cxf-commits mailing list archives

From cohei...@apache.org
Subject [2/3] cxf git commit: Removing some unneeded code from the security unit tests
Date Wed, 16 Aug 2017 16:47:35 GMT
Removing some unneeded code from the security unit tests

# Conflicts:
#	rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/bfdb3f8f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/bfdb3f8f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/bfdb3f8f

Branch: refs/heads/3.1.x-fixes
Commit: bfdb3f8ff39b948be9f97bc489df06955f16bdc7
Parents: 65869af
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Aug 16 17:44:49 2017 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Aug 16 17:46:31 2017 +0100

----------------------------------------------------------------------
 .../wss4j/AbstractPolicySecurityTest.java       | 129 ++++---------------
 .../wss4j/example-sts-issued-saml-assertion.xml |  58 +--------
 2 files changed, 25 insertions(+), 162 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/bfdb3f8f/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
index b627081..9b25f16 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
@@ -22,6 +22,7 @@ import java.io.Closeable;
 import java.net.URL;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
@@ -47,6 +48,7 @@ import org.apache.cxf.binding.soap.SoapMessage;
 import org.apache.cxf.endpoint.Endpoint;
 import org.apache.cxf.feature.Feature;
 import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.helpers.DOMUtils;
 import org.apache.cxf.interceptor.AbstractAttributedInterceptorProvider;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.service.Service;
@@ -67,13 +69,14 @@ import org.apache.neethi.Policy;
 import org.apache.wss4j.common.crypto.Crypto;
 import org.apache.wss4j.common.crypto.CryptoFactory;
 import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
 import org.apache.wss4j.dom.WSConstants;
 import org.apache.wss4j.dom.WSDataRef;
 import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
 import org.apache.wss4j.dom.handler.WSHandlerConstants;
 import org.apache.wss4j.dom.handler.WSHandlerResult;
 import org.apache.wss4j.policy.SP12Constants;
-import org.apache.wss4j.policy.model.AsymmetricBinding;
 
 public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest {
     protected PolicyBuilder policyBuilder;
@@ -318,9 +321,7 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest
{
         
         return msg.getContent(SOAPMessage.class).getSOAPPart();
     }
-    
-    // TODO: This method can be removed or reduced when testSignedElementsWithIssuedSAMLToken
is
-    // cleaned up.
+
     protected void runOutInterceptorAndValidateSamlTokenAttached(String policyDoc) throws
Exception {
         // create the request message
         final Document document = this.readDocument("wsse-request-clean.xml");
@@ -334,16 +335,23 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest
{
         // add an "issued" assertion into the message exchange
         Element issuedAssertion = 
             this.readDocument("example-sts-issued-saml-assertion.xml").getDocumentElement();
-        
-        String assertionId = issuedAssertion.getAttributeNodeNS(null, "AssertionID").getNodeValue();
-        
-        SecurityToken issuedToken = 
-            new SecurityToken(assertionId, issuedAssertion, null);
-        
+
         Properties cryptoProps = new Properties();
         URL url = ClassLoader.getSystemResource("outsecurity.properties");
         cryptoProps.load(url.openStream());
         Crypto crypto = CryptoFactory.getInstance(cryptoProps);
+
+        // Sign the "issued" assertion
+        SamlAssertionWrapper assertionWrapper = new SamlAssertionWrapper(issuedAssertion);
+        assertionWrapper.signAssertion("myalias", "myAliasPassword", crypto, false);
+
+        Document doc = DOMUtils.newDocument();
+        issuedAssertion = OpenSAMLUtil.toDom(assertionWrapper.getSaml1(), doc);
+        String assertionId = issuedAssertion.getAttributeNodeNS(null, "AssertionID").getNodeValue();
+        
+        SecurityToken issuedToken = 
+            new SecurityToken(assertionId, issuedAssertion, null);
+
         String alias = cryptoProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias");
         CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
         cryptoType.setAlias(alias);
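Review bot: The signing step added here hard-codes `"myalias"` and `"myAliasPassword"`, while the alias used a few lines further down is read from `outsecurity.properties`, so the two can drift apart if the test keystore is changed. The four-argument `signAssertion` call also leaves the signature and canonicalization algorithms to the WSS4J default, whereas the fixture signature removed in this commit pinned rsa-sha1 and exc-c14n. If the algorithm matters to the test, use the overload that takes them explicitly, if the WSS4J version in use offers one. `assertionWrapper.getSaml1()` is presumably null when the fixture is not a SAML 1.x assertion, so `assertNotNull(assertionWrapper.getSaml1());` before `OpenSAMLUtil.toDom(...)` would give a clearer failure. I would also add `// Test-only keystore credentials; algorithms are the WSS4J defaults` above the call. The method body starts before and continues after this hunk.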
@@ -361,8 +369,10 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest
{
         // fire the interceptor and verify results
         final Document signedDoc = this.runOutInterceptorAndValidate(
                 msg, policy, aim, null, null);
-        
-        verifySignatureCoversAssertion(signedDoc, assertionId);
+
+        this.runInInterceptorAndValidate(signedDoc,
+                                         policy, Collections.singletonList(SP12Constants.ISSUED_TOKEN),
null,
+                                         Collections.singletonList(CoverageType.SIGNED));
     }
     
     protected PolicyBasedWSS4JOutInterceptorInternal getOutInterceptor() {
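Review bot: The replacement check is less specific than the one it removes. `verifySignatureCoversAssertion` asserted that the SecurityTokenReference carrying this assertion ID appears among the `ds:Reference` URIs, while the new `runInInterceptorAndValidate(...)` call only names `SP12Constants.ISSUED_TOKEN` and `CoverageType.SIGNED`. What `CoverageType.SIGNED` verifies cannot be seen from this hunk; if it only checks body coverage, a regression that stops signing the token reference would still pass. A comment stating what is relied on would help, e.g. `// Inbound policy validation replaces the XPath check that the assertion's STR is covered by the signature`.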
@@ -467,101 +477,6 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest
{
         }
         assertTrue(foundReferenceList);
     }
-    
-    // TODO: This method can be removed when runOutInterceptorAndValidateAsymmetricBinding
-    // is cleaned up by adding server side enforcement of signature related algorithms.
-    // See https://issues.apache.org/jira/browse/WSS-222
-    protected void verifySignatureAlgorithms(Document signedDoc, AssertionInfoMap aim) throws
Exception { 
-        final AssertionInfo assertInfo = aim.get(SP12Constants.ASYMMETRIC_BINDING).iterator().next();
-        assertNotNull(assertInfo);
-        
-        final AsymmetricBinding binding = (AsymmetricBinding) assertInfo.getAssertion();
-        final String expectedSignatureMethod = binding.getAlgorithmSuite().getAsymmetricSignature();
-        final String expectedDigestAlgorithm = 
-            binding.getAlgorithmSuite().getAlgorithmSuiteType().getDigest();
-        final String expectedCanonAlgorithm  = binding.getAlgorithmSuite().getC14n().getValue();
-            
-        XPathFactory factory = XPathFactory.newInstance();
-        XPath xpath = factory.newXPath();
-        final NamespaceContext nsContext = this.getNamespaceContext();
-        xpath.setNamespaceContext(nsContext);
-        
-        // Signature Algorithm
-        final XPathExpression sigAlgoExpr = 
-            xpath.compile("/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo"

-                              + "/ds:SignatureMethod/@Algorithm");
-        
-        final String sigMethod =  (String) sigAlgoExpr.evaluate(signedDoc, XPathConstants.STRING);
-        assertEquals(expectedSignatureMethod, sigMethod);
-        
-        // Digest Method Algorithm
-        final XPathExpression digestAlgoExpr = xpath.compile(
-            "/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod");
-        
-        final NodeList digestMethodNodes = 
-            (NodeList) digestAlgoExpr.evaluate(signedDoc, XPathConstants.NODESET);
-        
-        for (int i = 0; i < digestMethodNodes.getLength(); i++) {
-            Node node = (Node)digestMethodNodes.item(i);
-            String digestAlgorithm = node.getAttributes().getNamedItem("Algorithm").getNodeValue();
-            assertEquals(expectedDigestAlgorithm, digestAlgorithm);
-        }
-        
-        // Canonicalization Algorithm
-        final XPathExpression canonAlgoExpr =
-            xpath.compile("/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo"

-                              + "/ds:CanonicalizationMethod/@Algorithm");
-        final String canonMethod =  (String) canonAlgoExpr.evaluate(signedDoc, XPathConstants.STRING);
-        assertEquals(expectedCanonAlgorithm, canonMethod);
-    }
-    
-    // TODO: This method can be removed when runOutInterceptorAndValidateSamlTokenAttached
-    // is cleaned up.
-    protected void verifySignatureCoversAssertion(Document signedDoc, String assertionId)
throws Exception {
-        XPathFactory factory = XPathFactory.newInstance();
-        XPath xpath = factory.newXPath();
-        final NamespaceContext nsContext = this.getNamespaceContext();
-        xpath.setNamespaceContext(nsContext);
-        
-        // Find the SecurityTokenReference for the assertion
-        final XPathExpression strExpr = xpath.compile(
-            "/s:Envelope/s:Header/wsse:Security/wsse:SecurityTokenReference/wsse:KeyIdentifier");
-        
-        final NodeList strKeyIdNodes = 
-            (NodeList) strExpr.evaluate(signedDoc, XPathConstants.NODESET);
-        
-        String strId = null;
-        for (int i = 0; i < strKeyIdNodes.getLength(); i++) {
-            Node keyIdNode = (Node) strKeyIdNodes.item(i);
-            String strKey = keyIdNode.getTextContent();
-            if (strKey.equals(assertionId)) {
-                Node strNode = (Node) keyIdNode.getParentNode();
-                strId = strNode.getAttributes().
-                    getNamedItemNS(nsContext.getNamespaceURI("wsu"), "Id").getNodeValue();
-                break;
-            }
-        }
-        assertNotNull("SecurityTokenReference for " + assertionId + " not found in security
header.", strId);
-        
-        // Verify STR is included in the signature references
-        final XPathExpression sigRefExpr =
-                xpath.compile("/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference");
-        
-        final NodeList sigReferenceNodes = 
-            (NodeList) sigRefExpr.evaluate(signedDoc, XPathConstants.NODESET);
-        
-        boolean foundStrReference = false;
-        for (int i = 0; i < sigReferenceNodes.getLength(); i++) {
-            Node sigRefNode = (Node) sigReferenceNodes.item(i);
-            String sigRefURI = sigRefNode.getAttributes().getNamedItem("URI").getNodeValue();
-            if (sigRefURI.equals("#" + strId)) {
-                foundStrReference = true;
-                break;
-            }
-        }
-
-        assertTrue("SecurityTokenReference for " + assertionId + " is not signed.", foundStrReference);
-    }
 
     protected void verifyEncryptedHeader(Document originalDoc, Document processedDoc) throws
Exception {
         XPathFactory factory = XPathFactory.newInstance();

http://git-wip-us.apache.org/repos/asf/cxf/blob/bfdb3f8f/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
b/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
index ed5abe6..6768104 100644
--- a/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
+++ b/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
@@ -6,10 +6,9 @@
 <saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
     xmlns:xs="http://www.w3.org/2001/XMLSchema" AssertionID="uuid-c318f4ea-a9c4-4d3c-8f11-218d30028522"
-    IssueInstant="2010-07-29T20:48:46.229Z" Issuer="TEST-STS"
+    Issuer="TEST-STS"
     MajorVersion="1" MinorVersion="1">
-    <saml:Conditions NotBefore="2010-07-29T20:48:46.229Z"
-        NotOnOrAfter="2010-07-29T20:49:22.229Z">
+    <saml:Conditions NotBefore="2010-07-29T20:48:46.229Z">
         <saml:AudienceRestrictionCondition>
             <saml:Audience>test-service</saml:Audience>
         </saml:AudienceRestrictionCondition>
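Review bot: Dropping `IssueInstant` leaves the fixture without an attribute that the SAML 1.1 assertion schema marks as required, and dropping `NotOnOrAfter` means the assertion never expires. Presumably both were removed so that the inbound validation added in AbstractPolicySecurityTest does not reject a 2010-dated token, but nothing in the file says so. A short comment above `<saml:Assertion>` would record the intent, e.g. `<!-- Test fixture: IssueInstant/NotOnOrAfter omitted so inbound validation does not reject it as stale; signed at test time -->`. The assertion element continues outside this hunk.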
@@ -21,7 +20,7 @@
             <saml:NameIdentifier>CN=test-user,OU=test,OU=CXF,O=Apache Software Foundation</saml:NameIdentifier>
             <saml:SubjectConfirmation>
                 <saml:ConfirmationMethod>
-                    urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
+                    urn:oasis:names:tc:SAML:1.0:cm:bearer
                 </saml:ConfirmationMethod>
                     <ds:KeyInfo>
                         <ds:X509Data>
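Review bot: The confirmation method becomes `bearer` but the `ds:KeyInfo` block inside `saml:SubjectConfirmation` is kept, so the fixture still carries a subject key that a bearer assertion does not use for proof of possession. As far as this diff shows, the test also no longer exercises a holder-of-key issued token. Either remove the now-unused `ds:KeyInfo` or mark it, e.g. `<!-- bearer: the KeyInfo below is not used for subject confirmation -->`.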
@@ -41,55 +40,4 @@
             </saml:SubjectConfirmation>
         </saml:Subject>
     </saml:AuthenticationStatement>
-        <ds:Signature>
-            <ds:SignedInfo>
-                <ds:CanonicalizationMethod
-                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
-                <ds:SignatureMethod
-                    Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
-                <ds:Reference
-                    URI="#uuid-c318f4ea-a9c4-4d3c-8f11-218d30028522">
-                    <ds:Transforms>
-                        <ds:Transform
-                            Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
/>
-                        <ds:Transform
-                            Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
-                    </ds:Transforms>
-                    <ds:DigestMethod
-                        Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
-                    <ds:DigestValue>+oA6MZcwrQrVa+IwsOejQW91VwM=
-                    </ds:DigestValue>
-                </ds:Reference>
-            </ds:SignedInfo>
-            <ds:SignatureValue>
-                WNU2nQEnGtMl3f+bApcFB/fFb36WCfBMae/9wFs5Y2Be6RVZ0FMv6NYMhEboWwuUuRMAZ8L8Ac4H
-                2Xp76pd/9ypO/IY+oM5k6A4N+p8q/VX5f3Qnkh5EcF2k69LVfMNpBje+eksUyHyREUd8w6Ejh1O1
-                kLkR4oxBLjvYm+GLGFEmMYTpFHFyAK1bn1BdvAtDb3/hDZeGASRWUPnYFuqMTMUqa1O6iBISQFM1
-                3KUwhvKk7xODSsIsivFYFcP/7MamYOwr5UWyDex2xID9ubXdzu0B/Ey6IslaCCFZSZK1WfSiTU2Q
-                yZarJS6WBDTNCt2ad29A5oURJpwEsdXQsOtNmA==
-            </ds:SignatureValue>
-            <ds:KeyInfo>
-                <ds:X509Data>
-                    <ds:X509Certificate>MIIDmzCCAoOgAwIBAgIBAzANBgkqhkiG9w0
-                        BAQUFADBYMSYwJAYDVQQKEx1Qcm9ncmVzcyBTb2Z0
-                        d2FyZSBDb3Jwb3JhdGlvbjELMAkGA1UECxMCcHMxDTALBgNVBAsTBHRlc3QxEjAQBgNVBAMTCVRl
-                        c3QgQ0EgMTAeFw0wOTEyMTgwMTQ5MDFaFw0xOTEyMTYwMTQ2NDFaMFkxJjAkBgNVBAoTHVByb2dy
-                        ZXNzIFNvZnR3YXJlIENvcnBvcmF0aW9uMQswCQYDVQQLEwJwczENMAsGA1UECxMEdGVzdDETMBEG
-                        A1UEAxMKc3RzLWlzc3VlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf6fT4yXU8J
-                        sfQAa6Kidu8NVONLF4HPgGMnB/JxcMJFzYvG9J2WtWTV0PEwzoLronC/92NcEmHktaY6mbgXQx90
-                        4nnyXVs1mhSFbFjuunOCwbYbLoP0hTSOAFEXIMZfIev6ecnSS2jbuhz4CRKxdbtf5d1QF2MWataN
-                        zTXYqoWuHKcSxzha4DlS8W9MVAp4gi6yubbbb0KZxMDeTiuCM8kJ1B0et+qAw3hVRosWHxzvcJz7
-                        zzc2fscOSVBtwDyYZdEShHt8oL+9bs1oiWHZm35/YP476AOC9rznYU6ekXtVszwak5kOAheJC9sx
-                        BF+WMmMRZc3w3ZMEJUcLMgYj678CAwEAAaNvMG0wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU6hTh
-                        MTVrJEvhmPWvHzgFS4fbPr4wCwYDVR0PBAQDAgSwMBEGCWCGSAGG+EIBAQQEAwIFoDAeBglghkgB
-                        hvhCAQ0EERYPeGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4IBAQAbb5autCceUfJLII1T
-                        C2zqTFdxFzW6Pa1Ni8VYtxEVli5d48R3VgfPm4o1uP5MeJJc1LzgwQ7TYWhdmwDAWIbXvNtaMzDZ
-                        FZK2kgU4yjhPSTTqMZvvdJlADBQbZPKxsd9NT5K7FEcxuWNOnjRl1vZZ3pbgbR/aq12g9ERWjvt6
-                        ZOS0/Rc2mv8uie1rCpPIdes/nj9yTP+pMIGI65RhMHrr3zPIkl6ZWPPWFoXkOS26e8AKkfMadaZd
-                        WKrB3xkBW5eDoUz22DaolFw5WfJJD2s3kto26/UYjjRviZ9j+YkRVRDLDn3j/8wcdYD2p1anzMKU
-                        TjZe7HgwbK7N/J5QJ/KQ
-                            </ds:X509Certificate>
-                </ds:X509Data>
-            </ds:KeyInfo>
-        </ds:Signature>
 </saml:Assertion>

