You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2015/04/07 17:20:25 UTC
cxf-fediz git commit: [FEDIZ-111] - Adding some chain trust tests
Repository: cxf-fediz
Updated Branches:
refs/heads/1.1.x-fixes 098eabe7e -> d38c1a5a6
[FEDIZ-111] - Adding some chain trust tests
Conflicts:
plugins/core/src/test/resources/fediz_test_config.xml
Project: http://git-wip-us.apache.org/repos/asf/cxf-fediz/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf-fediz/commit/d38c1a5a
Tree: http://git-wip-us.apache.org/repos/asf/cxf-fediz/tree/d38c1a5a
Diff: http://git-wip-us.apache.org/repos/asf/cxf-fediz/diff/d38c1a5a
Branch: refs/heads/1.1.x-fixes
Commit: d38c1a5a670398ed7f57331dfb458716ce4f31d7
Parents: 098eabe
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Tue Apr 7 16:05:30 2015 +0100
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Tue Apr 7 16:19:53 2015 +0100
----------------------------------------------------------------------
.../cxf/fediz/core/saml/SAMLTokenValidator.java | 8 +-
.../cxf/fediz/core/FederationProcessorTest.java | 45 ++++++++++
.../src/test/resources/fediz_test_config.xml | 93 ++++++++++++++++++++
3 files changed, 145 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d38c1a5a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
index 3030479..8937a14 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/saml/SAMLTokenValidator.java
@@ -123,7 +123,13 @@ public class SAMLTokenValidator implements TokenValidator {
List<TrustedIssuer> trustedIssuers = config.getTrustedIssuers();
for (TrustedIssuer ti : trustedIssuers) {
- List<String> subjectConstraints = Collections.singletonList(ti.getSubject());
+ List<String> subjectConstraints = null;
+ if (ti.getSubject() == null) {
+ subjectConstraints = Collections.emptyList();
+ } else {
+ subjectConstraints = Collections.singletonList(ti.getSubject());
+ }
+
if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.CHAIN_TRUST)) {
trustValidator.setSubjectConstraints(subjectConstraints);
trustValidator.setSignatureTrustType(TRUST_TYPE.CHAIN_TRUST_CONSTRAINTS);
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d38c1a5a/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
index 5d1a3d8..1555ebd 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/FederationProcessorTest.java
@@ -243,6 +243,51 @@ public class FederationProcessorTest {
}
+ @org.junit.Test
+ public void testChainTrust() throws Exception {
+ SAML2CallbackHandler callbackHandler = new SAML2CallbackHandler();
+ callbackHandler.setStatement(SAML2CallbackHandler.Statement.ATTR);
+ callbackHandler.setConfirmationMethod(SAML2Constants.CONF_BEARER);
+ callbackHandler.setIssuer(TEST_RSTR_ISSUER);
+ callbackHandler.setSubjectName(TEST_USER);
+ ConditionsBean cp = new ConditionsBean();
+ cp.setAudienceURI(TEST_AUDIENCE);
+ callbackHandler.setConditions(cp);
+
+ SAMLParms samlParms = new SAMLParms();
+ samlParms.setCallbackHandler(callbackHandler);
+ AssertionWrapper assertion = new AssertionWrapper(samlParms);
+ String rstr = createSamlToken(assertion, "mystskey", true);
+
+ FederationRequest wfReq = new FederationRequest();
+ wfReq.setWa(FederationConstants.ACTION_SIGNIN);
+ wfReq.setWresult(rstr);
+
+ // Test successful trust validation (subject cert constraint)
+ configurator = null;
+ FederationContext config = getFederationConfigurator().getFederationContext("CHAIN_TRUST");
+
+ FederationProcessor wfProc = new FederationProcessorImpl();
+ FederationResponse wfRes = wfProc.processRequest(wfReq, config);
+
+ Assert.assertEquals("Principal name wrong", TEST_USER,
+ wfRes.getUsername());
+ Assert.assertEquals("Issuer wrong", TEST_RSTR_ISSUER, wfRes.getIssuer());
+ Assert.assertEquals("Audience wrong", TEST_AUDIENCE, wfRes.getAudience());
+
+ // Test unsuccessful trust validation (bad subject cert constraint)
