19 package org.apache.wss4j.policy.stax.test;
20
21 import java.util.ArrayList;
22 import java.util.LinkedList;
23 import java.util.List;
24
25 import javax.xml.namespace.QName;
26
27 import org.apache.wss4j.common.ext.WSSecurityException;
28 import org.apache.wss4j.policy.stax.PolicyViolationException;
29 import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
30 import org.apache.wss4j.stax.ext.WSSConstants;
31 import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
32 import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
33 import org.apache.xml.security.stax.ext.XMLSecurityConstants;
34 import org.junit.jupiter.api.Test;
35
36 import static org.junit.jupiter.api.Assertions.assertEquals;
37 import static org.junit.jupiter.api.Assertions.assertTrue;
38 import static org.junit.jupiter.api.Assertions.fail;
39
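/**
 * Policy-enforcement tests for the WS-SecurityPolicy {@code sp:SignedParts} assertion.
 *
 * <p>Each test builds a {@code SignedParts} policy, starts a {@link PolicyEnforcer} on it,
 * registers an operation event followed by one or more {@link SignedPartSecurityEvent}s, and
 * then either completes the enforcer ({@code doFinal}) or expects a
 * {@link WSSecurityException} whose cause is a {@link PolicyViolationException}.
 *
 * <p>The negative tests are the security-relevant ones: they pin down that an unsigned Body or
 * an unsigned header named by the policy is rejected. They therefore always {@code fail()} when
 * no exception is thrown, so a regression in the enforcer cannot pass silently.
 */
public class SignedPartsTest extends AbstractPolicyTestBase {

    private static final String SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
    private static final String SP3_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802";
    private static final String EXAMPLE_NS = "http://example.org";

    // Policy fragments. Each ends with a newline so they concatenate into the same
    // policy text the tests have always used.
    private static final String BODY_PART = "<sp:Body/>\n";
    private static final String HEADER_A_PART =
        "<sp:Header Name=\"a\" Namespace=\"http://example.org\"/>\n";
    private static final String WILDCARD_HEADER_PART =
        "<sp:Header Namespace=\"http://example.org\"/>\n";
    private static final String ATTACHMENTS_PART =
        "<sp:Attachments>\n"
        + "<sp3:ContentSignatureTransform/>\n"
        + "<sp3:AttachmentCompleteSignatureTransform/>\n"
        + "</sp:Attachments>\n";

    // Expected PolicyViolationException messages, kept verbatim so the assertions are explicit.
    private static final String BODY_MUST_BE_SIGNED =
        "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Body must be signed";
    private static final String HEADER_A_MUST_BE_SIGNED =
        "Element /{http://schemas.xmlsoap.org/soap/envelope/}Envelope/{http://schemas.xmlsoap.org/soap/envelope/}Header/{http://example.org}a must be signed";

    /**
     * Builds a {@code sp:SignedParts} policy document from the given child fragments.
     *
     * @param parts child fragments (see the {@code *_PART} constants); may be empty, which
     *              yields an empty {@code SignedParts} assertion
     * @return the policy XML as a string
     */
    private static String signedPartsPolicy(String... parts) {
        return "<sp:SignedParts xmlns:sp=\"" + SP_NS + "\" xmlns:sp3=\"" + SP3_NS + "\">\n"
            + String.join("", parts)
            + "</sp:SignedParts>";
    }

    /**
     * Starts a policy engine on the given policy and registers the operation event that every
     * test in this class emits first.
     *
     * @param policyString the policy XML
     * @return the started enforcer, ready to receive part events
     * @throws Exception if the engine cannot be built or the operation event is rejected
     */
    private PolicyEnforcer startEngineWithOperation(String policyString) throws Exception {
        PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
        OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
        operationSecurityEvent.setOperation(new QName("definitions"));
        policyEnforcer.registerSecurityEvent(operationSecurityEvent);
        return policyEnforcer;
    }

    /**
     * Creates an event reporting that the element at {@code elementPath} was signed, with a
     * SIGNATURE-then-ENCRYPTION protection order.
     *
     * @param elementPath path of the signed element
     * @return a new signed-part event
     */
    private static SignedPartSecurityEvent signedEvent(List<QName> elementPath) {
        // LinkedList kept from the original; the enforcer only needs a List here.
        List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
        protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
        protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
        SignedPartSecurityEvent event = new SignedPartSecurityEvent(null, true, protectionOrder);
        event.setElementPath(elementPath);
        return event;
    }

    /**
     * Creates an event reporting that the element at {@code elementPath} was NOT signed.
     *
     * @param elementPath path of the unsigned element
     * @return a new unsigned-part event
     */
    private static SignedPartSecurityEvent unsignedEvent(List<QName> elementPath) {
        SignedPartSecurityEvent event = new SignedPartSecurityEvent(null, false, null);
        event.setElementPath(elementPath);
        return event;
    }

    /**
     * Builds the path of a SOAP 1.1 header child {@code {http://example.org}localName}.
     *
     * @param localName local name of the header element
     * @return a fresh, mutable path list
     */
    private static List<QName> exampleHeaderPath(String localName) {
        List<QName> headerPath = new ArrayList<>(WSSConstants.SOAP_11_HEADER_PATH);
        headerPath.add(new QName(EXAMPLE_NS, localName));
        return headerPath;
    }

    /**
     * Registers {@code event} and asserts that the enforcer rejects it with a
     * {@link PolicyViolationException} carrying {@code expectedMessage} and the
     * {@code INVALID_SECURITY} fault code. Fails the test if no exception is thrown.
     *
     * @param policyEnforcer the enforcer under test
     * @param event the event expected to violate the policy
     * @param expectedMessage the exact violation message
     * @throws Exception only if registration throws something other than {@link WSSecurityException}
     */
    private static void assertRejected(PolicyEnforcer policyEnforcer,
                                       SignedPartSecurityEvent event,
                                       String expectedMessage) throws Exception {
        try {
            policyEnforcer.registerSecurityEvent(event);
            // fail() throws an Error, not a WSSecurityException, so it escapes the catch below.
            fail("Exception expected");
        } catch (WSSecurityException e) {
            assertTrue(e.getCause() instanceof PolicyViolationException);
            // JUnit argument order is (expected, actual); swapped arguments only garble the
            // failure message, but they are fixed here so reports read correctly.
            assertEquals(expectedMessage, e.getCause().getMessage());
            assertEquals(WSSecurityException.INVALID_SECURITY, e.getFaultCode());
        }
    }

    /**
     * Body and header {@code a} are required; both are signed, and an additional signed header
     * {@code b} that the policy does not name is expected to be accepted.
     */
    @Test
    public void testPolicy() throws Exception {
        PolicyEnforcer policyEnforcer = startEngineWithOperation(
            signedPartsPolicy(BODY_PART, HEADER_A_PART, ATTACHMENTS_PART));

        policyEnforcer.registerSecurityEvent(signedEvent(WSSConstants.SOAP_11_BODY_PATH));
        policyEnforcer.registerSecurityEvent(signedEvent(exampleHeaderPath("a")));
        policyEnforcer.registerSecurityEvent(signedEvent(exampleHeaderPath("b")));
        policyEnforcer.doFinal();
    }

    /**
     * The Body is signed but the required header {@code a} is reported unsigned; the enforcer
     * must reject the header event.
     */
    @Test
    public void testPolicyMultipleAssertionEventsNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngineWithOperation(
            signedPartsPolicy(BODY_PART, HEADER_A_PART, ATTACHMENTS_PART));

        policyEnforcer.registerSecurityEvent(signedEvent(WSSConstants.SOAP_11_BODY_PATH));
        assertRejected(policyEnforcer, unsignedEvent(exampleHeaderPath("a")), HEADER_A_MUST_BE_SIGNED);
    }

    /**
     * An empty {@code SignedParts} assertion: Body and headers {@code a} and {@code b} are all
     * reported signed, which is expected to satisfy the policy.
     */
    @Test
    public void testPolicyAllHeaders() throws Exception {
        PolicyEnforcer policyEnforcer = startEngineWithOperation(signedPartsPolicy());

        policyEnforcer.registerSecurityEvent(signedEvent(WSSConstants.SOAP_11_BODY_PATH));
        policyEnforcer.registerSecurityEvent(signedEvent(exampleHeaderPath("a")));
        policyEnforcer.registerSecurityEvent(signedEvent(exampleHeaderPath("b")));
        policyEnforcer.doFinal();
    }

    /**
     * An empty {@code SignedParts} assertion with an unsigned Body must be rejected.
     *
     * <p>The original version of this test had no {@code fail()} after the registration, so it
     * passed even when the enforcer accepted the unsigned Body; {@link #assertRejected} now makes
     * the missing exception a test failure.
     */
    @Test
    public void testPolicyBodyNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngineWithOperation(signedPartsPolicy());

        assertRejected(policyEnforcer, unsignedEvent(WSSConstants.SOAP_11_BODY_PATH), BODY_MUST_BE_SIGNED);
    }

    /**
     * A namespace-only (wildcard) header assertion: signed headers {@code a} and {@code b} in that
     * namespace plus a signed Body are expected to satisfy the policy.
     */
    @Test
    public void testPolicyWildcardHeader() throws Exception {
        PolicyEnforcer policyEnforcer = startEngineWithOperation(
            signedPartsPolicy(BODY_PART, WILDCARD_HEADER_PART, ATTACHMENTS_PART));

        policyEnforcer.registerSecurityEvent(signedEvent(WSSConstants.SOAP_11_BODY_PATH));
        policyEnforcer.registerSecurityEvent(signedEvent(exampleHeaderPath("a")));
        policyEnforcer.registerSecurityEvent(signedEvent(exampleHeaderPath("b")));
        policyEnforcer.doFinal();
    }

    /**
     * A namespace-only (wildcard) header assertion with header {@code a} reported unsigned must
     * be rejected.
     */
    @Test
    public void testPolicyWildcardHeaderNegative() throws Exception {
        PolicyEnforcer policyEnforcer = startEngineWithOperation(
            signedPartsPolicy(BODY_PART, WILDCARD_HEADER_PART, ATTACHMENTS_PART));

        policyEnforcer.registerSecurityEvent(signedEvent(WSSConstants.SOAP_11_BODY_PATH));
        assertRejected(policyEnforcer, unsignedEvent(exampleHeaderPath("a")), HEADER_A_MUST_BE_SIGNED);
    }
}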