cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [1/2] git commit: Finishing with SAML SSO Metadata support and adding unit tests
Date Wed, 24 Sep 2014 13:51:28 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/master cefaa41e7 -> 5333692bf


Finishing with SAML SSO Metadata support and adding unit tests


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/4a9f1581
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/4a9f1581
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/4a9f1581

Branch: refs/heads/master
Commit: 4a9f158154cd01ae9bec4678c6c8ba01c0e7045c
Parents: cefaa41
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Sep 24 14:51:00 2014 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Sep 24 14:51:00 2014 +0100

----------------------------------------------------------------------
 .../cxf/fediz/core/metadata/MetadataWriter.java |  50 ++++++-
 .../core/federation/FederationMetaDataTest.java |   7 +-
 .../fediz/core/samlsso/SAMLMetaDataTest.java    | 134 +++++++++++++++++++
 .../resources/fediz_meta_test_config_saml.xml   |  90 +++++++++++++
 4 files changed, 269 insertions(+), 12 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4a9f1581/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
index 1f647b9..86c446f 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/metadata/MetadataWriter.java
@@ -81,13 +81,13 @@ public class MetadataWriter {
             writer.writeStartElement("", "EntityDescriptor", SAML2_METADATA_NS);
             writer.writeAttribute("ID", referenceID);
             
-            String audience = "_someID";
             String serviceURL = protocol.getApplicationServiceURL();
-            List<String> audienceList = config.getAudienceUris();
-            if (audienceList != null && audienceList.size() > 0 && !"".equals(audienceList.get(0)))
{
-                audience = audienceList.get(0);
-            }
             if (serviceURL == null) {
+                String audience = "_someID";
+                List<String> audienceList = config.getAudienceUris();
+                if (audienceList != null && audienceList.size() > 0 &&
!"".equals(audienceList.get(0))) {
+                    audience = audienceList.get(0);
+                }
                 serviceURL = audience;
             }
             
@@ -244,14 +244,50 @@ public class MetadataWriter {
         writer.writeAttribute("WantAssertionsSigned", "true");
         writer.writeAttribute("protocolSupportEnumeration", "urn:oasis:names:tc:SAML:2.0:protocol");
         
+        if (config.getLogoutURL() != null) {
+            writer.writeStartElement("", "SingleLogoutService", SAML2_METADATA_NS);
+            writer.writeAttribute("Location", config.getLogoutURL());
+            writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
+            writer.writeEndElement(); // SingleLogoutService
+        }
+        
         writer.writeStartElement("", "AssertionConsumerService", SAML2_METADATA_NS);
+        writer.writeAttribute("Location", serviceURL);
         writer.writeAttribute("index", "0");
         writer.writeAttribute("isDefault", "true");
         writer.writeAttribute("Binding", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
-        writer.writeAttribute("Location", serviceURL);
         writer.writeEndElement(); // AssertionConsumerService
         
-        if (config.getSigningKey() != null && protocol.isSignRequest()) {
+        if (protocol.getClaimTypesRequested() != null && !protocol.getClaimTypesRequested().isEmpty())
{
+            writer.writeStartElement("", "AttributeConsumingService", SAML2_METADATA_NS);
+            writer.writeAttribute("index", "0");
+            
+            writer.writeStartElement("", "ServiceName", SAML2_METADATA_NS);
+            writer.writeAttribute("xml:lang", "en");
+            writer.writeCharacters(config.getName());
+            writer.writeEndElement(); // ServiceName
+            
+            for (Claim claim : protocol.getClaimTypesRequested()) {
+                writer.writeStartElement("", "RequestedAttribute", SAML2_METADATA_NS);
+                writer.writeAttribute("isRequired", Boolean.toString(claim.isOptional()));
+                writer.writeAttribute("Name", claim.getType());
+                writer.writeAttribute("NameFormat", 
+                                      "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified");
+                writer.writeEndElement(); // RequestedAttribute
+            }
+            
+            writer.writeEndElement(); // AttributeConsumingService
+        }
+        
+        boolean hasSigningKey = false;
+        try {
+            if (config.getSigningKey().getCrypto() != null) {
+                hasSigningKey = true;
+            }
+        } catch (Exception ex) {
+            LOG.info("No signingKey element found in config: " + ex.getMessage());
+        }
+        if (protocol.isSignRequest() && hasSigningKey) {
             writer.writeStartElement("", "KeyDescriptor", SAML2_METADATA_NS);
             writer.writeAttribute("use", "signing");
             

