1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.test;
20  
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;

import javax.xml.namespace.QName;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.policy.stax.PolicyViolationException;
import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.securityEvent.EncryptedPartSecurityEvent;
import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
import org.apache.xml.security.stax.securityEvent.EncryptedElementSecurityEvent;
import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail;
42  
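/**
 * Tests the protection-order check of the {@link PolicyEnforcer} for an
 * {@code sp:AsymmetricBinding}.
 *
 * <p>Without an explicit assertion the binding requires the SOAP body to be
 * signed before it is encrypted; the {@code sp:EncryptBeforeSigning} assertion
 * requires the opposite order. Each test replays the security events a message
 * would produce and either expects {@link PolicyEnforcer#doFinal()} to pass or
 * expects the first contradicting event to be rejected with a
 * {@link PolicyViolationException} wrapped in a {@link WSSecurityException}
 * carrying the {@code INVALID_SECURITY} fault code.
 */
public class ProtectionOrderTest extends AbstractPolicyTestBase {

    /**
     * Builds the policy under test: an AsymmetricBinding with a Basic256 algorithm suite.
     *
     * @param encryptBeforeSigning whether to add the {@code sp:EncryptBeforeSigning}
     *        assertion; without it the binding is enforced as sign-before-encrypt
     * @return the policy XML
     */
    private static String asymmetricBindingPolicy(boolean encryptBeforeSigning) {
        StringBuilder policy = new StringBuilder()
                .append("<sp:AsymmetricBinding  xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\">\n")
                .append("   <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n")
                .append("   <sp:AlgorithmSuite>\n")
                .append("       <wsp:Policy>\n")
                .append("           <sp:Basic256/>\n")
                .append("       </wsp:Policy>\n")
                .append("   </sp:AlgorithmSuite>\n");
        if (encryptBeforeSigning) {
            policy.append("       <sp:EncryptBeforeSigning/>\n");
        }
        return policy
                .append("   </wsp:Policy>\n")
                .append("</sp:AsymmetricBinding>\n")
                .toString();
    }

    /**
     * Starts the policy engine for {@code policyString} and registers the operation
     * event that every test begins with.
     *
     * @param policyString the policy XML to enforce
     * @return the started enforcer
     * @throws Exception if the engine cannot be built or the operation event is rejected
     */
    private PolicyEnforcer startEngine(String policyString) throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        policyEnforcer.registerSecurityEvent(operationSecurityEvent);
        return policyEnforcer;
    }

    /**
     * Returns a mutable list holding {@code order}, the protection order a message
     * applied to the element the event describes.
     *
     * @param order the content types in the order they were applied
     * @return a fresh list containing {@code order}
     */
    private static List<XMLSecurityConstants.ContentType> protectionOrder(
            XMLSecurityConstants.ContentType... order) {
        return new ArrayList<>(Arrays.asList(order));
    }

    /**
     * Registers the complete set of signature and encryption events for the SOAP 1.1
     * body, all carrying the same {@code protectionOrder}.
     *
     * @param policyEnforcer the enforcer receiving the events
     * @param protectionOrder the order the message applied signature and encryption
     * @throws WSSecurityException if any of the events violates the policy
     */
    private static void registerBodyProtectionEvents(PolicyEnforcer policyEnforcer,
            List<XMLSecurityConstants.ContentType> protectionOrder) throws WSSecurityException {
        SignedPartSecurityEvent signedPart = new SignedPartSecurityEvent(null, true, protectionOrder);
        signedPart.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPart);

        SignedElementSecurityEvent signedElement = new SignedElementSecurityEvent(null, true, protectionOrder);
        signedElement.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedElement);

        EncryptedPartSecurityEvent encryptedPart = new EncryptedPartSecurityEvent(null, true, protectionOrder);
        encryptedPart.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(encryptedPart);

        EncryptedElementSecurityEvent encryptedElement = new EncryptedElementSecurityEvent(null, true, protectionOrder);
        encryptedElement.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(encryptedElement);

        ContentEncryptedElementSecurityEvent contentEncrypted =
                new ContentEncryptedElementSecurityEvent(null, true, protectionOrder);
        contentEncrypted.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(contentEncrypted);
    }

    /**
     * Asserts that {@code e} is the enforcer's rejection of a wrong protection order:
     * a {@link PolicyViolationException} cause with exactly {@code expectedMessage} and
     * the {@code INVALID_SECURITY} fault code.
     *
     * @param e the exception thrown by {@link PolicyEnforcer#registerSecurityEvent}
     * @param expectedMessage the message the policy violation must carry
     */
    private static void assertProtectionOrderViolation(WSSecurityException e, String expectedMessage) {
        assertTrue(e.getCause() instanceof PolicyViolationException);
        // assertEquals takes (expected, actual); the reversed order used before made
        // a failure report the literal as the "actual" value.
        assertEquals(expectedMessage, e.getCause().getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
    }

    @Test
    public void testPolicySignBeforeEncrypt() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(asymmetricBindingPolicy(false));
        registerBodyProtectionEvents(policyEnforcer,
                protectionOrder(XMLSecurityConstants.ContentType.SIGNATURE,
                        XMLSecurityConstants.ContentType.ENCRYPTION));
        policyEnforcer.doFinal();
    }

    @Test
    public void testPolicySignBeforeEncryptWithoutEncryption() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(asymmetricBindingPolicy(false));
        // A body that is only signed must not trip the order check.
        SignedPartSecurityEvent signedPart = new SignedPartSecurityEvent(null, true,
                protectionOrder(XMLSecurityConstants.ContentType.SIGNATURE));
        signedPart.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(signedPart);
        policyEnforcer.doFinal();
    }

    @Test
    public void testPolicySignBeforeEncryptNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(asymmetricBindingPolicy(false));
        // Encrypted first, then signed: contradicts the default sign-before-encrypt order.
        SignedPartSecurityEvent signedPart = new SignedPartSecurityEvent(null, true,
                protectionOrder(XMLSecurityConstants.ContentType.ENCRYPTION,
                        XMLSecurityConstants.ContentType.SIGNATURE));
        signedPart.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        try {
            policyEnforcer.registerSecurityEvent(signedPart);
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertProtectionOrderViolation(e,
                    "Policy enforces SignBeforeEncrypting but the /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body was encrypted and then signed");
        }
    }

    @Test
    public void testPolicyEncryptBeforeSign() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(asymmetricBindingPolicy(true));
        registerBodyProtectionEvents(policyEnforcer,
                protectionOrder(XMLSecurityConstants.ContentType.ENCRYPTION,
                        XMLSecurityConstants.ContentType.SIGNATURE));
        policyEnforcer.doFinal();
    }

    @Test
    public void testPolicyEncryptBeforeSignWithoutSignature() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(asymmetricBindingPolicy(true));
        // A body that is only encrypted must not trip the order check.
        EncryptedPartSecurityEvent encryptedPart = new EncryptedPartSecurityEvent(null, true,
                protectionOrder(XMLSecurityConstants.ContentType.ENCRYPTION));
        encryptedPart.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        policyEnforcer.registerSecurityEvent(encryptedPart);
        policyEnforcer.doFinal();
    }

    @Test
    public void testPolicyEncryptBeforeSignNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(asymmetricBindingPolicy(true));
        // Signed first, then encrypted: contradicts the EncryptBeforeSigning assertion.
        EncryptedPartSecurityEvent encryptedPart = new EncryptedPartSecurityEvent(null, true,
                protectionOrder(XMLSecurityConstants.ContentType.SIGNATURE,
                        XMLSecurityConstants.ContentType.ENCRYPTION));
        encryptedPart.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
        try {
            policyEnforcer.registerSecurityEvent(encryptedPart);
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertProtectionOrderViolation(e,
                    "Policy enforces EncryptBeforeSigning but the /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body was signed and then encrypted");
        }
    }
}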
257 }