cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [1/4] cxf git commit: Adding more SAML SSO tests
Date Fri, 31 Jul 2015 11:11:58 GMT
Repository: cxf
Updated Branches:
  refs/heads/2.7.x-fixes c716a824b -> 6c2ab7d08


Adding more SAML SSO tests

Conflicts:
	rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java

Conflicts:
	rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
	rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ef06a563
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ef06a563
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ef06a563

Branch: refs/heads/2.7.x-fixes
Commit: ef06a5634c203bd23aa9887d91db3003451c7c4a
Parents: c716a82
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Fri Jul 31 11:59:53 2015 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Fri Jul 31 12:06:51 2015 +0100

----------------------------------------------------------------------
 ...AbstractRequestAssertionConsumerHandler.java |  23 ++
 .../saml/sso/SAMLSSOResponseValidator.java      |  17 ++
 .../saml/sso/CombinedValidatorTest.java         | 211 ++++++++++++++++++-
 3 files changed, 240 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/ef06a563/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
index f622ace..2c37543 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/AbstractRequestAssertionConsumerHandler.java
@@ -65,6 +65,11 @@ public class AbstractRequestAssertionConsumerHandler extends AbstractSSOSpHandle
     private boolean supportBase64Encoding = true;
     private boolean enforceAssertionsSigned = true;
     private boolean enforceKnownIssuer = true;
+<<<<<<< HEAD
+=======
+    private boolean keyInfoMustBeAvailable = true;
+    private boolean enforceResponseSigned;
+>>>>>>> a61db28... Adding more SAML SSO tests
     private TokenReplayCache<String> replayCache;
 
     private MessageContext messageContext;
@@ -318,6 +323,7 @@ public class AbstractRequestAssertionConsumerHandler extends AbstractSSOSpHandle
             ssoResponseValidator.setRequestId(requestState.getSamlRequestId());
             ssoResponseValidator.setSpIdentifier(requestState.getIssuerId());
             ssoResponseValidator.setEnforceAssertionsSigned(enforceAssertionsSigned);
+            ssoResponseValidator.setEnforceResponseSigned(enforceResponseSigned);
             ssoResponseValidator.setEnforceKnownIssuer(enforceKnownIssuer);
             ssoResponseValidator.setReplayCache(getReplayCache());
 
@@ -334,4 +340,21 @@ public class AbstractRequestAssertionConsumerHandler extends AbstractSSOSpHandle
         LOG.warning(errorMsg.toString());
     }
     
+<<<<<<< HEAD
+=======
+    public void setKeyInfoMustBeAvailable(boolean keyInfoMustBeAvailable) {
+        this.keyInfoMustBeAvailable = keyInfoMustBeAvailable;
+    }
+
+    public boolean isEnforceResponseSigned() {
+        return enforceResponseSigned;
+    }
+
+    /**
+     * Enforce that a SAML Response must be signed.
+     */
+    public void setEnforceResponseSigned(boolean enforceResponseSigned) {
+        this.enforceResponseSigned = enforceResponseSigned;
+    }
+>>>>>>> a61db28... Adding more SAML SSO tests
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/ef06a563/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
index 2d864a5..30bdcd8 100644
--- a/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
+++ b/rt/rs/security/sso/saml/src/main/java/org/apache/cxf/rs/security/saml/sso/SAMLSSOResponseValidator.java
@@ -44,6 +44,7 @@ public class SAMLSSOResponseValidator {
     private String clientAddress;
     private String requestId;
     private String spIdentifier;
+    private boolean enforceResponseSigned;
     private boolean enforceAssertionsSigned = true;
     private boolean enforceKnownIssuer = true;
     private TokenReplayCache<String> replayCache;
@@ -91,6 +92,11 @@ public class SAMLSSOResponseValidator {
             throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
         }
         
