1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.test;
20  
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;

import javax.xml.namespace.QName;

import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.policy.stax.PolicyViolationException;
import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
import org.apache.wss4j.stax.ext.WSSConstants;
import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
import org.apache.xml.security.stax.ext.XMLSecurityConstants;
import org.apache.xml.security.stax.securityEvent.SignedElementSecurityEvent;
import org.junit.jupiter.api.Test;

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail;
39  
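/**
 * Enforcement tests for the WS-SecurityPolicy {@code sp:SignedElements} assertion.
 *
 * <p>The policy under test names a single XPath ({@code /b:a} in {@code http://example.org}) that
 * must be signed. The positive test feeds the enforcer signed events for the body, the required
 * header child and an extra header child and expects {@link PolicyEnforcer#doFinal()} to succeed;
 * the negative test feeds an unsigned event for the required element and expects the enforcer to
 * reject it with a {@link WSSecurityException} carrying the {@code INVALID_SECURITY} fault code and
 * a {@link PolicyViolationException} cause.
 */
public class SignedElementsTest extends AbstractPolicyTestBase {

    /** Policy shared by both tests: exactly one element, {@code /b:a}, is required to be signed. */
    private static final String SIGNED_ELEMENTS_POLICY =
            "<sp:SignedElements xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
                    "<sp:XPath xmlns:b=\"http://example.org\">/b:a</sp:XPath>\n" +
                    "</sp:SignedElements>";

    /** Namespace of the elements the policy XPath refers to. */
    private static final String EXAMPLE_NS = "http://example.org";

    /**
     * Builds an enforcer for {@link #SIGNED_ELEMENTS_POLICY} and registers the operation event
     * that precedes the element events in both tests.
     *
     * @return the started enforcer, ready to receive element security events
     * @throws Exception if the policy engine cannot be built or the operation event is rejected
     */
    private PolicyEnforcer startEnforcer() throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(SIGNED_ELEMENTS_POLICY);

        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        policyEnforcer.registerSecurityEvent(operationSecurityEvent);
        return policyEnforcer;
    }

    /**
     * Creates a fresh "element is signed" event for the given path.
     *
     * <p>A new instance per registration avoids re-registering one mutated event object, which
     * would make the test depend on the enforcer not retaining the reference.
     *
     * @param elementPath path of the element that was signed
     * @return a signed element event with protection order SIGNATURE then ENCRYPTION
     */
    private static SignedElementSecurityEvent signedElement(List<QName> elementPath) {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
        SignedElementSecurityEvent event = new SignedElementSecurityEvent(null, true, protectionOrder);
        event.setElementPath(elementPath);
        return event;
    }

    /**
     * Returns the SOAP 1.1 header path extended by one child element in {@link #EXAMPLE_NS}.
     *
     * @param localName local name of the header child
     * @return a mutable copy of the header path with the child appended
     */
    private static List<QName> headerChild(String localName) {
        List<QName> path = new ArrayList<>(WSSConstants.SOAP_11_HEADER_PATH);
        path.add(new QName(EXAMPLE_NS, localName));
        return path;
    }

    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = startEnforcer();

        policyEnforcer.registerSecurityEvent(signedElement(WSSConstants.SOAP_11_BODY_PATH));
        policyEnforcer.registerSecurityEvent(signedElement(headerChild("a")));
        // additional SignedElements beyond those the policy names are also allowed!
        policyEnforcer.registerSecurityEvent(signedElement(headerChild("b")));
        policyEnforcer.doFinal();
    }

    @Test
    public void testPolicyMultipleAssertionEventsNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEnforcer();

        policyEnforcer.registerSecurityEvent(signedElement(WSSConstants.SOAP_11_BODY_PATH));

        // The required element arrives unsigned (signed = false, no protection order).
        // Its path is deliberately the bare element, which is what the expected message names.
        SignedElementSecurityEvent unsignedElement = new SignedElementSecurityEvent(null, false, null);
        List<QName> elementPath = new ArrayList<>();
        elementPath.add(new QName(EXAMPLE_NS, "a"));
        unsignedElement.setElementPath(elementPath);

        // Registration itself must fail: the enforcer must not wait for doFinal() to reject
        // an unsigned element the policy requires to be signed.
        WSSecurityException e = assertThrows(WSSecurityException.class,
                () -> policyEnforcer.registerSecurityEvent(unsignedElement));
        assertTrue(e.getCause() instanceof PolicyViolationException);
        // expected value first, so a failure report reads correctly
        assertEquals("Element /{http://example.org}a must be signed", e.getCause().getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
    }
}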
106 }