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4a9f1581/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationMetaDataTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationMetaDataTest.java
b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationMetaDataTest.java
index f49c90d..441b4be 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationMetaDataTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/federation/FederationMetaDataTest.java
@@ -94,7 +94,6 @@ public class FederationMetaDataTest {
         Assert.assertNotNull(ki.getX509Certificate());
 
         Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
-        
     }
 
     @org.junit.Test
@@ -107,12 +106,11 @@ public class FederationMetaDataTest {
             Document doc;
            
             doc = wfProc.getMetaData(config);
-            Assert.assertNull(doc);          
+            Assert.assertNull(doc);
+            fail("Failure expected as signing store contains more than one certificate");
         } catch (ProcessingException ex) {
             //Expected as signing store contains more than one certificate
         }
-
-        
     }
     
     @org.junit.Test
@@ -129,7 +127,6 @@ public class FederationMetaDataTest {
         } catch (TransformerException e) {
             fail("Exception not expected: " + e.getMessage()); 
         }
-        
     }
 
 }

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4a9f1581/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLMetaDataTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLMetaDataTest.java
b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLMetaDataTest.java
new file mode 100644
index 0000000..3c04d9d
--- /dev/null
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLMetaDataTest.java
@@ -0,0 +1,134 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.cxf.fediz.core.samlsso;
+
+import java.io.File;
+import java.net.URL;
+
+import javax.xml.transform.TransformerException;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+import org.apache.cxf.fediz.common.SecurityTestUtil;
+import org.apache.cxf.fediz.core.config.FedizConfigurator;
+import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
+import org.apache.cxf.fediz.core.processor.FederationProcessorImpl;
+import org.apache.cxf.fediz.core.processor.FedizProcessor;
+import org.apache.cxf.fediz.core.util.DOMUtils;
+import org.apache.xml.security.exceptions.XMLSecurityException;
+import org.apache.xml.security.keys.KeyInfo;
+import org.apache.xml.security.signature.XMLSignature;
+import org.apache.xml.security.signature.XMLSignatureException;
+import org.junit.AfterClass;
+import org.junit.Assert;
+
+import static org.junit.Assert.fail;
+
+/**
+ * Some tests for creating SAMLRequests using the SAMLProcessorImpl
+ */
+public class SAMLMetaDataTest {
+    private static final String CONFIG_FILE = "fediz_meta_test_config_saml.xml";
+    
+    @AfterClass
+    public static void cleanup() {
+        SecurityTestUtil.cleanup();
+    }
+    
+    private FedizContext loadConfig(String context) {
+        try {
+            FedizConfigurator configurator = new FedizConfigurator();
+            final URL resource = Thread.currentThread().getContextClassLoader()
+                    .getResource(CONFIG_FILE);
+            File f = new File(resource.toURI());
+            configurator.loadConfig(f);
+            return configurator.getFedizContext(context);
+        } catch (Exception e) {
+            e.printStackTrace();
+            return null;
+        }
+    }
+    
+    @org.junit.Test
+    public void validateMetaDataWithAlias() throws ProcessingException, XMLSignatureException,
XMLSecurityException {
+
+        FedizContext config = loadConfig("ROOT");
+
+        FedizProcessor wfProc = new FederationProcessorImpl();
+        Document doc = wfProc.getMetaData(config);
+        Assert.assertNotNull(doc);
+        
+        Node signatureNode = doc.getElementsByTagName("Signature").item(0);
+        Assert.assertNotNull(signatureNode);
+        
+        doc.getDocumentElement().setIdAttributeNS(null, "ID", true);
+
+        try {
+            DOMUtils.writeXml(doc, System.out);
+        } catch (TransformerException e) {
+            fail("Exception not expected: " + e.getMessage()); 
+        }
+        
+        // Validate the signature
+        XMLSignature signature = new XMLSignature((Element)signatureNode, "");
+        KeyInfo ki = signature.getKeyInfo();
+        Assert.assertNotNull(ki);
+        Assert.assertNotNull(ki.getX509Certificate());
+
+        Assert.assertTrue(signature.checkSignatureValue(ki.getX509Certificate()));
+        
+    }
+
+    @org.junit.Test
+    public void validateMetaDataNoAlias() throws ProcessingException {
+
+        try {
