Posted to commits@cxf.apache.org by co...@apache.org on 2020/06/17 08:29:39 UTC

[cxf-fediz] branch master updated: Adding more SAML encrypted non signed tests

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git


The following commit(s) were added to refs/heads/master by this push:
     new a08ff33  Adding more SAML encrypted non signed tests
a08ff33 is described below

commit a08ff3343130e9496e558dee41f9a21fdf84352c
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Jun 17 08:16:34 2020 +0100

    Adding more SAML encrypted non signed tests
---
 .../core/samlsso/SAMLEncryptedResponseTest.java    | 54 ++++++++++++++++++++--
 .../src/test/resources/fediz_test_config_saml.xml  | 33 +++++++++++++
 2 files changed, 83 insertions(+), 4 deletions(-)

diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java
index b801796..882df46 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java
@@ -52,6 +52,7 @@ import org.apache.cxf.fediz.core.RequestState;
 import org.apache.cxf.fediz.core.SAML2CallbackHandler;
 import org.apache.cxf.fediz.core.config.FedizConfigurator;
 import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
 import org.apache.cxf.fediz.core.processor.FedizProcessor;
 import org.apache.cxf.fediz.core.processor.FedizRequest;
 import org.apache.cxf.fediz.core.processor.FedizResponse;
@@ -86,6 +87,7 @@ import org.junit.BeforeClass;
 
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
 /**
  * Some tests for processing SAMLResponses containing EncryptedAssertions using the SAMLProcessorImpl
@@ -150,7 +152,6 @@ public class SAMLEncryptedResponseTest {
     @org.junit.Test
     public void validateSignedEncryptedSAMLResponse() throws Exception {
         // Mock up a Request
-        //FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
         FedizContext config =
                 getFederationConfigurator().getFedizContext("ROOT_DECRYPTION");
 
@@ -199,12 +200,10 @@ public class SAMLEncryptedResponseTest {
     }
 
     @org.junit.Test
-    @org.junit.Ignore // TODO re-enable once we support unsigned encrypted assertions
     public void validateUnsignedEncryptedSAMLResponse() throws Exception {
         // Mock up a Request
-        //FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
         FedizContext config =
-                getFederationConfigurator().getFedizContext("ROOT_DECRYPTION");
+                getFederationConfigurator().getFedizContext("ROOT_DECRYPTION_ALLOW_UNSIGNED");
 
         String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
 
@@ -250,6 +249,53 @@ public class SAMLEncryptedResponseTest {
         assertClaims(wfRes.getClaims(), ClaimTypes.COUNTRY);
     }
 
+    @org.junit.Test
+    public void rejectUnsignedEncryptedAssertionByDefault() throws Exception {
+        // Mock up a Request
+        FedizContext config =
+                getFederationConfigurator().getFedizContext("ROOT_DECRYPTION");
+
+        String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+        String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+        RequestState requestState = new RequestState(TEST_REQUEST_URL,
+                TEST_IDP_ISSUER,
+                requestId,
+                TEST_REQUEST_URL,
+                (String)config.getProtocol().getIssuer(),
+                null,
+                relayState,
+                System.currentTimeMillis());
+
+        // Create SAML Response
+        SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+        callbackHandler.setAlsoAddAuthnStatement(true);
+        callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
+        callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+        callbackHandler.setIssuer(TEST_IDP_ISSUER);
+        callbackHandler.setSubjectName(TEST_USER);
+        String responseStr = createSamlResponseStr(callbackHandler, requestId, false);
+
+        HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+        EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+        EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+        EasyMock.replay(req);
+
+        FedizRequest wfReq = new FedizRequest();
+        wfReq.setResponseToken(responseStr);
+        wfReq.setState(relayState);
+        wfReq.setRequest(req);
+        wfReq.setRequestState(requestState);
+
+        FedizProcessor wfProc = new SAMLProcessorImpl();
+        try {
+            wfProc.processRequest(wfReq, config);
+            fail("Failure expected on an unsigned token");
+        } catch (ProcessingException ex) {
+            // expected
+        }
+    }
+
     private String createSamlResponseStr(AbstractSAMLCallbackHandler saml2CallbackHandler,
                                          String requestId,
                                          boolean signAssertion) throws Exception {
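Review bot: The catch block in rejectUnsignedEncryptedAssertionByDefault accepts any ProcessingException, so a failure unrelated to the missing signature (a decryption-key mismatch, an audience or clock-skew rejection) would also make this negative test pass; if ProcessingException exposes a type or reason for the rejection, assert on it inside the catch instead of leaving only `// expected`. The test also never calls `EasyMock.verify(req)` after processing, so an unconsumed expectation goes unnoticed; whether the sibling tests do so is not visible here. A short comment at the `getFedizContext("ROOT_DECRYPTION")` line, e.g. `// default context: encrypted assertions must still be signed, unlike ROOT_DECRYPTION_ALLOW_UNSIGNED`, would make the pairing with validateUnsignedEncryptedSAMLResponse explicit.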
diff --git a/plugins/core/src/test/resources/fediz_test_config_saml.xml b/plugins/core/src/test/resources/fediz_test_config_saml.xml
index ff84520..69bbd32 100644
--- a/plugins/core/src/test/resources/fediz_test_config_saml.xml
+++ b/plugins/core/src/test/resources/fediz_test_config_saml.xml
@@ -364,4 +364,37 @@
 		<logoutURL>secure/logout</logoutURL>
 		<logoutRedirectTo>/redir.html</logoutRedirectTo>
 	</contextConfig>
+
+	<contextConfig name="ROOT_DECRYPTION_ALLOW_UNSIGNED">
+		<audienceUris>
+			<audienceItem>http://host_one:port/url</audienceItem>
+		</audienceUris>
+		<certificateStores>
+			<trustManager>
+				<keyStore file="ststrust.jks" password="storepass"
+						  type="JKS" />
+			</trustManager>
+		</certificateStores>
+		<trustedIssuers>
+			<issuer certificateValidation="PeerTrust" />
+		</trustedIssuers>
+		<tokenDecryptionKey keyPassword="stskpass" keyAlias="mystskey">
+			<keyStore file="stsstore.jks" password="stsspass" type="JKS" />
+		</tokenDecryptionKey>
+
+		<maximumClockSkew>1000</maximumClockSkew>
+		<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+				  xsi:type="samlProtocolType" version="1.2">
+			<issuer>http://url_to_the_issuer</issuer>
+			<roleDelimiter>;</roleDelimiter>
+			<roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+			<claimTypesRequested>
+				<claimType type="a particular claim type" optional="true" />
+			</claimTypesRequested>
+			<doNotEnforceEncryptedAssertionsSigned>true</doNotEnforceEncryptedAssertionsSigned>
+		</protocol>
+
+		<logoutURL>secure/logout</logoutURL>
+		<logoutRedirectTo>/redir.html</logoutRedirectTo>
+	</contextConfig>
 </FedizConfig>
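Review bot: The new ROOT_DECRYPTION_ALLOW_UNSIGNED context differs from the existing decryption context only by the `doNotEnforceEncryptedAssertionsSigned` element, which is easy to miss inside a thirty-line copy; an XML comment directly above that element, such as `<!-- test-only: relaxes the requirement that encrypted assertions are signed; exercised by validateUnsignedEncryptedSAMLResponse -->`, would record why this context exists. Whether the plugin validates issuer trust on an unsigned assertion through the declared trustManager is not visible in this hunk, so it is worth a sentence in that comment once confirmed.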