From cohei...@apache.org
Subject git commit: Adding a Action -> Policy test for a KeyIdentifier fix
Date Tue, 26 Aug 2014 11:10:38 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 0c25f5ee5 -> fad393891


Adding an Action -> Policy test for a KeyIdentifier fix


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/fad39389
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/fad39389
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/fad39389

Branch: refs/heads/master
Commit: fad3938916f91ae67b98f817f54f2a9177a1e7e2
Parents: 0c25f5e
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Aug 26 11:53:56 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Aug 26 11:55:21 2014 +0100

----------------------------------------------------------------------
 .../X509TokenPolicyValidator.java               |  64 ++++++++++-
 .../cxf/systest/ws/action/ActionTest.java       |  25 ++++
 .../cxf/systest/ws/action/DoubleItAction.wsdl   |   5 +
 .../systest/ws/action/DoubleItActionPolicy.wsdl | 113 +++++++++++++++++++
 .../org/apache/cxf/systest/ws/action/client.xml |  32 ++++++
 .../org/apache/cxf/systest/ws/action/server.xml |   9 ++
 6 files changed, 243 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/fad39389/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
index ff1730a..4759f27 100644
--- a/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
+++ b/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/policyvalidators/X509TokenPolicyValidator.java
@@ -33,8 +33,10 @@ import org.apache.cxf.ws.policy.AssertionInfoMap;
 import org.apache.wss4j.common.ext.WSSecurityException;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSSecurityEngineResult;
+import org.apache.wss4j.dom.bsp.BSPEnforcer;
 import org.apache.wss4j.dom.message.token.BinarySecurity;
 import org.apache.wss4j.dom.message.token.X509Security;
+import org.apache.wss4j.dom.str.STRParser;
 import org.apache.wss4j.dom.util.WSSecurityUtil;
 import org.apache.wss4j.policy.SPConstants;
 import org.apache.wss4j.policy.model.X509Token;
@@ -59,7 +61,7 @@ public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator
imple
     ) {
         Collection<AssertionInfo> ais = getAllAssertionsByLocalname(aim, SPConstants.X509_TOKEN);
         if (!ais.isEmpty()) {
-            parsePolicies(ais, message, results);
+            parsePolicies(ais, message, signedResults, results);
             
             assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN10);
             assertPolicy(aim, SPConstants.WSS_X509_PKI_PATH_V1_TOKEN11);
@@ -80,6 +82,7 @@ public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator
imple
     private void parsePolicies(
         Collection<AssertionInfo> ais, 
         Message message,
+        List<WSSecurityEngineResult> signedResults,
         List<WSSecurityEngineResult> results
     ) {
         List<WSSecurityEngineResult> bstResults = 
@@ -93,14 +96,14 @@ public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator
imple
                 continue;
             }
 
-            if (bstResults.isEmpty()) {
+            if (bstResults.isEmpty() && signedResults.isEmpty()) {
                 ai.setNotAsserted(
                     "The received token does not match the token inclusion requirement"
                 );
                 continue;
             }
 
-            if (!checkTokenType(x509TokenPolicy.getTokenType(), bstResults)) {
+            if (!checkTokenType(x509TokenPolicy.getTokenType(), bstResults, signedResults))
{
                 ai.setNotAsserted("An incorrect X.509 Token Type is detected");
                 continue;
             }
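Review bot: The inclusion gate at `if (bstResults.isEmpty() && signedResults.isEmpty())` is now satisfied by any signature result, not only one whose token was carried as a KeyIdentifier; a message that references the signing certificate by other means (no BST at all) passes this check and, as far as the later hunk shows, is rejected only by `checkTokenType` with the message "An incorrect X.509 Token Type is detected", which misdescribes an inclusion failure. Consider keeping the inclusion message accurate by either narrowing the gate to signed results that carry `STRParser.REFERENCE_TYPE.KEY_IDENTIFIER` under `WSSecurityEngineResult.TAG_X509_REFERENCE_TYPE`, or documenting that inclusion failures can surface as token-type failures. The same relaxed condition is repeated in the `checkTokenType` hunk below. The enclosing `parsePolicies` method starts and ends outside this hunk.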
@@ -112,9 +115,10 @@ public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator
imple
      */
     private boolean checkTokenType(
         TokenType tokenType,
-        List<WSSecurityEngineResult> bstResults
+        List<WSSecurityEngineResult> bstResults,
+        List<WSSecurityEngineResult> signedResults
     ) {
-        if (bstResults.isEmpty()) {
+        if (bstResults.isEmpty() && signedResults.isEmpty()) {
             return false;
         }
 
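Review bot: The Javadoc block whose closing ` */` precedes `checkTokenType` is not updated for the new `signedResults` parameter, so a reader cannot tell from the signature why signature results are consulted in a token-type check. Add `@param signedResults the signature results; consulted when the X.509 token was referenced through a KeyIdentifier instead of being included as a BinarySecurityToken` and note in the summary that the method returns true when either list yields a certificate of the required type. The Javadoc itself begins outside this hunk.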
@@ -150,6 +154,56 @@ public class X509TokenPolicyValidator extends AbstractTokenPolicyValidator
imple
                 }
             }
         }
+        
+        // Maybe the X.509 token was included as a KeyIdentifier
+        if (X509_V3_VALUETYPE.equals(requiredType)) {
+            for (WSSecurityEngineResult result : signedResults) {
+                STRParser.REFERENCE_TYPE referenceType = 
+                    (STRParser.REFERENCE_TYPE)result.get(WSSecurityEngineResult.TAG_X509_REFERENCE_TYPE);
+                if (STRParser.REFERENCE_TYPE.KEY_IDENTIFIER == referenceType) {
+                    Element signatureElement = 
+                        (Element)result.get(WSSecurityEngineResult.TAG_TOKEN_ELEMENT);
+                    Element keyIdentifier = getKeyIdentifier(signatureElement);
+                    if (keyIdentifier != null 
+                        && X509_V3_VALUETYPE.equals(keyIdentifier.getAttributeNS(null,
"ValueType"))) {
+                        try {
+                            X509Security token = 
+                                new X509Security(keyIdentifier, 
+                                                 new BSPEnforcer(true));
+                            X509Certificate cert = token.getX509Certificate(null);
+                            if (cert != null && cert.getVersion() == 3) {
+                                return true;
+                            }
+                        } catch (WSSecurityException e) {
+                            LOG.log(Level.FINE, e.getMessage());
+                        }
+                    }
+                }
+            }
+        }
         return false;
     }
+    
+    private Element getKeyIdentifier(Element signatureElement) {
+        if (signatureElement != null) {
+            Element keyInfoElement = 
+                WSSecurityUtil.getDirectChildElement(
+                    signatureElement, "KeyInfo", WSConstants.SIG_NS
+                );
+            if (keyInfoElement != null) {
+                Element strElement = 
+                    WSSecurityUtil.getDirectChildElement(
+                        keyInfoElement, "SecurityTokenReference", WSConstants.WSSE_NS
+                    );
+                if (strElement != null) {
+                    Element kiElement = 
+                        WSSecurityUtil.getDirectChildElement(
+                            strElement, "KeyIdentifier", WSConstants.WSSE_NS
+                        );
+                    return kiElement;
+                }
+            }
+        }
+        return null;
+    }
 }
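Review bot: The KeyIdentifier branch re-parses the `KeyIdentifier` element into a fresh `X509Security` with `new BSPEnforcer(true)` in order to check the certificate version, even though the signature engine has already verified the signature with a certificate it stores on the result; if that constructor flag relaxes BSP enforcement, the version check is then run on a re-decoded token under looser rules than the one that was actually verified. If `WSSecurityEngineResult.TAG_X509_CERTIFICATE` is populated for these results (to be confirmed against the WSS4J signature processor), the try block can be replaced by `X509Certificate cert = (X509Certificate) result.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);` followed by `if (cert != null && cert.getVersion() == 3) { return true; }`, which drops the BSPEnforcer and the parse exception path entirely. If the re-parse is kept, log the exception rather than only its message, `LOG.log(Level.FINE, e.getMessage(), e);`, so a malformed KeyIdentifier is diagnosable. `getKeyIdentifier` also lacks a Javadoc; a one-liner such as `Returns the wsse:KeyIdentifier directly under ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference, or null if any level is absent` would document the exact nesting it requires.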

http://git-wip-us.apache.org/repos/asf/cxf/blob/fad39389/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
index 0c0a143..3a51de6 100644
--- a/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
+++ b/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/action/ActionTest.java
@@ -219,4 +219,29 @@ public class ActionTest extends AbstractBusClientServerTestBase {
         ((java.io.Closeable)port).close();
         bus.shutdown(true);
     }
+    
+    // Here the client is using "Actions", where the server is using an AsymmetricBinding
policy
+    @org.junit.Test
+    public void testAsymmetricActionToPolicy() throws Exception {
+
+        SpringBusFactory bf = new SpringBusFactory();
+        URL busFile = ActionTest.class.getResource("client.xml");
+
+        Bus bus = bf.createBus(busFile.toString());
+        SpringBusFactory.setDefaultBus(bus);
+        SpringBusFactory.setThreadDefaultBus(bus);
+        
+        URL wsdl = ActionTest.class.getResource("DoubleItAction.wsdl");
+        Service service = Service.create(wsdl, SERVICE_QNAME);
+        QName portQName = new QName(NAMESPACE, "DoubleItAsymmetricPort");
+        DoubleItPortType port = 
+                service.getPort(portQName, DoubleItPortType.class);
+        updateAddressPort(port, PORT);
+        
+        // Successful call
+        port.doubleIt(25);
+        
+        ((java.io.Closeable)port).close();
+        bus.shutdown(true);
+    }
 }
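Review bot: `port.doubleIt(25);` under the "Successful call" comment discards the response, so the test proves only that no fault was raised, not that the policy-validated exchange completed correctly; if the class already uses JUnit assertions (not visible here), `assertEquals(50, port.doubleIt(25));` pins the round trip. The test also only exercises the positive path; a companion case in which the client signs with a reference type other than X509KeyIdentifier and the call is expected to fail would protect the validator change from regressing into accepting any signature result. Closing the port and shutting down the bus outside a `finally` means a failing call leaks the bus for later tests in the class, which presumably mirrors the sibling tests but is worth fixing when the file is next touched.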

http://git-wip-us.apache.org/repos/asf/cxf/blob/fad39389/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
index e08c9af..41b37ed 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItAction.wsdl
@@ -34,6 +34,7 @@
             </wsdl:fault>
         </wsdl:operation>
     </wsdl:binding>
+    
     <wsdl:service name="DoubleItService">
         <wsdl:port name="DoubleIt3DESEncryptionPort" binding="tns:DoubleItNoSecurityBinding">
             <soap:address location="http://localhost:9001/DoubleIt3DESEncryption"/>
@@ -56,5 +57,9 @@
         <wsdl:port name="DoubleItSignaturePort2" binding="tns:DoubleItNoSecurityBinding">
             <soap:address location="http://localhost:9001/DoubleItSignature2"/>
         </wsdl:port>
+        <wsdl:port name="DoubleItAsymmetricPort" binding="tns:DoubleItNoSecurityBinding">
+            <soap:address location="http://localhost:9001/DoubleItAsymmetric"/>
+        </wsdl:port>
     </wsdl:service>
+    
 </wsdl:definitions>

http://git-wip-us.apache.org/repos/asf/cxf/blob/fad39389/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItActionPolicy.wsdl
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItActionPolicy.wsdl
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItActionPolicy.wsdl
new file mode 100644
index 0000000..84403e2
--- /dev/null
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/DoubleItActionPolicy.wsdl
@@ -0,0 +1,113 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+ 
+ http://www.apache.org/licenses/LICENSE-2.0
+ 
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<wsdl:definitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://www.example.org/contract/DoubleIt"
xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsaws="http://www.w3.org/2005/08/addressing" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:sp13="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802" name="DoubleIt" targetNamespace="http://www.example.org/contract/DoubleIt">
+    <wsdl:import location="src/test/resources/DoubleItLogical.wsdl" namespace="http://www.example.org/contract/DoubleIt"/>
+    <wsdl:binding name="DoubleItAsymmetricBinding" type="tns:DoubleItPortType">
+        <wsp:PolicyReference URI="#DoubleItAsymmetricPolicy"/>
+        <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
+        <wsdl:operation name="DoubleIt">
+            <soap:operation soapAction=""/>
+            <wsdl:input>
+                <soap:body use="literal"/>
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Input_Policy"/>
+            </wsdl:input>
+            <wsdl:output>
+                <soap:body use="literal"/>
+                <wsp:PolicyReference URI="#DoubleItBinding_DoubleIt_Output_Policy"/>
+            </wsdl:output>
+            <wsdl:fault name="DoubleItFault">
+                <soap:body use="literal" name="DoubleItFault"/>
+            </wsdl:fault>
+        </wsdl:operation>
+    </wsdl:binding>
+    
+    <wsdl:service name="DoubleItService">
+        <wsdl:port name="DoubleItAsymmetricPort" binding="tns:DoubleItAsymmetricBinding">
+            <soap:address location="http://localhost:9001/DoubleItAsymmetric"/>
+        </wsdl:port>
+    </wsdl:service>
+    
+    <wsp:Policy wsu:Id="DoubleItAsymmetricPolicy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:AsymmetricBinding>
+                    <wsp:Policy>
+                        <sp:InitiatorToken>
+                            <wsp:Policy>
+                                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:InitiatorToken>
+                        <sp:RecipientToken>
+                            <wsp:Policy>
+                                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
+                                    <wsp:Policy>
+                                        <sp:WssX509V3Token10/>
+                                    </wsp:Policy>
+                                </sp:X509Token>
+                            </wsp:Policy>
+                        </sp:RecipientToken>
+                        <sp:Layout>
+                            <wsp:Policy>
+                                <sp:Lax/>
+                            </wsp:Policy>
+                        </sp:Layout>
+                        <sp:IncludeTimestamp/>
+                        <sp:OnlySignEntireHeadersAndBody/>
+                        <sp:AlgorithmSuite>
+                            <wsp:Policy>
+                                <sp:Basic128/>
+                            </wsp:Policy>
+                        </sp:AlgorithmSuite>
+                    </wsp:Policy>
+                </sp:AsymmetricBinding>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
+    
+    <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Input_Policy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:EncryptedParts>
+                    <sp:Body/>
+                </sp:EncryptedParts>
+                <sp:SignedParts>
+                    <sp:Body/>
+                </sp:SignedParts>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
+    
+    <wsp:Policy wsu:Id="DoubleItBinding_DoubleIt_Output_Policy">
+        <wsp:ExactlyOne>
+            <wsp:All>
+                <sp:EncryptedParts>
+                    <sp:Body/>
+                </sp:EncryptedParts>
+                <sp:SignedParts>
+                    <sp:Body/>
+                </sp:SignedParts>
+            </wsp:All>
+        </wsp:ExactlyOne>
+    </wsp:Policy>
+</wsdl:definitions>

http://git-wip-us.apache.org/repos/asf/cxf/blob/fad39389/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
index 0dca80c..c45b4e1 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client.xml
@@ -138,4 +138,36 @@
             </bean>
         </jaxws:inInterceptors>
     </jaxws:client>
+    
+    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricPort"
createdFromAPI="true">
+        <jaxws:outInterceptors>
+            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
+                <constructor-arg>
+                    <map>
+                        <entry key="action" value="Timestamp Signature Encrypt"/>
+                        <entry key="signatureUser" value="alice"/>
+                        <entry key="signaturePropFile" value="alice.properties"/>
+                        <entry key="encryptionUser" value="bob"/>
+                        <entry key="encryptionPropFile" value="bob.properties"/>
+                        <entry key="signatureKeyIdentifier" value="DirectReference"/>
+                        <entry key="signatureParts" value="{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{}{http://schemas.xmlsoap.org/soap/envelope/}Body;"/>
+                        <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+                        <entry key="signatureKeyIdentifier" value="X509KeyIdentifier"/>
+                    </map>
+                </constructor-arg>
+            </bean>
+        </jaxws:outInterceptors>
+        <jaxws:inInterceptors>
+            <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
+                <constructor-arg>
+                    <map>
+                        <entry key="action" value="Timestamp Signature Encrypt"/>
+                        <entry key="signatureVerificationPropFile" value="bob.properties"/>
+                        <entry key="decryptionPropFile" value="alice.properties"/>
+                        <entry key="passwordCallbackClass" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+                    </map>
+                </constructor-arg>
+            </bean>
+        </jaxws:inInterceptors>
+    </jaxws:client>
 </beans>
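Review bot: The new client's outbound interceptor map carries the key `signatureKeyIdentifier` twice, once as `DirectReference` and once as `X509KeyIdentifier`; which value the interceptor sees depends on how Spring materialises the map (the later entry presumably wins), and the test's purpose, a KeyIdentifier reference satisfying the AsymmetricBinding policy, only holds if `X509KeyIdentifier` is the effective one. Remove `<entry key="signatureKeyIdentifier" value="DirectReference"/>` so the intended reference type is explicit rather than an artefact of map construction order.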

http://git-wip-us.apache.org/repos/asf/cxf/blob/fad39389/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
----------------------------------------------------------------------
diff --git a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
index 71fac62..a3789d0 100644
--- a/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
+++ b/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/server.xml
@@ -176,4 +176,13 @@
             </bean>
         </jaxws:inInterceptors>
     </jaxws:endpoint>
+    
+    <jaxws:endpoint xmlns:s="http://www.example.org/contract/DoubleIt" id="Asymmetric"
address="http://localhost:${testutil.ports.Server}/DoubleItAsymmetric" serviceName="s:DoubleItService"
endpointName="s:DoubleItAsymmetricPort" implementor="org.apache.cxf.systest.ws.common.DoubleItImpl"
wsdlLocation="org/apache/cxf/systest/ws/action/DoubleItActionPolicy.wsdl">
+        <jaxws:properties>
+            <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.ws.common.KeystorePasswordCallback"/>
+            <entry key="ws-security.signature.properties" value="bob.properties"/>
+            <entry key="ws-security.encryption.properties" value="alice.properties"/>
+            <entry key="ws-security.encryption.username" value="alice"/>
+        </jaxws:properties>
+    </jaxws:endpoint>
 </beans>