+            FedizContext config = loadConfig("ROOT_NO_KEY");
+
+            FedizProcessor wfProc = new FederationProcessorImpl();
+            Document doc;
+           
+            doc = wfProc.getMetaData(config);
+            Assert.assertNull(doc);
+            fail("Failure expected as signing store contains more than one certificate");
+        } catch (ProcessingException ex) {
+            //Expected as signing store contains more than one certificate
+        }
+    }
+    
+    @org.junit.Test
+    public void validateMetaDataNoSigningKey() throws ProcessingException {
+
+        FedizContext config = loadConfig("ROOT_NO_SIGNINGKEY");
+
+        FedizProcessor wfProc = new FederationProcessorImpl();
+        Document doc = wfProc.getMetaData(config);
+        Assert.assertNotNull(doc);
+        
+        try {
+            DOMUtils.writeXml(doc, System.out);
+        } catch (TransformerException e) {
+            fail("Exception not expected: " + e.getMessage()); 
+        }
+    }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/4a9f1581/plugins/core/src/test/resources/fediz_meta_test_config_saml.xml
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/resources/fediz_meta_test_config_saml.xml b/plugins/core/src/test/resources/fediz_meta_test_config_saml.xml
new file mode 100644
index 0000000..2151ce5
--- /dev/null
+++ b/plugins/core/src/test/resources/fediz_meta_test_config_saml.xml
@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<FedizConfig>
+	<contextConfig name="ROOT">
+		<audienceUris>
+			<audienceItem>http://Server:Port/value from first audienceUri config property</audienceItem>
+		</audienceUris>
+		<certificateStores>
+			<trustManager>
+				<keyStore file="ststrust.jks" password="storepass"
+					type="JKS" />
+			</trustManager>
+		</certificateStores>
+		<trustedIssuers>
+			<issuer certificateValidation="PeerTrust" />
+		</trustedIssuers>
+		<maximumClockSkew>1000</maximumClockSkew>
+		<signingKey keyAlias="mystskey" keyPassword="stskpass">
+			<keyStore file="stsstore.jks" password="stsspass" type="JKS" />
+		</signingKey>
+		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+			xsi:type="samlProtocolType" version="1.2">
+			<issuer>http://url_to_the_issuer</issuer>
+			<roleDelimiter>;</roleDelimiter>
+			<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+			<claimTypesRequested>
+				<claimType type="a particular claim type" optional="true" />
+			</claimTypesRequested>
+			<signRequest>true</signRequest>
+		</protocol>
+		<logoutURL>/secure/logout</logoutURL>
+        <logoutRedirectTo>/index.html</logoutRedirectTo>
+	</contextConfig>
+	<contextConfig name="ROOT_NO_KEY">
+		<audienceUris>
+			<audienceItem>http://Server:Port/value from first audienceUri config property</audienceItem>
+		</audienceUris>
+		<certificateStores>
+			<trustManager>
+				<keyStore file="ststrust.jks" password="storepass"
+					type="JKS" />
+			</trustManager>
+		</certificateStores>
+		<trustedIssuers>
+			<issuer certificateValidation="PeerTrust" />
+		</trustedIssuers>
+		<maximumClockSkew>1000</maximumClockSkew>
+		<signingKey keyPassword="stskpass">
+			<keyStore file="stsstore.jks" password="stsspass" type="JKS" />
+		</signingKey>
+		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+			xsi:type="samlProtocolType" version="1.2">
+			<issuer>http://url_to_the_issuer</issuer>
+			<roleDelimiter>;</roleDelimiter>
+			<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+			<claimTypesRequested>
+				<claimType type="a particular claim type" optional="true" />
+			</claimTypesRequested>
+			<signRequest>true</signRequest>
+		</protocol>
+		<logoutURL>/secure/logout</logoutURL>
+        <logoutRedirectTo>/index.html</logoutRedirectTo>
+	</contextConfig>
+	<contextConfig name="ROOT_NO_SIGNINGKEY">
+		<audienceUris>
+			<audienceItem>http://Server:Port/value from first audienceUri config property</audienceItem>
+		</audienceUris>
+		<certificateStores>
+			<trustManager>
+				<keyStore file="ststrust.jks" password="storepass"
+					type="JKS" />
+			</trustManager>
+		</certificateStores>
+		<trustedIssuers>
+			<issuer certificateValidation="PeerTrust" />
+		</trustedIssuers>
+		<maximumClockSkew>1000</maximumClockSkew>
+		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+			xsi:type="samlProtocolType" version="1.2">
+			<issuer>http://url_to_the_issuer</issuer>
+			<roleDelimiter>;</roleDelimiter>
+			<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+			<claimTypesRequested>
+				<claimType type="a particular claim type" optional="true" />
+			</claimTypesRequested>
+			<signRequest>true</signRequest>
+		</protocol>
+		<logoutURL>/secure/logout</logoutURL>
+        <logoutRedirectTo>/index.html</logoutRedirectTo>
+	</contextConfig>
+</FedizConfig>


Mime
View raw message