View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.test;
20  
21  import java.util.LinkedList;
22  import java.util.List;
23  
24  import javax.xml.namespace.QName;
25  
26  import org.apache.wss4j.common.ext.WSSecurityException;
27  import org.apache.wss4j.policy.stax.PolicyViolationException;
28  import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
29  import org.apache.wss4j.stax.ext.WSSConstants;
30  import org.apache.wss4j.stax.impl.securityToken.X509SecurityTokenImpl;
31  import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
32  import org.apache.wss4j.stax.securityEvent.SecurityContextTokenSecurityEvent;
33  import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
34  import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
35  import org.apache.xml.security.stax.ext.XMLSecurityConstants;
36  import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
37  import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
38  import org.junit.jupiter.api.Test;
39  
40  import static org.junit.jupiter.api.Assertions.assertEquals;
41  import static org.junit.jupiter.api.Assertions.assertTrue;
42  import static org.junit.jupiter.api.Assertions.fail;
43  
44  public class SecureConversationTokenTest extends AbstractPolicyTestBase {
45  
46      @Test
47      public void testPolicy() throws Exception {
48          String policyString =
49                  "<sp:SymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
50                          "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
51                          "<sp:EncryptionToken>\n" +
52                          "   <wsp:Policy>\n" +
53                          "       <sp:SecureConversationToken>\n" +
54                          "           <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
55                          "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
56                          "               <sp:RequireExternalUriReference/>\n" +
57                          "           </wsp:Policy>\n" +
58                          "       </sp:SecureConversationToken>\n" +
59                          "   </wsp:Policy>\n" +
60                          "</sp:EncryptionToken>\n" +
61                          "<sp:SignatureToken>\n" +
62                          "   <wsp:Policy>\n" +
63                          "       <sp:SecureConversationToken>\n" +
64                          "           <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
65                          "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
66                          "               <sp:RequireExternalUriReference/>\n" +
67                          "           </wsp:Policy>\n" +
68                          "       </sp:SecureConversationToken>\n" +
69                          "   </wsp:Policy>\n" +
70                          "</sp:SignatureToken>\n" +
71                          "   <sp:AlgorithmSuite>\n" +
72                          "       <wsp:Policy>\n" +
73                          "           <sp:Basic256/>\n" +
74                          "       </wsp:Policy>\n" +
75                          "   </sp:AlgorithmSuite>\n" +
76                          "</wsp:Policy>\n" +
77                          "</sp:SymmetricBinding>";
78  
79          PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
80          SecurityContextTokenSecurityEvent initiatorTokenSecurityEvent = new SecurityContextTokenSecurityEvent();
81          initiatorTokenSecurityEvent.setIssuerName("xs:anyURI");
82          initiatorTokenSecurityEvent.setExternalUriRef(true);
83          X509SecurityTokenImpl securityToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
84          securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
85          initiatorTokenSecurityEvent.setSecurityToken(securityToken);
86          policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);
87  
88          SecurityContextTokenSecurityEvent recipientTokenSecurityEvent = new SecurityContextTokenSecurityEvent();
89          recipientTokenSecurityEvent.setIssuerName("xs:anyURI");
90          recipientTokenSecurityEvent.setExternalUriRef(true);
91          securityToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
92          securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
93          recipientTokenSecurityEvent.setSecurityToken(securityToken);
94          policyEnforcer.registerSecurityEvent(recipientTokenSecurityEvent);
95  
96          List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
97          protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
98          protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
99          SignedPartSecurityEvent signedPartSecurityEvent =
100                 new SignedPartSecurityEvent(
101                         (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
102         signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
103         policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
104 
105         ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
106                 new ContentEncryptedElementSecurityEvent(
107                         (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
108         contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
109         policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
110 
111         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
112         operationSecurityEvent.setOperation(new QName("definitions"));
113         policyEnforcer.registerSecurityEvent(operationSecurityEvent);
114 
115         policyEnforcer.doFinal();
116     }
117 
118     @Test
119     public void testPolicyNegative() throws Exception {
120         String policyString =
121                 "<sp:SymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
122                         "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
123                         "<sp:EncryptionToken>\n" +
124                         "   <wsp:Policy>\n" +
125                         "       <sp:SecureConversationToken>\n" +
126                         "           <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
127                         "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
128                         "               <sp:RequireExternalUriReference/>\n" +
129                         "           </wsp:Policy>\n" +
130                         "       </sp:SecureConversationToken>\n" +
131                         "   </wsp:Policy>\n" +
132                         "</sp:EncryptionToken>\n" +
133                         "<sp:SignatureToken>\n" +
134                         "   <wsp:Policy>\n" +
135                         "       <sp:SecureConversationToken>\n" +
136                         "           <sp:IssuerName>xs:anyURI</sp:IssuerName>\n" +
137                         "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
138                         "               <sp:RequireExternalUriReference/>\n" +
139                         "           </wsp:Policy>\n" +
140                         "       </sp:SecureConversationToken>\n" +
141                         "   </wsp:Policy>\n" +
142                         "</sp:SignatureToken>\n" +
143                         "   <sp:AlgorithmSuite>\n" +
144                         "       <wsp:Policy>\n" +
145                         "           <sp:Basic256/>\n" +
146                         "       </wsp:Policy>\n" +
147                         "   </sp:AlgorithmSuite>\n" +
148                         "</wsp:Policy>\n" +
149                         "</sp:SymmetricBinding>";
150         PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
151         SecurityContextTokenSecurityEvent initiatorTokenSecurityEvent = new SecurityContextTokenSecurityEvent();
152         initiatorTokenSecurityEvent.setIssuerName("sss");
153         initiatorTokenSecurityEvent.setExternalUriRef(true);
154         InboundSecurityToken securityToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
155         securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
156         initiatorTokenSecurityEvent.setSecurityToken(securityToken);
157         policyEnforcer.registerSecurityEvent(initiatorTokenSecurityEvent);
158 
159         SecurityContextTokenSecurityEvent recipientTokenSecurityEvent = new SecurityContextTokenSecurityEvent();
160         recipientTokenSecurityEvent.setIssuerName("sss");
161         recipientTokenSecurityEvent.setExternalUriRef(true);
162         securityToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
163         securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
164         initiatorTokenSecurityEvent.setSecurityToken(securityToken);
165         policyEnforcer.registerSecurityEvent(recipientTokenSecurityEvent);
166 
167         List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
168         protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
169         protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
170         SignedPartSecurityEvent signedPartSecurityEvent =
171                 new SignedPartSecurityEvent(
172                         (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
173         signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
174         policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
175 
176         ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
177                 new ContentEncryptedElementSecurityEvent(
178                         (InboundSecurityToken)recipientTokenSecurityEvent.getSecurityToken(), true, protectionOrder);
179         contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
180         policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
181 
182         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
183         operationSecurityEvent.setOperation(new QName("definitions"));
184 
185         try {
186             policyEnforcer.registerSecurityEvent(operationSecurityEvent);
187             fail("Exception expected");
188         } catch (WSSecurityException e) {
189             assertTrue(e.getCause() instanceof PolicyViolationException);
190             assertEquals(e.getCause().getMessage(),
191                     "IssuerName in Policy (xs:anyURI) didn't match with the one in the SecurityContextToken (sss)");
192             assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
193         }
194     }
195 }