cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [cxf-fediz] 03/07: Adding a modified SignatureValue test for SAML SSO
Date Thu, 17 May 2018 17:13:31 GMT
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git

commit 88aeaf1b215699c2dd36de8efddda0365f5fe179
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Thu May 17 14:23:33 2018 +0100

    Adding a modified SignatureValue test for SAML SSO
---
 .../fediz/systests/samlsso/Tomcat8PluginTest.java  | 83 ++++++++++++++++++++++
 .../cxf/fediz/integrationtests/AbstractTests.java  |  4 +-
 2 files changed, 85 insertions(+), 2 deletions(-)

diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/Tomcat8PluginTest.java
b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/Tomcat8PluginTest.java
index e100ad7..3fe901f 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/Tomcat8PluginTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/Tomcat8PluginTest.java
@@ -19,10 +19,13 @@
 
 package org.apache.cxf.fediz.systests.samlsso;
 
+import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
 
 import javax.servlet.ServletException;
 
@@ -32,11 +35,28 @@ import org.apache.catalina.LifecycleState;
 import org.apache.catalina.connector.Connector;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.commons.io.IOUtils;
+import org.apache.cxf.common.util.Base64Utility;
 import org.apache.cxf.fediz.integrationtests.AbstractTests;
 import org.apache.cxf.fediz.tomcat8.FederationAuthenticator;
+import org.apache.cxf.staxutils.StaxUtils;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.wss4j.common.util.DOM2Writer;
 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.BeforeClass;
+import org.junit.Test;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+
+import com.gargoylesoftware.htmlunit.CookieManager;
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.html.DomElement;
+import com.gargoylesoftware.htmlunit.html.DomNodeList;
+import com.gargoylesoftware.htmlunit.html.HtmlForm;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
 
 /**
  * Some tests for SAML SSO with the Tomcat 8 plugin, invoking on the Fediz IdP configured
for SAML SSO.
@@ -177,4 +197,67 @@ public class Tomcat8PluginTest extends AbstractTests {
         Thread.sleep(5 * 60 * 1000);
     }
 
+    @Test
+    public void testModifiedSignatureValue() throws Exception {
+
+        String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+            + "/secure/fedservlet";
+        String user = "alice";
+        String password = "ecila";
+
+        // Get the initial token
+        CookieManager cookieManager = new CookieManager();
+        final WebClient webClient = new WebClient();
+        webClient.setCookieManager(cookieManager);
+        webClient.getOptions().setUseInsecureSSL(true);
+        webClient.getCredentialsProvider().setCredentials(
+            new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+            new UsernamePasswordCredentials(user, password));
+
+        webClient.getOptions().setJavaScriptEnabled(false);
+        final HtmlPage idpPage = webClient.getPage(url);
+        webClient.getOptions().setJavaScriptEnabled(true);
+        Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+        // Parse the form to get the token (wresult)
+        DomNodeList<DomElement> results = idpPage.getElementsByTagName("input");
+
+        for (DomElement result : results) {
+            if (getTokenNameFromForm().equals(result.getAttributeNS(null, "name"))) {
+                String value = result.getAttributeNS(null, "value");
+
+                // Decode response
+                byte[] deflatedToken = Base64Utility.decode(value);
+                InputStream inputStream = new ByteArrayInputStream(deflatedToken);
+
+                Document responseDoc = StaxUtils.read(new InputStreamReader(inputStream,
"UTF-8"));
+
+                // Modify SignatureValue
+                String signatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
+                Node signatureValue =
+                    responseDoc.getElementsByTagNameNS(signatureNamespace, "SignatureValue").item(0);
+                signatureValue.setTextContent("H" + signatureValue.getTextContent());
+
+                // Re-encode response
+                String responseMessage = DOM2Writer.nodeToString(responseDoc);
+                result.setAttributeNS(null, "value", Base64Utility.encode(responseMessage.getBytes()));
+            }
+        }
+
+        // Invoke back on the RP
+
+        final HtmlForm form = idpPage.getFormByName(getLoginFormName());
+        final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+        try {
+            button.click();
+            Assert.fail("Failure expected on a modified signature");
+        } catch (FailingHttpStatusCodeException ex) {
+            // expected
+            Assert.assertTrue(401 == ex.getStatusCode() || 403 == ex.getStatusCode());
+        }
+
+        webClient.close();
+    }
+
 }
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 7a85783..03aee17 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -72,14 +72,14 @@ public abstract class AbstractTests {
         return true;
     }
 
-    private String getLoginFormName() {
+    protected String getLoginFormName() {
         if (isWSFederation()) {
             return "signinresponseform";
         }
         return "samlsigninresponseform";
     }
 
-    private String getTokenNameFromForm() {
+    protected String getTokenNameFromForm() {
         if (isWSFederation()) {
             return "wresult";
         }

-- 
To stop receiving notification emails like this one, please contact
coheigea@apache.org.

Mime
View raw message