Posted to commits@cxf.apache.org by co...@apache.org on 2018/07/20 17:05:44 UTC
[cxf-fediz] branch master updated: FEDIZ-222 - Added some more unit
tests
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/master by this push:
new e42fea3 FEDIZ-222 - Added some more unit tests
e42fea3 is described below
commit e42fea3a428487886d6036f8f0df2cb27ddb4f5d
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Jul 20 17:44:41 2018 +0100
FEDIZ-222 - Added some more unit tests
---
.../fediz/core/processor/SAMLProcessorImpl.java | 6 +
.../cxf/fediz/core/samlsso/SAMLResponseTest.java | 125 ++++++++++++++++++++-
2 files changed, 130 insertions(+), 1 deletion(-)
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 03b1b6b..93020d7 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -278,6 +278,12 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
// Validate the Response
validateSamlResponseProtocol(logoutResponse, config);
+ // Enforce that the LogoutResponse is signed - we don't support a separate signature for now
+ if (!logoutResponse.isSigned()) {
+ LOG.debug("The LogoutResponse is not signed");
+ throw new ProcessingException(TYPE.INVALID_REQUEST);
+ }
+
Instant issueInstant = logoutResponse.getIssueInstant().toDate().toInstant();
FedizResponse fedResponse = new FedizResponse(
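Review bot: The new guard `if (!logoutResponse.isSigned())` only establishes that a Signature element is present; it does not by itself verify the signature or the signer's trust, so the comment should say where that happens (presumably in validateSamlResponseProtocol above or later in this method, neither visible in the hunk), e.g. `// Require a Signature element; the signature itself is verified and its signer checked against the truststore elsewhere in this flow`. Rejecting an unsigned LogoutResponse is a security-relevant decision that is currently recorded at DEBUG only, so `LOG.warn("Rejecting unsigned LogoutResponse");` would make the event visible to operators without exposing token content. The phrase "we don't support a separate signature for now" is ambiguous; if it means a detached signature carried by the binding rather than an enveloped XML signature, say so. Note also that validateBadDestinationLogoutResponse in the following hunk builds its response with signing set to `false`, so with this guard in place that test passes whether or not the destination check fires. The enclosing method starts and ends outside the hunk.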
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
index e0de355..69fd12e 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
@@ -64,7 +64,6 @@ import org.apache.cxf.fediz.core.processor.FedizProcessor;
import org.apache.cxf.fediz.core.processor.FedizRequest;
import org.apache.cxf.fediz.core.processor.FedizResponse;
import org.apache.cxf.fediz.core.processor.SAMLProcessorImpl;
-import org.apache.cxf.fediz.core.util.CertsUtils;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.crypto.CryptoType;
@@ -1277,6 +1276,130 @@ public class SAMLResponseTest {
FedizProcessor wfProc = new SAMLProcessorImpl();
wfProc.processRequest(wfReq, config);
}
+
+ @org.junit.Test
+ public void validateUnsignedLogoutResponse() throws Exception {
+ // Mock up a LogoutResponse
+ FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+ String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+ String status = "urn:oasis:names:tc:SAML:2.0:status:Success";
+ Element logoutResponse = createLogoutResponse(status, TEST_REQUEST_URL, false, requestId);
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+ EasyMock.replay(req);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setResponseToken(encodeResponse(logoutResponse));
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ wfReq.setState(relayState);
+ wfReq.setRequest(req);
+ wfReq.setSignOutRequest(true);
+
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ try {
+ wfProc.processRequest(wfReq, config);
+ fail("Failure expected on an unsigned response");
+ } catch (ProcessingException ex) {
+ // expected
+ }
+ }
+
+ @org.junit.Test
+ public void validateUntrustedLogoutResponse() throws Exception {
+ // Mock up a LogoutResponse
+ FedizContext config = getFederationConfigurator().getFedizContext("CLIENT_TRUST");
+
+ String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+ String status = "urn:oasis:names:tc:SAML:2.0:status:Success";
+ Element logoutResponse = createLogoutResponse(status, TEST_REQUEST_URL, true, requestId);
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+ EasyMock.replay(req);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setResponseToken(encodeResponse(logoutResponse));
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ wfReq.setState(relayState);
+ wfReq.setRequest(req);
+ wfReq.setSignOutRequest(true);
+
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ try {
+ wfProc.processRequest(wfReq, config);
+ fail("Failure expected on an untrusted response");
+ } catch (ProcessingException ex) {
+ // expected
+ }
+ }
+
+ @org.junit.Test
+ public void validateBadStatusInLogoutResponse() throws Exception {
+ // Mock up a LogoutResponse
+ FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+ String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+ String status = "urn:oasis:names:tc:SAML:2.0:status:Requester";
+ Element logoutResponse = createLogoutResponse(status, TEST_REQUEST_URL, true, requestId);
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+ EasyMock.replay(req);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setResponseToken(encodeResponse(logoutResponse));
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ wfReq.setState(relayState);
+ wfReq.setRequest(req);
+ wfReq.setSignOutRequest(true);
+
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ try {
+ wfProc.processRequest(wfReq, config);
+ fail("Failure expected on a a bad status code");
+ } catch (ProcessingException ex) {
+ // expected
+ }
+ }
+
+ @org.junit.Test
+ public void validateBadDestinationLogoutResponse() throws Exception {
+ // Mock up a LogoutResponse
+ FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+ String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+ String status = "urn:oasis:names:tc:SAML:2.0:status:Success";
+ Element logoutResponse = createLogoutResponse(status, TEST_REQUEST_URL + "_", false, requestId);
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+ EasyMock.replay(req);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setResponseToken(encodeResponse(logoutResponse));
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ wfReq.setState(relayState);
+ wfReq.setRequest(req);
+ wfReq.setSignOutRequest(true);
+
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ try {
+ wfProc.processRequest(wfReq, config);
+ fail("Failure expected on a bad destination");
+ } catch (ProcessingException ex) {
+ // expected
+ }
+ }
private String createSamlResponseStr(String requestId) throws Exception {
// Create SAML Assertion