From commits-return-49223-archive-asf-public=cust-asf.ponee.io@cxf.apache.org Thu May 17 19:13:31 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id D515B18078A for ; Thu, 17 May 2018 19:13:30 +0200 (CEST) Received: (qmail 36228 invoked by uid 500); 17 May 2018 17:13:29 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 36191 invoked by uid 99); 17 May 2018 17:13:29 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 17 May 2018 17:13:29 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id 7E7008626B; Thu, 17 May 2018 17:13:28 +0000 (UTC) Date: Thu, 17 May 2018 17:13:31 +0000 To: "commits@cxf.apache.org" Subject: [cxf-fediz] 03/07: Adding a modified SignatureValue test for SAML SSO MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit 
From: coheigea@apache.org In-Reply-To: <152657720839.1326.15503006124440750300@gitbox.apache.org> References: <152657720839.1326.15503006124440750300@gitbox.apache.org> X-Git-Host: gitbox.apache.org X-Git-Repo: cxf-fediz X-Git-Refname: refs/heads/1.4.x-fixes X-Git-Reftype: branch X-Git-Rev: 88aeaf1b215699c2dd36de8efddda0365f5fe179 X-Git-NotificationType: diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated Message-Id: <20180517171328.7E7008626B@gitbox.apache.org> This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 1.4.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git commit 88aeaf1b215699c2dd36de8efddda0365f5fe179 Author: Colm O hEigeartaigh AuthorDate: Thu May 17 14:23:33 2018 +0100 Adding a modified SignatureValue test for SAML SSO
---
 .../fediz/systests/samlsso/Tomcat8PluginTest.java | 83 ++++++++++++++++++++++
 .../cxf/fediz/integrationtests/AbstractTests.java | 4 +-
 2 files changed, 85 insertions(+), 2 deletions(-)
diff --git a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/Tomcat8PluginTest.java b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/Tomcat8PluginTest.java
index e100ad7..3fe901f 100644
--- a/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/Tomcat8PluginTest.java
+++ b/systests/samlsso/src/test/java/org/apache/cxf/fediz/systests/samlsso/Tomcat8PluginTest.java
@@ -19,10 +19,13 @@ package org.apache.cxf.fediz.systests.samlsso;
+import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
 import javax.servlet.ServletException;
@@ -32,11 +35,28 @@ import org.apache.catalina.LifecycleState;
 import org.apache.catalina.connector.Connector;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.commons.io.IOUtils;
+import org.apache.cxf.common.util.Base64Utility;
 import org.apache.cxf.fediz.integrationtests.AbstractTests;
 import org.apache.cxf.fediz.tomcat8.FederationAuthenticator;
+import org.apache.cxf.staxutils.StaxUtils;
+import org.apache.http.auth.AuthScope;
+import org.apache.http.auth.UsernamePasswordCredentials;
+import org.apache.wss4j.common.util.DOM2Writer;
 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.BeforeClass;
+import org.junit.Test;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+
+import com.gargoylesoftware.htmlunit.CookieManager;
+import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException;
+import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.html.DomElement;
+import com.gargoylesoftware.htmlunit.html.DomNodeList;
+import com.gargoylesoftware.htmlunit.html.HtmlForm;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import com.gargoylesoftware.htmlunit.html.HtmlSubmitInput;
 /**
  * Some tests for SAML SSO with the Tomcat 8 plugin, invoking on the Fediz IdP configured for SAML SSO.
@@ -177,4 +197,67 @@ public class Tomcat8PluginTest extends AbstractTests {
 Thread.sleep(5 * 60 * 1000);
 }
+ @Test
+ public void testModifiedSignatureValue() throws Exception {
+
+ String url = "https://localhost:" + getRpHttpsPort() + "/" + getServletContextName()
+ + "/secure/fedservlet";
+ String user = "alice";
+ String password = "ecila";
+
+ // Get the initial token
+ CookieManager cookieManager = new CookieManager();
+ final WebClient webClient = new WebClient();
+ webClient.setCookieManager(cookieManager);
+ webClient.getOptions().setUseInsecureSSL(true);
+ webClient.getCredentialsProvider().setCredentials(
+ new AuthScope("localhost", Integer.parseInt(getIdpHttpsPort())),
+ new UsernamePasswordCredentials(user, password));
+
+ webClient.getOptions().setJavaScriptEnabled(false);
+ final HtmlPage idpPage = webClient.getPage(url);
+ webClient.getOptions().setJavaScriptEnabled(true);
+ Assert.assertEquals("IDP SignIn Response Form", idpPage.getTitleText());
+
+ // Parse the form to get the token (wresult)
+ DomNodeList results = idpPage.getElementsByTagName("input");
+
+ for (DomElement result : results) {
+ if (getTokenNameFromForm().equals(result.getAttributeNS(null, "name"))) {
+ String value = result.getAttributeNS(null, "value");
+
+ // Decode response
+ byte[] deflatedToken = Base64Utility.decode(value);
+ InputStream inputStream = new ByteArrayInputStream(deflatedToken);
+
+ Document responseDoc = StaxUtils.read(new InputStreamReader(inputStream, "UTF-8"));
+
+ // Modify SignatureValue
+ String signatureNamespace = "http://www.w3.org/2000/09/xmldsig#";
+ Node signatureValue =
+ responseDoc.getElementsByTagNameNS(signatureNamespace, "SignatureValue").item(0);
+ signatureValue.setTextContent("H" + signatureValue.getTextContent());
+
+ // Re-encode response
+ String responseMessage = DOM2Writer.nodeToString(responseDoc);
+ result.setAttributeNS(null, "value", Base64Utility.encode(responseMessage.getBytes()));
+ }
+ }
+
+ // Invoke back on the RP
+
+ final 
HtmlForm form = idpPage.getFormByName(getLoginFormName());
+ final HtmlSubmitInput button = form.getInputByName("_eventId_submit");
+
+ try {
+ button.click();
+ Assert.fail("Failure expected on a modified signature");
+ } catch (FailingHttpStatusCodeException ex) {
+ // expected
+ Assert.assertTrue(401 == ex.getStatusCode() || 403 == ex.getStatusCode());
+ }
+
+ webClient.close();
+ }
+
 }
diff --git a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
index 7a85783..03aee17 100644
--- a/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
+++ b/systests/tests/src/test/java/org/apache/cxf/fediz/integrationtests/AbstractTests.java
@@ -72,14 +72,14 @@ public abstract class AbstractTests {
 return true;
 }
- private String getLoginFormName() {
+ protected String getLoginFormName() {
 if (isWSFederation()) {
 return "signinresponseform";
 }
 return "samlsigninresponseform";
 }
- private String getTokenNameFromForm() {
+ protected String getTokenNameFromForm() {
 if (isWSFederation()) {
 return "wresult";
 }
-- To stop receiving notification emails like this one, please contact coheigea@apache.org.
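Review bot: `Base64Utility.encode(responseMessage.getBytes())` re-encodes the tampered response with the JVM's default charset while the decode side reads it as UTF-8 via `new InputStreamReader(inputStream, "UTF-8")`, so the test depends on `file.encoding`; use `responseMessage.getBytes(StandardCharsets.UTF_8)` (and `StandardCharsets.UTF_8` in the reader), adding the `java.nio.charset.StandardCharsets` import. `webClient.close()` is reached only when every assertion passes, so a failing `Assert.assertEquals` on the IdP page title or a non-401/403 response leaks the client; wrap the body in try/finally, or try-with-resources if the HtmlUnit version in use makes `WebClient` AutoCloseable. The tampering step is also silent when no input named by `getTokenNameFromForm()` is present: the untouched token would be accepted and the test would fail with the misleading "Failure expected on a modified signature" message, so track a `boolean modified` in the loop and `Assert.assertTrue(modified)` before clicking. Prepending `"H"` to the Base64 SignatureValue changes its length, which means the RP may reject the token while decoding the value rather than in signature verification; replacing one character in place would exercise the verification path more directly.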