
             Credential trustCredential = new Credential();
@@ -185,32 +188,7 @@ public class SAMLTokenValidator implemen
                 audience = getAudienceRestriction(assertion.getSaml1());
             }
 
-            List<String> roles = null;
-            FederationProtocol fp = (FederationProtocol)config.getProtocol();
-            if (fp.getRoleURI() != null) {
-                URI roleURI = URI.create(fp.getRoleURI());
-                String delim = fp.getRoleDelimiter();
-                for (Claim c : claims) {
-                    if (roleURI.equals(c.getClaimType())) {
-                        Object oValue = c.getValue();
-                        if ((oValue instanceof String) && !"".equals((String)oValue))
{
-                            if (delim == null) {
-                                roles = Collections.singletonList((String)oValue);
-                            } else {
-                                roles = parseRoles((String)oValue, delim);
-                            }
-                        } else if ((oValue instanceof List<?>) && !((List<?>)oValue).isEmpty())
{
-                            List<String> values = (List<String>)oValue;
-                            roles = Collections.unmodifiableList(values);
-                        } else if (!((oValue instanceof String) || (oValue instanceof List<?>)))
{
-                            LOG.error("Unsupported value type of Claim value");
-                            throw new IllegalStateException("Unsupported value type of Claim
value");
-                        }
-                        claims.remove(c);
-                        break;
-                    }
-                }
-            }
+            List<String> roles = parseRoles(config, claims);
             
             SAMLTokenPrincipal p = new SAMLTokenPrincipal(assertion);
 
@@ -226,6 +204,37 @@ public class SAMLTokenValidator implemen
             throw new ProcessingException(TYPE.TOKEN_INVALID);
         }
     }
+    
+    protected List<String> parseRoles(FederationContext config, List<Claim> claims)
{
+        List<String> roles = null;
+        FederationProtocol fp = (FederationProtocol)config.getProtocol();
+        if (fp.getRoleURI() != null) {
+            URI roleURI = URI.create(fp.getRoleURI());
+            String delim = fp.getRoleDelimiter();
+            for (Claim c : claims) {
+                if (roleURI.equals(c.getClaimType())) {
+                    Object oValue = c.getValue();
+                    if ((oValue instanceof String) && !"".equals((String)oValue))
{
+                        if (delim == null) {
+                            roles = Collections.singletonList((String)oValue);
+                        } else {
+                            roles = parseRoles((String)oValue, delim);
+                        }
+                    } else if ((oValue instanceof List<?>) && !((List<?>)oValue).isEmpty())
{
+                        List<String> values = (List<String>)oValue;
+                        roles = Collections.unmodifiableList(values);
+                    } else if (!((oValue instanceof String) || (oValue instanceof List<?>)))
{
+                        LOG.error("Unsupported value type of Claim value");
+                        throw new IllegalStateException("Unsupported value type of Claim
value");
+                    }
+                    claims.remove(c);
+                    break;
+                }
+            }
+        }
+        
+        return roles;
+    }
 
     protected List<Claim> parseClaimsInAssertion(
             org.opensaml.saml1.core.Assertion assertion) {

Modified: cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java?rev=1478319&r1=1478318&r2=1478319&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLUtil.java
Thu May  2 10:31:25 2013
@@ -42,8 +42,7 @@ public final class SAMLUtil  {
      * credential of the SAML Assertion must match a client certificate credential when 
      * 2-way TLS is used.
      * @param assertionWrapper the SAML Assertion wrapper object
-     * @tlsCerts The client certificates
-     * @param signedResults a list of all of the signed results
+     * @param tlsCerts The client certificates
      */
     public static boolean checkHolderOfKey(
         AssertionWrapper assertionWrapper,
@@ -68,7 +67,7 @@ public final class SAMLUtil  {
      * Compare the credentials of the assertion to the credentials used in 2-way TLS.
      * Return true on a match
      * @param subjectKeyInfo the SAMLKeyInfo object
-     * @param signedResults a list of all of the signed results
+     * @param tlsCerts The client certificates
      * @return true if the credentials of the assertion were used to verify a signature
      */
     private static boolean compareCredentials(

Modified: cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java?rev=1478319&r1=1478318&r2=1478319&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
Thu May  2 10:31:25 2013
@@ -23,6 +23,7 @@ import java.io.File;
 import java.io.IOException;
 import java.math.BigInteger;
 import java.net.URL;
+import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.List;
 
