Posted to commits@cxf.apache.org by co...@apache.org on 2020/06/17 08:29:39 UTC
[cxf-fediz] branch master updated: Adding more SAML encrypted non
signed tests
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/master by this push:
new a08ff33 Adding more SAML encrypted non signed tests
a08ff33 is described below
commit a08ff3343130e9496e558dee41f9a21fdf84352c
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Jun 17 08:16:34 2020 +0100
Adding more SAML encrypted non signed tests
---
.../core/samlsso/SAMLEncryptedResponseTest.java | 54 ++++++++++++++++++++--
.../src/test/resources/fediz_test_config_saml.xml | 33 +++++++++++++
2 files changed, 83 insertions(+), 4 deletions(-)
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java
index b801796..882df46 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLEncryptedResponseTest.java
@@ -52,6 +52,7 @@ import org.apache.cxf.fediz.core.RequestState;
import org.apache.cxf.fediz.core.SAML2CallbackHandler;
import org.apache.cxf.fediz.core.config.FedizConfigurator;
import org.apache.cxf.fediz.core.config.FedizContext;
+import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.fediz.core.processor.FedizProcessor;
import org.apache.cxf.fediz.core.processor.FedizRequest;
import org.apache.cxf.fediz.core.processor.FedizResponse;
@@ -86,6 +87,7 @@ import org.junit.BeforeClass;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
/**
* Some tests for processing SAMLResponses containing EncryptedAssertions using the SAMLProcessorImpl
@@ -150,7 +152,6 @@ public class SAMLEncryptedResponseTest {
@org.junit.Test
public void validateSignedEncryptedSAMLResponse() throws Exception {
// Mock up a Request
- //FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizContext config =
getFederationConfigurator().getFedizContext("ROOT_DECRYPTION");
@@ -199,12 +200,10 @@ public class SAMLEncryptedResponseTest {
}
@org.junit.Test
- @org.junit.Ignore // TODO re-enable once we support unsigned encrypted assertions
public void validateUnsignedEncryptedSAMLResponse() throws Exception {
// Mock up a Request
- //FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
FedizContext config =
- getFederationConfigurator().getFedizContext("ROOT_DECRYPTION");
+ getFederationConfigurator().getFedizContext("ROOT_DECRYPTION_ALLOW_UNSIGNED");
String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
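Review bot: The switch from ROOT_DECRYPTION to ROOT_DECRYPTION_ALLOW_UNSIGNED on the new line is what makes the `@Ignore` removable, but nothing in the method says so; a reader has to open fediz_test_config_saml.xml to learn that this context sets doNotEnforceEncryptedAssertionsSigned. A one-line comment above the assignment would carry that, e.g. `// ROOT_DECRYPTION_ALLOW_UNSIGNED sets doNotEnforceEncryptedAssertionsSigned=true, so an unsigned EncryptedAssertion is accepted here; the default context rejects it`. validateUnsignedEncryptedSAMLResponse continues past the end of the hunk.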
@@ -250,6 +249,53 @@ public class SAMLEncryptedResponseTest {
assertClaims(wfRes.getClaims(), ClaimTypes.COUNTRY);
}
+ @org.junit.Test
+ public void rejectUnsignedEncryptedAssertionByDefault() throws Exception {
+ // Mock up a Request
+ FedizContext config =
+ getFederationConfigurator().getFedizContext("ROOT_DECRYPTION");
+
+ String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ RequestState requestState = new RequestState(TEST_REQUEST_URL,
+ TEST_IDP_ISSUER,
+ requestId,
+ TEST_REQUEST_URL,
+ (String)config.getProtocol().getIssuer(),
+ null,
+ relayState,
+ System.currentTimeMillis());
+
+ // Create SAML Response
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setAlsoAddAuthnStatement(true);
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+ callbackHandler.setIssuer(TEST_IDP_ISSUER);
+ callbackHandler.setSubjectName(TEST_USER);
+ String responseStr = createSamlResponseStr(callbackHandler, requestId, false);
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+ EasyMock.replay(req);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setResponseToken(responseStr);
+ wfReq.setState(relayState);
+ wfReq.setRequest(req);
+ wfReq.setRequestState(requestState);
+
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ try {
+ wfProc.processRequest(wfReq, config);
+ fail("Failure expected on an unsigned token");
+ } catch (ProcessingException ex) {
+ // expected
+ }
+ }
+
private String createSamlResponseStr(AbstractSAMLCallbackHandler saml2CallbackHandler,
String requestId,
boolean signAssertion) throws Exception {
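Review bot: The catch block at the end of rejectUnsignedEncryptedAssertionByDefault accepts any ProcessingException, so the test also passes if processing fails for an unrelated reason (decryption, audience, clock skew) rather than because the assertion is unsigned, which is the property the test is meant to pin. If ProcessingException carries a failure type or a stable message, assert on it inside the catch instead of the bare `// expected`; if it does not, a short Javadoc on the method stating that it only checks that the default context (no doNotEnforceEncryptedAssertionsSigned) refuses the token would at least make the scope explicit. The request, RequestState and callback-handler setup is a near-verbatim copy of validateUnsignedEncryptedSAMLResponse, and presumably of the other tests in this class; extracting it into a private helper such as `buildRequest(FedizContext config, boolean signAssertion)` returning the FedizRequest would reduce the new method to its essential lines. With JUnit 4.13+ the try/fail/catch could also become `assertThrows(ProcessingException.class, () -> wfProc.processRequest(wfReq, config));`, though the JUnit version is not visible here. The createSamlResponseStr signature at the bottom of the hunk continues outside it.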
diff --git a/plugins/core/src/test/resources/fediz_test_config_saml.xml b/plugins/core/src/test/resources/fediz_test_config_saml.xml
index ff84520..69bbd32 100644
--- a/plugins/core/src/test/resources/fediz_test_config_saml.xml
+++ b/plugins/core/src/test/resources/fediz_test_config_saml.xml
@@ -364,4 +364,37 @@
<logoutURL>secure/logout</logoutURL>
<logoutRedirectTo>/redir.html</logoutRedirectTo>
</contextConfig>
+
+ <contextConfig name="ROOT_DECRYPTION_ALLOW_UNSIGNED">
+ <audienceUris>
+ <audienceItem>http://host_one:port/url</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="ststrust.jks" password="storepass"
+ type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+ <tokenDecryptionKey keyPassword="stskpass" keyAlias="mystskey">
+ <keyStore file="stsstore.jks" password="stsspass" type="JKS" />
+ </tokenDecryptionKey>
+
+ <maximumClockSkew>1000</maximumClockSkew>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="samlProtocolType" version="1.2">
+ <issuer>http://url_to_the_issuer</issuer>
+ <roleDelimiter>;</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <claimTypesRequested>
+ <claimType type="a particular claim type" optional="true" />
+ </claimTypesRequested>
+ <doNotEnforceEncryptedAssertionsSigned>true</doNotEnforceEncryptedAssertionsSigned>
+ </protocol>
+
+ <logoutURL>secure/logout</logoutURL>
+ <logoutRedirectTo>/redir.html</logoutRedirectTo>
+ </contextConfig>
</FedizConfig>
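Review bot: The new ROOT_DECRYPTION_ALLOW_UNSIGNED context presumably mirrors ROOT_DECRYPTION except for doNotEnforceEncryptedAssertionsSigned, but nothing in the file says that or names the test that depends on it, so a later reader cannot tell whether the relaxed setting is deliberate. An XML comment above the element, `<!-- Same as ROOT_DECRYPTION but accepts EncryptedAssertions without a signature; only for validateUnsignedEncryptedSAMLResponse -->`, would make the intent clear and discourage other tests from reusing this context instead of the default one.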