+        if (enforceResponseSigned && !samlResponse.isSigned()) {
+            LOG.fine("The Response must be signed!");
+            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "invalidSAMLsecurity");
+        }
+        
         // Validate Assertions
         org.opensaml.saml2.core.Assertion validAssertion = null;
         Date sessionNotOnOrAfter = null;
@@ -333,5 +339,16 @@ public class SAMLSSOResponseValidator {
     public void setReplayCache(TokenReplayCache<String> replayCache) {
         this.replayCache = replayCache;
     }
+
+    public boolean isEnforceResponseSigned() {
+        return enforceResponseSigned;
+    }
+
+    /**
+     * Enforce whether a SAML Response must be signed.
+     */
+    public void setEnforceResponseSigned(boolean enforceResponseSigned) {
+        this.enforceResponseSigned = enforceResponseSigned;
+    }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/ef06a563/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
index 7b9a9c1..466f97f 100644
--- a/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
+++ b/rt/rs/security/sso/saml/src/test/java/org/apache/cxf/rs/security/saml/sso/CombinedValidatorTest.java
@@ -22,6 +22,8 @@ package org.apache.cxf.rs.security.saml.sso;
 import java.io.InputStream;
 import java.io.StringReader;
 import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
 import java.util.Collections;
 
 import javax.xml.parsers.DocumentBuilder;
@@ -29,6 +31,7 @@ import javax.xml.parsers.DocumentBuilderFactory;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
+<<<<<<< HEAD
 import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.ws.security.WSConstants;
 import org.apache.ws.security.WSSConfig;
@@ -42,25 +45,65 @@ import org.apache.ws.security.saml.ext.bean.ConditionsBean;
 import org.apache.ws.security.saml.ext.bean.SubjectConfirmationDataBean;
 import org.apache.ws.security.saml.ext.builder.SAML2Constants;
 import org.apache.ws.security.util.Loader;
+=======
+import org.apache.wss4j.common.crypto.Crypto;
+import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.crypto.Merlin;
+import org.apache.wss4j.common.ext.WSSecurityException;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.saml.SAMLCallback;
+import org.apache.wss4j.common.saml.SAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
+import org.apache.wss4j.common.saml.bean.AudienceRestrictionBean;
+import org.apache.wss4j.common.saml.bean.ConditionsBean;
+import org.apache.wss4j.common.saml.bean.SubjectConfirmationDataBean;
+import org.apache.wss4j.common.saml.builder.SAML2Constants;
+import org.apache.wss4j.common.util.Loader;
+import org.apache.wss4j.dom.WSConstants;
+import org.apache.wss4j.dom.WSSConfig;
+>>>>>>> a61db28... Adding more SAML SSO tests
 import org.joda.time.DateTime;
+<<<<<<< HEAD
 import org.opensaml.common.xml.SAMLConstants;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.Status;
+=======
+import org.opensaml.saml.common.SignableSAMLObject;
+import org.opensaml.saml.common.xml.SAMLConstants;
+import org.opensaml.saml.saml2.core.Response;
+import org.opensaml.saml.saml2.core.Status;
+import org.opensaml.security.x509.BasicX509Credential;
+import org.opensaml.xmlsec.keyinfo.impl.X509KeyInfoGeneratorFactory;
+import org.opensaml.xmlsec.signature.KeyInfo;
+import org.opensaml.xmlsec.signature.Signature;
+import org.opensaml.xmlsec.signature.support.SignatureConstants;
+>>>>>>> 3228637... Adding more SAML SSO tests
 
 /**
  * Some unit tests for the SAMLProtocolResponseValidator and the SAMLSSOResponseValidator
  */
 public class CombinedValidatorTest extends org.junit.Assert {
     
+    private static final DocumentBuilderFactory DOC_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
+    
     static {
         WSSConfig.init();
         OpenSAMLUtil.initSamlEngine();
+        DOC_BUILDER_FACTORY.setNamespaceAware(true);
     }
 
     @org.junit.Test
     public void testSuccessfulValidation() throws Exception {
         
-        Element responseElement = createResponse();
+        DocumentBuilder docBuilder = DOC_BUILDER_FACTORY.newDocumentBuilder();
+        Document doc = docBuilder.newDocument();
+        
+        Response response = createResponse(doc);
+        
+        Element responseElement = OpenSAMLUtil.toDom(response, doc);
+        doc.appendChild(responseElement);
+        assertNotNull(responseElement);
+        
         Response marshalledResponse = (Response)OpenSAMLUtil.fromDom(responseElement);
         
