From: coheigea@apache.org To: commits@cxf.apache.org Date: Tue, 25 Oct 2016 12:37:43 -0000 Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: [1/2] cxf git commit: Record older ActAs attributes in the newer token archived-at: Tue, 25 Oct 2016 12:37:45 -0000 Repository: cxf Updated Branches: refs/heads/master 160618509 -> e6d2a5121 Record older ActAs attributes in the newer token Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6cec1a13 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6cec1a13 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6cec1a13 Branch: refs/heads/master Commit: 6cec1a13d90d93f26017453836b2d759f7437165 Parents: 1606185 Author: Colm O hEigeartaigh Authored: Tue Oct 25 11:15:02 2016 +0100 Committer: Colm O hEigeartaigh Committed: Tue Oct 25 11:15:02 2016 +0100 ---------------------------------------------------------------------- .../ActAsAttributeStatementProvider.java | 30 ++++++ .../token/provider/SAMLProviderActAsTest.java | 96 ++++++++++++++++++++ 2 files changed, 126 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/6cec1a13/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ActAsAttributeStatementProvider.java ----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ActAsAttributeStatementProvider.java b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ActAsAttributeStatementProvider.java
index 808cad2..cd0e837 100644
--- a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ActAsAttributeStatementProvider.java
+++ b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ActAsAttributeStatementProvider.java
@@ -34,6 +34,7 @@ import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.common.saml.bean.AttributeBean;
 import org.apache.wss4j.common.saml.bean.AttributeStatementBean;
 import org.apache.wss4j.dom.WSConstants;
+import org.opensaml.core.xml.XMLObject;
 
 /**
  * An AttributeStatementProvider implementation to handle "ActAs". It adds an "ActAs "attribute" with the name of
@@ -94,6 +95,35 @@ public class ActAsAttributeStatementProvider implements AttributeStatementProvid
 SamlAssertionWrapper wrapper = new SamlAssertionWrapper((Element)parameter);
 SAMLTokenPrincipal principal = new SAMLTokenPrincipalImpl(wrapper);
 parameterBean.addAttributeValue(principal.getName());
+
+ // Check for other ActAs attributes here + add them in
+ if (wrapper.getSaml2() != null) {
+ for (org.opensaml.saml.saml2.core.AttributeStatement attributeStatement
+ : wrapper.getSaml2().getAttributeStatements()) {
+ for (org.opensaml.saml.saml2.core.Attribute attribute : attributeStatement.getAttributes()) {
+ if ("ActAs".equals(attribute.getName())) {
+ for (XMLObject attributeValue : attribute.getAttributeValues()) {
+ Element attributeValueElement = attributeValue.getDOM();
+ String text = attributeValueElement.getTextContent();
+ parameterBean.addAttributeValue(text);
+ }
+ }
+ }
+ }
+ } else if (wrapper.getSaml1() != null) {
+ for (org.opensaml.saml.saml1.core.AttributeStatement attributeStatement
+ : wrapper.getSaml1().getAttributeStatements()) {
+ for (org.opensaml.saml.saml1.core.Attribute attribute : attributeStatement.getAttributes()) {
+ if ("ActAs".equals(attribute.getAttributeName())) {
+ for (XMLObject attributeValue : attribute.getAttributeValues()) {
+ Element attributeValueElement = attributeValue.getDOM();
+ String text = attributeValueElement.getTextContent();
+ parameterBean.addAttributeValue(text);
+ }
+ }
+ }
+ }
+ }
 }
 
 return parameterBean;
http://git-wip-us.apache.org/repos/asf/cxf/blob/6cec1a13/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java
----------------------------------------------------------------------
diff --git a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java
index 768da57..ad90fe4 100644
--- a/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java
+++ b/services/sts/sts-core/src/test/java/org/apache/cxf/sts/token/provider/SAMLProviderActAsTest.java
@@ -288,6 +288,102 @@ public class SAMLProviderActAsTest extends org.junit.Assert { assertTrue(tokenString.contains(ClaimTypes.LASTNAME.toString())); } + @org.junit.Test + public void testIncludeOtherActAsAttributesInTheToken() throws Exception { + TokenProvider samlTokenProvider = new SAMLTokenProvider(); + + UsernameTokenType usernameToken = new UsernameTokenType(); + AttributedString username = new AttributedString(); + username.setValue("bob"); + usernameToken.setUsername(username); + JAXBElement usernameTokenType = + new JAXBElement( + QNameConstants.USERNAME_TOKEN, UsernameTokenType.class, usernameToken + ); + + TokenProviderParameters providerParameters = + createProviderParameters( + WSConstants.WSS_SAML_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, usernameTokenType + ); + //Principal must be set in ReceivedToken/ActAs + providerParameters.getTokenRequirements().getActAs().setPrincipal( + new CustomTokenPrincipal(username.getValue())); + + assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML_TOKEN_TYPE)); + TokenProviderResponse providerResponse = samlTokenProvider.createToken(providerParameters); + assertTrue(providerResponse != null); + assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null); + + // Verify the token + Element token = (Element)providerResponse.getToken(); + SamlAssertionWrapper assertion = new SamlAssertionWrapper(token); + Assert.assertEquals("technical-user", assertion.getSubjectName()); + + boolean foundActAsAttribute = false; + for (org.opensaml.saml.saml1.core.AttributeStatement attributeStatement + : assertion.getSaml1().getAttributeStatements()) { + for (org.opensaml.saml.saml1.core.Attribute attribute : attributeStatement.getAttributes()) { + if ("ActAs".equals(attribute.getAttributeName())) { + for (XMLObject attributeValue : attribute.getAttributeValues()) { + Element attributeValueElement = attributeValue.getDOM(); + String text = attributeValueElement.getTextContent(); + if 
(text.contains("bob")) { + foundActAsAttribute = true; + break; + } + } + } + } + } + + Assert.assertTrue(foundActAsAttribute); + + // Now get another token "ActAs" the previous token + providerParameters = + createProviderParameters( + WSConstants.WSS_SAML2_TOKEN_TYPE, STSConstants.BEARER_KEY_KEYTYPE, token + ); + //Principal must be set in ReceivedToken/ActAs + providerParameters.getTokenRequirements().getActAs().setPrincipal( + new CustomTokenPrincipal("service-A")); + providerParameters.setPrincipal(new CustomTokenPrincipal("service-A")); + + assertTrue(samlTokenProvider.canHandleToken(WSConstants.WSS_SAML2_TOKEN_TYPE)); + providerResponse = samlTokenProvider.createToken(providerParameters); + assertTrue(providerResponse != null); + assertTrue(providerResponse.getToken() != null && providerResponse.getTokenId() != null); + + // Verify the token + token = (Element)providerResponse.getToken(); + assertion = new SamlAssertionWrapper(token); + Assert.assertEquals("service-A", assertion.getSubjectName()); + + String tokenString = DOM2Writer.nodeToString(token); + System.out.println(tokenString); + + boolean foundBob = false; + boolean foundTechnical = false; + for (org.opensaml.saml.saml2.core.AttributeStatement attributeStatement + : assertion.getSaml2().getAttributeStatements()) { + for (org.opensaml.saml.saml2.core.Attribute attribute : attributeStatement.getAttributes()) { + if ("ActAs".equals(attribute.getName())) { + for (XMLObject attributeValue : attribute.getAttributeValues()) { + Element attributeValueElement = attributeValue.getDOM(); + String text = attributeValueElement.getTextContent(); + if (text.contains("bob")) { + foundBob = true; + } else if (text.contains("technical-user")) { + foundTechnical = true; + } + } + } + } + } + + Assert.assertTrue(foundBob); + Assert.assertTrue(foundTechnical); + } + private Element getSAMLAssertion() throws Exception { TokenProvider samlTokenProvider = new SAMLTokenProvider(); TokenProviderParameters 
providerParameters =
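Review bot: `System.out.println(tokenString);` in the new test writes the entire issued assertion to stdout on every run; it reads as leftover debugging and the assertions that follow already cover what it was used to eyeball, so it should be removed. In the first search loop the `break` after `foundActAsAttribute = true;` only leaves the innermost loop over attribute values, which is harmless but suggests a short-circuit that does not happen; dropping it or breaking out of the outer loops explicitly would match intent. The hunk's trailing context runs into `getSAMLAssertion()`, whose body continues outside this view.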