19 package org.apache.wss4j.policy.stax.test;
20
21 import java.util.LinkedList;
22 import java.util.List;
23
24 import javax.xml.namespace.QName;
25
26 import org.apache.wss4j.common.ext.WSSecurityException;
27 import org.apache.wss4j.policy.stax.PolicyViolationException;
28 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
29 import org.apache.wss4j.stax.ext.WSSConstants;
30 import org.apache.wss4j.stax.impl.securityToken.ECKeyValueSecurityTokenImpl;
31 import org.apache.wss4j.stax.impl.securityToken.RsaKeyValueSecurityTokenImpl;
32 import org.apache.wss4j.stax.securityEvent.KeyValueTokenSecurityEvent;
33 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
34 import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
35 import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
36 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
37 import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
38 import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
39 import org.junit.jupiter.api.Test;
40
41 import static org.junit.jupiter.api.Assertions.assertEquals;
42 import static org.junit.jupiter.api.Assertions.assertTrue;
43 import static org.junit.jupiter.api.Assertions.fail;
44
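/**
 * Policy-enforcement tests for {@code sp:KeyValueToken} under an AsymmetricBinding.
 *
 * <p>Both tests use the same policy, which mandates an {@code sp:RsaKeyValue} for the
 * initiator (signing) and recipient (encryption) tokens. The positive test feeds RSA
 * key-value tokens and expects the enforcer to finish cleanly; the negative test feeds
 * EC key-value tokens and expects the enforcer to refuse the message. The security
 * property under test is that a key of the wrong type is rejected outright (fault code
 * {@code INVALID_SECURITY}) rather than being silently accepted.
 */
public class KeyValueTokenTest extends AbstractPolicyTestBase {

    /**
     * AsymmetricBinding policy requiring RsaKeyValue tokens on both sides with the
     * Basic256 algorithm suite. Shared verbatim by both tests so they cannot drift apart.
     */
    private static final String RSA_KEY_VALUE_POLICY =
            "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
            "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
            "<sp:InitiatorToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:KeyValueToken>\n" +
            " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
            " <sp:RsaKeyValue/>\n" +
            " </wsp:Policy>\n" +
            " </sp:KeyValueToken>\n" +
            " </wsp:Policy>\n" +
            "</sp:InitiatorToken>\n" +
            "<sp:RecipientToken>\n" +
            " <wsp:Policy>\n" +
            " <sp:KeyValueToken>\n" +
            " <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
            " <sp:RsaKeyValue/>\n" +
            " </wsp:Policy>\n" +
            " </sp:KeyValueToken>\n" +
            " </wsp:Policy>\n" +
            "</sp:RecipientToken>\n" +
            " <sp:AlgorithmSuite>\n" +
            " <wsp:Policy>\n" +
            " <sp:Basic256/>\n" +
            " </wsp:Policy>\n" +
            " </sp:AlgorithmSuite>\n" +
            "</wsp:Policy>\n" +
            "</sp:AsymmetricBinding>";

    /**
     * Operation name registered at the end of each test; registering the operation is what
     * triggers the enforcer to evaluate the binding assertions, so the negative test only
     * expects a violation at that point and not on the earlier token events.
     */
    private static final QName OPERATION = new QName("definitions");

    /**
     * Registers a signed-then-encrypted SOAP 1.1 Body against {@code token}.
     *
     * <p>The protection order is SIGNATURE followed by ENCRYPTION, i.e. sign-before-encrypt,
     * and both the signed-part and content-encrypted events are marked as valid ({@code true}).
     *
     * @param policyEnforcer the enforcer under test
     * @param token          the inbound token the Body protection is attributed to
     * @throws Exception if the enforcer rejects either event
     */
    private static void registerProtectedBody(PolicyEnforcer policyEnforcer, InboundSecurityToken token)
            throws Exception {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);

        SignedPartSecurityEvent signedBody = new SignedPartSecurityEvent(token, true, protectionOrder);
        signedBody.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedBody);

        ContentEncryptedElementSecurityEvent encryptedBody =
                new ContentEncryptedElementSecurityEvent(token, true, protectionOrder);
        encryptedBody.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(encryptedBody);
    }

    /**
     * Positive case: RSA key-value tokens on both sides satisfy the RsaKeyValue policy,
     * so every event registers without error and {@code doFinal()} completes.
     */
    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(RSA_KEY_VALUE_POLICY);

        // Initiator token: RSA key used for the main signature.
        KeyValueTokenSecurityEvent initiatorTokenSecurityEvent = new KeyValueTokenSecurityEvent();
        RsaKeyValueSecurityTokenImpl initiatorToken = getRsaKeyValueSecurityToken();
        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        initiatorTokenSecurityEvent.setSecurityToken(initiatorToken);
        policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);

        // Recipient token: RSA key used for the main encryption.
        KeyValueTokenSecurityEvent recipientTokenSecurityEvent = new KeyValueTokenSecurityEvent();
        RsaKeyValueSecurityTokenImpl recipientToken = getRsaKeyValueSecurityToken();
        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        recipientTokenSecurityEvent.setSecurityToken(recipientToken);
        policyEnforcer.registerSecurityEvent(recipientTokenSecurityEvent);

        // NOTE(review): the signed Body is attributed to the recipient (encryption) token here,
        // although in an AsymmetricBinding the initiator token is the signing token. The enforcer
        // presumably does not cross-check the signing token's identity for these assertions;
        // confirm before relying on this test to cover token/part attribution.
        registerProtectedBody(policyEnforcer,
                (InboundSecurityToken) recipientTokenSecurityEvent.getSecurityToken());

        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(OPERATION);
        policyEnforcer.registerSecurityEvent(operationSecurityEvent);

        policyEnforcer.doFinal();
    }

    /**
     * Negative case: EC key-value tokens are presented where the policy mandates RsaKeyValue.
     * The enforcer must reject the message with a {@link WSSecurityException} whose fault code
     * is {@code INVALID_SECURITY} and whose cause is a {@link PolicyViolationException}. The
     * violation is expected to surface when the operation event is registered, not earlier.
     */
    @Test
    public void testPolicyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(RSA_KEY_VALUE_POLICY);

        // Initiator token: EC key for the main signature -- violates the RsaKeyValue requirement.
        KeyValueTokenSecurityEvent initiatorTokenSecurityEvent = new KeyValueTokenSecurityEvent();
        ECKeyValueSecurityTokenImpl initiatorToken = getECKeyValueSecurityToken();
        initiatorToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
        initiatorTokenSecurityEvent.setSecurityToken(initiatorToken);
        policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);

        // Recipient token: EC key for the main encryption -- also violates the policy.
        KeyValueTokenSecurityEvent recipientTokenSecurityEvent = new KeyValueTokenSecurityEvent();
        ECKeyValueSecurityTokenImpl recipientToken = getECKeyValueSecurityToken();
        recipientToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
        recipientTokenSecurityEvent.setSecurityToken(recipientToken);
        policyEnforcer.registerSecurityEvent(recipientTokenSecurityEvent);

        registerProtectedBody(policyEnforcer,
                (InboundSecurityToken) recipientTokenSecurityEvent.getSecurityToken());

        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(OPERATION);
        try {
            policyEnforcer.registerSecurityEvent(operationSecurityEvent);
            fail("Exception expected");
        } catch (WSSecurityException e) {
            // Expected-then-actual order so a mismatch reports correctly.
            assertTrue(e.getCause() instanceof PolicyViolationException);
            // This message pins the implementation class name of the offending token; it is
            // deliberately strict, but will need updating if that class is ever renamed.
            assertEquals(
                    "Policy enforces that a RsaKeyValue must be present in the KeyValueToken but we got a ECKeyValueSecurityTokenImpl",
                    e.getCause().getMessage());
            // A wrong key type must be reported as invalid security, not as a generic failure.
            assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
        }
    }
}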