         Crypto issuerCrypto = new Merlin();
@@ -96,7 +139,14 @@ public class CombinedValidatorTest extends org.junit.Assert {
     
     @org.junit.Test
     public void testWrappingAttack3() throws Exception {
-        Element responseElement = createResponse();
+        DocumentBuilder docBuilder = DOC_BUILDER_FACTORY.newDocumentBuilder();
+        Document doc = docBuilder.newDocument();
+        
+        Response response = createResponse(doc);
+        
+        Element responseElement = OpenSAMLUtil.toDom(response, doc);
+        doc.appendChild(responseElement);
+        assertNotNull(responseElement);
         
         // Get Assertion Element
         Element assertionElement = 
@@ -158,12 +208,98 @@ public class CombinedValidatorTest extends org.junit.Assert {
         assertEquals("alice", parsedAssertion.getSaml2().getSubject().getNameID().getValue());
     }
     
-    private Element createResponse() throws Exception {
-        DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
-        docBuilderFactory.setNamespaceAware(true);
-        DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
+    @org.junit.Test
+    public void testSuccessfulSignedValidation() throws Exception {
+        
+        DocumentBuilder docBuilder = DOC_BUILDER_FACTORY.newDocumentBuilder();
         Document doc = docBuilder.newDocument();
         
+        Response response = createResponse(doc);
+        
+        Crypto issuerCrypto = new Merlin();
+        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
+        InputStream input = Merlin.loadInputStream(loader, "alice.jks");
+        keyStore.load(input, "password".toCharArray());
+        ((Merlin)issuerCrypto).setKeyStore(keyStore);
+        
+        signResponse(response, "alice", "password", issuerCrypto, true);
+        
+        Element responseElement = OpenSAMLUtil.toDom(response, doc);
+        doc.appendChild(responseElement);
+        assertNotNull(responseElement);
+        
+        Response marshalledResponse = (Response)OpenSAMLUtil.fromDom(responseElement);
+        
+        // Validate the Response
+        SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
+        validator.validateSamlResponse(
+            marshalledResponse, issuerCrypto, new KeystorePasswordCallback()
+        );
+        
+        // Test SSO validation
+        SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
+        ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
+        ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
+        ssoValidator.setClientAddress("http://apache.org");
+        ssoValidator.setRequestId("12345");
+        ssoValidator.setSpIdentifier("http://service.apache.org");
+        
+        // Parse the response
+        SSOValidatorResponse ssoResponse = 
+            ssoValidator.validateSamlResponse(marshalledResponse, false);
+        SamlAssertionWrapper parsedAssertion = 
+            new SamlAssertionWrapper(ssoResponse.getAssertionElement());
+        
+        assertEquals("alice", parsedAssertion.getSubjectName());
+    }
+    
+    @org.junit.Test
+    public void testEnforceResponseSigned() throws Exception {
+        
+        DocumentBuilder docBuilder = DOC_BUILDER_FACTORY.newDocumentBuilder();
+        Document doc = docBuilder.newDocument();
+        
+        Response response = createResponse(doc);
+        
+        Element responseElement = OpenSAMLUtil.toDom(response, doc);
+        doc.appendChild(responseElement);
+        assertNotNull(responseElement);
+        
+        Response marshalledResponse = (Response)OpenSAMLUtil.fromDom(responseElement);
+        
+        Crypto issuerCrypto = new Merlin();
+        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        ClassLoader loader = Loader.getClassLoader(CombinedValidatorTest.class);
+        InputStream input = Merlin.loadInputStream(loader, "alice.jks");
+        keyStore.load(input, "password".toCharArray());
+        ((Merlin)issuerCrypto).setKeyStore(keyStore);
+        
+        // Validate the Response
+        SAMLProtocolResponseValidator validator = new SAMLProtocolResponseValidator();
+        validator.validateSamlResponse(
+            marshalledResponse, issuerCrypto, new KeystorePasswordCallback()
+        );
+        
+        // Test SSO validation
+        SAMLSSOResponseValidator ssoValidator = new SAMLSSOResponseValidator();
+        ssoValidator.setIssuerIDP("http://cxf.apache.org/issuer");
+        ssoValidator.setAssertionConsumerURL("http://recipient.apache.org");
+        ssoValidator.setClientAddress("http://apache.org");
+        ssoValidator.setRequestId("12345");
+        ssoValidator.setSpIdentifier("http://service.apache.org");
+        ssoValidator.setEnforceResponseSigned(true);
+        
+        // Parse the response
+        try {
+            ssoValidator.validateSamlResponse(marshalledResponse, false);
+            fail("Failure expected on an unsigned Response");
+        } catch (WSSecurityException ex) {
+            // expected
+        }
+    }
+    
+    private Response createResponse(Document doc) throws Exception {
         Status status = 
             SAML2PResponseComponentBuilder.createStatus(
                 SAMLProtocolResponseValidator.SAML2_STATUSCODE_SUCCESS, null
@@ -172,6 +308,7 @@ public class CombinedValidatorTest extends org.junit.Assert {
             SAML2PResponseComponentBuilder.createSAMLResponse(
                 "http://cxf.apache.org/saml", "http://cxf.apache.org/issuer", status
             );
+        response.setDestination("http://recipient.apache.org");
         
