1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  
20  package org.apache.wss4j.policy.stax.test;
21  
22  import java.util.ArrayList;
23  import java.util.LinkedList;
24  import java.util.List;
25  
26  import javax.xml.namespace.QName;
27  
28  import org.apache.wss4j.common.ext.WSSecurityException;
29  import org.apache.wss4j.common.saml.SAMLCallback;
30  import org.apache.wss4j.common.saml.SamlAssertionWrapper;
31  import org.apache.wss4j.common.saml.bean.AttributeBean;
32  import org.apache.wss4j.common.saml.bean.AttributeStatementBean;
33  import org.apache.wss4j.common.saml.bean.SubjectBean;
34  import org.apache.wss4j.common.saml.bean.Version;
35  import org.apache.wss4j.policy.stax.PolicyViolationException;
36  import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
37  import org.apache.wss4j.stax.ext.WSSConstants;
38  import org.apache.wss4j.stax.impl.securityToken.KerberosServiceSecurityTokenImpl;
39  import org.apache.wss4j.stax.impl.securityToken.SamlSecurityTokenImpl;
40  import org.apache.wss4j.stax.securityEvent.KerberosTokenSecurityEvent;
41  import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
42  import org.apache.wss4j.stax.securityEvent.SamlTokenSecurityEvent;
43  import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
44  import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
45  import org.apache.xml.security.stax.ext.XMLSecurityConstants;
46  import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
47  import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
48  import org.junit.jupiter.api.Test;
49  
50  import static org.junit.jupiter.api.Assertions.assertEquals;
51  import static org.junit.jupiter.api.Assertions.assertTrue;
52  import static org.junit.jupiter.api.Assertions.fail;
53  
54  public class IssuedTokenTest extends AbstractPolicyTestBase {
55  
    /**
     * AsymmetricBinding policy used by the SAML tests below.
     *
     * <ul>
     *   <li>InitiatorToken: an IssuedToken from {@code http://initiatorTokenIssuer.com} whose
     *       RequestSecurityTokenTemplate demands a SAML V2.0 token, a PublicKey key type and the
     *       identity claims {@code email} and {@code surname}; {@code phone} is marked
     *       {@code Optional="true"}. RequireExternalReference is set.</li>
     *   <li>RecipientToken: an IssuedToken from {@code http://recipientTokenIssuer.com} with an empty
     *       template, also with RequireExternalReference.</li>
     *   <li>AlgorithmSuite: Basic256.</li>
     * </ul>
     *
     * {@code testPolicyWithSAMLTokenWrongKeyType} derives its policy from this string by replacing the
     * first occurrence of {@code PublicKey} with {@code SymmetricKey}, so keep that token unique here.
     */
    private static final String samlPolicyString =
            "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
            "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
            "<sp:InitiatorToken>\n" +
            "   <wsp:Policy>\n" +
            "       <sp:IssuedToken>\n" +
            "           <sp:IssuerName>http://initiatorTokenIssuer.com</sp:IssuerName>\n" +
            "           <sp:RequestSecurityTokenTemplate xmlns:t=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">\n" +
            "               <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>\n" +
            "               <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>\n" +
            "               <t:Claims Dialect=\"http://schemas.xmlsoap.org/ws/2005/05/identity\"\n" +
            "                   xmlns:ic=\"http://schemas.xmlsoap.org/ws/2005/05/identity\">\n" +
            "                   <ic:ClaimType Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email\"/>\n" +
            "                   <ic:ClaimType Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\"/>\n" +
            "                   <ic:ClaimType Uri=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/phone\" Optional=\"true\"/>\n" +
            "               </t:Claims>\n" +
            "           </sp:RequestSecurityTokenTemplate>\n" +
            "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
            "               <sp:RequireExternalReference/>\n" +
            "           </wsp:Policy>\n" +
            "       </sp:IssuedToken>\n" +
            "   </wsp:Policy>\n" +
            "</sp:InitiatorToken>\n" +
            "<sp:RecipientToken>\n" +
            "   <wsp:Policy>\n" +
            "       <sp:IssuedToken>\n" +
            "           <sp:IssuerName>http://recipientTokenIssuer.com</sp:IssuerName>\n" +
            "           <sp:RequestSecurityTokenTemplate/>\n" +
            "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
            "               <sp:RequireExternalReference/>\n" +
            "           </wsp:Policy>\n" +
            "       </sp:IssuedToken>\n" +
            "   </wsp:Policy>\n" +
            "</sp:RecipientToken>\n" +
            "   <sp:AlgorithmSuite>\n" +
            "       <wsp:Policy>\n" +
            "           <sp:Basic256/>\n" +
            "       </wsp:Policy>\n" +
            "   </sp:AlgorithmSuite>\n" +
            "</wsp:Policy>\n" +
            "</sp:AsymmetricBinding>";
97  
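    /**
     * Builds the SAML callback the SAML tests start from: an assertion issued by
     * {@code http://initiatorTokenIssuer.com} whose attribute statement carries the {@code email}
     * claim and, if {@code withSurname} is set, the {@code surname} claim. {@link #samlPolicyString}
     * lists both of those claims as required and {@code phone} as optional.
     *
     * @param version     SAML version of the assertion ({@code samlPolicyString} demands V2.0)
     * @param withSurname whether to include the surname attribute
     * @return the populated callback; callers may still change its issuer before re-issuing
     */
    private static SAMLCallback newSamlCallback(Version version, boolean withSurname) {
        SAMLCallback samlCallback = new SAMLCallback();
        samlCallback.setSamlVersion(version);
        samlCallback.setIssuer("http://initiatorTokenIssuer.com");
        SubjectBean subjectBean = new SubjectBean();
        samlCallback.setSubject(subjectBean);

        // One value list per attribute: the previous version reused (and cleared) a single list
        // for both beans, which aliases the values if AttributeBean keeps the list it is given.
        List<Object> emailValues = new ArrayList<>();
        emailValues.add("test@example.com");
        List<AttributeBean> attributeBeans = new ArrayList<>();
        attributeBeans.add(new AttributeBean("email",
                "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email", emailValues));
        if (withSurname) {
            List<Object> surnameValues = new ArrayList<>();
            surnameValues.add("Proper");
            attributeBeans.add(new AttributeBean("surname",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", surnameValues));
        }

        List<AttributeStatementBean> attributeStatementBeans = new ArrayList<>();
        attributeStatementBeans.add(new AttributeStatementBean(subjectBean, attributeBeans));
        samlCallback.setAttributeStatementData(attributeStatementBeans);
        return samlCallback;
    }

    /**
     * Re-issues the callback's assertion under the recipient issuer name expected by the
     * RecipientToken assertion of {@link #samlPolicyString}. Mutates {@code samlCallback}.
     *
     * @param samlCallback callback previously filled by {@link #newSamlCallback}
     * @return a fresh assertion wrapper issued by {@code http://recipientTokenIssuer.com}
     * @throws Exception whatever {@code createSamlAssertionWrapper} throws
     */
    private SamlAssertionWrapper issueForRecipient(SAMLCallback samlCallback) throws Exception {
        samlCallback.setIssuer("http://recipientTokenIssuer.com");
        return createSamlAssertionWrapper(samlCallback);
    }

    /**
     * Wraps {@code assertion} in a SAML security token keyed by the X509V3 test token and referenced
     * directly (security token reference). Token usage is left to the caller.
     *
     * @throws Exception whatever {@code getX509Token} throws
     */
    private SamlSecurityTokenImpl newSamlToken(SamlAssertionWrapper assertion) throws Exception {
        return new SamlSecurityTokenImpl(
                assertion, getX509Token(WSSecurityTokenConstants.X509V3Token), null, null,
                WSSecurityTokenConstants.KEYIDENTIFIER_SECURITY_TOKEN_DIRECT_REFERENCE, null);
    }

    /**
     * Publishes {@code token} to the enforcer as a SamlTokenSecurityEvent.
     *
     * @return the registered event, so later events can reference its security token
     * @throws Exception whatever {@code registerSecurityEvent} throws
     */
    private static SamlTokenSecurityEvent registerSamlToken(PolicyEnforcer policyEnforcer,
            SamlSecurityTokenImpl token) throws Exception {
        SamlTokenSecurityEvent tokenEvent = new SamlTokenSecurityEvent();
        tokenEvent.setSecurityToken(token);
        policyEnforcer.registerSecurityEvent(tokenEvent);
        return tokenEvent;
    }

    /**
     * Registers a signed and a content-encrypted SOAP 1.1 Body, both protected by the security
     * token of {@code protectingTokenEvent} with protection order signature-then-encryption.
     *
     * @throws Exception whatever {@code registerSecurityEvent} throws
     */
    private static void registerProtectedBody(PolicyEnforcer policyEnforcer,
            SamlTokenSecurityEvent protectingTokenEvent) throws Exception {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
        InboundSecurityToken protectingToken = (InboundSecurityToken) protectingTokenEvent.getSecurityToken();

        SignedPartSecurityEvent signedBody =
                new SignedPartSecurityEvent(protectingToken, true, protectionOrder);
        signedBody.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedBody);

        ContentEncryptedElementSecurityEvent encryptedBody =
                new ContentEncryptedElementSecurityEvent(protectingToken, true, protectionOrder);
        encryptedBody.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(encryptedBody);
    }

    /**
     * Registers the initiator token (main signature usage) over {@code initiatorAssertion}, the
     * recipient token (main encryption usage) over {@code recipientAssertion}, and then the Body
     * events protected by the recipient token. The operation event is left to the caller because
     * that is where the negative tests expect the violation to surface.
     *
     * @throws Exception whatever token creation or {@code registerSecurityEvent} throws
     */
    private void registerTokensAndBody(PolicyEnforcer policyEnforcer,
            SamlAssertionWrapper initiatorAssertion, SamlAssertionWrapper recipientAssertion) throws Exception {
        SamlSecurityTokenImpl initiatorToken = newSamlToken(initiatorAssertion);
        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        registerSamlToken(policyEnforcer, initiatorToken);

        SamlSecurityTokenImpl recipientToken = newSamlToken(recipientAssertion);
        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        SamlTokenSecurityEvent recipientTokenEvent = registerSamlToken(policyEnforcer, recipientToken);

        registerProtectedBody(policyEnforcer, recipientTokenEvent);
    }

    /** Builds the operation event for the {@code definitions} operation used by every test here. */
    private static OperationSecurityEvent newOperationEvent() {
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        return operationSecurityEvent;
    }

    /**
     * Registers the operation event and asserts that the enforcer rejects it with a
     * WSSecurityException whose cause is a PolicyViolationException carrying exactly
     * {@code expectedMessage}. Note JUnit's argument order: expected value first.
     *
     * @throws Exception never for the expected path; propagates anything other than the asserted failure
     */
    private static void assertOperationRejected(PolicyEnforcer policyEnforcer, String expectedMessage)
            throws Exception {
        try {
            policyEnforcer.registerSecurityEvent(newOperationEvent());
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertTrue(e.getCause() instanceof PolicyViolationException);
            assertEquals(expectedMessage, e.getCause().getMessage());
        }
    }

    /**
     * Positive case for {@link #samlPolicyString}: a SAML 2.0 initiator token from the expected
     * issuer carrying the mandatory email and surname claims, a recipient token from the recipient
     * issuer, a signed and content-encrypted Body and the operation event; {@code doFinal()} must
     * then complete without a policy violation.
     */
    @Test
    public void testPolicyWithSAMLToken() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(samlPolicyString);

        SAMLCallback samlCallback = newSamlCallback(Version.SAML_20, true);
        SamlAssertionWrapper initiatorAssertion = createSamlAssertionWrapper(samlCallback);
        SamlAssertionWrapper recipientAssertion = issueForRecipient(samlCallback);
        registerTokensAndBody(policyEnforcer, initiatorAssertion, recipientAssertion);

        policyEnforcer.registerSecurityEvent(newOperationEvent());
        policyEnforcer.doFinal();
    }

    /**
     * The recipient token is built from the initiator's own assertion, so its issuer is
     * {@code http://initiatorTokenIssuer.com} while the RecipientToken assertion demands
     * {@code http://recipientTokenIssuer.com}; the operation event must be rejected.
     */
    @Test
    public void testPolicyWithSAMLTokenWrongIssuer() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(samlPolicyString);

        SAMLCallback samlCallback = newSamlCallback(Version.SAML_20, true);
        SamlAssertionWrapper initiatorAssertion = createSamlAssertionWrapper(samlCallback);
        // Deliberately no re-issue for the recipient: both tokens wrap the initiator's assertion.
        registerTokensAndBody(policyEnforcer, initiatorAssertion, initiatorAssertion);

        assertOperationRejected(policyEnforcer,
                "IssuerName in Policy (http://recipientTokenIssuer.com) didn't match with the one in the IssuedToken (http://initiatorTokenIssuer.com)");
    }

    /** SAML 1.1 assertions violate the template's SAMLV2.0 TokenType. */
    @Test
    public void testPolicyWithSAMLTokenWrongTokenType() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(samlPolicyString);

        SAMLCallback samlCallback = newSamlCallback(Version.SAML_11, true);
        SamlAssertionWrapper initiatorAssertion = createSamlAssertionWrapper(samlCallback);
        SamlAssertionWrapper recipientAssertion = issueForRecipient(samlCallback);
        registerTokensAndBody(policyEnforcer, initiatorAssertion, recipientAssertion);

        assertOperationRejected(policyEnforcer, "Policy enforces SAML V2.0 token but got 1.1");
    }

    /**
     * The template's KeyType is rewritten from PublicKey to SymmetricKey while the tokens are still
     * built over the X509V3 test token, so the enforcer must report the key-type mismatch.
     */
    @Test
    public void testPolicyWithSAMLTokenWrongKeyType() throws Exception {
        PolicyEnforcer policyEnforcer =
                buildAndStartPolicyEngine(samlPolicyString.replaceFirst("PublicKey", "SymmetricKey"));

        SAMLCallback samlCallback = newSamlCallback(Version.SAML_20, true);
        SamlAssertionWrapper initiatorAssertion = createSamlAssertionWrapper(samlCallback);
        SamlAssertionWrapper recipientAssertion = issueForRecipient(samlCallback);
        registerTokensAndBody(policyEnforcer, initiatorAssertion, recipientAssertion);

        assertOperationRejected(policyEnforcer, "Policy enforces SAML token with a symmetric key");
    }

    /** Omitting the mandatory surname claim (only phone is optional) is a policy violation. */
    @Test
    public void testPolicyWithSAMLTokenMissingClaimType() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(samlPolicyString);

        SAMLCallback samlCallback = newSamlCallback(Version.SAML_20, false);
        SamlAssertionWrapper initiatorAssertion = createSamlAssertionWrapper(samlCallback);
        SamlAssertionWrapper recipientAssertion = issueForRecipient(samlCallback);
        registerTokensAndBody(policyEnforcer, initiatorAssertion, recipientAssertion);

        assertOperationRejected(policyEnforcer,
                "Attribute http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname not found in the SAMLAssertion");
    }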
446 
    /**
     * AsymmetricBinding policy used by the Kerberos tests below. It mirrors {@link #samlPolicyString}
     * (same issuer names, RequireExternalReference and Basic256) but the initiator's
     * RequestSecurityTokenTemplate asks only for the Kerberos v5 AP-REQ/SHA1 token type.
     *
     * The token-type URI is spelled {@code docs.oasisopen.org/wss/oasiswss-kerberos-tokenprofile-1.1}
     * (no hyphens in the host or path). The Kerberos test tokens use exactly the same string;
     * the comparison is presumably verbatim, so keep both sides identical when editing either.
     */
    private static final String kerberosPolicyString =
            "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
                    "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
                    "<sp:InitiatorToken>\n" +
                    "   <wsp:Policy>\n" +
                    "       <sp:IssuedToken>\n" +
                    "           <sp:IssuerName>http://initiatorTokenIssuer.com</sp:IssuerName>\n" +
                    "           <sp:RequestSecurityTokenTemplate xmlns:t=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">\n" +
                    "               <t:TokenType>http://docs.oasisopen.org/wss/oasiswss-kerberos-tokenprofile-1.1#Kerberosv5APREQSHA1</t:TokenType>\n" +
                    "           </sp:RequestSecurityTokenTemplate>\n" +
                    "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
                    "               <sp:RequireExternalReference/>\n" +
                    "           </wsp:Policy>\n" +
                    "       </sp:IssuedToken>\n" +
                    "   </wsp:Policy>\n" +
                    "</sp:InitiatorToken>\n" +
                    "<sp:RecipientToken>\n" +
                    "   <wsp:Policy>\n" +
                    "       <sp:IssuedToken>\n" +
                    "           <sp:IssuerName>http://recipientTokenIssuer.com</sp:IssuerName>\n" +
                    "           <sp:RequestSecurityTokenTemplate/>\n" +
                    "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
                    "               <sp:RequireExternalReference/>\n" +
                    "           </wsp:Policy>\n" +
                    "       </sp:IssuedToken>\n" +
                    "   </wsp:Policy>\n" +
                    "</sp:RecipientToken>\n" +
                    "   <sp:AlgorithmSuite>\n" +
                    "       <wsp:Policy>\n" +
                    "           <sp:Basic256/>\n" +
                    "       </wsp:Policy>\n" +
                    "   </sp:AlgorithmSuite>\n" +
                    "</wsp:Policy>\n" +
                    "</sp:AsymmetricBinding>";
481 
482     @Test
    /**
     * Builds a Kerberos service token with the AP-REQ/SHA1 token type and SHA-1 value {@code "1"},
     * referenced by an embedded key identifier. Matches the TokenType of
     * {@link #kerberosPolicyString}; token usage is left to the caller.
     */
    private static KerberosServiceSecurityTokenImpl newKerberosApReqSha1Token() throws Exception {
        return new KerberosServiceSecurityTokenImpl(
                null, null, null,
                "http://docs.oasisopen.org/wss/oasiswss-kerberos-tokenprofile-1.1#Kerberosv5APREQSHA1",
                "1", WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF);
    }

    /**
     * Positive case for {@link #kerberosPolicyString}: initiator and recipient Kerberos tokens whose
     * issuer names and token type match the policy, a signed and content-encrypted Body protected by
     * the recipient token, and the operation event; {@code doFinal()} must then pass.
     */
    @Test
    public void testPolicyWithKerberosToken() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(kerberosPolicyString);

        // Initiator: used for the main signature.
        KerberosServiceSecurityTokenImpl initiatorToken = newKerberosApReqSha1Token();
        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        KerberosTokenSecurityEvent initiatorEvent = new KerberosTokenSecurityEvent();
        initiatorEvent.setIssuerName("http://initiatorTokenIssuer.com");
        initiatorEvent.setSecurityToken(initiatorToken);
        policyEnforcer.registerSecurityEvent(initiatorEvent);

        // Recipient: used for the main encryption and as the protecting token of the Body events.
        KerberosServiceSecurityTokenImpl recipientToken = newKerberosApReqSha1Token();
        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        KerberosTokenSecurityEvent recipientEvent = new KerberosTokenSecurityEvent();
        recipientEvent.setIssuerName("http://recipientTokenIssuer.com");
        recipientEvent.setSecurityToken(recipientToken);
        policyEnforcer.registerSecurityEvent(recipientEvent);

        // Both Body events share the same protection order: signature first, then encryption.
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
        InboundSecurityToken protectingToken = (InboundSecurityToken) recipientEvent.getSecurityToken();

        SignedPartSecurityEvent signedBody = new SignedPartSecurityEvent(protectingToken, true, protectionOrder);
        signedBody.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedBody);

        ContentEncryptedElementSecurityEvent encryptedBody =
                new ContentEncryptedElementSecurityEvent(protectingToken, true, protectionOrder);
        encryptedBody.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(encryptedBody);

        OperationSecurityEvent operationEvent = new OperationSecurityEvent();
        operationEvent.setOperation(new QName("definitions"));
        policyEnforcer.registerSecurityEvent(operationEvent);

        policyEnforcer.doFinal();
    }
528 
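    /**
     * Negative case: an initiator token of a different Kerberos token type than the
     * one the policy mandates must be rejected.
     *
     * The initiator token is created with the GSS AP-REQ token type while
     * {@code kerberosPolicyString} requires the AP-REQ SHA1 type; the recipient token
     * is conforming. The violation is expected to surface when the operation event is
     * registered, as a {@link WSSecurityException} whose cause is a
     * {@link PolicyViolationException} naming both the expected and the actual type.
     *
     * @throws Exception on unexpected failures of the policy engine setup
     */
    @Test
    public void testPolicyWithKerberosTokenWrongTokenType() throws Exception {

        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(kerberosPolicyString);

        // Initiator token deliberately uses a token type the policy does not allow.
        KerberosTokenSecurityEvent initiatorTokenSecurityEvent = new KerberosTokenSecurityEvent();
        initiatorTokenSecurityEvent.setIssuerName("http://initiatorTokenIssuer.com");
        KerberosServiceSecurityTokenImpl securityToken = new KerberosServiceSecurityTokenImpl(
                null, null, null,
                "http://docs.oasisopen.org/wss/oasiswss-kerberos-tokenprofile-1.1#GSS_Kerberosv5_AP_REQ",
                "1", WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF);
        securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        initiatorTokenSecurityEvent.setSecurityToken(securityToken);
        policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);

        // Recipient token is of the policy-mandated type, so the only deviation is the initiator's.
        KerberosTokenSecurityEvent recipientTokenSecurityEvent = new KerberosTokenSecurityEvent();
        recipientTokenSecurityEvent.setIssuerName("http://recipientTokenIssuer.com");
        securityToken = new KerberosServiceSecurityTokenImpl(
                null, null, null,
                "http://docs.oasisopen.org/wss/oasiswss-kerberos-tokenprofile-1.1#Kerberosv5APREQSHA1",
                "1", WSSecurityTokenConstants.KEYIDENTIFIER_EMBEDDED_KEY_IDENTIFIER_REF);
        securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        recipientTokenSecurityEvent.setSecurityToken(securityToken);
        policyEnforcer.registerSecurityEvent(recipientTokenSecurityEvent);

        // Body is signed and then content-encrypted with the recipient token.
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
        SignedPartSecurityEvent signedPartSecurityEvent =
                new SignedPartSecurityEvent(
                        (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
        signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);

        ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
                new ContentEncryptedElementSecurityEvent(
                        (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
        contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);

        // Policy evaluation happens on the operation event; this is where the mismatch must be caught.
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        try {
            policyEnforcer.registerSecurityEvent(operationSecurityEvent);
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertTrue(e.getCause() instanceof PolicyViolationException);
            // JUnit convention is assertEquals(expected, actual); keeping that order makes the
            // failure message ("expected:<...> but was:<...>") read correctly.
            assertEquals(
                    "Policy enforces Kerberos token of type http://docs.oasisopen.org/wss/oasiswss-kerberos-tokenprofile-1.1#Kerberosv5APREQSHA1 but got http://docs.oasisopen.org/wss/oasiswss-kerberos-tokenprofile-1.1#GSS_Kerberosv5_AP_REQ",
                    e.getCause().getMessage());
        }
    }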
580 }