Removing some unneeded code from the security unit tests
# Conflicts:
# rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/bfdb3f8f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/bfdb3f8f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/bfdb3f8f
Branch: refs/heads/3.1.x-fixes
Commit: bfdb3f8ff39b948be9f97bc489df06955f16bdc7
Parents: 65869af
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Aug 16 17:44:49 2017 +0100
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Aug 16 17:46:31 2017 +0100
----------------------------------------------------------------------
.../wss4j/AbstractPolicySecurityTest.java | 129 ++++---------------
.../wss4j/example-sts-issued-saml-assertion.xml | 58 +--------
2 files changed, 25 insertions(+), 162 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/bfdb3f8f/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
index b627081..9b25f16 100644
--- a/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
+++ b/rt/ws/security/src/test/java/org/apache/cxf/ws/security/wss4j/AbstractPolicySecurityTest.java
@@ -22,6 +22,7 @@ import java.io.Closeable;
import java.net.URL;
import java.util.Arrays;
import java.util.Collection;
+import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Properties;
@@ -47,6 +48,7 @@ import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.feature.Feature;
import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.AbstractAttributedInterceptorProvider;
import org.apache.cxf.message.Message;
import org.apache.cxf.service.Service;
@@ -67,13 +69,14 @@ import org.apache.neethi.Policy;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.crypto.CryptoType;
+import org.apache.wss4j.common.saml.OpenSAMLUtil;
+import org.apache.wss4j.common.saml.SamlAssertionWrapper;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.WSDataRef;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.WSHandlerConstants;
import org.apache.wss4j.dom.handler.WSHandlerResult;
import org.apache.wss4j.policy.SP12Constants;
-import org.apache.wss4j.policy.model.AsymmetricBinding;
public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest {
protected PolicyBuilder policyBuilder;
@@ -318,9 +321,7 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest
{
return msg.getContent(SOAPMessage.class).getSOAPPart();
}
-
- // TODO: This method can be removed or reduced when testSignedElementsWithIssuedSAMLToken
is
- // cleaned up.
+
protected void runOutInterceptorAndValidateSamlTokenAttached(String policyDoc) throws
Exception {
// create the request message
final Document document = this.readDocument("wsse-request-clean.xml");
@@ -334,16 +335,23 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest
{
// add an "issued" assertion into the message exchange
Element issuedAssertion =
this.readDocument("example-sts-issued-saml-assertion.xml").getDocumentElement();
-
- String assertionId = issuedAssertion.getAttributeNodeNS(null, "AssertionID").getNodeValue();
-
- SecurityToken issuedToken =
- new SecurityToken(assertionId, issuedAssertion, null);
-
+
Properties cryptoProps = new Properties();
URL url = ClassLoader.getSystemResource("outsecurity.properties");
cryptoProps.load(url.openStream());
Crypto crypto = CryptoFactory.getInstance(cryptoProps);
+
+ // Sign the "issued" assertion
+ SamlAssertionWrapper assertionWrapper = new SamlAssertionWrapper(issuedAssertion);
+ assertionWrapper.signAssertion("myalias", "myAliasPassword", crypto, false);
+
+ Document doc = DOMUtils.newDocument();
+ issuedAssertion = OpenSAMLUtil.toDom(assertionWrapper.getSaml1(), doc);
+ String assertionId = issuedAssertion.getAttributeNodeNS(null, "AssertionID").getNodeValue();
+
+ SecurityToken issuedToken =
+ new SecurityToken(assertionId, issuedAssertion, null);
+
String alias = cryptoProps.getProperty("org.apache.ws.security.crypto.merlin.keystore.alias");
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias(alias);
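Review bot: The signing call `assertionWrapper.signAssertion("myalias", "myAliasPassword", crypto, false)` hard-codes the issuer alias and password, while a few lines later the same test resolves the alias from `org.apache.ws.security.crypto.merlin.keystore.alias` in `outsecurity.properties`; if both are meant to name the same key (not confirmable from the hunk) the literal will silently diverge when the properties file changes, and if they are deliberately different keys that choice deserves a comment. I would either read the signing alias from `cryptoProps` before the `signAssertion` call or add `// Sign with the STS issuer key from the test keystore; the trailing false is WSS4J's sendKeyValue flag (certificate in KeyInfo rather than a bare KeyValue) — confirm` above it. Also, `issuedAssertion.getAttributeNodeNS(null, "AssertionID").getNodeValue()` dereferences without a null check, so if the re-marshalled assertion ever lacks the attribute the test dies with a NullPointerException instead of a descriptive assertion; `assertNotNull` on the attribute node first would give a clearer diagnostic. The enclosing method starts outside this hunk.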
@@ -361,8 +369,10 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest
{
// fire the interceptor and verify results
final Document signedDoc = this.runOutInterceptorAndValidate(
msg, policy, aim, null, null);
-
- verifySignatureCoversAssertion(signedDoc, assertionId);
+
+ this.runInInterceptorAndValidate(signedDoc,
+ policy, Collections.singletonList(SP12Constants.ISSUED_TOKEN),
null,
+ Collections.singletonList(CoverageType.SIGNED));
}
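Review bot: The replacement check `this.runInInterceptorAndValidate(signedDoc, policy, Collections.singletonList(SP12Constants.ISSUED_TOKEN), null, Collections.singletonList(CoverageType.SIGNED))` no longer names the assertion it expects to be signed, whereas the removed `verifySignatureCoversAssertion(signedDoc, assertionId)` tied the signed reference to this specific AssertionID; whether the in-interceptor path enforces that the signed element is the issued token's SecurityTokenReference cannot be seen from the hunk. A one-line comment would keep the intent readable: `// The in interceptor enforces the IssuedToken assertion and its SIGNED coverage, replacing the hand-rolled XPath check that the assertion's STR was signed`. If `runInInterceptorAndValidate` does not confirm which token was covered, consider additionally comparing `assertionId` against the processed token's identifier. The enclosing method starts outside this hunk.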
protected PolicyBasedWSS4JOutInterceptorInternal getOutInterceptor() {
@@ -467,101 +477,6 @@ public abstract class AbstractPolicySecurityTest extends AbstractSecurityTest
{
}
assertTrue(foundReferenceList);
}
-
- // TODO: This method can be removed when runOutInterceptorAndValidateAsymmetricBinding
- // is cleaned up by adding server side enforcement of signature related algorithms.
- // See https://issues.apache.org/jira/browse/WSS-222
- protected void verifySignatureAlgorithms(Document signedDoc, AssertionInfoMap aim) throws
Exception {
- final AssertionInfo assertInfo = aim.get(SP12Constants.ASYMMETRIC_BINDING).iterator().next();
- assertNotNull(assertInfo);
-
- final AsymmetricBinding binding = (AsymmetricBinding) assertInfo.getAssertion();
- final String expectedSignatureMethod = binding.getAlgorithmSuite().getAsymmetricSignature();
- final String expectedDigestAlgorithm =
- binding.getAlgorithmSuite().getAlgorithmSuiteType().getDigest();
- final String expectedCanonAlgorithm = binding.getAlgorithmSuite().getC14n().getValue();
-
- XPathFactory factory = XPathFactory.newInstance();
- XPath xpath = factory.newXPath();
- final NamespaceContext nsContext = this.getNamespaceContext();
- xpath.setNamespaceContext(nsContext);
-
- // Signature Algorithm
- final XPathExpression sigAlgoExpr =
- xpath.compile("/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo"
- + "/ds:SignatureMethod/@Algorithm");
-
- final String sigMethod = (String) sigAlgoExpr.evaluate(signedDoc, XPathConstants.STRING);
- assertEquals(expectedSignatureMethod, sigMethod);
-
- // Digest Method Algorithm
- final XPathExpression digestAlgoExpr = xpath.compile(
- "/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod");
-
- final NodeList digestMethodNodes =
- (NodeList) digestAlgoExpr.evaluate(signedDoc, XPathConstants.NODESET);
-
- for (int i = 0; i < digestMethodNodes.getLength(); i++) {
- Node node = (Node)digestMethodNodes.item(i);
- String digestAlgorithm = node.getAttributes().getNamedItem("Algorithm").getNodeValue();
- assertEquals(expectedDigestAlgorithm, digestAlgorithm);
- }
-
- // Canonicalization Algorithm
- final XPathExpression canonAlgoExpr =
- xpath.compile("/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo"
- + "/ds:CanonicalizationMethod/@Algorithm");
- final String canonMethod = (String) canonAlgoExpr.evaluate(signedDoc, XPathConstants.STRING);
- assertEquals(expectedCanonAlgorithm, canonMethod);
- }
-
- // TODO: This method can be removed when runOutInterceptorAndValidateSamlTokenAttached
- // is cleaned up.
- protected void verifySignatureCoversAssertion(Document signedDoc, String assertionId)
throws Exception {
- XPathFactory factory = XPathFactory.newInstance();
- XPath xpath = factory.newXPath();
- final NamespaceContext nsContext = this.getNamespaceContext();
- xpath.setNamespaceContext(nsContext);
-
- // Find the SecurityTokenReference for the assertion
- final XPathExpression strExpr = xpath.compile(
- "/s:Envelope/s:Header/wsse:Security/wsse:SecurityTokenReference/wsse:KeyIdentifier");
-
- final NodeList strKeyIdNodes =
- (NodeList) strExpr.evaluate(signedDoc, XPathConstants.NODESET);
-
- String strId = null;
- for (int i = 0; i < strKeyIdNodes.getLength(); i++) {
- Node keyIdNode = (Node) strKeyIdNodes.item(i);
- String strKey = keyIdNode.getTextContent();
- if (strKey.equals(assertionId)) {
- Node strNode = (Node) keyIdNode.getParentNode();
- strId = strNode.getAttributes().
- getNamedItemNS(nsContext.getNamespaceURI("wsu"), "Id").getNodeValue();
- break;
- }
- }
- assertNotNull("SecurityTokenReference for " + assertionId + " not found in security
header.", strId);
-
- // Verify STR is included in the signature references
- final XPathExpression sigRefExpr =
- xpath.compile("/s:Envelope/s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference");
-
- final NodeList sigReferenceNodes =
- (NodeList) sigRefExpr.evaluate(signedDoc, XPathConstants.NODESET);
-
- boolean foundStrReference = false;
- for (int i = 0; i < sigReferenceNodes.getLength(); i++) {
- Node sigRefNode = (Node) sigReferenceNodes.item(i);
- String sigRefURI = sigRefNode.getAttributes().getNamedItem("URI").getNodeValue();
- if (sigRefURI.equals("#" + strId)) {
- foundStrReference = true;
- break;
- }
- }
-
- assertTrue("SecurityTokenReference for " + assertionId + " is not signed.", foundStrReference);
- }
protected void verifyEncryptedHeader(Document originalDoc, Document processedDoc) throws
Exception {
XPathFactory factory = XPathFactory.newInstance();
http://git-wip-us.apache.org/repos/asf/cxf/blob/bfdb3f8f/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
----------------------------------------------------------------------
diff --git a/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
b/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
index ed5abe6..6768104 100644
--- a/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
+++ b/rt/ws/security/src/test/resources/org/apache/cxf/ws/security/wss4j/example-sts-issued-saml-assertion.xml
@@ -6,10 +6,9 @@
<saml:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema" AssertionID="uuid-c318f4ea-a9c4-4d3c-8f11-218d30028522"
- IssueInstant="2010-07-29T20:48:46.229Z" Issuer="TEST-STS"
+ Issuer="TEST-STS"
MajorVersion="1" MinorVersion="1">
- <saml:Conditions NotBefore="2010-07-29T20:48:46.229Z"
- NotOnOrAfter="2010-07-29T20:49:22.229Z">
+ <saml:Conditions NotBefore="2010-07-29T20:48:46.229Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>test-service</saml:Audience>
</saml:AudienceRestrictionCondition>
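Review bot: Dropping `NotOnOrAfter` leaves `<saml:Conditions NotBefore="2010-07-29T20:48:46.229Z">` with no expiry, so the fixture assertion is valid forever and the test no longer exercises the upper bound of the validity window; that is presumably deliberate now that the assertion is actually validated at test time (a 2010 expiry would fail), but the fixture should say so, e.g. `<!-- NotOnOrAfter intentionally omitted: this assertion is validated when the test runs and must not expire -->`. Removing the `IssueInstant` attribute from a SAML 1.1 assertion also relies on the wrapper regenerating it on marshalling, which is not visible here and is worth confirming. Separately, the confirmation method is now `urn:oasis:names:tc:SAML:1.0:cm:bearer` yet the `<ds:KeyInfo>`/`<ds:X509Data>` beneath it remain; for a bearer token that key material carries no confirmation meaning, so either remove it or add a comment explaining why it is retained.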
@@ -21,7 +20,7 @@
<saml:NameIdentifier>CN=test-user,OU=test,OU=CXF,O=Apache Software Foundation</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
- urn:oasis:names:tc:SAML:1.0:cm:holder-of-key
+ urn:oasis:names:tc:SAML:1.0:cm:bearer
</saml:ConfirmationMethod>
<ds:KeyInfo>
<ds:X509Data>
@@ -41,55 +40,4 @@
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
- <ds:Signature>
- <ds:SignedInfo>
- <ds:CanonicalizationMethod
- Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
- <ds:SignatureMethod
- Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
- <ds:Reference
- URI="#uuid-c318f4ea-a9c4-4d3c-8f11-218d30028522">
- <ds:Transforms>
- <ds:Transform
- Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
/>
- <ds:Transform
- Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
- </ds:Transforms>
- <ds:DigestMethod
- Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
- <ds:DigestValue>+oA6MZcwrQrVa+IwsOejQW91VwM=
- </ds:DigestValue>
- </ds:Reference>
- </ds:SignedInfo>
- <ds:SignatureValue>
- WNU2nQEnGtMl3f+bApcFB/fFb36WCfBMae/9wFs5Y2Be6RVZ0FMv6NYMhEboWwuUuRMAZ8L8Ac4H
- 2Xp76pd/9ypO/IY+oM5k6A4N+p8q/VX5f3Qnkh5EcF2k69LVfMNpBje+eksUyHyREUd8w6Ejh1O1
- kLkR4oxBLjvYm+GLGFEmMYTpFHFyAK1bn1BdvAtDb3/hDZeGASRWUPnYFuqMTMUqa1O6iBISQFM1
- 3KUwhvKk7xODSsIsivFYFcP/7MamYOwr5UWyDex2xID9ubXdzu0B/Ey6IslaCCFZSZK1WfSiTU2Q
- yZarJS6WBDTNCt2ad29A5oURJpwEsdXQsOtNmA==
- </ds:SignatureValue>
- <ds:KeyInfo>
- <ds:X509Data>
- <ds:X509Certificate>MIIDmzCCAoOgAwIBAgIBAzANBgkqhkiG9w0
- BAQUFADBYMSYwJAYDVQQKEx1Qcm9ncmVzcyBTb2Z0
- d2FyZSBDb3Jwb3JhdGlvbjELMAkGA1UECxMCcHMxDTALBgNVBAsTBHRlc3QxEjAQBgNVBAMTCVRl
- c3QgQ0EgMTAeFw0wOTEyMTgwMTQ5MDFaFw0xOTEyMTYwMTQ2NDFaMFkxJjAkBgNVBAoTHVByb2dy
- ZXNzIFNvZnR3YXJlIENvcnBvcmF0aW9uMQswCQYDVQQLEwJwczENMAsGA1UECxMEdGVzdDETMBEG
- A1UEAxMKc3RzLWlzc3VlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf6fT4yXU8J
- sfQAa6Kidu8NVONLF4HPgGMnB/JxcMJFzYvG9J2WtWTV0PEwzoLronC/92NcEmHktaY6mbgXQx90
- 4nnyXVs1mhSFbFjuunOCwbYbLoP0hTSOAFEXIMZfIev6ecnSS2jbuhz4CRKxdbtf5d1QF2MWataN
- zTXYqoWuHKcSxzha4DlS8W9MVAp4gi6yubbbb0KZxMDeTiuCM8kJ1B0et+qAw3hVRosWHxzvcJz7
- zzc2fscOSVBtwDyYZdEShHt8oL+9bs1oiWHZm35/YP476AOC9rznYU6ekXtVszwak5kOAheJC9sx
- BF+WMmMRZc3w3ZMEJUcLMgYj678CAwEAAaNvMG0wDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU6hTh
- MTVrJEvhmPWvHzgFS4fbPr4wCwYDVR0PBAQDAgSwMBEGCWCGSAGG+EIBAQQEAwIFoDAeBglghkgB
- hvhCAQ0EERYPeGNhIGNlcnRpZmljYXRlMA0GCSqGSIb3DQEBBQUAA4IBAQAbb5autCceUfJLII1T
- C2zqTFdxFzW6Pa1Ni8VYtxEVli5d48R3VgfPm4o1uP5MeJJc1LzgwQ7TYWhdmwDAWIbXvNtaMzDZ
- FZK2kgU4yjhPSTTqMZvvdJlADBQbZPKxsd9NT5K7FEcxuWNOnjRl1vZZ3pbgbR/aq12g9ERWjvt6
- ZOS0/Rc2mv8uie1rCpPIdes/nj9yTP+pMIGI65RhMHrr3zPIkl6ZWPPWFoXkOS26e8AKkfMadaZd
- WKrB3xkBW5eDoUz22DaolFw5WfJJD2s3kto26/UYjjRviZ9j+YkRVRDLDn3j/8wcdYD2p1anzMKU
- TjZe7HgwbK7N/J5QJ/KQ
- </ds:X509Certificate>
- </ds:X509Data>
- </ds:KeyInfo>
- </ds:Signature>
</saml:Assertion>