         // Create an AuthenticationAssertion
         SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
@@ -211,10 +348,62 @@ public class CombinedValidatorTest extends org.junit.Assert {
         
         response.getAssertions().add(assertion.getSaml2());
         
-        Element policyElement = OpenSAMLUtil.toDom(response, doc);
-        doc.appendChild(policyElement);
-        assertNotNull(policyElement);
-        
-        return policyElement;
+        return response;
+    }
+    
+    private void signResponse(
+        Response response,
+        String issuerKeyName,
+        String issuerKeyPassword,
+        Crypto issuerCrypto,
+        boolean useKeyInfo
+    ) throws Exception {
+        //
+        // Create the signature
+        //
+        Signature signature = OpenSAMLUtil.buildSignature();
+        signature.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
+
+        // prepare to sign the SAML token
+        CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
+        cryptoType.setAlias(issuerKeyName);
+        X509Certificate[] issuerCerts = issuerCrypto.getX509Certificates(cryptoType);
+        if (issuerCerts == null) {
+            throw new Exception(
+                "No issuer certs were found to sign the SAML Assertion using issuer name:
" + issuerKeyName);
+        }
+
+        String sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1;
+        String pubKeyAlgo = issuerCerts[0].getPublicKey().getAlgorithm();
+
+        if (pubKeyAlgo.equalsIgnoreCase("DSA")) {
+            sigAlgo = SignatureConstants.ALGO_ID_SIGNATURE_DSA;
+        }
+
+        PrivateKey privateKey = issuerCrypto.getPrivateKey(issuerKeyName, issuerKeyPassword);
+
+        signature.setSignatureAlgorithm(sigAlgo);
+
+        BasicX509Credential signingCredential = 
+            new BasicX509Credential(issuerCerts[0], privateKey);
+        signature.setSigningCredential(signingCredential);
+
+        if (useKeyInfo) {
+            X509KeyInfoGeneratorFactory kiFactory = new X509KeyInfoGeneratorFactory();
+            kiFactory.setEmitEntityCertificate(true);
+
+            try {
+                KeyInfo keyInfo = kiFactory.newInstance().generate(signingCredential);
+                signature.setKeyInfo(keyInfo);
+            } catch (org.opensaml.security.SecurityException ex) {
+                throw new Exception("Error generating KeyInfo from signing credential", ex);
+            }
+        }
+
+        // add the signature to the assertion
+        SignableSAMLObject signableObject = (SignableSAMLObject) response;
+        signableObject.setSignature(signature);
+        signableObject.releaseDOM();
+        signableObject.releaseChildrenDOM(true);
     }
 }


Mime
View raw message