19 package org.apache.wss4j.policy.stax.test;
20
21 import java.util.ArrayList;
22 import java.util.LinkedList;
23 import java.util.List;
24
25 import javax.xml.namespace.QName;
26
27 import org.apache.wss4j.common.ext.WSSecurityException;
28 import org.apache.wss4j.policy.stax.PolicyViolationException;
29 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
30 import org.apache.wss4j.stax.ext.WSSConstants;
31 import org.apache.wss4j.stax.securityEvent.EncryptedPartSecurityEvent;
32 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
33 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
34 import org.junit.jupiter.api.Test;
35
36 import static org.junit.jupiter.api.Assertions.assertEquals;
37 import static org.junit.jupiter.api.Assertions.assertTrue;
38 import static org.junit.jupiter.api.Assertions.fail;
39
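/**
 * Enforcement tests for the WS-SecurityPolicy {@code sp:EncryptedParts} assertion.
 *
 * <p>Each test builds a policy, starts a {@link PolicyEnforcer} and replays the security
 * events an inbound message would emit. Positive tests expect a message whose covered parts
 * were all encrypted to pass {@code doFinal()}; negative tests expect a part the policy
 * covers but which arrived in the clear to be rejected at registration time with a
 * {@link WSSecurityException} whose fault code is
 * {@link WSSecurityException#INVALID_SECURITY} and whose cause is a
 * {@link PolicyViolationException}.
 */
public class EncryptedPartsTest extends AbstractPolicyTestBase {

    /** Namespace of the application header referenced by the policies below. */
    private static final String EXAMPLE_NS = "http://example.org";

    /** Child assertions covering the Body, the {@code a} header and the attachments. */
    private static final String BODY_HEADER_A_ATTACHMENTS =
        "<sp:Body/>\n"
        + "<sp:Header Name=\"a\" Namespace=\"http://example.org\"/>\n"
        + "<sp:Attachments/>\n";

    /** Child assertions covering the Body, every header in the example namespace and the attachments. */
    private static final String BODY_WILDCARD_HEADER_ATTACHMENTS =
        "<sp:Body/>\n"
        + "<sp:Header Namespace=\"http://example.org\"/>\n"
        + "<sp:Attachments/>\n";

    /** Violation message the enforcer reports when the {@code a} header is not encrypted. */
    private static final String HEADER_A_MUST_BE_ENCRYPTED =
        "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/"
        + "{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://example.org}a must be encrypted";

    /**
     * Wraps {@code parts} in an {@code sp:EncryptedParts} element with the usual namespace
     * declarations.
     *
     * @param parts child assertions, each terminated by a newline; {@code ""} for a bare assertion
     * @return the policy XML
     */
    private static String encryptedPartsPolicy(String parts) {
        return "<sp:EncryptedParts xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\""
            + " xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n"
            + parts
            + "</sp:EncryptedParts>";
    }

    /**
     * Builds and starts an enforcer for {@code policyString} and registers the
     * {@code definitions} operation event before any part event is delivered.
     *
     * @param policyString the policy XML
     * @return the started enforcer
     * @throws Exception from the engine setup or the event registration
     */
    private PolicyEnforcer startEngine(String policyString) throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        policyEnforcer.registerSecurityEvent(operationSecurityEvent);
        return policyEnforcer;
    }

    /**
     * Element path of the SOAP 1.1 header {@code localName} in the example namespace.
     *
     * @param localName local name of the header element
     * @return a fresh, mutable path ending in that header
     */
    private static List<QName> exampleHeaderPath(String localName) {
        List<QName> path = new ArrayList<>(WSSConstants.SOAP_11_HEADER_PATH);
        path.add(new QName(EXAMPLE_NS, localName));
        return path;
    }

    /**
     * Event for a part that was encrypted, with protection order
     * {@code SIGNATURE, ENCRYPTION}.
     *
     * <p>A fresh event is created per part so that a later {@code setElementPath} call can
     * never retroactively change the path of an event that was already registered.
     *
     * @param elementPath path of the encrypted element
     * @return the event, ready to be registered
     */
    private static EncryptedPartSecurityEvent encryptedPart(List<QName> elementPath) {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
        EncryptedPartSecurityEvent event = new EncryptedPartSecurityEvent(null, true, protectionOrder);
        event.setElementPath(elementPath);
        return event;
    }

    /**
     * Event for a part that arrived without encryption.
     *
     * @param elementPath path of the clear-text element
     * @return the event, ready to be registered
     */
    private static EncryptedPartSecurityEvent unencryptedPart(List<QName> elementPath) {
        EncryptedPartSecurityEvent event = new EncryptedPartSecurityEvent(null, false, null);
        event.setElementPath(elementPath);
        return event;
    }

    /**
     * Asserts that {@code e} is the enforcer's rejection of an unencrypted part: a
     * {@link PolicyViolationException} cause with {@code expectedMessage} and the
     * {@code INVALID_SECURITY} fault code.
     */
    private static void assertEncryptionViolation(WSSecurityException e, String expectedMessage) {
        assertTrue(e.getCause() instanceof PolicyViolationException);
        // expected first, actual second, so a mismatch reads correctly in the report
        assertEquals(expectedMessage, e.getCause().getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
    }

    /** Body, the named header and an extra header all encrypted: the message is accepted. */
    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(encryptedPartsPolicy(BODY_HEADER_A_ATTACHMENTS));
        policyEnforcer.registerSecurityEvent(encryptedPart(WSSConstants.SOAP_11_BODY_PATH));
        policyEnforcer.registerSecurityEvent(encryptedPart(exampleHeaderPath("a")));
        // header "b" is not named by the policy; an encrypted extra part is not a violation
        policyEnforcer.registerSecurityEvent(encryptedPart(exampleHeaderPath("b")));
        policyEnforcer.doFinal();
    }

    /** Body encrypted but the required header {@code a} delivered in the clear: rejected. */
    @Test
    public void testPolicyMultipleAssertionEventsNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(encryptedPartsPolicy(BODY_HEADER_A_ATTACHMENTS));
        policyEnforcer.registerSecurityEvent(encryptedPart(WSSConstants.SOAP_11_BODY_PATH));
        try {
            policyEnforcer.registerSecurityEvent(unencryptedPart(exampleHeaderPath("a")));
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertEncryptionViolation(e, HEADER_A_MUST_BE_ENCRYPTED);
        }
    }

    /** An {@code sp:EncryptedParts} with no children, Body and headers encrypted: accepted. */
    @Test
    public void testPolicyWholeBody() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(encryptedPartsPolicy(""));
        policyEnforcer.registerSecurityEvent(encryptedPart(WSSConstants.SOAP_11_BODY_PATH));
        policyEnforcer.registerSecurityEvent(encryptedPart(exampleHeaderPath("a")));
        policyEnforcer.registerSecurityEvent(encryptedPart(exampleHeaderPath("b")));
        policyEnforcer.doFinal();
    }

    /** An {@code sp:EncryptedParts} with no children and an unencrypted Body: rejected. */
    @Test
    public void testPolicyWholeBodyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(encryptedPartsPolicy(""));
        try {
            policyEnforcer.registerSecurityEvent(unencryptedPart(WSSConstants.SOAP_11_BODY_PATH));
            // without this the test passes silently if the enforcer misses the violation
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertEncryptionViolation(e, "SOAP-Body must be encrypted");
        }
    }

    /** Wildcard header assertion with every example-namespace header encrypted: accepted. */
    @Test
    public void testPolicyWildcardHeader() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(encryptedPartsPolicy(BODY_WILDCARD_HEADER_ATTACHMENTS));
        policyEnforcer.registerSecurityEvent(encryptedPart(WSSConstants.SOAP_11_BODY_PATH));
        policyEnforcer.registerSecurityEvent(encryptedPart(exampleHeaderPath("a")));
        policyEnforcer.registerSecurityEvent(encryptedPart(exampleHeaderPath("b")));
        policyEnforcer.doFinal();
    }

    /** Wildcard header assertion with one example-namespace header in the clear: rejected. */
    @Test
    public void testPolicyWildcardHeaderNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(encryptedPartsPolicy(BODY_WILDCARD_HEADER_ATTACHMENTS));
        policyEnforcer.registerSecurityEvent(encryptedPart(WSSConstants.SOAP_11_BODY_PATH));
        try {
            policyEnforcer.registerSecurityEvent(unencryptedPart(exampleHeaderPath("a")));
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertEncryptionViolation(e, HEADER_A_MUST_BE_ENCRYPTED);
        }
    }
}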