cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject cxf-fediz git commit: [FEDIZ-111] - Adding some chain trust tests
Date Tue, 07 Apr 2015 15:20:25 GMT
Repository: cxf-fediz
Updated Branches:
  refs/heads/1.1.x-fixes 098eabe7e -> d38c1a5a6


[FEDIZ-111] - Adding some chain trust tests

Conflicts:
	plugins/core/src/test/resources/fediz_test_config.xml


Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/d38c1a5a
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/d38c1a5a
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/d38c1a5a

Branch: refs/heads/1.1.x-fixes
Commit: d38c1a5a670398ed7f57331dfb458716ce4f31d7
Parents: 098eabe
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Tue Apr 7 16:05:30 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Tue Apr 7 16:19:53 2015 +0100

----------------------------------------------------------------------
 .../cxf/fediz/core/saml/SAMLTokenValidator.java |  8 +-
 .../cxf/fediz/core/FederationProcessorTest.java | 45 ++++++++++
 .../src/test/resources/fediz_test_config.xml    | 93 ++++++++++++++++++++
 3 files changed, 145 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d38c1a5a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
index 3030479..8937a14 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
@@ -123,7 +123,13 @@ public class SAMLTokenValidator implements TokenValidator {
             
             List<TrustedIssuer> trustedIssuers = config.getTrustedIssuers();
             for (TrustedIssuer ti : trustedIssuers) {
-                List<String> subjectConstraints = Collections.singletonList(ti.getSubject());
+                List<String> subjectConstraints = null;
+                if (ti.getSubject() == null) {
+                    subjectConstraints = Collections.emptyList();
+                } else {
+                    subjectConstraints = Collections.singletonList(ti.getSubject());
+                }
+                
                 if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.CHAIN_TRUST))
{
                     trustValidator.setSubjectConstraints(subjectConstraints);
                     trustValidator.setSignatureTrustType(TRUST_TYPE.CHAIN_TRUST_CONSTRAINTS);

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d38c1a5a/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
b/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
index 5d1a3d8..1555ebd 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
@@ -243,6 +243,51 @@ public class FederationProcessorTest {
         
     }
     
+    @org.junit.Test
+    public void testChainTrust() throws Exception {
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+        callbackHandler.setSubjectName(TEST_USER);
+        ConditionsBean cp = new ConditionsBean();
+        cp.setAudienceURI(TEST_AUDIENCE);
+        callbackHandler.setConditions(cp);
+        
+        SAMLParms samlParms = new SAMLParms();
+        samlParms.setCallbackHandler(callbackHandler);
+        AssertionWrapper assertion = new AssertionWrapper(samlParms);
+        String rstr = createSamlToken(assertion, "mystskey", true);
+        
+        FederationRequest wfReq = new FederationRequest();
+        wfReq.setWa(FederationConstants.ACTION_SIGNIN);
+        wfReq.setWresult(rstr);
+        
+        // Test successful trust validation (subject cert constraint)
+        configurator = null;
+        FederationContext config = getFederationConfigurator().getFederationContext("CHAIN_TRUST");
+        
+        FederationProcessor wfProc = new FederationProcessorImpl();
+        FederationResponse wfRes = wfProc.processRequest(wfReq, config);
+        
+        Assert.assertEquals("Principal name wrong", TEST_USER,
+                            wfRes.getUsername());
+        Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
+        Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
+        
+        // Test unsuccessful trust validation (bad subject cert constraint)
+        configurator = null;
+        config = getFederationConfigurator().getFederationContext("CHAIN_TRUST2");
+        
+        wfProc = new FederationProcessorImpl();
+        try {
+            wfRes = wfProc.processRequest(wfReq, config);
+            Assert.fail("Processing must fail because of invalid subject cert constraint");
+        } catch (ProcessingException ex) {
+            // expected
+        }
+    }
+    
     /**
      * Validate SAML 2 token which includes the role attribute with 2 values
      * Roles are encoded as a multi-value saml attribute

