1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.test;
20  
21  import java.util.ArrayList;
22  import java.util.LinkedList;
23  import java.util.List;
24  
25  import javax.xml.namespace.QName;
26  
27  import org.apache.wss4j.common.ext.WSSecurityException;
28  import org.apache.wss4j.policy.stax.PolicyViolationException;
29  import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
30  import org.apache.wss4j.stax.ext.WSSConstants;
31  import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
32  import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
33  import org.apache.xml.security.stax.ext.XMLSecurityConstants;
34  import org.junit.jupiter.api.Test;
35  
36  import static org.junit.jupiter.api.Assertions.assertEquals;
37  import static org.junit.jupiter.api.Assertions.assertTrue;
38  import static org.junit.jupiter.api.Assertions.fail;
39  
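/**
 * Policy-enforcer tests for the WS-SecurityPolicy {@code sp:SignedParts} assertion.
 *
 * Each test builds a {@link PolicyEnforcer} from an inline policy, registers an
 * {@link OperationSecurityEvent} followed by one {@link SignedPartSecurityEvent}
 * per message part, and either expects {@code doFinal()} to succeed or expects
 * {@code registerSecurityEvent()} to reject an unsigned part with a
 * {@link WSSecurityException} whose cause is a {@link PolicyViolationException}.
 */
public class SignedPartsTest extends AbstractPolicyTestBase {

    /** Namespace of the example headers referenced by the policies below. */
    private static final String EXAMPLE_NS = "http://example.org";

    /** SignedParts requiring the Body, the {http://example.org}a header and attachments. */
    private static final String NAMED_HEADER_POLICY =
            "<sp:SignedParts xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
                    "<sp:Body/>\n" +
                    "<sp:Header Name=\"a\" Namespace=\"http://example.org\"/>\n" +
                    "<sp:Attachments>\n" +
                    "<sp3:ContentSignatureTransform/>\n" +
                    "<sp3:AttachmentCompleteSignatureTransform/>\n" +
                    "</sp:Attachments>\n" +
                    "</sp:SignedParts>";

    /** SignedParts requiring the Body, every header in {http://example.org} and attachments. */
    private static final String WILDCARD_HEADER_POLICY =
            "<sp:SignedParts xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
                    "<sp:Body/>\n" +
                    "<sp:Header Namespace=\"http://example.org\"/>\n" +
                    "<sp:Attachments>\n" +
                    "<sp3:ContentSignatureTransform/>\n" +
                    "<sp3:AttachmentCompleteSignatureTransform/>\n" +
                    "</sp:Attachments>\n" +
                    "</sp:SignedParts>";

    /** SignedParts with no child elements. */
    private static final String EMPTY_POLICY =
            "<sp:SignedParts xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
                    "</sp:SignedParts>";

    /**
     * Builds the enforcer for {@code policy} and registers the operation event that
     * every test needs before any part events are accepted.
     */
    private PolicyEnforcer startEngine(String policy) throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policy);
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        policyEnforcer.registerSecurityEvent(operationSecurityEvent);
        return policyEnforcer;
    }

    /** Element path of a SOAP 1.1 header {@code {http://example.org}localName}. */
    private static List<QName> headerPath(String localName) {
        List<QName> path = new ArrayList<>(WSSConstants.SOAP_11_HEADER_PATH);
        path.add(new QName(EXAMPLE_NS, localName));
        return path;
    }

    /** Event for a part that was signed and then encrypted (signature first in the protection order). */
    private static SignedPartSecurityEvent signedPart(List<QName> elementPath) {
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
        SignedPartSecurityEvent event = new SignedPartSecurityEvent(null, true, protectionOrder);
        event.setElementPath(elementPath);
        return event;
    }

    /** Event for a part that was not signed at all. */
    private static SignedPartSecurityEvent unsignedPart(List<QName> elementPath) {
        SignedPartSecurityEvent event = new SignedPartSecurityEvent(null, false, null);
        event.setElementPath(elementPath);
        return event;
    }

    /**
     * Asserts that {@code e} is the policy violation the enforcer raises for an
     * unsigned required part: cause is a {@link PolicyViolationException} carrying
     * {@code expectedMessage}, fault code is {@code InvalidSecurity}.
     */
    private static void assertMustBeSignedViolation(WSSecurityException e, String expectedMessage) {
        assertTrue(e.getCause() instanceof PolicyViolationException);
        // expected value first so a failure report reads correctly
        assertEquals(expectedMessage, e.getCause().getMessage());
        assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
    }

    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(NAMED_HEADER_POLICY);

        policyEnforcer.registerSecurityEvent(signedPart(WSSConstants.SOAP_11_BODY_PATH));
        policyEnforcer.registerSecurityEvent(signedPart(headerPath("a")));
        //additional signedParts are also allowed!
        policyEnforcer.registerSecurityEvent(signedPart(headerPath("b")));
        // NOTE(review): no attachment event is ever registered although the policy lists
        // sp:Attachments, and doFinal() is expected to pass - presumably attachments are
        // only enforced when present; confirm against the enforcer.
        policyEnforcer.doFinal();
    }

    @Test
    public void testPolicyMultipleAssertionEventsNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(NAMED_HEADER_POLICY);

        policyEnforcer.registerSecurityEvent(signedPart(WSSConstants.SOAP_11_BODY_PATH));
        try {
            // header "a" is required by the policy but arrives unsigned
            policyEnforcer.registerSecurityEvent(unsignedPart(headerPath("a")));
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertMustBeSignedViolation(e,
                    "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://example.org}a must be signed");
        }
    }

    @Test
    public void testPolicyAllHeaders() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(EMPTY_POLICY);

        policyEnforcer.registerSecurityEvent(signedPart(WSSConstants.SOAP_11_BODY_PATH));
        policyEnforcer.registerSecurityEvent(signedPart(headerPath("a")));
        policyEnforcer.registerSecurityEvent(signedPart(headerPath("b")));
        policyEnforcer.doFinal();
    }

    @Test
    public void testPolicyBodyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(EMPTY_POLICY);

        try {
            // the Body is required even by an empty SignedParts, and arrives unsigned
            policyEnforcer.registerSecurityEvent(unsignedPart(WSSConstants.SOAP_11_BODY_PATH));
            // Without this the test passed vacuously whenever the enforcer let the
            // unsigned Body through, because the assertions live in the catch block.
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertMustBeSignedViolation(e,
                    "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body must be signed");
        }
    }

    @Test
    public void testPolicyWildcardHeader() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(WILDCARD_HEADER_POLICY);

        policyEnforcer.registerSecurityEvent(signedPart(WSSConstants.SOAP_11_BODY_PATH));
        policyEnforcer.registerSecurityEvent(signedPart(headerPath("a")));
        //additional signedParts are also allowed!
        policyEnforcer.registerSecurityEvent(signedPart(headerPath("b")));
        policyEnforcer.doFinal();
    }

    @Test
    public void testPolicyWildcardHeaderNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngine(WILDCARD_HEADER_POLICY);

        policyEnforcer.registerSecurityEvent(signedPart(WSSConstants.SOAP_11_BODY_PATH));
        try {
            // any header in http://example.org must be signed under the wildcard policy
            policyEnforcer.registerSecurityEvent(unsignedPart(headerPath("a")));
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertMustBeSignedViolation(e,
                    "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://example.org}a must be signed");
        }
    }
}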
246 }