@@ -49,6 +50,7 @@ import org.apache.ws.security.WSPassword
 import org.apache.ws.security.WSSecurityException;
 import org.apache.ws.security.components.crypto.Crypto;
 import org.apache.ws.security.components.crypto.CryptoFactory;
+import org.apache.ws.security.components.crypto.CryptoType;
 import org.apache.ws.security.message.WSSecEncrypt;
 import org.apache.ws.security.saml.ext.AssertionWrapper;
 import org.apache.ws.security.saml.ext.SAMLParms;
@@ -991,6 +993,72 @@ public class FederationProcessorTest {
         assertClaims(wfRes.getClaims(), callbackHandler.getRoleAttributeName());
     }
     
+    /**
+     * Validate a HolderOfKey SAML 2 token
+     */
+    @org.junit.Test
+    public void validateHOKSAML2Token() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.AUTHN);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_HOLDER_KEY);
+        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setSubjectName(TEST_USER);
+        ConditionsBean cp = new ConditionsBean();
+        cp.setAudienceURI(TEST_AUDIENCE);
+        callbackHandler.setConditions(cp);
+        
+        Crypto clientCrypto = CryptoFactory.getInstance("client-crypto.properties");
+        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+        cryptoType.setAlias("myclientkey");
+        X509Certificate[] certs = clientCrypto.getX509Certificates(cryptoType);
+        callbackHandler.setCerts(certs);
+        
+        SAMLParms samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+        
+        WSPasswordCallback[] cb = {
+            new WSPasswordCallback("mystskey", WSPasswordCallback.SIGNATURE)
+        };
+        cbPasswordHandler.handle(cb);
+        String password = cb[0].getPassword();
+
+        assertion.signAssertion("mystskey", password, crypto, false);
+
+        Document doc = STSUtil.toSOAPPart(STSUtil.SAMPLE_RSTR_COLL_MSG);
+        Element token = assertion.toDOM(doc);
+
+        Element e = FederationProcessorTest.findElement(doc, "RequestedSecurityToken",
+                                                        FederationConstants.WS_TRUST_13_NS);
+        if (e == null) {
+            e = FederationProcessorTest.findElement(doc, "RequestedSecurityToken",
+                                                    FederationConstants.WS_TRUST_2005_02_NS);
+        }
+        e.appendChild(token);
+                               
+        String rstr = DOM2Writer.nodeToString(doc);
+        
+        FederationRequest wfReq = new FederationRequest();
+        wfReq.setWa(FederationConstants.ACTION_SIGNIN);
+        wfReq.setWresult(rstr);
+        
+        configurator = null;
+        FederationContext config = 
+            getFederationConfigurator().getFederationContext("ROOT_DECRYPTION");
+        
+        FederationProcessor wfProc = new FederationProcessorImpl();
+        try {
+            wfProc.processRequest(wfReq, config);
+            fail("Failure expected on missing client certs");
+        } catch (ProcessingException ex) {
+            // expected
+        }
+        
+        // Now set client certs
+        wfReq.setCerts(certs);      
+        wfProc.processRequest(wfReq, config);
+    }
+    
     private String encryptAndSignToken(
         AssertionWrapper assertion
     ) throws Exception {

Modified: cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/KeystoreCallbackHandler.java
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/KeystoreCallbackHandler.java?rev=1478319&r1=1478318&r2=1478319&view=diff
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/KeystoreCallbackHandler.java
(original)
+++ cxf/fediz/trunk/plugins/core/src/test/java/org/apache/cxf/fediz/core/KeystoreCallbackHandler.java
Thu May  2 10:31:25 2013
@@ -39,6 +39,7 @@ public class KeystoreCallbackHandler imp
     
     public KeystoreCallbackHandler() {
         users.put("mystskey", "stskpass");
+        users.put("myclientkey", "ckpass");
         users.put("realma", "realma");
         users.put("realmb", "realmb");
     }

Added: cxf/fediz/trunk/plugins/core/src/test/resources/client-crypto.properties
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/resources/client-crypto.properties?rev=1478319&view=auto
==============================================================================
--- cxf/fediz/trunk/plugins/core/src/test/resources/client-crypto.properties (added)
+++ cxf/fediz/trunk/plugins/core/src/test/resources/client-crypto.properties Thu May  2 10:31:25
2013
@@ -0,0 +1,5 @@
+org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
+org.apache.ws.security.crypto.merlin.keystore.type=jks
+org.apache.ws.security.crypto.merlin.keystore.password=cspass
+org.apache.ws.security.crypto.merlin.keystore.file=clientstore.jks
+

Added: cxf/fediz/trunk/plugins/core/src/test/resources/clientstore.jks
URL: http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/core/src/test/resources/clientstore.jks?rev=1478319&view=auto
==============================================================================
Binary file - no diff available.

Propchange: cxf/fediz/trunk/plugins/core/src/test/resources/clientstore.jks
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream



Mime
View raw message