Posted to commits@cxf.apache.org by co...@apache.org on 2018/07/20 17:07:43 UTC
[cxf-fediz] branch 1.4.x-fixes updated: FEDIZ-222 - Added some more
unit tests
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 1.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf-fediz.git
The following commit(s) were added to refs/heads/1.4.x-fixes by this push:
new 47e2da3 FEDIZ-222 - Added some more unit tests
47e2da3 is described below
commit 47e2da31630d5f02a2062f174a1e6673f894c363
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Jul 20 17:44:41 2018 +0100
FEDIZ-222 - Added some more unit tests
---
.../fediz/core/processor/SAMLProcessorImpl.java | 5 +
.../cxf/fediz/core/samlsso/SAMLResponseTest.java | 124 +++++++++++++++++++++
2 files changed, 129 insertions(+)
diff --git a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
index 1008674..d3c8f06 100644
--- a/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
+++ b/plugins/core/src/main/java/org/apache/cxf/fediz/core/processor/SAMLProcessorImpl.java
@@ -285,6 +285,11 @@ public class SAMLProcessorImpl extends AbstractFedizProcessor {
validateSamlResponseProtocol(logoutResponse, config);
Date issueInstant = logoutResponse.getIssueInstant().toDate();
+ // Enforce that the LogoutResponse is signed - we don't support a separate signature for now
+ if (!logoutResponse.isSigned()) {
+ LOG.debug("The LogoutResponse is not signed");
+ throw new ProcessingException(TYPE.INVALID_REQUEST);
+ }
FedizResponse fedResponse = new FedizResponse(
null, logoutResponse.getIssuer().getValue(),
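Review bot: `logoutResponse.isSigned()` on the new guard only reports that a ds:Signature element is present on the LogoutResponse; it does not verify the signature or check that the signing certificate is trusted, so this is a precondition rather than the trust decision. If the cryptographic verification and trust check are done in validateSamlResponseProtocol (called two lines above) or by a later validator, the comment should say so, e.g. `// Require a ds:Signature element; signature verification and trust validation are performed separately`, otherwise a reader may take this guard as the whole check. The guard also runs after `logoutResponse.getIssueInstant().toDate()`, so a response without an IssueInstant fails there with a NullPointerException instead of the INVALID_REQUEST raised here; moving the signed check above that line would give a consistent rejection. The enclosing method starts and ends outside the hunk.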
diff --git a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
index e09e2e3..96f7832 100644
--- a/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
+++ b/plugins/core/src/test/java/org/apache/cxf/fediz/core/samlsso/SAMLResponseTest.java
@@ -1276,6 +1276,130 @@ public class SAMLResponseTest {
FedizProcessor wfProc = new SAMLProcessorImpl();
wfProc.processRequest(wfReq, config);
}
+
+ @org.junit.Test
+ public void validateUnsignedLogoutResponse() throws Exception {
+ // Mock up a LogoutResponse
+ FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+ String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+ String status = "urn:oasis:names:tc:SAML:2.0:status:Success";
+ Element logoutResponse = createLogoutResponse(status, TEST_REQUEST_URL, false, requestId);
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+ EasyMock.replay(req);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setResponseToken(encodeResponse(logoutResponse));
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ wfReq.setState(relayState);
+ wfReq.setRequest(req);
+ wfReq.setSignOutRequest(true);
+
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ try {
+ wfProc.processRequest(wfReq, config);
+ fail("Failure expected on an unsigned response");
+ } catch (ProcessingException ex) {
+ // expected
+ }
+ }
+
+ @org.junit.Test
+ public void validateUntrustedLogoutResponse() throws Exception {
+ // Mock up a LogoutResponse
+ FedizContext config = getFederationConfigurator().getFedizContext("CLIENT_TRUST");
+
+ String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+ String status = "urn:oasis:names:tc:SAML:2.0:status:Success";
+ Element logoutResponse = createLogoutResponse(status, TEST_REQUEST_URL, true, requestId);
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+ EasyMock.replay(req);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setResponseToken(encodeResponse(logoutResponse));
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ wfReq.setState(relayState);
+ wfReq.setRequest(req);
+ wfReq.setSignOutRequest(true);
+
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ try {
+ wfProc.processRequest(wfReq, config);
+ fail("Failure expected on an untrusted response");
+ } catch (ProcessingException ex) {
+ // expected
+ }
+ }
+
+ @org.junit.Test
+ public void validateBadStatusInLogoutResponse() throws Exception {
+ // Mock up a LogoutResponse
+ FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+ String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+ String status = "urn:oasis:names:tc:SAML:2.0:status:Requester";
+ Element logoutResponse = createLogoutResponse(status, TEST_REQUEST_URL, true, requestId);
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+ EasyMock.replay(req);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setResponseToken(encodeResponse(logoutResponse));
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ wfReq.setState(relayState);
+ wfReq.setRequest(req);
+ wfReq.setSignOutRequest(true);
+
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ try {
+ wfProc.processRequest(wfReq, config);
+ fail("Failure expected on a a bad status code");
+ } catch (ProcessingException ex) {
+ // expected
+ }
+ }
+
+ @org.junit.Test
+ public void validateBadDestinationLogoutResponse() throws Exception {
+ // Mock up a LogoutResponse
+ FedizContext config = getFederationConfigurator().getFedizContext("ROOT");
+
+ String requestId = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+
+ String status = "urn:oasis:names:tc:SAML:2.0:status:Success";
+ Element logoutResponse = createLogoutResponse(status, TEST_REQUEST_URL + "_", false, requestId);
+
+ HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
+ EasyMock.expect(req.getRequestURL()).andReturn(new StringBuffer(TEST_REQUEST_URL));
+ EasyMock.expect(req.getRemoteAddr()).andReturn(TEST_CLIENT_ADDRESS);
+ EasyMock.replay(req);
+
+ FedizRequest wfReq = new FedizRequest();
+ wfReq.setResponseToken(encodeResponse(logoutResponse));
+ String relayState = URLEncoder.encode(UUID.randomUUID().toString(), "UTF-8");
+ wfReq.setState(relayState);
+ wfReq.setRequest(req);
+ wfReq.setSignOutRequest(true);
+
+ FedizProcessor wfProc = new SAMLProcessorImpl();
+ try {
+ wfProc.processRequest(wfReq, config);
+ fail("Failure expected on a bad destination");
+ } catch (ProcessingException ex) {
+ // expected
+ }
+ }
private String createSamlResponseStr(String requestId) throws Exception {
// Create SAML Assertion