+ configurator = null;
+ config = getFederationConfigurator().getFederationContext("CHAIN_TRUST2");
+
+ wfProc = new FederationProcessorImpl();
+ try {
+ wfRes = wfProc.processRequest(wfReq, config);
+ Assert.fail("Processing must fail because of invalid subject cert constraint");
+ } catch (ProcessingException ex) {
+ // expected
+ }
+ }
+
/**
* Validate SAML 2 token which includes the role attribute with 2 values
* Roles are encoded as a multi-value saml attribute
http://git-wip-us.apache.org/repos/asf/cxf-fediz/blob/d38c1a5a/plugins/core/src/test/resources/fediz_test_config.xml
----------------------------------------------------------------------
diff --git a/plugins/core/src/test/resources/fediz_test_config.xml b/plugins/core/src/test/resources/fediz_test_config.xml
index d2f83d2..b862ac3 100644
--- a/plugins/core/src/test/resources/fediz_test_config.xml
+++ b/plugins/core/src/test/resources/fediz_test_config.xml
@@ -234,4 +234,97 @@
</claimTypesRequested>
</protocol>
</contextConfig>
+ <contextConfig name="CLIENT_TRUST">
+ <audienceUris>
+ <audienceItem>http://host_one:port/url</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="clientonly.jks" password="cspass"
+ type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="PeerTrust" />
+ </trustedIssuers>
+
+ <maximumClockSkew>1000</maximumClockSkew>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.2">
+ <realm>target realm</realm>
+ <issuer>http://url_to_the_issuer</issuer>
+ <roleDelimiter>;</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <authenticationType value="some auth type" type="String" />
+ <freshness>10000</freshness>
+ <reply>reply value</reply>
+ <request>REQUEST</request>
+ <claimTypesRequested>
+ <claimType type="a particular claim type" optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ </contextConfig>
+
+ <contextConfig name="CHAIN_TRUST">
+ <audienceUris>
+ <audienceItem>http://host_one:port/url</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="ststrust.jks" password="storepass"
+ type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="ChainTrust" subject=".*CN=www.sts.com.*" />
+ </trustedIssuers>
+
+ <maximumClockSkew>1000</maximumClockSkew>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.2">
+ <realm>target realm</realm>
+ <issuer>http://url_to_the_issuer</issuer>
+ <roleDelimiter>;</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <authenticationType value="some auth type" type="String" />
+ <freshness>10000</freshness>
+ <reply>reply value</reply>
+ <request>REQUEST</request>
+ <claimTypesRequested>
+ <claimType type="a particular claim type" optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ </contextConfig>
+
+ <contextConfig name="CHAIN_TRUST2">
+ <audienceUris>
+ <audienceItem>http://host_one:port/url</audienceItem>
+ </audienceUris>
+ <certificateStores>
+ <trustManager>
+ <keyStore file="ststrust.jks" password="storepass"
+ type="JKS" />
+ </trustManager>
+ </certificateStores>
+ <trustedIssuers>
+ <issuer certificateValidation="ChainTrust" subject=".*CN=www.sts2.com.*" />
+ </trustedIssuers>
+
+ <maximumClockSkew>1000</maximumClockSkew>
+ <protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:type="federationProtocolType" version="1.2">
+ <realm>target realm</realm>
+ <issuer>http://url_to_the_issuer</issuer>
+ <roleDelimiter>;</roleDelimiter>
+ <roleURI>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role</roleURI>
+ <authenticationType value="some auth type" type="String" />
+ <freshness>10000</freshness>
+ <reply>reply value</reply>
+ <request>REQUEST</request>
+ <claimTypesRequested>
+ <claimType type="a particular claim type" optional="true" />
+ </claimTypesRequested>
+ </protocol>
+ </contextConfig>
+
</FedizConfig>