1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.test;
20  
21  import java.util.ArrayList;
22  import java.util.LinkedList;
23  import java.util.List;
24  
25  import javax.xml.namespace.QName;
26  
27  import org.apache.wss4j.common.ext.WSSecurityException;
28  import org.apache.wss4j.policy.stax.PolicyViolationException;
29  import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
30  import org.apache.wss4j.stax.ext.WSSConstants;
31  import org.apache.wss4j.stax.securityEvent.EncryptedPartSecurityEvent;
32  import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
33  import org.apache.xml.security.stax.ext.XMLSecurityConstants;
34  import org.junit.jupiter.api.Test;
35  
36  import static org.junit.jupiter.api.Assertions.assertEquals;
37  import static org.junit.jupiter.api.Assertions.assertTrue;
38  import static org.junit.jupiter.api.Assertions.fail;
39  
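/**
 * Policy-enforcement tests for the WS-SecurityPolicy {@code sp:EncryptedParts} assertion.
 *
 * <p>Each test builds a {@link PolicyEnforcer} from a small policy fragment, feeds it the
 * security events the StAX layer would emit for an incoming message (the operation, then one
 * {@link EncryptedPartSecurityEvent} per body/header part) and checks whether the enforcer
 * accepts the message or raises a {@link PolicyViolationException}.
 *
 * <p>Negative tests must always call {@code fail(...)} directly after the call that is expected
 * to throw: a negative test whose {@code try} block has no {@code fail} passes silently when the
 * enforcer stops rejecting the unprotected part, which is exactly the regression these tests
 * exist to catch.
 */
public class EncryptedPartsTest extends AbstractPolicyTestBase {

    /** Namespace of the application headers referenced by the policies below. */
    private static final String EXAMPLE_NS = "http://example.org";

    /** Opening tag shared by every policy fragment in this class. */
    private static final String ENCRYPTED_PARTS_OPEN =
            "<sp:EncryptedParts xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n";

    /** Body, the named header {@code {http://example.org}a} and attachments must be encrypted. */
    private static final String EXPLICIT_HEADER_POLICY =
            ENCRYPTED_PARTS_OPEN
                    + "<sp:Body/>\n"
                    + "<sp:Header Name=\"a\" Namespace=\"http://example.org\"/>\n"
                    + "<sp:Attachments/>\n"
                    + "</sp:EncryptedParts>";

    /**
     * EncryptedParts with no child assertions. The negative test below expects the enforcer to
     * treat this as "SOAP-Body must be encrypted".
     */
    private static final String EMPTY_POLICY =
            ENCRYPTED_PARTS_OPEN
                    + "</sp:EncryptedParts>";

    /** Body, every header in {@code http://example.org} (no Name given) and attachments. */
    private static final String WILDCARD_HEADER_POLICY =
            ENCRYPTED_PARTS_OPEN
                    + "<sp:Body/>\n"
                    + "<sp:Header Namespace=\"http://example.org\"/>\n"
                    + "<sp:Attachments/>\n"
                    + "</sp:EncryptedParts>";

    /** Violation message the enforcer produces for an unencrypted header {@code a}. */
    private static final String HEADER_A_NOT_ENCRYPTED =
            "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://example.org}a must be encrypted";

    /** Violation message the enforcer produces for an unencrypted body under an empty policy. */
    private static final String BODY_NOT_ENCRYPTED = "SOAP-Body must be encrypted";

    /**
     * Explicit policy: encrypted body, header {@code a} and an additional header {@code b} that
     * the policy does not mention. Additional encrypted parts must be accepted.
     */
    @Test
    public void testPolicy() throws Exception {
        assertBodyAndHeadersAccepted(EXPLICIT_HEADER_POLICY);
    }

    /**
     * Explicit policy: the body is encrypted but header {@code a} arrives unencrypted, which
     * must be rejected as a policy violation.
     */
    @Test
    public void testPolicyMultipleAssertionEventsNegative() throws Exception {
        assertUnencryptedHeaderRejected(EXPLICIT_HEADER_POLICY);
    }

    /**
     * Empty policy: an encrypted body plus encrypted headers the policy does not name must be
     * accepted.
     */
    @Test
    public void testPolicyWholeBody() throws Exception {
        assertBodyAndHeadersAccepted(EMPTY_POLICY);
    }

    /**
     * Empty policy: an unencrypted body must be rejected.
     *
     * <p>The original version of this test had no {@code fail} after the register call, so it
     * would have passed even if the enforcer accepted the unencrypted body.
     */
    @Test
    public void testPolicyWholeBodyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(EMPTY_POLICY);

        EncryptedPartSecurityEvent unencryptedBody = unencryptedPart();
        unencryptedBody.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        try {
            policyEnforcer.registerSecurityEvent(unencryptedBody);
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertPolicyViolation(e, BODY_NOT_ENCRYPTED);
        }
    }

    /**
     * Wildcard header policy (Namespace only): encrypted body and encrypted headers {@code a}
     * and {@code b} in that namespace must be accepted.
     */
    @Test
    public void testPolicyWildcardHeader() throws Exception {
        assertBodyAndHeadersAccepted(WILDCARD_HEADER_POLICY);
    }

    /**
     * Wildcard header policy: an unencrypted header {@code a} in the wildcarded namespace must be
     * rejected.
     */
    @Test
    public void testPolicyWildcardHeaderNegative() throws Exception {
        assertUnencryptedHeaderRejected(WILDCARD_HEADER_POLICY);
    }

    /**
     * Shared positive scenario: registers an encrypted body, an encrypted header {@code a} and an
     * additional encrypted header {@code b}, then runs {@code doFinal()}. Any violation surfaces
     * as an exception from the enforcer.
     *
     * @param policyString the EncryptedParts fragment to enforce
     * @throws Exception if the enforcer reports a violation or fails to start
     */
    private void assertBodyAndHeadersAccepted(String policyString) throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(policyString);

        registerEncryptedPart(policyEnforcer, WSSConstants.SOAP_11_BODY_PATH);
        registerEncryptedPart(policyEnforcer, headerPath("a"));
        // additional encrypted parts not named by the policy are also allowed
        registerEncryptedPart(policyEnforcer, headerPath("b"));
        policyEnforcer.doFinal();
    }

    /**
     * Shared negative scenario: registers an encrypted body followed by an unencrypted header
     * {@code a}; the second registration must throw a {@link WSSecurityException} caused by a
     * {@link PolicyViolationException}.
     *
     * @param policyString the EncryptedParts fragment to enforce
     * @throws Exception if the enforcer fails to start or the body registration is rejected
     */
    private void assertUnencryptedHeaderRejected(String policyString) throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(policyString);

        registerEncryptedPart(policyEnforcer, WSSConstants.SOAP_11_BODY_PATH);

        EncryptedPartSecurityEvent unencryptedHeader = unencryptedPart();
        unencryptedHeader.setElementPath(headerPath("a"));
        try {
            policyEnforcer.registerSecurityEvent(unencryptedHeader);
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertPolicyViolation(e, HEADER_A_NOT_ENCRYPTED);
        }
    }

    /**
     * Builds and starts the policy engine and registers the operation event every message starts
     * with, so the enforcer can select the effective policy.
     *
     * @param policyString the EncryptedParts fragment to enforce
     * @return the started enforcer, ready to receive part events
     * @throws Exception if the engine cannot be built or the operation event is rejected
     */
    private PolicyEnforcer startEngine(String policyString) throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);

        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        policyEnforcer.registerSecurityEvent(operationSecurityEvent);
        return policyEnforcer;
    }

    /**
     * Registers a fresh encrypted-part event for the given element path. A new event is created
     * per part rather than mutating one shared instance, so the enforcer never sees an event whose
     * path changes after registration.
     *
     * @param policyEnforcer the enforcer under test
     * @param elementPath    path of the encrypted element
     * @throws WSSecurityException if the enforcer rejects the event
     */
    private static void registerEncryptedPart(PolicyEnforcer policyEnforcer, List<QName> elementPath)
            throws WSSecurityException {
        EncryptedPartSecurityEvent event = encryptedPart();
        event.setElementPath(elementPath);
        policyEnforcer.registerSecurityEvent(event);
    }

    /**
     * Creates an event for a part that was signed and then encrypted (protection order
     * SIGNATURE, ENCRYPTION).
     */
    private static EncryptedPartSecurityEvent encryptedPart() {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
        return new EncryptedPartSecurityEvent(null, true, protectionOrder);
    }

    /** Creates an event for a part that arrived unencrypted (no protection order). */
    private static EncryptedPartSecurityEvent unencryptedPart() {
        return new EncryptedPartSecurityEvent(null, false, null);
    }

    /**
     * Element path of a SOAP 1.1 header child {@code {http://example.org}localName}.
     *
     * @param localName local name of the header element
     * @return a new, mutable path ending in the header element
     */
    private static List<QName> headerPath(String localName) {
        List<QName> headerPath = new ArrayList<>(WSSConstants.SOAP_11_HEADER_PATH);
        headerPath.add(new QName(EXAMPLE_NS, localName));
        return headerPath;
    }

    /**
     * Asserts that the exception wraps a {@link PolicyViolationException} with the expected
     * message and carries the {@code InvalidSecurity} fault code.
     *
     * @param e               exception thrown by the enforcer
     * @param expectedMessage message the violation must carry
     */
    private static void assertPolicyViolation(WSSecurityException e, String expectedMessage) {
        assertTrue(e.getCause() instanceof PolicyViolationException);
        // JUnit convention: expected value first, so failure output reads correctly
        assertEquals(expectedMessage, e.getCause().getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
    }
}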
234 }