http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d38c1a5a/plugins/core/src/test/resources/fediz_test_config.xml
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/resources/fediz_test_config.xml b/plugins/core/src/test/resources/fediz_test_config.xml
index d2f83d2..b862ac3 100644
--- a/plugins/core/src/test/resources/fediz_test_config.xml
+++ b/plugins/core/src/test/resources/fediz_test_config.xml
@@ -234,4 +234,97 @@
             </claimTypesRequested>
         </protocol>
     </contextConfig>	
+    <contextConfig name="CLIENT_TRUST">
+		<audienceUris>
+			<audienceItem>http://host_one:port/url</audienceItem>
+		</audienceUris>
+		<certificateStores>
+			<trustManager>
+				<keyStore file="clientonly.jks" password="cspass"
+					type="JKS" />
+			</trustManager>		
+		</certificateStores>
+		<trustedIssuers>
+			<issuer certificateValidation="PeerTrust" />
+		</trustedIssuers>
+
+		<maximumClockSkew>1000</maximumClockSkew>
+		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+			xsi:type="federationProtocolType" version="1.2">
+			<realm>target realm</realm>
+			<issuer>http://url_to_the_issuer</issuer>
+			<roleDelimiter>;</roleDelimiter>
+			<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+			<authenticationType value="some auth type" type="String" />
+			<freshness>10000</freshness>
+			<reply>reply value</reply>
+			<request>REQUEST</request>
+			<claimTypesRequested>
+				<claimType type="a particular claim type" optional="true" />
+			</claimTypesRequested>
+		</protocol>
+	</contextConfig>
+	
+	<contextConfig name="CHAIN_TRUST">
+		<audienceUris>
+			<audienceItem>http://host_one:port/url</audienceItem>
+		</audienceUris>
+		<certificateStores>
+			<trustManager>
+				<keyStore file="ststrust.jks" password="storepass"
+					type="JKS" />
+			</trustManager>	
+		</certificateStores>
+		<trustedIssuers>
+			<issuer certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" />
+		</trustedIssuers>
+
+		<maximumClockSkew>1000</maximumClockSkew>
+		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+			xsi:type="federationProtocolType" version="1.2">
+			<realm>target realm</realm>
+			<issuer>http://url_to_the_issuer</issuer>
+			<roleDelimiter>;</roleDelimiter>
+			<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+			<authenticationType value="some auth type" type="String" />
+			<freshness>10000</freshness>
+			<reply>reply value</reply>
+			<request>REQUEST</request>
+			<claimTypesRequested>
+				<claimType type="a particular claim type" optional="true" />
+			</claimTypesRequested>
+		</protocol>
+	</contextConfig>
+	
+	<contextConfig name="CHAIN_TRUST2">
+		<audienceUris>
+			<audienceItem>http://host_one:port/url</audienceItem>
+		</audienceUris>
+		<certificateStores>
+			<trustManager>
+				<keyStore file="ststrust.jks" password="storepass"
+					type="JKS" />
+			</trustManager>	
+		</certificateStores>
+		<trustedIssuers>
+			<issuer certificateValidation="ChainTrust" subject=".*CN=www.sts2.com.*" />
+		</trustedIssuers>
+
+		<maximumClockSkew>1000</maximumClockSkew>
+		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+			xsi:type="federationProtocolType" version="1.2">
+			<realm>target realm</realm>
+			<issuer>http://url_to_the_issuer</issuer>
+			<roleDelimiter>;</roleDelimiter>
+			<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+			<authenticationType value="some auth type" type="String" />
+			<freshness>10000</freshness>
+			<reply>reply value</reply>
+			<request>REQUEST</request>
+			<claimTypesRequested>
+				<claimType type="a particular claim type" optional="true" />
+			</claimTypesRequested>
+		</protocol>
+	</contextConfig>
+	
 </FedizConfig>


Mime
View raw message